WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Troubleshooting authorization providers

This article describes the issues you might encounter when using a Java Authorization Contract for Containers (JACC) authorization provider. Tivoli Access Manager is bundled with WebSphere Application Server as an authorization provider, but you can also plug in your own authorization provider.

Using Tivoli Access Manager as a Java Authorization Contract for Containers authorization provider

Using an external provider for Java Authorization Contract for Containers authorization

You might encounter the following issues when you use an external provider for JACC authorization:

The configuration of JACC might fail

If you are having problems configuring JACC, check the following:

The server might fail to start after configuring JACC

If the server does not start after JACC has been configured, check the following:

The application might not deploy properly

When you click Save, the policy and role information is propagated to the Tivoli Access Manager policy. It might take some time to finish. If the save fails, you must uninstall the application and then reinstall it.

To access an application after it is installed, you must wait 30 seconds (by default) to start the application after you save.

The startServer command might fail after you have configured Tivoli Access Manager or a clean uninstall did not take place after unconfiguring JACC.

If the cleanup for JACC unconfiguration or start server fails after JACC has been configured, do the following:
  • Remove Tivoli Access Manager properties files from WebSphere Application Server. For each application server in a network deployment (ND) environment with N servers defined (for example, server1, server2), the following files must be removed:

    $WAS_INSTALL/java/jre/PdPerm.properties
    $WAS_INSTALL/java/jre/PdPerm.ks
    $WAS_INSTALL/profiles/profile_name/etc/tam/*

  • Use a utility to clear the security configuration and return the system to the state it was in before Tivoli Access Manager JACC was configured. The utility removes all of the PDLoginModuleWrapper entries as well as the Tivoli Access Manager authorization table entry from the security.xml file, effectively removing the Tivoli Access Manager JACC provider. Back up security.xml before running this utility.
    Enter the following commands:

    $WAS_HOME/java/jre/bin/java -classpath
    "$WAS_HOME/lib/AMJACCProvider.jar:CLASSPATH"
    com.tivoli.pd.as.jacc.cfg.CleanSecXML fully_qualified_path/security.xml
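The cleanup steps above, collected into one shell script (an added example, not IBM's own tooling): it removes the PdPerm files and the contents of each profile's etc/tam directory for every profile under the install root, and backs up security.xml before handing it to CleanSecXML. It assumes $WAS_INSTALL and $WAS_HOME refer to the same install root and that the fully qualified security.xml path is passed in explicitly.

```shell
#!/bin/sh
# Added example (not from the IBM page): undo a Tivoli Access Manager JACC
# configuration on a WebSphere 6.0 install. Assumes $WAS_INSTALL == $WAS_HOME.
set -eu

# Copy a file to a timestamped .bak sibling and print the backup path.
backup_file() {
    src="$1"
    dest="${src}.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dest"
    printf '%s\n' "$dest"
}

# Remove the TAM property and keystore files from the JRE, and empty the
# etc/tam directory of every profile found under <install>/profiles.
remove_tam_files() {
    was_install="$1"
    rm -f "$was_install/java/jre/PdPerm.properties" \
          "$was_install/java/jre/PdPerm.ks"
    for profile in "$was_install"/profiles/*/; do
        [ -d "$profile/etc/tam" ] || continue
        rm -rf "$profile/etc/tam"/*
    done
}

# Back up one security.xml, then run the CleanSecXML utility against it
# (the command form is the one shown on this page; CLASSPATH may be empty).
clean_security_xml() {
    was_home="$1"; secxml="$2"
    backup_file "$secxml" >/dev/null
    "$was_home/java/jre/bin/java" -classpath \
        "$was_home/lib/AMJACCProvider.jar:${CLASSPATH:-}" \
        com.tivoli.pd.as.jacc.cfg.CleanSecXML "$secxml"
}

# Typical use, with both paths supplied by the caller:
#   remove_tam_files "$WAS_INSTALL"
#   clean_security_xml "$WAS_HOME" /fully/qualified/path/security.xml
```

Run it on every node of the cell, because the PdPerm files and etc/tam contents exist per server.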

An "HPDIA0202w An unknown user name was presented to Access Manager" error might occur

You might encounter the following error message if you are attempting to use an existing user in a Lightweight Directory Access Protocol (LDAP) user registry with Tivoli Access Manager:

AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A Tivoli Access Manager exception was caught. Details are:
"HPDIA0202W An unknown user name was presented to Access Manager."

This problem might be caused by the hostname exceeding predefined limits with Tivoli Access Manager when it is configured against MS Active Directory. In WebSphere Version 6.0, the length of the hostname cannot exceed 46 characters.

Check that the hostname is not fully qualified. Configure the machine so that the hostname does not include the host domain.

To correct this error, complete the following steps:
  1. On the command line, type the following information to get a Tivoli Access Manager command prompt:

    pdadmin -a administrator_name -p administrator_password

    The pdadmin administrator_name prompt is displayed. For example:

    pdadmin -a administrator1 -p password

  2. At the pdadmin command prompt, import the user from the LDAP user registry to Tivoli Access Manager by typing the following information:

    user import user_name cn=user_name,o=organization_name,c=country

    For example:

    user import jstar cn=jstar,o=ibm,c=us

After importing the user to Tivoli Access Manager, you must use the user modify command to set the user account to valid. The following syntax shows how to use this command:

user modify user_name account-valid yes

For example:
user modify jstar account-valid yes

For information on how to import a group from LDAP to Tivoli Access Manager, see the Tivoli Access Manager documentation.

An "HPDAC0778E The specified user's account is set to invalid" error might occur

You might encounter the following error message after you import a user to Tivoli Access Manager and restart the client:

AWXJR0008E   Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E   A Tivoli Access Manager exception was caught.
Details are: "HPDAC0778E   The specified user's account is set to invalid."

To correct this error, use the user modify command to set the user account to valid. The following syntax shows how to use this command:

user modify user_name account-valid yes

For example:

user modify jstar account-valid yes
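The HPDIA0202W and HPDAC0778E fixes above, as an added shell example (not from the IBM page): a pre-check for the 46-character, non-qualified hostname limit, and a helper that emits the pdadmin user import and user modify account-valid commands for a list of users. The command-file argument to pdadmin and the one-user-per-line input format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IBM page): hostname pre-check plus pdadmin
# command generation for importing LDAP users into Tivoli Access Manager.

# Return 0 when the hostname is within the WebSphere 6.0 limit (46
# characters) and is not fully qualified, i.e. carries no domain part.
check_hostname() {
    name="$1"
    case "$name" in
        *.*) return 1 ;;   # fully qualified: configure the short name first
    esac
    [ "${#name}" -le 46 ]
}

# Print the two pdadmin commands for one user: import from LDAP, then mark
# the account valid (avoids the HPDAC0778E "account is set to invalid" error).
# Arguments: user_name organization_name country
pdadmin_import_user() {
    user="$1"; org="$2"; country="$3"
    printf 'user import %s cn=%s,o=%s,c=%s\n' "$user" "$user" "$org" "$country"
    printf 'user modify %s account-valid yes\n' "$user"
}

# Read "user org country" lines (constructed input format) from stdin, write a
# command file and hand it to pdadmin. Passing a command file as the last
# argument is an assumption about pdadmin; verify it against your version.
import_users() {
    admin="$1"; password="$2"; cmdfile="${TMPDIR:-/tmp}/pdadmin_import.$$"
    while read -r user org country; do
        pdadmin_import_user "$user" "$org" "$country"
    done > "$cmdfile"
    pdadmin -a "$admin" -p "$password" "$cmdfile"
    rc=$?
    rm -f "$cmdfile"
    return $rc
}

# Typical use:
#   check_hostname "$(hostname)" || echo "fix the hostname before importing"
#   printf 'jstar ibm us\nagent3 ibm us\n' | import_users administrator1 password
```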

An "HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry" error might occur

You might encounter an error similar to the following message when you propagate the security policy information from the application to the provider using the wsadmin command propagatePolicyToJACCProvider:
AWXJR0035E   An error occurred while  attempting to add member, cn=agent3,o=ibm,c=us, to role AgentRole
HPDJA0506E   Invalid argument: Null or zero-length user name field for the ACL entry

To correct this error, create or import into Tivoli Access Manager the user that is mapped to the security role. For more information on propagating the security policy information, see the documentation for your authorization provider.

A "WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl"" error might occur

After the JACC provider and Tivoli Access Manager are enabled, the following error might occur when you use the wsadmin command to install an application that is configured with security roles:

WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl"; exception information:
 com.ibm.ws.scripting.ScriptingException: WASX7111E: Cannot find a match for supplied option:
"[RuleManager, , , cn=mgr3,o=ibm,c=us|cn=agent3,o=ibm,c=us, cn=ManagerGroup,o=ibm,c=us|cn=AgentGroup,o=ibm,c=us]" for task "MapRolesToUsers

The $AdminApp task option MapRolesToUsers becomes invalid when Tivoli Access Manager is used as the authorization server. To correct the error, change MapRolesToUsers to TAMMapRolesToUsers.

Related concepts
Authorization in WebSphere Application Server
Tivoli Access Manager integration as the JACC provider
JACC providers
JACC support in WebSphere Application Server

Related tasks
Enabling an external JACC provider
Configuring a JACC provider
Propagating security policy of installed applications to a JACC provider using wsadmin scripting

Related reference
Interfaces used to support JACC

Related information
IBM Tivoli Access Manager for e-business 5.1


Last updated: Mar 17, 2005 4:28:29 AM CST
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/rsec_jacctroubles.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.