This article describes the issues you might encounter using a Java Authorization Contract for Containers (JACC) authorization provider. Tivoli Access Manager is bundled with WebSphere Application Server as an authorization provider. However, you can also plug in your own authorization provider.
Using Tivoli Access Manager as a Java Authorization Contract for Containers authorization provider
Using an external provider for Java Authorization Contract for Containers authorization
The configuration of JACC might fail
If you are having problems configuring JACC, check the following:
The server might fail to start after configuring JACC
If the server does not start after JACC has been configured, check the following:
The application might not deploy properly
When you click Save, the policy and role information is propagated to the Tivoli Access Manager policy. It might take some time to finish. If the save fails, you must uninstall the application and then reinstall it.
To access an application after it is installed, wait 30 seconds (the default) after you save before you start the application.
The startServer command might fail after you have configured Tivoli Access Manager, or if a clean uninstall did not take place after unconfiguring JACC.
$WAS_INSTALL/java/jre/PdPerm.properties
$WAS_INSTALL/java/jre/PdPerm.ks
$WAS_INSTALL/profiles/profile_name/etc/tam/*
$WAS_HOME/java/jre/bin/java -classpath "$WAS_HOME/lib/AMJACCProvider.jar:CLASSPATH" com.tivoli.pd.as.jacc.cfg.CleanSecXML fully_qualified_path/security.xml
An "HPDIA0202W An unknown user name was presented to Access Manager" error might occur
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A Tivoli Access Manager exception was caught. Details are:
"HPDIA0202W An unknown user name was presented to Access Manager."
Check that the hostname is not fully qualified. Configure the machine so that the hostname does not include the host domain.
pdadmin -a administrator_name -p administrator_password
The pdadmin administrator_name prompt is displayed. For example:
pdadmin -a administrator1 -p password
user import user_name cn=user_name,o=organization_name,c=country
For example:
user import jstar cn=jstar,o=ibm,c=us
user modify user_name account-valid yes
For example:
user modify jstar account-valid yes
For information on how to import a group from LDAP to Tivoli Access Manager, see the Tivoli Access Manager documentation.
An "HPDAC0778E The specified user's account is set to invalid" error might occur
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.: AWXJR0007E A Tivoli Access Manager exception was caught. Details are: "HPDAC0778E The specified user's account is set to invalid."
user modify user_name account-valid yes
For example:
user modify jstar account-valid yes
An "HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry" error might occur
AWXJR0035E An error occurred while attempting to add member, cn=agent3,o=ibm,c=us, to role AgentRole HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry
To correct this error, create the user that is mapped to the security role in Tivoli Access Manager, or import that user into Tivoli Access Manager. For more information on propagating the security policy information, see the documentation for your authorization provider.
A WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl" error might occur
WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl"; exception information: com.ibm.ws.scripting.ScriptingException: WASX7111E: Cannot find a match for supplied option: "[RuleManager, , , cn=mgr3,o=ibm,c=us|cn=agent3,o=ibm,c=us, cn=ManagerGroup,o=ibm,c=us|cn=AgentGroup,o=ibm,c=us]" for task "MapRolesToUsers
The $AdminApp task option MapRolesToUsers becomes invalid when Tivoli Access Manager is used as the authorization server. To correct the error, change MapRolesToUsers to TAMMapRolesToUsers.
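The three Tivoli Access Manager errors described above can be picked out of a log and paired with the pdadmin commands this article gives for each. The following Python script is an added example, not part of the original article or of any IBM tooling; the log lines are constructed from the messages quoted above, the function name triage is hypothetical, and the o=organization_name,c=country placeholder stands in where the log does not carry the user's distinguished name.

```python
import re

# Constructed sample log lines, modelled on the messages quoted in this article.
SAMPLE_LOG = """\
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A Tivoli Access Manager exception was caught. Details are:
"HPDIA0202W An unknown user name was presented to Access Manager."
AWXJR0008E Failed to create a PDPrincipal for principal jstar.: AWXJR0007E A Tivoli Access Manager exception was caught. Details are: "HPDAC0778E The specified user's account is set to invalid."
AWXJR0035E An error occurred while attempting to add member, cn=agent3,o=ibm,c=us, to role AgentRole HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry
"""

PRINCIPAL = re.compile(r"AWXJR0008E .*? for principal (\S+?)\.:")
MEMBER = re.compile(r"AWXJR0035E .*? add member, (cn=([^,]+),.+?), to role (\S+)")
DETAIL = re.compile(r"\b(HPDIA0202W|HPDAC0778E|HPDJA0506E)\b")


def triage(log_text):
    """Return (code, user, pdadmin commands to review) for each error found."""
    findings, user, dn = [], None, None
    for line in log_text.splitlines():
        m = PRINCIPAL.search(line)
        if m:  # remember the principal; the HPD detail may be on a later line
            user, dn = m.group(1), None
        m = MEMBER.search(line)
        if m:  # role-mapping failure carries the full DN of the member
            dn, user = m.group(1), m.group(2)
        d = DETAIL.search(line)
        if not d or user is None:
            continue  # no detail code yet, or a code with no user to act on
        code = d.group(1)
        # Placeholder DN (assumption) when the log does not show the real one.
        target = dn or f"cn={user},o=organization_name,c=country"
        valid = f"user modify {user} account-valid yes"
        if code == "HPDIA0202W":    # unknown user: import, then mark valid
            cmds = [f"user import {user} {target}", valid]
        elif code == "HPDAC0778E":  # account set to invalid: mark valid
            cmds = [valid]
        else:                       # HPDJA0506E: mapped user missing in TAM
            cmds = [f"user import {user} {target}"]
        findings.append((code, user, cmds))
        user = dn = None
    return findings


if __name__ == "__main__":
    for code, user, cmds in triage(SAMPLE_LOG):
        print(code, user, *cmds, sep="\n  ")
```

The script only prints the commands; an administrator reviews them and enters them at the pdadmin prompt.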
Related concepts
Authorization in WebSphere Application Server
Tivoli Access Manager integration as the JACC provider
JACC providers
JACC support in WebSphere Application Server
Related tasks
Enabling an external JACC provider
Configuring a JACC provider
Propagating security policy of installed applications to a JACC provider using wsadmin scripting
Related reference
Interfaces used to support JACC
Related information
IBM Tivoli Access Manager for e-business 5.1