Explanation | The syntax or structure of this filter is: LDAP attribute=$[Client certificate attribute] (for example, uid=$[SubjectCN]). The left side of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The right side of the filter specification is one of the public attributes in your client certificate. The right side must begin with a dollar sign ($) and an open brace ({ or [) and end with a close brace (} or ]). You can use the following certificate attribute values on the right side of the filter specification. The strings are case sensitive: $[UniqueKey], $[PublicKey], $[Issuer], $[NotAfter], $[NotBefore], $[SerialNumber], $[SigAlgName], $[SigAlgOID], $[SigAlgParams], $[SubjectCN], $[Version]. |
Action | Ensure that the certificate filter follows the documented syntax. |
Explanation | The Distinguished Name (DN) field specified in the certificate filter is unknown. |
Action | Ensure that the certificate filter is correct. For more information, see the certification configuration documentation. |
Explanation | The specified initialization property is mandatory. The user registry operation cannot start without it. |
Action | Ensure this property is specified in the server.xml file. Ensure this property is not empty or null. |
Explanation | The TBSCertificate certificate attribute cannot be used in the filter specification. You can use the following certificate attribute values on the right side of the filter specification. The strings are case sensitive: ${UniqueKey}, ${PublicKey}, ${Issuer}, ${NotAfter}, ${NotBefore}, ${SerialNumber}, ${SigAlgName}, ${SigAlgOID}, ${SigAlgParams}, ${SubjectCN}, ${Version}. |
Action | Ensure that the certificate filter is correct. |
Explanation | You can use only the following certificate attribute values on the right side of the filter specification. The strings are case sensitive: ${UniqueKey}, ${PublicKey}, ${Issuer}, ${NotAfter}, ${NotBefore}, ${SerialNumber}, ${SigAlgName}, ${SigAlgOID}, ${SigAlgParams}, ${SubjectCN}, ${Version}. |
Action | Ensure that the certificate filter is correct. |
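The certificate filter rules in the entries above (the `LDAP attribute=$[Client certificate attribute]` syntax, the case-sensitive list of permitted attributes, and the rejection of TBSCertificate) can be checked before a filter is deployed. The following linter is an added example, not code from the product: `lint_certificate_filter` is a hypothetical name, the pattern used for LDAP attribute names is an assumption, and the sample filters are constructed.

```python
import re

# Certificate attribute names listed on this page (case sensitive).
ALLOWED_ATTRS = (
    "UniqueKey", "PublicKey", "Issuer", "NotAfter", "NotBefore",
    "SerialNumber", "SigAlgName", "SigAlgOID", "SigAlgParams",
    "SubjectCN", "Version",
)
_BY_LOWER = {name.lower(): name for name in ALLOWED_ATTRS}

# Assumption: an LDAP attribute name is a letter followed by letters,
# digits or hyphens. Adjust to the schema of your LDAP server.
_LDAP_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")

# A "$", then (optionally) an open brace, a name and a close brace.
# The page allows "{" or "[" to open and "}" or "]" to close, so either
# closer is accepted here.
_VAR = re.compile(r"\$(?:([{\[])([^{}\[\]$=()]*)([}\]])?)?")


def lint_certificate_filter(spec):
    """Return a list of problems found in a certificate filter string.

    An empty list means the filter follows the syntax described above.
    """
    matches = list(_VAR.finditer(spec))
    if not matches:
        return ["no $[...] or ${...} certificate attribute on the right side"]

    problems = []
    for m in matches:
        opener, name, closer = m.group(1), m.group(2), m.group(3)
        where = f"offset {m.start()}"

        if opener is None:
            problems.append(f"{where}: '$' is not followed by '{{' or '['")
            continue
        if closer is None:
            problems.append(f"{where}: missing closing '}}' or ']'")
            continue

        # Right side: the name must be one of the listed attributes.
        if name == "TBSCertificate":
            problems.append(f"{where}: TBSCertificate cannot be used in a filter")
        elif name not in ALLOWED_ATTRS:
            hint = _BY_LOWER.get(name.lower())
            if hint:
                problems.append(
                    f"{where}: '{name}' has the wrong case, use '{hint}'")
            else:
                problems.append(
                    f"{where}: '{name}' is not a permitted certificate attribute")

        # Left side: an LDAP attribute name immediately followed by "=".
        left = spec[:m.start()]
        if not left.endswith("="):
            problems.append(f"{where}: variable is not preceded by 'attribute='")
        else:
            # Tolerate LDAP filter punctuation in front of the attribute name.
            attr = re.split(r"[(&|!,\s]", left[:-1])[-1]
            if not _LDAP_ATTR.match(attr):
                problems.append(
                    f"{where}: left side '{attr}' is not an LDAP attribute name")
    return problems


if __name__ == "__main__":
    # Constructed sample filters, not taken from any real configuration.
    samples = [
        "uid=$[SubjectCN]",
        "uid=${SubjectCN}",
        "uid=$[subjectcn]",
        "cn=${TBSCertificate}",
        "uid=$SubjectCN",
        "uid=${SubjectCN",
        "=$[Issuer]",
        "uid=SubjectCN",
    ]
    for s in samples:
        result = lint_certificate_filter(s)
        print(f"{s!r}: {'OK' if not result else '; '.join(result)}")
```
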
Explanation | An operation has been requested on an entity, but that operation does not support the specified entity type. |
Action | Ensure that the entities that are provided in the input are of supported entity types, and remove any unsupported entity types from the input. |
Explanation | An operation has been requested on an entity, but that operation does not support the specified entity type. |
Action | Ensure that the entities that are provided in the input are of supported entity types, and remove any unsupported entity types from the input. |
Explanation | The specified property is not defined. |
Action | Ensure that the property is defined or use the correct property name. |
Explanation | The operation cannot be performed because the specified entity is not in the scope of the realm. |
Action | Ensure that the unique name of the entity is specified correctly. If a realm name is specified in the Context object of the input object, ensure that the name is spelt correctly. |
Explanation | The operation could not be performed because the default parent for this entity type could not be determined. |
Action | Ensure that the default parent for the entity type is configured for the federated repositories or realm. The parent may also be specified as part of the input. |
Explanation | A SortControl object was passed in for the search operation without a sort key, which is required to perform the sort. |
Action | Set the sort key in the SortControl object and ensure that the property used as the sort key is part of the return property list. |
Explanation | The user registry cannot get the next page of the search results. The cookie parameter that is used to get the next page of the search results must be specified in the PageControl object. |
Action | Ensure that the cookie property is specified in the PageControl object with an initial value of 0. The cookie in the PageResponseControl object returns the cookie value that is used to get the next page of the search results. |
Explanation | The search operation cannot be performed. The expression property must be specified in the SearchControl object. |
Action | Provide a search expression string in the expression property in the SearchControl object. |
Explanation | The operation cannot be performed. The search expression specified in the SearchControl object does not follow a supported XPath syntax. |
Action | Review the syntax of the search expression and correct any errors. |
Explanation | When creating an entity, the relative distinguished name (RDN) must be well formed and contain properties that are not ambiguous. For example, the OrgContainer entity type can represent either an organization (that uses the 'o' RDN property) or an organizational unit (that uses the 'ou' RDN property) in an underlying repository. If both 'o' and 'ou' are specified in the RDN for the input data object for the new entity, a unique name for the new entity cannot be created. |
Action | Determine the entity type that you want to create in the underlying repository and provide the appropriate RDN property for that type. For example, if you want to create an organization, provide only the 'o' property value. |
Explanation | The identifier of the entity was not specified. The system cannot find the entity. The user registry operation cannot continue without finding this entity. |
Action | Ensure that the entity in the input object contains an identifier property. |
Explanation | The specified identifier object is not valid. Either a valid uniqueId or uniqueName attribute must be specified in the identifier object. The user registry operation cannot continue without a valid identifier object. If an identifier object has been specified, either the uniqueId or the uniqueName is empty or null. |
Action | Ensure that the entity in the input object has an identifier with a valid uniqueId or uniqueName (both cannot be null or empty). |
Explanation | The specified unique name syntax is not valid. The uniqueName specified in the identifier property is not correct. The user registry operation cannot continue without the correct unique name. |
Action | Verify that the unique name is spelt correctly. Review the unique name syntax. For example, if it is in a Distinguished Name (DN) format, ensure that the special characters are escaped correctly. |
Explanation | The value of the property is not valid. For example, an identifier type property points to an incorrect entry. |
Action | Ensure that the value of the property is correct and is of the correct data type. If you are trying to retrieve identifier type property along with other properties, then split them into two calls. One call to retrieve non-identifier type properties and the other call to retrieve the identifier type property. |
Explanation | The value of the property is not valid. For example, an identifier type property points to an incorrect entry. |
Action | Ensure that the value of the property is correct and is of the correct data type. If you are trying to retrieve identifier type property along with other properties, then split them into two calls. One call to retrieve non-identifier type properties and the other call to retrieve the identifier type property. |
Explanation | The specified uniqueId of the parent entity is not valid. Specify a valid uniqueId. |
Action | Verify that the uniqueId for the parent entity is present in the repository and that it is specified correctly. |
Explanation | The format of the value of the property is not valid. For example, the type of the property is an integer, but the value specified is not a valid integer. |
Action | Ensure that the value of the property is of the correct data type and format. |
Explanation | The operation does not support multiple entities. For example, the update operation can only be performed on one entity at a time. |
Action | Ensure that only one entity is passed for the user registry operation. |
Explanation | The SearchControl object must be specified in the input object of the search operation. |
Action | Specify the SearchControl object in the search input object. |
Explanation | The number of records returned by the search is greater than the maximum number of records specified in the search limit. |
Action | Either increase the maximum search limit or make the search expression more restrictive so that a smaller number of records are fetched. |
Explanation | The countLimit parameter is used to specify the number of search results the caller wants to return in a search operation. It cannot be used together with the PageControl object. |
Action | Based on the requirement, the caller can use either the countLimit parameter or the PageControl object but not both. |
Explanation | Searching on principalName together with other properties in a search expression is not supported. |
Action | Do not use principalName in search operations along with other properties. |
Explanation | The count limit for a search operation cannot be a negative number. A positive number sets the maximum number of entries returned as a result of the search. The value 0 indicates no limit; all entries are returned if the search limit is set to 0. |
Action | Do not specify a negative number for count limit. |
Explanation | During a get operation, if the externalName is set, then the ExternalNameControl must be specified. |
Action | Specify the ExternalNameControl or remove the externalName from the input object. |
Explanation | The repository is a read-only repository. It does not support create, update, or delete operations. |
Action | Ensure that a write operation is not invoked on a read-only repository. |
Explanation | The operation cannot be performed because the value of the mandatory property is missing. For example, RDN (Relative Distinguished Name) property is not specified when the entity is created; or propertyName or entityTypeName is missing from PropertyDefinitionControl or ExtensionPropertyDefinitionControl; or entityName is missing from the entitySchema. |
Action | Provide a value for the mandatory property. |
Explanation | The operation cannot be performed because the value of the mandatory property is missing. For example, RDN (Relative Distinguished Name) property is not specified when the entity is created; or propertyName or entityTypeName is missing from PropertyDefinitionControl or ExtensionPropertyDefinitionControl; or entityName is missing from the entitySchema. |
Action | Provide a value for the mandatory property. |
Explanation | The search operation cannot be performed because the search expression is not valid. |
Action | Provide a valid search expression. |
Explanation | The specified operation requires an Entity object. |
Action | The entity object must be defined for the entity that you want to operate on. |
Explanation | The search limit for a search operation cannot be a negative number. |
Action | Do not specify a negative number for the search limit property. The value must be 0 or a positive number. |
Explanation | There is no cross-repository group configuration defined for the repository. |
Action | Refer to the log file for the reason for the failure. Check your repository configuration. |
Explanation | The user registry cannot get the next page of the search results. The cookie parameter that is used to get the next page of the search results in the PageControl object is not valid. |
Action | Ensure that a valid cookie is specified in the PageControl object. |
Explanation | The specified search base does not exist in the current realm. |
Action | Check the search base specified and ensure that the corresponding base entry is configured in the current realm. |
Explanation | The extended property is already defined, and the duplicate definition is ignored, because two properties cannot have the same name. |
Action | Check for multiple definitions for the extended property in the server configuration. Delete or rename duplicates. |
Explanation | The property is already defined in the entity's schema and cannot be redefined as an extended property, so the extended property definition is ignored. |
Action | Check the entity's schema to determine if the property can be used. Either rename or delete the conflicting extended property from the server configuration. |
Explanation | The program encountered a system exception while performing the user registry operation. |
Action | Review the logs for the cause of this error and take appropriate corrective actions. |
Explanation | The program encountered a system exception while performing the user registry operation. |
Action | Review the logs for the cause of this error and take appropriate corrective actions. |
Explanation | The program encountered the specified error during the operation. |
Action | Review the logs for the cause of this error and take appropriate corrective actions. |
Explanation | The program encountered the specified error during the operation. |
Action | Review the logs for the cause of this error and take appropriate corrective actions. |
Explanation | The program encountered the specified error during the operation. |
Action | Review the logs for the cause of this error and take appropriate corrective actions. |
Explanation | The caller's subject cannot be retrieved because of an unknown error. |
Action | Review the trace logs for the root cause of the error. There might be a problem with the WebSphere security configuration. |
Explanation | The subject's credentials cannot be retrieved because of an unknown error. |
Action | Review the trace logs for the root cause of the error. There might be a problem with the WebSphere security configuration. |
Explanation | The identifiers uniqueName and uniqueId are not specified. At least one identifier must be specified. |
Action | Ensure that the identifier property is specified for each entity that is passed in. If an identifier is not specified, add the property and specify either the uniqueName or the uniqueId. |
Explanation | The search operation cannot be performed because the search expression is not valid. |
Action | Provide a valid search expression. |
Explanation | An exception was thrown by the custom registry. The custom registry might be unavailable or unable to perform the operation. |
Action | Review the reason message and the trace file to determine the cause of the failure. Fix the error and try again. |
Explanation | An error occurred while mapping the given certificate to the user registry. |
Action | Either correct the certificate mapping in the server.xml file or log in with a valid certificate. |
Explanation | An error occurred while generating the certificate from the input certificate file. |
Action | Log in with a valid certificate. |
Explanation | The specified entity name, which could be a uniqueName or a uniqueId, could not be found in the underlying repository. The user registry operation cannot continue without finding this entity. |
Action | Ensure that the entity exists in the underlying repository. If the entity exists, then verify that the read permission is set for the entity and try again. |
Explanation | The specified entity name, which could be a uniqueName or a uniqueId, could not be found in the underlying repository. The user registry operation cannot continue without finding this entity. |
Action | Ensure that the entity exists in the underlying repository. If the entity exists, then verify that the read permission is set for the entity and try again. |
Explanation | The specified entity name, which could be a uniqueName or a uniqueId, could not be found in the underlying repository. The user registry operation cannot continue without finding this entity. |
Action | Ensure that the entity exists in the underlying repository. If the entity exists, then verify that the read permission is set for the entity and try again. |
Explanation | The specified user is trying to clear the entire cache of the specified repository by using the clearAll mode. |
Action | This message is logged for audit purposes. |
Explanation | The specified clear cache mode is not supported for this repository. |
Action | Specify a clear cache mode that is supported for the specified repository. |
Explanation | The specified clear cache mode is invalid for this repository. |
Action | Specify the correct clear cache mode. The cache will not be cleared for the specified repository unless a valid clear cache mode is provided. |
Explanation | The X.509 certificate mapping mode was set to CUSTOM, but no custom X.509 certificate mapper was bound to the LDAP registry. |
Action | Ensure that the certificateMapperId attribute in the LDAP registry is configured to point to a valid custom X.509 certificate mapper. |
Explanation | The specified unique name or an entity with same RDN value already exists in the repository. A duplicate entity with the same unique name or same Relative Distinguished Name (RDN) cannot be added to the repository. |
Action | Retry the operation and specify a different name for the entity to make it unique. |
Explanation | The custom X.509 certificate mapper threw a CertificateMapNotSupportedException exception. |
Action | If the exception was unexpected, review the custom X.509 certificate mapper implementation and make necessary changes. |
Explanation | The custom X.509 certificate mapper threw a CertificateMapFailedException exception. |
Action | If the exception was unexpected, review the custom X.509 certificate mapper implementation and make necessary changes. |
Explanation | The custom X.509 certificate mapper must return a non-empty and non-null value or throw one of the named exceptions. |
Action | Modify the custom X.509 certificate mapper implementation so that it does not return an empty or null value. If a valid value cannot be returned, the implementation must throw a checked exception. |
Explanation | The entity cannot be retrieved because of the reason specified by the underlying repository. |
Action | Review the reason message and the trace file to determine the cause of the failure. Fix the error and try again. |
Explanation | One or more instances of the loginProperty attribute are defined. These attributes are used to build the user filter. |
Action | If the userFilter attribute is preferred, remove any loginProperty attributes. |
Explanation | One or more login properties are not valid WIM PersonAccount properties. |
Action | Either choose valid PersonAccount properties or add the properties to PersonAccount as extended properties. Ensure that the case for each login property matches the case for the corresponding PersonAccount property. |
Explanation | The entity cannot be searched because of the reason specified by the underlying registry. |
Action | Review the reason message and the trace file to determine the cause of the failure. Fix the error and try again. |
Explanation | Either the specified Kerberos principal is invalid, or the Kerberos credential cache (ccache) is invalid or expired. |
Action | Ensure that a valid Kerberos principal is specified, and that the Kerberos credential cache (ccache) is not expired. |
Explanation | Either the specified Kerberos principal is invalid, or the Kerberos keytab is invalid. |
Action | Ensure that a valid Kerberos principal is specified, and that a valid Kerberos keytab containing the Kerberos principal is specified. |
Explanation | Either the specified Kerberos principal is invalid, or the default Kerberos credential cache (ccache) is invalid or expired. |
Action | Ensure that a valid Kerberos principal is specified, and that the default Kerberos credential cache (ccache) is not expired. |
Explanation | The federated repository could not be initialized due to an underlying failure. |
Action | Review the reason message and the trace file to determine the cause of the failure. Fix the error and try again. |
Explanation | To use the keytab file, the keytab filename must be specified and the Kerberos credential cache (ccache) filename must not be specified. |
Action | No action is required. To avoid this message, remove either the LDAP registry ticketCache attribute or the Kerberos keytab attribute. |
Explanation | The Kerberos principal name cannot be null. The principal name must either include the realm name or a default realm name must be defined in the Kerberos configuration file. |
Action | Correct the principal name or add a default realm name. |
Explanation | The Kerberos file cannot be opened. Either the file permissions are incorrect, or the file does not exist. |
Action | Verify that the file location is correct and that the server has read file permissions. |
Explanation | The value of the property, level, was specified as a negative number. |
Action | The value of the property, level, must be either 0 or a positive integer. Change the value of the property level and then try again. |
Explanation | The value of the property, level, was specified as a negative number. |
Action | The value of the property, level, must be either 0 or a positive integer. Change the value of the property level and then try again. |
Explanation | The configuration refers to a file that is either unreadable or does not exist. |
Action | Ensure that the configuration points to a file that exists and is readable by the application process. |
Explanation | The specified property is not defined for the particular entity type. |
Action | Verify that the property name is correct. |
Explanation | The specified distinguished name (DN) is not valid. The user registry operation cannot continue without a valid DN. |
Action | Ensure that the syntax of the distinguished name is correct. For example, review for escape characters. |
Explanation | The userIdMap value must be in a valid format so that the objectclass and attribute can be parsed. |
Action | Update the userIdMap value so that it adheres to the specified format. |
Explanation | The delete or rename function can only be performed on a leaf entity, that is, an entity without any descendants. The specified entity has descendants. |
Action | Delete all the descendants of the entity first, then delete or rename the entity itself. |
Explanation | The message indicates that a general naming exception has occurred during an LDAP operation. See the exception for additional details. |
Action | Ensure that the related repository (for example, a database or an LDAP server) is started and set up correctly. |
Explanation | The message indicates that a general naming exception has occurred during an LDAP operation. See the exception for additional details. |
Action | Ensure that the related repository (for example, a database or an LDAP server) is started and set up correctly. |
Explanation | The Kerberos service was not available when the LDAP registry attempted to bind to the LDAP server. If the Kerberos service is not available, no users can authenticate. |
Action | Review the LDAP registry configuration settings for the bindAuthMechanism, krb5Principal, and krb5TicketCache attributes as well as the Kerberos configuration. Restart the server. |
Explanation | The data type specified does not match with the data type that is defined for the property. For example, the data type defined in the configured user registry is a binary, but the data type defined in the back-end repository is a string. |
Action | Ensure that the data type of the property is the same both in the configured user registry and in the back-end repository. |
Explanation | The LDAP registry replaces the %v with the value to search for when doing searches for users or groups. |
Action | Update the specified filter to include an attribute value assertion that contains =%v in the value assertion. |
Explanation | Either the specified Kerberos principal is invalid, or the default Kerberos keytab is invalid. |
Action | Ensure that a valid Kerberos principal is specified and that the default Kerberos keytab is valid. |
Explanation | The group related operations, such as assigning members to a group or getting the members of a group, are only applicable to the Group entity type. An exception is thrown if the specified entity is not of a Group type. |
Action | Ensure that the specified entity type is of Group type. For the LDAP adapter, ensure that the object class that is defined for the Group entity type matches with the actual object class of group. |
Explanation | During creation, if the parent of the entity that you want to create is not found, an exception is thrown. |
Action | Ensure that the default parent defined for the entity exists. If it does not exist, you need to create it and retry your operation. |
Explanation | The LDAP entry for the specified entity is not found on the LDAP server. |
Action | Ensure that the unique name of the entity is correctly specified. Ensure that the node mapping of the LDAP repository is correctly defined. |
Explanation | The LDAP attribute used as the external identifier must be unique and cannot contain multiple values. |
Action | Ensure that the correct attribute is chosen for the external identifier. If no appropriate attribute exists, the distinguished name can be used as the external identifier. |
Explanation | The specified principal name cannot be authenticated because the password verification failed. |
Action | Ensure that both the principal name and the password are specified correctly. Ensure that the account is not locked and that the account is enabled. |
Explanation | The repository does not support authentication with the certificate. |
Action | Ensure that the repository supports authentication with the certificate. |
Explanation | The entity type defined in the server.xml file must be unique. |
Action | Edit the server.xml file to remove the duplicate entity type. |
Explanation | The initial context pool size should be less than the maximum context pool size. |
Action | Ensure that the initial context pool size is less than the maximum context pool size or set the maximum context pool size to 0. |
Explanation | The preferred context pool size should be less than the maximum context pool size. |
Action | Ensure that the preferred context pool size is less than the maximum context pool size or set the maximum context pool size to 0. |
Explanation | Configuration changes to federated repositories triggered an update to the LDAP repository, but there was an error while processing those changes. |
Action | Review the logs for the cause of this error and take appropriate corrective actions. |
Explanation | A principal name is required to log in with a password. |
Action | Ensure that the principal name is specified. |
Explanation | The principal name is not found in the repository. The login process cannot continue. |
Action | Ensure that the correct principal name is specified. |
Explanation | Multiple principals were found for the given principal name. The login process cannot continue. |
Action | Ensure that the right principal name is specified. For example, specifying the principal name as a unique name can avoid this type of exception. |
Explanation | Multiple principals were found for the given principal name. The login process cannot continue. |
Action | Ensure that the right principal name is specified. For example, specifying the principal name as a unique name can avoid this type of exception. |
Explanation | If the principal name is specified during login, the password cannot be null or empty. |
Action | Specify the password. |
Explanation | If the principal name is specified during login, the password cannot be null or empty. |
Action | Specify the password. |
Explanation | Authentication using a certificate is not allowed by the underlying user registry. |
Action | Authenticate using a user ID and password instead of using a certificate. |
Explanation | In the create or update operation, a value is specified for a property that cannot be written to the repository. For example, a principalName cannot be specified for a CREATE operation. |
Action | Remove the erroneous property from the input and retry the operation by specifying valid properties and values. |
Explanation | All write operations (create, update, delete) are allowed only on the primary LDAP server. |
Action | Ensure that the primary server has been started and retry the operation. |
Explanation | The LDAP attribute used as the external identifier must contain a value for each entity. |
Action | Ensure that the correct attribute is chosen for the external identifier. If no appropriate attribute exists, the distinguished name can be used as the external identifier. |
Explanation | If a repository supports change tracking as specified by the 'supportChangeLog' flag for the repository in the server.xml file, then the checkpoint passed for it in the ChangeControl should not be empty or null. |
Action | Try the search again with a valid checkpoint or disable 'supportChangeLog' for that repository in the server.xml file, if the user registry adapter is not capable of change tracking. |
Explanation | The valid change types for a search for changed entities are add, modify, delete, rename and * (* is for all change types). |
Action | Specify one of the valid change types. |
Explanation | Cannot connect to the primary LDAP server. Connection to the failover server will occur if configured in the server.xml file. See the failover documentation for more information. |
Action | Ensure that the specified LDAP server is up and running. |
Explanation | The user registry is now connected to the specified LDAP Server. |
Action | No user action required. |
Explanation | The starting index for the paged results cannot be less than 1. If the specified value is less than 1, then the value is discarded and the returned results start from the first page by default. |
Action | Ensure that the startIndex parameter value is set to greater than or equal to 1. |
Explanation | The sort order parameter must be specified either in ascending or descending order. If any other value is specified, then the sort order is set to ascending by default. |
Action | Ensure that the sort order is specified either in ascending or descending order. |
Explanation | When the value of the count parameter is less than or equal to zero, the page cache is cleared and no data is returned. All subsequent calls get the data from the back-end. |
Action | Ensure that the value of the count parameter is correct. |
Explanation | The SCIM API was unable to parse the search filter. |
Action | Ensure that the search filter is valid and that it conforms to System for Cross-domain Identity Management (SCIM) standards. |
Explanation | It is expected that the URL includes an identifier for the requested resource, since the URL ends in a backslash. |
Action | To request a collection of resources, remove the trailing backslash from the URL. If you are requesting a specific resource, append the identifier for the resource to the URL. |
Explanation | The user has tried to delete himself or herself from virtual member manager. This action is not allowed. |
Action | Log in as a different user to delete the current user. |