Why isn’t our WebSphere Commerce account lockout policy working?
In this post, I discuss how to troubleshoot Account Lockout Policy issues with Commerce.
WebSphere Commerce provides the ability to create account lockout policies to prevent users from continuously attempting to logon to the site with invalid credentials. Additional information on Account Lockout policies can be found here in Knowledge Center. Below are several things to validate when you feel your account lockout policy is not functioning as intended.
Validate your Account lockout mode
Account lockout policies only work when the authentication mode is DB; they do not work when LDAP is used for authentication.
<MemberSubSystem AuthenticationMode="DB" ProfileDataStorage="DB" name="Member SubSystem">
Check the account lockout policy settings for the user
Account lockout policy settings are stored in the PLCYACCLCK table. Run the following query to determine the PLCYACCLCK settings for the user you are concerned with:
SELECT LOCKOUTTHRESHOLD, WAITTIME FROM PLCYACCLCK WHERE PLCYACCLCK_ID = (SELECT PLCYACCLCK_ID FROM PLCYACCT P, USERREG U WHERE U.PLCYACCT_ID = P.PLCYACCT_ID AND U.LOGONID = '<Users Logon>')
LOCKOUTTHRESHOLD – this is the number of times a user can consecutively enter an incorrect password before the system locks them out. Note the word consecutively: once the user authenticates successfully, the previous incorrect attempts are reset.
WAITTIME – this restricts the user from trying to log on again for a set period of time (seconds) after an invalid logon attempt.
Check the users’ registration record
The USERREG table stores data pertinent to the user's current state.
SELECT STATUS, PLCYACCT_ID, TIMEOUT, PASSWORDRETRIES, PASSWORDINVALID FROM USERREG WHERE LOGONID = '<Users Logon>'
STATUS – contains the user's current status with the site. A value of '0' shows the user account is locked and cannot logon. A value of '1' means the user is enabled.
PLCYACCT_ID – this is the PLCYACCT record which is tied to the user. This can be used to determine the PLCYACCLCK the user has been associated to.
TIMEOUT – this is the time for which the user cannot log in after a failed attempt to log in.
PASSWORDRETRIES – this is the number of times the user has unsuccessfully attempted to logon since their last successful attempt. When the password retries exceed PLCYACCLCK.LOCKOUTTHRESHOLD, the account will be locked (STATUS=0).
PASSWORDINVALID – contains the timestamp for the last unsuccessful logon attempt.
Use tracing to determine what is happening
The account lockout policy uses the WC_USER trace (com.ibm.websphere.commerce.WC_USER=all) to capture what is happening during a logon attempt.
In the trace, search for the following string: 'com.ibm.commerce.security.commands.LogonCmdImpl.isLogonAllowedNow'
You will see the following trace pattern with an Entry, Message and Exit:
Below are some of the common messages and their meaning the isLogonAllowedNow method will produce:
User Account is disabled
This is telling us the user's account is disabled and they will not be able to authenticate. This is due to USERREG.STATUS = 0.
Last failed logon timestamp is null; returning true
This is telling us the user's last attempt to authenticate was a success and the user will be allowed to logon.
No policy account lockout; returning true
This is telling us the user does not have an account lockout policy and will be able to logon. If you feel the user should have a lockout policy, validate that USERREG.PLCYACCT_ID is set to a valid PLCYACCT record with a matching PLCYACCLCK record.
Current time is before next allowed time; returning false
This is telling us the user is trying to authenticate too soon after an invalid password was entered and will not be able to logon; that is, the time of logon was prior to the allowed retry time (PASSWORDINVALID + WAITTIME). Note: this does not count as an invalid or valid logon attempt, so PASSWORDRETRIES will not be adjusted in this case.
Current time is after next allowed time; returning true
This is telling us the user who is trying to authenticate has waited the necessary time period since their last unsuccessful logon attempt (PASSWORDINVALID). The application will allow this user to logon.
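To make the relationship between the USERREG columns, the PLCYACCLCK settings and the isLogonAllowedNow messages concrete, here is an added Python model of those decisions (example code written for this post, not WebSphere Commerce's own implementation). The UserReg and LockoutPolicy classes, the helper names and the order of the checks are assumptions; the messages and the "exceeds LOCKOUTTHRESHOLD" and "PASSWORDINVALID + WAITTIME" rules are taken from the text above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

@dataclass
class UserReg:
    """Subset of the USERREG columns the post walks through."""
    status: int                          # 0 = locked, 1 = enabled
    passwordretries: int                 # consecutive failures since last success
    passwordinvalid: Optional[datetime]  # timestamp of last failed logon
    plcyacct_id: Optional[int]           # None models a user with no PLCYACCT

@dataclass
class LockoutPolicy:
    """The PLCYACCLCK row reached via USERREG.PLCYACCT_ID -> PLCYACCT."""
    lockoutthreshold: int
    waittime: int                        # seconds

def is_logon_allowed_now(user: UserReg, policy: Optional[LockoutPolicy],
                         now: datetime) -> Tuple[bool, str]:
    """Reproduce the isLogonAllowedNow decisions and trace messages listed above.
    The order of the checks is an assumption; it does not change allow/deny."""
    if user.status == 0:
        return False, "User Account is disabled"
    if user.passwordinvalid is None:
        return True, "Last failed logon timestamp is null; returning true"
    if user.plcyacct_id is None or policy is None:
        return True, "No policy account lockout; returning true"
    next_allowed = user.passwordinvalid + timedelta(seconds=policy.waittime)
    if now < next_allowed:
        # Rejected inside the wait window: PASSWORDRETRIES is NOT adjusted.
        return False, "Current time is before next allowed time; returning false"
    return True, "Current time is after next allowed time; returning true"

def record_failed_password(user: UserReg, policy: Optional[LockoutPolicy],
                           now: datetime) -> UserReg:
    """Bookkeeping after a wrong password: bump PASSWORDRETRIES, stamp
    PASSWORDINVALID, lock (STATUS=0) once retries exceed LOCKOUTTHRESHOLD
    ('exceed' read as strictly greater, per the wording above)."""
    user.passwordretries += 1
    user.passwordinvalid = now
    if policy is not None and user.passwordretries > policy.lockoutthreshold:
        user.status = 0
    return user

def record_successful_logon(user: UserReg) -> UserReg:
    """A successful authentication resets the consecutive-failure counters."""
    user.passwordretries = 0
    user.passwordinvalid = None
    return user
```

Walking a user through a failed password, a retry inside WAITTIME, and repeated failures shows why PASSWORDRETRIES stays flat during the wait window but STATUS flips to 0 once the threshold is exceeded.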
If you are still unsure, open a PMR with WCS product support
If you are still unable to determine why your account lockout policy is not functioning as intended, please open a PMR with product support and perform the following steps to assist with analyzing the issue: