3 replies. Latest post 2012-11-01T16:02:20Z by kark
Single signon not working between Liberty profile and full WAS servers

SudhirKoka (5 Posts), 2012-11-01T02:15:05Z
Single sign-on using LTPA tokens is not working between a Liberty profile 8.5 server and a full WAS 8.5 server.

I have synced the LTPA keys between these two servers. I have configured the user "db2admin" with the same password in the Liberty profile 8.5 server (basicRegistry) and in the full WAS 8.5 server (file registry). I am using the same realm name "defaultWIMFileBasedRealm" in both servers.

I see the following VMM error on the full WAS server when I try to launch an application running on the full WAS server from the Liberty profile.
VMMtracefile.com.ibm.tivoli.reporting.advanced.cognos.auth.VMMProvider - looking for formfield credentials: 31 Oct 2012 18:53:21,317
DEBUG WebContainer : 1 VMMtracefile.com.ibm.tivoli.reporting.advanced.cognos.auth.utils.ServiceUtils - entering useLtpaToLogin: 31 Oct 2012 18:53:21,317
ERROR WebContainer : 1 VMMtracefile.com.ibm.tivoli.reporting.advanced.cognos.auth.utils.ServiceUtils - WSLoginFailedException thrown: 31 Oct 2012 18:53:21,317
com.ibm.websphere.wim.exception.InvalidUniqueNameException: CWWIM1011E The 'db2admin' unique name is not valid.
at com.ibm.ws.wim.util.UniqueNameHelper.formatUniqueName(UniqueNameHelper.java:102)
at com.ibm.ws.wim.ProfileManager.getImpl(ProfileManager.java:1566)
at com.ibm.ws.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:363)
at com.ibm.ws.wim.ProfileManager.get(ProfileManager.java:416)
at com.ibm.websphere.wim.ServiceProvider.get(ServiceProvider.java:366)
at com.ibm.ws.wim.registry.util.SecurityNameBridge.getUserSecurityName(SecurityNameBridge.java:222)
at com.ibm.ws.wim.registry.WIMUserRegistry$7.run(WIMUserRegistry.java:635)
at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5429)
at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5555)
at com.ibm.ws.wim.security.authz.jacc.JACCSecurityManager.runAsSuperUser(JACCSecurityManager.java:438)
at com.ibm.ws.wim.env.was.JACCAuthorizationService.runAsSuperUser(JACCAuthorizationService.java:1069)
at com.ibm.ws.wim.security.authz.ProfileSecurityManager.runAsSuperUser(ProfileSecurityManager.java:285)
at com.ibm.ws.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:623)
at com.ibm.ws.security.registry.UserRegistryImpl.getUserSecurityName(UserRegistryImpl.java:569)
at com.ibm.ws.security.ltpa.LTPAServerObject.getSecurityName(LTPAServerObject.java:1744)
at com.ibm.ws.security.ltpa.LTPAServerObject.validate(LTPAServerObject.java:1571)
at com.ibm.ws.security.ltpa.LTPAServerObject.validate(LTPAServerObject.java:1495)
at com.ibm.tivoli.reporting.advanced.cognos.auth.utils.ServiceUtils.useLtpaToLogin(ServiceUtils.java:112)
at com.ibm.tivoli.reporting.advanced.cognos.auth.VMMProvider.logon(VMMProvider.java:114)
at com.ibm.cognos.camaaa.internal.customLegacy.auth.NamespaceAuthProvider2Adapter.logon(NamespaceAuthProvider2Adapter.java:66)
at com.ibm.cognos.camaaa.internal.customLegacy.common.handler.CustomJavaProviderHandler.processAuthProviderRequest(CustomJavaProviderHandler.java:206)
at com.ibm.cognos.camaaa.internal.customLegacy.common.handler.CustomJavaProviderHandler.handleInboundRequest(CustomJavaProviderHandler.java:167)
kark (26 Posts), 2012-11-01T13:54:01Z, in response to SudhirKoka
Since two different repositories are being used, the uniqueId of the db2admin user in the basicRegistry is not the same as in the fileRegistry. The uniqueId of the user is stored in the LTPA token, so when the full WAS profile tries to get information about this user using the basicRegistry's uniqueId, it will not find it in the fileRegistry, which is what the exception below indicates.
--Ajay
SudhirKoka (5 Posts), 2012-11-01T15:41:39Z, in response to kark
How should one configure the repositories for single sign-on to work between a Liberty Profile server and a full WAS server? The full WAS server does not have a basic registry, whereas the Liberty Profile server does not have the file registry. A lot of our customers do not have an LDAP repository in their environments, so we cannot force them onto an LDAP repository (not sure whether LDAP repositories work between Liberty and full WAS).

My expectation was that single sign-on would work as long as the user is defined in the Federated Repositories of the WAS server. It should not matter which repository it is under as long as the username and password match.
kark (26 Posts), 2012-11-01T16:02:20Z, in response to SudhirKoka
The same LDAP repositories in both Liberty and full profile should work. We use the uniqueName of the user (e.g. the full DN on LDAP), so if the repositories match it should work.

--Ajay
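As an added illustration of the mechanism Ajay describes and the fix he recommends (an example server.xml written for this page, not configuration posted in the thread or taken from IBM's documentation for this case), the Liberty configuration below shows the original basicRegistry setup commented out next to an ldapRegistry that points at the same directory the full profile's federated repositories use, plus the shared LTPA key file. The LDAP host, base DN, bind DN, passwords and realm name are placeholders; the full profile side is configured through its own administrative tooling to use that same LDAP repository and to import the same ltpa.keys file.

```xml
<server description="Liberty profile: SSO with a full WAS profile (added example)">
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
        <feature>servlet-3.0</feature>
    </featureManager>

    <!-- Original setup from the thread: a basicRegistry that shares only the
         user name and realm name with the full profile's file registry.
         The LTPA token Liberty issues carries the basicRegistry uniqueId
         ("db2admin"), which the full profile's federated repositories reject
         with CWWIM1011E because they expect a DN-style uniqueName.
    <basicRegistry id="basic" realm="defaultWIMFileBasedRealm">
        <user name="db2admin" password="CHANGEME" />
    </basicRegistry>
    -->

    <!-- Fix: both servers authenticate against the same LDAP directory, so the
         uniqueName in the token (the user's full DN) resolves on either side.
         Placeholders: host, baseDN, bindDN, bindPassword, realm. -->
    <ldapRegistry id="ldap" realm="SharedLdapRealm"
        host="ldap.example.com" port="389" ignoreCase="true"
        baseDN="o=example,c=us"
        bindDN="cn=ldapbind,o=example,c=us"
        bindPassword="CHANGEME"
        ldapType="IBM Tivoli Directory Server" />

    <!-- The same key file and password that the full profile exported.
         Token validation on the full profile fails if the keys differ;
         sharing keys is necessary but, as this thread shows, not sufficient
         when the registries behind the two servers are different. -->
    <ltpa keysFileName="${server.config.dir}/resources/security/ltpa.keys"
          keysPassword="CHANGEME" expiration="120" />
</server>
```

The realm value should be set to whatever realm the full profile's federated repositories report, so that both servers agree on it as the thread's poster already did. The check that the fix worked is the one the original post implies: log in to an application on the Liberty server, then open an application on the full profile in the same browser session; with matching registries the full profile's log no longer shows the CWWIM1011E InvalidUniqueNameException during useLtpaToLogin.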