  • Latest Post - ‏2014-02-17T15:00:09Z by MandeepG
zbychfish
52 Posts

Pinned topic ISIM 6.0 - security domain in WAS for organizational feed

‏2012-11-14T15:19:58Z |
Hi,
I am trying to create the organizational feed for the new ISIM 6.0.
The new version assumes a security domain, and I have successfully logged in to ISIM using the WSLogin profile:

system.setJavaProperty("java.security.auth.login.config", "c:\\jaas.conf");
system.setJavaProperty("com.ibm.CORBA.ConfigURL", "c:\\sas.client.props");
system.setJavaProperty("com.ibm.CORBA.securityServerHost", "10.8.8.10");
system.setJavaProperty("com.ibm.CORBA.securityServerPort", "2809");
contextFactory = "com.ibm.itim.apps.impl.websphere.WebSpherePlatformContextFactory";
appServerUrl = "iiop://10.8.8.10:2809";
ejbUser = "itim manager";
ejbPswd = "XXXX";
env = new Packages.java.util.Hashtable();
env.put(Packages.com.ibm.itim.apps.InitialPlatformContext.CONTEXT_FACTORY, contextFactory);
env.put(Packages.com.ibm.itim.apps.PlatformContext.PLATFORM_URL, appServerUrl);
env.put(Packages.com.ibm.itim.apps.PlatformContext.PLATFORM_PRINCIPAL, ejbUser);
env.put(Packages.com.ibm.itim.apps.PlatformContext.PLATFORM_CREDENTIALS, ejbPswd);
env.put(Packages.com.ibm.itim.apps.PlatformContext.PLATFORM_REALM, "itimCustomRealm");
platform = Packages.com.ibm.itim.apps.InitialPlatformContext(env);
handler = new Packages.com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl(ejbUser, "itimCustomRealm", ejbPswd);
lc = new Packages.javax.security.auth.login.LoginContext("WSLogin", handler);
lc.login();

Then I tried to get the root of the organization:

var container = new Packages.com.ibm.itim.apps.identity.ContainerManager(platform, userSubject);
root = container.getRoot();
and I have received an error:

com.ibm.itim.apps.ApplicationException: CORBA NO_PERMISSION 0x0 No; nested exception is:
org.omg.CORBA.NO_PERMISSION:
>> SERVER (id=4773e3aa, host=ISIM) TRACE START:
>> org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException: ; nested exception is:
com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for ??? while invoking (Home)ITIM#api_ejb.jar#enroleejb.OrganizationManagerHome create::2 null vmcid: 0x0 minor code: 0 completed: No

I assume that I have a problem with the configuration of CORBA in the client environment.

BTW: When I switch off the security domain, I can log on using the old (5.1) method and get the root container info.

Any suggestions?
  • lotim
    72 Posts

    Re: ISIM 6.0 - security domain in WAS for organizational feed

    ‏2013-08-01T11:23:54Z  

    Hi,

    I have the same situation, same .CORBA.NO_PERMISSION error with com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for ??? while invoking...

    The strange thing is that the ISIM Java examples work fine, but I cannot seem to get past this error. It would be great if someone could chime in on this problem.

    /L-O

  • zbychfish
    52 Posts

    Re: ISIM 6.0 - security domain in WAS for organizational feed

    ‏2013-08-01T13:30:27Z  

    Problem solved.

    The CORBA environment is not set in the TDI Java runtime.

    Use the configuration from ISIM WAS.

    Should work!!!

     

  • lotim
    72 Posts

    Re: ISIM 6.0 - security domain in WAS for organizational feed

    ‏2013-08-02T07:41:26Z  

    Hi!

    Thanks for the feedback!

    Can you elaborate a bit more regarding where I find the configuration in ISIM WAS, and do you use system.setJavaProperty to set the CORBA environment in TDI?

    Is this the place in ISIM WAS to find the CORBA settings?
    Security domains > ISIMSecurityDomain > Custom properties

    Thanks,

    L-O

    Updated on 2013-08-02T07:43:28Z by lotim
  • zbychfish
    52 Posts

    Re: ISIM 6.0 - security domain in WAS for organizational feed

    ‏2013-08-02T10:39:37Z  

    Hi,

    The Java ORB configuration is stored in the orb.property file in the lib directory of the JRE home.

    My orb file contains:

    # IBM JDK properties  
    org.omg.CORBA.ORBClass=com.ibm.CORBA.iiop.ORB
    org.omg.CORBA.ORBSingletonClass=com.ibm.rmi.corba.ORBSingleton
    javax.rmi.CORBA.StubClass=com.ibm.rmi.javax.rmi.CORBA.StubDelegateImpl
    javax.rmi.CORBA.PortableRemoteObjectClass=com.ibm.rmi.javax.rmi.PortableRemoteObject
    javax.rmi.CORBA.UtilClass=com.ibm.ws.orb.WSUtilDelegateImpl

    # WS Plugins
    com.ibm.CORBA.ORBPluginClass.com.ibm.ws.wlm.client.WLMClient
    com.ibm.CORBA.ORBPluginClass.com.ibm.ws.orbimpl.transport.WSTransport
    com.ibm.CORBA.ORBPluginClass.com.ibm.ws.orbimpl.WSORBPropertyManager
    com.ibm.CORBA.ORBPluginClass.com.ibm.ISecurityUtilityImpl.SecurityPropertyManager
    com.ibm.CORBA.ORBPluginClass.com.ibm.ws.orb.WSSubcontractInitImpl

    # WS Interceptors
    org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ws.Transaction.JTS.TxInterceptorInitializer
    org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ejs.ras.RasContextSupport
    org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ISecurityLocalObjectBaseL13Impl.ClientRIWrapper
    org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ws.activity.remote.cos.ActivityServiceClientInterceptor
    org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRI
    org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.debug.olt.ivbtrjrt.OLT_RI
    org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ws.wlm.client.WLMClientInitializer

    # WS ORB & Plugins properties
    com.ibm.ws.orb.transport.ConnectionInterceptorName=com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityConnectionInterceptor
    com.ibm.ws.orb.transport.WSSSLClientSocketFactoryName=com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl
    com.ibm.CORBA.enableLocateRequest=true
    com.ibm.CORBA.ORBCharEncoding=UTF8
    com.ibm.CORBA.ForceTunnel=never
    com.ibm.CORBA.TransportMode=Pluggable
     

    Code similar to the following should work:

    system.setJavaProperty("java.security.auth.login.config", "file:c:/IBM/OrangeHRM/TDI/jaas_login_was.conf");
    system.setJavaProperty("com.ibm.CORBA.securityServerHost", "192.168.168.10");
    system.setJavaProperty("com.ibm.CORBA.securityServerPort", "2809");
    system.setJavaProperty("com.ibm.CORBA.ConfigURL", "file:C:/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/sas.client.props");
    system.setJavaProperty("com.ibm.SSL.ConfigURL", "file:C:/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/ssl.client.props");
    contextFactory = "com.ibm.itim.apps.impl.websphere.WebSpherePlatformContextFactory";
    appServerUrl = "corbaloc:iiop:192.168.168.10:2809";
    ejbUser = "itim manager";
    ejbPswd = "password";

    env = new Packages.java.util.Hashtable();

    env.put(Packages.com.ibm.itim.apps.InitialPlatformContext.CONTEXT_FACTORY, contextFactory);
    env.put(Packages.com.ibm.itim.apps.InitialPlatformContext.PLATFORM_URL, appServerUrl);
    env.put(Packages.com.ibm.itim.apps.InitialPlatformContext.PLATFORM_PRINCIPAL, "itim manager");
    env.put(Packages.com.ibm.itim.apps.InitialPlatformContext.PLATFORM_CREDENTIALS, "password");
    env.put(Packages.com.ibm.itim.apps.InitialPlatformContext.PLATFORM_REALM, "ibmtestad");
    platform = Packages.com.ibm.itim.apps.InitialPlatformContext(env);
    handler = new Packages.com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl(ejbUser, "ibmtestad", ejbPswd);
    lc = new Packages.javax.security.auth.login.LoginContext("WSLogin", handler);
    lc.login();
    mgr = new Packages.com.ibm.itim.apps.identity.PersonManager(platform, lc.getSubject());
    people = mgr.getPeople("uid", "ssmith", null);
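
An added example, not part of the original post: a check, runnable under Node.js, that compares a client JRE's ORB properties file (for instance the one TDI uses) with a reference copy from the WAS JRE and lists the entries the client lacks, flagging the security-related ones. The sample file contents are constructed from the listing above; the function names and the security heuristic are assumptions of this example.

```javascript
// Added example (not from the thread). Sample files are constructed: REFERENCE
// is a shortened copy of the listing above, CLIENT stands in for a JRE that
// lacks the WebSphere entries.
var REFERENCE = [
  "# IBM JDK properties",
  "org.omg.CORBA.ORBClass=com.ibm.CORBA.iiop.ORB",
  "# WS Plugins",
  "com.ibm.CORBA.ORBPluginClass.com.ibm.ISecurityUtilityImpl.SecurityPropertyManager",
  "# WS Interceptors",
  "org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRI",
  "# WS ORB & Plugins properties",
  "com.ibm.ws.orb.transport.ConnectionInterceptorName=com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityConnectionInterceptor",
  "com.ibm.CORBA.TransportMode=Pluggable"
].join("\n");
var CLIENT = "org.omg.CORBA.ORBClass=com.ibm.CORBA.iiop.ORB\n";

// Simplified java.util.Properties parsing: '#' and '!' start comments, the
// first '=' or ':' ends the key, and a line with no separator is a key with
// an empty value (the ORBPluginClass / ORBInitializerClass entries).
function parseProps(text) {
  var props = Object.create(null);
  text.split(/\r?\n/).forEach(function (raw) {
    var line = raw.trim();
    if (line === "" || line.charAt(0) === "#" || line.charAt(0) === "!") return;
    var m = /^([^=:\s]+)\s*[=:]?\s*(.*)$/.exec(line);
    if (m) props[m[1]] = m[2];
  });
  return props;
}

// Heuristic (an assumption of this example): an entry is security-related if
// its key or value names a class in an ISecurity* or *.security.* package.
function isSecurityEntry(key, value) {
  return /ISecurity|\.security\./.test(key + "=" + value);
}

// Report reference entries that the client file lacks or sets differently.
function diffOrbProps(referenceText, clientText) {
  var ref = parseProps(referenceText), cli = parseProps(clientText);
  var report = { missing: [], different: [], securityGaps: [] };
  Object.keys(ref).forEach(function (key) {
    var kind = !(key in cli) ? "missing" : cli[key] !== ref[key] ? "different" : null;
    if (!kind) return;
    report[kind].push(key);
    if (isSecurityEntry(key, ref[key])) report.securityGaps.push(key);
  });
  return report;
}

console.log(JSON.stringify(diffOrbProps(REFERENCE, CLIENT), null, 2));
```

To use it on real files, read both files into strings and pass the WAS copy as the first argument.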

     

  • lotim
    72 Posts

    Re: ISIM 6.0 - security domain in WAS for organizational feed

    ‏2013-12-16T23:22:13Z  

    Hi!

    I get this to work just fine now, but I get another strange error: when I try to authenticate with a wrong timid / password, I get prompted with a login dialogue. I would like to trap the login exception and not get the login dialogue hanging at OS level.

    How do you prevent the login dialog from popping up?

     

    Thanks,

    L-O

  • MandeepG
    4 Posts

    Re: ISIM 6.0 - security domain in WAS for organizational feed

    ‏2014-02-17T15:00:09Z  

    Hi,

    On calling Container.getRoot(), I am getting the same exception -> org.omg.CORBA.NO_PERMISSION:
        >> SERVER (id=4773e3aa, host=WIN-I8S94JFSJR5) TRACE START:
        >>    org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException:  ; nested exception is:
        com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for ??? while invoking (Home)ITIM#api_ejb.jar#enroleejb.OrganizationManagerHome create::2 null  vmcid: 0x0  minor code: 0  completed: No
        >>     at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:685)
        >>     at com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java:275)

    As suggested above, I have copied the orb.properties from the WAS JRE lib folder and have also used the code above. Still, I am struggling with the above error. Is there anything else to be done?

    Please help!