AC Messages

CSIAC0501E Creation of database connection failed. Check the database configuration and network connectivity to the database server.

Explanation

The database connection could not be created.

Action

Ensure that the database is configured correctly. Also check that the network connectivity to the database server is available.

CSIAC0502E A database error occurred.

Explanation

An unrecoverable database error occurred.

Action

Check the server logs for more details to trace the cause of the error.

CSIAC0503E A file database error has occurred.

Explanation

An unrecoverable file database error occurred.

Action

Check the server logs for more details to trace the cause of the error.

CSIAC0504E The database file does not exist.

Explanation

An unrecoverable database error occurred.

Action

Check the server logs for more details to trace the cause of the error.

CSIAC0505E Unable to reach Database.

Explanation

The database cannot be reached.

Action

Check the server logs for more details to trace the cause of the error.

CSIAC0506E Unable to get Data Access Object.

Explanation

An instance of the Data Access Object cannot be retrieved.

Action

Check the server logs for more details to trace the cause of the error.

CSIAC0507E Unable to retrieve transaction.

Explanation

A Transaction object cannot be retrieved from the Data Access Object.

Action

Check the server logs for more details to trace the cause of the error.

CSIAC0508E An invalid SQL statement was executed.

Explanation

The result from a SQL statement showed invalid execution.

Action

Check the server logs for more details to trace the cause of the error.

CSIAC0509E An invalid cleanup interval of VALUE_0 was defined.

Explanation

The cleanup interval is invalid. It must be a valid integer above 60000.

Action

Check the server logs for more details to trace the cause of the error.

CSIAC0510E The datasource VALUE_0, could not be retrieved.

Explanation

The JNDI lookup to get a datasource failed.

Action

Check the server logs for more details to trace the cause of the error.

CSIAC0511E An error occurred during deserialization as part of a database operation.

Explanation

The deserialization failed for a stored data object.

Action

Check the server logs for more details to trace the cause of the error.

CSIAC0512E An invalid configuration parameter was specified for either the retry limit, retry delay or default TTL of the distributed map.

Explanation

One or more of the following parameter values is invalid: retryLimit, retryDelay, or defaultTTL.

Action

Check the server logs for more details to trace the cause of the error.

CSIAC1501E An error occurred during the login process.

Explanation

The server might be experiencing problems.

Action

Try again later. If the problem persists, contact the administrator.

CSIAC1502E The service does not exist or is disabled.

Explanation

The tenant does not exist or is disabled.

Action

Ensure that the tenant is in the correct state.

CSIAC1503E User with the unique ID [uid] was not found for this tenant.

Explanation

The user with the specified ID does not exist for this tenant.

Action

Specify a valid user ID.

CSIAC1504E Federated user with the unique ID [uid] was not found for this tenant.

Explanation

The federated user with the specified ID does not exist for this tenant.

Action

Specify a valid user ID.

CSIAC1505E User with the name [userName] was not found for this tenant.

Explanation

The user with the specified name does not exist for this tenant.

Action

Specify a valid user name.

CSIAC1506E Federated user with the name [userName] was not found for this tenant.

Explanation

The federated user with the specified name does not exist for this tenant.

Action

Specify a valid user name.

CSIAC1507E Unable to retrieve users for this tenant.

Explanation

The retrieval of users for this tenant failed.

Action

Ensure that the User Profile Management service is up and running.

CSIAC1508E No user matched the filter [filterString] for this tenant.

Explanation

No user matched the specified user filter for this tenant.

Action

Try filtering users on other properties.

CSIAC1509E Invalid filter string specified to retrieve the users.

Explanation

The specified filter string was invalid. Users cannot be fetched using a null or empty filter string.

Action

Specify a valid filter string for users.

CSIAC1510E Invalid filter string specified to retrieve the groups.

Explanation

The specified filter string was invalid. Groups cannot be fetched using a null or empty filter string.

Action

Specify a valid filter string for groups.

CSIAC1511E Unable to retrieve groups for this tenant.

Explanation

The retrieval of groups for this tenant failed.

Action

Ensure that the User Profile Management service is up and running.

CSIAC1512E No group found for the tenant.

Explanation

The groups are not defined for this tenant.

Action

Ensure that the groups are defined appropriately for this tenant. For example, allUsers, admins, etc.

CSIAC1513E Group with the unique ID [uid] was not found for this tenant.

Explanation

The group with the specified ID does not exist for this tenant.

Action

Specify a valid group ID.

CSIAC1514E Group with the name [name] was not found for this tenant.

Explanation

The group with the specified name does not exist for this tenant.

Action

Specify a valid group name.

CSIAC1515E No group matched the filter [filterString] for this tenant.

Explanation

No group matched the specified group filter for this tenant.

Action

Try filtering groups on other properties.

CSIAC1516E Unable to call the User Profile Management API. URL: url. Exception: exception.

Explanation

This may happen due to insufficient privileges or the operation may not be allowed.

Action

Ensure that the caller has appropriate entitlements for the resources.

CSIAC1517E A call to the User Profile Management API failed. URL: url. Status: status. Error Response: error.

Explanation

An API call can fail due to an invalid URL path or invalid parameters.

Action

Ensure that the URL path and the parameters specified are valid.

CSIAC3000E The value value received for AttributeName in the ElementName element is not valid.

Explanation

The data received from the peer node does not conform to Liberty protocol version 1.0.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3001E A value for the attribute AttributeName must be provided for the <ElementName> element.

Explanation

The application is in error. Required data was not set in the Liberty protocol object.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3002E The VariableName message that was received specifies an unsupported version [MajorMinor]. Only version MajorMinor is supported.

Explanation

The data from the peer node specifies a version that is not supported by this application.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3003E The received message failed signature verification: error_message.

Explanation

The received message was signed but signature verification failed.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3004E The received message was not signed.

Explanation

This application is configured to require that all received messages must be signed, but the message received was not signed.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3005E The attempt to sign a message was unsuccessful.

Explanation

The protocol message could not be signed. This error could be caused by a keystore configuration error or expired certificates.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3006E An unexpected exception was caught while initializing the keystore.

Explanation

An unexpected exception was caught from the key service.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3007E An unexpected exception was caught decoding a BASE64 encoded string.

Explanation

A string that should be BASE64 encoded could not be decoded.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3008E The member element MemberElementName must be provided for the <ElementName> element.

Explanation

The application is in error. Required data was not set in the Liberty protocol object.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3009E The received <ElementName> element does not contain the required member element MemberElementName.

Explanation

The sending application is in error. Required data was not included in the incoming request message.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3010E The received element <ElementName> does not contain the required attribute MemberElementName.

Explanation

The sending application is in error. Required data was not included in the incoming request message.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3011E The received element <ElementName> does not match the expected element <ExpectedElementName>.

Explanation

The sending application is in error. The request or response does not conform to the Liberty message protocol.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3012E The elements <ElementName> and <ElementName> are mutually exclusive members of the <ElementName> element.

Explanation

The sending application is in error. The request or response does not conform to the Liberty message protocol.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3013E The artifact string length is not valid. The length is <length> bytes instead of 42 bytes.

Explanation

The sending application is in error. The request or response does not conform to the Liberty message protocol.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3014E The artifact type is unsupported.

Explanation

The sending application is in error. The request or response does not conform to the Liberty message protocol.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3015E The signature algorithm <length> is missing or unsupported.

Explanation

The sending application is in error. The request or response does not conform to the Liberty message protocol.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3016E The received namespace URI [Namespace] does not match the expected namespace URI [ExpectedNamespace] for element <ExpectedNamespace>.

Explanation

The sending application is in error. The request or response does not conform to the Liberty message protocol.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3017E The received URL-encoded <Request> is not valid: [Input string].

Explanation

The URL-encoded string that was received is not valid. The most likely cause is that the data was sent to the wrong URL endpoint by the sender.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3018E A key alias was not provided by the caller.

Explanation

The caller did not provide a key alias.

Action

Ensure that a key alias is provided.

CSIAC3019E The attempt to encrypt or decrypt a message was unsuccessful: Error message.

Explanation

The protocol message could not be signed. This error could be caused by a keystore configuration error or expired certificates.

Action

Enable a trace for detailed messages and validate the configuration.

CSIAC3020E An error occurred when decoding SAML message. The message may be corrupted or encoded incorrectly.

Explanation

An error occurred when decoding the SAML message. The message may be corrupted or encoded incorrectly.

Action

Check the assertion for any encoding issues.

CSIAC3021E An error occurred when parsing SAML message. The message may be corrupted or malformed.

Explanation

An error occurred when parsing the SAML message. The message may be corrupted or malformed.

Action

Check the assertion for any malformed XML elements.

CSIAC4501E The received request is missing the required parameter: parameter

Explanation

The current request is not valid.

Action

Validate the incoming message.

CSIAC4502E The value value for attribute attr is not valid.

Explanation

The current request is not valid.

Action

Validate the incoming message.

CSIAC4503E The requested target, target is unknown or disabled.

Explanation

The current request is not valid.

Action

Validate the incoming message, and that the identity provider has configured and enabled service provider partners for this target.

CSIAC4504E The request received an artifact with succinct ID: succinctId, which did not match a known partner identity provider.

Explanation

The current request is not valid.

Action

Validate the incoming message and the configuration of the partner identity providers.

CSIAC4505E The current user making the request is not authenticated.

Explanation

The current request is not valid.

Action

Validate the incoming message.

CSIAC4506E The token cannot be exchanged for the service provider.

Explanation

The current request could not be completed because the token exchange failed.

Action

Validate the incoming message and the trust service configuration.

CSIAC4507E No configured post page is available to use to return the token to the service provider.

Explanation

The current request could not be completed because the token exchange succeeded but no configured post page was available.

Action

This is a configuration error. Ensure that the post page exists in the template directory.

CSIAC4508E No token was available to return to the service provider.

Explanation

The current request could not be completed because the token exchange failed.

Action

Validate the incoming message and the trust service configuration.

CSIAC4509E The system cannot process the request because the SAML response message that was received is not valid. The message might be corrupted or malformed.

Explanation

The SAML response message must be valid and well-formed.

Action

Validate the incoming message and the trust service configuration.

CSIAC4510E The sign-on message at the service provider contained parameters that are not valid.

Explanation

The current request could not be completed because the sign-on request is not valid.

Action

Validate the incoming message from the identity provider.

CSIAC4511E The response from the identity provider could not be understood or did not contain an assertion: samlresponse.

Explanation

The current request could not be completed because the identity provider response was not understandable or did not contain a SAML assertion for sign on.

Action

Ensure that the identity provider is configured to send the correct XML element response and that the request to the identity provider was valid.

CSIAC4512E The identity provider token cannot be exchanged for one that is valid for the resource.

Explanation

The current request could not be completed because the identity provider response was not understandable.

Action

Validate that the identity provider is configured to send the correct XML element response.

CSIAC4513E The SAML artifact: artifact is not valid.

Explanation

The current request could not be completed as the provided SAML artifact is not valid.

Action

Validate that the service provider is configured correctly.

CSIAC4514E The SAML assertion cannot be retrieved.

Explanation

The current request could not be completed because a SAML assertion could not be retrieved.

Action

Validate that the service provider is configured correctly and that the identity provider is configured to store the assertions for a sufficient time.

CSIAC4515E While processing action: action the internal context was missing attribute: action.

Explanation

The current request could not be completed because of an internal processing error.

Action

Contact IBM software support with this log file.

CSIAC4516E While processing action: action the following configuration parameter was determined to be missing or incorrect: action.

Explanation

The current request could not be completed because the configuration is not valid.

Action

Validate that the system is configured correctly.

CSIAC4517E The assertion could not be retrieved from the identity provider at: ip using artifact: artifact.

Explanation

The service provider could not retrieve the assertion from the identity provider.

Action

Ensure that the identity provider is available.

CSIAC4518E The user cannot be authenticated.

Explanation

The current request could not be completed because the trust service response could not authenticate the user.

Action

Validate that the trust service and Point of Contact are properly configured.

CSIAC4519E The SAML request is not valid.

Explanation

The current request could not be completed because the request received is not valid.

Action

Validate that the request is valid.

CSIAC4520E The where-are-you-from process received a request for the identity provider: ipURL, which did not match a known partner identity provider.

Explanation

The current request received a where-are-you-from cookie which did not match an enabled partner identity provider.

Action

Validate that the incoming message contains a WAYF cookie that matches one of the provider IDs for an enabled partner identity provider. One workaround is to delete all persistent cookies on the browser and have the user perform the WAYF process again.

CSIAC4521E The sign-on request at the service provider did not contain valid sign-on parameters. Either a SAML Response or a SAML Artifact should be included in the initial sign-on request.

Explanation

The current request could not be completed because the sign-on request is not valid.

Action

Validate the incoming message from the browser to ensure that the identity provider has sent either a valid browser-artifact sign-on (redirect containing a SAMLart parameter), or a valid browser-post sign-on (POST containing a SAMLResponse parameter).

CSIAC4530E Unexpected exception: exception

Explanation

The SAML 2.0 plug-in caught an unexpected exception.

Action

Examine the trace logs for more information.

CSIAC4531E Cannot determine the message issuer.

Explanation

The Issuer attribute is required for this message and cannot be determined.

Action

Verify that the configuration is correct. The message issuer is the self provider ID.

CSIAC4532W The provider is passive and cannot display the following page on the browser: page

Explanation

The provider is passive and cannot take control of the user interface, including displaying pages.

Action

This might or might not be a problem. If it is a problem, determine why the provider is passive by examining trace logs and configuration. A provider can be directed to be passive by the IsPassive attribute in an authentication request.

CSIAC4533E The provider cannot find the page to display.

Explanation

The provider cannot find a page to display in the browser.

Action

Examine the trace logs to determine which page was supposed to have been displayed. It might have been an error status page or a success status page. Check the system installation to determine if the pages have been properly installed.

CSIAC4535E The provider is passive and cannot force a user authentication.

Explanation

The provider is passive and cannot take control of the user interface, including authenticating the user.

Action

Reconfigure the requesting provider to send authentication requests that do not require forced authentication, or that do not require the identity provider to be passive, or both.

CSIAC4536E The provider is passive and cannot query the user for consent to federate.

Explanation

The provider is passive and cannot take control of the user interface, including querying the user for consent-to-federate accounts.

Action

Reconfigure the requesting provider to send authentication requests that do not require the identity provider to be passive.

CSIAC4537E Cannot determine the SAML status.

Explanation

The SAML status attribute is required for this message and cannot be determined.

Action

Examine the trace logs to see why the SAML status was not set.

CSIAC4538E Cannot create account linkage between the providers.

Explanation

The accounts are not linked and the SAML request forbids creating account information required for linkage.

Action

Reconfigure the requesting provider to send authentication requests that allow the identity provider to create account linkage. This is done by setting the AllowCreate attribute in the NameIDPolicy element to true.

CSIAC4539E Cannot create account linkage between the providers because the user denied consent to federate.

Explanation

The accounts are not linked (federated) and the user denied permission to link them.

Action

Instruct end users to consent to account linkage (federation).

CSIAC4540E The timestamp in the SAML message is out of range. The message timestamp, msgTime, is not within tolerance seconds of compareTime.

Explanation

The SAML message has a timestamp that is not valid.

Action

There are several reasons that a SAML message timestamp might be out of range: the clocks on the service provider and identity provider systems are skewed beyond the acceptable tolerance, network delays are hampering message flow, or the acceptable tolerance for message timestamps is set too low. The administrator should check these points and make any necessary adjustments.

CSIAC4541E The destination URL in the SAML message (msgDest) does not match the current provider location (here).

Explanation

The SAML message has a destination URL that is not valid.

Action

The most likely problem is that the SAML message is being created with an incorrect destination. Verify that configuration on the sending provider specifies the correct URL for the receiving provider.

CSIAC4542E No authentication assertions were found.

Explanation

No assertions could be found at the identity provider.

Action

Examine the trace logs to see why no authentication assertion was set.

CSIAC4543E Cannot determine the message destination.

Explanation

The Destination attribute is required for this message and cannot be determined.

Action

Verify that the configuration is correct. The message destination is the URI to which the message is sent.

CSIAC4544E Cannot determine the endpoint endpoint for provider.

Explanation

The required target endpoint for the SAML message cannot be determined.

Action

Verify that the configuration is correct.

CSIAC4545E The name identifier policy in the authentication request could not be met by this identity provider.

Explanation

The identity provider could not create a name identifier that adhered to the policy in the authentication request. Usually, this means that the policy specified an unsupported format or did not specify that a persistent identifier could be created.

Action

Verify that authentication requests specify supported name identifier policies, or do not specify a policy at all.

CSIAC4546E The user account could not be federated.

Explanation

The identity provider could not federate the user account. Usually, this means that there is something wrong with the identity service.

Action

Verify that the identity service is configured properly and that the registry server is available.

CSIAC4547E This provider cannot accept an unsolicited authentication response.

Explanation

The authentication response being processed does not have a corresponding authentication request. This provider is not configured to accept unsolicited authentication responses.

Action

Verify that the service provider is configured properly regarding acceptance of unsolicited authentication responses.

CSIAC4548E The specifications for the endpoint endpoint are not valid.

Explanation

The endpoint specified by the SAML message cannot be validated.

Action

Verify that the configuration is correct and that endpoint specifications such as index, URL and binding in the message are correct.

CSIAC4549E Cannot determine the name identifier for the logout request.

Explanation

The NameID attribute is required for this message and cannot be determined.

Action

Examine the trace logs to see why no name identifier information was set.

CSIAC4550E Cannot determine the session index for the logout request.

Explanation

The SessionIndex attribute is required for this message and cannot be determined.

Action

Examine the trace logs to see why no session index was set.

CSIAC4551E The logout requester is not a valid partner.

Explanation

The issuer of the logout request message cannot be determined as a valid partner to this provider. On an identity provider, the request issuer must be a provider to which this provider has issued an assertion. On a service provider, the request issuer must be a provider that has issued an assertion to this provider.

Action

If the request is legitimate, examine the trace logs to see why the request issuer was not found in the list of known logout partners.

CSIAC4552E The response message does not correlate to the pending request.

Explanation

The response message contains an InResponseTo attribute that does not match the ID attribute of the pending request. It is possible that the response was received in error.

Action

If the response is legitimate, examine the trace logs to see why the InResponseTo attribute does not match the ID attribute of the currently pending request.

CSIAC4553E Logout failed.

Explanation

The locally authenticated user was not logged out successfully.

Action

Examine the trace logs to see why logout failed.

CSIAC4554E Cannot find partner configuration for provider partner.

Explanation

The required configuration for the partner provider cannot be found.

Action

Ensure that the partner provider's metadata has been imported into this federation and that the configuration file is not corrupted.

CSIAC4555E Token exchange failed.

Explanation

The current request could not be completed because the token exchange failed.

Action

Validate the incoming message and the trust service configuration. In addition, examine the trace logs to see why the token exchange failed.

CSIAC4556E The message has an Issuer attribute that is not valid.

Explanation

The SAML message is required by the specification to have an Issuer attribute. The Issuer format, if specified, must be urn:oasis:names:tc:SAML:2.0:nameid-format:entity. The message is either missing the Issuer attribute or has the wrong format specified.

Action

Examine the trace logs on the provider that issued the message to see why the message was constructed without the Issuer attribute or with the incorrect Issuer format.

CSIAC4557E The issuer of the ArtifactResolve message, issuer, does not match the intended recipient of the artifact message, recipient.

Explanation

An ArtifactResolve message was received from a provider which is not the intended recipient of the message associated with the artifact.

Action

The system is behaving correctly by disregarding potential attacks.

CSIAC4558E Cannot initialize the SOAP client for the endpoint endpoint.

Explanation

Unable to initialize the SOAP client.

Action

Validate the SOAP client configuration. In addition, examine the trace logs for additional information.

CSIAC4559E The artifact exchange failed. The message could not be retrieved using artifact: artifact.

Explanation

This provider attempted to exchange an artifact for a SAML protocol message but no message was returned.

Action

Examine the artifact issuer to see why the artifact was not exchanged. For example, the artifact may have expired and its associated message may have been purged from the system.

CSIAC4560E A SAML response message was received that is not valid.

Explanation

A SAML response message was received, but a corresponding SAML request message could not be found. The response is considered invalid.

Action

If the SAML response is expected, examine the trace logs to see why the corresponding SAML request was not found. Otherwise, no action is needed.

CSIAC4561E A SAML response message was received that is not valid.

Explanation

A SAML response message was received, but it did not contain any AuthnStatements. The response is considered invalid for purposes of authentication.

Action

Examine the issuer of the SAML message to see why it issued a SAML assertion with no AuthnStatement.

CSIAC4562E No alias was found for user User and provider PartnerProvider.

Explanation

There was no alias found for the currently authenticated user for the specified partner provider.

Action

Enable trace for detailed messages about the error.

CSIAC4563E The identity service request to remove an alias for userId and provider providerId failed.

Explanation

The identity service operation was not successful.

Action

Ensure that the identity and provider are valid and check the log for messages returned from the identity service.

CSIAC4564E No principal was found for alias aliasId and partner provider providerId.

Explanation

The identity service operation was not successful.

Action

Validate that the alias and provider are valid and check the log for messages returned from the identity service.

CSIAC4565E The identity service request to update an alias for userId and provider providerId failed.

Explanation

The identity service operation was not successful.

Action

Validate that the identity and provider are valid and check the log for messages returned from the identity service.

CSIAC4566E The assertion issued by partnerProvider could not be validated or decrypted.

Explanation

The assertion could not be validated or decrypted.

Action

Make sure that the validation keys, decryption keys and decryption parameters are configured properly for the provider that issued the assertion. The trace log will indicate which operation failed, validation or decryption.

CSIAC4567E The SAML message could not be decrypted.

Explanation

The SAML message could not be decrypted.

Action

Make sure that the decryption keys and decryption parameters are configured properly for the provider that sent the message.

CSIAC4568E The SAML message signature could not be validated.

Explanation

The SAML message signature could not be validated.

Action

Make sure that the validation key is configured properly for the provider that sent the message.

CSIAC4569E The SAML message could not be parsed.

Explanation

The SAML message could not be parsed.

Action

Make sure that the incoming message is properly formatted.

CSIAC4570E The SAML artifact could not be parsed.

Explanation

The SAML artifact could not be parsed.

Action

Make sure that the incoming artifact is properly formatted.

CSIAC4571E The incoming HTTP message is not valid.

Explanation

The incoming HTTP message is not valid.

Action

Make sure that the incoming HTTP message is properly formatted.

CSIAC4572E Authentication failed at the identity provider.

Explanation

The SAML status included in the authentication response message indicates that authentication failed at the identity provider.

Action

Examine the trace logs on the identity provider that issued the response message to see why the authentication operation failed.

CSIAC4573E The name identifier in the request is not valid.

Explanation

The name identifier in the request does not match the information that was stored for that provider during login. If the service provider was acting as a member of an affiliation group during login, the name identifier in the request must reflect that fact.

Action

If the request is legitimate, examine the trace logs to see why information in the request name identifier does not match the information stored for that provider.

CSIAC4574E Cannot perform the name ID management operation on a name identifier with format Format.

Explanation

The name identifier established during authentication in the current session is not persistent. Name ID update and termination management operations can be performed only on persistent name identifiers.

Action

The user should authenticate using a means that establishes a persistent name identifier and then retry the operation.

CSIAC4575E The request was missing the TARGET parameter.

Explanation

The initial request to the service provider must contain a TARGET parameter.

Action

Modify the initial request to the service provider to contain a TARGET parameter, which should point to the desired SSO target URL.

CSIAC4576E The request failed due to an internal error on the identity provider.

Explanation

The identity provider encountered an internal error preparing the samlp:Response for the service provider.

Action

Check the identity provider log to determine the root cause of this error. The identity provider configuration for this partner might not be correct.

CSIAC4577E The SAML request for artifact Artifact could not be created using signing key KeyIdentifier.

Explanation

The service provider was unable to generate a signed samlp:Request message.

Action

Check that the service provider signing key identifier is correctly configured.

CSIAC4578E The SAML artifact Artifact has already been presented to the identity provider.

Explanation

The identity provider has detected that this artifact has already been presented for exchange.

Action

This could be a replay attack, or the browser user may have simply reloaded the page containing the redirect to the service provider with the artifact.

CSIAC4579E The federation group type specified in the configuration is not supported. Group ID: 'id', Group display name: 'id', federation group type 'type'.

Explanation

The federation group defined is not a supported type.

Action

Verify that configuration files are present and have not been corrupted. Specify a supported group type in the configuration.

CSIAC4580E The partnerEndpointType endpoint for partner 'id' and display name 'displayName' for federation group with ID 'id' and display name 'displayName' is not valid. Endpoint value is 'displayName'.

Explanation

The specified partner endpoint is not valid.

Action

Verify that configuration files are present and have not been corrupted. Specify a valid endpoint value in the configuration.

CSIAC4581E The partnerEndpointType endpoint for self 'id' and display name 'displayName' for federation group with ID 'id' and display name 'displayName' is not valid. Endpoint value is 'displayName'.

Explanation

The specified self endpoint is not valid.

Action

Verify that configuration files are present and have not been corrupted. Specify a valid endpoint value in the configuration.

CSIAC4582E The partnerEndpointType endpoint is missing from the provider [id] and display name [displayName] configuration for federation group with ID [id] and display name [displayName].

Explanation

A required endpoint is missing from the provider's configuration.

Action

Verify that configuration files are present and have not been corrupted. Specify the required endpoint in the provider's configuration.

CSIAC4583E The propertyName property is missing from the provider [id] and display name [displayName] configuration for federation group with ID [id] and display name [displayName].

Explanation

A required property is missing from the provider's configuration.

Action

Verify that configuration files are present and have not been corrupted. Specify the required property in the provider's configuration.

CSIAC4584E The property value 'propertyValue' for property 'propertyName' specified for provider 'id' and display name 'displayName' for federation group with ID 'id' and display name 'displayName' is not valid.

Explanation

The specified property value is not valid.

Action

Verify that configuration files are present and have not been corrupted. Specify a valid property value in the configuration.

CSIAC4585E The boolean property value 'propertyValue' for property 'propertyName' specified for provider 'id' and display name 'displayName' for federation group with ID 'id' and display name 'displayName' is not valid. For Boolean properties the permitted values are 'true' or 'false'.

Explanation

The specified Boolean property value is not valid.

Action

Verify that configuration files are present and have not been corrupted. Specify a valid Boolean property value in the configuration.

CSIAC4586E The numeric property value [propertyValue] for property [propertyName] specified for provider [id] and display name [displayName] for federation group with ID [id] and display name [displayName] is not valid. The minimum value for this property is [displayName].

Explanation

The specified numeric property value is not valid.

Action

Verify that configuration files are present and have not been corrupted. Specify a valid numeric property value in the configuration.

CSIAC4587E The Identity provider succinct id value 'propertyValue' specified under property 'propertyName' for provider 'id' and display name 'displayName' for federation group with ID 'id' and display name 'displayName' is not valid. The identity provider succinct ID is a required property.

Explanation

The specified numeric property value is not valid.

Action

Verify that configuration files are present and have not been corrupted. Specify a valid identity provider succinct ID value in the configuration.

CSIAC4588E The common domain service host value 'commonDomainServiceHost' specified using property 'propertyName' for partner 'id' and display name 'displayName' for federation group with ID 'id' and display name 'displayName' is not valid. The common domain service host must start with "http://" or "https://" and end with the common domain value 'displayName'.

Explanation

The specified common domain service host is not valid.

Action

Verify that configuration files are present and have not been corrupted. Specify a valid common domain service host in the configuration.

CSIAC4589E The provider source id value [propertyValue] specified under property [propertyName] for provider [id] and display name [displayName] for federation group with ID [id] and display name [displayName] does not match the message digest of the provider ID.

Explanation

The specified provider source ID value is not valid.

Action

Verify that configuration files are present and have not been corrupted. Specify a valid provider source ID value in the configuration.

CSIAC4590E The binding value value for attribute attr is not valid for profile profile.

Explanation

The specified binding is not valid for the profile being executed.

Action

Validate the incoming message.

CSIAC4591E Unobfuscation of the basic authentication password for SOAP client authentication failed.

Explanation

Unobfuscation of the basic authentication password for SOAP client authentication failed.

Action

Check the logs for a runtime exception.

CSIAC4592E The ECP profile is not enabled for the provider.

Explanation

The ECP profile is not enabled.

Action

Validate the incoming message.

CSIAC4593E The name identifier policy in the request is not valid.

Explanation

The name identifier policy in the request is not valid. The format is not a supported format or the SPNameQualifier is not known to the provider.

Action

If the request is legitimate, examine the trace logs to see why the name identifier policy is considered invalid.

CSIAC4594E The SAML assertion contains a session index value that has been invalidated by a previously received logout request.

Explanation

The current request could not be completed because a SAML assertion is not considered valid.

Action

If the response is legitimate, examine the trace logs to see why the session index attribute was included on a logout request.

CSIAC4595E The SAML assertion with the specified assertion ID value was not found.

Explanation

The current request could not be completed because a SAML assertion was not stored or the assertion ID is not valid.

Action

Please submit the request with a valid assertion ID.

CSIAC4596E The index 'value' for endpoint type 'value' specified using query string parameter 'value' does not exist.

Explanation

The current request could not be completed because the endpoint index is not valid.

Action

Please submit the request with a valid endpoint index.

CSIAC4597E The value 'value' specified using query string parameter 'value' is not valid integer value.

Explanation

The current request could not be completed because a query string parameter is not valid.

Action

Please submit the request with a valid integer value.

CSIAC4598E Logout from one or more partners failed.

Explanation

A failed status was returned from one or more partner logout attempts.

Action

Check the logs for failure reason.

CSIAC4599E The users account was not successfully defederated from the partner.

Explanation

The user's account was not successfully defederated from the partner.

Action

Check the logs for failure reason.

CSIAC4600E The user provided to the administrative command does not have an active session.

Explanation

The users could not be logged out because they do not currently have a valid session.

CSIAC4601E The SAML assertion cannot be retrieved using artifact: artifact

Explanation

The current request could not be completed because a SAML assertion could not be retrieved.

Action

Validate that the service provider is configured correctly and that the identity provider is configured to store the assertions for a sufficient time.

CSIAC4602E The SAML module was unable to query the user attributes.

Explanation

The current request could not be completed because the SAML module was unable to create an attribute query service claims object.

Action

Check the logs for failure reason.

CSIAC4603E The SAML module was unable to obtain the subject name id from the attribute query request.

Explanation

The current request could not be completed because the subject name id is not valid.

Action

Please submit a valid attribute query request.

CSIAC4604E The SAML module was unable to obtain the subject principal name using the name id included with the attribute query request.

Explanation

The current request could not be completed because the subject principal name cannot be obtained.

Action

Please submit a valid attribute query request.

CSIAC4605E The SAML message could not be retrieved using artifact: artifact.

Explanation

The provider could not retrieve the SAML message using the supplied artifact.

Action

Ensure that the artifact is valid and the provider is properly configured.

CSIAC4606E The SAML artifact: artifact is expired.

Explanation

The artifact received is no longer valid.

Action

Ensure that the artifact is valid and the provider is properly configured.

CSIAC4608E The SAML request is expired.

Explanation

The request received is no longer valid.

Action

Ensure that the request is valid and the provider is properly configured.

CSIAC4609E The specified target URL did not match the allowed pattern.

Explanation

The target URL in the request did not match the configured pattern.

Action

None.

CSIAC4610E Unable to retrieve the application's configuration for the Entity ID value because there is no match found.

Explanation

The authentication request cannot be processed because the Entity ID from the authentication request does not match any configured application's Provider ID. The Provider ID must always match the application's Entity ID. This error might also happen if the application is not yet configured or the application's configuration was deleted.

Action

Check if the application is configured or available in the Applications page. If there is an existing application configuration, review and edit the Provider ID to match the application's Entity ID. Otherwise, create the application configuration and make sure to use the Entity ID as the Provider ID.

CSIAC4611E The SAML assertion is invalid because the required attribute attribute is missing from the SAML assertion.

Explanation

The SAML assertion contains child elements, which assert that certain attributes are associated with the authenticated user. The child elements of a SAML assertion include <saml:Issuer>, <saml:AttributeStatement>, <saml:Subject>, and others. Required attributes must be specified to process the assertion.

Action

Specify the missing attribute in the SAML assertion.

CSIAC4612E The application has been disabled.

Explanation

The system cannot perform the request because the application is currently disabled.

Action

Ensure the application is enabled and try again.

CSIAC4613E The partner partnername cannot update the user's federated identity.

Explanation

The SAML response indicates the partner cannot process the federated identity updating request.

Action

Check the logs for failure reason.

CSIAC4614E The partner partnername cannot delete the user's federated identity.

Explanation

The SAML response indicates the partner cannot process the federated identity deletion request.

Action

Check the logs for failure reason.

CSIAC4615E The system cannot process the request because no user login session exists.

Explanation

The user is not logged in.

Action

None.

CSIAC4616E The system cannot process the request because the SAML response that was received contains failure status. Status code [statuscode], status message [statusmessage].

Explanation

A configuration issue might exist with the application and the provider.

Action

Ensure that the application and provider are properly configured and try again.

CSIAC5002E The requester cannot be prompted for an identity provider. No defined federations are valid for the request.

Explanation

The current request and delegate protocol do not match any known defined federation.

Action

Validate the configuration of the single sign-on protocol service.

CSIAC5003E The template identifier cannot be located.

Explanation

The current request action cannot be processed.

Action

Validate the configuration of the single sign-on protocol service.

CSIAC5004E The template document used to request a requester's identity provider is not valid.

Explanation

The template document is missing the required tokens or is not a valid XML document.

Action

Validate the configuration of the single sign-on protocol service.

CSIAC5006E The request message could not be understood by the adapter.

Explanation

The request adapter was unable to adapt the input message.

Action

Validate the configuration of the single sign-on protocol service and the input message.

CSIAC5007E The single sign-on protocol service is in a state such that the status cannot be displayed with a template page.

Explanation

This error can be caused by an input request before the single sign-on protocol service is fully bootstrapped or it is caused by a configuration that is not valid.

Action

Validate the configuration of the single sign-on protocol service and the input message.

CSIAC5008E Requests cannot be accepted.

Explanation

This error can be caused by an input request before the single sign-on protocol service is fully bootstrapped or it can be caused by a configuration that is not valid.

Action

Validate the configuration of the single sign-on protocol service and the input message.

CSIAC5010E The request to address address cannot be accepted.

Explanation

This error might be caused by misconfiguration or by a request that is not valid.

Action

Validate the configuration of the single sign-on protocol service and the input message.

CSIAC5011E The protocol for address address could not be determined.

Explanation

This error typically occurs because the configuration is not valid or because a configuration has not been received.

Action

Validate the configuration of the single sign-on protocol service and replication latency.

CSIAC5012E The single-sign on protocol service has not started.

Explanation

This error typically occurs because the configuration is not valid or because a configuration has not been received.

Action

Validate the configuration of the single sign-on protocol service and replication latency.

CSIAC5014E An instance of a distributed map cannot be retrieved.

Explanation

Without the distributed map, the single sign-on protocol service cannot be configured.

Action

Validate the configuration of the single sign-on protocol service and environment.

CSIAC5015E An error occurred while moving to a new configuration.

Explanation

The newly set or retrieved configuration could not be used.

Action

Validate the configuration of the single sign-on protocol service and environment.

CSIAC5017E An error occurred while bootstrapping the single sign-on protocol service.

Explanation

The configuration could not be found or contains items that are not valid.

Action

Validate the configuration of the single sign-on protocol service. A detailed message can be found in the trace.

CSIAC5018E The version of the configuration inputVersion is not valid for the single sign-on protocol service.

Explanation

The configuration version is not valid.

Action

Validate the configuration of the single sign-on protocol service and the configuration versions.

CSIAC5020E The configured component className cannot be loaded.

Explanation

The configuration component is not valid.

Action

Validate the configuration of the single sign-on protocol service and the configuration versions.

CSIAC5021E The configured endpoint endpoint is not valid.

Explanation

The configuration component is not valid.

Action

Validate the configuration of the single sign-on protocol service and the configuration versions.

CSIAC5025E Unable to register a management bean.

Explanation

The configuration component is not valid.

Action

Check the log file for errors.

CSIAC5027E The configured delegate protocol delegate is not valid.

Explanation

The configuration component is not valid.

Action

Validate the configuration of the single sign-on protocol service and valid configuration versions.

CSIAC5029E The configured delegate protocol delegate has a configuration entry that is not valid for the configuration file location.

Explanation

The configuration component is not valid.

Action

Validate the configuration of the single sign-on protocol service and valid configuration versions.

CSIAC5037E The single sign-on protocol service configuration file cannot be located. This result might be expected.

Explanation

The configuration component is not valid.

Action

Validate the configuration of the single sign-on protocol service and the configuration versions.

CSIAC5038E The configuration file at confLocation cannot be read. This file is specified in the configuration and is required for the single sign-on protocol service to start.

Explanation

The configuration file is not valid. This result might be due to access violations or an XML validation error.

Action

Validate the configuration of the single sign-on protocol service and the configuration versions.

CSIAC5039E The component component cannot be created.

Explanation

The configuration file is not valid, or a specified class could not be loaded.

Action

Validate the configuration of the single sign-on protocol service and the configuration versions.

CSIAC5040E The component component cannot be created. The provided configuration is not valid.

Explanation

The configuration file is not valid.

Action

Validate the configuration of the single sign-on protocol service and the configuration versions.

CSIAC5041E No input was received with the management operation.

Explanation

The management operation is not valid.

Action

Validate the management operation.

CSIAC5042E The property, property, is required for this operation.

Explanation

The management operation is not valid.

Action

Validate the management operation.

CSIAC5043E The page factory root, root, does not exist.

Explanation

The management operation is not valid.

Action

Validate the management operation.

CSIAC5044E The page factory default language, root, does not exist.

Explanation

The management operation is not valid.

Action

Validate the management operation.

CSIAC5045E The given reference ID, id, is not valid.

Explanation

The management operation is not valid.

Action

Validate the management operation.

CSIAC5046E The given classname ,classname, could not be loaded.

Explanation

The management operation is not valid.

Action

Validate the management operation.

CSIAC5047E The given entity, entity, does not exist.

Explanation

The management operation is not valid.

Action

Validate the management operation.

CSIAC5048E The given value, value, is not valid for configuration item item.

Explanation

The management operation is not valid.

Action

Validate the management operation.

CSIAC5051E The WebSEAL authentication service client cannot be initialized.

Explanation

The management operation is not valid.

Action

Validate the management operation.

CSIAC5052E The WebSEAL authentication service client is not in a valid state because the configuration is not valid and cannot be used.

Explanation

The sign in or sign out operation cannot be performed.

Action

Validate the configuration of the authentication service and policy server configuration files.

CSIAC5053E The credential included with the request, cred, is not valid.

Explanation

The credential format is not understandable.

Action

Validate the configuration of the authentication service and WebSEAL.

CSIAC5054E The entity ID, id, is not valid.

Explanation

The configuration component is not valid.

Action

Validate the configuration of the single sign-on protocol service and the configuration versions.

CSIAC5055E The configured class, classN, does not implement or extend the required class or interface, intf.

Explanation

The configuration file is not valid.

Action

Validate the configuration of the single sign-on protocol service and the configuration versions.

CSIAC5056E The token included with the sign in request, cred, is not valid.

Explanation

The token type and format are not understandable.

Action

Validate the configuration of the authentication service and caller.

CSIAC5057E The required WebSEAL header, cred, is missing.

Explanation

The header is required for proper operation.

Action

Validate the WebSEAL configuration.

CSIAC5058E The sign out operation has failed.

Explanation

Sign out failed.

Action

Check the trace log for detailed output from the policy server.

CSIAC5059E The configured default page factory selector, selector, is not valid.

Explanation

The specified default selector is not valid.

Action

Check the configured default against the available selectors.

CSIAC5060E Page factory operation requires at least one page selector.

Explanation

The specified page factory configuration does not specify any selectors.

Action

Check the configuration of the page factory.

CSIAC5061E An unexpected error has occurred with a protocol module module.

Explanation

This error might be caused by misconfiguration or by a request that is not valid.

Action

Validate the configuration of the single sign-on protocol service, protocol module, and the input message.

CSIAC5062E The Point of Contact protocol module is missing the required action, specified by parameter parameter.

Explanation

This error is typically caused by a request that is not valid. The action parameter is necessary to determine the behavior of the module.

Action

Validate the request message.

CSIAC5063E The Point of Contact protocol module is missing the required token for the chosen action.

Explanation

This error is typically caused by a request that is not valid. The token is necessary to perform the specified action.

Action

Validate the request message.

CSIAC5064E The configured module with ID id and version version was not found when searching for modules.

Explanation

The module with the specified ID and version was not found while attempting to load modules. This can occur if the Federated Identity Manager modules have not been configured correctly or the module does not exist.

Action

Validate the Federated Identity Manager configuration.

CSIAC5065E The configured module with ID id does not expose a class with ID id.

Explanation

The module with the given ID and exposed class ID was not found while attempting to load modules. This can occur if the Federated Identity Manager modules have not been configured correctly or the module does not exist.

Action

Validate the Federated Identity Manager configuration.

CSIAC5066E The configured module with ID id referencing a module with ID moduleId with java class className cannot be instantiated.

Explanation

When attempting to load a module with the given ID and class name, an error occurred. This can occur if the Federated Identity Manager modules have not been configured correctly or the module does not exist.

Action

Validate the Federated Identity Manager configuration.

CSIAC5067E The configured module reference, referenceId, could not be located in the configuration.

Explanation

In order to load a module, a valid reference ID is required.

Action

Validate the Federated Identity Manager configuration.

CSIAC5068E An attempt was made to retrieve a component with identifier 'id' which does not exist.

Explanation

In order to load a component, a valid reference ID is required.

Action

Validate the Federated Identity Manager configuration.

CSIAC5069E The delegate protocol instance delegateId requires a protocol action actionClassName which could not be created.

Explanation

The actions for the delegate protocol need to be located and created in order to be invoked.

Action

Validate the Federated Identity Manager configuration.

CSIAC5073E The group membership group specified for delegate id is not valid and will be ignored.

Explanation

The specified group ID does not exist or could not be found.

Action

Validate the Federated Identity Manager configuration.

CSIAC5074E The delegate protocol id will not be available at runtime because the properties provided in the groups that it is a member of are not valid.

Explanation

The properties for the delegate group memberships are not correct. This typically indicates that federation configuration is not valid.

Action

Validate the Federated Identity Manager configuration. Additional messages in the error and trace logs by the protocol implementation will display the exact error condition.

CSIAC5075E The delegate protocol id will not be available at runtime because the protocol action className could not be created.

Explanation

A protocol action used by this delegate could not be created.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5076E An error occurred reading page templates. The SPS will continue startup, but no pages will be available at runtime.

Explanation

An error occurred reading the pages directory. The directory may not exist or the service may not have the required permissions to read the files.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5077E An error occurred creating the service factory id. This service factory will not be available to protocols at runtime.

Explanation

An error occurred creating the service factory.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5078E An error occurred creating the point of contact client id. The service will not be available to protocols at runtime.

Explanation

An error occurred creating the point of contact client.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5079E An error occurred creating the global handler id. The service will not be available at runtime.

Explanation

An error occurred creating the global handler.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5080E An error occurred creating the protocol determination module id. The service will not be available at runtime.

Explanation

An error occurred creating the protocol determination module.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5081E Unable to retrieve an instance of the IdServiceClientFactory.

Explanation

An error occurred retrieving an instance of the alias service client factory.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5082E Unable to retrieve an instance of the Token Command Factory with endpoint endpoint.

Explanation

An error occurred retrieving an instance of the token service client factory.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5083E The single sign-on protocol service was unable to locate a directory where template pages are stored.

Explanation

The Federated Identity Manager application does not contain the directory containing template page directories.

Action

Validate the Federated Identity Manager configuration.

CSIAC5084E An internal error has occurred within the SPS.

Explanation

The current request could not be processed because of an internal error.

Action

Validate the Federated Identity Manager configuration.

CSIAC5085E The current request cannot be accepted because the component that is required to process it is missing.

Explanation

The current request could not be processed because of an internal error.

Action

Validate the Federated Identity Manager configuration.

CSIAC5087E Unable to retrieve an instance of the Name Identifier Generator with key id.

Explanation

An error occurred retrieving an instance of the specified NameId generator from the alias service.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5088W The time zone identifier given, [id], is not valid.

Explanation

The given time zone identifier is not a supported time zone.

Action

Ensure that the time zone identifier in the configuration is correct. Check the returned exception for more details.

CSIAC5089W The time display pattern [id] is not supported.

Explanation

The given time display pattern is not supported.

Action

Ensure that the time format in the configuration is correct. Check the returned exception for more details.

CSIAC5090W The callback [id] could not be initialized.

Explanation

An error was encountered during the initialization of the given callback.

Action

Check the logs for a related exception and correct the problem. The error is most likely caused by a configuration error.

CSIAC5092E Access denied.

Explanation

The user does not have permission to access the Web page.

Action

If the user should be permitted to access the Web page, the administrator should grant the user permission. The administrator may need to add a user to the group being used for SOAP endpoint access control, for instance.

CSIAC5096E The point of contact implementation failed to perform programmatic login.

Explanation

An error occurred performing JAAS login.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5097E The point of contact implementation failed to authenticate the user performing the request.

Explanation

An error occurred performing JAAS login.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5098E The point of contact implementation failed to obtain the initial request URL.

Explanation

An error occurred obtaining the initial request URL from the user session.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5106E ITFIM Form Login Error

Explanation

See message.

Action

Check the trace and message logs for further details.

CSIAC5107E Form Login Error

Explanation

See message.

Action

Check the trace and message logs for further details.

CSIAC5109E Form authentication failed.

Explanation

See message.

Action

Check the trace and message logs for further details.

CSIAC5110E Check the user ID and password, and try again.

Explanation

See message.

Action

Check the trace and message logs for further details.

CSIAC5111E The point of contact endpoint requires the user to be authenticated. Please validate the point of contact settings.

Explanation

Unable to obtain user information from the request.

Action

Validate that the security roles are mapped properly to users and the point of contact settings.

CSIAC5112E Access to the URL 'url' by the user 'user name' was denied because the user was not assigned the role 'role name'.

Explanation

A user attempted to access the specified URL, but was denied access.

Action

Validate that the security roles are mapped properly to users. If the request was a SOAP request, verify that the partner has a valid password or certificate. Verify that the SOAP Endpoint Security Settings have been configured properly. If you are using groups to control access to the SOAP endpoint, verify that the partner's user ID is in the correct group.

CSIAC5113E The query service factory was configured with a class name that cannot be loaded. The class name is: 'class'

Explanation

This is an internal error in the configuration of the query service factory in the sps.xml configuration file.

Action

Report this error to IBM Software Support; this error should not happen.

CSIAC5114E The query service was unable to complete the request with the trust service.

Explanation

An exception was thrown when communicating with the trust service.

Action

Examine the exception reported in the log file.

CSIAC5115E The claims object passed to the query service for update was of type: 'class' and did not support the required interface: 'interface'.

Explanation

An internal programming error has been detected.

Action

Report this error to IBM Software Support; this error should not happen.

CSIAC5116W Cannot locate the domain mapping file. Will not try to initialize ITFIMRuntime components.

Explanation

The Tivoli Federated Identity Manager domain mapping properties file could not be located in the WebSphere configuration repository. This could be because the Tivoli Federated Identity Manager runtime has not yet been deployed.

Action

Deploy the Tivoli Federated Identity Manager runtime.

CSIAC5120E The Tivoli Federated Identity Manager runtime components cannot be initialized because the runtime cannot connect to a remote configuration repository.

Explanation

If the Tivoli Federated Identity Manager runtime components are deployed in a WebSphere cluster, then the runtime components need to acquire a handler to a remote deployment manager's configuration repository. This connection may fail if the deployment manager was not started, or if the managed nodes were started before the deployment manager was launched.

Action

Restart the WebSphere cluster by first starting the deployment manager, then starting the node agents, and finally starting the managed node servers.

CSIAC5121W The credential attribute 'attribute' with value 'attribute value' could not be added to the SSO token because the attributes size limit has been reached.

Explanation

The Tivoli Federated Identity Manager PoC implementation was not able to add the attribute to the SSO token.

Action

Increase the attributes size limit.

CSIAC5122E The Tivoli Federated Identity Manager runtime components are not initialized.

Explanation

The Tivoli Federated Identity Manager runtime components are not initialized. The runtime node is probably not configured. The following components will not be operational: Security Token Service, Single Sign-on Protocol Service, Info Service, and Audit Service.

Action

Configure the runtime nodes.

CSIAC5123E The point of contact client callback mapping rule is invalid.

Explanation

The point of contact client callback mapping rule is invalid.

Action

Verify that the point of contact client callback is configured correctly.

CSIAC5124E The point of contact client callback could not determine mapping rule type.

Explanation

The point of contact client callback cannot determine the rule type based on the configuration.

Action

Verify that the point of contact client callback is configured correctly.

CSIAC5125E The point of contact client callback failed to execute the mapping rule.

Explanation

The point of contact client callback could not execute the mapping rule.

Action

Verify that the point of contact client callback is configured correctly.

CSIAC5127E The point of contact client callback attribute {0} in the universal user is invalid.

Explanation

The point of contact client callback attribute value in the universal user is invalid.

Action

Verify that the authentication policy callback is configured correctly.

CSIAC5128E The point of contact client callback failed to create the authentication policies.

Explanation

The point of contact client callback failed to create the authentication policies.

Action

Verify that the authentication policy callback is configured correctly.

CSIAC5129E The point of contact implementation failed to obtain the authentication target URL or transaction id from the supplied query string parameters.

Explanation

An error occurred obtaining the target URL or transaction id from the query string.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5130E The point of contact multi phase authentication callback implementation failed to obtain the authentication target URL.

Explanation

An error occurred obtaining the target URL.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5131W The point of contact callback query string parameters {0} value {1} is not valid.

Explanation

An error occurred obtaining the query string parameter value.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5132W The point of contact callback mapping rule context attribute {0} value {1} is not valid.

Explanation

An error occurred obtaining the mapping rule context attribute value.

Action

Validate the Federated Identity Manager configuration and check the trace and message logs for further details.

CSIAC5133E The system cannot read the 'dscclient.properties' file

Explanation

The client configuration containing information on available DSCs is missing.

Action

Ensure the file named dscclient.properties exists with the correct values present.

CSIAC5134E No DSC can be reached at this time.

Explanation

None of the DSCs configured in the dscclient.conf are responding.

Action

Check that the dscclient.properties contains valid DSC information, and check that the DSCs are responsive.

CSIAC5135E An internal error occurred during user entitlement evaluation.

Explanation

An internal error occurred during user entitlement evaluation.

Action

The administrator needs to check the network connectivity and health status of the App Access Entitlement API.

CSIAC5136E Unable to apply the access policy.

Explanation

App Access Entitlement API returned an invalid access policy ID or Access Policy API is not available.

Action

Contact the IBM support team to resolve the error.

CSIAC5137E User is not authorized to access the application due to policy constraints.

Explanation

Access policy evaluation denied your access to the application. Please check with your administrator for the applicable access policy for the application.

Action

The administrator needs to check the applicable access policy for the application.

CSIAC5138E Only entitled users can single sign-on to the application. You must request for application access.

Explanation

The user does not have permission to access the Web page.

Action

If the user should be permitted to access the Web page, the administrator should grant the user permission.

CSIAC5139E The application has been disabled.

Explanation

The system cannot perform the request because the application is currently disabled.

Action

Ensure the application is enabled and try again.

CSIAC5140E You are not authorized to access this protected resource.

Explanation

This resource can only be accessed by an authorized user.

Action

Ensure that the authorization endpoint is properly configured and secured.

CSIAC5141E An internal error occurred during user consent status check.

Explanation

An internal error occurred during user consent status check.

Action

Check the network connectivity and health status of the DPCM API.

CSIAC5506E The given TokenType or AppliesTo (TokenType/AppliesTo) in the request is not supported by this server's configuration for RequestType RequestType.

Explanation

The request requested a TokenType or AppliesTo that is not supported by the server's configuration. This error can occur because the request data did not map to any processing chains or because the expected processing chain that the request maps to did not start correctly.

Action

Ensure that the request has all the required data.

CSIAC5507E STSModule module_name not found.

Explanation

The server attempted to load the STSModule but could not because an error occurred.

Action

Check the server logs for errors and exceptions to identify the problem.

CSIAC5508E The QName namespace prefix (QName) does not match any defined namespaces.

Explanation

The given namespace prefix does not match any defined namespaces.

Action

Ensure that the request uses supported XML namespaces.

CSIAC5509E The server did not start correctly.

Explanation

The trust server did not start correctly because of internal errors.

Action

Inspect logs and configuration files and ensure that data in the configuration file is correct.

CSIAC5510E A TokenType or AppliesTo must be specified in the request.

Explanation

According to the specification, at least one of TokenType or AppliesTo must be specified in the request.

Action

Ensure that the required request data is given.

CSIAC5511E The date and time are not in the expected UTC format.

Explanation

The date and time given in the request was not in the expected UTC time format.

Action

Ensure that the correct time format is used for the request.

CSIAC5513E A RequestType must be specified in the request.

Explanation

According to the specification, a RequestType must be specified in the request.

Action

Ensure that the required request data is given.

CSIAC5514E The given RequestType (RequestType) is not supported by this server's configuration.

Explanation

The RequestType does not apply to any of the STSChainMappingDefinitions located in the server's configuration.

Action

Ensure that the required request data is given.

CSIAC5515E Either no configured XPath selected a node from the request, or the given TokenType or AppliesTo (TokenType/AppliesTo) in the request is not supported by this server's configuration for RequestType RequestType and Issuer (Issuer).

Explanation

Either no XPath in the configuration selected a node from the request, or the request requested a TokenType or AppliesTo that is not supported by the server's configuration.

Action

Ensure that the required request data is given.

CSIAC5516E The given Issuer (Issuer) is not supported by this server's configuration.

Explanation

The Issuer does not apply to any of the STSChainMappingDefinitions located in the server's configuration.

Action

Ensure that the required request data is given.

CSIAC5517E The server could not find the expected token included in the request.

Explanation

The given request did not include the expected token based on the server's configuration.

Action

Ensure that the required request data is given.

CSIAC5518E An incorrect namespace was encountered and received QName, but expected QName.

Explanation

The client sent a request that used a namespace that was not expected. This error is typically caused by an old namespace being used.

Action

Ensure that the supported XML namespaces are used.

CSIAC5519E The expected namespace URI for the WS-Trust schema was not found in the request.

Explanation

The client did not specify a valid WS-Trust schema in the request.

Action

Ensure that the required request data is given.

CSIAC5520E An error was encountered when attempting to open file filename.

Explanation

The server attempted to open the specified file and encountered an error.

Action

Ensure that the file exists and has the correct file permissions.

CSIAC5521E Either the properties file (filename) was not found in the classpath or the key (key) returned no data.

Explanation

The given properties file could not be found in the classpath or the key to look up data in the properties file did not return the expected data.

Action

Ensure that the given properties file is located in the classpath, or that the key given has data associated with it, or both.

CSIAC5522E The message passed to the service from the webservices runtime was not complete or did not exist.

Explanation

A possible cause of this problem is that the Trust Service System Handler was not installed correctly or was removed from the system.

Action

Ensure that the Trust Service System Handler is installed and located in the WebSphere Application Server classpath.

CSIAC5523E The trust service did not start successfully because it could not locate the local or distributed configuration data.

Explanation

The trust service could not locate the configuration data.

Action

If the service is the only service for the domain, ensure that the configuration file exists. If the service is in a cluster, ensure that the cluster is operating correctly.

CSIAC5530E The trust service did not fully stop.

Explanation

See message.

Action

No response required.

CSIAC5531E The trust service did not fully start.

Explanation

See message.

Action

No response required.

CSIAC5532E The trust service did not fully start, stop, or both.

Explanation

See message.

Action

No response required.

CSIAC5533E The trust service failed to write configuration to persistent storage.

Explanation

See message.

Action

No response required.

CSIAC5534E The context was not found.

Explanation

See message.

Action

No response required.

CSIAC5535E The management method requested is not implemented.

Explanation

See message.

Action

No response required.

CSIAC5536E An error occurred while retrieving the server's configuration for the management operation.

Explanation

The server encountered an error when it attempted to retrieve its configuration.

Action

Check logging messages for errors related to retrieving the server's configuration and ensure that the correct file permissions are set on the server's configuration file.

CSIAC5538E A classname must be provided.

Explanation

The caller-requested operation requires a classname but did not provide a classname.

Action

Ensure that a classname is given.

CSIAC5539E The classname provided (classname) was not found in the server's classpath.

Explanation

A classname was provided that does not exist in the server's classpath.

Action

Ensure that the given class exists in the server's classpath.

CSIAC5541E The classname provided (classname) does not implement the required interface for modules.

Explanation

The classname provided exists but does not implement the required interface for modules.

Action

Ensure that the classname provided implements the required interface for modules.

CSIAC5542E The classname provided (classname) does not implement the expected model.

Explanation

The classname provided does not have a no-argument public constructor.

Action

Ensure that the classname provided includes a no-argument public constructor.

CSIAC5543E The given unique identifier (identifier) does not exist in the configuration.

Explanation

The given unique identifier does not exist.

Action

Ensure that the provided identifier exists in the current configuration.

CSIAC5544E The remove request could not be completed. There must be no references to the object being removed in order for the request to complete.

Explanation

There must be no references to the configuration data being removed.

Action

Ensure that the configuration data being removed does not have any references to it.

CSIAC5546E The unique identifier did not match the expected type.

Explanation

The given unique identifier did not match the expected type in the configuration. This error might also mean that the unique identifier did not exist in the configuration.

Action

Ensure that the entire unique identifier is for the correct data.

CSIAC5547E A unique identifier must be provided.

Explanation

A unique identifier was not provided.

Action

Ensure that a unique identifier is provided.

CSIAC5548E The request type is already in the configuration.

Explanation

The management request to add a new request type was denied because there cannot be duplicate request types in the configuration.

Action

Ensure that the request type is not already in the configuration.

CSIAC5549E To add a request type, a request type URI must be provided.

Explanation

A request type URI was not provided and is required.

Action

Ensure that a unique request type URI is provided.

CSIAC5550E The mapping type given is not a supported mapping type.

Explanation

Either the mapping type was not given or it did not match one of the supported mapping types.

Action

Ensure that the mapping type is one of the supported mapping types.

CSIAC5551E The request-type mapping requested to be modified does not exist.

Explanation

The request-type mapping requested to be modified does not exist in the server's configuration.

Action

Ensure that the request type mapping that is being modified exists in the server's configuration.

CSIAC5558E The chain (chain identifier) could not be initialized due to errors.

Explanation

The given chain could not be started without errors being returned.

Action

Check the trace logs for a more specific error for the given chain.

CSIAC5559E The request failed to process successfully.

Explanation

The given request failed to process successfully. See the server logs for a specific cause of the failure.

Action

Check the trace logs for a more specific error for the given chain.

CSIAC5560E The module reference ID used in the configuration of module chain ID 'chainId', (chainReference) is not valid. The module reference does not exist.

Explanation

The referenced identifier does not exist.

Action

Validate the STS configuration.

CSIAC5561E The module reference used in the configuration of module chain ID 'chainId', (referenceId) is not valid. The module does not exist.

Explanation

The referenced module does not exist.

Action

Validate the STS configuration and installed STS plug-ins.

CSIAC5562E The class 'className' referenced in module chain ID 'chainId' could not be initialized. The init method did not successfully complete.

Explanation

The module implementation did not successfully initialize.

Action

Validate the STS configuration and installed STS plug-ins.

CSIAC5563E The module chain with ID 'id' could not be created because of an earlier error.

Explanation

The module chain could not be successfully created.

Action

Validate the STS configuration and installed STS plug-ins.

CSIAC5564E The module chain with ID 'id' does not exist.

Explanation

The module chain could not be located in the configuration.

Action

Validate the STS configuration and installed STS plug-ins.

CSIAC5565E The input request did not contain any data and cannot be processed.

Explanation

The input request was null or was not provided.

Action

Validate the configuration of the caller and the input message.

CSIAC5567E The module chain mapping with ID 'id' references a group that does not exist.

Explanation

The group membership was either not specified or does not exist in the configuration. Modules with the module chain may need information from this group to operate.

Action

Validate the STS configuration and installed STS plug-ins.

CSIAC5568W The server encountered an exception while processing a request in validate mode. If the environment has trace enabled, the exception will appear in the trace log.

Explanation

The STS encountered an exception while processing a request in the validate mode. According to specifications, the server must return a status code similar to the following: http://schemas.xmlsoap.org/ws/2005/02/trust/status/invalid. The exception was caught and logged, allowing the server to return the correct message.

Action

Validate the request parameters and retry the operation.

CSIAC5569E The security token service could not create a logger in the given directory (directory name) because it is not a directory.

Explanation

The Security Token Service was not able to create a logger in the given directory because it is not a directory.

Action

Ensure the given directory is a valid directory.

CSIAC5570E The security token service message logger encountered an error and could not log the message.

Explanation

The security token service message logger encountered an error that is preventing it from logging messages.

Action

Confirm that the system is allocated enough resources and there are no initialization errors.

CSIAC5571E The security token service message logger encountered an error while creating the log file. The error text is: file name.

Explanation

The Security Token Service was not able to create a log file because an error occurred.

Action

Correct the logger name.

CSIAC5572E The security token service message for chain mapping (Mapping) failed signature validation.

Explanation

The Security Token Service was not able to validate the signature on the trust message. This may be caused by an incorrect key alias configured for this chain mapping, by the SOAP request being modified along the way, or by the message not being signed by a trusted signer.

Action

Verify that the correct key alias is configured and the SOAP message was not modified en route.

CSIAC5573E The security token service is configured to validate signatures for chain mapping (Mapping) but the request received was not signed.

Explanation

The Security Token Service was not able to validate the signature on the trust message. The received request was not signed.

Action

Ensure that the message came from a trusted source and that the message is signed.

CSIAC5574E The Keystore service is not available for signing or validating messages.

Explanation

The Keystore service has encountered an error.

Action

Validate the TFIM configuration and restart the server.

CSIAC6001E The SAML assertion is not valid before this time param. Current system time: param.

Explanation

The SAML assertion’s NotBefore attribute specifies the earliest time instant at which the assertion is valid. A problem can occur if the identity provider and the service provider clocks are not synchronized, for example, if the identity provider clock is X seconds faster than the service provider clock.

Action

Synchronize the system clocks of the identity provider and the service provider, or implement a clock skew.

CSIAC6002E The SAML assertion expired in param. Current system time: param.

Explanation

The SAML assertion’s NotOnOrAfter attribute specifies the time instant at which the assertion has expired. A problem can occur if the identity provider and the service provider clocks are not synchronized, for example, if the identity provider clock is X seconds faster than the service provider clock.

Action

Synchronize the system clocks of the identity provider and the service provider, or implement a clock skew.

CSIAC6003E The given SAML assertion token's digital signature is not valid.

Explanation

The given SAML assertion token's digital signature is not valid.

Action

Ensure that the assertion token has not been modified after the signing.

CSIAC6004E The given SAML assertion was not signed, a valid signature was expected with the assertion.

Explanation

The given SAML assertion was not signed; a valid signature was expected with the assertion.

Action

If signature validation is not required, re-configure the SAML module so it does not verify signatures.

CSIAC6005E Issuing SAML assertion has failed, none of the supported Subject types were present.

Explanation

Issuing the SAML assertion has failed because none of the supported Subject types were present.

Action

Subject types should be emailAddress, X509SubjectName or WindowsDomainQualifiedName.

CSIAC6006E No audience has been found in the given assertion.

Explanation

An Audience element with a valid URI is missing from the AudienceRestrictionCondition element in the assertion XML document.

Action

An Audience URI should exist in the request.

CSIAC6007E Issuing SAML assertion has failed, no authentication method was given.

Explanation

The AuthenticationMethod attribute should exist as part of the given assertion AuthenticationStatement element.

Action

Ensure that the AuthenticationMethod attribute exists as part of the given assertion AuthenticationStatement element, for example, password, X509-PKI, or PGP.

CSIAC6008E Assertion issuer is not configured.

Explanation

An issuer was not configured but assertion signing was configured.

Action

If assertion signing is required, an issuer must be configured.

Reconfigure this application and restart the server.

CSIAC6009E Keystore alias is not configured.

Explanation

A keystore alias must be configured if assertion signing or validation is configured.

Action

If assertion signing or validation is required, a keystore alias must be configured.

Reconfigure this application and restart the server.

CSIAC6010E The Identity Provider [ IDP ] provided a name identifier [ alias ] that could not be mapped to a valid principal name by the Identity Service.

Explanation

The Identity provider's name identifier was not found in the Identity Service.

Action

Ensure that the principal is federated.

CSIAC6011E Invalid security token. Claims element was not found.

Explanation

Liberty requires that a valid Claims element must be in the security token.

Action

This is an internal error.

CSIAC6012E The Access Manager Java Runtime configuration file is not specified.

Explanation

The path to the Access Manager Java Runtime configuration file is not specified in the STS modules configuration file.

Action

If issuing of IVCreds is enabled, ensure that a configuration file location of AM Java Runtime is specified.

CSIAC6013E The digital signature of the given IV-Cred token is invalid.

Explanation

The given IV-Cred token's digital signature is invalid.

Action

Ensure that the IV-Cred token has not been modified after the signing.

CSIAC6014E There was an invalid Principal Chain given in the Access Manager credential.

Explanation

The Access Manager credential has an internal structure called Principal Chain, which is required for the credential to be a valid credential.

Action

This is an internal error.

CSIAC6015E The IV-Cred binary token is invalid or not present.

Explanation

The IV-Cred module requires that a valid BinarySecurityToken element must be in the security token.

Action

This is an internal error.

CSIAC6016E A principal name was not provided to create an Access Manager credential.

Explanation

Creating an IV-Cred credential requires a principal name.

Action

Provide a principal entity in the request.

CSIAC6017E An Access Manager credential could not be created for the given principal.

Explanation

A principal name was provided that is not valid.

Action

Ensure that a valid principal name is provided.

CSIAC6018E Unexpected exception was caught.

Explanation

An unexpected exception was caught.

Action

This is an internal error.

CSIAC6019E The audience in the assertion does not match the Service Provider's URI.

Explanation

The audience restriction value in an assertion must match the URI of the Service Provider.

Action

Ensure that the application is properly configured.

CSIAC6020E The InResponseTo attribute in the assertion does not match the request ID of an Authentication request.

Explanation

The InResponseTo attribute, if specified, must match an Authentication request.

Action

This may be due to an attempt to replay an assertion.

CSIAC6021E The Keystore service is not available for signing or validating assertions.

Explanation

The Keystore service was not started or has encountered an error.

Action

Validate the configuration and restart the server.

CSIAC6022E The given Username Token has expired.

Explanation

The given Username Token has expired.

Action

Ensure that the server's clock is synchronized with the clocks of the other servers that it participates with in the secure domain.

CSIAC6023E The given Username token's digital signature is not valid.

Explanation

The given Username token's digital signature is not valid.

Action

Ensure that the token has not been modified after the signing.

CSIAC6024E The given same Username token was replayed.

Explanation

The given Username token was verified before and now it is being reused. This server's configuration does not allow Username tokens to be reused.

Action

Each Username token has a unique Nonce to protect it from replay attacks.

Check whether the token has been cached and reissued without refreshing the Nonce.

CSIAC6025E A principal name was not provided to create a Username token.

Explanation

Creating a Username Token requires a Principal name.

Action

Provide a Principal entity in the request.

CSIAC6026E The given Username token's digital signature is missing.

Explanation

The given Username token's digital signature is missing.

Action

Ensure that the application is properly configured.

CSIAC6027E The expected security token type is missing.

Explanation

The expected security token type is missing.

Action

Ensure that the application is properly configured.

CSIAC6028E The given SAML assertion was verified before and now it is being reused. This server's configuration does not allow assertions to be reused.

Explanation

The use-once enforcement has been enabled and the given SAML assertion has been verified before.

Action

Ensure assertions are used only once.

CSIAC6030E The Liberty AuthnContext contains unsupported Authentication Context Statement references.

Explanation

Authentication Context Statement references are not supported.

Action

Ensure that the sending Service Provider specifies only Authentication Context class references.

CSIAC6031E The Liberty AuthnContext contains an invalid Authentication Context Class reference.

Explanation

The Liberty architecture specifies the valid set of Authentication Context classes. The received AuthnRequest contained a class reference that is not valid.

Action

Ensure that the sending Service Provider sends only supported Authentication Context class references.

CSIAC6032E The authentication request requires an authentication method that is not supported.

Explanation

The authentication request specifies authentication class references that must be used to authenticate the principal, but none of these classes are supported by this implementation.

Action

Ensure that the sending Service Provider specifies at least one Authentication Context class reference that is supported by this application.

CSIAC6033E The Access Manager Java Runtime configuration file is not specified.

Explanation

The path to the Tivoli Access Manager Java Runtime configuration file is not specified.

Action

Ensure a configuration file location for the Tivoli Access Manager Java Runtime is specified.

CSIAC6034E A principal name was not provided with which to create an Access Manager principal.

Explanation

Creating an Access Manager principal requires a principal name.

Action

Provide a principal name in the request.

CSIAC6035E The Status Token Module has not been enabled.

Explanation

The configuration key 'status.module.enable' must be present and set to true on every federation where the status token is used.

Action

Enable the status module.

CSIAC6036E The IV-Cred token module does not operate in the given mode, mode.

Explanation

The mode that was configured for the module is not valid.

Action

Change the operation mode to 'issue' or 'validate'.

CSIAC6037E The IV-Cred token module configuration is missing a required parameter, param.

Explanation

The specified parameter is required for operation.

Action

Add the specified parameter to the configuration.

CSIAC6038E The token module does not operate in the given mode, mode.

Explanation

The mode that was configured for the module is not valid.

Action

Change the operation mode to 'issue' or 'validate'.

CSIAC6039E The specified keystore alias [alias] was not found or is not valid.

Explanation

The key service could not find a key with the provided alias or the alias has an invalid type.

Action

Ensure you have the correct keystore configured.

CSIAC6040E An anonymous principal name is not configured for partner identity provider.

Explanation

An assertion was received from the identity provider with a onetime name identifier, but an anonymous principal name is not specified in the configuration for the partner.

Action

Configure an anonymous principal name for the partner.

CSIAC6041E A username token was not present in the current request.

Explanation

The current request did not contain a user name token for validation.

Action

Ensure that clients are sending the username token.

CSIAC6042E The input token [namespace][local ] is not a username token and cannot be parsed.

Explanation

The current request did not contain a user name token for validation.

Action

Ensure that clients are sending the username token.

CSIAC6043E The received message does not contain a created time element.

Explanation

The current request did not contain a created time element, although configuration specifies that it is required.

Action

If clients do not send the username token or created time, then they must disable lifetime checking.

CSIAC6046E The AppliesTo element is missing from the request or is badly formed.

Explanation

The AppliesTo element is missing from the request or is badly formed.

Action

Ensure the configuration is correct.

CSIAC6047E None of the requested authentication context requirements can be met.

Explanation

The authentication request contained one or more authentication contexts whose requirements cannot be met by the identity provider.

Action

Ensure the configuration is correct.

CSIAC6048E The attribute profile specified in the request is not supported.

Explanation

The request specified an attribute profile that is not supported by the identity provider.

Action

Ensure the configuration is correct.

CSIAC6049E The Attribute in the request contained an unexpected content for the name or the value.

Explanation

The request specified an attribute that is not supported by the identity provider.

Action

Ensure the configuration is correct.

CSIAC6050E A Keystore alias is not configured for encryption.

Explanation

A keystore alias must be configured if encryption is to be used.

Action

An encryption keystore alias is required for sending or receiving encrypted elements.

Reconfigure this application and re-start the server.

CSIAC6051E The Assertion does not contain a valid recipient or the bearer subject confirmation is missing.

Explanation

The Subject in the assertion must contain a bearer subject confirmation with a recipient value that matches the Assertion Consumer service endpoint of the Service Provider.

Action

Ensure that the identity provider conforms with the SAML 2.0 SSO profile.

CSIAC6052E A Keystore alias is not configured for decryption and the assertion is encrypted or contains encrypted elements.

Explanation

A keystore alias must be configured in order to process encrypted assertion elements.

Action

A decryption keystore alias is required for receiving encrypted elements.

Reconfigure this application and re-start the server.

CSIAC6053W A Keystore alias is not configured for encryption. Attribute attrname will not be encrypted.

Explanation

The mapping rule has indicated a preference for encrypting an attribute, but a keystore alias has not been configured for encryption.

Action

An encryption keystore alias is required for sending or receiving encrypted elements.

Reconfigure this application and re-start the server.

CSIAC6054E An unrecognized SAML Condition element has been found in the Assertion: [ Element ].

Explanation

The Assertion state is indeterminate because of an unrecognized Condition element.

Action

Ensure that the federation is properly configured.

CSIAC6055E Validation of the digital signature on the given element failed.

Explanation

The validation of the digital signature on the given element failed. Either the signature is corrupted or the wrong validation key was used.

Action

Determine whether the cause of the failure is a corrupted signature or invalid key, fix the problem, and regenerate the request.

CSIAC6056E A valid JAAS principal was not found.

Explanation

A valid JAAS principal was not found.

Action

Determine the reason why the requestor is not authenticated to WebSphere, fix the problem, then try again.

CSIAC6057E Generation of the binary security token failed.

Explanation

The STS failed to issue a binary security token.

Action

Check the logs to determine the cause of the failure, fix the problem, and try again.

CSIAC6058E An error occurred validating the attributes of the RequestSecurityToken.

Explanation

An error occurred validating the attributes of the RequestSecurityToken.

Action

Check the logs for the cause of the error, fix the problem, and try again.

CSIAC6059E The required parameter DSIG.VerificationKeyIdentifier was not found.

Explanation

The required parameter DSIG.VerificationKeyIdentifier was not found.

Action

Ensure that the parameter is set correctly and try again.

CSIAC6060E The protected object name for the web service is not specified.

Explanation

The protected object name configuration parameter has not been specified.

Action

Ensure a protected object name configuration parameter is specified.

CSIAC6062E JAAS authentication for user insert failed.

Explanation

The system failed to authenticate the given user through JAAS.

Action

Ensure that the user's credentials are valid and resubmit the request.

CSIAC6063E The X.509 security token is missing or is not valid.

Explanation

The X.509 security token to be validated is either missing or is not valid.

Action

Ensure that the X.509 security token is valid and resubmit the request.

CSIAC6064E The X.509 certificate path is not valid.

Explanation

The X.509 certificate path for the certificate or certificates, contained within the security token, is not valid.

Action

Ensure that the X.509 security token is valid and resubmit the request.

CSIAC6065E The Kerberos security token is missing or is not valid.

Explanation

The Kerberos security token to be validated is either missing or is not valid.

Action

Ensure that the Kerberos security token is valid and resubmit the request.

CSIAC6066E STSUniversalUser has more than one Principal 'name' attribute: param1 param2: param2

Explanation

The STSUniversalUser should have only one Principal attribute with the key 'name'. Otherwise, the STSUniversalUser is ambiguous.

Action

Ensure that the STSUniversalUser has only one 'name' Principal attribute and resubmit the request.

CSIAC6067E The Kerberos service name is not configured.

Explanation

The Kerberos service name is not configured.

Action

Ensure that the Kerberos service name is configured.

CSIAC6068E The signature generation process for the given element has failed.

Explanation

The server attempted to digitally sign something and has failed to do so.

Action

Determine the cause of the failure and resubmit the request.

CSIAC6069E The received assertion failed signature verification.

Explanation

The server's attempt to verify an assertion's digital signature has failed.

Action

Determine the cause of the failure and resubmit the request.

CSIAC6070E Required assertion signature not found.

Explanation

The assertion was not signed as required.

Action

Determine the cause of the failure and resubmit the request.

CSIAC6071W The delegation module was not given any delegate modules at initialization. The module will do nothing when called.

Explanation

The delegation module was placed in a module chain, but was not given any modules for delegation. When this module is invoked, it will do nothing.

Action

Ensure that the module is properly configured by providing it a list of delegate modules.

CSIAC6072E Cannot find module instance with ID insert.

Explanation

See message.

Action

Verify the module instance ID exists.

CSIAC6073E The token presented is not an LTPA token.

Explanation

The token presented was not a binary security token and therefore not an LTPA token.

Action

Make sure that the Base in the request contains an LTPA token as a binary security token.

CSIAC6074E The LTPA token is empty.

Explanation

An empty token was presented to the module.

Action

Make sure that the request contains an LTPA Token.

CSIAC6075E Token creation failed.

Explanation

The token could not be created.

Action

Make sure that the correct password was presented for the keys. Otherwise, read the description of the exception that caused this and check the trace log for errors.

CSIAC6076E LTPA Token is invalid.

Explanation

The LTPA token presented for validation is not valid. Extended error information should be available in the exception stack trace.

Action

Make sure that the request contains a valid LTPA token.

CSIAC6077E Validated token information is empty, incorrect keys are the probable reason.

Explanation

The information gathered from the token is empty.

Action

Make sure that the correct keys and password are used for token consumption.

CSIAC6078E The STS Universal User cannot be empty.

Explanation

The STS Universal User document passed into the module was empty.

Action

Make sure that the STS Universal User document presented to the module is not empty.

CSIAC6079E The realm used for token creation is not specified. You must specify a realm in either the configuration or the STS Universal User principal.

Explanation

The realm that was going to be used for token creation was empty. This must be specified in order for the user ID to be created.

Action

Either reconfigure the module to insert a static realm, or specify a realm in the STS Universal User principal.

CSIAC6080E The User ID is not specified. Each token created must have a User ID.

Explanation

No name attribute was specified in the STS Universal User.

Action

Check the STS Universal User document and make sure that a name is specified in the principal.

CSIAC6081E The LTPA token module does not operate in the given mode, mode.

Explanation

The mode that was configured for the module is not valid.

Action

Change the operation mode to 'issue', 'exchange' or 'validate'.

CSIAC6082E The password for the keys is not valid.

Explanation

The password configured to decrypt the keys is not valid.

Action

Enter the correct password for the LTPA keys.

CSIAC6083E The public key is not valid.

Explanation

The public key entered is not a valid public key.

Action

Enter a valid public key value.

CSIAC6084E The private key is not valid.

Explanation

The private key entered is not a valid private key.

Action

Enter a valid private key value.

CSIAC6085E The shared key is not valid.

Explanation

The shared key entered is not a valid shared key.

Action

Enter a valid shared key value.

CSIAC6086E The JCE provider specified, provider, does not exist.

Explanation

The JCE provider entered is not a valid provider.

Action

Enter a valid provider, or use the default provider.

CSIAC6087E The algorithm specified, algorithm, does not exist.

Explanation

The algorithm entered is not a valid algorithm.

Action

Enter a valid algorithm, or use the default.

CSIAC6088E The padding specified in the cipher suite, padding, does not exist.

Explanation

The padding entered is not valid.

Action

Enter valid padding, or use the default.

CSIAC6089E The decryption of the token failed. This could be caused by an invalid token, invalid shared key or an invalid password for the key.

Explanation

The decryption of the token failed. This could be caused by a token, shared key, or password that is not valid.

Action

Verify that the LTPA shared key and password are correct.

CSIAC6090E The encryption of the token failed. This could be caused by an invalid token, invalid shared key or an invalid password for the key

Explanation

The encryption of the token failed. This could be caused by a token, shared key, or password that is not valid.

Action

Verify that the LTPA shared key and password are correct.

CSIAC6091E The Version specified in the configuration for issuing a token: [version] is not valid. It must be either 1 or 2.

Explanation

The LTPA token version number is not valid.

Action

Verify that the LTPA token being sent to the module is LTPAv1 or LTPAv2.

CSIAC6092E The expiration parameter in the STSUniversalUser not a valid number: [expiration].

Explanation

The LTPA expiration time is not valid. It must be a valid positive integer representing the time, in milliseconds since the epoch, at which this token expires.

Action

Verify that the mapping rule sets the expiration Principal attribute correctly.

CSIAC6093E The LTPA token has expired. Expiration time: expiration. Current time: now.

Explanation

The LTPA token has expired.

Action

Verify that the expiration time of the token is valid and that the clock on the system where the token is generated is in sync with the clock on the FIM Runtime.

CSIAC6100E The text block for variable [variable] is [text], which is not a valid XML node.

Explanation

The variable is being used to add an XML node as a value to an STSUniversalUser; however, the text for that variable is not a valid XML node string.

Action

Modify the Tivoli Directory Integrator assembly line to produce a valid XML string for the node value, or use a string value.

CSIAC6101E The assembly line identified by [al] could not be executed.

Explanation

The assembly line could not be successfully invoked.

Action

Check the causing exception to determine if this was an assembly line error, or an RMI error invoking the assembly line.

CSIAC6102E The assembly line represented by [ Hostname: hostname Port: port ConfigurationFilename: config AssemblyLineName:alname] cannot be loaded.

Explanation

The assembly line cannot be loaded. Check that the connection details are correct and that the server is running.

Action

Validate that the Tivoli Directory Integrator connection, configuration and assembly line details are correct, and that the Tivoli Directory Integrator server is running.

CSIAC6105W Invalidating connection to TDI Server rmiurl.

Explanation

The connection to the Tivoli Directory Integrator server has been invalidated due to an exception during a remote operation. This can occur, for example, if the Tivoli Directory Integrator server is restarted.

Action

No immediate administration intervention is necessary. If this message appears regularly, validate that the Tivoli Directory Integrator server is running correctly and is reachable.

CSIAC6106E The Tivoli Directory Integrator server at hostname hostname and port port cannot be reached.

Explanation

The connection to the Tivoli Directory Integrator server cannot be established. This could be an invalid configuration, a networking problem, or an inactive server.

Action

Check that the Tivoli Directory Integrator server is running and reachable, and that the configuration of the hostname and port for the Tivoli Directory Integrator server is correct.

CSIAC6107W Another thread has detected that the connection to Tivoli Directory Integrator server at hostname hostname and port port is invalid. One retry for this request will be attempted.

Explanation

The connection to the Tivoli Directory Integrator server failed, and was detected by another thread while waiting for an available connection.

Action

Check that the Tivoli Directory Integrator server is running and reachable.

CSIAC6108E Too many threads (numthreads) were waiting for access to the assembly line: [ Hostname: hostname Port: port ConfigurationFilename: config AssemblyLineName:alname]

Explanation

The threshold for the maximum number of waiting threads on the assembly line has been exceeded.

Action

Check that the Tivoli Directory Integrator server is functioning normally. It may be necessary to increase the pool size for the assembly line, or increase the maximum number of threads that can wait.

CSIAC6109E A timeout (timeoutval msec) occurred while waiting for a connection to the Tivoli Directory Integrator server for assembly line: [ Hostname: hostname Port: port ConfigurationFilename: config AssemblyLineName:alname]

Explanation

The thread was waiting for a connection to the Tivoli Directory Integrator server, and the timeout was reached.

Action

Check that the Tivoli Directory Integrator server is functioning normally. It may be necessary to increase the pool size for the assembly line, or increase the maximum timeout.

CSIAC6110E A thread was unexpectedly interrupted while waiting for an assembly line handler for: [ Hostname: hostname Port: port ConfigurationFilename: config AssemblyLineName:alname]

Explanation

A thread was waiting for an assembly line handler, and was unexpectedly interrupted. This error should not occur.

Action

Contact IBM Software Support.

CSIAC6120E The TAM GSO module does not operate in the given mode, mode.

Explanation

The mode that was configured for the module is not valid.

Action

Change the operation mode to 'map'.

CSIAC6121E The token representing the current user was empty.

Explanation

This indicates an error in the request to the trust service, or a processing error in a previous module in the trust chain.

Action

Validate your trust chain configuration and the request to the trust service.

CSIAC6122E Could not retrieve GSO credentials from Tivoli Access Manager for the GSO resource [rsrc] for user [user].

Explanation

Tivoli Access Manager could not be contacted, or the returned credentials were empty.

Action

Validate that the Tivoli Access Manager policy server is running and that the Tivoli Access Manager user has a matching GSO resource.

CSIAC6123E The Tivoli Access Manager credentials do not contain a username for the GSO resource [rsrc] for user [user].

Explanation

The Tivoli Access Manager configuration is not valid.

Action

Validate that the Tivoli Access Manager GSO credentials for this user are correctly populated.

CSIAC6124E The token representing the current user did not contain a username.

Explanation

This indicates an error in the request to the trust service, or a processing error in a previous module in the trust chain.

Action

Validate your trust chain configuration and the request to the trust service.

CSIAC6125E The configuration for the Tivoli Access Manager GSO resource name is missing.

Explanation

This message indicates a configuration error.

Action

Validate your trust chain configuration.

CSIAC6126E The Access Manager Java Runtime configuration file is not specified or does not exist.

Explanation

The path to the Tivoli Access Manager Java Runtime configuration file is not specified or the file does not exist.

Action

Ensure that Tivoli Access Manager Java Runtime is configured for this domain.

CSIAC6130E Invalid security token. Claims element is missing the required attribute [name].

Explanation

The Claims element must contain the specified attribute or element.

Action

This is an internal error.

CSIAC6131E Invalid security token. The Assertion does not contain an AuthnStatement element.

Explanation

The SAML 2.0 SSO protocol requires the presence of at least one authentication statement (AuthnStatement) element.

Action

Ensure that the Identity Provider is compliant with the SAML 2.0 SSO protocol.

CSIAC6132E The SAML STS module was unable to locate the issued assertion.

Explanation

The selection criteria specified to query the issued assertion do not match any of the cached assertions, or the assertion has expired.

Action

Provide valid selection criteria.

CSIAC6140E The STSUniversalUser STS module does not operate in the given mode, mode.

Explanation

The mode that was configured for the module is not valid.

Action

Change the operation mode to 'issue' or 'validate'.

CSIAC6141E The token passed to the STS module for validation was not an STSUniversalUser token.

Explanation

This indicates the token module has been called in validate mode with a token that is not an STSUniversalUser.

Action

Validate that the client of the trust service is passing the correct token type.

CSIAC6142E The incoming security token did not contain the required browser request claims.

Explanation

An STS module requires BrowserRequestClaims in the incoming security token.

Action

Ensure that the STS module requiring the claims is invoked by a protocol that provides the claims.

CSIAC6150E The Access Manager Java Runtime configuration file does not exist.

Explanation

The Tivoli Access Manager Java Runtime configuration file does not exist.

Action

Ensure that Tivoli Access Manager Java Runtime is configured for this domain.

CSIAC6151E A Tivoli Access Manager principal name was not provided.

Explanation

An authentication check requires a principal name.

Action

Provide a principal name in the STS universal user.

CSIAC6160E The Access Manager Java Runtime configuration file does not exist.

Explanation

The Tivoli Access Manager Java Runtime configuration file does not exist.

Action

Ensure that Tivoli Access Manager Java Runtime is configured for this domain.

CSIAC6161E A Tivoli Access Manager principal name was not provided.

Explanation

An authorization check requires a principal name.

Action

Provide a principal name in the STS universal user.

CSIAC6162E A Tivoli Access Manager protected object name was not provided.

Explanation

An authorization check requires a protected object name.

Action

Provide a protected object name in the STS universal user.

CSIAC6163E A Tivoli Access Manager action was not provided.

Explanation

An authorization check requires an action.

Action

Provide an action in the STS universal user.

CSIAC6165E The LTPA token configuration is missing the required secret shared key.

Explanation

The LTPA token requires a secret shared key to be able to encrypt or decrypt LTPA tokens.

Action

Verify that the secret shared key was given for the LTPA token module. Also, verify that there wasn't an error during startup when initializing the LTPA token module's configuration.

CSIAC6166E The LTPA token configuration is missing the required public key.

Explanation

The LTPA token requires a public key to be able to validate LTPA tokens.

Action

Verify that the public key was given for the LTPA token module. Also, verify that there wasn't an error during startup when initializing the LTPA token module's configuration.

CSIAC6167E The LTPA token configuration is missing the required private key.

Explanation

The LTPA token requires a private key to be able to issue LTPA tokens.

Action

Verify that the private key was given for the LTPA token module. Also, verify that there wasn't an error during startup when initializing the LTPA token module's configuration.

CSIAC6168E The LTPA token configuration validation failed.

Explanation

The LTPA token configuration validation failed.

Action

Verify that the configuration for the LTPA module is correct. Also, examine the system log for any reported exceptions.

CSIAC6170E The mapping extension utility function fnc failed.

Explanation

The mapping extension utility function failed, and the error message should contain a caused-by exception which explains the root cause.

Action

Examine the system log for the reported root-cause exception.

CSIAC6171E WebSphere Registry authentication for user insert failed.

Explanation

The system failed to authenticate the given user through the WebSphere Registry.

Action

Ensure that the user's credentials are valid and resubmit the request.

CSIAC6180E The Kerberos realm name is missing or invalid.

Explanation

The Kerberos realm name is missing or invalid.

Action

Ensure that the Kerberos realm name is present in the STS universal user by defining the appropriate mapping rule.

CSIAC6181E The Kerberos client name is missing or invalid.

Explanation

The Kerberos client name is missing or invalid.

Action

Ensure that the Kerberos client name is present in the STS universal user by defining the appropriate mapping rule.

CSIAC6182E The Kerberos client password is missing or invalid.

Explanation

The Kerberos client password is missing or invalid.

Action

Ensure that the Kerberos client password is present in the STS universal user by defining the appropriate mapping rule.

CSIAC6183E The Kerberos service name is missing or invalid.

Explanation

The Kerberos service name is missing or invalid.

Action

Ensure that the Kerberos service name is present in the STS universal user by defining the appropriate mapping rule.

CSIAC6190E The KESS STS module does not operate in the given mode, mode.

Explanation

The configured mode is invalid.

Action

Change the operation mode to 'map'.

CSIAC6191E The KESS STS token configuration is not valid for a required parameter: param. Value: value.

Explanation

The KESS STS token module has been configured with an invalid option.

Action

Verify that the configuration for the token module contains the required parameters for the operation.

CSIAC6192E The STSUniversalToken is missing the required 'ElementID' Context Attribute.

Explanation

When performing signing operations, the STSUniversalUser must contain a Context Attribute called 'ElementID'. This attribute must have a value that matches the value of a reference attribute in the element to sign.

Action

Verify that the STSUniversalUser processed by this module contains a Context Attribute called 'ElementID'. Verify that value of the attribute matches the value of a reference attribute that can be signed.

CSIAC6193E The KESS STS Module cannot determine a node to sign from the attribute: attrname.

Explanation

The STSUniversalUser attribute did not contain a node value that the KESS STS module can sign.

Action

Verify that the STSUniversalUser processed by this module contains a node value in the configured attribute that can be signed.

CSIAC6194E The KESS STS Module failed to validate a signature for XML: xml.

Explanation

The KESS STS Module cannot complete the signing operation because the signature is invalid.

Action

Verify that the client is sending XML with a valid signature and that KESS contains a matching signature validation key.

CSIAC6195E The KESS STS Module cannot determine a node to validate from the attribute: attrname.

Explanation

The KESS STS module cannot validate the signature because the STSUniversalUser attribute contains an invalid node value.

Action

Verify that the STSUniversalUser processed by this module contains a node value in the configured attribute that can be validated.

CSIAC6196E The KESS STS Module cannot determine a node to encrypt from the attribute: attrname.

Explanation

The KESS STS module cannot complete the encryption operation because the STSUniversalUser attribute contains a node value that cannot be encrypted.

Action

Verify that the STSUniversalUser processed by this module contains a node value in the configured attribute that can be encrypted.

CSIAC6197E The KESS STS Module cannot determine a node to decrypt from the attribute: attrname.

Explanation

The KESS STS module cannot complete the decryption operation because the STSUniversalUser attribute contains a node value that cannot be decrypted.

Action

Verify that the STSUniversalUser processed by this module contains a node value in the configured attribute that can be decrypted.

CSIAC6198E The Default Map Module could not determine mapping rule type.

Explanation

The Default Map Module cannot determine the rule type based on the configuration.

Action

Verify that the default mapping module is configured correctly.

CSIAC6200E The SAML Attribute Query STS module does not operate in the given mode, mode.

Explanation

The mode that was configured for the module is not valid.

Action

Change the operation mode to 'map'.

CSIAC6201E The SAML Attribute Query STS module could not find an assertion on the attribute query saml response.

Explanation

The attribute authority did not return an assertion in the SAML response.

Action

Verify that the configuration is correct. Also, examine the system log for any reported exceptions.

CSIAC6202E The SAML Attribute Query STS module could parse the assertion from the attribute query saml response.

Explanation

The SAML Attribute Query STS module was not able to parse the assertion in the SAML response.

Action

Verify that the configuration is correct. Also, examine the system log for any reported exceptions.

CSIAC6203E The SAML Attribute Query STS module could not validate the xml digital signature.

Explanation

The SAML Attribute Query STS module was not able to validate the XML digital signature.

Action

Verify that the configuration is correct. Also, examine the system log for any reported exceptions.

CSIAC6204E The SAML Attribute Query STS module signature validation key is not properly configured.

Explanation

The SAML Attribute Query STS module signature validation key is not properly configured.

Action

Verify that the validation key is configured on the partner configuration.

CSIAC6205E The SAML Attribute Query STS module could not get the saml response from the soap envelope.

Explanation

The SAML Attribute Query STS module could not get the SAML response from the SOAP envelope.

Action

Verify that the configuration is correct. Also, examine the system log for any reported exceptions.

CSIAC6206E The assertion included on the SAML Attribute Query SAML Response is not signed. This module is configure to reject unsigned assertions.

Explanation

The SAML Attribute Query STS module expects the assertion to be signed.

Action

Verify the configuration and modify the settings to make assertion signature optional.

CSIAC6207E The SAML Attribute Query STS module could not parse the saml response.

Explanation

The SAML Attribute Query STS module could not parse the SAML response.

Action

Verify that the configuration is correct. Also, examine the system log for any reported exceptions.

CSIAC6208E The SAML Attribute Query STS module could not decrypt the xml message.

Explanation

The SAML Attribute Query STS module was not able to decrypt the XML message.

Action

Verify that the configuration is correct. Also, examine the system log for any reported exceptions.

CSIAC6209E The SAML Attribute Query STS module decryption key is not properly configured.

Explanation

The SAML Attribute Query STS module decryption key is not properly configured.

Action

Verify that the validation key is configured on the partner configuration.

CSIAC6210E The SAML Attribute Query SAML Response is not signed. This module is configure to reject unsigned saml response.

Explanation

The SAML Attribute Query STS module expects the SAML response to be signed.

Action

Verify the configuration and modify the settings to make the SAML response signature optional.

CSIAC6211E The SAML Attribute Query STS module could not sign the attribute query xml message.

Explanation

The SAML Attribute Query STS module was not able to sign the attribute query XML message.

Action

Verify that the configuration is correct. Also, examine the system log for any reported exceptions.

CSIAC6212E The SAML Attribute Query STS module could not create the attribute query xml message.

Explanation

The SAML Attribute Query STS module could not create the attribute query XML message.

Action

Verify that the configuration is correct. Also, examine the system log for any reported exceptions.

CSIAC6213E The SAML Attribute Query STS module was not able to send the attribute query xml message.

Explanation

The SAML Attribute Query STS module could not send the attribute query XML message to the attribute authority.

Action

Verify that the configuration is correct. Also, examine the system log for any reported exceptions.

CSIAC6214E The SAML Attribute Query STS module was not able to obtain the user principal name.

Explanation

The SAML Attribute Query STS module could not obtain the user principal name.

Action

Verify that the configuration is correct. Verify that the mapping module is setting the universal user values properly.

CSIAC6215E The SAML Attribute Query STS module was not able to obtain the partner alias from the alias service.

Explanation

The SAML Attribute Query STS module could not obtain the partner alias from the alias service.

Action

Verify that the configuration is correct. Also, examine the system log for any reported exceptions.

CSIAC6216E The SAML Attribute Query STS module received an invalid saml response.

Explanation

The SAML response received by the SAML Attribute Query STS module is not valid.

Action

Verify that the configuration is correct. Also, examine the system log for any reported exceptions.

CSIAC6217E The response message InResponseTo attribute does not correlate to the pending request ID attribute.

Explanation

The response message contains an InResponseTo attribute that does not match the ID attribute of the pending request. It is possible that the response was received in error.

Action

If the response is legitimate, examine the trace logs to see why the InResponseTo attribute does not match the ID attribute of the currently pending request.

CSIAC6218E The timestamp in the SAML message is out of range. The message timestamp, msgTime, is not within tolerance seconds of compareTime.

Explanation

The SAML message has a timestamp that is not valid.

Action

There are several reasons that a SAML message timestamp might be out of range: the clocks on the communicating providers' systems are skewed beyond the acceptable tolerance, network delays are hampering message flow, or the acceptable tolerance for message timestamps is set too low. The administrator should check these points and make any necessary adjustments.

CSIAC6219E Cannot determine the SAML status.

Explanation

The SAML status attribute is required for this message and cannot be determined.

Action

Examine the trace logs to see why the SAML status was not set.

CSIAC6220E The attribute query request failed at the attribute authority.

Explanation

The SAML status included in the SAML response message indicates that the request failed at the attribute authority.

Action

Examine the trace logs at the attribute authority or the SAML response to see why the request operation failed.

CSIAC6221E The SAML Attribute Query STS token configuration is not valid for a required parameter: param. Value: value.

Explanation

The SAML Attribute Query STS token module has been configured with an invalid option.

Action

Verify that the configuration for the token module contains the required parameters for the operation.

CSIAC6222E The SAML Attribute Query STS token configuration is not valid for a required parameter: param. Value: value is out of range. Minimum value: value. Maximum Value: value.

Explanation

The SAML Attribute Query STS token module has been configured with an invalid option.

Action

Verify that the configuration for the token module contains the required parameters for the operation.

CSIAC6230E The OAuth validation request for token type: [type] failed.

Explanation

The OAuth validation request failed because the syntax of the request message or the parameters is not valid.

Action

Ensure that the request message and the parameters have the correct syntax.

CSIAC6231E The OAuth token type: [type] cannot be created.

Explanation

The OAuth server cannot issue an OAuth token for the requested token type.

Action

Check the trace logs to determine the cause of the error.

CSIAC6232E The OAuth server failed to authorize the OAuth token: [token] and user name: [username].

Explanation

The OAuth server cannot generate a verification code.

Action

Check the trace logs to determine the cause of the error.

CSIAC6233E The validation for the OAuth token: [token] failed.

Explanation

The OAuth server cannot validate the token.

Action

Check the trace logs to determine the cause of the error.

CSIAC6235E The token type: [type] that was received is not valid.

Explanation

The token type value is not recognized.

Action

Ensure that the token type sent to the OAuth server is valid.

CSIAC6236E The STSUU token passed to the STS does not have the required parameter: param.

Explanation

The STSUU token sent to the server does not have all the required parameters.

Action

Check the trace log to see which parameter is not present and to determine the cause of the error.

CSIAC6238E The configuration value for the parameter: [param] is not valid. The value found was: [value]. The default value [default value] is used instead.

Explanation

The value of the configuration parameter is not valid.

Action

Ensure that the configuration parameter type is correct and that the value is valid.

CSIAC6239E An OAuth parameter with the name: [param] already exists.

Explanation

There is a duplicate parameter in the request.

Action

Ensure that there are no duplicate parameters in the request message.

CSIAC6240E The OAuth token with lookup: [token string] and type: [type] cannot be found.

Explanation

The token for the given token type does not exist in the cache.

Action

Ensure that the token is valid and is mapped to the token type.

CSIAC6241E Invalid STS mode: mode.

Explanation

The STS mode is not mapped to the STS module.

Action

Ensure that the STS module is configured with the correct mode.

CSIAC6242E A two-legged OAuth request from client: client identifier failed.

Explanation

The OAuth server is not configured to accept two-legged OAuth requests.

Action

Ensure that two-legged OAuth is enabled at the OAuth server.

CSIAC6243E The OAuth client with identifier: client identifier cannot be found.

Explanation

The client identifier in the request does not match any registered client or the client is disabled at the OAuth server.

Action

Ensure that the client is valid and is registered correctly.

CSIAC6250E Invalid STS mode: mode.

Explanation

The STS mode is not mapped to the STS module.

Action

Ensure that the STS module is configured with the correct mode.

CSIAC6252E The OAuth 2.0 request type: request_type is not valid.

Explanation

The value of the request_type parameter is not valid.

Action

Ensure your OAuth 2.0 enforcement point is providing the correct value for this parameter, or no value at all.

CSIAC6253E The OAuth 2.0 token module request failed due to the following exception: name.

Explanation

An internal exception caused the request to stop.

Action

Check the exception that caused this error.

CSIAC6254E The mapping extension utility function fnc failed because the required attribute [attributeName] is missing or is not valid. Ensure that the identity contains the following attributes [attributeList].

Explanation

The mapping rule that is used to map the user identity might be wrong.

Action

Ensure that the mapping rule is configured to provide all the required user attributes.

CSIAC6255E The required attribute [name=attrName, id=attrId] is missing or is not valid.

Explanation

The attribute might be missing from the database.

Action

Ensure that the mapping rule is configured to provide all the required user attributes.

CSIAC6256E The uri value not assigned.

Explanation

There was a required value missing in one of the fields. Refer to the exception for which fields and types are missing.

Action

Add a value of the correct type to the request payload.

CSIAC6257E Invalid uri value. Uri must begin with http or https.

Explanation

The required value is invalid. Refer to the exception for which fields and types are missing.

Action

Add a value of the correct type to the request payload.

CSIAC6258E The authType value not assigned.

Explanation

The required value is invalid. Refer to the exception for which fields and types are missing.

Action

Add a value of the correct type to the request payload.

CSIAC6259E The authentication type not supported. Supported types are NONE, BASIC or CERTIFICATE.

Explanation

The authType value is invalid. Refer to the exception for which fields and types are missing.

Action

Add a value of the correct type to the request payload.

CSIAC6260E The username value for Basic Authentication not assigned.

Explanation

The required value is invalid. Refer to the exception for which fields and types are missing.

Action

Add a value of the correct type to the request payload.

CSIAC6261E The password value for Basic Authentication not assigned.

Explanation

The required value is invalid. Refer to the exception for which fields and types are missing.

Action

Add a value of the correct type to the request payload.

CSIAC6262E The client keystore value for Certificate Authentication not assigned.

Explanation

The required value is invalid. Refer to the exception for which fields and types are missing.

Action

Add a value of the correct type to the request payload.

CSIAC6263E The client alias value for Certificate Authentication not assigned.

Explanation

The required value is invalid. Refer to the exception for which fields and types are missing.

Action

Add a value of the correct type to the request payload.

CSIAC6264E The message format value not supported. Supported types are XML, JSON or WSTRUST.

Explanation

The required value is invalid. Refer to the exception for which fields and types are missing.

Action

Add a value of the correct type to the request payload.

CSIAC6265E The AppliesTo value required for WS-Trust message.

Explanation

The required value is invalid. Refer to the exception for which fields and types are missing.

Action

Add a value of the correct type to the request payload.

CSIAC6266E The export operation is not supported by this protocol.

Explanation

A request to export the configuration data has been made against a protocol which does not provide this support.

Action

Ensure that the correct federation has been selected.

CSIAC6267E The IssuerUri value required for WS-Trust message.

Explanation

The required value is invalid. Refer to the exception for which fields and types are missing.

Action

Add a value of the correct type to the request payload.

CSIAC6268E The LTPA key file is not valid.

Explanation

The specified LTPA Key file is not valid.

Action

Select a valid LTPA key file.

CSIAC6269E The remote server did not respond to the request in a timely manner or did not send back a valid response.

Explanation

The remote server was unresponsive and timed out, or did not send back a valid response.

Action

Check the logs to determine the cause of the failure, fix the problem, and try the request again.

CSIAC6270E Unable to provision the user.

Explanation

Configuration is invalid or services are unavailable.

Action

Ensure that the identity source configuration is valid.

CSIAC6271E Unable to hash the string [parameterName].

Explanation

Failed to create a message digest for the string.

Action

Please retry the request.

CSIAC6272E Unable to retrieve the JIT configuration.

Explanation

Failed to read the JIT configuration from the back-end database.

Action

Ensure that the back-end database is properly configured and can be reached.

CSIAC6273E The required attribute [parameterName] is missing or not valid.

Explanation

The specified attribute is not provided or the value is not valid.

Action

Ensure that the attribute that is specified in the error message and its correct value are included in the request.

CSIAC6274E Authentication failed due to a configured policy.

Explanation

The configured policy evaluation aborted the authentication flow.

Action

If the authentication failed unexpectedly, the administrator needs to check the configured authentication policy.

CSIAC6275E Authentication failed because of an internal error in policy evaluation.

Explanation

The configured policy evaluation failed.

Action

Contact the system administrator for further assistance.

CSIAC6276E User account is disabled.

Explanation

The existing user account is disabled.

Action

Ensure that the user account is enabled.

CSIAC6277E An error occurred when processing attribute source.

Explanation

Failed to map attributes or to find attribute sources.

Action

Please check the attribute mapping configuration.

CSIAC6278E User account is not found.

Explanation

No user account was found and just-in-time provisioning is disabled.

Action

Ensure that the user account exists.

CSIAC6279E The system cannot complete the just-in-time provisioning because the username attribute is missing.

Explanation

Username is a required attribute for just-in-time provisioning of the user account.

Action

Ensure that the identity source includes the username attribute in the external identity token.

CSIAC6280E The required attribute for name identifier [id=attrId] is missing or is not valid.

Explanation

The attribute might be missing from the database.

Action

Ensure that the attribute is configured correctly.

CSIAC6281E The system cannot complete the login because the user did not consent.

Explanation

The user denied consent to log in.

Action

None.

CSIAC6282E An internal error occurred during user consent status check.

Explanation

The error might be the result of a temporary system or network connectivity problem.

Action

Check the network connectivity and health status of the DPCM API.

CSIAC6283E The username or password that you entered is incorrect.

Explanation

The username or password that you entered is incorrect.

Action

None.

CSIAC6284E The system could not process the WS-Trust request because an internal error occurred.

Explanation

An internal error occurred when processing the WS-Trust request.

Action

Wait and resubmit the request. If the problem persists, contact IBM Security Verify support.

CSIAC6285E User is not authorized to access the application due to policy constraints.

Explanation

Access policy evaluation denied your access to the application. Please check with your administrator for the applicable access policy for the application.

Action

The administrator needs to check the applicable access policy for the application.

CSIAC6286E The system cannot complete the just-in-time provisioning because identity linking is enabled, but no realm is configured.

Explanation

A realm must be specified for just-in-time provisioning when identity linking is enabled.

Action

Ensure that the identity source configuration is valid.

CSIAC6287E The system cannot complete the just-in-time provisioning because identity linking is enabled but no principal attribute is configured.

Explanation

All required attributes must be specified in the request.

Action

Add the missing attribute to the configuration and retry the request.

CSIAC6288E The system cannot complete the just-in-time provisioning because the realm attribute is missing.

Explanation

All required attributes must be specified in the request.

Action

Add the missing attribute to the configuration and retry the request.

CSIAC6289E The system cannot complete the just-in-time provisioning because multiple users were found.

Explanation

Configuration is invalid or services are unavailable.

Action

Correct the user value or use a different user and retry the request.

CSIAC6290E The system cannot complete the just-in-time provisioning because it cannot retrieve any users.

Explanation

This problem might be caused by a temporary system error or network issue.

Action

Wait and retry the request later.

CSIAC6291E The system cannot complete the just-in-time provisioning because it cannot create the user.

Explanation

This problem might be caused by a temporary system error or network issue.

Action

Wait and retry the request later.

CSIAC6292E The system cannot complete the just-in-time provisioning because it cannot update the user.

Explanation

This problem might be caused by a temporary system error or network issue.

Action

Wait and retry the request later.

CSIAC6293E The system cannot complete the just-in-time provisioning because update user operation is forbidden.

Explanation

You do not have sufficient authorization to perform this operation. Request the necessary permissions from your administrator.

Action

Review the authorizations of the requestor and if appropriate, grant the necessary permissions.

CSIAC6294E The system cannot complete the just-in-time provisioning because it cannot retrieve the user to be updated.

Explanation

Configuration is invalid or services are unavailable.

Action

Verify that the user exists and was entered correctly. If the user is correct, wait and retry the request later.

CSIAC6295E The system cannot complete the just-in-time provisioning because conflicts exist when updating the user.

Explanation

Configuration is invalid or services are unavailable.

Action

Wait and retry the request later.

CSIAC6296E The system cannot process the request because an internal error occurred during the active profile request rule evaluation.

Explanation

The internal error might be caused by a temporary system or network problem, or failure to evaluate the active profile request rule.

Action

The administrator needs to verify that the system and network are available and check the active profile request rule for any errors.