Security authorization provider troubleshooting tips
This article describes the issues you might encounter using a Java™ Authorization Contract for Containers (JACC) authorization provider. Tivoli® Access Manager is bundled with WebSphere® Application Server as an authorization provider. However, you also can plug in your own authorization provider.
Tivoli Access Manager as a Java Authorization Contract for Containers authorization provider
- The configuration of JACC might fail.
- The server might fail to start after configuring JACC.
- The application might not deploy properly.
- The startServer command might fail after you have configured Tivoli Access Manager or a clean uninstall did not take place after unconfiguring JACC.
- HPDIA0202w An unknown user name was presented to Access Manager error might occur.
- HPDAC0778E The specified user's account is set to invalid error might occur.
- WASX7017E: Exception received while running file InsuranceServicesSingle.jacl error might occur.
- Access denied exceptions accessing applications when using JACC
External providers for Java Authorization Contract for Containers authorization provider
The configuration of JACC might fail
If you have problems configuring JACC, check the following items:
- Ensure that the parameters are correct. For example, you do not want a number after TAM_Policy_server_hostname:7135, but you do want a number after TAM_Authorization_server_hostname:7136 (for example, TAM_Authorization_server_hostname:7136:1).
- If a message such as "server can't be contacted" is displayed, it is possible that the host names or port numbers of the Tivoli Access Manager servers are incorrect, or that the Tivoli Access Manager servers have not started.
- Ensure that the password for the sec_master user is correct.
- Check the SystemOut.log file and search for the AMAS string to see if any error messages are present.
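The host:port format for the policy server and the host:port:rank format for the authorization servers are easy to get backwards. The following validator is an added example (not code from WebSphere Application Server or Tivoli Access Manager) that checks both settings before you type them into the JACC configuration panel; the host names and ports in it are constructed sample values, and the message strings are my own wording.

```python
import re
from typing import List

# Host name syntax: dot-separated labels of letters, digits and hyphens.
_HOST = (r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
         r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")
# Policy server: host:port with NO trailing number (article: ...:7135).
_POLICY_RE = re.compile(rf"^(?P<host>{_HOST}):(?P<port>\d{{1,5}})$")
# Authorization server: host:port:rank WITH a trailing number (article: ...:7136:1).
_AUTHZ_RE = re.compile(rf"^(?P<host>{_HOST}):(?P<port>\d{{1,5}}):(?P<rank>\d+)$")

MSG_POLICY_HAS_RANK = "policy server must not have a trailing rank number (use host:port)"
MSG_POLICY_FORMAT = "policy server must be host:port"
MSG_AUTHZ_NO_RANK = "authorization server needs a trailing rank number (use host:port:rank)"
MSG_AUTHZ_FORMAT = "authorization server must be host:port:rank"
MSG_PORT_RANGE = "port is out of range 1-65535"


def _port_ok(port: str) -> bool:
    return 1 <= int(port) <= 65535


def check_policy_server(value: str) -> List[str]:
    """Return a list of problems with the policy server setting (empty if OK)."""
    value = value.strip()
    m = _POLICY_RE.match(value)
    if not m:
        # The most common mistake is copying the authorization-server form.
        return [MSG_POLICY_HAS_RANK] if _AUTHZ_RE.match(value) else [MSG_POLICY_FORMAT]
    return [] if _port_ok(m.group("port")) else [MSG_PORT_RANGE]


def check_authz_server(value: str) -> List[str]:
    """Return a list of problems with one authorization server setting (empty if OK)."""
    value = value.strip()
    m = _AUTHZ_RE.match(value)
    if not m:
        # The mirror-image mistake: forgetting the rank number.
        return [MSG_AUTHZ_NO_RANK] if _POLICY_RE.match(value) else [MSG_AUTHZ_FORMAT]
    return [] if _port_ok(m.group("port")) else [MSG_PORT_RANGE]


def check_tam_servers(policy: str, authz_servers: List[str]) -> List[str]:
    """Validate the policy server and every authorization server; [] means all OK."""
    problems = check_policy_server(policy)
    for entry in authz_servers:
        problems.extend(check_authz_server(entry))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(check_tam_servers("tam-policy.example.com:7135",
                            ["tam-authz.example.com:7136:1",
                             "tam-authz2.example.com:7136"]))
```

Run it with the values you intend to enter; an empty list means both formats match what the configuration panel expects, and each message names which entry is wrong and in which direction.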
The server might fail to start after configuring JACC
If the server does not start after JACC is configured, check the following items:
- Ensure that WebSphere Application Server and Tivoli Access Manager use the same Lightweight Directory Access Protocol (LDAP) server.
- If the message "Policy Director Authentication failed" is displayed, ensure that:
  - The WebSphere Application Server LDAP server ID is the same as the Administrator user in the Tivoli Access Manager JACC configuration panel.
  - The Tivoli Access Manager Administrator distinguished name (DN) is correct.
  - The password of the Tivoli Access Manager administrator has not expired and is valid.
  - The account for the Tivoli Access Manager administrator is valid.
- If a message such as "socket can't be opened for xxxx" (where xxxx is a number) is displayed, take the following actions:
  - Go to the profile_root/etc/tam directory.
  - Change xxxx to an available port number in the amwas.commomconfig.properties file. If the node failed to start, change xxxx to an available port number in the amwas*cellName_nodeName_.properties file. If the Application Server failed to start, change xxxx in the amwas*cellname_nodeName_serverName.properties file.
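Before editing the port in one of the amwas properties files, it is worth confirming that the new number is actually free on the node and that only the intended value is changed. The following helper is an added example (not part of WebSphere Application Server or Tivoli Access Manager): it probes a port by attempting a local bind, picks the next free one, and rewrites every "key=oldport" line in a properties file. The properties content and key names in SAMPLE_PROPERTIES are constructed for illustration and are not the keys used in the real amwas*.properties files.

```python
import re
import socket
from pathlib import Path
from typing import Tuple

# Constructed sample properties content; the key names are assumptions for
# illustration and do not correspond to the real amwas*.properties keys.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real amwas properties file
com.example.tam.listen.port=7137
com.example.tam.other.setting=value
"""


def port_is_free(port: int, host: str = "127.0.0.1") -> bool:
    """Attempt a bind on the port; failure means another process already holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def find_free_port(start: int, end: int = 65535) -> int:
    """Return the first free TCP port in the range [start, end]."""
    for port in range(start, end + 1):
        if port_is_free(port):
            return port
    raise RuntimeError(f"no free port between {start} and {end}")


def replace_port(text: str, old_port: int, new_port: int) -> Tuple[str, int]:
    """Rewrite every 'key=old_port' line to use new_port; returns (new_text, count).

    Only whole values are matched, so a port embedded in a longer number
    (e.g. 71370) or mentioned in a comment line is left untouched."""
    pattern = re.compile(rf"^([ \t]*[^#=\s][^=]*=[ \t]*){old_port}[ \t]*$", re.MULTILINE)
    return pattern.subn(rf"\g<1>{new_port}", text)


def repair_properties_file(path: Path, failed_port: int) -> int:
    """Choose a free port above failed_port, rewrite the file in place, return the new port."""
    new_port = find_free_port(failed_port + 1)
    text, count = replace_port(path.read_text(), failed_port, new_port)
    if count == 0:
        raise ValueError(f"port {failed_port} not found in {path}")
    path.write_text(text)
    return new_port


def occupied_port_detected() -> bool:
    """Self-check: open a listener on an ephemeral port and confirm it reads as busy."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        busy_port = srv.getsockname()[1]
        return not port_is_free(busy_port)


if __name__ == "__main__":
    # Dry run on the constructed sample: show what would change for port 7137.
    new_text, changed = replace_port(SAMPLE_PROPERTIES, 7137, find_free_port(7138))
    print(f"{changed} line(s) changed:\n{new_text}")
```

Back up the properties file before calling repair_properties_file on it; the function edits in place. Because the bind probe only sees what is listening at that moment, a port that is free now can still be claimed by another service later, so keep the chosen port out of any range that other components on the node are configured to use.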
The application might not deploy properly
When you click Save, the policy and role information is propagated to the Tivoli Access Manager policy. This process might take some time to finish. If the save fails, you must uninstall the application and then reinstall it.
To access an application after it is installed, wait 30 seconds (the default interval) after you save before you start the application.
The startServer command might fail
The startServer command might fail after you configure Tivoli Access Manager or a clean uninstall did not take place after unconfiguring JACC.
- Remove the Tivoli Access Manager properties files from WebSphere Application Server. The following files must be removed:
  install_root/tivoli/tam/PdPerm.properties
  install_root/tivoli/tam/PdPerm.ks
  profile_root/etc/tam/*
- Use a utility to clear the security configuration and return the system to the state it was in before you configured the JACC provider for Tivoli Access Manager. The utility removes all of the PDLoginModuleWrapper entries as well as the Tivoli Access Manager authorization table entry from the security.xml file, effectively removing the JACC provider for Tivoli Access Manager. Back up the security.xml file before running this utility. Enter the following command:
  install_root/java/jre/bin/java -classpath install_root/lib/AMJACCProvider.jar:CLASSPATH com.tivoli.pd.as.jacc.cfg.CleanSecXML fully_qualified_path/security.xml
HPDIA0202w: An unknown user name was presented to Access Manager
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A Tivoli Access Manager exception was caught. Details are:
HPDIA0202W An unknown user name was presented to Access Manager.
This problem might be caused by the host name exceeding predefined limits with Tivoli Access Manager when it is configured against MS Active Directory. In WebSphere Application Server, the maximum length of the host name cannot exceed 46 characters. Check that the host name is not fully qualified. Configure the machine so that the host name does not include the host domain.
- On the command line, type the following information to get a Tivoli Access Manager command prompt:
  pdadmin -a administrator_name -p administrator_password
  For example:
  pdadmin -a administrator1 -p passw0rd
  The pdadmin administrator_name prompt is displayed.
- At the pdadmin command prompt, import the user from the LDAP user registry to Tivoli Access Manager by typing the following information:
  user import user_name cn=user_name,o=organization_name,c=country
  For example:
  user import jstar cn=jstar,o=ibm,c=us
  Then set the imported account to valid:
  user modify user_name account-valid yes
  For example:
  user modify jstar account-valid yes
For information on how to import a group from LDAP to Tivoli Access Manager, see the Tivoli Access Manager documentation.
HPDAC0778E: The specified user's account is set to invalid
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.: AWXJR0007E A Tivoli Access Manager exception was caught. Details are: "HPDAC0778E The specified user's account is set to invalid."
At the pdadmin command prompt, set the account to valid:
  user modify user_name account-valid yes
  For example:
  user modify jstar account-valid yes
HPDJA0506E: Invalid argument: Null or zero-length user name field for the ACL entry
AWXJR0035E An error occurred while attempting to add member, cn=agent3,o=ibm,c=us, to role AgentRole HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry
To correct this error, create or import into Tivoli Access Manager the user that is mapped to the security role. For more information on propagating the security policy information, see the documentation for your authorization provider.
WASX7017E: Exception received while running file InsuranceServicesSingle.jacl
WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl"; exception information: com.ibm.ws.scripting.ScriptingException: WASX7111E: Cannot find a match for supplied option: "[RuleManager, , , cn=mgr3,o=ibm,c=us|cn=agent3,o=ibm,c=us, cn=ManagerGroup,o=ibm,c=us|cn=AgentGroup,o=ibm,c=us]" for task "MapRolesToUsers"
The $AdminApp MapRolesToUsers task option is no longer valid when Tivoli Access Manager is used as the authorization server. To correct the error, change MapRolesToUsers to TAMMapRolesToUsers.
Access denied exceptions accessing applications when using JACC
AWXJR0044E: The access decision for Permission, {0}, was denied because either the PolicyConfiguration or RoleConfiguration objects did not get created successfully at application installation time. RoleConfiguration exists = {false}, PolicyConfiguration exists = {"false"}.
If the access denied exceptions are not expected for the application, check the SystemOut.log files to see if the security policy information was correctly propagated to the provider.
If the security policy information for the application is successfully propagated to the provider, the audit statements with the message key SECJ0415I appear. However, if there was a problem propagating the security policy information to the provider (for example: network problems, JACC provider is not available), the SystemOut.log files contain the error message with the message keys SECJ0396E (during install) or SECJ0398E (during modification). The installation of the application is not stopped due to a failure to propagate the security policy to the JACC provider. Also, in the case of failure, no exception or error messages appear during the save operation. When the problem causing this failure is fixed, run the propagatePolicyToJaccProvider tool to propagate the security policy information to the provider without reinstalling the application.
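Because a failed propagation does not stop the install or raise an error on save, the only record of it is in SystemOut.log. The following scanner is an added example (not a WebSphere Application Server or Tivoli Access Manager tool) that pulls out the message keys this article names, including the AMAS string from the configuration checks earlier on the page, and works out per application whether the last propagation attempt succeeded or needs the propagatePolicyToJaccProvider tool rerun. The SAMPLE_LOG lines are constructed in a WebSphere-like layout and are not copied from a real log, the explanatory text for each key is my own summary of the article, and APP_RE assumes the propagation messages name the application as "application <name>"; adjust it to match the wording in your log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message keys named in the article; the meaning text is my summary of the article.
MESSAGE_KEYS: Dict[str, str] = {
    "SECJ0415I": "security policy propagated to the JACC provider (expected after save)",
    "SECJ0396E": "propagation failed during install; rerun propagatePolicyToJaccProvider",
    "SECJ0398E": "propagation failed during modification; rerun propagatePolicyToJaccProvider",
    "AWXJR0044E": "access denied: PolicyConfiguration/RoleConfiguration not created at install",
    "HPDIA0202W": "unknown user presented to Access Manager: import the user with pdadmin",
    "HPDAC0778E": "account set to invalid: pdadmin 'user modify <name> account-valid yes'",
    "HPDJA0506E": "empty ACL user name: create or import the user mapped to the role",
    "AWXJR0035E": "could not add member to role (usually paired with HPDJA0506E)",
    "WASX7111E": "wsadmin option mismatch: use TAMMapRolesToUsers instead of MapRolesToUsers",
}
KEY_RE = re.compile(r"\b([A-Z]{3,5}\d{4}[IWE])\b")
# Assumption: propagation messages mention "application <name>"; adjust to your log.
APP_RE = re.compile(r"application (\S+)")

# Constructed log lines in a WebSphere-like layout; not copied from a real SystemOut.log.
SAMPLE_LOG = [
    "[constructed] 00000012 JaccUtil      I   SECJ0415I: security policy for application InsuranceApp propagated to provider",
    "[constructed] 00000013 JaccUtil      E   SECJ0396E: propagation for application ClaimsApp failed: provider not available",
    "[constructed] 00000014 AMASClient    E   AMAS_connect: policy server tam-policy.example.com:7135 not reachable",
    "[constructed] 00000015 JaccUtil      E   AWXJR0044E: The access decision for Permission was denied; RoleConfiguration exists = false",
]


@dataclass
class Finding:
    line_no: int
    key: str
    meaning: str
    app: Optional[str]


def scan_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that carries a known message key or the AMAS string."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        app_match = APP_RE.search(line)
        app = app_match.group(1) if app_match else None
        key_match = KEY_RE.search(line)
        if key_match and key_match.group(1) in MESSAGE_KEYS:
            key = key_match.group(1)
            findings.append(Finding(n, key, MESSAGE_KEYS[key], app))
        elif "AMAS" in line:
            # The article's first check: search SystemOut.log for the AMAS string.
            findings.append(Finding(n, "AMAS", "Access Manager client error; read the line", app))
    return findings


def propagation_status(findings: List[Finding]) -> Dict[str, str]:
    """Per application, the outcome of the latest propagation message seen in the log."""
    status: Dict[str, str] = {}
    for f in findings:
        if f.app is None:
            continue
        if f.key == "SECJ0415I":
            status[f.app] = "propagated"
        elif f.key in ("SECJ0396E", "SECJ0398E"):
            status[f.app] = "failed"
    return status


def apps_needing_repropagation(findings: List[Finding]) -> List[str]:
    """Applications whose last recorded propagation failed."""
    return sorted(app for app, state in propagation_status(findings).items() if state == "failed")


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.key} ({f.app or '-'}) {f.meaning}")
    print("rerun propagatePolicyToJaccProvider for:", apps_needing_repropagation(found))
```

To use it on a real server, replace SAMPLE_LOG with the lines of the SystemOut.log file (for example, `scan_log(open(path).read().splitlines())`). Ordering matters: the status is taken from the latest message for each application, so an SECJ0415I written after a fixed propagation correctly clears an earlier SECJ0396E or SECJ0398E.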