IBM Support

403 error accessing WebSphere Portal via WebSEAL

Troubleshooting


Problem

When accessing WebSphere Portal via Tivoli Access Manager (TAM) WebSEAL, you receive the following message: 403 AuthenticationFailed. This technote discusses a couple of scenarios in which this problem can occur.

Symptom


SystemOut.log shows:

[5/21/09 6:43:16:036 MYT] 000000b4 WebAuthentica E   SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: Basic Authentication failed.

Cause

TAM Authorization server is not started.

Environment

TAI ++ is the Trust Association Interceptor (TAI) configured in WebSphere Portal to allow external authentication by Tivoli Access Manager.

Diagnosing The Problem


Collect Tivoli Access Manager Integration MustGather information (see Related information below).

Case 1

Trace.log shows:

[5/24/09 6:28:36:734 MYT] 000022b0 TAMTrustAssoc > com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus validateEstablishedTrust(HttpServletRequest) ENTRY
[5/24/09 6:28:36:734 MYT] 000022b0 TAMTrustAssoc 1 com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus validateEstablishedTrust(HttpServletRequest) SSO password not cached. Attempting to authenticate myuser
[5/24/09 6:28:36:744 MYT] 000022b0 TAMTrustAssoc 1 com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus validateEstablishedTrust(HttpServletRequest) Authentication failed:
[
HPDJA0116E   Cannot contact server.
]

When the TAI intercepts the request, it attempts to authenticate the user specified in the com.ibm.websphere.security.webseal.loginId property in the TAI settings in WebSphere Application Server. With TAI++, unlike the standard WebSEAL TAI, the actual authentication is performed by the TAM Authorization server. The property that specifies the contact information for the TAM Authorization server is read from the PdPerm.properties file found in <was_home>/java/jre/PolicyDirector.

Case 2

Trace.log does not reveal any additional information regarding the exception. However, you confirm that a manually generated TAM junction is being used as opposed to one created via the enable-tam-tai or enable-tam-all configuration task. Further investigation reveals that mutual SSL is being used for the configuration, but the -U parameter was not included when creating the junction.

Resolving The Problem


Case 1

Check the value for appsvr-authzsvrs in PdPerm.properties. The value should contain the contact details for the TAM authorization server used by Portal. Ensure the host and port information are correct and the authorization server is started.



Case 2

Recreate the junction using the -U parameter so that trust is validated between WebSEAL and WebSphere Application Server using the Authorization header of the request. Note that the WebSphere Portal configuration tasks enable-tam-tai and enable-tam-all use the -U parameter when creating an SSL junction.
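The following triage helper is an added example, not part of this technote or of any IBM product. It reads the appsvr-authzsvrs property the Case 1 resolution points to, checks that each authorization server accepts a TCP connection, and maps the log markers quoted under Symptom and Diagnosing The Problem to the two cases. The excerpt of PdPerm.properties, the host names and the use of port 7136 are constructed sample values.

```python
"""Triage helper for TAI++ 403 AuthenticationFailed (added example)."""
import re
import socket

# Constructed excerpt of PdPerm.properties (the real file lives under
# <was_home>/java/jre/PolicyDirector). Host names and ports are placeholders.
SAMPLE_PDPERM = """\
# PdPerm.properties (constructed excerpt)
appsvr-authzsvrs = tam-authz1.example.internal:7136:1,tam-authz2.example.internal:7136:2
pd-home = /opt/PolicyDirector
"""


def parse_authzsvrs(text):
    """Return [(host, port, rank), ...] from appsvr-authzsvrs, lowest rank first.
    Assumed format: comma-separated entries of the form host:port:rank."""
    m = re.search(r"^\s*appsvr-authzsvrs\s*=\s*(.+?)\s*$", text, re.MULTILINE)
    if not m:
        return []
    servers = []
    for entry in m.group(1).split(","):
        parts = entry.strip().split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed appsvr-authzsvrs entry: {entry!r}")
        host, port, rank = parts
        servers.append((host, int(port), int(rank)))
    return sorted(servers, key=lambda s: s[2])


def authzsvr_reachable(host, port, timeout=3.0):
    """Plain TCP connect test. A refused or timed-out connect means the
    authorization server is stopped or host/port in PdPerm.properties is
    wrong, which is the Case 1 condition behind HPDJA0116E."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_trace(lines):
    """Map the markers quoted in this technote to its two cases."""
    text = "\n".join(lines)
    if "HPDJA0116E" in text:
        return "case1: cannot contact authorization server; check appsvr-authzsvrs"
    if "SECJ0126E" in text:
        return "case2: trust failed with no contact error; check junction was created with -U"
    return "no TAI++ failure markers found"
```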


Document Information

More support for:
WebSphere Portal

Software version:
6.1, 6.0

Operating system(s):
AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Document number:
391605

Modified date:
03 December 2021

UID

swg21392488
