When a server instance in a WebSphere network deployment (ND) environment with global security is configured with the ITCAM for Application Diagnostics agent, the application may fail while accessing the Deployment Manager's AdminClient. This problem can happen in ITCAM for WebSphere v6.1 also.
Errors like the following can be seen in SystemErr.log or SystemOut.log:
javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getName operation on ThreadPool MBean because of insufficient or empty credentials
and the stack trace will have a method (like getAttribute, invoke) of com.ibm.ws.management.AdminClientImpl class trying to use SOAP or RMI connector to complete the operation.
If the Deployment Manager's connection properties are not specified in ITCAM for AD's properties, it uses WebSphere's AdminService to discover this. This returns an AdminClient to the Deployment Manager that does not have any credentials since it runs within the security context of the running process. This AdminClient is then cached by WebSphere's AdminClientFactory and then subsequently given to the application that fails since it does not have associated security credentials.
WebSphere network deployment (including cluster environments) with global security enabled
Resolving The Problem
If the application fails due to the above reason, check the <DC_HOME>/runtime/<server>/datacollector.properties and make sure the Deployment Manager's connection properties are available and set correctly:
deploymentmgr.connnection.type=SOAP (or RMI)
deploymentmgr.soap.connection=<dmgr_host>:<dmgr_soap_port> (if SOAP is used)
deploymentmgr.rmi.connection=<dmgr_host>:<dmgr_rmi_port> (if RMI is used)
Note that the same datacollector.properties also has two additional properties called deploymentmgr.rmi.host and deploymentmgr.rmi.port. Setting these will not resolve the issue.
Was this topic helpful?
17 June 2018