IBM Support

Kerberos-enabled FileNet Content Platform Engine (CPE) 5.2.x: authentication fails when calling Content Engine through an F5 load balancer (LB) alias-based URL

Troubleshooting


Problem

Kerberos authentication fails when calling CEWS (Content Engine Web Service) through the LB alias-based URL, generating the error "acceptSecContext call failed to establish security context!".

Symptom

The following error is logged in the CPE JVM log (SystemOut.log) when CEWS is accessed through the LB URL:
==
[5/27/15 11:58:14:389 EDT] 000000e2 SystemOut O [KrbServiceLoginModule] acceptSecContext call failed to establish security context!
[5/27/15 11:58:14:389 EDT] 000000e2 SystemOut O [KrbServiceLoginModule] login failure: Failed Kerberos service ticket login: could not establish context
[5/27/15 11:58:14:404 EDT] 000000e2 LdapRegistryI E No user KerberosUser found
[5/27/15 11:58:14:404 EDT] 000000e2 LdapRegistryI E SECJ0336E: Authentication failed for user KerberosUser because of the following exception com.ibm.websphere.security.PasswordCheckFailedException: No user KerberosUser found
[5/27/15 11:58:14:420 EDT] 000000e2 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.PasswordCheckFailedException: No user KerberosUser found.
[5/27/15 11:58:14:420 EDT] 000000e2 SystemOut O [KrbServiceLoginModule] aborting

Cause

In this CPE 5.2.x cluster configuration, the Kerberos login module was not being invoked on the second CPE node. The [KrbServiceLoginModule] file "Engine-authn.jar" was *NOT* installed in the WAS /lib directory of the second node (CPE2).

The KrbServiceLoginModule was not invoked by the CE WSI listener, which instead treated the SOAP header as a regular username/password header (a working Kerberos configuration requires a valid Kerberos token in the SOAP header). This produced the errors shown under Symptom.


The issue was that the required Kerberos login module could not be accessed, because the "Engine-authn.jar" file was *NOT* in the "WAS_HOME/lib" directory of the second node (CPE2). Adding the "Engine-authn.jar" file to the "WAS_HOME/lib" directory resolved the issue. CEWS could then be accessed successfully through the Kerberos-enabled F5 LB URL for both CPE1 (node1) and CPE2 (node2).

Environment

Kerberos-enabled Content Engine

Cluster-enabled Content Platform Engine 5.2.03 (multiple nodes)

WebSphere 8.5.x ND

Resolving The Problem

Ensure that the Kerberos login module "Engine-authn.jar" file is copied to all nodes in the cluster.
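
To find which node behind the load balancer still shows this failure, each node's SystemOut.log can be searched for the signature from the Symptom section: a KrbServiceLoginModule context failure followed, on the same thread, by an LDAP lookup of "KerberosUser". The script below is an added example, not IBM or FileNet code; the function names and the node labels in the sample are hypothetical, and it assumes the log line layout shown under Symptom.

```python
import re

# WebSphere basic log line: [timestamp] thread-id component level message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]{8})\s+"
    r"(?P<component>\S+)\s+(?P<level>[A-Z])\s+(?P<msg>.*)$"
)
KRB_FAIL = "acceptSecContext call failed to establish security context"
FALLBACK = "No user KerberosUser found"


def find_kerberos_fallbacks(lines):
    """Return one finding per request where a KrbServiceLoginModule context
    failure is followed, on the same thread, by an LDAP lookup of 'KerberosUser'."""
    pending = {}  # thread id -> timestamp of the Kerberos failure
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # stack-trace or continuation line
        thread, msg = m["thread"], m["msg"]
        if "[KrbServiceLoginModule]" in msg and KRB_FAIL in msg:
            pending[thread] = m["ts"]
        elif m["component"] == "LdapRegistryI" and FALLBACK in msg and thread in pending:
            findings.append({"thread": thread, "kerberos_failure": pending.pop(thread),
                             "fallback": m["ts"]})
        elif "[KrbServiceLoginModule] aborting" in msg:
            pending.pop(thread, None)  # request finished; stop correlating
    return findings


def affected_nodes(logs_by_node):
    """Map of node name -> findings, only for nodes that show the signature."""
    hits = {node: find_kerberos_fallbacks(lines) for node, lines in logs_by_node.items()}
    return {node: f for node, f in hits.items() if f}


# Sample input. Node labels are assumptions of this example; the CPE2 lines are
# copied from the Symptom log, the CPE1 line is constructed.
SAMPLE = {
    "CPE1": ["[5/27/15 11:58:10:101 EDT] 000000a1 SystemOut O constructed: unrelated message"],
    "CPE2": [
        "[5/27/15 11:58:14:389 EDT] 000000e2 SystemOut O [KrbServiceLoginModule] acceptSecContext call failed to establish security context!",
        "[5/27/15 11:58:14:404 EDT] 000000e2 LdapRegistryI E No user KerberosUser found",
        "[5/27/15 11:58:14:404 EDT] 000000e2 LdapRegistryI E SECJ0336E: Authentication failed for user KerberosUser because of the following exception com.ibm.websphere.security.PasswordCheckFailedException: No user KerberosUser found",
        "[5/27/15 11:58:14:420 EDT] 000000e2 SystemOut O [KrbServiceLoginModule] aborting",
    ],
}

if __name__ == "__main__":
    for node, found in affected_nodes(SAMPLE).items():
        print(node, found)
```

A node that still reports findings after the fix is a candidate for checking that "Engine-authn.jar" is present in its WAS lib directory.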


Document Information

More support for:
FileNet P8 Platform

Software version:
5.1, 5.2, 5.2.1

Operating system(s):
AIX, HP-UX, Linux, Windows

Document number:
533121

Modified date:
17 June 2018

UID

swg21962831