IBM Support

MustGather: Web Single Sign-on problems with WebSphere Application Server

Troubleshooting


Problem

Collecting data for problems with IBM WebSphere® Application Server versions 8.5 and 9.0 and Liberty using Web Single Sign-on (WebSSO). Gathering this MustGather information before you call IBM support can help you understand the problem and save time analyzing the data.

Resolving The Problem


The Web Single Sign-on components include:

For SSO issues involving a component that is not in this list, such as LTPA or Kerberos, see MustGather: Security problems for WebSphere Application Server. For SPNEGO, see MustGather: SPNEGO problems on WebSphere traditional.

  • Read first and MustGathers

    For a listing of all technotes, downloads, and educational materials specific to the Web Single Sign-on component, search the WebSphere Application Server support site.


     
  • Exchange data with IBM Support

    To diagnose or identify a problem, it is sometimes necessary to provide Technical Support with data and information from your system. In addition, Technical Support might also need to provide you with tools or utilities for you to use during problem determination. You can submit files by using one of the following methods to help speed problem diagnosis:


  • SSO trace specifications
    Avoid delay: The SSO runtimes emit configuration data in the trace only during server startup. Therefore, you must gather traces to send to IBM support from server startup.
    • WebSphere traditional

      Enter WebSphere traditional trace strings as one line with no breaks or spaces.

      OpenID Connect (OIDC), OpenID 2.0, and JWT authentication

      *=info:com.ibm.ws.security.oidc.*=all:com.ibm.ws.security.openidconnect.*=all:com.ibm.ws.security.openid20.*=all:com.ibm.ws.security.web.*=all

      OAuth provider

      *=info:com.ibm.ws.security.oauth20.*=all:com.ibm.oauth.*=all:com.ibm.ws.security.web.*=all

      SAML Web Single Sign On

      *=info:com.ibm.ws.security.web.*=all:com.ibm.ws.security.saml.*=all:com.ibm.websphere.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.ws.wssecurity.platform.audit.*=off

      SAML Web Single Sign On with WS-Security

      *=info:com.ibm.ws.security.web.*=all:com.ibm.ws.security.saml.*=all:com.ibm.websphere.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:com.ibm.ws.webservices.multiprotocol.AgnosticService=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.websvcs.utils.SecurityContextMigrator=all:com.ibm.wsspi.wssecurity.*=all:com.ibm.xml.soapsec.*=all

      SAML Web Inbound

      *=info:com.ibm.ws.security.web.*=all:com.ibm.websphere.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.ws.wssecurity.platform.audit.*=off
       
    • Liberty
      OpenID Connect (OIDC), OpenID 2.0, OAuth, and JWT authentication

      com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all:com.ibm.oauth.*=all:com.ibm.wsspi.security.oauth20.*=all:org.openid4java.*=all:org.apache.http.client.*=all

      SAML Web Single Sign On

      com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.*=all:org.apache.xml.security.*=all:com.ibm.ws.http.*=all:com.ibm.ws.ssl.*=all:com.ibm.ws.channel.ssl.*=all:com.ibm.ws.transport.http.*=all:com.ibm.websphere.channelfw.ChannelUtils=all:org.opensaml.*=all
      All

      com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all:com.ibm.oauth.*=all:com.ibm.wsspi.security.oauth20.*=all:org.openid4java.*=all:org.apache.http.client.*=all:org.apache.xml.security.*=all:com.ibm.ws.http.*=all:com.ibm.ws.ssl.*=all:com.ibm.ws.channel.ssl.*=all:com.ibm.ws.transport.http.*=all:com.ibm.websphere.channelfw.ChannelUtils=all:org.opensaml.*=all
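The instruction that a trace string must be entered as one line with no breaks or spaces is easy to violate when copying from a browser or an e-mail. The following script is an added example (not part of the IBM technote) that collapses a pasted specification and checks that every component has the form package=level with a known level. The level names are the standard WebSphere trace levels; the package names used in the usage example are taken from the specifications listed above.

```python
"""Normalize and sanity-check a WebSphere trace specification string.

Added example, not part of the IBM technote. Collapses a specification that
was pasted with line breaks and checks that every component has the form
package=level with a known trace level.
"""
import re
from typing import Dict, List

# Trace levels accepted by WebSphere traditional and Liberty, coarsest to finest.
LEVELS = {"off", "fatal", "severe", "warning", "audit", "info", "config",
          "detail", "fine", "finer", "finest", "all"}

# One component: a package (optionally ending in .*), a single class name, or
# the bare * base level, followed by =level.
_COMPONENT = re.compile(r"^([A-Za-z_][\w.]*(?:\.\*)?|\*)=([A-Za-z]+)$")


def normalize_trace_spec(text: str) -> str:
    """Remove all whitespace and empty components from a pasted specification."""
    joined = re.sub(r"\s+", "", text)
    return ":".join(part for part in joined.split(":") if part)


def validate_trace_spec(spec: str, require_base: bool = False) -> List[str]:
    """Return the problems found in a one-line specification (empty list = OK).

    require_base=True enforces the leading *=<level> component that the
    WebSphere traditional specifications on the page all carry; the Liberty
    specifications have no base component, so leave it False for Liberty.
    """
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for component in spec.split(":"):
        m = _COMPONENT.match(component)
        if not m:
            problems.append(f"malformed component: {component!r}")
            continue
        pkg, level = m.group(1), m.group(2).lower()
        if level not in LEVELS:
            problems.append(f"unknown level {level!r} for {pkg}")
        if pkg in seen and seen[pkg] != level:
            problems.append(f"{pkg} listed twice with different levels")
        seen[pkg] = level
    if require_base and not any(c.startswith("*=") for c in spec.split(":")):
        problems.append("no leading *=<level> base component")
    return problems


if __name__ == "__main__":
    # The OIDC specification from this page, as it might arrive wrapped in an e-mail.
    pasted = """*=info:com.ibm.ws.security.oidc.*=all:
        com.ibm.ws.security.openidconnect.*=all:com.ibm.ws.security.openid20.*=all:
        com.ibm.ws.security.web.*=all"""
    spec = normalize_trace_spec(pasted)
    print(spec)
    print(validate_trace_spec(spec, require_base=True) or "OK")
```

Run it on the string before pasting it into Change Log Detail Levels or server.xml; an empty problem list means the string is one line, every component parses, and no package is listed twice with conflicting levels.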
  •  Enable browser trace
    • Chrome™
      1. Click the three dots to the right of the address bar.
      2. Click More Tools > Developer Tools
      3. On the Network tab, check the box that is labeled "Preserve log".
      4. Re-create the login.
      5. When complete, go back to the Network tab.
      6. In the Name/Status/Type/etc area, right-click any entry then select "Save as HAR with content".
      7. Send the HAR file.
    • Firefox®
      1. In the Firefox menu bar, click Tools > Web Developer > Network.
        1. If you don't have the menu bar, click the "Open menu" button on the upper right.
        2. At the end of the page, click Show / Hide Toolbars > Menu bar.
        3. Close the menu setting screen by pressing Esc.
      2. Click the Gear icon in that window.
      3. Under Common Preferences, select "Enable persistent logs".
      4. Re-create the login.
      5. When complete, go to the Network tab.
      6. In the Status/Method/File/etc area, right-click any entry, then select "Save all as HAR".
      7. Send the HAR file.
    • Internet Explorer™
      1. In the Internet Explorer menu bar, click Tools > F12 Developer Tools.
        1. If you don't have the menu bar, right-click the area around the address bar.
        2. Select Menu bar.
      2. Click the Network tab.
      3. If the "Clear entries on navigate" button is selected, clear it.
      4. Click the "Enable network traffic capturing" button.
      5. Re-create the login.
      6. When complete, go back to the Network tab.
      7. Click the "Export captured traffic" button.
      8. Send this .xml file.
    • Safari®
      In Safari, although you can preserve network logs of an SSO login, there is no way to export the data for you to send to IBM support. IBM support will add instructions to this section if they become available.
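A HAR saved "with content" during an SSO login is itself a credential file: it holds the session cookies set during the flow (LtpaToken2, JSESSIONID, the cookies the OIDC client sets while a login is in progress), any Authorization header, the authorization code or SAMLResponse carried on the redirect, and tokens returned in response bodies. Anyone who obtains the file can replay the session until those tokens expire. The script below is an added example, not part of the IBM technote: it masks those values while keeping the names, request order and value lengths that support needs to follow the flow. The sample HAR it processes is constructed; the hostnames and paths in it are placeholders.

```python
"""Redact credentials from a browser HAR capture before sending it to support.

Added example, not code from the IBM technote. Keeps header, cookie and
parameter names and masks their values with a length-preserving marker.
"""
import copy
import re
from typing import Any, Dict, Iterable
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names whose values are credentials (matched case-insensitively).
SECRET_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization"}
# Query-string and form parameters that carry codes, tokens, assertions or passwords.
SECRET_PARAMS = {"code", "access_token", "id_token", "refresh_token", "client_secret",
                 "samlresponse", "samlrequest", "relaystate", "j_password", "password"}
# Tokens inside JSON bodies, e.g. the token endpoint response.
_JSON_TOKEN = re.compile(r'("(?:access_token|id_token|refresh_token)"\s*:\s*")([^"]*)(")')


def _mask(value: str) -> str:
    """Length-preserving marker, so support can still see that a value was present."""
    return f"<redacted:{len(value)}>"


def _scrub_pairs(pairs: Iterable[Dict[str, Any]], names: set, every: bool = False) -> None:
    """Mask the value of each {name, value} pair whose name is in `names` (or all of them)."""
    for item in pairs:
        if every or str(item.get("name", "")).lower() in names:
            item["value"] = _mask(str(item.get("value", "")))


def _scrub_url(url: str) -> str:
    """Mask secret query parameters in the URL itself (the redirect carries ?code=...)."""
    parts = urlsplit(url)
    query = [(k, _mask(v) if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def _scrub_text(text: str) -> str:
    return _JSON_TOKEN.sub(lambda m: m.group(1) + _mask(m.group(2)) + m.group(3), text)


def redact_har(har: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy of `har` with credentials masked in every entry."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            _scrub_pairs(msg.get("headers", []), SECRET_HEADERS)
            # In an SSO capture every cookie value is a session credential.
            _scrub_pairs(msg.get("cookies", []), set(), every=True)
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
        _scrub_pairs(req.get("queryString", []), SECRET_PARAMS)
        post = req.get("postData", {})
        _scrub_pairs(post.get("params", []), SECRET_PARAMS)
        if "text" in post:
            post["text"] = _scrub_text(post["text"])
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = _scrub_text(content["text"])
    return out


# Constructed sample: an OIDC redirect carrying a code, then a token-endpoint call.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://rp.example.com/oidcclient/redirect/op?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj",
                 "headers": [{"name": "Cookie", "value": "WASReqURL=abc; JSESSIONID=0000secret"}],
                 "queryString": [{"name": "code", "value": "SplxlOBeZQQYbYS6WxSbIA"},
                                 {"name": "state", "value": "af0ifjsldkj"}],
                 "cookies": [{"name": "JSESSIONID", "value": "0000secret"}]},
     "response": {"status": 302,
                  "headers": [{"name": "Set-Cookie", "value": "LtpaToken2=AAAAAAAAAA; Path=/; HttpOnly"}],
                  "cookies": [{"name": "LtpaToken2", "value": "AAAAAAAAAA"}], "content": {}}},
    {"request": {"method": "POST", "url": "https://op.example.com/oidc/endpoint/OP/token", "headers": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "grant_type", "value": "authorization_code"},
                                         {"name": "client_secret", "value": "s3cr3t"}]}},
     "response": {"status": 200, "headers": [],
                  "content": {"mimeType": "application/json",
                              "text": '{"access_token":"eyJhbGciOi","id_token":"eyJraWQi","expires_in":3600}'}}},
]}}
```

Load the exported HAR with `json.load`, pass it through `redact_har`, and send the result. Keep the unredacted copy only as long as you need it to reproduce the problem, then delete it; the trace.log collected later in this document contains the same material and deserves the same handling.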
  • Collect data for WebSphere traditional
    This section is for collecting data for WebSphere traditional. If you want to collect data for Liberty, see the Collect data for Liberty section later in this document.

    To troubleshoot an SSO problem in WebSphere traditional, collect the information listed in the step-by-step instructions in this section.

    When all the information for your issue is ready, follow the instructions on Exchanging information with IBM Technical Support for problem determination to send the information and files that you collected.

    • Trace specifications
      Enter WebSphere traditional trace strings as one line with no breaks or spaces.
       
      OpenID Connect (OIDC), OpenID 2.0, and JWT authentication

      *=info:com.ibm.ws.security.oidc.*=all:com.ibm.ws.security.openidconnect.*=all:com.ibm.ws.security.openid20.*=all:com.ibm.ws.security.web.*=all

      OAuth provider

      *=info:com.ibm.ws.security.oauth20.*=all:com.ibm.oauth.*=all:com.ibm.ws.security.web.*=all

      SAML Web Single Sign On

      *=info:com.ibm.ws.security.web.*=all:com.ibm.ws.security.saml.*=all:com.ibm.websphere.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.ws.wssecurity.platform.audit.*=off

      SAML Web Single Sign On with WS-Security

      *=info:com.ibm.ws.security.web.*=all:com.ibm.ws.security.saml.*=all:com.ibm.websphere.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:com.ibm.ws.webservices.multiprotocol.AgnosticService=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.websvcs.utils.SecurityContextMigrator=all:com.ibm.wsspi.wssecurity.*=all:com.ibm.xml.soapsec.*=all

      SAML Web Inbound

      *=info:com.ibm.ws.security.web.*=all:com.ibm.websphere.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.ws.wssecurity.platform.audit.*=off
       
    • Step-by-step
      Avoid delay: The WebSphere SSO runtimes emit configuration data in the trace only during server startup. Therefore, you must gather traces to send to IBM support from server startup.
      Items to collect, with comments and instructions:

      Problem description
        Provide a clear, specific problem description, including specific usage information and the error scenario.

      Diagnostic questions
        1. When does the problem occur?
        2. How often does the problem occur?
        3. Did this work in the past? If so, did you make any changes to the system or SSO configuration? Explain.

      Single Sign-on configuration information
        Gather the following files:
        • (was_profile_root)/config/cells/(cell_name)/security.xml
        • For OAuth issues only:
          • A recursive archive file of (was_profile_root)/config/cells/(cell_name)/oauth20

      Single Sign-on trace
        Enable the Web Single Sign-on tracing that you want and reproduce the problem.

      Avoid delay: You must gather SSO traces from server startup to confirm that the components initialized without error.

      1. Determine your trace specification
      1. Expand the Trace specifications section earlier in this document.
      2. Note the trace specification that you need to use based on the TAI that you are using.
      3. Return to this step.

      2. Enable trace
      1. In the administrative console, expand Troubleshooting and select Logs and Trace.
      2. On the Logging and Tracing page, select your server and then Diagnostic Trace.
      3. Under Trace Output, select File.
        • The default values for Maximum File Size and Maximum Number of Historical Files are sufficient if you can re-create the problem with one request. However, if the problem is intermittent, it is necessary to increase the File Size to 50 MB and set an appropriate number of historical files.
      4. Click OK and save your configuration.
      5. Again expand Troubleshooting and select Logs and Trace.
      6. In the Logging and Tracing page, select your server and then Change Log Detail Levels.
      7. Enter the trace string that you chose earlier in the Determine your trace specification step.
      8. Click OK and save your configuration.
      9. Proceed to 'Reproduce the problem'

      3. Reproduce the problem
      Avoid delay: You must gather SSO traces from application server startup.
      1. On your application server on which the TAI is configured, do the following:
        1. Stop the application server
        2. Restart the application server
      2. Start a browser trace
        • See the 'Enable browser trace' section earlier in this document.
      3. Reproduce the problem, taking note of any relevant user and group names used, exact URL strings accessed, and general time stamps.

      4. Locate the trace file
      On a WebSphere traditional server, you can find the trace in the following location:
      • (was_profile_root)/logs/(server_name)/trace*.log

      Follow instructions to send diagnostic information to IBM support to send the files mentioned in the preceding steps.
       
  • Collect data for Liberty
    This section is for collecting data for Liberty. If you want to collect data for WebSphere traditional, see the Collect data for WebSphere traditional section earlier in this document.

    To troubleshoot an SSO problem in Liberty, collect the information listed in the step-by-step instructions in this section.

    When all the information for your issue is ready, follow the instructions on Exchanging information with IBM Technical Support for problem determination to send the information and files that you collected.

    • Trace specifications
      OpenID Connect (OIDC), OpenID 2.0, OAuth, and JWT authentication

      com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all:com.ibm.oauth.*=all:com.ibm.wsspi.security.oauth20.*=all:org.openid4java.*=all:org.apache.http.client.*=all

      SAML Web Single Sign On

      org.apache.xml.security.*=all:com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.*=all:com.ibm.ws.http.*=all:com.ibm.ws.ssl.*=all:com.ibm.ws.channel.ssl.*=all:com.ibm.ws.transport.http.*=all:com.ibm.websphere.channelfw.ChannelUtils=all:org.opensaml.*=all
      All

      com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all:com.ibm.oauth.*=all:com.ibm.wsspi.security.oauth20.*=all:org.openid4java.*=all:org.apache.http.client.*=all:org.apache.xml.security.*=all:com.ibm.ws.http.*=all:com.ibm.ws.ssl.*=all:com.ibm.ws.channel.ssl.*=all:com.ibm.ws.transport.http.*=all:com.ibm.websphere.channelfw.ChannelUtils=all:org.opensaml.*=all
    • Step-by-step
      Avoid delay: The Liberty SSO runtimes emit configuration data in the trace only during server startup. Therefore, you must gather traces to send to IBM support from server startup.
      Items to collect, with comments and instructions:

      Problem description
        Provide a clear, specific problem description, including specific usage information and the error scenario.

      Diagnostic questions
        1. When does the problem occur?
        2. How often does the problem occur?
        3. Did this work in the past? If so, did you make any changes to the system or SSO configuration? Explain.

      Single Sign-on configuration information
        Gather the following files:
        • At a minimum, send in server.xml and idpMetadata.xml (for SAML).
        • If you can obtain a recursive archive file of your Liberty installation, and that archive file is 500 MB or smaller, send a compressed, recursive archive file of your Liberty installation directory.

      Single Sign-on trace
        Enable the Web Single Sign-on tracing and reproduce the problem.

      Avoid delay: You must gather SSO traces from server startup to confirm that the components initialized without error.

      1. Determine your trace specification
      1. Expand the Trace specifications section earlier in this document.
      2. Note the trace specification that you need to use based on the feature that you are using.
      3. Return to this step.

      2. Enable trace
      To enable trace on Liberty:
      1. Follow the instructions in the Enabling Trace on Liberty section in Setup trace and get a full dump for WebSphere Liberty.
      2. Use the trace string that you chose earlier in the Determine your trace specification step.
      3. Proceed to 'Reproduce the problem'.

      3. Reproduce the problem
      Avoid delay: You must gather SSO traces from application server startup.
      1. On your Liberty server on which the feature is configured, do the following:
        1. Stop the Liberty server.
        2. Restart the Liberty server.
      2. Start a browser trace:
        • See the 'Enable browser trace' section earlier in this document.
      3. Reproduce the problem, taking note of any relevant user and group names used, exact URL strings accessed, and general time stamps.

      4. Locate the trace and log files
      On Liberty, by default, you can find the trace in the following location:
       
      • (wlp.install.dir)/usr/servers/(server_name)/logs
      If you do not see your trace in that directory, find the log directory configured on the logDirectory attribute in your server.xml file.

      5. Recursively archive the logs directory
      Recursively archive the directory that you identified in the previous step and send in the file. This action gathers the following files:
      • console.log
      • messages.log
      • trace.log
      • ffdc/*

      Follow instructions on Exchanging information with IBM Technical Support for problem determination to send the files mentioned in the preceding steps.
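The repeated "Avoid delay" warnings above exist because the SSO features write their configuration to the trace only while the server starts; a trace.log that begins after startup cannot show whether the feature initialized. Before sending the archive, it is worth confirming that the trace you collected actually starts at server launch. The script below is an added example, not part of the IBM technote: it reads trace.log lines, checks that the Liberty launch message (CWWKE0001I, "The server ... has been launched") appears before the first entry logged by an SSO package, and lists error-level lines from those packages. The sample lines are constructed to follow the trace.log layout ([timestamp] threadId id=... logger level message); the error text in them is invented for the check and is not a real Liberty message.

```python
"""Check that a Liberty trace.log was captured from server startup.

Added example, not part of the IBM technote. Confirms the launch message
precedes the first SSO trace entry and collects error-level SSO lines.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# [timestamp] threadId [id=...] logger level message
_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<tid>[0-9a-fA-F]{8})\s+(?:id=\S+\s+)?"
    r"(?P<logger>\S+)\s+(?P<lvl>\S+)\s+(?P<msg>.*)$")
LAUNCH_ID = "CWWKE0001I"  # Liberty: "The server <name> has been launched."
# Logger prefixes covered by the page's Liberty SSO trace specifications.
SSO_PREFIXES = ("com.ibm.ws.security.", "com.ibm.oauth.",
                "com.ibm.wsspi.security.oauth20.", "org.opensaml.")


@dataclass
class TraceReport:
    launch_line: Optional[int] = None     # 1-based line carrying CWWKE0001I
    first_sso_line: Optional[int] = None  # first entry logged by an SSO package
    sso_errors: List[str] = field(default_factory=list)

    @property
    def captured_from_startup(self) -> bool:
        """True only if the launch message precedes every SSO trace entry."""
        if self.launch_line is None:
            return False
        return self.first_sso_line is None or self.launch_line < self.first_sso_line


def analyze_trace(lines: Iterable[str]) -> TraceReport:
    report = TraceReport()
    for n, raw in enumerate(lines, 1):
        m = _LINE.match(raw.rstrip("\n"))
        if not m:
            continue  # stack traces and wrapped payloads carry no line header
        logger, lvl, msg = m["logger"], m["lvl"], m["msg"]
        if report.launch_line is None and LAUNCH_ID in msg:
            report.launch_line = n
        if logger.startswith(SSO_PREFIXES):
            if report.first_sso_line is None:
                report.first_sso_line = n
            if lvl == "E":
                report.sso_errors.append(f"line {n}: {logger}: {msg}")
    return report


# Constructed sample lines; the error message is invented to exercise the check.
SAMPLE_TRACE = [
    "[7/6/22, 10:00:00:001 EDT] 00000001 id=00000000 com.ibm.ws.kernel.launch.internal.FrameworkManager A CWWKE0001I: The server defaultServer has been launched.",
    "[7/6/22, 10:00:02:100 EDT] 00000021 id=00000000 com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl 3 processConfigProps clientId=rp",
    "[7/6/22, 10:00:02:101 EDT] 00000021 id=00000000 com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl E constructed sample: trust store for the OP could not be loaded",
    "    at com.example.Constructed.method(Constructed.java:1)",
    "[7/6/22, 10:00:03:000 EDT] 00000001 id=00000000 com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0011I: The defaultServer server is ready to run a smarter planet.",
]

if __name__ == "__main__":
    r = analyze_trace(SAMPLE_TRACE)
    print("captured from startup:", r.captured_from_startup)
    for err in r.sso_errors:
        print(err)
```

To run it on a real collection, open (server_logs_dir)/trace.log and pass its lines to `analyze_trace`. If `captured_from_startup` is False, the trace either was enabled after the server was up or has already rolled over; in both cases stop the server, raise maxFileSize and maxFiles on the logging configuration if rollover was the cause, and start it again before reproducing the problem.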
       

Note:

This document uses the term WebSphere traditional to refer to WebSphere Application Server v9.0 traditional, WebSphere Application Server v8.5 full profile, WebSphere Application Server v8.0 and earlier, WebSphere classic, traditional WebSphere, traditional WAS, and tWAS.
 



Document Information

Modified date:
06 July 2022

UID

swg21971762