IBM Support

ITM Nuggets: Being locked out of the TEP client with an invalid username or password leads to headaches... here's the cure!

Technical Blog Post


Abstract

ITM Nuggets: Being locked out of the TEP client with an invalid username or password leads to headaches... here's the cure!

Body

image

 

 

Its a Monday morning, you have a heap of work to get through and you cant log in to the TEP. Your presented with the dreaded "KFWITM393E" error... Don't reach for those painkillers....The below explains how to get you back on your feet fast!

 

In the coming weeks/months there will be a series of helpful tips and hits to help you correct problems and improve your ITM infrastructure.

 Please feel free to link me your network

 

When logging into the Tivoli Enterprise Portal (TEP) you are presented with the following error message:


 

There are several reasons why this error can occur. The solutions below will show you how to check and resolve the most common causes.

 

How the authentication process works:

There are 3 types of authentication available to users in ITM.

  • TEPS Authentication
  • TEMS Operating system / Validate User Authentication
  • LDAP Authentication

With all 3 types of authentication, access to the Tivoli Enterprise Portal is controlled by user accounts that are defined in the portal server. The user ID must have an account created in the portal server to be able to gain access. These IDs control which user are authorized to log into the TEP, and also define the permission's for what each user can do. (what each user can see, access and modify)

 

 

TEPS Authentication

Tivoli Enterprise Portal Server authentication is solely managed by the user IDs defined in the TEP. If a user is listed has an ID in this repository, then that user can log into the TEP without any password, only the user ID is required.

You can check which IDs you have listed in the TEPS, by logging in to the TEP console with a valid user and selecting the user icon shown below:


 

TEMS Operating system / Validate User Authentication
This type of authentication is user security that is enabled on the HUB TEMS (Tivoli Enterprise Monitoring Server). This type of authentication requires a password as well as a user ID to log in to the Tivoli Enterprise Portal.

Password authentication is controlled by the host of the HUB TEMS. When a user logs in to the Tivoli Enterprise Portal, the Portal Server queries the HUB monitoring server to validate the account and sends the encrypted user ID and password. The HUB monitoring server validates the account by sending a request to the operating system to ensure the userid and password is correct. The Tivoli Enterprise Portal user ID's and associated passwords MUST be defined on the hub computer.

This is where the userid and password needs to be set on the HUB TEMS O/S for this authentication to work:
 

Operating system of the hub monitoring serverMethod of Tivoli Enterprise Portal password authentication
WindowsUser operating system accounts
Linux and UNIXPassword files
z/OSRACF, CA-ACF2, CA-TOP SECRET, or Network Access Method



You can check if you have this type of authentication active by reconfiguring the HUB TEMS component and checking the following settings on the first screen that appears. If the box next to "Security: Validate User " is selected, then it is enabled.

Note: If none of the options are checked "Security: Validate User" or "LDAP" then TEPS Authentication is in effect.






User authentication using LDAP

When you enable security on the HUB monitoring server, you have the option of selecting validation using LDAP, instead of the local registry for user authentication. The users you have created in the TEP are then mapped to the LDAP repository usernames and passwords. For this authentication to function correctly, the username in the TEP must match a user in the LDAP repository. The passwords are then authenticated against the information on the LDAP server.


NOTE: LDAP is not supported for hub monitoring servers on z/OS.


You can check to determine if you have this type of authentication active by reconfiguring the HUB TEMS component and checking the following settings on the first screen that appears. If the box next to "Security: Validate User" and also LDAP are selected, then it is enabled.







Check list of what to look for to resolve your issue:

  1. The User ID is defined in the ITM infrastructure
  2. Validate that the password is correct
  3. Character length of password with TEMS Operating system / Validate User Authentication

 

1. Ensure the user ID is defined in the ITM infrastructure

The user ID you enter must match the user ID on the portal server, If the user ID does not exist then the user will not be able to log in. You can check this in two ways:

 

 

  1. Log on to the portal server with a valid user ID and check the user that fails appears in the list. If it does not you will need to create it for access to be granted.
  2. You can also check what users exist by reviewing the contents of the TEPS database. This is a good method if no user ID can log in. All portal users are stored in a table called KFWUSER. When you query the table, the column labled "ID" should match the user ID you are trying to log in with. If all users are missing including "sysadmin" then you may wish to investigate if any recent changes have occurred on the TEPS or it's database that could have caused the contents to be removed.


 

 

 

2. Check password is correct

The next step is to check that the password you are using is correct. The best way to test this quickly is to try and log in to the HUB TEMS host operating system, with the username and password you used when you attempted to log in to the TEP. If the username and password fails to authenticate, then you can try to reset the password for that account from within the operating system where the HUB TEMS is located.

 

Example for windows 2008:

1. Open the Local user and Groups window.


These steps ensure that the password you are using is correct and the same one that is listed on the operating system account on the server where the HUB TEMS resides.


 

 

3. Check character length of password if using TEMS Operating system / Validate User Authentication

If you are using TEMS Operating system / Validate User Authentication (as described above) then there is a 15 character password limit. Due to this restriction, the TEPS will only pass 15 characters of the password for validation when TEMS authentication is used. To rectify this issue you can update the password for the user to a maximum of 15 characters in one of the following locations at the HUB TEMS.
 

Operating system of the hub monitoring serverMethod of Tivoli Enterprise Portal password authentication
WindowsUser operating system accounts
Linux and UNIXPassword files
z/OSRACF, CA-ACF2, CA-TOP SECRET, or Network Access Method

 

 

Next steps:
If all the above still did not resolve the issue, you may need to enable traces on the TEPS server to diagnose this problem further.

The recommended trace level would be:

ERROR (UNIT:ctsql IN ER) (UNIT:ctdata IN ER) (UNIT:ctauth ALL) 

This level of tracing will capture the SQL calls, the data calls and any information relating to the authorization that passes through the TEPS. This trace level will enable IBM Support to see any errors relating to the username and password failing as the request passes through the TEPS.


How to set the tracing:

 

Using the GUIFrom MTEMS (Manage Tivoli Enterprise Monitoring Services utility) :
1. Right click on Tivoli Enterprise Portal Server
2. Select Advanced -> Edit trace parms...
3. In the box labled "Enter RAS1 Filters:" enter the following without the "
"ERROR (UNIT:ctsql IN ER) (UNIT:ctdata IN ER) (UNIT:ctauth ALL)"
4. Select OK (to implement the change)
Editing the configuration file1. Open following file :
  • Windows : <ITM_HOME>\CNPS\kfwenv
  • Unix : <ITM_HOME>/config/cq.ini
2. Edit to set the value for KBB_RAS1 as following and save it.
KBB_RAS1 = ERROR (UNIT:ctsql IN ER) (UNIT:ctdata IN ER) (UNIT:ctauth ALL) 
(Caution : Make sure that the value of KBB_RAS1 is 
not enclosed in any - single or double - quotes).


If you wish to set the tracing dynamically so you don't need to restart the component then this technote will guide you through the steps:
http://www-01.ibm.com/support/docview.wss?uid=swg21266129


Recreate the problem
Once the trace has been set, restart the TEPS, then attempt to login to the TEPS and reproduce the error. Restarting the TEPS enables the new trace level.


Review the logs:
Then collect/review the last *_cq_* log files from the $CANDLEHOME/logs on the TEPS, as well as the ms.ini from the TEMS.

If you need to open a PMR with support we recommend you use the PDcollect utility and provide this collection with the PMR. PDcollect captures all the required logs as well as valuable system and environmental information required to diagnose your problem. You can use the link below for assistance in running PDcollect as well as all the command line options available to you.

http://pic.dhe.ibm.com/infocenter/tivihelp/v15r1/topic/com.ibm.itm.doc_6.2.3fp1/itm623fp1_cmdref118.htm

 

 

 

 

 

 



 

 

 

 

 

 

 

image

 

Check out all our other posts and updates:

Academy Blogs:                   
 http://ibm.co/1sPj9E8  
Academy Videos:                  http://bit.ly/1wFKveY
Academy Google+:               http://bit.ly/1sR5QTV
Academy Twitter Handle:     http://bit.ly/1CknfoF    

 

[{"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Product":{"code":"","label":""},"Component":"","Platform":[{"code":"","label":""}],"Version":"","Edition":""}]

UID

ibm11082679