IBM Support

WebSphere Application Server Security configuration changes done with wsadmin are not activated immediately.

Troubleshooting


Problem

Some administrative actions (like mapping administrative users or groups to security roles) might not get activated immediately and require a restart of the JVM. For example, you want to map the group called "wasadmins" to the Administrator role: AdminTask.mapGroupsToAdminRole('[-roleName administrator -accessids [group:defaultWIMFileBasedRealm/cn=wasadmins,cn=groups,dc=mycompany,dc=com ] -groupids [wasadmins@defaultWIMFileBasedRealm ]]') AdminConfig.save()

Symptom

Although the configuration change has been saved with AdminConfig.save() you cannot login immediately, although your user is member of the "wasadmins" group.

If you login to the AdminConsole with the primary administrative user and go to the "Administrative group roles" page, the new group mapping will be listed.

If you quit the Console again, you can login with a member of the newly mapped group.

Cause

Some changes of the WAS configuration require a restart of the JVM, or at least a refresh of the configuration for the running instances.
This refresh is done, when you go to the ISC "Administrative group roles" page.

Resolving The Problem

When the configuration changes are completed and saved, you can force a refresh of the security configuration with the AdminControl action "refreshAll":

authGrpMgr = AdminControl.completeObjectName('WebSphere:type=AuthorizationGroupManager,*')


AdminControl.invoke(authGrpMgr, 'refreshAll')

Now the login with a newly mapped user is possible.

The above command will work fine for the DMgr or for a Base instance where you are connected to via wsadmin.
But if you want to execute tasks with the newly created user on federated nodes (e.g. start application server JVM, etc..) then the nodeagents also need to refresh the security configuration.

Which means, you need to extend the script e.g. like this:

authGrpMgr = AdminControl.queryNames('type=AuthorizationGroupManager,process=nodeagent,node=node1,*') AdminControl.invoke(authGrpMgr, 'refreshAll')

authGrpMgr = AdminControl.queryNames('type=AuthorizationGroupManager,process=nodeagent,node=node2,*') AdminControl.invoke(authGrpMgr, 'refreshAll')

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Administrative Scripting Tools (for example: wsadmin or ANT)","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF014","label":"iOS"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5;8.0;7.0;6.1","Edition":"Base;Network Deployment","Line of Business":{"code":"LOB15","label":"Integration"}}]

Document Information

Modified date:
15 June 2018

UID

swg21680088