IBM Support

Troubleshooting blocked or expired user(s) in API Connect Developer Portal v5

Troubleshooting


Problem

One or more users report being blocked from logging in to the Developer Portal. The admin takes steps to unblock the user(s); however, the problem keeps recurring.

Symptom

User(s) are unable to log in to the Developer Portal.

Cause

  1. Users can be "blocked" by the following settings:
    • Flood control (Administration » Configuration » System)
      • Failed login (IP) limit
        • Reached when failed logins from the same IP address hit this limit within the configured "Failed login (IP) window"
      • Failed login (username) limit
        • Reached when failed logins for the same user hit this limit within the configured "Failed login (username) window"
    • Login Security (Administration » Configuration » People)
      • Maximum number of login failures before blocking a user
        • Reached when login failures from a user hit this maximum within the configured "Track time" window
      • Maximum number of login failures before soft blocking a host
        • Reached when login failures from a host hit this maximum within the configured "Track time" window
      • Maximum number of login failures before blocking a host
        • Reached when login failures from a host hit this maximum within the configured "Track time" window
  2. Users may be continually redirected to change their password immediately after changing it.
    • If a password expiry policy was configured by the admin user in a pre-v5082 installation, and the portal was later upgraded, the password policy will no longer execute as expected.
    • Resolving this problem will require assistance from IBM Support. Please collect all the documentation in the "Resolving the Problem" section below. 

Resolving The Problem

If the user is reported as blocked, the user or their client IP address may need to be unblocked in three places: 

  1. People menu
    • Log in to the site as admin and navigate to Administration » People » Expired Accounts
  2. Using the `reset_locked_user` command from the CLI
    • The following message in syslog is the signature of a user being blocked by flood control: `Blocked user user@domain.com due to security configuration`
  3. Using the `reset_locked_host -r` command from the CLI (available in 5.0.8.4 July build or later)
    • This unblocks any IPs that flood control has blocked due to too many failed login attempts from that IP address (default limit is 50).
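
To see which accounts keep getting blocked, the syslog signature above can be counted per user with first and last occurrence. This is an added example, not IBM tooling; the "Mon DD HH:MM:SS host tag:" line layout and the sample lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: count flood-control blocks per user from syslog text.
# Assumption: lines start with "Mon DD HH:MM:SS"; only the quoted
# "Blocked user ... due to security configuration" text comes from the page.

sample_syslog() {   # constructed lines, not real portal output
  cat <<'EOF'
Apr 25 09:14:02 portal drupal: Blocked user alice@example.com due to security configuration
Apr 25 09:20:41 portal drupal: Login attempt failed for bob@example.com
Apr 26 08:02:17 portal drupal: Blocked user alice@example.com due to security configuration
Apr 26 11:45:09 portal drupal: Blocked user carol@example.com due to security configuration
EOF
}

blocked_users() {   # stdin: syslog text; stdout: count, user, first seen, last seen (tab-separated)
  awk '
    match($0, /Blocked user .* due to security configuration/) {
      user = substr($0, RSTART, RLENGTH)
      sub(/^Blocked user /, "", user)
      sub(/ due to security configuration$/, "", user)
      ts = $1 " " $2 " " $3                 # timestamp of this block event
      if (!(user in n)) first[user] = ts
      n[user]++
      last[user] = ts
    }
    END { for (u in n) printf "%d\t%s\t%s\t%s\n", n[u], u, first[u], last[u] }
  ' | LC_ALL=C sort -k1,1nr -k2,2            # most frequently blocked first
}

# Read the file named on the command line, else the constructed sample.
if [ -n "${1:-}" ]; then
  blocked_users < "$1"
else
  sample_syslog | blocked_users
fi
```

An account that appears more than once after being unblocked is the recurring case described in the Problem section.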

If the user is still unable to log in after the above steps, please do the following:

  1. Check to see if password expiry checks were ever enabled in the password policy.
    • Log into the DevPortal UI as admin,
    • Go to Configuration » People » Password policies » List
    • Click view and look for a password expiration setting.
    • Take a screenshot of the password policy settings
  2. Provide the values (or screenshot) for the following flood control properties (Administration » Configuration » System » Flood Control):
    • Failed login (IP) limit
    • Failed login (IP) window
    • Failed login (username) limit
    • Failed login (username) window
  3. Provide the values (or screenshot) for the following Login Security properties (Administration » Configuration » People):
    • Track time
    • Maximum number of login failures before blocking a user 
    • Maximum number of login failures before soft blocking a host 
    • Maximum number of login failures before blocking a host 
  4. ssh to the DevPortal as admin
    1. Issue command:
       
      mysql -e "show databases" > databases.out

    2. View the databases.out file and note the name of the org site database; it is used at the end of the mysql commands that follow in these instructions (referred to as <site db name>)
    3. Issue command:
       
      mysql -e "select * from flood" <site db name> > flood.out
      • If this file contains entries and a load balancer fronts the Developer Portal, please provide the IP address of the load balancer.
    4. Issue command:
       
      mysql -e "select * from password_policy_expiration" <site db name> > pw_policy_expiration.out

    5. Issue command:
       
      mysql -e "select * from password_policy_force_change" <site db name> > pw_policy_force_change.out

    6. Generate DevPortal MustGather logs via command: `generate_logs`
  5. Upload the following files to the case:
    1. screenshot of password policy settings
    2. screenshot or values for flood control properties
    3. screenshot or values for login security properties
    4. databases.out
    5. flood.out
    6. IP address of load balancer if applicable from step 4.3
    7. pw_policy_expiration.out
    8. pw_policy_force_change.out
    9. MustGather logs from `generate_logs` command
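
Before uploading, flood.out from step 4.3 can be summarised to see which identifiers hold the failed-login entries and how many are recorded against the load balancer address. This is an added example, not IBM tooling; it assumes mysql's tab-separated batch output with a header row and the columns fid, event, identifier, timestamp, expiration, with identifier in the form "<ip>" or "<uid>-<ip>". The sample rows are constructed.

```bash
#!/usr/bin/env bash
# Added example: summarise flood.out and count rows recorded against one address.
# Assumption: tab-separated rows with a header line and the columns
# fid, event, identifier, timestamp, expiration (not stated on the page).

sample_flood() {   # constructed rows, not real portal data
  printf '%s\t%s\t%s\t%s\t%s\n' \
    fid event identifier timestamp expiration \
    1 failed_login_attempt_ip   10.0.0.5      1556260000 1556263600 \
    2 failed_login_attempt_ip   10.0.0.5      1556260030 1556263630 \
    3 failed_login_attempt_ip   10.0.0.5      1556260055 1556263655 \
    4 failed_login_attempt_user 42-10.0.0.5   1556260055 1556281655 \
    5 failed_login_attempt_user 57-192.0.2.10 1556260100 1556281700
}

flood_summary() {  # $1 = flood.out; prints count, event, identifier (busiest first)
  awk -F'\t' 'NR > 1 && NF >= 3 { n[$2 FS $3]++ }
              END { for (k in n) print n[k] FS k }' "$1" |
    LC_ALL=C sort -k1,1nr -k2
}

lb_hits() {        # $1 = flood.out, $2 = load balancer IP; prints matching row count
  awk -F'\t' -v ip="$2" '
    NR > 1 {
      id = $3
      sub(/^[0-9]+-/, "", id)   # strip a leading "<uid>-" so only the address is compared
      if (id == ip) c++
    }
    END { print c + 0 }' "$1"
}

# Use the file and address given on the command line, else the constructed sample.
file="${1:-}"; lb="${2:-10.0.0.5}"
[ -n "$file" ] || { file=$(mktemp); sample_flood > "$file"; }
flood_summary "$file"
echo "rows recorded against $lb: $(lb_hits "$file" "$lb")"
```

If most rows carry the load balancer's address, the failed logins of many clients are being counted against one IP, which is the detail step 4.3 asks you to report.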


Document Information

Modified date:
26 April 2019

UID

ibm10742587