This article describes the issues you might encounter when using a Java Authorization Contract for Containers (JACC) authorization provider. Tivoli Access Manager is bundled with WebSphere Application Server as an authorization provider. However, you can also plug in your own authorization provider.

Tivoli Access Manager as a Java Authorization Contract for Containers authorization provider

You might encounter the following issues when using Tivoli Access Manager as a JACC authorization provider:

External providers for Java Authorization Contract for Containers authorization provider

You might encounter the following issues when you use an external provider for JACC authorization:
The server might fail to start after configuring JACC

If the server does not start after JACC is configured, check the following items:
- Ensure that WebSphere Application Server and Tivoli Access Manager use the same Lightweight Directory Access Protocol (LDAP) server.
- If the message "Policy Director Authentication failed" is displayed, ensure that:
  - The WebSphere Application Server LDAP server ID is the same as the "Administrator user" in the Tivoli Access Manager JACC configuration panel.
  - The Tivoli Access Manager administrator distinguished name (DN) is correct.
  - The password of the Tivoli Access Manager administrator is valid and has not expired.
  - The account of the Tivoli Access Manager administrator is valid.
- If a message such as "socket can't be opened for xxxx" (where xxxx is a number) is displayed, take the following actions:
  - Go to the profile_root/etc/tam directory.
  - Change xxxx to an available port number in the amwas.commonconfig.properties file. If the node failed to start, change xxxx to an available port number in the amwas*cellName_nodeName_.properties file. If the application server failed to start, change xxxx in the amwas*cellName_nodeName_serverName.properties file.
The application might not deploy properly

When you click Save, the policy and role information is propagated to the Tivoli Access Manager policy. This process might take some time to finish. If the save fails, you must uninstall the application and then reinstall it.

To access an application after it is installed, you must wait 30 seconds, by default, after you save before starting the application.
The startServer command might fail after you configure Tivoli Access Manager, or a clean uninstall did not take place after unconfiguring JACC

If the cleanup for JACC unconfiguration fails, or the startServer command fails after JACC is configured, take the following actions:
- Remove the Tivoli Access Manager properties files from WebSphere Application Server. The following files must be removed:
  profile_root/etc/pd/PolicyDirector/PDPerm.properties
  profile_root/etc/pd/PolicyDirector/PdPerm.ks
  profile_root/etc/tam/*
- Use a utility to clear the security configuration and return the system to the state it was in before you configured the JACC provider for Tivoli Access Manager. The utility removes all of the PDLoginModuleWrapper entries as well as the Tivoli Access Manager authorization table entry from the security.xml file, effectively removing the JACC provider for Tivoli Access Manager. Back up the security.xml file before running this utility. Enter the following command:
  java -Djava.version=1.5 -classpath "app_server_root/lib/com.ibm.ws.runtime_6.1.0.jar:CLASSPATH" com.tivoli.pd.as.jacc.cfg.CleanSecXML fully_qualified_path/security.xml
An "HPDIA0202W An unknown user name was presented to Access Manager" error might occur

You might encounter the following error message if you try to use an existing user in a Lightweight Directory Access Protocol (LDAP) user registry with Tivoli Access Manager:
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A Tivoli Access Manager exception was caught. Details are:
"HPDIA0202W An unknown user name was presented to Access Manager."

This problem might be caused by the host name exceeding predefined limits with Tivoli Access Manager when it is configured against Microsoft Active Directory. In WebSphere Application Server, the length of the host name cannot exceed 46 characters. Check that the host name is not fully qualified. Configure the machine so that the host name does not include the host domain.

To correct this error, complete the following steps:
- On the command line, type the following command to get a Tivoli Access Manager command prompt:
  pdadmin -a administrator_name -p administrator_password
  The pdadmin administrator_name prompt is displayed. For example:
  pdadmin -a administrator1 -p passw0rd
- At the pdadmin command prompt, import the user from the LDAP user registry to Tivoli Access Manager by typing the following command:
  user import user_name cn=user_name,o=organization_name,c=country
  For example:
  user import jstar cn=jstar,o=ibm,c=us
- After importing the user to Tivoli Access Manager, you must use the user modify command to set the user account to valid. The following syntax shows how to use this command:
  user modify user_name account-valid yes
  For example:
  user modify jstar account-valid yes

For information on how to import a group from LDAP to Tivoli Access Manager, see the Tivoli Access Manager documentation.
An "HPDAC0778E The specified user's account is set to invalid" error might occur

You might encounter the following error message after you import a user to Tivoli Access Manager and restart the client:
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A Tivoli Access Manager exception was caught.
Details are: "HPDAC0778E The specified user's account is set to invalid."

To correct this error, use the user modify command to set the user account to valid. The following syntax shows how to use this command:
user modify user_name account-valid yes
For example:
user modify jstar account-valid yes
An "HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry" error might occur

You might encounter an error similar to the following message when you propagate the security policy information from the application to the provider using the wsadmin propagatePolicyToJACCProvider command:
AWXJR0035E An error occurred while attempting to add member, cn=agent3,o=ibm,c=us, to role AgentRole
HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry

To correct this error, create or import into Tivoli Access Manager the user that is mapped to the security role. For more information on propagating the security policy information, see the documentation for your authorization provider.
A WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl" error might occur

After the JACC provider and Tivoli Access Manager are enabled, the following error might occur when you attempt to install an application that is configured with security roles using the wsadmin command:
WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl"; exception information: com.ibm.ws.scripting.ScriptingException: WASX7111E: Cannot find a match for supplied option: "[RuleManager, , , cn=mgr3,o=ibm,c=us|cn=agent3,o=ibm,c=us, cn=ManagerGroup,o=ibm,c=us|cn=AgentGroup,o=ibm,c=us]" for task "MapRolesToUsers"

The $AdminApp MapRolesToUsers task option is no longer valid when Tivoli Access Manager is used as the authorization server. To correct the error, change MapRolesToUsers to TAMMapRolesToUsers.
Access denied exceptions accessing applications when using JACC

In the case of Tivoli Access Manager, you might see the following error message:
AWXJR0044E: The access decision for Permission, {0}, was denied because either the PolicyConfiguration or RoleConfiguration objects did not get created successfully at application installation time. RoleConfiguration exists = {false}, PolicyConfiguration exists = {false}.

If the access denied exceptions are not expected for the application, check the SystemOut.log files to see whether the security policy information was correctly propagated to the provider. If the security policy information for the application was successfully propagated to the provider, audit statements with the message key SECJ0415I appear. However, if there was a problem propagating the security policy information to the provider (for example, network problems, or the JACC provider is not available), the SystemOut.log files contain the error message with the message key SECJ0396E (during install) or SECJ0398E (during modification). The installation of the application is not stopped by a failure to propagate the security policy to the JACC provider. Also, in the case of failure, no exception or error messages appear during the save operation. When the problem causing this failure is fixed, run the propagatePolicyToJACCProvider tool to propagate the security policy information to the provider without reinstalling the application.
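Because a propagation failure does not stop the install and produces no error at save time, the only record of it is the SECJ0396E or SECJ0398E line in SystemOut.log. The following added example (not IBM's code, and not part of the original page) scans log text for the three message keys named above and reports, per application, whether the last recorded propagation attempt succeeded. The sample log lines are constructed for the example; only the message keys come from the page, and the assumption that the application name follows the word "application" in the message text is the example's own.

```python
import re
from typing import Dict, List

# Message keys named on the page.
PROPAGATED_OK = "SECJ0415I"
FAILED_INSTALL = "SECJ0396E"
FAILED_MODIFY = "SECJ0398E"

STATUS_BY_KEY = {
    PROPAGATED_OK: "propagated",
    FAILED_INSTALL: "failed during install",
    FAILED_MODIFY: "failed during modification",
}

# Assumed line shape: a WebSphere timestamp/thread prefix, then "<KEY>: <text>".
# The application name is assumed (for this example) to appear as
# "application <name>" somewhere in the message text.
LINE_RE = re.compile(r"\b(SECJ0415I|SECJ0396E|SECJ0398E):\s*(?P<text>.*)$")
APP_RE = re.compile(r"\bapplication\s+(?P<app>[A-Za-z0-9_.-]+)")

# Constructed sample lines in the style of SystemOut.log; not from a real log.
SAMPLE_LOG = """\
[4/12/10 10:02:13:001 EDT] 0000001a SecurityUtil  A   SECJ0415I: Security policy for application InsuranceServices propagated to JACC provider
[4/12/10 10:05:44:117 EDT] 0000001a SecurityUtil  E   SECJ0396E: Failed to propagate security policy for application ClaimsApp to JACC provider
[4/12/10 10:07:02:590 EDT] 0000001a SecurityUtil  A   SECJ0415I: Security policy for application ClaimsApp propagated to JACC provider
[4/12/10 10:09:30:004 EDT] 0000001b SecurityUtil  E   SECJ0398E: Failed to propagate security policy for application PortalApp to JACC provider
[4/12/10 10:10:00:000 EDT] 0000001c ApplicationMg A   WSVR0221I: Application started: PortalApp
"""


def propagation_status(log_text: str) -> Dict[str, str]:
    """Return the most recent JACC propagation status per application.

    Lines are read in order, so a later SECJ0415I for an application
    supersedes an earlier failure (a retry that worked), and vice versa.
    Lines without one of the three keys are ignored.
    """
    status: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = m.group(1)
        app_match = APP_RE.search(m.group("text"))
        app = app_match.group("app") if app_match else "<unknown application>"
        status[app] = STATUS_BY_KEY[key]
    return status


def needs_repropagation(log_text: str) -> List[str]:
    """Applications whose last recorded propagation attempt failed.

    These are the candidates for propagatePolicyToJACCProvider once the
    underlying cause (network, provider availability) is fixed.
    """
    return sorted(app for app, s in propagation_status(log_text).items()
                  if s != "propagated")


if __name__ == "__main__":
    for app, state in propagation_status(SAMPLE_LOG).items():
        print(f"{app}: {state}")
    print("needs propagatePolicyToJACCProvider:", needs_repropagation(SAMPLE_LOG))
```

Run it against a real SystemOut.log by reading the file into `propagation_status`; an application that shows SECJ0415I after an earlier SECJ0396E is treated as healthy, because the later audit line is the one that reflects the provider's current state.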
A FileNotFoundException error might occur

You might encounter memory shortage problems when WebSphere Application Server runs with Tivoli Access Manager as the JACC provider. To fix this issue after you configure Tivoli Access Manager as the Java Authorization Contract for Containers (JACC) provider, complete the following steps:
- Set the com.tivoli.pd.as.atcc.ATCCache.enabled property to false in the amwas.amjacc.template.properties file. This file is located in the PROFILE_HOME/config/cells/cell_name/ directory.
- Set the com.tivoli.pd.as.atcc.ATCCache.enabled property to false in the amwas.NODENAME_SERVERNAME.amjacc.template.properties file. This file is located in the PROFILE_HOME/etc/tam directory.
- Restart WebSphere Application Server.
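Both this procedure and the earlier "socket can't be opened for xxxx" fix come down to changing one key in a Java .properties file under the profile without disturbing anything else in it. The following added example (not IBM's code, and not part of the original page) does that edit safely: it rewrites an existing assignment in place, appends the key if it is missing, leaves comments and other keys untouched, and writes a .bak copy before touching a file. The sample file content is constructed; only the com.tivoli.pd.as.atcc.ATCCache.enabled key and the two file names come from the page. For the port change, pass the port property's name from your amwas file, which this page does not give; the helper does not need to know it in advance.

```python
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Key named on the page for the FileNotFoundException / memory issue.
ATCCACHE_KEY = "com.tivoli.pd.as.atcc.ATCCache.enabled"

# Constructed sample, not a copy of a real IBM file.
SAMPLE_PROPERTIES = """\
# amwas.amjacc.template.properties (constructed sample)
com.tivoli.pd.as.atcc.ATCCache.enabled = true
com.tivoli.pd.as.jacc.other.setting=keep-me
"""


def set_property(text: str, key: str, value: str) -> Tuple[str, bool]:
    """Return (new_text, changed) with key=value set in Java .properties text.

    Assignments of the key using '=' or ':' with optional whitespace are
    rewritten in place; '#' and '!' comment lines are never touched; if the
    key is absent it is appended. Every other line is preserved unchanged so
    a diff of the file shows only the intended edit. Backslash line
    continuations are not handled, which is fine for the one-line keys here.
    """
    pattern = re.compile(r"^(\s*)" + re.escape(key) + r"\s*[=:]\s*(.*)$")
    out: List[str] = []
    changed = False
    found = False
    for line in text.splitlines(keepends=True):
        stripped = line.lstrip()
        if stripped.startswith("#") or stripped.startswith("!"):
            out.append(line)
            continue
        body = line.rstrip("\r\n")
        m = pattern.match(body)
        if m is None:
            out.append(line)
            continue
        found = True
        if m.group(2) == value:
            out.append(line)            # already correct: leave it alone
        else:
            line_end = line[len(body):]  # keep the file's own newline style
            out.append(f"{m.group(1)}{key}={value}{line_end}")
            changed = True
    if not found:
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"{key}={value}\n")
        changed = True
    return "".join(out), changed


def apply_to_files(paths: Iterable[Path], key: str, value: str) -> List[Path]:
    """Set key=value in each file, writing <name>.bak first. Returns files changed."""
    touched: List[Path] = []
    for path in paths:
        original = path.read_text(encoding="latin-1")  # .properties default encoding
        updated, changed = set_property(original, key, value)
        if changed:
            path.with_suffix(path.suffix + ".bak").write_text(original, encoding="latin-1")
            path.write_text(updated, encoding="latin-1")
            touched.append(path)
    return touched


def atccache_files(profile_home: Path, cell: str, node: str, server: str) -> List[Path]:
    """The two files the page says must carry ATCCache.enabled=false."""
    return [
        profile_home / "config" / "cells" / cell / "amwas.amjacc.template.properties",
        profile_home / "etc" / "tam" / f"amwas.{node}_{server}.amjacc.template.properties",
    ]


if __name__ == "__main__":
    # Stand-alone demo on an in-memory sample; no files are written here.
    new_text, did_change = set_property(SAMPLE_PROPERTIES, ATCCACHE_KEY, "false")
    print(new_text, "changed:", did_change)
```

To run it against a profile, call `apply_to_files(atccache_files(Path("/path/to/profile"), "cell1", "node1", "server1"), ATCCACHE_KEY, "false")` and then restart the server; re-running is harmless because an already-correct value is reported as unchanged and no backup is overwritten.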