Use this information if you are experiencing errors after security is enabled.
For general tips on diagnosing and resolving security-related problems, see the topic Troubleshooting the security component.
If the user registry configuration, user ID, and password appear correct, use the WebSphere Application Server trace to determine the cause of the problem. To enable security trace, use the com.ibm.ws.security.*=all=enabled trace specification.
If a user who is supposed to have access to a resource does not, a configuration step is probably missing. Review Authorizing access to administrative roles.
If the user is granted required roles, but still fails to access the secured resources, enable security trace, using com.ibm.ws.security.*=all=enabled as the trace specification. Collect trace information for further resolution.
Error Message: CWSCJ0314E: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to Problem Determination Guide for further information. {0}Permission/:{1}Code/:{2}{3}Stack Trace/:{4}Code Base Location/:{5}
The Java security manager checkPermission method has reported a SecurityException exception.
The reported exception might be critical to the secure system. Turn on security trace to determine the potential code that might have violated the security policy. Once the violating code is determined, verify if the attempted operation is permitted with respect to Java 2 Security, by examining all applicable Java 2 security policy files and the application code.
For a review of Java security policies, see the Java 2 Security documentation at http://java.sun.com/j2se/1.3/docs/guide/security/index.html.
This error can result from installing the Java Message Service (JMS) API sample and then enabling security. You can follow the instructions in the Configure and Run page of the corresponding JMS sample documentation to configure the sample to work with WebSphere Application Server security.
You can verify the installation of the message-driven bean sample by launching the installation program, selecting Custom, and browsing the components which are already installed in the Select the features you like to install panel. The JMS sample is shown as Message-Driven Bean Sample, under Embedded Messaging.
You can also verify this installation by using the administrative console to open the properties of the application server that contains the samples. Select MDBSamples and click uninstall.
This error message can result from selecting Lightweight Third Party Authentication (LTPA) as the authentication mechanism, but not generating the LTPA keys. The LTPA keys encrypt the LTPA token.
CWSRV0020E: [Servlet Error]-[validator]: Failed to load servlet: java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/systemApps/isclite.ear/isclite.war/WEB-INF/validation.xml read)
CWSRV0020E: [Servlet Error]-[validator]: Failed to load servlet: java.security.AccessControlException: access denied (java.io.FilePermission /WebSphere/V6R1M0/AppServer/systemApps/isclite.ear/isclite.war/WEB-INF/validation.xml read)
For an explanation of Java 2 security, how and why to enable or disable it, how it relates to policy files, and how to edit policy files, see the Java 2 security topic in the information center navigation. The topic explains that Java 2 security is not only used by this product, but developers can also implement it for their business applications. Administrators might need to involve developers, if this exception is created when a client tries to access a resource that is hosted by WebSphere Application Server.
CWSCJ0189E: Caught ParserException while creating template for application policy profile_root/config/cells/cell_name/nodes/node_name/app.policy
CWSCJ0189E: Caught ParserException while creating template for application policy /WebSphere/V6R1M0/AppServer1/profiles/profile_name/config/cells/cell_name/nodes/node_name/app.policy.
Permission: app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log : access denied (java.io.FilePermission app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete)
Code: com.ibm.ejs.ras.RasTestHelper$7 in {file:app_server_root/installedApps/app1/JrasFVTApp.ear/RasLib.jar }
Stack Trace: java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete )
  at java.security.AccessControlContext.checkPermission (AccessControlContext.java(Compiled Code))
  at java.security.AccessController.checkPermission (AccessController.java(Compiled Code))
  at java.lang.SecurityManager.checkPermission (SecurityManager.java(Compiled Code))
  .
Code Base Location: com.ibm.ws.security.core.SecurityManager : file:/app_server_root/plugins/com.ibm.ws.runtime_6.1.0.jar
ClassLoader: com.ibm.ws.bootstrap.ExtClassLoader
Permissions granted to CodeSource (file:/app_server_root/plugins/com.ibm.ws.runtime_6.1.0.jar <no certificates>
{
  (java.util.PropertyPermission java.vendor read);
  (java.util.PropertyPermission java.specification.version read);
  (java.util.PropertyPermission line.separator read);
  (java.util.PropertyPermission java.class.version read);
  (java.util.PropertyPermission java.specification.name read);
  (java.util.PropertyPermission java.vendor.url read);
  (java.util.PropertyPermission java.vm.version read);
  (java.util.PropertyPermission os.name read);
  (java.util.PropertyPermission os.arch read);
}
( This list continues.)
Permission: /WebSphere/AppServer/logs/server1/SystemOut_02.08.20_11.19.53.log : access denied (java.io.FilePermission WebSphere/AppServer/logs/server1/SystemOut_02.08.20_11.19.53.log delete)
Code: com.ibm.ejs.ras.RasTestHelper$7 in {file:/WebSphere/AppServer/installedApps/app1/JrasFVTApp.ear/RasLib.jar}
Stack Trace: java.security.AccessControlException: access denied (java.io.FilePermission /WebSphere/AppServer/logs/server1/SystemOut_02.08.20_11.19.53.log delete)
  at java.security.AccessControlContext.checkPermission (AccessControlContext.java(Compiled Code))
  at java.security.AccessController.checkPermission (AccessController.java(Compiled Code))
  at java.lang.SecurityManager.checkPermission (SecurityManager.java(Compiled Code))
  .
Code Base Location: com.ibm.ws.security.core.SecurityManager : file:/WebSphere/AppServer/lib/securityimpl.jar
ClassLoader: com.ibm.ws.bootstrap.ExtClassLoader
Permissions granted to CodeSource (file:/WebSphere/AppServer/lib/securityimpl.jar <no certificates>
{
  (java.util.PropertyPermission java.vendor read);
  (java.util.PropertyPermission java.specification.version read);
  (java.util.PropertyPermission line.separator read);
  (java.util.PropertyPermission java.class.version read);
  (java.util.PropertyPermission java.specification.name read);
  (java.util.PropertyPermission java.vendor.url read);
  (java.util.PropertyPermission java.vm.version read);
  (java.util.PropertyPermission os.name read);
  (java.util.PropertyPermission os.arch read);
}
( This list continues.)
Permission: profile_root/logs/server1/SystemOut_02.08.20_11.19.53.log : access denied (java.io.FilePermission profile_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete)
Code: com.ibm.ejs.ras.RasTestHelper$7 in {file:profile_root/installedApps/app1/JrasFVTApp.ear/RasLib.jar }
Stack Trace: java.security.AccessControlException: access denied (java.io.FilePermission profile_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete )
  at java.security.AccessControlContext.checkPermission (AccessControlContext.java(Compiled Code))
  at java.security.AccessController.checkPermission (AccessController.java(Compiled Code))
  at java.lang.SecurityManager.checkPermission (SecurityManager.java(Compiled Code))
  .
Code Base Location: com.ibm.ws.security.core.SecurityManager : file:app_server_root/plugins/com.ibm.ws.runtime_6.1.0.jar
ClassLoader: com.ibm.ws.bootstrap.ExtClassLoader
Permissions granted to CodeSource (file:app_server_root/plugins/com.ibm.ws.runtime_6.1.0.jar <no certificates>
{
  (java.util.PropertyPermission java.vendor read);
  (java.util.PropertyPermission java.specification.version read);
  (java.util.PropertyPermission line.separator read);
  (java.util.PropertyPermission java.class.version read);
  (java.util.PropertyPermission java.specification.name read);
  (java.util.PropertyPermission java.vendor.url read);
  (java.util.PropertyPermission java.vm.version read);
  (java.util.PropertyPermission os.name read);
  (java.util.PropertyPermission os.arch read);
}
( This list continues.)
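The violation report shown above names both the denied permission and the code source that requested it. The following Python script is an added example, not IBM code: it extracts those fields from a CWSCJ0314E report and drafts the corresponding Java policy grant entry, so that the entry can be compared against the applicable policy files. The function names parse_violation and draft_grant are chosen here, and the sample input is a shortened copy of the report on this page.

```python
import re

# Permission classes whose string form ends with an actions list.
WITH_ACTIONS = {"java.io.FilePermission", "java.util.PropertyPermission",
                "java.net.SocketPermission"}

# "access denied (<class> <name> [<actions>])" as printed by AccessControlException.
DENIED = re.compile(r"access denied \(\s*([\w.$]+)\s+([^()]*?)\s*\)")
# "Code: <class> in {file:<location>}" as printed in the CWSCJ0314E report.
CODE = re.compile(r"Code:\s*([\w.$]+)\s+in\s+\{\s*(file:[^}]*?)\s*\}")


def parse_violation(report):
    """Return the denied permission and the requesting code source, or None."""
    denied, code = DENIED.search(report), CODE.search(report)
    if not denied or not code:
        return None
    cls, rest = denied.group(1), denied.group(2)
    name, actions = rest, ""
    # Names may contain spaces, so split off only the final token, and only
    # for classes known to carry actions (RuntimePermission and others do not).
    if cls in WITH_ACTIONS and " " in rest:
        name, actions = rest.rsplit(None, 1)
    return {"permission": cls, "name": name.strip(), "actions": actions,
            "class": code.group(1), "codebase": code.group(2)}


def draft_grant(v):
    """Render a Java policy grant entry for a reviewer to accept or reject."""
    perm = 'permission %s "%s"' % (v["permission"], v["name"])
    if v["actions"]:
        perm += ', "%s"' % v["actions"]
    return 'grant codeBase "%s" {\n  %s;\n};' % (v["codebase"], perm)


# Constructed sample: a shortened copy of the report format shown on this page.
SAMPLE = (
    "Permission: app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log : "
    "access denied (java.io.FilePermission "
    "app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete) "
    "Code: com.ibm.ejs.ras.RasTestHelper$7 in "
    "{file:app_server_root/installedApps/app1/JrasFVTApp.ear/RasLib.jar } "
    "Stack Trace: java.security.AccessControlException: access denied "
    "(java.io.FilePermission "
    "app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete )"
)

if __name__ == "__main__":
    print(draft_grant(parse_violation(SAMPLE)))
```

The drafted entry is a review aid: whether the operation should be permitted is decided against the policy files and the application code, as described earlier on this page.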
If there are any syntax errors in the policy file or the ra.xml file, correct them with the policytool. Avoid editing the policy manually, because syntax errors can result.
Make sure the users matching the pattern exist in the registry. Contact your service representative if the problem persists.
This additional information might not provide a clear user action if the user account repository is corrupted or the user loses connectivity between WebSphere Application Server and an external user account repository. The external user account repository, which is referred to as a repository in this document, might be a Lightweight Directory Access Protocol (LDAP) product.
When you create a new profile using either the Profile Management tool or the command-line manageprofiles utility, an error message displays that indicates either partial success or failure. The error message, which is located in the install_dir/logs/manageprofiles/profile_name_create.log file, might point to an error in either the generateKeysforSingleProfile task or the generateKeysForCellProfile task.
The Profile Creation tool and the manageprofiles utility invoke several tasks. The generateKeysForSingleProfile task is invoked when you create a stand-alone application server or a deployment manager profile. The generateKeysForCellProfile task is invoked when you create a cell profile. Both of these tasks are the first tasks to invoke the wsadmin commands. Although the log indicates an error in one of these tasks, the error might actually result from a wsadmin command failure and not an error in the security tasks.
To determine the actual cause of the problem, review the information that is provided in the following log files:
During migration of the dmgr, applications are reinstalled by default by the migration process. If the Version 6.1 dmgr is running during migration, the security policy information stored in the JACC providers is replaced during the application install process.
If security is not enabled either with zPMT dialogs or with ISPF customization dialogs immediately at installation time of the WebSphere Application Server for z/OS, the RACF definitions will not have been completely generated. When security is enabled later using the administrative console, a missing RACF statement prevents the WebSphere Application Server control region from starting. Review APAR PK36598 for more details on resolving this problem.