
OpenLDAP & Websphere 6


75bl...@gmail.com

Feb 16, 2006, 5:37:03 AM
Hi,

Based on the website "http://geocities.com/w_durairaj/openldap.htm",
I'm trying to use OpenLDAP for JAAS authentication with WebSphere 6.
However, when I try to start the deployment manager I've got:
<<
[16/02/06 10:16:13:558 CET] 0000000a WsServerImpl E WSVR0009E: Une
erreur s'est produite lors du démarrage
META-INF/ws-server-components.xml
[16/02/06 10:16:13:568 CET] 0000000a WsServerImpl E WSVR0009E: Une
erreur s'est produite lors du démarrage
com.ibm.ws.exception.RuntimeError: com.ibm.ws.exception.RuntimeError:
Cannot find uniqueID for the user
uid=user1,ou=people,dc=thunderbird,dc=org
at
com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:182)
at com.ibm.ws.runtime.WsServerImpl.start(WsServerImpl.java:120)
at com.ibm.ws.runtime.WsServerImpl.main(WsServerImpl.java:378)
at com.ibm.ws.runtime.WsServer.main(WsServer.java:50)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at com.ibm.ws.bootstrap.WSLauncher.main(WSLauncher.java:190)
Caused by: com.ibm.ws.exception.RuntimeError: Cannot find uniqueID for
the user uid=user1,ou=people,dc=thunderbird,dc=org
at
com.ibm.ws.security.core.ServerSecurityComponentImpl.start(ServerSecurityComponentImpl.java:319)
at
com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:821)
at
com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:649)
>>

For information, I can access LDAP with LDAP Browser, for example.

On WAS, I've respected the settings displayed on the website; however,
I've still got this strange error.

I'm using "openldap-2.2.29-db-4.3.29-openssl-0.9.8a-win32_Setup.exe".

Attached is the stack trace from OpenLDAP in debug mode 1.

Have you already seen that error? Do you know a way to correct it?

Regards,
75blured.
----

Attachments :

ber_scanf fmt (m}) ber:
>>> >>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=16 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 1028
do_bind: v3 anonymous bind
connection_get(1028): got connid=16
connection_read(1028): checking for input on id=16
ber_get_next
ber_get_next: tag 0x30 len 71 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> >>> dnPrettyNormal: <dc=thunderbird,dc=org>
=> ldap_bv2dn(dc=thunderbird,dc=org,0)
ldap_err2string
<= ldap_bv2dn(dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=thunderbird,dc=org)=0 Success
<<< dnPrettyNormal: <dc=thunderbird,dc=org>, <dc=thunderbird,dc=org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=16 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("dc=thunderbird,dc=org")
ber_get_next
search_candidates: base="dc=thunderbird,dc=org" (0x00000001) scope=1
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl( "dc=thunderbird,dc=org" )
<= bdb_dn2idl: id=2 first=2 last=3
=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=-1 first=2 last=3
ber_get_next on fd 1028 failed errno=10035 (WSAEWOULDBLOCK)
=> send_search_entry: dn="ou=people,dc=thunderbird,dc=org"
ber_flush: 79 bytes to sd 1028
<= send_search_entry
send_ldap_result: conn=16 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 1028
connection_get(1028): got connid=16
connection_read(1028): checking for input on id=16
ber_get_next
ber_get_next: tag 0x30 len 82 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> >>> dnPrettyNormal: <ou=people, dc=thunderbird,dc=org>
=> ldap_bv2dn(ou=people, dc=thunderbird,dc=org,0)
ldap_err2string
<= ldap_bv2dn(ou=people, dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ber_get_next
ber_get_next on fd 1028 failed errno=10035 (WSAEWOULDBLOCK)
ldap_err2string
<= ldap_dn2bv(ou=people,dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=people,dc=thunderbird,dc=org)=0 Success
<<< dnPrettyNormal: <ou=people,dc=thunderbird,dc=org>,
<ou=people,dc=thunderbird
,dc=org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=16 op=2 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("ou=people,dc=thunderbird,dc=org")
search_candidates: base="ou=people,dc=thunderbird,dc=org" (0x00000003)
scope=1
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl( "ou=people,dc=thunderbird,dc=org" )
<= bdb_dn2idl: id=1 first=4 last=4
=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=1 first=4 last=4
=> send_search_entry: dn="uid=user1,ou=people,dc=thunderbird,dc=org"
ber_flush: 75 bytes to sd 1028
<= send_search_entry
send_ldap_result: conn=16 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=0
ber_flush: 14 bytes to sd 1028
connection_get(1028): got connid=16
connection_read(1028): checking for input on id=16
ber_get_next
ber_get_next: tag 0x30 len 93 contents:
ber_get_next
ber_get_next on fd 1028 failed errno=10035 (WSAEWOULDBLOCK)
do_search
ber_scanf fmt ({miiiib) ber:
>>> >>> dnPrettyNormal: <uid=user1, ou=people, dc=thunderbird,dc=org>
=> ldap_bv2dn(uid=user1, ou=people, dc=thunderbird,dc=org,0)
ldap_err2string
<= ldap_bv2dn(uid=user1, ou=people, dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=user1,ou=people,dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=user1,ou=people,dc=thunderbird,dc=org)=0 Success
<<< dnPrettyNormal: <uid=user1,ou=people,dc=thunderbird,dc=org>,
<uid=user1,ou=p
eople,dc=thunderbird,dc=org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=16 op=3 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("uid=user1,ou=people,dc=thunderbird,dc=org")
search_candidates: base="uid=user1,ou=people,dc=thunderbird,dc=org"
(0x00000004)
scope=1
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl( "uid=user1,ou=people,dc=thunderbird,dc=org" )
<= bdb_dn2idl: get failed: DB_NOTFOUND: No matching key/data pair found
(-30989)

=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=0 first=0 last=0
bdb_search: no candidates
send_ldap_result: conn=16 op=3 p=3
send_ldap_response: msgid=4 tag=101 err=0
ber_flush: 14 bytes to sd 1028
connection_get(1028): got connid=16
connection_read(1028): checking for input on id=16
ber_get_next
ber_get_next: tag 0x30 len 80 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> >>> dnPrettyNormal: <uid=user1, ou=people, dc=thunderbird,dc=org>
=> ldap_bv2dn(uid=user1, ou=people, dc=thunderbird,dc=org,0)
ldap_err2string
<= ldap_bv2dn(uid=user1, ou=people, dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ber_get_next
ber_get_next on fd 1028 failed errno=10035 (WSAEWOULDBLOCK)
ldap_err2string
<= ldap_dn2bv(uid=user1,ou=people,dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=user1,ou=people,dc=thunderbird,dc=org)=0 Success
<<< dnPrettyNormal: <uid=user1,ou=people,dc=thunderbird,dc=org>,
<uid=user1,ou=p
eople,dc=thunderbird,dc=org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=16 op=4 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("uid=user1,ou=people,dc=thunderbird,dc=org")
=> send_search_entry: dn="uid=user1,ou=people,dc=thunderbird,dc=org"
ber_flush: 154 bytes to sd 1028
<= send_search_entry
send_ldap_result: conn=16 op=4 p=3
send_ldap_response: msgid=5 tag=101 err=0
ber_flush: 14 bytes to sd 1028
connection_get(1028): got connid=16
connection_read(1028): checking for input on id=16
ber_get_next
ber_get_next: tag 0x30 len 69 contents:
ber_get_next
ber_get_next on fd 1028 failed errno=10035 (WSAEWOULDBLOCK)
do_search
ber_scanf fmt ({miiiib) ber:
>>> >>> dnPrettyNormal: <ou=people, dc=thunderbird,dc=org>
=> ldap_bv2dn(ou=people, dc=thunderbird,dc=org,0)
ldap_err2string
<= ldap_bv2dn(ou=people, dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=people,dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=people,dc=thunderbird,dc=org)=0 Success
<<< dnPrettyNormal: <ou=people,dc=thunderbird,dc=org>,
<ou=people,dc=thunderbird
,dc=org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=16 op=5 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("ou=people,dc=thunderbird,dc=org")
=> send_search_entry: dn="ou=people,dc=thunderbird,dc=org"
ber_flush: 95 bytes to sd 1028
<= send_search_entry
send_ldap_result: conn=16 op=5 p=3
send_ldap_response: msgid=6 tag=101 err=0
ber_flush: 14 bytes to sd 1028
connection_get(1028): got connid=16
connection_read(1028): checking for input on id=16
ber_get_next
ber_get_next: tag 0x30 len 58 contents:
ber_get_next
ber_get_next on fd 1028 failed errno=10035 (WSAEWOULDBLOCK)
do_search
ber_scanf fmt ({miiiib) ber:
>>> >>> dnPrettyNormal: <dc=thunderbird,dc=org>
=> ldap_bv2dn(dc=thunderbird,dc=org,0)
ldap_err2string
<= ldap_bv2dn(dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=thunderbird,dc=org)=0 Success
<<< dnPrettyNormal: <dc=thunderbird,dc=org>, <dc=thunderbird,dc=org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=16 op=6 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("dc=thunderbird,dc=org")
=> send_search_entry: dn="dc=thunderbird,dc=org"
ber_flush: 125 bytes to sd 1028
<= send_search_entry
send_ldap_result: conn=16 op=6 p=3
send_ldap_response: msgid=7 tag=101 err=0
ber_flush: 14 bytes to sd 1028
connection_get(1028): got connid=16
connection_read(1028): checking for input on id=16
ber_get_next
ber_get_next: tag 0x30 len 69 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> >>> dnPrettyNormal: <ou=people, dc=thunderbird,dc=org>
=> ldap_bv2dn(ou=people, dc=thunderbird,dc=org,0)
ldap_err2string
<= ldap_bv2dn(ou=people, dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ber_get_next
ber_get_next on fd 1028 failed errno=10035 (WSAEWOULDBLOCK)
ldap_err2string
<= ldap_dn2bv(ou=people,dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(ou=people,dc=thunderbird,dc=org)=0 Success
<<< dnPrettyNormal: <ou=people,dc=thunderbird,dc=org>,
<ou=people,dc=thunderbird
,dc=org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=16 op=7 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("ou=people,dc=thunderbird,dc=org")
=> send_search_entry: dn="ou=people,dc=thunderbird,dc=org"
ber_flush: 95 bytes to sd 1028
<= send_search_entry
send_ldap_result: conn=16 op=7 p=3
send_ldap_response: msgid=8 tag=101 err=0
ber_flush: 14 bytes to sd 1028
connection_get(1028): got connid=16
connection_read(1028): checking for input on id=16
ber_get_next
ber_get_next: tag 0x30 len 58 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> >>> dnPrettyNormal: <dc=thunderbird,dc=org>
=> ldap_bv2dn(dc=thunderbird,dc=org,0)
ldap_err2string
<= ldap_bv2dn(dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ber_get_next
ber_get_next on fd 1028 failed errno=10035 (WSAEWOULDBLOCK)
ldap_err2string
<= ldap_dn2bv(dc=thunderbird,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=thunderbird,dc=org)=0 Success
<<< dnPrettyNormal: <dc=thunderbird,dc=org>, <dc=thunderbird,dc=org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=16 op=8 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("dc=thunderbird,dc=org")
=> send_search_entry: dn="dc=thunderbird,dc=org"
ber_flush: 125 bytes to sd 1028
<= send_search_entry
send_ldap_result: conn=16 op=8 p=3
send_ldap_response: msgid=9 tag=101 err=0
ber_flush: 14 bytes to sd 1028

Dexthor

Feb 16, 2006, 8:49:39 AM
It looks like when you are accessing from WAS your DN is:
uid=user1,ou=people,dc=thunderbird,dc=org. Whereas the good binds have
DN as: uid=user1, ou=people, dc=thunderbird,dc=org

I remember having run into problems with the spaces in the DNs. IBM
recommends eliminating white space after commas. This will ensure the
least possibility of errors. However, this could very well be an OpenLDAP
issue too.

Can you try fixing the spaces either in the LDAP or in WAS and try to
see if it works?

-Dexthor.

75bl...@gmail.com

Feb 16, 2006, 9:20:22 AM

Dexthor wrote:

I've fixed the spaces; however, it didn't change anything...

I cannot understand why it doesn't work well.

>
> -Dexthor.

Dexthor

Feb 16, 2006, 9:57:39 AM
Did you use user1 as the Server User ID in the LDAP configuration? If
not, what is the ID you have in there? Are you able to at least log in
as that ID?

Please give us the LDAP search filters you have in your configuration.
You can get them from AdminConsole -> Security -> Global Security ->
LDAP -> Advanced...

-Dexthor.

75bl...@gmail.com

Feb 17, 2006, 8:05:34 AM
Now this is corrected!
I've found it...

In fact, it was the filters, which were not good for OpenLDAP.

On my configuration I need to set:
(LDAP User Registry)

Fields                          Values to set
Server user ID                  user1
Server user password            *******
Type                            Custom
Host                            localhost
Port                            389
Base distinguished name (DN)    ou=people,dc=thunderbird,dc=org
Bind distinguished name (DN)    uid=user1,ou=people,dc=thunderbird,dc=org
Bind password                   *******
Reuse connection                V
SSL Configuration               DefaultSSLConfiguration

Advanced Lightweight Directory Access Protocol (LDAP) user registry
settings

Fields                          Values to set
User filter                     (&(uid=%v)(objectClass=user))
Group Filter                    (&(cn=%v)(objectClass=group))
User ID map                     *:uid
Group ID map                    *:cn
Group member ID map             memberof:member
Perform a nested group search   V

I don't really understand the need to have the "Server user ID" and the
"Bind Distinguished name", because they define the same values. Certainly
there is a good reason for that double definition, but I cannot find
it.

75Blured.
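
How a user filter like the one in the post above resolves a login name, as an added example that is not part of the original thread and is not WebSphere's own code: a small evaluator for a subset of LDAP filters (`&`, `|`, `!`, equality) that substitutes `%v` with an RFC 4515-escaped login name and runs the result against a constructed directory. The attribute values of the entries and the `ePerson` comparison filter are assumptions chosen for illustration; the DNs and the working filter come from the thread.

```python
import re

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(value):
    """Escape a login name so it is treated as data, not filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_value(value):
    """Turn \\XX hex escapes back into characters before comparing."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(template, login):
    """Replace %v in a user filter template with the escaped login name."""
    return template.replace("%v", escape_value(login))

def parse(text, pos=0):
    """Parse one parenthesised filter at text[pos]; return (node, next_pos)."""
    if pos + 1 >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unbalanced filter")
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("wrong number of operands for %r" % op)
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end == -1:
        raise ValueError("unbalanced filter")
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr or "(" in value or "*" in value:
        raise ValueError("only simple equality items are supported")
    return ("=", attr.lower(), unescape_value(value)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values,
    which is a simplification that holds for uid, cn and objectClass)."""
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    op, children = node
    results = [matches(child, entry) for child in children]
    if op == "&":
        return all(results)
    if op == "|":
        return any(results)
    return not results[0]

def find_user(template, login, entries):
    """Return the DNs whose entries satisfy the filter built for this login."""
    text = build_filter(template, login)
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return [dn for dn, attrs in entries.items() if matches(node, attrs)]

# Constructed sample directory: DNs as in the thread, attribute values assumed.
DIRECTORY = {
    "ou=people,dc=thunderbird,dc=org": {
        "ou": ["people"], "objectclass": ["top", "organizationalUnit"]},
    "uid=user1,ou=people,dc=thunderbird,dc=org": {
        "uid": ["user1"], "cn": ["User One"], "objectclass": ["top", "user"]},
}

if __name__ == "__main__":
    # Filter from the thread: finds the entry.
    print(find_user("(&(uid=%v)(objectClass=user))", "user1", DIRECTORY))
    # Filter naming an object class the entry lacks (assumed): finds nothing,
    # so the registry has no entry to derive a unique ID from.
    print(find_user("(&(uid=%v)(objectclass=ePerson))", "user1", DIRECTORY))
    # A login containing a filter metacharacter is matched literally.
    print(build_filter("(&(uid=%v)(objectClass=user))", "user*"))
```

An empty result from the second call is the situation in which a registry lookup has nothing to return for the server user ID, even though the entry exists and can be browsed.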

Dexthor

Feb 17, 2006, 8:40:36 AM
Server User ID is the Super Admin ID for WAS. With this you can get
into WAS and do anything. Whereas BindDN is the LDAP ID that will allow
WAS to connect to LDAP and do searches or changes (WAS does not create
IDs in LDAP; however, with sufficient privileges given to this BindDN,
you will be able to manage the LDAP too). BindDN need not be your LDAP
Admin and certainly need not have any access to WAS either.

I don't use OpenLDAP. Are the above filters good and working now? Most
of the time the GroupMemberID map filter gets into trouble with
non-IBM directories. This is where you will need to spend time to get
it right for your LDAP, only if you want to use LDAP static groups.

If it's still not working, let us know. Otherwise, cheers!

-Dexthor.

75bl...@gmail.com

Feb 17, 2006, 11:55:28 AM
The fact is that the server user ID value needs to be present in the LDAP
directory; otherwise, the following error is displayed (for example,
using a person named meuhmeuh):
<<
Authentication failed for user:
com.ibm.ws.console.security.ConnectToRuntimeException: null nested
exception is com.ibm.websphere.security.CustomRegistryException: No
user meuhmeuh found. Try again.
>>
So this user has to be present in LDAP, no?

Concerning the filters, they seem to be good for now. However, there is
another, closely linked problem.

Indeed, when I start Dmgr, server1 is not started. So I go
into the application server part of the admin console, then click
on server1, then the start button.
I've got the error message:
<<
Server server1 is not started please check the JVM logs.
>>

So in the WAS log files, I've got:
<<
[2/17/06 15:42:21:998 CET] 00000045 SystemErr R
javax.management.JMRuntimeException: ADMN0022E: Access is denied for
the launchProcess operation on NodeAgent MBean because of insufficient
or empty credentials.
at
com.ibm.ws.management.connector.soap.SOAPConnectorClient.handleAdminFault(SOAPConnectorClient.java:686)
at
com.ibm.ws.management.connector.soap.SOAPConnectorClient.invokeTemplate(SOAPConnectorClient.java:653)
at
com.ibm.ws.management.connector.soap.SOAPConnectorClient.invoke(SOAPConnectorClient.java:512)
at
com.ibm.ws.management.connector.soap.SOAPConnectorClient.invoke(SOAPConnectorClient.java:332)
at $Proxy0.invoke(Unknown Source)
at
com.ibm.ws.management.AdminClientImpl.invoke(AdminClientImpl.java:191)
at
com.ibm.ws.management.AdminServiceImpl$1.run(AdminServiceImpl.java:995)
at
com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java(Compiled
Code))
at
com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceImpl.java:906)
at
com.ibm.ws.console.core.mbean.MBeanHelper.invoke(MBeanHelper.java:186)
at
com.ibm.ws.console.core.mbean.ServerMBeanHelper.startServer(ServerMBeanHelper.java:85)
at
com.ibm.ws.console.servermanagement.applicationserver.ApplicationServerCollectionAction.execute(ApplicationServerCollectionAction.java:333)
at
org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
at
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:275)
at
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1486)
at
org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:528)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at
com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1287)
at
com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1239)
at
com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:113)
at
com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:82)
at
com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:670)
at
com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:294)
at
org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1070)
at
org.apache.struts.tiles.TilesRequestProcessor.doForward(TilesRequestProcessor.java:273)
at
org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:455)
at
org.apache.struts.tiles.TilesRequestProcessor.processForwardConfig(TilesRequestProcessor.java:319)
at
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
at
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1486)
at
org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:528)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at
com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1287)
at
com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1239)
at
com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:136)
at
com.ibm.ws.console.core.servlet.WSCUrlFilter.continueStoringTaskState(WSCUrlFilter.java:306)
at
com.ibm.ws.console.core.servlet.WSCUrlFilter.doFilter(WSCUrlFilter.java:185)
at
com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:142)
at
com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:121)
at
com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:82)
at
com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:670)
at
com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:2933)
at
com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:221)
at
com.ibm.ws.webcontainer.VirtualHost.handleRequest(VirtualHost.java:210)
at
com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1912)
at
com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:84)
at
com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
at
com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
at
com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:101)
at
com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.handleAsyncComplete(SSLReadServiceContext.java:500)
at
com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.read(SSLReadServiceContext.java:462)
at
com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.read(SSLReadServiceContext.java:300)
at
com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:107)
at
com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.handleAsyncComplete(SSLReadServiceContext.java:500)
at
com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.read(SSLReadServiceContext.java:462)
at
com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.read(SSLReadServiceContext.java:300)
at
com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:107)
at
com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1686)
at
com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
at
com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
at
com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
at
com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1462)
>>

Do you know how I can correct this?

Best Regards,
- 75Blured

Dexthor

Feb 17, 2006, 8:52:31 PM
Server UserID must be a valid user in the Security Repository, i.e.,
your LDAP; the same requirement applies to the BindDN too.

The first time you enable Global Security you have to bounce all Cell
servers including Nodeagent and then bounce dmgr. When they come up
they will look for security.

If you have completed Global Security enabling properly (assuming that
WAS validated the Server User ID) then restarting all servers is
sufficient. Then you will be able to manage and control them from dmgr.
If you are still getting the above error, which usually means that the dmgr
is trying to contact server1, server1 is secured but not dmgr, you may
want to bounce the nodeagent first and then force a Full
Resynchronization; after that, bounce NodeAgent + Server1. That should do
it.

-Dexthor.

75bl...@gmail.com

Feb 20, 2006, 3:16:32 AM
Thanks a lot for this answer. However, you are speaking about how to 'bounce all
cell servers including node agents and then bounce dmgr'. Do you know
how to do it? Is it a matter of doing a synchronization?

75bl...@gmail.com

Feb 20, 2006, 5:11:45 AM
I've managed to do a syncNode.bat after having rebooted the machine.

This resolves a part of the problem: the server now starts well.

However, when I try to redeploy the application, or do anything like
adding JDBC datasources, I've got the following trace on the console:
<<
InformationsADMS0200I: The configuration synchronization started for
cell.
InformationsADMS0207I: Node Synchronization state for node:
websphereNode01 - initiate time: 2006.02.20 at 10:58:45:408 CET
complete time: 2006.02.20 at 10:58:47:276 CET result: Error No update
occurred.
ErreurADMS0206I: The configuration synchronization failed for node:
websphereNode01
AvertissementADMS0209W: The configuration synchronization complete for
cell, errors occurred.
>>

In the dmgr log files I've got the following entries:
<<
[2/20/06 11:04:37:015 CET] 00000026 RoleBasedAuth A SECJ0305I: The
role-based authorization check failed for admin-authz operation
ConfigRepository:getRepositoryEpoch. The user UNAUTHENTICATED (unique
ID: unauthenticated) was not granted any of the following required
roles: administrator, operator, monitor, configurator.
[2/20/06 11:04:37:484 CET] 00000025 RoleBasedAuth E SECJ0306E: No
received or invocation credential exist on the thread. The Role based
authorization check will not have an accessId of the caller to check.
The parameters are: access check method
propagateNotifications:[Ljavax.management.Notification; on resource
NotificationService and module NotificationService. The stack trace is
java.lang.Exception: Invocation and received credentials are both null
at
com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess(RoleBasedAuthorizerImpl.java:251)
at
com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:1799)
at
com.ibm.ws.management.AdminServiceImpl.access$400(AdminServiceImpl.java:101)
at
com.ibm.ws.management.AdminServiceImpl$1.run(AdminServiceImpl.java:988)


at
com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java(Compiled
Code))
at
com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceImpl.java:906)
at

com.ibm.ws.management.connector.AdminServiceDelegator.invoke(AdminServiceDelegator.java:157)
at sun.reflect.GeneratedMethodAccessor33.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled
Code))
at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
at
com.ibm.ws.management.connector.soap.SOAPConnector.invoke(SOAPConnector.java:338)
at
com.ibm.ws.management.connector.soap.SOAPConnector.service(SOAPConnector.java:204)

at
com.ibm.ws.management.connector.soap.SOAPConnection.handleRequest(SOAPConnection.java:55)

at
com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java:680)

at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:484)

at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java(Compiled
Code))

.

[2/20/06 11:04:37:514 CET] 00000025 RoleBasedAuth A SECJ0305I: The
role-based authorization check failed for admin-authz operation
NotificationService:propagateNotifications:[Ljavax.management.Notification;.
The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted
any of the following required roles: administrator.

[2/20/06 11:05:06:953 CET] 000000cb DeploymentMan A ADMS0207I: Node
Synchronization state for node: websphereNode01 - initiate time:
2006.02.20 at 11:04:36:945 CET
complete time: 2006.02.20 at 11:04:37:374 CET
result: Error
No update occurred.
>>

I don't understand why it says "The user UNAUTHENTICATED (unique ID:
unauthenticated) was not granted any of the following required roles:
administrator", as I'm authenticated to access the administrative
console.

Do you know how to avoid that?

Regards,
blured.

75bl...@gmail.com

Feb 20, 2006, 6:02:07 AM
This problem is avoided by:
. Deactivating security
. restart the machine
. restart only the deployment manager
. make a synchNode by hand
(c:\ibm\appserver\profiles\appserver01\bin\synchNode localhost)
. start the server1 by hand
(c:\ibm\appserver\profiles\appserver01\bin\startNode server1)
. activate the security
. start the node and indicate explicitly the user and password to use
c:\ibm\appserver\profiles\appserver01\bin\startNode.bat -username user1 -password password
. Go to the admin console to start the server1

Regards,
Blured.

Dexthor

Feb 20, 2006, 9:03:22 AM
Though I don't completely agree with the steps you have listed, as long
as it works you are good.

You don't have to reboot your server (host) when you are doing Global
Security. There are Stop and Start commands that you can use to
stop/start WAS services.

So, now you are free of security-related errors?

-Dexthor.

75bl...@gmail.com

Feb 20, 2006, 9:57:29 AM
Yep :)

The problem was I could not use the stop/start command for the WAS service,
because the nodeAgent was linked with old buggy security settings and
I could not deactivate it. By restarting the machine it didn't start and
I was able to restart it with good parameters by hand.

Thanks for your help.
