
Configure stand-alone LDAP over SSL can login to WAS but not Portal


scott....@hyro.com

Apr 2, 2009, 6:51:06 AM
ConfigEngine.bat wp-validate-standalone-ldap-attribute-config -DWasPassword=password task.

Also I have found that I can use LDAP credentials to log in to the WAS Deployment Manager, but cannot use LDAP credentials to log in to Portal. Portal still requires the same credentials for login that were generated at install.

jwi...@us.ibm.com

Apr 2, 2009, 2:09:01 PM
You mention multiple restarts, but what did you restart, exactly? You need to restart the DMGR, NodeAgents, and cluster members to synchronize the security settings, per the link in your post & per the 6.1 cluster guide:

http://www.ibm.com/support/docview.wss?rs=null&ca=portall2&uid=swg21313184

Check to see if the /config/cells//security.xml matches that on the DMGR. With standalone LDAP, that should be the primary consideration for authentication, though you will also want to verify .../wim/config/ is synchronized as well to make sure authorization works correctly.

After making sure the security configuration is synchronized, if the task still fails, post where you're running the task & the error message. Sometimes ConfigTrace.log will contain helpful information in troubleshooting these types of problems.

scott....@hyro.com

Apr 2, 2009, 5:55:30 PM
Hi, thanks for your post, it is greatly appreciated.

My restarts have been as follows; I have conducted several of these:
1. stopManager.bat, from the dmgr_profile_root\bin directory
2. stopNode.bat -username admin_userid -password admin_password from the wp_profile_root\bin directory
3. stopServer.bat server1 -username admin_userid -password admin_password, from the wp_profile_root\bin directory
4. stopServer.bat WebSphere_Portal -username admin_userid -password admin_password, from the wp_profile_root\bin directory
5. startManager.bat, from the dmgr_profile_root\bin directory
6. startNode.bat, from the wp_profile_root\bin directory
7. startServer.bat server1, from the wp_profile_root\bin directory
8. startServer.bat WebSphere_Portal, from the wp_profile_root\bin directory

When I check 'the /config/cells/ /security.xml matches that on the DMGR', it does not match.
The portal security.xml is missing the relevant LDAP details that the dmgr has:

portal
---------



dmgr
-----------




also the last properties tags vary:

portal
-----------









DMGR
------------










Also the wimconfig.xml files have considerable LDAP-related differences.

What is the best approach to synchronize this data?
Can I simply overwrite the files, or is there a process to follow?

scott....@hyro.com

Apr 2, 2009, 7:02:25 PM
To add to my last post, I updated both the security.xml and wimconfig.xml files on the portal server with the files from the dmgr.

After attempting to start the nodeagent I am noticing the following in the Node Agent SystemOut.log:

[3/04/09 09:26:39:611 EST] 00000011 SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=#######, O=######, ST=######, C=AU" was sent from target host:port "null:null". The signer may need to be added to local trust store "D:/IBM/WebSphere/wp_profile/config/cells/VRWP/trust.p12" located in SSL configuration alias "CellDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".
[3/04/09 09:26:39:611 EST] 00000011 SystemOut O
[3/04/09 09:26:39:669 EST] 0000000a LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://######:636.
[3/04/09 09:26:39:669 EST] 0000000a UserRegistryI A SECJ0136I: Custom Registry:com.ibm.ws.security.registry.ldap.LdapRegistryImpl has been initialized
[3/04/09 09:26:40:012 EST] 0000000a LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://########:636.
[3/04/09 09:26:40:313 EST] 0000000a LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://########:636.
[3/04/09 09:26:40:513 EST] 0000000a LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://########:636.
[3/04/09 09:26:40:541 EST] 0000000a ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl initialize FFDC0009I: FFDC opened incident stream file D:\IBM\WebSphere\wp_profile\logs\ffdc\nodeagent_0000000a_09.04.03_09.26.40_0.txt
[3/04/09 09:26:40:570 EST] 0000000a ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl resetIncidentStream FFDC0010I: FFDC closed incident stream file D:\IBM\WebSphere\wp_profile\logs\ffdc\nodeagent_0000000a_09.04.03_09.26.40_0.txt
[3/04/09 09:26:40:584 EST] 0000000a ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl open FFDC0009I: FFDC opened incident stream file D:\IBM\WebSphere\wp_profile\logs\ffdc\nodeagent_0000000a_09.04.03_09.26.40_1.txt
[3/04/09 09:26:40:599 EST] 0000000a ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl resetIncidentStream FFDC0010I: FFDC closed incident stream file D:\IBM\WebSphere\wp_profile\logs\ffdc\nodeagent_0000000a_09.04.03_09.26.40_1.txt
[3/04/09 09:26:40:613 EST] 0000000a LdapRegistryI E SECJ0352E: Could not get the users matching the pattern cn=portaladmin,o=##### because of the following exception javax.naming.CommunicationException: simple bind failed: #######:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:212)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:298)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:208)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:81)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:679)


This leads me to two things; I will bring over the /wp_profile/config/cells/VRWP/trust.p12 file from the dmgr.

1. After I created a static cluster I did not have access to the WAS Console on portal. Therefore I have only imported the LDAP server's SSL certificate into the server trust store of the DMGR, which I believe is now the WAS management console for the cluster, and therefore for WebSphere Portal. Is this logic correct?

2. Should I be able to access the WAS Console on portal after creating a static cluster, and if so, how?

3. Does this provide some clues as to why this environment is in the state it is in?
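The node agent log quoted above already names the cause in the CWPKI0022E message itself: the LDAP server's signer is not present in the node's trust.p12, so every LDAPS bind fails with "No trusted certificate found". As an added example (not code from this thread, from IBM, or from WebSphere), here is a small Python triage script that pulls the signer SubjectDN, the trust store path, the SSL configuration alias and the LDAP endpoint out of SystemOut.log lines, so the diagnosis can be confirmed and the right trust store identified before any files are copied between profiles. The log lines embedded in it are constructed to mirror the masked excerpt above; the host name and DN are made-up placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample of node agent SystemOut.log lines, modelled on the excerpt in
# the thread. Host names and the signer DN are placeholders, not real values.
SAMPLE_LOG = """\
[3/04/09 09:26:39:611 EST] 00000011 SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=ldap.example.invalid, O=EXAMPLE, ST=NSW, C=AU" was sent from target host:port "null:null". The signer may need to be added to local trust store "D:/IBM/WebSphere/wp_profile/config/cells/VRWP/trust.p12" located in SSL configuration alias "CellDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".
[3/04/09 09:26:39:669 EST] 0000000a LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://ldap.example.invalid:636.
[3/04/09 09:26:40:012 EST] 0000000a LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://ldap.example.invalid:636.
[3/04/09 09:26:40:613 EST] 0000000a LdapRegistryI E SECJ0352E: Could not get the users matching the pattern cn=portaladmin,o=example because of the following exception javax.naming.CommunicationException: simple bind failed: ldap.example.invalid:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found]
"""

# CWPKI0022E: which signer was offered, and which local trust store / SSL alias rejected it.
SIGNER_RE = re.compile(
    r'CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "(?P<dn>[^"]+)".*?'
    r'local trust store "(?P<store>[^"]+)".*?SSL configuration alias "(?P<alias>[^"]+)"'
)
# SECJ0418I: registry could not reach the LDAP server (URL ends with a period in the log).
LDAP_CONNECT_RE = re.compile(
    r'SECJ0418I: Cannot connect to the LDAP server ldap://(?P<host>[^\s:/]+):(?P<port>\d+)'
)
# SECJ0352E: the bind itself failed; capture endpoint and the root exception class.
BIND_RE = re.compile(
    r'SECJ0352E: .*?simple bind failed: (?P<host>[^\s:]+):(?P<port>\d+)'
    r'.*?Root exception is (?P<exc>[\w.]+)'
)


@dataclass
class HandshakeTriage:
    signer_dn: Optional[str] = None
    trust_store: Optional[str] = None
    ssl_alias: Optional[str] = None
    ldap_endpoints: Set[str] = field(default_factory=set)
    failed_connects: int = 0
    bind_failures: int = 0
    root_exceptions: Set[str] = field(default_factory=set)

    def is_missing_signer(self) -> bool:
        # The handshake error names both a rejected signer and the store that rejected it.
        return self.signer_dn is not None and self.trust_store is not None

    def recommendation(self) -> str:
        if not self.is_missing_signer():
            return "No CWPKI0022E signer failure found; look elsewhere (registry config, credentials)."
        hosts = ", ".join(sorted(self.ldap_endpoints)) or "the LDAP server"
        return (
            f"Add the signer '{self.signer_dn}' presented by {hosts} to trust store "
            f"'{self.trust_store}' (SSL alias '{self.ssl_alias}'), then synchronize the node "
            f"and restart the node agent and servers."
        )


def triage_node_agent_log(text: str) -> HandshakeTriage:
    """Walk SystemOut.log lines and collect the facts needed to confirm a missing-signer failure."""
    t = HandshakeTriage()
    for line in text.splitlines():
        m = SIGNER_RE.search(line)
        if m:
            t.signer_dn, t.trust_store, t.ssl_alias = m["dn"], m["store"], m["alias"]
            continue
        m = LDAP_CONNECT_RE.search(line)
        if m:
            t.ldap_endpoints.add(f"{m['host']}:{m['port']}")
            t.failed_connects += 1
            continue
        m = BIND_RE.search(line)
        if m:
            t.ldap_endpoints.add(f"{m['host']}:{m['port']}")
            t.bind_failures += 1
            t.root_exceptions.add(m["exc"])
    return t


if __name__ == "__main__":
    result = triage_node_agent_log(SAMPLE_LOG)
    print(result.recommendation())
```

Run it against a real node agent SystemOut.log by passing the file contents to `triage_node_agent_log`; the trust store path it reports is the one to verify (and, as the thread goes on to do, to align with the dmgr's), rather than guessing which of the cell, node or server stores the handshake actually consulted.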
