Administrators unable to install portlet applications through Administration portlets

Technote (troubleshooting)


Problem

Administrative users are unable to install portlet applications through the Administration portlets. If the administrator logs into IBM WebSphere Portal and immediately installs portlet applications, the process works. If the administrator logs into WebSphere Portal and browses pages before installing portlet applications, the install fails.

The scenario fails for both of the following administrative users, which have different RDNs:

cn=wpsadmin, ou=users, o=com
uid=adminuser, ou=employees, o=com

Symptom

The following exceptions appear in the Portal SystemOut.log file:


    [datetime] 0000004e LTPAServerObj E SECJ0373E: Cannot create credential for the user due to failed validation of the LTPA token. The exception is java.lang.NullPointerException
      at com.ibm.ws.wmm.MRMWrapper.WMMURGetUserSecurityName(MRMWrapper.java:494)
      at com.ibm.websphere.wmm.registry.WMMUserRegistry.getUserSecurityName(WMMUserRegistry.java:1009)
    .....
    [datetime] 0000004e RoleBasedAuth E SECJ0306E: No received or invocation credential exist on the thread. The Role based authorization check will not have an accessId of the caller to check.
    ....
    [datetime] 0000004e RoleBasedAuth A SECJ0305I: The role-based authorization check failed for admin-authz operation AppManagement:listApplications:java.util.Hashtable:java.lang.String.
    The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: administrator, operator, monitor, configurator.
    [datetime] 00000045 WAS5Admin E com.ibm.wps.pe.mgr.appserveradmin.WAS5Admin initVars EJPPH0010E: Failed to retrieve and initialize runtime variables from Application Server.
    [datetime] 00000045 WAS5Admin E com.ibm.wps.pe.mgr.appserveradmin.WAS5Admin constructor EJPPH0007E: Instantiation of the administration module for Portal context /wps failed.
    [datetime] 00000045 AbstractAppli E com.ibm.wps.pe.mgr.AbstractApplicationManagerImpl installWebModule_IISSU EJPPE0013E: Installation of Web Module from WAR file C:\WEBSPH~1\PORTAL~1\deployed\portlet.war failed.
    ....
    Caused by: com.ibm.wps.pe.mgr.exceptions.InstanceException: EJPPE0001E: Instantiation of AppServerAdminManager failed.
    ....
    Caused by: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the listApplications operation on AppManagement MBean because of insufficient or empty credentials.
    ...

Cause

After enabling WMM tracing, you can see that the user is not returned at the getExternalMember() method.

Non-working code:

    [datetime] 00000224 WMM Trace Log > com.ibm.ws.wmm.MemberRepositoryManager API: getMember(MemberIdentifier memberId, StringSet attributeNames, String context) Entry
    [cn=wpsadmin, ou=users, o=com / null] [uid] com.ibm.websphere.wmm

    [datetime] 00000224 WMM Trace Log > com.ibm.ws.wmm.MemberRepositoryManager boolean needsQueryProfileRepository(String memberDN) Entry cn=wpsadmin, ou=users, o=com
    [datetime] 00000224 WMM Trace Log > com.ibm.ws.wmm.MemberRepositoryManager StringSet[] validateAndDivideAttributeNames(short memberTypeId, StringSet attributeNames, int repositoryIndex) Entry 1
    [uid] 0
    ....................
    [datetime] 00000224 WMM Trace Log < com.ibm.ws.wmm.ldap.LdapBeanImpl LdapBean findByDN(String DN, StringSet wmmAttributeNames) Exit memberType:0, memberId:[cn=wpsadmin, ou=users, o=comI /
    e1f31fc0-0849-102b-8852-9e11f257y43c, null], DN:cn=wpsadmin, ou=users, o=com, objectClass:objectClass: top, person, organizationalPerson, inetOrgPerson, ePerson,
    [datetime] 00000224 WMM Trace Log > com.ibm.ws.wmm.ldap.LdapBeanImpl ExternalMember getExternalMember() Entry
    [datetime] 00000224 WMM Trace Log < com.ibm.ws.wmm.ldap.LdapBeanImpl ExternalMember getExternalMember() Exit memberType:0, externalMemberIdentifier:[cn=wpsadmin, ou=users, o=com / e1f31fc0-0849-102b-8852-9e11f257y43c, null], parentExternalMemberIdentifier:[ ou=users, o=com / null, LDAP1]
    {}

Working code:

    [datetime] 0000021f WMM Trace Log > com.ibm.ws.wmm.MemberRepositoryManager API: getMember(MemberIdentifier memberId, StringSet attributeNames, String context) Entry
    [cn=wpsadmin, ou=users, o=com / null] [sn, cn, ibm-primaryEmail, uid, givenName, preferredLanguage] com.ibm.websphere.wmm
    [datetime] 0000021f WMM Trace Log > com.ibm.ws.wmm.MemberRepositoryManager boolean needsQueryProfileRepository(String memberDN) Entry cn=wpsadmin, ou=users, o=com
    [datetime] 0000021f WMM Trace Log > com.ibm.ws.wmm.MemberRepositoryManager StringSet[] validateAndDivideAttributeNames(short memberTypeId, StringSet attributeNames, int repositoryIndex) Entry 1
    [sn, cn, ibm-primaryEmail, uid, givenName, preferredLanguage] 0
    ..............
    [datetime] 0000021f WMM Trace Log < com.ibm.ws.wmm.ldap.LdapBeanImpl LdapBean findByDN(String DN, StringSet wmmAttributeNames) Exit memberType:0, memberId:[cn=wpsadmin, ou=users, o=com /
    e1f31fc0-0849-102b-8852-9e11f257y43c, null], DN:cn=wpsadmin, ou=users, o=com, objectClass:objectClass: top, person, organizationalPerson, inetOrgPerson, ePerson,
    [datetime] 0000021f WMM Trace Log > com.ibm.ws.wmm.ldap.LdapBeanImpl ExternalMember getExternalMember() Entry
    [datetime] 0000021f WMM Trace Log < com.ibm.ws.wmm.ldap.LdapBeanImpl ExternalMember getExternalMember() Exit memberType:0, externalMemberIdentifier:[cn=wpsadmin, ou=users, o=com / e1f31fc0-0849-102b-8852-9e11f257y43c, null], parentExternalMemberIdentifier:[ou=users, o=com / null, LDAP1]
    {cn=cn:wpsadmin}

As shown in this working call, the getExternalMember() method returns "cn=cn:wpsadmin" while the non-working instance returns "{}" (an empty result).

Diagnosing the problem

Review the following WMM settings:


In the wmm.xml file, "uid" is configured as the RDN of the Person type and "cn" is configured as the RDN of the Group type.

When a DN is passed to the WMM API, WMM quickly determines its member type by comparing its RDN with "rdnAttrTypes" in the wmm.xml file. Since "cn=wpsadmin, ou=users, o=com" has RDN = 'cn', WMM treats it as a Group type.


Resolving the problem

WMM does not support two RDN types (uid and cn) for one specific member type. Therefore, to make WMM find the "uid" from the LDAP repository for a Group type, one workaround is to add the Group type into the "uid" definition in the wmmLDAPServerAttributes.xml file.


1. Change the "uid" definition in the wmmLDAPServerAttributes.xml file to add the Group type, as follows:

    From:
      <attributeMap wmmAttributeName="uid"
      pluginAttributeName="uid"
      applicableMemberTypes="Person"
      requiredMemberTypes="Person"
      dataType="String"
      valueLength="256"
      multiValued="false"/>
    To:
      <attributeMap wmmAttributeName="uid"
      pluginAttributeName="uid"
      applicableMemberTypes="Person;Group"
      requiredMemberTypes="Person"
      dataType="String"
      valueLength="256"
      multiValued="false"/>

2. Restart Portal (standalone) or checkout/checkin/resync (cluster).

3. Test with the cn user, who should now be able to update portlets.
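
The check below is an added example, not IBM code: a simplified model of the RDN-based classification described under "Diagnosing the problem", run against the attributeMap fragments from step 1. The RDN-to-member-type table restates the technote's description of wmm.xml, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Assumption restating the technote: in wmm.xml, "uid" is the RDN attribute
# of the Person type and "cn" is the RDN attribute of the Group type.
RDN_TO_MEMBER_TYPE = {"uid": "Person", "cn": "Group"}

# attributeMap fragment as shown in step 1 ("From"), and the changed form ("To").
BEFORE = '''<attributeMap wmmAttributeName="uid"
  pluginAttributeName="uid"
  applicableMemberTypes="Person"
  requiredMemberTypes="Person"
  dataType="String"
  valueLength="256"
  multiValued="false"/>'''
AFTER = BEFORE.replace('applicableMemberTypes="Person"',
                       'applicableMemberTypes="Person;Group"')


def member_type_for_dn(dn, rdn_map=RDN_TO_MEMBER_TYPE):
    """Classify a DN by the attribute type of its leftmost RDN (model only)."""
    rdn_attr = dn.split("=", 1)[0].strip().lower()
    return rdn_map.get(rdn_attr)  # None when the RDN attribute is unknown


def applicable_types(xml_text):
    """Map each wmmAttributeName to the set of member types it applies to."""
    root = ET.fromstring(xml_text)
    return {
        el.get("wmmAttributeName"): {
            t.strip()
            for t in el.get("applicableMemberTypes", "").split(";")
            if t.strip()
        }
        for el in root.iter("attributeMap")  # iter() also yields the root itself
    }


def check_admin_dns(dns, xml_text, attr="uid"):
    """Return (dn, member_type, ok); ok is False when `attr` is not listed as
    applicable to the member type inferred from the DN's RDN."""
    allowed = applicable_types(xml_text).get(attr, set())
    return [(dn, member_type_for_dn(dn), member_type_for_dn(dn) in allowed)
            for dn in dns]


if __name__ == "__main__":
    admins = ["cn=wpsadmin, ou=users, o=com", "uid=adminuser, ou=employees, o=com"]
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for dn, mtype, ok in check_admin_dns(admins, cfg):
            print(f"{label}: {dn} -> {mtype}: uid applicable = {ok}")
```

Running it before editing wmmLDAPServerAttributes.xml lists which administrator DNs would be classified as a type for which "uid" is not applicable.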

Document information

More support for: WebSphere Portal End of Support Products, WebSphere Portal

Software version: 6.0

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: Enable, Express, Extend, Server

Reference #: 1305110

Modified date: 2013-08-03
