In the following scenario, you might not be able to synchronize the node configuration with the deployment manager in a clustered environment, and you might receive error message SECJ0373E.
- You created a WebSphere Process Server deployment manager profile that is automatically configured with a file-based repository (global security enabled).
- At least one custom node was federated to the cell. The node includes the security configuration that is set on the deployment manager.
- The node agent of the federated custom node is up and running.
- You change the user name of the system administrator or operator role in the file-based repository.
After you change the user name of the system administrator, the node synchronization on the custom profile fails. The failure occurs whether you enable automatic node synchronization or you synchronize nodes manually using the administrative console or the syncNode command. The following runtime exception is logged in the SystemOut.log file of the node agent:
[1/1/09 10:10:10:100 CEST] 00000001 RoleBasedAuth A SECJ0305I: The role-based authorization check failed for admin-authz operation NodeSync:isNodeSynchronized. The user wpsadmin (unique ID: wpsadmin) was not granted any of the following required roles: adminsecuritymanager, deployer, administrator, operator, monitor, configurator.
[1/1/09 10:10:10:200 CEST] 00000001 LTPAServerObj E SECJ0373E: Cannot create credential for the user <null> due to failed validation of the LTPA token. The exception is com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4001E The 'uid=wpsadmin,o=defaultWIMFileBasedRealm' entity was not found.
In a security-enabled environment, you must provide the user name and password for stopping the server. The new user for the administrator or operator role is not yet propagated to the federated node. Therefore, the operation fails.
When you change the user name of the system administrator or operator in the current repository (for example, a file-based repository or Lightweight Directory Access Protocol (LDAP)), the change takes effect immediately on the deployment manager. The new user configuration is not written to the repository; it is written to the WebSphere Application Server security configuration files. At this point, the node still uses the previously configured user name for synchronization and authorization because it has not yet been synchronized with the new security configuration. Subsequent attempts to synchronize the node fail.
This problem occurs in a clustered environment and with all supported user registries.
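The two node agent messages shown above are the signature of this condition: SECJ0305I reports that the user presenting the LTPA token holds none of the administrative roles on the node, and SECJ0373E reports that the user entity no longer exists in the repository. The following scanner is an added example, written in plain Python (not a wsadmin or Jython script, and not IBM code); it reads lines in the SystemOut.log format shown on the page, pulls the denied user, the required roles and the missing entity out of the two messages, and reports the combination as a stale administrative role mapping. The sample log text is constructed for the example; the filler SystemOut line is there only to show that unrelated lines are skipped.

```python
import re

# Constructed sample in the SystemOut.log layout shown on the page. The first line is
# filler without a message ID; the other two reproduce the SECJ0305I/SECJ0373E pair.
SAMPLE_LOG = """\
[1/1/09 10:10:09:900 CEST] 00000001 SystemOut     O filler line without a message ID
[1/1/09 10:10:10:100 CEST] 00000001 RoleBasedAuth A SECJ0305I: The role-based authorization check failed for admin-authz operation NodeSync:isNodeSynchronized. The user wpsadmin (unique ID: wpsadmin) was not granted any of the following required roles: adminsecuritymanager, deployer, administrator, operator, monitor, configurator.
[1/1/09 10:10:10:200 CEST] 00000001 LTPAServerObj E SECJ0373E: Cannot create credential for the user <null> due to failed validation of the LTPA token. The exception is com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4001E The 'uid=wpsadmin,o=defaultWIMFileBasedRealm' entity was not found.
"""

# [timestamp] threadid component level MSGID: text
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9A-Fa-f]{8})\s+(?P<component>\S+)\s+"
    r"(?P<level>[A-Z])\s+(?P<msgid>[A-Z]{4}\d{4}[A-Z]):\s*(?P<text>.*)$"
)
# SECJ0305I body: which operation, which user, which roles were required.
DENIED_RE = re.compile(
    r"operation (?P<op>\S+)\. The user (?P<user>\S+) \(unique ID: (?P<uid>[^)]+)\) "
    r"was not granted any of the following required roles: (?P<roles>[^.]+)\."
)
# CWWIM4001E inside the SECJ0373E body: the entity the node could not resolve.
NOT_FOUND_RE = re.compile(r"The '(?P<dn>[^']+)' entity was not found")


def scan_systemout(text):
    """Return structured findings for the SECJ0305I and SECJ0373E lines in `text`."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # filler, stack-trace continuation, or a line without a message ID
        msgid, body = m.group("msgid"), m.group("text")
        if msgid == "SECJ0305I":
            d = DENIED_RE.search(body)
            if d:
                findings.append({
                    "msgid": msgid, "ts": m.group("ts"),
                    "operation": d.group("op"), "user": d.group("user"),
                    "roles": [r.strip() for r in d.group("roles").split(",")],
                })
        elif msgid == "SECJ0373E":
            nf = NOT_FOUND_RE.search(body)
            findings.append({
                "msgid": msgid, "ts": m.group("ts"),
                "entity": nf.group("dn") if nf else None,
                "entity_not_found": "EntityNotFoundException" in body,
            })
    return findings


def diagnose(findings):
    """Flag a NodeSync authorization failure paired with a missing repository entity
    as a stale administrative role mapping on the node; otherwise return None."""
    denied = [f for f in findings
              if f["msgid"] == "SECJ0305I" and f["operation"].startswith("NodeSync:")]
    missing = [f for f in findings
               if f["msgid"] == "SECJ0373E" and f["entity_not_found"]]
    if denied and missing:
        return {
            "verdict": "stale-admin-role-mapping",
            "user": denied[0]["user"],
            "missing_entity": missing[0]["entity"],
            "required_roles": denied[0]["roles"],
        }
    return None


if __name__ == "__main__":
    print(diagnose(scan_systemout(SAMPLE_LOG)))
```

Point `scan_systemout` at the node agent's SystemOut.log (for example, by reading the file and passing its contents) to confirm that a failed synchronization is this condition rather than a plain wrong-password case, which produces SECJ0373E without the EntityNotFoundException text.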
Resolving the problem
When you change the user name of the system administrator or operator role, make sure that at least one user is mapped to this role. To solve the problem, follow these instructions:
- Stop all of the node agents of all custom nodes that are federated to the cell.
- Log in to the administrative console of the deployment manager.
- Verify that at least one user is available in the repositories and is mapped to the administrator or operator role. The information in the user repository is not changed. Mappings to the security roles are stored in configuration files only.
- Save the changes to the master configuration.
- On each node agent, run the syncNode command manually.
After all of the nodes are synchronized with the configuration of the deployment manager, synchronization works properly. To avoid the problem, use one of the following workarounds:
- Keep the current administrative user in the repository. Map an additional user to the administrator or operator role. Recycle the environment to make the new user available to all nodes, and then delete or rename the old user account.
- Instead of mapping user names to the administrative roles, map a group of users. As long as multiple users who are members of the group are in the repository, you can synchronize the nodes using another user name.
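The resolution and both workarounds come down to one invariant: before the administrative user is renamed, every administrative role must still resolve to at least one user that exists in the repository from the point of view of a node that has not yet received the new mapping. The following pre-change check is an added example in plain Python (not wsadmin and not IBM code) that models the role mappings as they live in the security configuration files, models users and groups as they live in the repository, and reports whether renaming a user would leave the administrator or operator role with nobody a not-yet-synchronized node can authorize. The renamed user is deliberately treated as unavailable, because, as the page states, the new user is not yet propagated to the federated node. The user names wpsadmin2 and alice and the group name wpsadmins are constructed for the example; wpsadmin is the name used on the page.

```python
ADMIN_ROLES = ("administrator", "operator")


def effective_users(role_mapping, repo_users, repo_groups):
    """Repository users that can act in a role: directly mapped user names that exist
    in the repository, plus existing members of every mapped group."""
    users = {u for u in role_mapping.get("users", ()) if u in repo_users}
    for group in role_mapping.get("groups", ()):
        users.update(m for m in repo_groups.get(group, ()) if m in repo_users)
    return users


def check_rename(authz, repo_users, repo_groups, old_name):
    """Per admin role, list who can still be authorized by a node that carries the old
    mapping after `old_name` is renamed. The renamed user is excluded because its new
    name is not yet propagated to the node."""
    remaining = repo_users - {old_name}
    report = {}
    for role in ADMIN_ROLES:
        mapping = authz.get(role, {})
        before = effective_users(mapping, repo_users, repo_groups)
        after = effective_users(mapping, remaining, repo_groups)
        report[role] = {"before": sorted(before), "after": sorted(after), "safe": bool(after)}
    return report


def is_safe_to_rename(authz, repo_users, repo_groups, old_name):
    """True only if every admin role keeps at least one usable user during the rename."""
    return all(r["safe"] for r in check_rename(authz, repo_users, repo_groups, old_name).values())


# Constructed repository contents (what a file-based repository or LDAP would hold).
REPO_USERS = {"wpsadmin", "wpsadmin2", "alice"}
REPO_GROUPS = {"wpsadmins": {"wpsadmin", "alice"}, "lonely": {"wpsadmin"}}

# Constructed role mappings (what the security configuration files hold).
FRAGILE_AUTHZ = {               # the scenario on the page: one user holds both roles
    "administrator": {"users": ["wpsadmin"]},
    "operator": {"users": ["wpsadmin"]},
}
EXTRA_USER_AUTHZ = {            # first workaround: an additional mapped user
    "administrator": {"users": ["wpsadmin", "wpsadmin2"]},
    "operator": {"users": ["wpsadmin", "wpsadmin2"]},
}
GROUP_AUTHZ = {                 # second workaround: a group with more than one member
    "administrator": {"groups": ["wpsadmins"]},
    "operator": {"groups": ["wpsadmins"]},
}
SINGLE_MEMBER_GROUP_AUTHZ = {   # a group does not help if the renamed user is its only member
    "administrator": {"groups": ["lonely"]},
    "operator": {"groups": ["lonely"]},
}

if __name__ == "__main__":
    for name, authz in [("fragile", FRAGILE_AUTHZ), ("extra user", EXTRA_USER_AUTHZ),
                        ("group", GROUP_AUTHZ), ("single-member group", SINGLE_MEMBER_GROUP_AUTHZ)]:
        print(name, is_safe_to_rename(authz, REPO_USERS, REPO_GROUPS, "wpsadmin"),
              check_rename(authz, REPO_USERS, REPO_GROUPS, "wpsadmin"))
```

Run the check with the cell's actual mappings and repository contents before renaming; a `safe` value of False for either role is exactly the situation that leaves the node agents unable to synchronize until they are stopped, the mapping is corrected and saved on the deployment manager, and syncNode is run on each node.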