IBM Support

Collecting Data: Portal Access Control (PAC) for WebSphere Portal

Technote (troubleshooting)


Problem

Collecting troubleshooting data for Portal Access Control issues with IBM WebSphere Portal expedites time to resolution by enabling IBM Support to provide informed problem analysis.

Resolving the problem

If you have already contacted IBM Support and must collect data to determine the nature of a problem in WebSphere Portal, review the information below for the available methods of data collection. Otherwise, review Collecting Data: Read first for WebSphere Portal.

Collecting Portal Access Control information

Problems with Portal Access Control include being unable to deploy portlets because of missing administrative rights, perform administrative actions, take proper actions on resources such as pages and portlets, search for users or groups, or run XMLAccess.

Detailed Problem Description

  • Step-by-step process to recreate the problem.
  • Error messages, if any, shown in the web browser or in the logs; take screenshots if possible.
  • Special conditions such as only some user IDs having the problem but not others; use of non-standard or custom objectclasses or attributes; LDAP referrals or dynamic groups.
  • Whether the issue is intermittent or can be recreated at will.

System Information
  • Fix pack level of WebSphere Portal and WebSphere Application Server and interim fixes installed.
  • Platform and configuration (cluster or stand-alone, how many nodes if clustered, and so on).
  • Edge components, HTTP server, Load Balancer.
  • Network topology: remote or local servers, firewall configuration.
  • LDAP server vendor and version, and user and group configuration; if available, provide the LDIF output of affected users and/or groups.
  • Database server type and version as well as JDBC driver info.
  • Specify whether there are third-party security components or other solutions such as Tivoli Access Manager integrated into the environment.

Enable Tracing
Enable the following traces:

    com.ibm.websphere.wim.*=all:com.ibm.ws.wim.*=all:com.ibm.wsspi.wim.*=all:
    com.ibm.wps.ac.impl.AccessControlConfigFederator=all:
    com.ibm.wps.puma.*=all:com.ibm.wps.ac.impl.AccessControlFederator=all:
    com.ibm.wps.engine.Servlet=all:com.ibm.wps.engine.phases.*=all:com.ibm.wps.services.puma.*=all:com.ibm.wps.um.*=all:
    com.ibm.wps.sso.*=all

Set the trace string as one continuous line with no line breaks; its components are separated by colons (:).

We strongly recommend increasing the size of log files to 20 MB or more and the number of historical copies to 20 or more.

If using rule-based user groups, append the following string to the above trace:

:com.ibm.wps.vmm.adapter.*=all

If an External Security Manager (ESM) such as Tivoli Access Manager or Computer Associates' eTrust SiteMinder is configured for access control, add the following trace strings in addition to the above (colon separated and with no spaces):

    :com.ibm.wps.ac.esm.*=all:wps.ibm.wps.ac.authtable.*=all

For further information regarding logging and tracing, refer to the InfoCenter.
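
The assembly rule above (one line, colon-separated, no spaces, optional fragments appended) as an added shell example that is not part of the original technote: it normalizes fragments pasted with line breaks or stray spaces and checks each component before the string is entered on the server. The function names are hypothetical, and the `component=level` shape check is an assumption based on the strings shown on this page.

```shell
#!/bin/sh
# Added example: fragments below are the technote's trace strings, pasted
# (constructed sample) with the line breaks and stray spaces a wrapped page yields.
BASE_TRACE='com.ibm.websphere.wim.*=all:com.ibm.ws.wim.*=all:com.ibm.wsspi.wim.*=all:
com.ibm.wps.ac.impl.AccessControlConfigFederator=all:
com.ibm.wps.puma.*=all:com.ibm.wps.ac.impl.AccessControlFederator=all:
com.ibm.wps.engine.Servlet=all:com.ibm.wps.engine.phases.*=all: com.ibm.wps.services.puma.*=all:com.ibm.wps.um.*=all:
com.ibm.wps.sso.*=all'
RULE_GROUP_TRACE=':com.ibm.wps.vmm.adapter.*=all'
ESM_TRACE=': com.ibm.wps.ac.esm.*=all:wps.ibm.wps.ac.authtable.*=all'

# Hypothetical helper: join fragments, strip all whitespace, drop empty
# components left by doubled colons, and remove duplicates (first one wins).
normalize_trace() {
    printf '%s' "$*" | tr -d ' \t\r\n' | tr ':' '\n' |
        awk 'NF && !seen[$0]++' | paste -sd: -
}

# Hypothetical helper: succeed only if the string is non-empty, contains no
# whitespace, and every component looks like <package-or-class>[.*]=<level>.
# The shape is an assumption drawn from the strings on this page.
validate_trace() {
    [ -n "$1" ] || return 1
    [ "$(printf '%s' "$1" | tr -d ' \t\r\n')" = "$1" ] || return 1
    printf '%s\n' "$1" | tr ':' '\n' | grep -Evq \
        '^(\*|[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*(\.\*)?)=[a-z]+$' \
        && return 1
    return 0
}

# $1 = yes if rule-based user groups are in use, $2 = yes if an ESM is configured.
build_trace() {
    spec=$BASE_TRACE
    if [ "$1" = yes ]; then spec="$spec$RULE_GROUP_TRACE"; fi
    if [ "$2" = yes ]; then spec="$spec$ESM_TRACE"; fi
    normalize_trace "$spec"
}

# Print the full specification only if it passes validation.
spec=$(build_trace yes yes)
if validate_trace "$spec"; then
    printf '%s\n' "$spec"
else
    echo 'trace specification is malformed' >&2
fi
```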

Collect logs and configuration data:

1. Recreate the problem and run wpcollector to collect the trace and server configuration data. Note the date and time when the problem was recreated in your update to IBM Support.

2. Generate a full export using XMLAccess with ExportRelease.xml as input:

    <WP_root>/bin/xmlaccess.bat/.sh -in <WP_root>/doc/xml-samples/ExportRelease.xml -user <portaladmin> -pwd <password> -url http://<portalhost>:10039/wps/config -out pmrXXXXX.BBB.CCC.fullexport.xml

   where <password> is the password of <portaladmin>. If the problem is in a virtual portal, the full export should be taken from the virtual portal context (.../wps/config/<vpcontext>).

3. Generate a list of invalid user references that exist in the WebSphere Portal database:

    <WP_root>/bin/xmlaccess.bat/.sh -in <WP_root>/doc/xml-samples/CleanupUsers.xml -user <portaladmin> -pwd <password> -url http://<portalhost>:10039/wps/config -out pmrXXXXX.BBB.CCC.invalidUserRefs.xml

4. LDIF output: If the problem is related to permission settings for users and/or groups, generate LDIF output from the LDAP server for the objects involved.

5. List any notable PAC configurations: If specialized access control settings are used, such as role-blocks and nested groups or dynamic group configurations, please specify them clearly.

Send these files to IBM Support by using the instructions outlined in Exchanging information with IBM Technical Support for problem determination.

Document information

More support for: WebSphere Portal
Problem Determination

Software version: 7.0, 8.0, 8.5

Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: Enable, Express, Extend, Hypervisor Edition, Server

Reference #: 1450830

Modified date: 14 February 2011