Impersonation may fail in a Portal clustered environment

Technote (troubleshooting)


Problem

Impersonation may fail in a clustered environment if the OriginalUserCredential in the WebSphere Application Server security subject is missing.

Cause

There are two possible causes for this issue:

1) Known defect - Ensure APAR PM34927 is installed on all nodes in the cluster. For Portal 6.1.x clusters, ensure you run "apply-PM34927" after installing the APAR as an individual iFix, or run "apply-cumfix" if installing the APAR as part of a cumulative fix.

2) Configuration issue - WebSphere Application Server attribute propagation not enabled.

This document assumes that APAR PM34927 has been installed on every node and that the manual configuration task has been run successfully. The rest of this document covers cause 2, the configuration issue.


Diagnosing the problem

When impersonation occurs, data about the original user who begins impersonation is stored in the WebSphere Application Server security subject of the impersonated user. Specifically, a new public credential called the OriginalUserCredential contains the DN of the original user. When the impersonation process finishes and a call is made to return to the original user, the presence of the OriginalUserCredential allows the return to the original user successfully. When the OriginalUserCredential is missing, returning to the original user may fail.



To determine whether the OriginalUserCredential is missing from the subject, collect the data from each node in the cluster as outlined in the following document: Collecting Data: Login for WebSphere Portal 6.1


Review the traces from each node. On the node where impersonation starts, observe that starting impersonation causes the OriginalUserCredential to be set in the subject:

[timestamp] 000000d7 Impersonation 3                      
com.ibm.wps.portletservice.impersonation.impl.ImpersonationServiceImpl
doImpersonate created subject for user to be impersonated
OriginalUserCredentialCredential:[DN=uid=originalUser,o=ibm
SN=uid=originalUser,o=ibm]]



During an impersonation session, requests may be load balanced to a node other than the one on which impersonation started. For impersonation to end correctly, the OriginalUserCredential must therefore be available on every node in the cluster. When the condition described by this technote occurs, the trace from another node in the cluster shows no OriginalUserCredential in the subject when impersonation finishes:

[timestamp] 000000bc Impersonation >
com.ibm.wps.auth.impersonation.impl.ImpersonationLogoutFilter logout
ENTRY
[timestamp] 000000bc ContextManage <  getCallerSubject
Exit
Subject:
Principal: testRealm/uid=impersonatedUser,o=ibm
 Public Credential: com.ibm.ws.security.auth.WSCredentialImpl@1dec1dec
 Private Credential:
com.ibm.ws.security.token.SingleSignonTokenImpl@34103410
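The comparison described above, as an added example that is not part of this technote: a Python script that reads the trace.log collected from each node, joins wrapped trace lines back into single entries keyed by thread ID, and reports which nodes show an ImpersonationLogoutFilter logout whose getCallerSubject dump has no OriginalUserCredential. The three trace excerpts are constructed for the example in the format shown on this page (the healthy dump on "node3" is an assumed shape, with the OriginalUserCredential listed as a public credential); the node names, function names and timestamps are the example's own.

```python
import re

# One WebSphere trace entry starts "[timestamp] threadId component level message";
# wrapped lines that follow belong to the same entry. The trace formatter truncates
# component names (e.g. "ContextManage"), so matching is done on the message text.
ENTRY_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-f]{8})\s+'
    r'(?P<component>\S+)\s+(?P<level>\S+)\s*(?P<msg>.*)$')


def parse_entries(trace_text):
    """Group raw trace lines into entries, joining wrapped continuation lines."""
    entries = []
    for raw in trace_text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            entries.append(m.groupdict())
        elif entries and raw.strip():
            entries[-1]['msg'] += ' ' + raw.strip()
    return entries


def check_impersonation(traces):
    """traces maps node name -> trace.log text. Returns one finding per
    impersonation start and per impersonation logout seen on each node."""
    findings = []
    for node, text in traces.items():
        awaiting_subject = set()   # threads currently inside ImpersonationLogoutFilter.logout
        for e in parse_entries(text):
            msg, thread = e['msg'], e['thread']
            if e['component'] == 'Impersonation' and 'doImpersonate created subject' in msg:
                dn = re.search(r'DN=([^\s\]]+)', msg)
                findings.append({
                    'node': node, 'thread': thread, 'event': 'impersonate',
                    'original_user': dn.group(1) if dn else None,
                    'has_original_credential': 'OriginalUserCredential' in msg})
            elif (e['component'] == 'Impersonation'
                  and 'ImpersonationLogoutFilter logout' in msg and 'ENTRY' in msg):
                awaiting_subject.add(thread)
            elif (e['component'].startswith('ContextManage') and 'getCallerSubject' in msg
                  and 'Exit' in msg and thread in awaiting_subject):
                # The caller subject dumped on the same thread right after logout ENTRY
                awaiting_subject.discard(thread)
                principal = re.search(r'Principal:\s*(\S+)', msg)
                findings.append({
                    'node': node, 'thread': thread, 'event': 'logout',
                    'principal': principal.group(1) if principal else None,
                    'has_original_credential': 'OriginalUserCredential' in msg})
    return findings


def nodes_missing_credential(findings):
    """Nodes on which impersonation ended with no OriginalUserCredential in the subject."""
    return sorted({f['node'] for f in findings
                   if f['event'] == 'logout' and not f['has_original_credential']})


# Constructed sample traces, one per node, in the format of the excerpts above.
SAMPLE_TRACES = {
    'node1': """[12/7/12 10:15:01:123 EST] 000000d7 Impersonation 3   com.ibm.wps.portletservice.impersonation.impl.ImpersonationServiceImpl
doImpersonate created subject for user to be impersonated
OriginalUserCredential Credential:[DN=uid=originalUser,o=ibm
SN=uid=originalUser,o=ibm]]
""",
    'node2': """[12/7/12 10:16:42:001 EST] 000000bc Impersonation >
com.ibm.wps.auth.impersonation.impl.ImpersonationLogoutFilter logout
ENTRY
[12/7/12 10:16:42:002 EST] 000000bc ContextManage <  getCallerSubject
Exit
Subject:
Principal: testRealm/uid=impersonatedUser,o=ibm
 Public Credential: com.ibm.ws.security.auth.WSCredentialImpl@1dec1dec
 Private Credential:
com.ibm.ws.security.token.SingleSignonTokenImpl@34103410
""",
    # Assumed shape of a healthy dump: the OriginalUserCredential survives as a public credential.
    'node3': """[12/7/12 10:17:03:500 EST] 000000e1 Impersonation >
com.ibm.wps.auth.impersonation.impl.ImpersonationLogoutFilter logout
ENTRY
[12/7/12 10:17:03:501 EST] 000000e1 ContextManage <  getCallerSubject
Exit
Subject:
Principal: testRealm/uid=impersonatedUser,o=ibm
 Public Credential: com.ibm.ws.security.auth.WSCredentialImpl@2fe02fe0
 Public Credential: OriginalUserCredential Credential:[DN=uid=originalUser,o=ibm SN=uid=originalUser,o=ibm]]
 Private Credential:
com.ibm.ws.security.token.SingleSignonTokenImpl@5a105a10
""",
}

if __name__ == '__main__':
    results = check_impersonation(SAMPLE_TRACES)
    for f in results:
        print(f)
    print('nodes missing OriginalUserCredential at logout:', nodes_missing_credential(SAMPLE_TRACES and results))
```

To use it on real data, replace SAMPLE_TRACES with the trace.log contents collected from each node. Entries are correlated by thread ID because WebSphere interleaves threads in trace.log; a node that appears in the missing list is one where the subject arrived without the credential, which is the symptom attribute propagation fixes.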

Resolving the problem

Because the OriginalUserCredential is stored in the subject, the subject must be available to every server in the cluster for impersonation to complete successfully when the node changes during an impersonation session. Thus, security attribute propagation must be enabled so that the subject is propagated to all servers in the cluster.




To enable attribute propagation in WebSphere 6.1:
1) Login to the WebSphere Application Server / Deployment Manager.
2) Navigate to Security > Secure administration, applications, and infrastructure > Web security > Single sign-on (SSO)
3) Click the check box next to "Web inbound security attribute propagation"
4) Save changes. Sync nodes.
5) Restart the Deployment Manager, nodeagent(s), and Portal server(s).




To enable attribute propagation in WebSphere 7.0:
1) Login to the Deployment Manager.
2) Navigate to Security > Global security > Web and SIP security > Single sign-on (SSO)
3) Click the check box next to "Web inbound security attribute propagation"
4) Save changes. Sync nodes.
5) Restart the Deployment Manager, nodeagent(s), and Portal server(s).







See Related information for further details on security attribute propagation.


Related information

PM34927: Impersonation in a cluster
Security attribute propagation
Enabling security attribute propagation
Collecting Data: Login for WebSphere Portal 6.1



Document information


More support for:

WebSphere Portal
Security

Software version:

6.1, 7.0, 8.0

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition:

Enable, Extend, Server

Reference #:

1580430

Modified date:

2012-12-07
