IBM Support

Cannot log on to the WebSphere Application Server administrative console after upgrading the IMS Server from 8.1 to 8.2

Troubleshooting


Problem

Cannot log on to the WebSphere Application Server administrative console (Integrated Solutions Console) after upgrading the IMS Server from 8.1 to 8.2.

Cause

In version 8.1, the IMS Server uses the Active Directory Services Interface (ADSI) to connect to enterprise directories.

In version 8.2, the IMS Server uses the virtual member manager (VMM) component for federated repositories.

When you log on to the Integrated Solutions Console, the virtual member manager searches for the user credential on all the configured repositories, including the internal file repository. The authentication fails if the same user ID exists in any of the configured repositories and the internal file repository.

In version 8.2, if the WebSphere Application Server administrator user exists on both a configured Active Directory or LDAP server and an internal file repository, an error occurs, because the virtual member manager component finds the same user in more than one repository.

Resolving The Problem

Disable administrative security

Use the wsadmin command-line tool to disable administrative security.

Procedure

  1. Switch off security by using the wsadmin tool:
    1. In a command prompt, go to <was_home>\bin
    2. Type wsadmin -CONNTYPE none.
    3. In the wsadmin command prompt, type securityoff.
    4. Type exit.
  2. Complete one of the following tasks:
    • For a stand-alone deployment, restart the WebSphere Application Server.
      1. Identify the process ID for the application server process. You can determine the application server process ID by opening the <was_home>\profiles\<appsvr_profile>\logs\<server>\<server>.pid file in a text editor. For example: 2868
      2. Start the Windows Task Manager and click the Processes tab. If the PID column is not displayed, you can enable it. Click View > Select Columns. Select the PID (Process Identifier) check box.
      3. Locate the process ID for the server, and select the associated java.exe process.
      4. Right-click the java.exe process, and click End Process.
      5. Start the application server process. Run <was_home>\profiles\<appsvr_profile>\bin\startServer.bat <server>.
    • For a network deployment, restart the deployment manager.
      1. Identify the process ID for the deployment manager process. You can determine the deployment manager process ID by opening the <was_home>\profiles\<dmgr_profile>\logs\dmgr\dmgr.pid file in a text editor. For example: 1504
      2. Start the Windows Task Manager and click the Processes tab. If the PID column is not displayed, you can enable it. Click View > Select Columns. Select PID (Process Identifier) check box.
      3. Locate the process ID for the deployment manager, and select the associated java.exe process.
      4. Right-click the java.exe process, and click End Process.
      5. Start the deployment manager process. Run <was_home>\profiles\<dmgr_profile>\bin\startManager.bat.
  3. Log on to the administrative console with the WebSphere administrator user ID. For example: wasadmin

Back to top

Change the primary WebSphere administrative account

Procedure

  1. Click Security > Global Security.
  2. Under User account repository, ensure Federated repositories is selected.
  3. Click Configure.
  4. Specify a new primary administrative user name. For example: wasadmin2
    Note: Ensure that the name for the new primary administrative user ID does not exist in any of the configured directory services and is not likely to be created in the future.
  5. Click OK.
  6. Complete the Password and Confirm password fields.
  7. Click OK.
  8. In the Messages box, click Save.
  9. Click Apply.
  10. In the Messages box, click Save.

Back to top

Enable administrative security

Procedure

  1. In the administrative console, click Security > Global Security.
  2. Select the Enable administrative security check box.
  3. Clear the Use Java 2 security to restrict application access to local resources.
  4. Click Apply.
  5. In the Messages box, click Save.

Back to top

Restart the WebSphere Application Server

Procedure

  • To restart the WebSphere Application Server in a stand-alone deployment:
    1. Stop the WebSphere Application Server. Run <was_home>\profiles\<appsrv_profile>\bin\stopServer.bat <server> -username <original_admin_user_ID>
    2. Start the WebSphere Application Server. Run<was_home>\profiles\<appsrv_profile>\bin\startServer.bat <server>
  • To restart the WebSphere Application Server in a network deployment:
    1. Stop the deployment manager.

      Run <was_home>\profiles\<dmgr_profile>\bin\stopManager.bat -username <original_admin_user_ID>

    2. Start the deployment manager.

      Run <was_home>\profiles\<dmgr_profile>\bin\startManager.bat

    3. Restart the nodes and servers one by one:
      1. If node agent and server services are added to Windows Services, change the Startup Type to manual.
      2. Restart the computer.
      3. After the computer is restarted, synchronize the nodes manually with the cell from the command prompt.

        Run <was_home>\profiles\<custom_profile>\bin\syncNode.bat <dmgr_host> <dmgr_soap_connector_port> -username <new_admin_user_ID> -password <new_admin_user_ID_password>

      4. Start the node. Run <was_home>\profiles\<custom_profile>\bin\startNode.bat
      5. Start the server. Run <was_home>\profiles\<custom_profile>\bin\startServer.bat <server>
      6. If the Windows services Startup Type was changed, revert to the original setting.

Back to top

Update the WebConfAdmins group

Procedure

  1. In the WebSphere administrative console, click Users and Groups > Manage Groups.
  2. Search for the group WebConfAdmins.
  3. Click the Members tab.
  4. Click Add Users.
  5. Search for the new primary administrative user ID you created. For example: wasadmin2
  6. Select the user and click Add.
  7. Click Close.

Back to top

Finishing up

After you verify that the process is working, consider completing the following tasks.

Procedure

  1. Remove the previous primary WebSphere administrator account from the WebConfAdmins group.
  2. Delete the previous primary WebSphere administrator account.
  3. Update the application server service configuration.
    Important: If you are using Windows services to manage the starting and stopping of the deployment manager, node agent and application server services, stopping the services from Windows services will no longer work. To resolve the problem, update the services with the correct configuration. See http://www.ibm.com/support/docview.wss?uid=swg21397335.

[{"Product":{"code":"SS9JLE","label":"IBM Security Access Manager for Enterprise Single Sign-On"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"IMS Server","Platform":[{"code":"PF033","label":"Windows"}],"Version":"8.1;8.2","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21584580

Page Feedback