IBM Support

HMGR0149E is issued even with security disabled in ALL nodes

Troubleshooting


Problem

You notice HMGR0149E issued even with security disabled in ALL nodes.

Symptom

HMGR0149E: An attempt to open a connection to core group <Coregroup_Name> has been rejected. The sending process has a name of <Name or IP addr> and an IP address of <IP address>.  Global security in the local process is Disabled. Global security in the sending process is Disabled. The received token starts with ab1c234:56abc7848e4:-8000. The exception is <null>

Cause

The HAManager component will authenticate LTPA tokens when configured over DCS_SECURE, regardless of whether security is enabled or not.

Environment

All WebSphere Application Server environments where DCS_SECURE is configured.

Diagnosing The Problem

If the log shows the above message, and both the sending and local process have global security disabled, you could be running into the issue described in this technote. If one of the processes has global security enabled and the other one disabled, you need to change one of them to match the other to exclude a security mismatch as the potential problem.

Resolving The Problem

Resolve LTPA token mismatch or remove DCS_SECURE setting, and run syncNode.sh from each of the node directories to synchronize the nodes with the Deployment Manager.

LTPA token mismatch

There are several reasons why LTPA tokens can get mismatched. One of the most common ones is that autogeneration of LTPA tokens is enabled, but automatic synchronization is disabled. For more information on how to check those settings see the Knowledge Center articles titled "Disabling automatic generation of Lightweight Third Party Authentication keys" and "File synchronization service settings" for the respective version you are running. Both settings have to either be disabled or enabled.

Another example for a mismatch could be that realms are not set up correctly, or other security related issues. Sometimes the ffdc logs can shed more light on the underlying problem.

DCS_SECURE setting

The DCS_SECURE setting can be removed by changing the Transport chain for the coregroup mentioned in the message.



1. In the administrative console, click Servers > Core groups > Core group settings and select the respective core group

2. Under Transport type > Channel Framework
change the transport chain from DCS_SECURE to DCS

If none of these suggestions resolve the situation, contact IBM support for assistance.

[{"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"High Availability (HA)","Platform":[{"code":"PF025","label":"Platform Independent"},{"code":"PF035","label":"z\/OS"}],"Version":"9.0.0.0;8.5;8.0;7.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
15 June 2018

UID

swg21596835