IBM Support

Security is not correctly configured for cross-cell communication

Troubleshooting


Problem

If WebSphere Application Server security is enabled on both IBM InfoSphere Information Server and IBM InfoSphere Master Data Management, then some specific security configuration is required to enable cross-cell single sign-on.

Symptom

The following are examples of errors that appear in the WebSphere Application Server SystemOut.log file when security is not correctly configured for cross-cell communication:

  • CSIv2Effectiv W JSAS1479W: The target realm [ASBRealm] does not match the current realm [defaultWIMFileBasedRealm]. Specify the target realm in the Trusted target realms field. From the AdminConsole, go to: Security -> Global Security -> RMI/IIOP security -> CSIv2 Outbound Authentication.
  • JSAS1477W: SECURITY CLIENT/SERVER CONFIG MISMATCH: The client security configuration (sas.client.props or outbound settings in GUI) does not support the server security configuration for the following reasons:
    ERROR 1: JSAS0809E: The current OID is RSA but this is not an Admin request.
    ERROR 2: JSAS0603E: The server does not support SSL/TLS, but the client is configured to require it.
  • ERROR - javax.naming.NoPermissionException: NO_PERMISSION exception caught:
    >> SERVER (id=4773e3aa, host=xxxx) TRACE START:
    >> org.omg.CORBA.NO_PERMISSION: Validation of LTPA token failed due to invalid keys or token type. vmcid: 0x49424000 minor code: 300 completed: No


Cause

This issue occurs when security is not correctly configured to enable cross-cell communication between InfoSphere MDM and InfoSphere Information Server.

Resolving The Problem

Complete the following four procedures to ensure that application server security is correctly set to enable cross-cell communication:

  • Enabling cross-cell single sign-on
  • Enabling security attribute propagation
  • Configuring SSL communication
  • Configuring cross realm communication

Note: These procedures assume a scenario where security is enabled for both servers and each server has its own user registry.

Enabling cross-cell single sign-on

1. Export the Lightweight Third Party Authentication (LTPA) key from IBM InfoSphere Information Server:
a. Log in to the WebSphere Application Server administration console on the IBM InfoSphere Information Server machine.
b. Navigate to the Global security > Authentication > LTPA panel.
c. In the Password and Confirm password fields, type your password.
d. In the Key file name field, type the file path and name of the LTPA key.
e. Click Export Keys.
f. Copy the exported key file to the InfoSphere MDM server machine.
g. Click OK.

2. Import the LTPA key to the InfoSphere MDM server:
a. Log in to the WebSphere Application Server administration console on the InfoSphere MDM server machine.
b. Navigate to the Security > Global security > Authentication > LTPA panel.
c. In the Password and Confirm password fields, type the password for the IBM InfoSphere Information Server LTPA key.
d. In the Fully qualified key file name field, type the file path and name of the key file that you exported from IBM InfoSphere Information Server.
e. Click Import keys.
f. Click OK.

Enabling security attribute propagation

1. Log in to the WebSphere Application Server administration console on the InfoSphere MDM server machine.
2. Navigate to Security > Global security > RMI/IIOP security > CSIv2 outbound communications.
3. Select the Propagate security attributes check box.
4. Under Transport layer, change the transport to SSL-supported if it is not already selected.
Note: By default, SSL-required is selected, but in InfoSphere Information Server the inbound transport is configured to TCP/IP only (no SSL). SSL-supported allows both SSL and non-SSL communication between the servers.
5. Click OK to save the settings.
6. Synchronize the nodes.
7. Restart the deployment manager, the node agent, and InfoSphere MDM server.

Configuring SSL communication

1. Log in to the WebSphere Application Server administration console on the InfoSphere MDM server machine.
2. Navigate to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
Note: CellDefaultTrustStore or NodeDefaultTrustStore should be selected according to the server environment settings. For Enterprise Edition, by default the CellDefaultTrustStore is used.
3. Click Retrieve from port and provide the QualityStage server host name, alias name, and port (such as 9043).
4. Click Retrieve signer information to verify the certificate.
5. Click OK to save the settings.
6. Synchronize the nodes.
7. Restart the deployment manager, the node agent, and InfoSphere MDM server.

Configuring cross realm communication

1. Log in to the WebSphere Application Server administration console on the InfoSphere MDM server machine.
2. Navigate to Security > Global security > RMI/IIOP security > CSIv2 outbound communications.
3. Click Trusted authentication realms – outbound.
4. On the Trusted authentication realms – outbound screen, select the Trust realms as indicated below option, then click Add External Realm…
5. Specify ASBRealm as the External realm name, click OK.
6. Click OK to save the settings.
7. Synchronize the nodes.
8. Restart the deployment manager, the node agent, and InfoSphere MDM server.

Note: For information about cross realm communication, see the WebSphere Application Server documentation: http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/topic/com.ibm.websphere.nd.multiplatform.doc/ae/csec_sec_multiple_domains.html


Document Information

Modified date:
16 June 2018

UID

swg21652437