Troubleshooting
Problem
Customer installed a new TDWC 9.1 on the same server where his old TDWC 8.6 FP02 was installed. When running the tdwcUpgrade.sh script to migrate his data from the old TDWC 8.6 to the new TDWC 9.1, it fails with error CTGWA2183E
Symptom
The following error can be found in the preupgrade.log:
CTGWA2129I Start running preupgrade script.
com.ibm.tivoli.tip.upgrade.exceptions.UpgradeException: CTGWA2183E Fail to validate username/password. Please make sure the Tivoli Integrated Portal server is started and username/password is correct.
CTGWA2129I Start running preupgrade script.
com.ibm.tivoli.tip.upgrade.exceptions.UpgradeException: CTGWA2183E Fail to validate username/password. Please make sure the Tivoli Integrated Portal server is started and username/password is correct.
Cause
The TDWC 8.6 configuration in the customer environment is using a customized Trust Association Interceptor and is integrated with WebSeal.
Trust Association Interceptor (TAI) is interfering with this preupgrade script.
Trust Association Interceptor (TAI) is interfering with this preupgrade script.
Environment
Linux
Diagnosing The Problem
1). Check the preupgrade.log for errors like these:
-----------------------------
...
/opt/maestro/TWA/eWAS/profiles/TIPProfile/upgrade/bin/preupgrade.sh
"/opt/maestro/TWA/eWAS/profiles/TIPProfile" --username "maestro" --password ******
CTGWA2129I Start running preupgrade script.
com.ibm.tivoli.tip.upgrade.exceptions.UpgradeException: CTGWA2183E Fail Portal server is started and username/password is correct.
2). Check the systemout.log for TAI errors like these:
CWSPN0009E: SPNEGO Trust Association Interceptor configuration JVM property is false or not set, no further processing will be done..
If you are not using the SPNEGO TAI, you can ignore this message.
[7/23/14 13:53:31:479 CEST] 00000001 E UOW=null
source=com.ibm.ws.security.web.TrustAssociationManager org=IBM prod=WebSphere component=Application Server thread=[main]
-----------------------------
...
/opt/maestro/TWA/eWAS/profiles/TIPProfile/upgrade/bin/preupgrade.sh
"/opt/maestro/TWA/eWAS/profiles/TIPProfile" --username "maestro" --password ******
CTGWA2129I Start running preupgrade script.
com.ibm.tivoli.tip.upgrade.exceptions.UpgradeException: CTGWA2183E Fail Portal server is started and username/password is correct.
2). Check the systemout.log for TAI errors like these:
CWSPN0009E: SPNEGO Trust Association Interceptor configuration JVM property is false or not set, no further processing will be done..
If you are not using the SPNEGO TAI, you can ignore this message.
[7/23/14 13:53:31:479 CEST] 00000001 E UOW=null
source=com.ibm.ws.security.web.TrustAssociationManager org=IBM prod=WebSphere component=Application Server thread=[main]
Resolving The Problem
Migrate TDWC 8.6. Preliminary steps:
The TDWC 8.6 configuration in the customer environment is using a customized Trust Association Interceptor and is integrated with WebSeal.
Removing these integrations allows the upgrade complete successfully.
In detail, the customer could edit the TDWC 8.6 security.xml and perform the following changes (after he created a backup copy of the file):
• Change the enabled value of the TrustAssociation from “true” to “false”:
<trustAssociation xmi:id="TrustAssociation_1" enabled="true">
• Remove the line related to the customer Trust Association Interceptor:
• <interceptors xmi:id="TAInterceptor_1354633176045" interceptorClassName="com.kbc.ed2.websphere.IvUserInterceptor"/>
• Change the lines related to the webSeal SSL Configuration from:
• <setting xmi:id="SecureSocketLayer_TIPNode_1" clientKeyAlias="webseal" serverKeyAlias="webseal" clientAuthentication="false" securityLevel="HIGH" enableCryptoHardwareSupport="false" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS" keyStore="KeyStore_1354633373173" trustStore="KeyStore_1354633373173" trustManager="TrustManager_TIPNode_2 TrustManager_TIPNode_1" keyManager="KeyManager_TIPNode_1">
• <properties xmi:id="Property_1354633415518" name="600" value=""/>
• </setting>
• to:
• <setting xmi:id="SecureSocketLayer_TIPNode_1" clientAuthentication="false" securityLevel="HIGH" enableCryptoHardwareSupport="false" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS" keyStore="KeyStore_TIPNode_1" trustStore="KeyStore_TIPNode_2" trustManager="TrustManager_TIPNode_2 TrustManager_TIPNode_1" keyManager="KeyManager_TIPNode_1"/>
• Change the Authentication mode of the WebContainer from “persisting” to “lazy”
• <webAuthAttrs xmi:id="DescriptiveProperty_8" name="com.ibm.wsspi.security.web.webAuthReq" value="persisting" required="false" type="String" displayNameKey="" nlsRangeKey="" hoverHelpKey="" range="lazy,persisting,always" inclusive="false" firstClass="false"/>
Run the TDWC 8.6 to 9.1 migration as documented
Run the migration procedure as documented in the TDWC 9.1 Manuals. It should complete without errors
Post-migration Steps
Now the customer could re-apply the changes he reverted in the 8.6 instances and that has not been forwarded to the 9.1 instance.
Customer can edit the TDWC 9.1 security.xml file and manually re-apply the changes mentioned in the first chapter.
The TDWC 8.6 configuration in the customer environment is using a customized Trust Association Interceptor and is integrated with WebSeal.
Removing these integrations allows the upgrade complete successfully.
In detail, the customer could edit the TDWC 8.6 security.xml and perform the following changes (after he created a backup copy of the file):
• Change the enabled value of the TrustAssociation from “true” to “false”:
<trustAssociation xmi:id="TrustAssociation_1" enabled="true">
• Remove the line related to the customer Trust Association Interceptor:
• <interceptors xmi:id="TAInterceptor_1354633176045" interceptorClassName="com.kbc.ed2.websphere.IvUserInterceptor"/>
• Change the lines related to the webSeal SSL Configuration from:
• <setting xmi:id="SecureSocketLayer_TIPNode_1" clientKeyAlias="webseal" serverKeyAlias="webseal" clientAuthentication="false" securityLevel="HIGH" enableCryptoHardwareSupport="false" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS" keyStore="KeyStore_1354633373173" trustStore="KeyStore_1354633373173" trustManager="TrustManager_TIPNode_2 TrustManager_TIPNode_1" keyManager="KeyManager_TIPNode_1">
• <properties xmi:id="Property_1354633415518" name="600" value=""/>
• </setting>
• to:
• <setting xmi:id="SecureSocketLayer_TIPNode_1" clientAuthentication="false" securityLevel="HIGH" enableCryptoHardwareSupport="false" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS" keyStore="KeyStore_TIPNode_1" trustStore="KeyStore_TIPNode_2" trustManager="TrustManager_TIPNode_2 TrustManager_TIPNode_1" keyManager="KeyManager_TIPNode_1"/>
• Change the Authentication mode of the WebContainer from “persisting” to “lazy”
• <webAuthAttrs xmi:id="DescriptiveProperty_8" name="com.ibm.wsspi.security.web.webAuthReq" value="persisting" required="false" type="String" displayNameKey="" nlsRangeKey="" hoverHelpKey="" range="lazy,persisting,always" inclusive="false" firstClass="false"/>
Run the TDWC 8.6 to 9.1 migration as documented
Run the migration procedure as documented in the TDWC 9.1 Manuals. It should complete without errors
Post-migration Steps
Now the customer could re-apply the changes he reverted in the 8.6 instances and that has not been forwarded to the 9.1 instance.
Customer can edit the TDWC 9.1 security.xml file and manually re-apply the changes mentioned in the first chapter.
[{"Product":{"code":"SSGSPN","label":"IBM Workload Scheduler"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"}],"Version":"8.6;9.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Was this topic helpful?
Document Information
Modified date:
19 April 2019
UID
swg21691416