Security configuration and enablement errors

Use this information to troubleshoot problems with configuring or enabling security.

Note: This topic references one or more of the application server log files. As a recommended alternative, you can configure the server to use the High Performance Extensible Logging (HPEL) log and trace infrastructure instead of using SystemOut.log , SystemErr.log, trace.log, and activity.log files on distributed and IBM® i systems. You can also use HPEL in conjunction with your native z/OS® logging facilities. If you are using HPEL, you can access all of your log and trace information using the LogViewer command-line tool from your server profile bin directory. See the information about using HPEL to troubleshoot applications for more information on using HPEL.

What kind of error are you seeing?

LTPA password not set. validation failed error message
The setupClient.bat or setupClient.sh file is not working correctly
Java HotSpot Server VM warning
If you successfully configured security, but are now having problems accessing web resources or the administrative console, refer to Errors or access problems after enabling security.
NMSV0610I: A NamingException is being thrown from a javax.naming.Context implementation
Performance servlet displays authorization errors and cannot provide statistics
Name value is invalid displays when migrating users and groups after the JACC provider for Tivoli is configured
Sun JDK can not read a PKCS12 keystore created by the Application Server
Calling a secure resource from a non-secure resource is not supported

[AIX Solaris HP-UX Linux Windows] [IBM i] For general tips on diagnosing and resolving security-related problems, see the topic Troubleshooting the security component.

`LTPA password not set. validation failed` error message

LTPA password not set. validation failed message displayed as error in the administrative console after saving administrative or application security settings

This error can be caused if, when configuring WebSphere Application Server security, LTPA is selected as the authentication mechanism and the LTPA password field is not set. To resolve this problem:

Select Security > Global security > Authentication mechanisms and expiration > LTPA.
Complete the password and confirm password fields.
Click OK.
Try setting administrative or application security again.

The setupClient.bat or setupClient.sh file is not working correctly

The setupClient.bat file on Windows operating systems and the setupClient.sh file on Linux® and UNIX-based platforms incorrectly specify the location of the SOAP security properties file.

In the setupClient.bat file, the correct location is:

set CLIENTSOAP=-Dcom.ibm.SOAP.ConfigURL=file:%WAS_HOME%/properties/soap.client.props

In the setupClient.sh file, the CLIENTSOAP variable is:

CLIENTSOAP=-Dcom.ibm.SOAP.ConfigURL=file:$WAS_HOME/properties/soap.client.props

In the setupClient.bat and the setupClient.sh files, complete the following steps:

Remove the leading slash ( / ) after file:.
Change sas to soap.

Java HotSpot Server VM warning

After you enable security on HP-UX 11i platforms, the following error in the native_stdout.log file occurs, along with a core dump and WebSphere Application Server does not start:

Java HotSpot(TM) Server VM warning: 
Unexpected Signal 11 occurred under user-defined signal handler 0x7895710a

To work around this error, apply the fixes recommended by Hewlett Packard for Java™ from the Hewlett Packard support site at the following URL: https://www.hp.com.

For current information available from IBM Support on known problems and their resolution, see the IBM Support page.

IBM Support has documents that can save you time gathering information needed to resolve this problem. Before opening a PMR, see the IBM Support page.

NMSV0610I: A NamingException is being thrown from a javax.naming.Context implementation

If you use CSIv2 inbound authentication, basic authentication is required, and Java clients running with com.ibm.CORBA.validateBasicAuth=true might fail with the following exception:

If you use CSIv2 inbound authentication, basic authentication is required, and Java™ 
clients running with com.ibm.CORBA.validateBasicAuth=true might fail with the 
following exception:

NMSV0610I: A NamingException is being thrown from a javax.naming.Context 
           implementation. Details follow:

Context implementation: com.ibm.ws.naming.jndicos.CNContextImpl
Context method: lookupExt
Context name: TestaburgerNode01Cell/nodes/TestaburgerNode01/servers/server1
Target name: SecurityServer
Other data: "" ""
Exception stack trace: javax.naming.NoPermissionException: NO_PERMISSION 
exception caught. Root exception is org.omg.CORBA.NO_PERMISSION: 
vmcid: 0x49421000 minor code: 92 completed: No
...
SECJ0395E: Could not locate the SecurityServer at host/port:9.42.72.27/9100 
to validate the userid and password entered. You may need to specify valid 
securityServerHost/Port in (WAS_INSTALL_ROOT)/properties/sas.client.props file.

To fix this problem, modify the com.ibm.CORBA.validateBasicAuth=false property in the client's sas.clients.props file, which is located in WAS_HOME/profiles/<profile-name>/properties, and then run the client.

Performance servlet displays authorization errors and cannot provide statistics

In WebSphere Application Server Version 6.1, when administrative security is enabled, the administration service is locked down. However, if application security is not enabled, an authentication challenge does not occur for incoming requests and, consequently, credentials do not exist for the performance servlet to access the administration service.

If administrative security is enabled, you also must enable application security for the performance servlet to process incoming requests.

`Name value is invalid` displays when migrating users and groups after the JACC provider for Tivoli is configured

[AIX Solaris HP-UX Linux Windows] [IBM i] When you use the migrateEAR utility to migrate the changes that were made to console users and groups after the JACC provider for Tivoli® Access Manager is configured, the following configuration error displays in the systemOut.log file.

[z/OS] When you use the migrateEAR utility to migrate the changes that were made to console users and groups after the JACC provider for Tivoli Access Manager is configured, the following configuration error displays in the appropriate output of the job log file.

<specialSubjects> name value is invalid

Note: Because the SystemOut log file does not exist on the z/OS operating system, check the output of the appropriate job log on the z/OS operating system.

The migrateEAR utility migrates the user and group data that is contained in the admin-authz.xml file. However, the migrateEAR utility does not convert the XML tags that are listed in the admin-authz.xml file if the pdwas-admin group is added to the administrator access control list (ACL) in Tivoli Access Manager prior to migration.

To resolve this error, enter the following command in padadmin to check whether the pdwas-admin group is in the administrator ACL before you migrate:

acl show
_WebAppServer_deployedResources_Roles_administrator_admin-authz_ACL

The following result should display:

ACL Name:
_WebAppServer_deployedResources_Roles_administrator_admin-authz_ACL
Description: Created by the Tivoli Access Manager
for Websphere Application Server Migration Tool.
Entries:
User sec_master TcmdbsvaBR1
Group pdwas-admin T[WebAppServer]i

If the pdwas-admin group is not listed, then enter the following command in pdadmin to modify the ACL to add the pdwas-admin group:

acl modify 
_WebAppServer_deployedResources_Roles_administrator_admin
-authz_ACL set gruop pdwas-admin T [WebAppServer]i

Sun JDK can not read a PKCS12 keystore created by the Application Server

A Sun JDK is not able to read a PKCS12 keystore created by the Application Server. The reason for this is that the PKCS12 implementation used by the IBM SDK and the Application Server is different than the implementation used by the Sun JDK. The difference causes problems when a Sun JDK is used to read the default trustore, trust.p12, or keystore, key.P12 created by the Application Server.

Because the truststore can not be read by the Sun JDK, you must first extract the certificates from the trustore using an IBM SDK. You can then import these certificates into a keystore that the Sun JDK can recognize correctly, such as a JKS keystore.

Calling a secure resource from a non-secure resource is not supported

If you have a non-secure resource (such as a JSP or a servlet) that calls a secure resource, the application might fail if the non-secure resource collects data from users and then posts this data to secure JSP or servlet files for processing.

To avoid this situation, structure your web application so that users are forced to login before the application performs any HTTP POST actions to the secure JSP or servlet files. To accomplish this, secure the first resource using whatever security mechanism that you choose (such as basic auth, form-login or cert).

This restriction is because basic auth and form-login use the servlet sendRedirect method, which has several implications for the user. The sendRedirect method is used twice during basic auth and form-login.

The sendRedirect method initially displays the basic auth or form-login page in the web browser. It later redirects the web browser back to the originally requested protected page. The sendRedirect(String URL) method tells the web browser to use the HTTP GET request to access the page that is specified in the web address. If HTTP POST is the first request to a protected JSP or servlet file, and no previous authentication or login occurred, then HTTP POST is not delivered to the requested page. However, HTTP GET is delivered because basic auth and form-login use the sendRedirect method, which behaves as an HTTP GET request which attempts to display a requested page after a login occurs.