ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/trb/trbsecurity.htm

102 lines
5.9 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Troubleshoot: Security</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h3>Troubleshoot: Security</h3>
<p>Use these resources to determine the cause of problems that occur when using
the application server security.</p>
<ul>
<li>
<p>Check the application server standard output and standard error log files.
See <a href="trblogs.htm">WebSphere Application Server - Express log files</a> for
more information.</p>
</li>
<li>
<p>When troubleshooting security-related problems, consider the following:</p>
<p><strong>Does the problem occur when security is disabled?</strong> <br>
The problem may be a result of the enablement of security. More troubleshooting
is necessary to ensure the problem is security related. </p>
<p><strong>Did security appear to initialize properly?</strong> <br>
The following sequence of messages generated in the SystemOut.log indicate
normal code initialization of an application server. This varies based
on the configuration, but the message are similar: </p>
<pre>SASRas A JSAS0001I: Security configuration initialized.
SASRas A JSAS0002I: Authentication protocol: CSIV2/IBM
SASRas A JSAS0003I: Authentication mechanism: SWAM
SASRas A JSAS0004I: Principle name: BIRKt20/pbirk
SASRas A JSAS0005I: SecurityCurrent registered.
SASRas A JSAS0006I: Security connection interceptor initialized.
SASRas A JSAS0007I: Client request interceptor registered.
SASRas A JSAS0008I: Server request interceptor registered.
SASRas A JSAS0009I: IOR interceptor registered.
NameServerIMP I NMSV0720I: Do Security service listener registration.
SecurityCompo A SECJ0242A: Security service is starting
UserRegistryI A SECJ0136I:
Custom Registry:com.IBM.ws.security.registry.nt.NTLocalDomainRegistryIm
has been initialized
SecurityCompo A SECJ0202A: Admin application initialized successfully
SecurityCompo A SECJ0203A: Naming application initialized successfully
SecurityCompo A SECJ0204A: Rolebased authorizer initialized successfully
SecurityCompo A SECJ0205A: Security Admin mBean registered successfully
SecurityCompo A SECJ0243A: Security service started successfully
SecurityCompo A SECJ0210A: Security enabled true
</pre>
<p><strong>Is there a stack trace or exception printed in the SystemOut.log?</strong> <br>
The stack trace will log any code incorrectly initialized, failing components,
and the failing class. </p>
<p><strong>Is this a distributed security problem or a local security problem?</strong></p>
<ul>
<li>
<p>If the problem is local, the code involved does not make a remote
method invocation, then troubleshooting is isolated to a single process.
It is important to know when a problem is local or distributed since
the behavior of the Object Request Broker (ORB), among other components,
is different between the two.</p>
</li>
<li>
<p>Once a remote method invocation takes place, a different security
code path is entered. When you know the problem involves two or more
servers, check the log files of all servers involved. If possible,
make sure the timestamps on all machines match as closely as possible
to identify request and reply pairs from two different processes easier.</p>
</li>
</ul>
<p><strong>Is the problem related to authentication or authorization?</strong> <br>
Most security problems fall under one of these two categories. Authentication
is the process of determining who the caller is. Authorization is the
process of validating that the caller has the proper authority to invoke
the requested method. When authentications fails, typically this is related
to either the authentication protocol, authentication mechanism, or user
registry. When authorization fails, this is usually related to the application
bindings from assembly or deployment and to the identity of the caller
who is accessing the method and the roles required by the method. </p>
<p><STRONG>Does the problem seem to be related SSL?</STRONG> <br>
The Secure Socket Layer (SSL) is a separate layer of security. Troubleshooting
SSL is differant than troubleshooting authentication and authorization
problems. SSL errors are often caused by incorrect configurations. Each
keystore used by a client must contain the certificate of the Certificate
Authority (CA) that signed the certificate used by the server. During
mutal authentication, the server requires the client to present a cerfticate
for authorization. Each server keystore must contain the certificate
of the CA that signed the certificate presented by the client. Another
common error are configurations where the client and the server do not
have common configured SSL cipher suites.</p>
<p><strong>Is the problem related to Java 2 Security? </strong> <br>
If Java 2 Security is enabled, deployers and administrators are required
to make sure that all applications are granted required permissions,
otherwise, applications may fail to run.</p>
</li>
<li>Read the release notes. See <a href="http://www-1.ibm.com/servers/eserver/iseries/software/websphere/wsappserver/express/docs/relnotesexp50.html" target="_new">WebSphere
Application Server - Express Release Notes</a> <img src="www.gif" width="18" height="15" alt="Link outside Information Center" border="0"> for
more information.</li>
</ul>
</body>
</html>