334 lines
18 KiB
HTML
334 lines
18 KiB
HTML
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
|
<html>
|
||
|
<head>
|
||
|
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||
|
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
|
||
|
|
||
|
<title>Troubleshoot: Enabling security</title>
|
||
|
</head>
|
||
|
<BODY>
|
||
|
<!-- Java sync-link -->
|
||
|
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
|
||
|
<h4><a name="trbsecprobs2"></a>Troubleshoot: Enabling security</h4>
|
||
|
|
||
|
<p>What kind of errors are you seeing?</p>
|
||
|
<ul>
|
||
|
<li><a href="#authenterr">Authentication error accessing
|
||
|
a Web page</a></li>
|
||
|
<li><a href="#authorerr">Authorization error accessing
|
||
|
a Web page</a></li>
|
||
|
<li><a href="#secj0314e">Error Message: SECJ0314E:
|
||
|
Current Java 2 security policy reported a potential violation</a></li>
|
||
|
<li><a href="#msgs0508e">MSGS0508E: The JMS Server
|
||
|
security service was unable to authenticate user ID: error displayed
|
||
|
in SystemOut.log when starting an application server</a></li>
|
||
|
<li><a href="#secj0237e">Error Message: SECJ0237E:
|
||
|
One or more vital LTPAServerObject configuration attributes are null or not
|
||
|
available after enabling security and starting the application server.</a></li>
|
||
|
<li><a href="#acexcep">An
|
||
|
AccessControlException is reported in the SystemOut.log.</a></li>
|
||
|
<li><a href="#secj0336e">Error Message: SECJ0336E:
|
||
|
Authentication failed for user {0} because of the following exception {1}</a></li>
|
||
|
</ul>
|
||
|
|
||
|
<p>For general tips on diagnosing and resolving
|
||
|
security-related problems, see <a href="trbsecurity.htm">Troubleshoot: Security</a>.</p>
|
||
|
|
||
|
<p>If you do not see a problem that resembles
|
||
|
yours, or if the information provided does not solve your problem, see <a href="../intro/support.htm">Get support for WebSphere Application Server - Express</a> in the <em>Overview</em> topic for more information.</p>
|
||
|
|
||
|
<p><a name="authenterr"></a><b>Authentication error accessing a Web page</b></p>
|
||
|
|
||
|
<p>Possible causes for authentication errors include:</p>
|
||
|
|
||
|
<ul>
|
||
|
<li><strong>Incorrect user name or passwords.</strong> Check the user name and password
|
||
|
and make sure they are correct.</li>
|
||
|
<li><strong>Security configuration error : User registry type is not set correctly.</strong> Check the user registry property in global security settings in the administrative
|
||
|
console. Verify that it is the intended user registry.</li>
|
||
|
<li><strong>Internal program error.</strong> If the client application is a Java standalone
|
||
|
program, this program might not gather or send credential information correctly.</li>
|
||
|
</ul>
|
||
|
|
||
|
<p>If the user registry configuration,
|
||
|
user ID, and password appear correct, use the WebSphere Application Server - Express trace function to determine the cause of the problem. To enable security trace, use the
|
||
|
<strong>com.ibm.ws.security.*=all=enabled</strong> trace
|
||
|
specification. See <a href="trbappsrvtrace.htm">Use the WebSphere Application Server - Express trace service</a> for more information.</p>
|
||
|
|
||
|
<p><a name="authorerr"></a><b>Authorization error accessing a Web page</b></p>
|
||
|
|
||
|
<p>If a user who should have access to a resource does not, there is probably a
|
||
|
missing configuration step. Review <a href="../sec/seccfg.htm">Configure WebSphere security</a> in the <em>Security</em> topic for more information.</p>
|
||
|
<p>Make sure to check the following:</p>
|
||
|
<ul>
|
||
|
<li>Check required roles for the accessed Web resource.</li>
|
||
|
<li>Check the authorization table to make sure that the user, or the groups
|
||
|
to which the user belongs, is assigned to one of the required roles.</li>
|
||
|
<li>View required roles for the Web resource in the deployment descriptor
|
||
|
of the Web resource.</li>
|
||
|
<li>View the authorization table for the application that contains the Web
|
||
|
resource, using the administrative console.</li>
|
||
|
<li>Test with a user who is granted the required roles, to see if the user
|
||
|
can access the problem resources.</li>
|
||
|
<li>If the problem user is required to have one or more of the required roles,
|
||
|
use the administrative console to assign that user to required roles. Then
|
||
|
stop and restart the application.</li>
|
||
|
</ul>
|
||
|
|
||
|
<p>If the user is granted required
|
||
|
roles, but still fails to access the secured resources, enable security trace, using <strong>com.ibm.ws.security.*=all=enabled</strong> as
|
||
|
the trace specification. Collect trace information for further resolution. See <a href="trbappsrvtrace.htm">Use the WebSphere Application Server - Express trace service</a> for more information.</p>
|
||
|
|
||
|
<p><a name="secj0314e"></a><b>Error Message: SECJ0314E: Current Java
|
||
|
2 security policy reported a potential violation on server </b></p>
|
||
|
|
||
|
<p>If you find errors on your server similar to:</p>
|
||
|
<pre>Error Message: SECJ0314E: Current Java 2 Security policy reported
|
||
|
a potential violation of Java 2 Security Permission.
|
||
|
Please refer to Problem Determination Guide for further information.
|
||
|
{0}Permission\:{1}Code\:{2}{3}Stack Trace\:{4}Code Base Location\:{5}
|
||
|
</pre>
|
||
|
<p>The Java security manager <tt>checkPermission()</tt> method has
|
||
|
reported an exception, <tt>SecurityException</tt>.</p>
|
||
|
|
||
|
<p><strong>The reported exception might be critical to the secure system.</strong> Turn on security trace to determine the potential code that might have violated the security policy. Once the violating code is determined, verify if the attempted operation
|
||
|
is permitted with respect to Java 2 Security, by examining all applicable
|
||
|
Java 2 security policy files and the application code.</p>
|
||
|
|
||
|
<p>A more detailed report is enabled by either configuring RAS trace into debug mode, or
|
||
|
specifying a Java property.</p>
|
||
|
<ul>
|
||
|
<li>Check the trace enabling section for instructions on how to configure
|
||
|
RAS trace into debug mode.</li>
|
||
|
<li>In the administrative console, expand <strong>Application Servers --> <em>server
|
||
|
name</em> --> ProcessDefinition --> Java Virtual Machine</strong> in the <strong>Generic JVM arguments</strong> panel.<ul>
|
||
|
<li>Add the run-time flag <strong>java.security.debug</strong>.</li>
|
||
|
<li>Valid values: <dl><dt><strong>access</strong></dt><dd>Print all debug information including: required permission, code, stack,
|
||
|
and code base location.</dd><dt><strong>stack</strong></dt><dd>Print debug information including: required permission, code, and stack.</dd><dt><strong>failure</strong></dt><dd>Print debug information including: required permission and code.</dd></dl></li>
|
||
|
</ul>
|
||
|
</li>
|
||
|
</ul>
|
||
|
|
||
|
<p>For a review of Java security policies and what they mean, see
|
||
|
the Java 2 Security documentation at <a target="_blank" href="http://java.sun.com/j2se/1.3/docs/guide/security/index.html">http://java.sun.com/j2se/1.3/docs/guide/security/index.html</a> <img src="www.gif" width="18" height="15" alt="Link outside Information Center" border="0">.</p>
|
||
|
|
||
|
<p><strong>Tip:</strong> If
|
||
|
the application is running with a Java Mail API, this message might be benign.
|
||
|
You can update the /QIBM/UserData/WebASE51/ASE/<em>instance</em>/
|
||
|
installedApps/META-INF/was.policy file to grant the following permissions to the application:</p>
|
||
|
<ul>
|
||
|
<li><samp>permission java.io.FilePermission "${user.home}${/}.mailcap", "read"; </samp></li>
|
||
|
<li><samp>permission java.io.FilePermission "${user.home}${/}.mime.types", "read"; </samp></li>
|
||
|
<li><samp>permission java.io.FilePermission "${java.home}${/}lib${/}mailcap",
|
||
|
"read"; </samp></li>
|
||
|
<li><samp>permission java.io.FilePermission "${java.home}${/}lib${/}mime.types",
|
||
|
"read"; </samp></li>
|
||
|
</ul>
|
||
|
|
||
|
<p><a name="msgs0508e"></a><b>Error message: MSGS0508E: The JMS Server
|
||
|
security service was unable to authenticate user ID:" error displayed in SystemOut.log
|
||
|
when starting an application server</b></p>
|
||
|
|
||
|
<p>This error can result from installing the JMS messaging API sample and then enabling
|
||
|
security. You can follow the instructions in the Configure and Run page of the
|
||
|
corresponding JMS sample documentation to configure the sample to work with WebSphere
|
||
|
Application Server - Express security.</p>
|
||
|
|
||
|
<p><a name="secj0237e"></a><b>Error message: SECJ0237E: One or more
|
||
|
vital LTPAServerObject configuration attributes are null or not available after
|
||
|
enabling security and starting the application server.</b></p>
|
||
|
|
||
|
<p>This error message can result from selecting LTPA as the authentication mechanism, but
|
||
|
not generating the LTPA keys. The LTPA keys encrypt the LTPA token.</p>
|
||
|
|
||
|
<p>To resolve this problem:</p>
|
||
|
<ol>
|
||
|
<li>Click <strong>System Administration --> Console users --> LTPA</strong></li>
|
||
|
<li>Enter a password, which can be anything.</li>
|
||
|
<li>Enter the same password in <strong>Confirm Password</strong>.</li>
|
||
|
<li>Click <strong>Apply</strong>.</li>
|
||
|
<li>Click <strong>Generate Keys</strong>.</li>
|
||
|
<li>Click on <strong>Save</strong>.</li>
|
||
|
</ol>
|
||
|
|
||
|
<p><a name="acexcep"></a><b>The
|
||
|
exception AccessControlException, is reported in the SystemOut.log</b></p>
|
||
|
|
||
|
<p>The problem is related to the Java 2 Security feature of WebSphere Application
|
||
|
Server - Express, the API-level security framework that is implemented in WebSphere
|
||
|
Application Server - Express Version 5. An exception similar to the following example
|
||
|
displays. The error message and number can vary.</p>
|
||
|
<pre>
|
||
|
E SRVE0020E: [Servlet Error]-[validator]: Failed to load servlet:
|
||
|
java.security.AccessControlException:
|
||
|
access denied (java.io.FilePermission
|
||
|
/QIBM/UserData/WebASE51/ASE/<em>instance</em>/installedApps/maeda/
|
||
|
adminconsole.ear/adminconsole.war/
|
||
|
WEB-INF/validation.xml read)
|
||
|
</pre>
|
||
|
|
||
|
<p>For an explanation of Java 2 security, how and why to enable or disable
|
||
|
it, how it relates to policy files, and how to edit policy files, see <a href="../sec/seccj2.htm">Configure Java 2 security</a> in
|
||
|
the <em>Security</em> topic. The topic explains that Java 2 security
|
||
|
is not only used by this product, but developers can also implement it for
|
||
|
their business applications. Administrators might need to involve developers,
|
||
|
if this exception is thrown when a client tries to access a resource hosted
|
||
|
by WebSphere Application Server - Express.</p>
|
||
|
|
||
|
<p>Possible causes of these errors include:</p>
|
||
|
<ul>
|
||
|
<li>Syntax errors in a policy file.</li>
|
||
|
<li>Syntax errors in permission specifications in the ra.xml file
|
||
|
bundled in a .rar file. This case applies to resource
|
||
|
adapters that support connector access to CICS or other resources.</li>
|
||
|
<li>An application is missing the specified permission in a policy file, or
|
||
|
in permission specifications in an ra.xml file bundled
|
||
|
in a .rar file </li>
|
||
|
<li>The class path is not set correctly, preventing the permissions for the resource.xml
|
||
|
file for SPI from being correctly created.</li>
|
||
|
<li>A library called by an application, or the application, is missing a doPrivileged
|
||
|
block to support access to a resource. </li>
|
||
|
<li>Permission is specified in the wrong policy file.</li>
|
||
|
</ul>
|
||
|
|
||
|
<p>To resolve these problems:</p>
|
||
|
<ul>
|
||
|
<li>Check all of the related policy files to verify that the permission shown
|
||
|
in the exception, for example java.io.FilePermission, is specified.</li>
|
||
|
<li>Look for a related ParserException in the SystemOut.log file
|
||
|
which reports the details of the syntax error. For example:
|
||
|
<pre>SECJ0189E: Caught ParserException while creating template
|
||
|
for application policy
|
||
|
/QIBM/UserData/WebASE51/ASE/<em>instance</em>/config/cells/<em>server</em>/
|
||
|
nodes/<em>server</em>/app.policy.
|
||
|
The exception is com.ibm.ws.security.util.ParserException: line 18: expected
|
||
|
';', found 'grant'
|
||
|
</pre>
|
||
|
</li>
|
||
|
<li>Look for a message similar to: SECJ0325W: The permission <strong>permission</strong>
|
||
|
specified in the policy file is unresolved.</li>
|
||
|
<li><P>Check the call stack to determine which method does not have the permission.
|
||
|
Identify the class path of this method. If it is hard to identify the method,
|
||
|
enable the Java2 security Report.</P>
|
||
|
<ul>
|
||
|
<li><P>Configuring RAS trace by specifying com.ibm.ws.security.core.*=all=enabled,
|
||
|
or specifying a Java <strong>property.java.security.debug</strong> property. See <a href="trbappsrvtrace.htm">Use the WebSphere Application Server - Express trace service</a> for more information. Valid values for the <strong>java.security.debug</strong> property are:</p>
|
||
|
<dl><dt><strong>access</strong></dt><dd>Print all debug information including: required permission, code, stack,
|
||
|
and code base location.</dd><dt><strong>stack</strong></dt><dd>Print debug information including: required permission, code, and stack.</dd><dt><strong>failure</strong></dt><dd>Print debug information including: required permission and code.</dd></dl></li>
|
||
|
<li><p>The report shows:</p>
|
||
|
<dl><dt><strong>Permission</strong></dt><dd>the missing permission.</dd><dt><strong>Code</strong></dt><dd>which method has the problem.</dd><dt><strong> Stack Trace</strong></dt><dd>where the access violation occurred.</dd><dt><strong>CodeBaseLocation</strong></dt><dd>the detail of each stack frame.</dd></dl>
|
||
|
<p>Usually, Permission and Code are enough to identify the
|
||
|
problem. The following example illustrates a report:</p>
|
||
|
<pre>
|
||
|
Permission:
|
||
|
/QIBM/UserData/WebASE51/ASE/<em>instance</em>/logs/server1/
|
||
|
SystemOut_02.08.20_11.19.53.log
|
||
|
:
|
||
|
access denied (java.io.FilePermission
|
||
|
/QIBM/UserData/WebASE51/ASE/<em>instance</em>/logs/server1/
|
||
|
SystemOut_02.08.20_11.19.53.log
|
||
|
delete)
|
||
|
|
||
|
Code:
|
||
|
com.ibm.ejs.ras.RasTestHelper$7 in
|
||
|
{file:/QIBM/UserData/WebASE51/ASE/<em>instance</em>/installedApps/
|
||
|
maeda/JrasFVTApp.ear/RasLib.jar
|
||
|
}
|
||
|
|
||
|
Stack Trace:
|
||
|
|
||
|
java.security.AccessControlException: access denied (java.io.FilePermission
|
||
|
/QIBM/UserData/WebASE51/ASE/<em>instance</em>/logs/server1/
|
||
|
SystemOut_02.08.20_11.19.53.log delete
|
||
|
)
|
||
|
at java.security.AccessControlContext.checkPermission
|
||
|
(AccessControlContext.java(Compiled Code))
|
||
|
at java.security.AccessController.checkPermission
|
||
|
(AccessController.java(Compiled Code))
|
||
|
at java.lang.SecurityManager.checkPermission
|
||
|
(SecurityManager.java(Compiled Code))
|
||
|
.
|
||
|
Code Base Location:
|
||
|
|
||
|
com.ibm.ws.security.core.SecurityManager :
|
||
|
file:/QIBM/ProdData/WebASE51/ASE/lib/securityimpl.jar
|
||
|
|
||
|
ClassLoader: com.ibm.ws.bootstrap.ExtClassLoader
|
||
|
Permissions granted to CodeSource
|
||
|
(file:/QIBM/ProdData/WebASE51/ASE/lib/securityimpl.jar <no certificates>
|
||
|
|
||
|
{
|
||
|
(java.util.PropertyPermission java.vendor read);
|
||
|
(java.util.PropertyPermission java.specification.version read);
|
||
|
(java.util.PropertyPermission line.separator read);
|
||
|
(java.util.PropertyPermission java.class.version read);
|
||
|
(java.util.PropertyPermission java.specification.name read);
|
||
|
(java.util.PropertyPermission java.vendor.url read);
|
||
|
(java.util.PropertyPermission java.vm.version read);
|
||
|
(java.util.PropertyPermission os.name read);
|
||
|
(java.util.PropertyPermission os.arch read);
|
||
|
}
|
||
|
( This list continues.)
|
||
|
</pre>
|
||
|
|
||
|
</li>
|
||
|
</ul></li>
|
||
|
<li>If the method is SPI, check the resources.xml file
|
||
|
to ensure that the class path is correct.</li>
|
||
|
<li>To confirm that all of the policy files are loaded correctly, or what
|
||
|
permission each class path is granted, enable the trace with <strong>com.ibm.ws.security.policy.*=all=enabled</strong>.
|
||
|
All loaded permissions are listed in the trace.log file.
|
||
|
Search for the app.policy, was.policy and ra.xml files.
|
||
|
To check the permission list for a class path, search for <strong>Effective
|
||
|
Policy for classpath</strong>.</li>
|
||
|
<li>If there are any syntax errors in the policy file or ra.xml file,
|
||
|
correct them with the policy tool. Avoid editing the policy manually, because syntax errors can result. For more information, see <a href="../sec/seccupol.htm">Create and edit policy files with the policy tool</a> in the <em>Security</em> topic.</li>
|
||
|
<li>If a permission is listed as <strong>Unresolved</strong>, it does not
|
||
|
take effect. Verify that the specified permission name is correct.</li>
|
||
|
<li>If the class path specified in the resource.xml file
|
||
|
is not correct, correct it.</li>
|
||
|
<li>If a required permission does not exist in either the policy files or
|
||
|
the ra.xml file, examine the application code to see
|
||
|
if you need to add this permission. If so, add it to the proper policy file
|
||
|
or ra.xml file.</li>
|
||
|
<li>If the permission should not be granted outside of the specific method
|
||
|
that is accessing this resource, modify the code needs to use a doPrivileged
|
||
|
block. </li>
|
||
|
<li>If this permission does exist in a policy file or a ra.xml file
|
||
|
and they were loaded correctly, but the class path still does not have the
|
||
|
permission in its list, the location of the permission might not be correct.
|
||
|
See <a href="../sec/seccj2.htm">Configure Java 2 Security</a> in
|
||
|
the <em>Security</em> topic to determine in which policy file
|
||
|
or ra.xml file that permission should be specified.</li>
|
||
|
</ul>
|
||
|
|
||
|
<p><strong>Tip:</strong> If the application is running with the Java Mail API,
|
||
|
you can update the /QIBM/UserData/WebASE51/ASE/<em>instance</em>/installedApps/<em>server</em>/<em>application.ear</em>/META-INF/was.policy file to grant the following permissions to the application:</p>
|
||
|
<ul>
|
||
|
<li><tt>permission java.io.FilePermission "${user.home}${/}.mailcap", "read"; </tt></li>
|
||
|
<li><tt>permission java.io.FilePermission "${user.home}${/}.mime.types", "read"; </tt></li>
|
||
|
<li><tt>permission java.io.FilePermission "${java.home}${/}lib${/}mailcap",
|
||
|
"read"; </tt></li>
|
||
|
<li><tt>permission java.io.FilePermission "${java.home}${/}lib${/}mime.types",
|
||
|
"read"; </tt></li>
|
||
|
</ul>
|
||
|
|
||
|
<p><a name="secj0336e"></a><b>Error Message: SECJ0336E: Authentication
|
||
|
failed for user {0} because of the following exception {1}</b></p>
|
||
|
|
||
|
<p>This error message results if the user ID indicated is not found in the LDAP user
|
||
|
registry. To resolve this problem:</p>
|
||
|
<ol>
|
||
|
<li>Verify that your user ID and password are correct.</li>
|
||
|
<li>Verify that the user ID exists in the registry.</li>
|
||
|
<li>Verify that the base distinguished name (DN) is correct.</li>
|
||
|
<li>Verify that the user filter is correct.</li>
|
||
|
<li>Verify that the bind DN and the password for the bind DN are correct.
|
||
|
If the bind DN and password are not specified, add the missing information
|
||
|
and retry.</li>
|
||
|
<li>Verify that the host name and LDAP type are correct.</li>
|
||
|
</ol>
|
||
|
<p>Consult with the administrator of the user registry if the problem persists.</p>
|
||
|
</body>
|
||
|
</html>
|