ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/trb/trbsecprobs2.htm

334 lines
18 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Troubleshoot: Enabling security</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h4><a name="trbsecprobs2"></a>Troubleshoot: Enabling security</h4>
<p>What kind of errors are you seeing?</p>
<ul>
<li><a href="#authenterr">Authentication error accessing
a Web page</a></li>
<li><a href="#authorerr">Authorization error accessing
a Web page</a></li>
<li><a href="#secj0314e">Error Message: SECJ0314E:
Current Java 2 security policy reported a potential violation</a></li>
<li><a href="#msgs0508e">MSGS0508E: The JMS Server
security service was unable to authenticate user ID: error displayed
in SystemOut.log when starting an application server</a></li>
<li><a href="#secj0237e">Error Message: SECJ0237E:
One or more vital LTPAServerObject configuration attributes are null or not
available after enabling security and starting the application server.</a></li>
<li><a href="#acexcep">An
AccessControlException is reported in the SystemOut.log.</a></li>
<li><a href="#secj0336e">Error Message: SECJ0336E:
Authentication failed for user {0} because of the following exception {1}</a></li>
</ul>
<p>For general tips on diagnosing and resolving
security-related problems, see <a href="trbsecurity.htm">Troubleshoot: Security</a>.</p>
<p>If you do not see a problem that resembles
yours, or if the information provided does not solve your problem, see <a href="../intro/support.htm">Get support for WebSphere Application Server - Express</a> in the <em>Overview</em> topic for more information.</p>
<p><a name="authenterr"></a><b>Authentication error accessing a Web page</b></p>
<p>Possible causes for authentication errors include:</p>
<ul>
<li><strong>Incorrect user name or passwords.</strong> Check the user name and password
and make sure they are correct.</li>
<li><strong>Security configuration error : User registry type is not set correctly.</strong> Check the user registry property in global security settings in the administrative
console. Verify that it is the intended user registry.</li>
<li><strong>Internal program error.</strong> If the client application is a Java standalone
program, this program might not gather or send credential information correctly.</li>
</ul>
<p>If the user registry configuration,
user ID, and password appear correct, use the WebSphere Application Server - Express trace function to determine the cause of the problem. To enable security trace, use the
<strong>com.ibm.ws.security.*=all=enabled</strong> trace
specification. See <a href="trbappsrvtrace.htm">Use the WebSphere Application Server - Express trace service</a> for more information.</p>
<p><a name="authorerr"></a><b>Authorization error accessing a Web page</b></p>
<p>If a user who should have access to a resource does not, there is probably a
missing configuration step. Review <a href="../sec/seccfg.htm">Configure WebSphere security</a> in the <em>Security</em> topic for more information.</p>
<p>Make sure to check the following:</p>
<ul>
<li>Check required roles for the accessed Web resource.</li>
<li>Check the authorization table to make sure that the user, or the groups
to which the user belongs, is assigned to one of the required roles.</li>
<li>View required roles for the Web resource in the deployment descriptor
of the Web resource.</li>
<li>View the authorization table for the application that contains the Web
resource, using the administrative console.</li>
<li>Test with a user who is granted the required roles, to see if the user
can access the problem resources.</li>
<li>If the problem user is required to have one or more of the required roles,
use the administrative console to assign that user to required roles. Then
stop and restart the application.</li>
</ul>
<p>If the user is granted required
roles, but still fails to access the secured resources, enable security trace, using <strong>com.ibm.ws.security.*=all=enabled</strong> as
the trace specification. Collect trace information for further resolution. See <a href="trbappsrvtrace.htm">Use the WebSphere Application Server - Express trace service</a> for more information.</p>
<p><a name="secj0314e"></a><b>Error Message: SECJ0314E: Current Java
2 security policy reported a potential violation on server </b></p>
<p>If you find errors on your server similar to:</p>
<pre>Error Message: SECJ0314E: Current Java 2 Security policy reported
a potential violation of Java 2 Security Permission.
Please refer to Problem Determination Guide for further information.
{0}Permission\:{1}Code\:{2}{3}Stack Trace\:{4}Code Base Location\:{5}
</pre>
<p>The Java security manager <tt>checkPermission()</tt> method has
reported an exception, <tt>SecurityException</tt>.</p>
<p><strong>The reported exception might be critical to the secure system.</strong> Turn on security trace to determine the potential code that might have violated the security policy. Once the violating code is determined, verify if the attempted operation
is permitted with respect to Java 2 Security, by examining all applicable
Java 2 security policy files and the application code.</p>
<p>A more detailed report is enabled by either configuring RAS trace into debug mode, or
specifying a Java property.</p>
<ul>
<li>Check the trace enabling section for instructions on how to configure
RAS trace into debug mode.</li>
<li>In the administrative console, expand <strong>Application Servers --&gt; <em>server
name</em> --&gt; ProcessDefinition --&gt; Java Virtual Machine</strong> in the <strong>Generic JVM arguments</strong> panel.<ul>
<li>Add the run-time flag <strong>java.security.debug</strong>.</li>
<li>Valid values: <dl><dt><strong>access</strong></dt><dd>Print all debug information including: required permission, code, stack,
and code base location.</dd><dt><strong>stack</strong></dt><dd>Print debug information including: required permission, code, and stack.</dd><dt><strong>failure</strong></dt><dd>Print debug information including: required permission and code.</dd></dl></li>
</ul>
</li>
</ul>
<p>For a review of Java security policies and what they mean, see
the Java 2 Security documentation at <a target="_blank" href="http://java.sun.com/j2se/1.3/docs/guide/security/index.html">http://java.sun.com/j2se/1.3/docs/guide/security/index.html</a> <img src="www.gif" width="18" height="15" alt="Link outside Information Center" border="0">.</p>
<p><strong>Tip:</strong> If
the application is running with a Java Mail API, this message might be benign.
You can update the /QIBM/UserData/WebASE51/ASE/<em>instance</em>/
installedApps/META-INF/was.policy file to grant the following permissions to the application:</p>
<ul>
<li><samp>permission java.io.FilePermission &quot;${user.home}${/}.mailcap&quot;, &quot;read&quot;; </samp></li>
<li><samp>permission java.io.FilePermission &quot;${user.home}${/}.mime.types&quot;, &quot;read&quot;; </samp></li>
<li><samp>permission java.io.FilePermission &quot;${java.home}${/}lib${/}mailcap&quot;,
&quot;read&quot;; </samp></li>
<li><samp>permission java.io.FilePermission &quot;${java.home}${/}lib${/}mime.types&quot;,
&quot;read&quot;; </samp></li>
</ul>
<p><a name="msgs0508e"></a><b>Error message: MSGS0508E: The JMS Server
security service was unable to authenticate user ID:&quot; error displayed in SystemOut.log
when starting an application server</b></p>
<p>This error can result from installing the JMS messaging API sample and then enabling
security. You can follow the instructions in the Configure and Run page of the
corresponding JMS sample documentation to configure the sample to work with WebSphere
Application Server - Express security.</p>
<p><a name="secj0237e"></a><b>Error message: SECJ0237E: One or more
vital LTPAServerObject configuration attributes are null or not available after
enabling security and starting the application server.</b></p>
<p>This error message can result from selecting LTPA as the authentication mechanism, but
not generating the LTPA keys. The LTPA keys encrypt the LTPA token.</p>
<p>To resolve this problem:</p>
<ol>
<li>Click <strong>System Administration --&gt; Console users --&gt; LTPA</strong></li>
<li>Enter a password, which can be anything.</li>
<li>Enter the same password in <strong>Confirm Password</strong>.</li>
<li>Click <strong>Apply</strong>.</li>
<li>Click <strong>Generate Keys</strong>.</li>
<li>Click on <strong>Save</strong>.</li>
</ol>
<p><a name="acexcep"></a><b>The
exception AccessControlException, is reported in the SystemOut.log</b></p>
<p>The problem is related to the Java 2 Security feature of WebSphere Application
Server - Express, the API-level security framework that is implemented in WebSphere
Application Server - Express Version 5. An exception similar to the following example
displays. The error message and number can vary.</p>
<pre>
E SRVE0020E: [Servlet Error]-[validator]: Failed to load servlet:
java.security.AccessControlException:
access denied (java.io.FilePermission
/QIBM/UserData/WebASE51/ASE/<em>instance</em>/installedApps/maeda/
adminconsole.ear/adminconsole.war/
WEB-INF/validation.xml read)
</pre>
<p>For an explanation of Java 2 security, how and why to enable or disable
it, how it relates to policy files, and how to edit policy files, see <a href="../sec/seccj2.htm">Configure Java 2 security</a> in
the <em>Security</em> topic. The topic explains that Java 2 security
is not only used by this product, but developers can also implement it for
their business applications. Administrators might need to involve developers,
if this exception is thrown when a client tries to access a resource hosted
by WebSphere Application Server - Express.</p>
<p>Possible causes of these errors include:</p>
<ul>
<li>Syntax errors in a policy file.</li>
<li>Syntax errors in permission specifications in the ra.xml file
bundled in a .rar file. This case applies to resource
adapters that support connector access to CICS or other resources.</li>
<li>An application is missing the specified permission in a policy file, or
in permission specifications in an ra.xml file bundled
in a .rar file </li>
<li>The class path is not set correctly, preventing the permissions for the resource.xml
file for SPI from being correctly created.</li>
<li>A library called by an application, or the application, is missing a doPrivileged
block to support access to a resource. </li>
<li>Permission is specified in the wrong policy file.</li>
</ul>
<p>To resolve these problems:</p>
<ul>
<li>Check all of the related policy files to verify that the permission shown
in the exception, for example java.io.FilePermission, is specified.</li>
<li>Look for a related ParserException in the SystemOut.log file
which reports the details of the syntax error. For example:
<pre>SECJ0189E: Caught ParserException while creating template
for application policy
/QIBM/UserData/WebASE51/ASE/<em>instance</em>/config/cells/<em>server</em>/
nodes/<em>server</em>/app.policy.
The exception is com.ibm.ws.security.util.ParserException: line 18: expected
';', found 'grant'
</pre>
</li>
<li>Look for a message similar to: SECJ0325W: The permission <strong>permission</strong>
specified in the policy file is unresolved.</li>
<li><P>Check the call stack to determine which method does not have the permission.
Identify the class path of this method. If it is hard to identify the method,
enable the Java2 security Report.</P>
<ul>
<li><P>Configuring RAS trace by specifying com.ibm.ws.security.core.*=all=enabled,
or specifying a Java <strong>property.java.security.debug</strong> property. See <a href="trbappsrvtrace.htm">Use the WebSphere Application Server - Express trace service</a> for more information. Valid values for the <strong>java.security.debug</strong> property are:</p>
<dl><dt><strong>access</strong></dt><dd>Print all debug information including: required permission, code, stack,
and code base location.</dd><dt><strong>stack</strong></dt><dd>Print debug information including: required permission, code, and stack.</dd><dt><strong>failure</strong></dt><dd>Print debug information including: required permission and code.</dd></dl></li>
<li><p>The report shows:</p>
<dl><dt><strong>Permission</strong></dt><dd>the missing permission.</dd><dt><strong>Code</strong></dt><dd>which method has the problem.</dd><dt><strong> Stack Trace</strong></dt><dd>where the access violation occurred.</dd><dt><strong>CodeBaseLocation</strong></dt><dd>the detail of each stack frame.</dd></dl>
<p>Usually, Permission and Code are enough to identify the
problem. The following example illustrates a report:</p>
<pre>
Permission:
/QIBM/UserData/WebASE51/ASE/<em>instance</em>/logs/server1/
SystemOut_02.08.20_11.19.53.log
:
access denied (java.io.FilePermission
/QIBM/UserData/WebASE51/ASE/<em>instance</em>/logs/server1/
SystemOut_02.08.20_11.19.53.log
delete)
Code:
com.ibm.ejs.ras.RasTestHelper$7 in
{file:/QIBM/UserData/WebASE51/ASE/<em>instance</em>/installedApps/
maeda/JrasFVTApp.ear/RasLib.jar
}
Stack Trace:
java.security.AccessControlException: access denied (java.io.FilePermission
/QIBM/UserData/WebASE51/ASE/<em>instance</em>/logs/server1/
SystemOut_02.08.20_11.19.53.log delete
)
at java.security.AccessControlContext.checkPermission
(AccessControlContext.java(Compiled Code))
at java.security.AccessController.checkPermission
(AccessController.java(Compiled Code))
at java.lang.SecurityManager.checkPermission
(SecurityManager.java(Compiled Code))
.
Code Base Location:
com.ibm.ws.security.core.SecurityManager :
file:/QIBM/ProdData/WebASE51/ASE/lib/securityimpl.jar
ClassLoader: com.ibm.ws.bootstrap.ExtClassLoader
Permissions granted to CodeSource
(file:/QIBM/ProdData/WebASE51/ASE/lib/securityimpl.jar &lt;no certificates&gt;
{
(java.util.PropertyPermission java.vendor read);
(java.util.PropertyPermission java.specification.version read);
(java.util.PropertyPermission line.separator read);
(java.util.PropertyPermission java.class.version read);
(java.util.PropertyPermission java.specification.name read);
(java.util.PropertyPermission java.vendor.url read);
(java.util.PropertyPermission java.vm.version read);
(java.util.PropertyPermission os.name read);
(java.util.PropertyPermission os.arch read);
}
( This list continues.)
</pre>
</li>
</ul></li>
<li>If the method is SPI, check the resources.xml file
to ensure that the class path is correct.</li>
<li>To confirm that all of the policy files are loaded correctly, or what
permission each class path is granted, enable the trace with <strong>com.ibm.ws.security.policy.*=all=enabled</strong>.
All loaded permissions are listed in the trace.log file.
Search for the app.policy, was.policy and ra.xml files.
To check the permission list for a class path, search for <strong>Effective
Policy for classpath</strong>.</li>
<li>If there are any syntax errors in the policy file or ra.xml file,
correct them with the policy tool. Avoid editing the policy manually, because syntax errors can result. For more information, see <a href="../sec/seccupol.htm">Create and edit policy files with the policy tool</a> in the <em>Security</em> topic.</li>
<li>If a permission is listed as <strong>Unresolved</strong>, it does not
take effect. Verify that the specified permission name is correct.</li>
<li>If the class path specified in the resource.xml file
is not correct, correct it.</li>
<li>If a required permission does not exist in either the policy files or
the ra.xml file, examine the application code to see
if you need to add this permission. If so, add it to the proper policy file
or ra.xml file.</li>
<li>If the permission should not be granted outside of the specific method
that is accessing this resource, modify the code needs to use a doPrivileged
block. </li>
<li>If this permission does exist in a policy file or a ra.xml file
and they were loaded correctly, but the class path still does not have the
permission in its list, the location of the permission might not be correct.
See <a href="../sec/seccj2.htm">Configure Java 2 Security</a> in
the <em>Security</em> topic to determine in which policy file
or ra.xml file that permission should be specified.</li>
</ul>
<p><strong>Tip:</strong> If the application is running with the Java Mail API,
you can update the /QIBM/UserData/WebASE51/ASE/<em>instance</em>/installedApps/<em>server</em>/<em>application.ear</em>/META-INF/was.policy file to grant the following permissions to the application:</p>
<ul>
<li><tt>permission java.io.FilePermission &quot;${user.home}${/}.mailcap&quot;, &quot;read&quot;; </tt></li>
<li><tt>permission java.io.FilePermission &quot;${user.home}${/}.mime.types&quot;, &quot;read&quot;; </tt></li>
<li><tt>permission java.io.FilePermission &quot;${java.home}${/}lib${/}mailcap&quot;,
&quot;read&quot;; </tt></li>
<li><tt>permission java.io.FilePermission &quot;${java.home}${/}lib${/}mime.types&quot;,
&quot;read&quot;; </tt></li>
</ul>
<p><a name="secj0336e"></a><b>Error Message: SECJ0336E: Authentication
failed for user {0} because of the following exception {1}</b></p>
<p>This error message results if the user ID indicated is not found in the LDAP user
registry. To resolve this problem:</p>
<ol>
<li>Verify that your user ID and password are correct.</li>
<li>Verify that the user ID exists in the registry.</li>
<li>Verify that the base distinguished name (DN) is correct.</li>
<li>Verify that the user filter is correct.</li>
<li>Verify that the bind DN and the password for the bind DN are correct.
If the bind DN and password are not specified, add the missing information
and retry.</li>
<li>Verify that the host name and LDAP type are correct.</li>
</ol>
<p>Consult with the administrator of the user registry if the problem persists.</p>
</body>
</html>