Troubleshoot: Security

Use these resources to determine the cause of problems that occur when using the application server security.

• Check the application server standard output and standard error log files. See WebSphere Application Server - Express log files for more information.

• When troubleshooting security-related problems, consider the following:

  Does the problem occur when security is disabled?
  The problem may be a result of the enablement of security. More troubleshooting is necessary to ensure the problem is security related.

  For more information, see Troubleshoot: Enabling security.

  Did security appear to initialize properly?
  The following sequence of messages generated in the SystemOut.log indicate normal code initialization of an application server. This varies based on the configuration, but the message are similar:

  SASRas        A JSAS0001I: Security configuration initialized.
  SASRas        A JSAS0002I: Authentication protocol: CSIV2/IBM
  SASRas        A JSAS0003I: Authentication mechanism: SWAM
  SASRas        A JSAS0004I: Principle name: BIRKt20/pbirk
  SASRas        A JSAS0005I: SecurityCurrent registered.
  SASRas        A JSAS0006I: Security connection interceptor initialized.
  SASRas        A JSAS0007I: Client request interceptor registered.
  SASRas        A JSAS0008I: Server request interceptor registered.
  SASRas        A JSAS0009I: IOR interceptor registered.
  
  NameServerIMP I NMSV0720I: Do Security service listener registration.
  SecurityCompo A SECJ0242A: Security service is starting
  UserRegistryI A SECJ0136I: 
          Custom Registry:com.IBM.ws.security.registry.nt.NTLocalDomainRegistryIm
          has been initialized
  SecurityCompo A SECJ0202A: Admin application initialized successfully
  SecurityCompo A SECJ0203A: Naming application initialized successfully
  SecurityCompo A SECJ0204A: Rolebased authorizer initialized successfully
  SecurityCompo A SECJ0205A: Security Admin mBean registered successfully
  SecurityCompo A SECJ0243A: Security service started successfully
  SecurityCompo A SECJ0210A: Security enabled true
  

  Is there a stack trace or exception printed in the SystemOut.log?
  The stack trace will log any code incorrectly initialized, failing components, and the failing class.

  Is this a distributed security problem or a local security problem?

  • If the problem is local, the code involved does not make a remote method invocation, then troubleshooting is isolated to a single process. It is important to know when a problem is local or distributed since the behavior of the Object Request Broker (ORB), among other components, is different between the two.

  • Once a remote method invocation takes place, a different security code path is entered. When you know the problem involves two or more servers, check the log files of all servers involved. If possible, make sure the timestamps on all machines match as closely as possible to identify request and reply pairs from two different processes easier.

  Is the problem related to authentication or authorization?
  Most security problems fall under one of these two categories. Authentication is the process of determining who the caller is. Authorization is the process of validating that the caller has the proper authority to invoke the requested method. When authentications fails, typically this is related to either the authentication protocol, authentication mechanism, or user registry. When authorization fails, this is usually related to the application bindings from assembly or deployment and to the identity of the caller who is accessing the method and the roles required by the method.

  Does the problem seem to be related SSL?
  The Secure Socket Layer (SSL) is a separate layer of security. Troubleshooting SSL is different than troubleshooting authentication and authorization problems. SSL errors are often caused by incorrect configurations. Each keystore used by a client must contain the certificate of the Certificate Authority (CA) that signed the certificate used by the server. During mutual authentication, the server requires the client to present a certificate for authorization. Each server keystore must contain the certificate of the CA that signed the certificate presented by the client. Another common error are configurations where the client and the server do not have common configured SSL cipher suites.

  Is the problem related to Java 2 Security?
  If Java 2 Security is enabled, deployers and administrators are required to make sure that all applications are granted required permissions, otherwise, applications may fail to run.

• Read the release notes:

  • WebSphere Application Server - Express V5.1.0.X Release Notes (http://www.ibm.com/servers/eserver/iseries/software/websphere/wsappserver/
    express/docs/relnotesexp51.html)
  • WebSphere Application Server - Express V5.1.1 Release Notes (http://www.ibm.com/servers/eserver/iseries/software/websphere/wsappserver/
    express/docs/relnotesexp511.html)