IBM - A survival guide for troubleshooting LDAP

Uploaded by decorumgrove (Internet and Web Applications), 7 Aug 2012

Tivoli Workload Scheduler

© 2009 IBM Corporation

A survival guide for troubleshooting LDAP & live exercises

francesco.carteri@it.ibm.com

Agenda

- Introduction to LDAP
- Troubleshooting approach
- Troubleshooting scenarios
- Memo, LDAP templates, useful links
- Live exercises
- Q & A

What is LDAP?

The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing data in a directory of objects with attributes organized in a logical and hierarchical manner.

The LDAP entry is the basic LDAP concept, modelled around real-world components such as people, organizations and objects. An entry is a collection of attributes, each of which has a type and a value.

For example, an entry representing a person might belong to the class "person". Membership in the "person" class would require the entry to contain "cn", "telephoneNumber", "uid", "mail" and other attributes.

The contents of the entries in a subtree are governed by a schema that defines a set of rules governing the kinds of information the server can hold (attribute syntaxes, matching rules, attribute types, object classes, etc.).

LDAP tree example 1

dc=test,dc=it                                                        <- the root domain context
|
|-- ou=americas                                                      <- the organizational unit
|   |-- uid: AMusr1     cn: American People1   mail: AMusr1@test.it  <- an LDAP entry
|   |-- uid: AMusr2     cn: American People2   mail: AMusr2@test.it
|   |-- uid: AMusr3     cn: American People3   mail: AMusr3@test.it
|   |-- uid: AMusr4     cn: American People4   mail: AMusr4@test.it
|   |-- uid: AMusr5     cn: American People5   mail: AMusr5@test.it
|   `-- uid: AMusr6     cn: American People6   mail: AMusr6@test.it
|
|-- ou=EMEA
|   |-- uid: EMEAusr1   cn: Euro People1       mail: EMEAusr1@test.it
|   |-- uid: EMEAusr2   cn: Euro People2       mail: EMEAusr2@test.it
|   |-- uid: EMEAusr3   cn: Euro People3       mail: EMEAusr3@test.it
|   |-- uid: EMEAusr4   cn: Euro People4       mail: EMEAusr4@test.it
|   |-- uid: EMEAusr5   cn: Euro People5       mail: EMEAusr5@test.it
|   `-- uid: EMEAusr6   cn: Euro People6       mail: EMEAusr6@test.it
|
|-- ou=asiapacific
|   |-- uid: APusr1     cn: Asian People1      mail: APusr1@test.it
|   |-- uid: APusr2     cn: Asian People2      mail: APusr2@test.it
|   |-- uid: APusr3     cn: Asian People3      mail: APusr3@test.it
|   |-- uid: APusr4     cn: Asian People4      mail: APusr4@test.it
|   |-- uid: APusr5     cn: Asian People5      mail: APusr5@test.it
|   `-- uid: APusr6     cn: Asian People6      mail: APusr6@test.it
|
|-- GROUP: operators                                                 <- a group of persons
|-- GROUP: developers
`-- GROUP: configurators

LDAP tree example 2

dc=ibm,dc=com                                              <- the root domain context
`-- dc=it
    `-- dc=romelab
        `-- ou=SWG                                         <- the organizational unit
            |-- ou=TIVOLI
            |   |-- groups:  TWS, DTM, CCMDB               <- a group
            |   `-- entries: DTMdev1, TWSdev1, CCMDBdev1,  <- LDAP entries
            |                DTMmark1, TWSmark1, CCMDBmark1,
            |                DTMserv1, TWSserv1, CCMDBserv1
            |-- ou=LOTUS
            |   |-- groups:  NOTES, ST, OFFICE
            |   `-- entries: STdev1, Notesdev1, OFFICEdev1,
            |                STmark1, Notesmark1, OFFICEmark1,
            |                STserv1, Notesserv1, OFFICEserv1
            `-- ou=WEBSPHERE
                |-- groups:  WAS, SOA, PORTAL
                `-- entries: SOAdev1, WASdev1, PORTALdev1,
                             SOAmark1, WASmark1, PORTALmark1,
                             SOAserv1, WASserv1, PORTALserv1

Examples of Distinguished Names

Tree 1, from the root down to the leaf:
  dc=it > dc=test > ou=americas > cn=American People1
  dn: CN=American People1,OU=americas,DC=test,DC=it

Tree 2, from the root down to the leaf:
  dc=com > dc=ibm > dc=it > dc=romelab > ou=SWG > ou=TIVOLI > uid=TWSdev1
  dn: uid=TWSdev1,ou=TIVOLI,ou=SWG,dc=romelab,dc=it,dc=ibm,dc=com

In the LDAP tree structure, each level has a relative distinguished name (RDN) that identifies it (e.g. ou=SWG). The concatenation of all the RDNs, taken in succession from the leaf node up to the root, is the distinguished name (DN), a string that uniquely identifies an entry in the directory.

LDAP servers supported by TWS

- IBM Tivoli Directory Server
- Microsoft Active Directory
- Sun ONE Directory Server

WebSphere Application Server (WAS) is the component that connects to the LDAP server.

LDAP troubleshooting diagram

Start
  1. Prepare/update the security file
  2. Run the LDAP Validator Tool. Is it valid?
     No:  2.1 Check the validator errors, then
          3.  using an LDAP browser or an LDIF, repair the wrong values and go back to 1
     Yes: 4.  Change the WAS security and start WAS
  Can WebSphere start?
     No:  check the error in the log file, then repair (3)
     Yes: can you log in to TDWC?
          No:  check the error in the log file, then repair (3)
          Yes: Finish
  Alternate flow: from 1 go directly to 4, without running the validator.



STEP 1 - Prepare the security file, and STEP 2.1 - Check the LDIF

LDIF entry:

dn: CN=American People1,OU=americas,DC=test,DC=it
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: American People1
sn: People1
givenName: American
distinguishedName: CN=American People1,OU=americas,DC=test,DC=it
displayName: American People1
memberOf: CN=configurators,DC=test,DC=it
name: American People1
sAMAccountName: AMusr1
sAMAccountType: 805306368
userPrincipalName: AMusr1@test.it
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=it
mail: AMusr1@test.it
.....
.....

Security properties file:

activeUserRegistry=LDAP

########################################################
LDAP Panel
########################################################
LDAPServerId=AMusr1@test.it
LDAPPassword=mypwd
LDAPServerType=ACTIVE_DIRECTORY
LDAPHostName=nc125088.romelab.it.ibm.com
LDAPPort=389
LDAPBaseDN=dc=test,dc=it
LDAPBindDN="CN=ldap bind,DC=test,DC=it"
LDAPBindPassword=mypwd
LDAPsearchTimeout=120
LDAPreuseConnection=true
LDAPIgnoreCase=true
LDAPsslEnabled=false
LDAPsslConfig=DefaultNode/DefaultSSLSettings

########################################################
Advanced LDAP Panel
########################################################
LDAPUserFilter=(&(mail=%v)(objectCategory=user))
LDAPGroupFilter=(&(cn=%v)(objectcategory=group))
LDAPUserIdMap=*:cn
LDAPGroupIdMap=*:cn
LDAPGroupMemberIdMap=memberof:member
LDAPCertificateFilter=
LDAPCertificateMapMode=EXACT_DN

STEP 2 - Run the LDAP Validator Tool

Download it from OPAL (see also the LDAP validator download entry under Useful links).

If the security file is valid, go to STEP 4; otherwise go to STEP 3.

STEP 3 - Check Errors and Repair

1. Check the validation errors in order to focus on the potentially wrong properties and on the suggested actions.

2. Using an LDAP browser or an exported LDIF file, analyze the LDAP entries involved in order to:
   - verify the distinguished names, so as to correct LDAPServerId, LDAPBaseDN and LDAPBindDN;
   - verify objectClass and the other attributes, comparing them with the attributes and objectClass defined in LDAPUserFilter and LDAPGroupFilter;
   - remember that users and groups must be in the subtree of the LDAPBaseDN.
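The RDN/DN rule from the "Examples of Distinguished Names" slide and the "users and groups must be in the subtree of the LDAPBaseDN" check in STEP 3 can both be applied mechanically to an LDIF export. The Python script below is an added example, not IBM code and not the LDAP Validator Tool: it splits DNs into RDNs leaf-first, compares them case-insensitively (as LDAPIgnoreCase=true implies), and lists the LDIF entries that a search rooted at a given LDAPBaseDN can never return. The LDIF text and the base DNs are constructed from the deck's "LDAP tree example 1".

```python
"""Check which entries of an LDIF export lie under a configured LDAPBaseDN.
Added example: this is not IBM code and not the LDAP Validator Tool.
The LDIF below is constructed from the deck's "LDAP tree example 1"."""

# Constructed LDIF export: two users in different OUs and one group.
SAMPLE_LDIF = """\
dn: CN=American People1,OU=americas,DC=test,DC=it
objectClass: user
cn: American People1
sAMAccountName: AMusr1
mail: AMusr1@test.it

dn: CN=Asian People1,OU=asiapacific,DC=test,DC=it
objectClass: user
cn: Asian People1
sAMAccountName: APusr1
mail: APusr1@test.it

dn: CN=configurators,DC=test,DC=it
objectClass: group
cn: configurators
member: CN=American People1,OU=americas,DC=test,DC=it
"""


def split_dn(dn):
    """Split a DN into its RDNs, leaf first, keeping backslash-escaped
    commas (e.g. 'CN=Smith\\, John') inside their RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def normalize_rdn(rdn):
    """Lower-case type and value and collapse inner whitespace, so that
    'OU=americas' and 'ou=americas' compare equal (LDAPIgnoreCase=true)."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), " ".join(value.split()).lower()


def is_under(dn, base_dn):
    """True when base_dn is the entry itself or one of its ancestors: the
    base's RDN chain must equal the tail of the entry's RDN chain."""
    entry = [normalize_rdn(r) for r in split_dn(dn)]
    base = [normalize_rdn(r) for r in split_dn(base_dn)]
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base


def parse_ldif(text):
    """Read plain LDIF into a list of {attribute: [values]} dicts, one per
    entry; folded continuation lines (leading space) are joined, base64
    values (::) are not decoded."""
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if line.startswith(" ") and last is not None:
            current[last][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last = attr.strip()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def entries_outside_base(ldif_text, base_dn):
    """DNs of the entries that a search rooted at base_dn can never return."""
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if not is_under(e["dn"][0], base_dn)]


if __name__ == "__main__":
    for base in ("dc=test,dc=it", "ou=americas,dc=test,dc=it"):
        print(base, "->", entries_outside_base(SAMPLE_LDIF, base) or "all entries reachable")
```

With LDAPBaseDN=ou=americas,dc=test,dc=it the script reports the asiapacific user and the configurators group as unreachable, which is the situation behind the authentication-failure scenario later in the deck; with dc=test,dc=it every entry is found.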

STEP 4 - Change WebSphere security

1. Stop WAS (StopWas)
2. Back up the WAS configuration (backupConfig)
3. Dump your current security properties (showSecurityProperties)
4. Customize the security properties
5. Load the new properties (changeSecurityProperties)
6. Restart WAS (StartWas)

Note: once switched to LDAP, local users can no longer log on to WAS.

Troubleshooting LDAP

http://www.flickr.com/photos/beautyinmetal/2044961071


What documentation for troubleshooting?

LDAP
- Extract the LDIF file from the LDAP server with an LDAP browser.
- An open source LDAP browser: http://www.jxplorer.org/

WebSphere
- Run collector.sh (collector.bat on Windows) under WAS_DIR/bin. The JAR produced contains the WebSphere configuration and all logs and traces.
- Analyze the logs under WAS_DIR\profiles\profilename\logs\servername
- Analyze WAS_DIR\profiles\profilename\config\cells\DefaultNode\security.xml

Note: the output of the showSecurityProperties wastool contains the keys and attributes read from the security.xml file.

Troubleshooting LDAP (WAS start failure 1)

WebSphere is configured with LDAP but cannot start. The SystemOut.log shows:

[6/22/09 18:07:47:278 CEST] 0000000a LdapRegistryI A SECJ0419I: The user registry is currently connected to the LDAP server ldap://nc125088.romelab.it.ibm.com:389.
....
[6/22/09 17:49:27:811 CEST] 0000000a WsServerImpl E WSVR0009E: Error occurred during startup
com.ibm.ws.exception.RuntimeError: com.ibm.ws.exception.RuntimeError: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'ou=asiapacific,dc=test,dc=it'
    at com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:199)
    at com.ibm.ws.runtime.WsServerImpl.start(WsServerImpl.java:140)
....

Check with an LDIF the LDAPBaseDN specified in the security properties and ensure that the LDAPServerId exists in the LDAP (see the LDAP tree).

########################################################
LDAP Panel
########################################################
LDAPServerId=AMusr1@test.it
LDAPPassword=******
LDAPServerType=ACTIVE_DIRECTORY
LDAPHostName=nc1250881.romelab.it.ibm.com
LDAPPort=389
LDAPBaseDN=ou=asiapacific,dc=test,dc=it
LDAPBindDN="CN=ldap bind,DC=test,DC=it"
LDAPBindPassword=******

Fix:
- delete ou=asiapacific from the LDAPBaseDN, or
- change it to ou=americas

Troubleshooting LDAP (WAS start failure 2)

WebSphere is configured with LDAP but cannot start. The SystemOut.log shows:

[6/22/09 18:31:08:187 CEST] 00000011 LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://nc125088.romelab.it.ibm.com:389.
....
[6/22/09 18:31:15:515 CEST] 0000000a WsServerImpl E WSVR0009E: Error occurred during startup
com.ibm.ws.exception.RuntimeError: com.ibm.ws.exception.RuntimeError: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
....

Check the LDAPBindDN or the LDAPBindPassword specified in the security properties. Ask the LDAP administrator for a correct user and password to perform the LDAP queries.

########################################################
LDAP Panel
########################################################
LDAPServerId=AMusr1@test.it
LDAPPassword=******
LDAPServerType=ACTIVE_DIRECTORY
LDAPHostName=nc1250881.romelab.it.ibm.com
LDAPPort=389
LDAPBaseDN=dc=test,dc=it
LDAPBindDN="CN=ldap bind wrong,DC=test,DC=it"
LDAPBindPassword=******

Fix:
- the LDAPBindDN is wrong

Troubleshooting LDAP (WAS start failure 3)

WebSphere is configured with LDAP but cannot start. The SystemOut.log shows:

[6/22/09 18:50:04:170 CEST] 0000000a ContextManage E SECJ0270E: Failed to get actual credentials. The exception is com.ibm.websphere.security.PasswordCheckFailedException: No user AMusr1@test.it found
    at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.checkPassword(LdapRegistryImpl.java:311)
    at com.ibm.ws.security.registry.UserRegistryImpl.checkPassword(UserRegistryImpl.java:308)
    at com.ibm.ws.security.ltpa.LTPAServerObject.authenticate(LTPAServerObject.java:766)
....

Check with an LDIF the attributes used in the LDAPUserFilter, ensuring that the attributes exist and match the user specified as LDAPServerId (see the LDIF example).

########################################################
LDAP Panel
########################################################
LDAPServerId=AMusr1@test.it
....

########################################################
Advanced LDAP Panel
########################################################
LDAPUserFilter=(&(sAMAccountName=%v)(objectCategory=userclasswrong))
LDAPGroupFilter=(&(cn=%v)(objectcategory=group))

Fix:
- userclasswrong does not exist as an objectClass
- sAMAccountName is not congruent with the mail address specified as LDAPServerId
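WAS start failure 3, and STEP 3's advice to compare the LDIF attributes with those named in LDAPUserFilter and LDAPGroupFilter, come down to one operation: substituting %v in the filter and evaluating it against the directory entries. The Python below is an added example, not IBM code and not the WebSphere registry implementation. It parses RFC 4515 filters, evaluates them against constructed entries taken from the deck's LDIF, and escapes the substituted login value. The AD_DEFAULT_OBJECT_CATEGORY map is a constructed stand-in for Active Directory's resolution of a class name given in an objectCategory filter.

```python
"""Evaluate a WebSphere LDAPUserFilter or LDAPGroupFilter against directory
entries, the way the LDAP registry does when it resolves the LDAPServerId
at startup. Added example: not IBM code and not the WebSphere registry.
The entries and the objectCategory map are constructed from the deck's
Active Directory LDIF sample."""

import re

# Constructed entries; attribute names as in the deck's LDIF export.
SAMPLE_ENTRIES = [
    {"dn": "CN=American People1,OU=americas,DC=test,DC=it",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=test,DC=it"],
     "cn": ["American People1"], "sAMAccountName": ["AMusr1"],
     "userPrincipalName": ["AMusr1@test.it"], "mail": ["AMusr1@test.it"]},
    {"dn": "CN=configurators,DC=test,DC=it",
     "objectClass": ["top", "group"],
     "objectCategory": ["CN=Group,CN=Schema,CN=Configuration,DC=test,DC=it"],
     "cn": ["configurators"]},
]

# Active Directory accepts a class name (e.g. "user") in an objectCategory
# filter and resolves it to that class's default object category DN.
# Constructed stand-in for that schema lookup, covering only this domain.
AD_DEFAULT_OBJECT_CATEGORY = {
    "person": "CN=Person,CN=Schema,CN=Configuration,DC=test,DC=it",
    "user": "CN=Person,CN=Schema,CN=Configuration,DC=test,DC=it",
    "group": "CN=Group,CN=Schema,CN=Configuration,DC=test,DC=it",
}


def escape_value(value):
    """RFC 4515 escaping for a value substituted into %v, so that '*', '('
    or ')' in a login name cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def unescape_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|', [children]), ('!', child) or
    ('=', attr, value). Unbalanced parentheses raise ValueError."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unbalanced filter, unexpected %r" % text[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), _expect(s, i, ")")
    if i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", child), _expect(s, i, ")")
    end = s.find(")", i)
    attr, sep, value = s[i:end].partition("=") if end >= 0 else ("", "", "")
    if not sep or not attr.strip():
        raise ValueError("malformed filter item at offset %d" % i)
    return ("=", attr.strip(), value.strip()), end + 1


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))
    return i + 1


def _values(entry, attr):
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values if isinstance(values, list) else [values]
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry; values compare
    case-insensitively, as with LDAPIgnoreCase=true."""
    kind = node[0]
    if kind in "&|":
        results = [matches(child, entry) for child in node[1]]
        return all(results) if kind == "&" else any(results)
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = _values(entry, attr)
    if value == "*":                       # presence filter, e.g. (mail=*)
        return bool(values)
    value = unescape_value(value)
    if attr.lower() == "objectcategory" and "=" not in value:
        value = AD_DEFAULT_OBJECT_CATEGORY.get(value.lower(), value)
    return any(v.lower() == value.lower() for v in values)


def find_entries(entries, filter_template, login_value):
    """Substitute %v with the escaped login value and return the DNs that
    match, as WebSphere does with LDAPServerId and LDAPUserFilter."""
    tree = parse_filter(filter_template.replace("%v", escape_value(login_value)))
    return [e["dn"] for e in entries if matches(tree, e)]
```

With the deck's working filter the administrator entry is found; with the misconfigured one it is not, for both reasons given in the fix above (sAMAccountName is not the mail address, and userclasswrong resolves to no category). A filter with an extra closing parenthesis is rejected at parse time, and a login value containing * or parentheses is matched literally instead of altering the filter.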

Troubleshooting LDAP (WAS start failure 4)

The TDWC is configured with LDAP, and WebSphere cannot start. The SystemOut.log shows:

[6/22/09 17:44:52:167 CEST] 0000000a LdapRegistryI E SECJ0352E: Could not get the users matching the pattern AMusr1@test.it because of the following exception javax.naming.CommunicationException: nc1250881.romelab.it.ibm.com:389 [Root exception is java.net.UnknownHostException: nc1250881.romelab.it.ibm.com]

Check the LDAPHostName specified in the security properties; verify that the host exists and is reachable on the network. Try to telnet to that host on the LDAPPort specified.

########################################################
LDAP Panel
########################################################
LDAPServerId=AMusr1@test.it
LDAPPassword=******
LDAPServerType=ACTIVE_DIRECTORY
LDAPHostName=nc1250881.romelab.it.ibm.com
LDAPPort=389
LDAPBaseDN=dc=test,dc=it
LDAPBindDN="CN=ldap bind,DC=test,DC=it"
LDAPBindPassword=******

Fix:
- nc1250881.romelab.it.ibm.com is not reachable on the network; ask the network administrator

Troubleshooting: LDAP (portfolio missing in TDWC)

After configuring TDWC with LDAP, WebSphere starts and the login with the WebSphere administrator user AMusr1@test.it is successful, but the left-hand portfolio shows no TDWC menu at all. The login with the non-administrative user APusr1@test.it instead fails, and the SystemOut.log shows:

SECJ0118E: Authentication error during authentication for user APusr1@test.it

Assign (if it has not been done yet) a TDWC role to the users AMusr1@test.it and APusr1@test.it. Follow these steps:

1. Log in to the TDWC with the WebSphere administrator user.
2. In the portfolio, open the menu "Users and Groups" > "Administrative User Roles".
3. Specify the user name in the panel and assign one of the roles (TWSWEBUIAdministrator, TWSWEBUIConfigurator, TWSWEBUIAnalyst, TWSWEBUIDeveloper).
4. Press "Apply" to add the user.

Solution 1

########################################################
LDAP Panel
########################################################
LDAPServerId=AMusr1@test.it
LDAPPassword=******
....

The LDAPServerId is the WebSphere administrator, thus it can perform administrative tasks in the WAS admin console (ISC based).

Troubleshooting: LDAP (authentication failure)

The TDWC is configured with LDAP and the login with a WebSphere administrator user is successful, but the TDWC roles cannot be associated to a new user APusr1@test.it, and a message appears:

No User was found in User Registry Repository with this name.

LdapRegistryI E SECJ0350E: Could not get the uniqueId of the user APusr1@test.it.

Check whether the user APusr1@test.it can be found under the LDAPBaseDN specified in the security configuration.

Solution example

########################################################
LDAP Panel
########################################################
LDAPServerId=AMusr1@test.it
LDAPPassword=******
LDAPServerType=ACTIVE_DIRECTORY
LDAPHostName=nc1250881.romelab.it.ibm.com
LDAPPort=389
LDAPBaseDN=ou=americas,dc=test,dc=it
LDAPBindDN="CN=ldap bind,DC=test,DC=it"
LDAPBindPassword=******

Fix:
- delete ou=americas from the LDAPBaseDN

LTPA keys

- The LTPA keys have to be aligned among the WebSphere servers to enable Single Sign-On.
- With the LTPA keys aligned, the user can log in to the TDWC (get authenticated) and connect to a TWS distributed or z/OS connector engine without specifying additional credentials.

SSL certificates

- The certificates need to be aligned among the WebSphere servers to get the SSL communication working.
- The installed SSL certificates are not always aligned; it depends on the product versions.
- The SSL certificates are used to encrypt the communication between the WebSphere of the TDWC and the TWS distributed or z/OS connector.

Troubleshooting LTPA (engine connection failure 1)

The TDWC cannot connect to a z/OS connector engine. The following message appears in the SystemOut.log of the TDWC:

AWSUI0766E Test connection to [ ] : failed.
AWSUI0833E The operation could not be completed. There has been a communication failure.
The internal message is: AWSJCO005E WebSphere Application Server has given the following error: CORBA NO_PERMISSION 0x49424300 No; nested exception is: org.omg.CORBA.NO_PERMISSION: Trace from server: 1198777258 at host hostname1.com
org.omg.CORBA.NO_PERMISSION: Subject is null. Authentication Failed. vmcid: 0x49424000 minor code: 300 completed: No at com.ibm.ISecurityLocalObjectBaseL13Impl.PrincipalAuthFailReason.map_auth_fail_to_minor_code(PrincipalAuthFailReason.java:83) at com.ibm.ISecurityLocalObjectBaseL13Impl.CSIServerRI.receive_request(CSIServerRI.java:2337)
....

1) Enable LTPA authentication in the z/OS connector, running:

   webui.sh -operation enable -user user1 -password pwd1 -port 31128 -pwdLTPA secret -server server1

   The LTPA keys file is also produced, as a properties file like /tmp/ltpaxxxxx.properties

2) If TDWC and the z/OS connector are configured with the same LDAP server, the LTPA keys must be aligned between the two WebSphere servers, so the /tmp/ltpaxxxxx.properties file produced must be imported on the TDWC:

   ./manage_ltpa.sh -operation import -profilepath /opt/tws/isc/eWAS/profiles/twaprofile -ltpafile ltpaxxxxx.properties -ltpapassword secret -user user1 -password secret -port 28880 -server twaserver1

3) Restart the servers.

Solution example

Troubleshooting SSL (engine connection failure 2)

The TDWC cannot connect to a z/OS connector engine. The following message appears in the SystemOut.log of the TDWC:

AWSUI0766E Test connection to [ ] : failed.
AWSUI0833E The operation could not be completed. There has been a communication failure.
The internal message is: AWSJCO005E WebSphere Application Server has given the following error: CORBA MARSHAL 0x4942f89a No; nested exception is: org.omg.CORBA.MARSHAL: Trace from server: 1198777258 at host hostname1 >>
org.omg.CORBA.MARSHAL: Unable to read value from underlying bridge : CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E: javax.net.ssl.SSLHandshakeException - The client and server could not negotiate the desired level of security. Reason: com.ibm.jsse2.util.g: No trusted certificate found vmcid: IBM minor code: 89A completed: No

1) EXPORT the self-signed certificate from the TDWC:

   WAS_DIR/java/jre/bin/keytool -export -rfc -alias server -file /tmp/default_jks.cert -keystore WAS_DIR/profiles/twaprofile/etc/TWSServerKeyFile.jks -storetype JKS -storepass default

2) IMPORT it into the z/OS connector trust keystore. First make a backup copy of ZCONN_DIR/appserver/profiles/twszconnprofile/etc/TWSServerTrustFile.jks, then run:

   ./keytool -import -rfc -alias webui -file /tmp/default_jks.cert -keystore ZCONN_DIR/appserver/profiles/twszconnprofile/etc/TWSServerTrustFile.jks -storetype JKS -storepass default -noprompt

3) Restart the servers.

Solution example

Troubleshooting (engine connection failure 3)

The TDWC cannot connect to a z/OS connector engine. The following message appears on the TDWC:

[6/5/09 13:21:19:549 EDT] 00000092 ConnException E AWSJCO005E WebSphere Application Server has given the following error: A communication failure occurred while attempting to obtain an initial context with the provider URL: "corbaloc:iiop:146.125.11.65:31127".
Make sure that any bootstrap address information in the URL is correct and that the target name server is running. A bootstrap address with no port specification defaults to port 2809. Possible causes other than an incorrect bootstrap address or unavailable name server include the network environment and workstation network configuration..

Check the port number and the IP address, and whether the server is up and running. Verify that the host exists and is reachable on the network. Try to telnet to that host on the specified port number.

Solution example

Troubleshooting (engine connection failure 4)

TDWC and TWS are configured with LDAP. The test connection fails. The following message appears in the SystemOut.log file on the TDWC:

[6/23/09 17:48:17:221 CEST] 00000026 ConnException E com.ibm.tws.conn.exception.ConnRemoteException ConnException(Throwable e) AWSJCO005E WebSphere Application Server has given the following error: CORBA NO_PERMISSION 0x49424306 No; nested exception is:
....

The following message appears in the SystemOut.log file on the TWS:

[6/23/09 18:07:44:533 CEST] 00000023 ConnException E AWSJCO028E The object cannot be accessed because the user "AMusr1@test.it" is not defined in the Security file.

1) Dump the TWS native security:

   dumpsec > sec.txt

2) Edit sec.txt, adding the section for the user AMusr1@test.it:

   USER MAESTRO2
       CPU=@+LOGON=AMusr2@test.it
   BEGIN

   END

3) Apply the sec.txt file:

   makesec sec.txt

Solution example

Troubleshooting PMR (wrong pwd configured)

WebSphere cannot be started. The following message appears in the SystemOut.log file:

[05/06/09 11:31:01:765 BRT] 0000000a WSKeyStore 3 Cannot open keystore URL: C:/TWA/eWAS/profiles/twaprofile/etc/TWSServerTrustFile.jks
java.io.IOException: Keystore was tampered with, or password was incorrect
    at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
    at java.security.KeyStore.load(KeyStore.java:1173)
    at com.ibm.ws.ssl.config.WSKeyStore$1.run(WSKeyStore.java:487)
....

1) Restore the original password for the SSL keystore (TWSServerTrustFile.jks).

2) Check the right password by opening the keystore with the graphical tool WAS_DIR/java/jre/bin/ikeyman (the passwords used are "default" and "WebAS", depending on the product version and on the keystore). The keystores are under the directory:
   C:\Programmi\IBM\TWA\eWAS\profiles\twaprofile\etc

3) Run TDWC_DIR/wastools/changeSecurityProperties.sh passing a text file containing the original passwords:

   keyFilePassword=default
   trustFilePassword=default

4) Restart the server.

Solution example

Troubleshooting PMR (WAS start failure 1)

The LDAP validator tool returns a failure:

Validate LDAPUserFilter with LDAPServerId (WAS administrator) login: FAILED
EXPLANATION: "the LDAP query was not able to find <LDAPServerId=tws_connect>". USER ACTION: "check the LDAPBaseDN and LDAPUserFilter."

WebSphere cannot start and the SystemOut.log shows:

[12/06/09 10:27:55:742 BRT] 0000000a LdapRegistryI < checkPassword Exit
com.ibm.websphere.security.PasswordCheckFailedException: No user tws_connect found
    at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.checkPassword(LdapRegistryImpl.java:319)
...

Looking at the security properties, a simple error was present:

LDAPServerId=tws_connect
LDAPBaseDN=cn=users,dc=sicredi,dc=com,dc=br
LDAPBindDN=cn=tws_connect,cn=users,dc=sicredi,dc=net,dc=br

The LDAPBaseDN contains dc=com, but the LDAPBindDN contains dc=net. The user tws_connect cannot have two different distinguished names.

ACTION: put the properties above in a file sec.txt, changing them where required. Run changeSecurityProperties.sh sec.txt. Restart WAS.

Solution example

Troubleshooting PMR (WAS start failure 2)

WebSphere could not be started because of an LDAP authentication failure.

1 - Ensured that the LDAP server was reachable with a telnet on the LDAP port.

2 - Changed the WAS security with changeSecurityProperties.sh, using the customer's security properties file and changing only the parameters below:

   from: activeUserRegistry=custom
   to:   activeUserRegistry=LDAP

   from: LDAPBaseDN=dc=alaskaair,dc=com
   to:   LDAPBaseDN=ou=people,dc=osouth,dc=alaskaair,dc=com

   from: LDAPBindDN=CN=ldap bind,DC=alaskaair,DC=com
   to:   LDAPBindDN=uid=maestro,ou=people,dc=osouth,dc=alaskaair,dc=com

   from: LDAPBindPassword=bindpassword
   to:   LDAPBindPassword=maestro

   from: LDAPUserFilter=(&(uid=%v)(objectclass=inetOrgPerson))
   to:   LDAPUserFilter=(&(uid=%v)(objectclass=posixAccount))

3 - Restarted the WAS.

The activeUserRegistry was initially defined as custom, because this is the default value after the TWS engine installation. But custom means that WebSphere will use PAM authentication and not LDAP. To find the right DN and LDAPUserFilter, we checked the properties of the maestro user with the customer's LDAP client. As explained to the customer, the LDAPBaseDN value sets where the user will be found (authenticated) in the LDAP tree, thus only the users defined under ou=people,dc=osouth,dc=alaskaair,dc=com will be authenticated.

Solution example

Memo

1. The LTPA keys must be aligned (use the manage_ltpa script to export/import them) when TDWC and TWS distributed/zConnector are installed on the same box with separate WebSphere servers, or are configured with the same LDAP server.

2. Disable the automatic generation of the LTPA token keys to avoid the LTPA expiration.

3. After installing the zConnector, run the webui.sh script to enable LTPA and restart WebSphere. Old releases of the zConnector can only generate the LTPA keys, which then have to be exported, while the latest release can also export them. Take care: each time you run webui.sh a new LTPA key is generated, which must then be imported on the TDWC.

4. After importing/exporting the LTPA keys, WebSphere must be restarted.

5. Each time you run showSecurityProperties all the passwords are written as hidden characters (*******), so before running changeSecurityProperties remember to change the password values or to remove the related properties.
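Memo item 5 is easy to get wrong by hand when the properties file is long. As an added example (not IBM code and not part of the wastools), the Python below reads a dump in the layout the deck's slides show, reports the password properties that still hold the masked placeholder, and produces a file in which each masked value is either replaced from a dictionary of real values or dropped, which is exactly the choice the memo gives. The dump text and the secrets dictionary are constructed; in practice the real values should come from a protected source rather than from a literal in a script.

```python
"""Find the password properties that a showSecurityProperties dump still
reports as masked (*******) and prepare the file for changeSecurityProperties.
Added example: not IBM code and not part of the wastools. The dump below
is constructed in the layout the deck shows."""

MASK_CHAR = "*"

# Constructed showSecurityProperties output (panel titles as # comments).
SAMPLE_DUMP = """\
activeUserRegistry=LDAP
########################################################
# LDAP Panel
########################################################
LDAPServerId=AMusr1@test.it
LDAPPassword=******
LDAPServerType=ACTIVE_DIRECTORY
LDAPBindDN="CN=ldap bind,DC=test,DC=it"
LDAPBindPassword=******
keyFilePassword=default
trustFilePassword=******
"""


def parse_properties(text):
    """Minimal key=value reader; splits on the first '=' so DN values that
    contain '=' stay intact, and skips blank and # comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_masked(value):
    """True for a value made only of asterisks, the placeholder the tool writes."""
    return bool(value) and set(value) == {MASK_CHAR}


def masked_passwords(props):
    """Names of the password properties whose value is still the placeholder."""
    return sorted(k for k, v in props.items()
                  if "password" in k.lower() and is_masked(v))


def prepare_for_change(text, secrets):
    """Return the dump with every masked password either replaced from
    `secrets` (property name -> real value) or dropped entirely, so that
    changeSecurityProperties never stores '******' as the real password."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        name = key.strip()
        if sep and "password" in name.lower() and is_masked(value.strip()):
            if name in secrets:
                out.append("%s=%s" % (name, secrets[name]))
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("still masked:", masked_passwords(parse_properties(SAMPLE_DUMP)))
    print(prepare_for_change(SAMPLE_DUMP, {"LDAPPassword": "mypwd"}))
```

Properties that are dropped keep whatever value is already stored in security.xml, so a dump cleaned this way can be fed to changeSecurityProperties without overwriting a password you did not intend to touch.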

LDAP templates

Template 1: IBM Tivoli Directory Server

activeUserRegistry=LDAP

###############################################
LDAP Panel
###############################################
LDAPServerId=TWSAdmin
LDAPPassword=mypassword
LDAPServerType=IBM_DIRECTORY_SERVER
LDAPHostName=ldapserver.mycompany.com
LDAPPort=389
LDAPBaseDN=dc=mycompany,dc=com
LDAPBindDN=CN=ldap bind,DC=mycompany,DC=com
LDAPBindPassword=bindpassword
LDAPsearchTimeout=120
LDAPreuseConnection=true
LDAPIgnoreCase=true
LDAPsslEnabled=false
LDAPsslConfig=DefaultNode/DefaultSSLSettings

###############################################
Advanced LDAP Panel
###############################################
LDAPUserFilter=(&(uid=%v)(objectclass=person))
LDAPGroupFilter=(&(cn=%v)(objectclass=groupOfNames))
LDAPUserIdMap=*:uid
LDAPGroupIdMap=*:cn
LDAPGroupMemberIdMap=ibm-allGroups:member
LDAPCertificateFilter=
LDAPCertificateMapMode=EXACT_DN

Template 2: Microsoft Active Directory

activeUserRegistry=LDAP

###############################################
LDAP Panel
###############################################
LDAPServerId=TWSAdmin
LDAPPassword=mypassword
LDAPServerType=ACTIVE_DIRECTORY
LDAPHostName=ldapserver.mycompany.com
LDAPPort=389
LDAPBaseDN=dc=mycompany,dc=com
LDAPBindDN=CN=ldap bind,DC=mycompany,DC=com
LDAPBindPassword=bindpassword
LDAPsearchTimeout=120
LDAPreuseConnection=true
LDAPIgnoreCase=true
LDAPsslEnabled=false
LDAPsslConfig=DefaultNode/DefaultSSLSettings

###############################################
Advanced LDAP Panel
###############################################
LDAPUserFilter=(&(sAMAccountName=%v)(objectCategory=user))
LDAPGroupFilter=(&(cn=%v)(objectCategory=group))
LDAPUserIdMap=*:sAMAccountName
LDAPGroupIdMap=*:cn
LDAPGroupMemberIdMap=memberof:member
LDAPCertificateFilter=
LDAPCertificateMapMode=EXACT_DN

Template 3: Sun ONE Directory Server (iPlanet)

activeUserRegistry=LDAP

###############################################
LDAP Panel
###############################################
LDAPServerId=TWSAdmin
LDAPPassword=mypassword
LDAPServerType=IPLANET
LDAPHostName=ldapserver.mycompany.com
LDAPPort=389
LDAPBaseDN=dc=mycompany,dc=com
LDAPBindDN=CN=ldap bind,DC=mycompany,DC=com
LDAPBindPassword=bindpassword
LDAPsearchTimeout=120
LDAPreuseConnection=true
LDAPIgnoreCase=true
LDAPsslEnabled=false
LDAPsslConfig=DefaultNode/DefaultSSLSettings

###############################################
Advanced LDAP Panel
###############################################
LDAPUserFilter=(&(uid=%v)(objectclass=inetOrgPerson))
LDAPGroupFilter=(&(cn=%v)(objectclass=groupofuniquenames))
LDAPUserIdMap=*:uid
LDAPGroupIdMap=*:cn
LDAPGroupMemberIdMap=*:uniqueMember
LDAPCertificateFilter=
LDAPCertificateMapMode=EXACT_DN

Useful links

- Config WebSphere with LDAP - RACF
- Align LTPA keys on TDWC - TWS
- Enable LTPA on zOS Connector
- Wastools to change security
- Configuration example for Active Directory (templates)
- How to avoid browser security warning messages when logging in
- Tivoli Dynamic Workload Console (TDWC): connection failures with TWS z/OS Connector
- Troubleshooting when the engine connection does not work
- Disabling the automatic generation of LTPA token_keys
- LDAP validator download
- TWS infocenter

Live exercises

http://www.flickr.com/photos/frf_kmeron/3586818113/

Demo Scenarios

- Validate a security file with the LDAP Validator
- Apply it to WebSphere
- Put an error in the security file
- Start WebSphere
- Check the failure message in the log file
- Change the security file and iterate the procedure
- Add a file with a list of users and run the LDAP Validator

- Configure TDWC and TWS with LDAP
- Assign a TDWC role to a user
- Log in with the user and create an engine connection
- Show a test connection failure
- Run dumpsec and makesec, adding the user
- Test the connection again

Are you sleeping? Yes / No

Q&A

Finish