Showing posts with label pdadmin. Show all posts

07 February 2012

SECJ0053E and AWXJR0044E: PolicyConfiguration exists = false

If you are working on WAS with JACC configured against Tivoli Access Manager (or another external authorization provider, but I assume TAM is the most popular) in your application development cycle, you may stumble upon the following error sequence:
[2/7/12 11:24:45:304 CET] 000000c8 SecurityColla A   SECJ0053E: Authorization failed for defaultRealm/username while invoking (Bean)XyEAR-2.2#XyzBean.jar#soapAction:5 JACC Authorization failed for bean: xyzvBean
[2/7/12 11:24:45:660 CET] 0000003d AMWASJACCMess I   com.tivoli.pd.as.jacc.TAMPolicy implies(ProtectionDomain, Permission): permission = perm.toString()
0x864297004
AWXJR0044E   The access decision for Permission, (javax.security.jacc.EJBMethodPermission xyz), was denied because either the PolicyConfiguration or RoleConfiguration objects did not get created successfully at application installation time.  RoleConfiguration exists = true, PolicyConfiguration exists = false.

This is most likely to occur right after an application update (a new version deployed, for instance).

Here are the things you may do to steer out of this trouble:

  1. Ensure all necessary protected objects exist in the TAM policy database (use pdadmin or WPM, the TAM console deployed on WAS).
  2. Update the role definitions in your authorization provider: in the WAS admin console go to

    Global security > External authorization providers

    choose "Update with application names listed", type in your application name (as it appears under Enterprise Applications), then Apply.

  3. If point 2 fails, follow this sequence: stop the application, remove the application from the server, stop the application server, clean the temp directories for this server, start the server and redeploy the application. It should bind with TAM properly this time. After that, restart the server again.

Good luck.

20 December 2011

pdadmin login fail after migration

There are times when you want to do some unusual stuff with Tivoli Access Manager, such as migrating a whole TAM instance to a different machine/environment. I did that when trying to replicate a KVM environment to a different location, changing the target KVMs' IPs to exactly match the original ones and all the rest as well, including LDAP.

That last component replacement seemed to be a bit too harsh for TAM, and despite copying the secAuthority suffix data 1:1, after starting the KVM machine and trying to log into pdadmin, I failed to authenticate.

After some investigation it turned out that after copying the security suffix data into LDAP, you then need to apply the TAM ACLs to the secAuthority objects with the ivrgy tool, such as:

/opt/PolicyDirector/sbin/ivrgy_tool -h ldap_host -p 389 -D "<LDAP_admin_id>" -w <LDAP_admin_pwd> add-acls domain_name

where domain_name is usually Default, but you may also have something more fancy :)

Good luck, feel free to comment.

14 October 2011

UTF-8 characters in pdadmin (TAM 6.1)

Recently I came across the following problem: how to import LDAP users that have UTF-8 (Polish) characters into TAM with pdadmin? When you simply run pdadmin and use the user import command, you get a result like the following example:

user import elenaciezka "cn=Elena Ciężka,ou=1,ou=2,ou=3,O=myorg,C=PL"

Could not perform the administration request
Error: HPDMG0755W   The specified Distinguished Name (DN) does not exist. (status 0x14c012f3)
Since you can easily add these users with Web Portal Manager, there must be a way to do it with pdadmin too, which is useful if you want to import more than tens of users...

A little googling shows that the solution is to use command files as input to pdadmin, containing the UTF-8 characters of your choice. But that's a little peculiar, as you need to prepare the command file as ANSI type :)

So, this is what you need to do:
  1. prepare the command file, setting UTF-8 encoding first, so you get:

    user import elenaciezka "cn=Elena Ciężka,ou=1,ou=2,ou=3,O=myorg,C=PL"
  2. change the encoding to ANSI and you see:

    user import elenaciezka "cn=Elena Ciężka,ou=1,ou=2,ou=3,O=myorg,C=PL"
  3. save the file (say: tam_import.txt) and copy it to your target system using binary mode (the safest way to transmit some strange bytes)
  4. before running pdadmin, set the shell to use your locale:

    export LANG=pl_PL.utf-8

  5. and you can finally use your file:

    pdadmin -a sec_master -p your_password tam_import.txt

And that should be all. For file conversion you can use a text editor of your choice; my preference is the ultimate Notepad++ (seriously guys, n++ is awesome!!), and for transfer any scp client (WinSCP, I prefer).
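If you have more than a handful of users, the editor round-trip in steps 1 to 3 gets tedious. Here is an added example (my own script, not from the original post or from IBM) that writes the pdadmin command file straight to UTF-8 bytes and checks the encoding before you copy it over; the function names are mine, and the claim that a file saved in a Windows code page (cp1250) is what makes the DN lookup fail is my assumption based on the error above.

```python
# Added example: generate a pdadmin command file with UTF-8 DNs directly.
# Assumption: pdadmin reads the command file as raw bytes and interprets them
# in the locale set before it starts (export LANG=pl_PL.utf-8, as in step 4).
from pathlib import Path


def pdadmin_user_import_line(user_id: str, dn: str) -> str:
    """Render one 'user import' command. A double quote or backslash inside the
    DN would break pdadmin's quoting, so refuse such DNs instead of guessing."""
    if '"' in dn or "\\" in dn:
        raise ValueError(f"DN with quote/backslash not supported: {dn!r}")
    if not user_id or any(c.isspace() for c in user_id):
        raise ValueError(f"invalid pdadmin user id: {user_id!r}")
    return f'user import {user_id} "{dn}"'


def render_command_file(users) -> bytes:
    """One command per (user_id, dn) pair, UTF-8 encoded, LF line endings.
    Kept separate from the file write so the bytes can be inspected."""
    lines = [pdadmin_user_import_line(uid, dn) for uid, dn in users]
    return ("\n".join(lines) + "\n").encode("utf-8")


def write_command_file(users, path) -> int:
    """Write the command file in binary mode (no locale re-encoding on the way
    out) and return the number of bytes written."""
    data = render_command_file(users)
    Path(path).write_bytes(data)
    return len(data)


def is_utf8(data: bytes) -> bool:
    """Pre-transfer check: a file saved in cp1250 instead of UTF-8 will not
    decode here, and (assumption) is what produces the HPDMG0755W 'DN does
    not exist' error when pdadmin runs under a UTF-8 locale."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    # Constructed sample data; the DN mirrors the one used in the post.
    users = [("elenaciezka", "cn=Elena Ciężka,ou=1,ou=2,ou=3,O=myorg,C=PL")]
    print(write_command_file(users, "tam_import.txt"), "bytes written")
    print("utf-8 ok:", is_utf8(Path("tam_import.txt").read_bytes()))
    # The same DN saved as cp1250: 'ę' becomes one byte, and the check fails.
    print("cp1250 ok:", is_utf8(users[0][1].encode("cp1250")))
```

Copy the resulting tam_import.txt in binary mode as in step 3 and run it with pdadmin as in step 5.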

Good luck guys, and come back for more.