Showing posts with label pdconfig. Show all posts

30 July 2012

HPDAZ0602E Corrupted file: Insufficient information to contact a Policy Server (SECJ0391E)

Now, a few words about possible problems when configuring an external JACC authorization provider for WebSphere Application Server, namely Tivoli Access Manager. The key issue here always lies in obtaining the Policy Server's certificate so that the JRE can authenticate with it later on. This can be done in various ways (sslsrvcfg, pdconfig etc.) and obviously the results may vary depending on the way used - at least it seems so.
Anyway, recently I was asked what might be the reason for the following error appearing in the logs:

[7/25/12 10:07:44:950 CEST] 00000013 AMWASConfigMe I   com.tivoli.pd.as.jacc.cfg.TAMConfigController execute() AWXJC0048E   An error occurred during the configuration. The details are: com.tivoli.pd.as.jacc.cfg.ConfigActionFailedException:
[java.lang.IllegalStateException: HPDAZ0602E   Corrupted file: Insufficient information to contact a Policy Server.
]

Wrappered Exception:
java.lang.IllegalStateException: HPDAZ0602E   Corrupted file: Insufficient information to contact a Policy Server..


This one happened during a JACC configuration attempt from the WAS admin console, when the console reported that the action could not be completed successfully. "Insufficient information" could only mean that the JRE is trying to register with the Policy Server, but fails to trust/present a valid certificate. Unfortunately, we were stubborn and hoped that the action would complete during a server restart. But after saving the configuration and restarting the server, it failed to start! In the logs we could see:

[7/25/12 10:19:49:404 CEST] 00000000 distSecurityC E   SECJ0391E: Error when setting the Policy object to the provider's policy implementation com.tivoli.pd.as.jacc.TAMPolicy. The exception is com.tivoli.pd.as.jacc.util.JACCException: AWXJR0006E   The file, /opt/ibm/WebSphere/AppServer/profiles/PSS1UPRB01DMgr/etc/tam/amwas.PSS1UPRB01DMgr_dmgr.amjacc.properties, was not found.
    at com.tivoli.pd.as.jacc.TAMPolicy.init(TAMPolicy.java:680)
    at com.tivoli.pd.as.jacc.TAMPolicy.<init>(TAMPolicy.java:97)
    at java.lang.J9VMInternals.newInstanceImpl(Native Method)
    at java.lang.Class.newInstance(Class.java:1345)


which meant that WAS had JACC enabled, but had in fact failed to produce a proper configuration file for amwas/jacc. We gave it some thought and first had to recover from this fatal condition: by editing security.xml we disabled security and disabled the use of JACC in this section:

<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Security_1" useLocalSecurityServer="true" useDomainQualifiedUserNames="false" enabled="true" cacheTimeout="600" issuePermissionWarning="false" activeProtocol="BOTH" enforceJava2Security="false" enforceFineGrainedJCASecurity="false" appEnabled="true" dynamicallyUpdateSSLConfig="true" allowBasicAuth="true" activeAuthMechanism="LTPA_1" activeUserRegistry="WIMUserRegistry_1" defaultSSLSettings="SSLConfig_1"> <--- change enabled="true" to enabled="false" (leave appEnabled as it is)


<authConfig xmi:id="AuthorizationConfig_1" useJACCProvider="true">  <-- change useJACCProvider="true" to useJACCProvider="false"
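Doing that edit by hand on a long security.xml is error-prone: the same opening tag also carries appEnabled="true", which must stay as it is. The script below is an added example of mine, not code from this post or from WebSphere. It flips exactly the two attributes named above (enabled on <security:Security> and useJACCProvider on <authConfig>), keeps a .bak copy of the file, and reports what it actually changed so a second run is a no-op. The embedded XML is a constructed sample modelled on the fragment above, and the file path is whatever you pass in.

```python
import re
import shutil
from pathlib import Path
from typing import Dict, Tuple

# Opening tags we need to touch. [^>]* is safe here: attribute values in
# security.xml are quoted and never contain ">".
SECURITY_TAG = re.compile(r"<security:Security\b[^>]*>")
AUTHCONFIG_TAG = re.compile(r"<authConfig\b[^>]*>")


def _set_attr(tag: str, name: str, value: str) -> str:
    """Rewrite one attribute inside a single opening tag.

    The negative look-behind makes 'enabled' match only the attribute of that
    exact name, never the tail of another attribute such as appEnabled.
    """
    pattern = r'(?<![\w:])' + re.escape(name) + r'="[^"]*"'
    return re.sub(pattern, '%s="%s"' % (name, value), tag, count=1)


def disable_security_and_jacc(xml_text: str) -> Tuple[str, Dict[str, bool]]:
    """Return (patched text, which of the two flags actually changed).

    Only enabled on <security:Security> and useJACCProvider on <authConfig>
    are altered; everything else in the file is passed through untouched.
    """
    changed = {"enabled": False, "useJACCProvider": False}

    def fix_security(m):
        new = _set_attr(m.group(0), "enabled", "false")
        changed["enabled"] = new != m.group(0)
        return new

    def fix_auth(m):
        new = _set_attr(m.group(0), "useJACCProvider", "false")
        changed["useJACCProvider"] = new != m.group(0)
        return new

    out = SECURITY_TAG.sub(fix_security, xml_text, count=1)
    out = AUTHCONFIG_TAG.sub(fix_auth, out, count=1)
    return out, changed


def patch_security_xml(path: str) -> Dict[str, bool]:
    """Patch a security.xml in place, keeping a .bak copy next to it."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    shutil.copy2(str(p), str(p) + ".bak")
    patched, changed = disable_security_and_jacc(original)
    if any(changed.values()):
        p.write_text(patched, encoding="utf-8")
    return changed


# Constructed sample modelled on the fragment above (not a real cell's file).
SAMPLE_SECURITY_XML = """<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
  xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
  xmi:id="Security_1" useLocalSecurityServer="true" enabled="true" cacheTimeout="600"
  appEnabled="true" dynamicallyUpdateSSLConfig="true" activeAuthMechanism="LTPA_1">
  <authConfig xmi:id="AuthorizationConfig_1" useJACCProvider="true"/>
</security:Security>
"""

if __name__ == "__main__":
    text, flags = disable_security_and_jacc(SAMPLE_SECURITY_XML)
    print(flags)
    print(text)
```

Stop the server first, point patch_security_xml() at the profile's security.xml, and look at the returned dict before restarting: if both entries are False the file did not contain what you expected and nothing was written.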


After that the server came up again and we gave the problem a bit more thought. It turned out to be awfully simple and... well, strange? We had to add the hostname of the WAS machine to the policy server's /etc/hosts. Possibly this can also be solved by adding the WAS hostname to DNS; either way, pdmgrd must be able to resolve WAS's IP from the hostname it presents. Then we were able to complete the JACC configuration successfully, turn security back on for the whole cell, save and restart, and all worked like a wonder!
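Since the fix was name resolution on the policy server side, this is worth checking there before touching the JACC configuration again. The script below is an added example of mine, not part of the post or of TAM: it parses an /etc/hosts file and tells you whether the name WAS presents maps to the address WAS connects from, can repeat the same test against the live resolver (hosts file or DNS, whatever nsswitch says), and prints the hosts line to add when the check fails. The hosts content, the wasdmgr01 host and the example.test domain are constructed sample data; tamsec-p2-1 is the policy server name used in the SvrSslCfg command in the other post.

```python
import socket
from typing import Dict, List, Tuple

# Constructed /etc/hosts content for a policy server (not taken from a real box).
SAMPLE_HOSTS = """127.0.0.1   localhost
# the TAM policy server itself
10.0.0.5    tamsec-p2-1.example.test tamsec-p2-1
# WAS deployment manager, added so pdmgrd can resolve the name it presents
10.0.0.21   wasdmgr01.example.test wasdmgr01
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map every name and alias (lower-cased) to the IPs listed for it, in file order."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), []).append(ip)
    return table


def check_hosts_entry(hosts_text: str, was_hostname: str, was_ip: str) -> Tuple[bool, str]:
    """Does the hosts file map the name WAS presents to the address WAS connects from?"""
    ips = parse_hosts(hosts_text).get(was_hostname.lower(), [])
    if not ips:
        return False, "%s is not listed in /etc/hosts" % was_hostname
    if was_ip not in ips:
        return False, "%s resolves to %s, but WAS connects from %s" % (
            was_hostname, ", ".join(ips), was_ip)
    return True, "%s -> %s" % (was_hostname, was_ip)


def check_live_resolution(was_hostname: str, was_ip: str) -> Tuple[bool, str]:
    """Same test against the resolver actually in use on this machine.
    Run it on the policy server (where pdmgrd runs), not on the WAS box."""
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(was_hostname, None)})
    except socket.gaierror as exc:
        return False, "cannot resolve %s: %s" % (was_hostname, exc)
    if was_ip not in addrs:
        return False, "%s resolves to %s, expected %s" % (was_hostname, ", ".join(addrs), was_ip)
    return True, "%s -> %s" % (was_hostname, was_ip)


def hosts_line(was_ip: str, fqdn: str, short_name: str = "") -> str:
    """The line to append to the policy server's /etc/hosts when the check fails."""
    names = [fqdn] + ([short_name] if short_name and short_name != fqdn else [])
    return "%-15s %s" % (was_ip, " ".join(names))


if __name__ == "__main__":
    # wasnode02 is deliberately missing from the sample to show the failure path
    for host, ip in (("wasdmgr01", "10.0.0.21"), ("wasnode02", "10.0.0.22")):
        ok, msg = check_hosts_entry(SAMPLE_HOSTS, host, ip)
        print("OK  " if ok else "FAIL", msg)
        if not ok:
            print("      add:", hosts_line(ip, host + ".example.test", host))
```

The name to test is the one WAS puts in its own configuration (the hostname it presents when registering), and the address is the one pdmgrd sees the connection arrive from; if the WAS box is multi-homed or behind NAT, those two may disagree even when DNS looks fine from the WAS side.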

Why do I say it was strange? Because my suspicion is that the different PD.jar packages (or more precisely: the pd.* classes) responsible for connecting to the Policy Server do this in different ways. I'm too weak a programmer to dig this up and resolve it 100%, but I just know that you may get different results when a) configuring the JRE from pdconfig, b) using sslsrvcfg and c) configuring JACC from WAS (WebSphere's embedded TAM) - eventually, you just need to see what works best for you.

Good luck, leave a comment if it helped!



30 May 2012

PDJRTE for TAI++ config error: java.lang.NullPointerException at com.tivoli.pd.jutil.jb.getCACert(jb.java:129)

If you work with complex TAM & J2EE deployments, you will most probably come to the point where you need to use the TAI++ trust association scheme to tie your J2EE server (either WebSphere or some other) to the TAM & WebSEAL system. In particular, this is useful when you want to authenticate users in WebSEAL to "let them in" to your backend server but leave authorization to the J2EE application's internal mechanisms (based on LDAP, for example). If you want to read more on TAI/TAI++ you can do it here or here.
However, in a TAI++ scenario you will most probably come to the point where you need to configure your Java Runtime for Policy Director (usually done in pdconfig or with pdjrtecfg directly). What WAS really needs for TAI++ is essentially the address of the Policy Server, its certificate to be trusted (downloaded during PDJRTE configuration) and registration with the TAM pdmgrd as a member of the security domain. This information is stored in (not strictly required, but reasonable to do so) .conf and .key files produced after invoking java com.tivoli.pd.jcfg.SvrSslCfg, but first you need to have your PDJRTE configured.

I tried this with WebSphere App Server's java first (WAS 7 and TAM 6.1.0.5), and usually you do it by sourcing the WAS environment first and then using pdconfig. However, in WAS 7 there's a class conflict of some kind, and when you go to pdconfig and choose to configure WAS's java (normally /opt/ibm/WebSphere/AppServer/java/jre) to be the runtime for Policy Director, it picks the proper java but fails to finish the configuration with a nasty error:

Configuration of Access Manager Runtime for Java is in progress.
This might take several minutes.
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
        at java.lang.reflect.Method.invoke(Method.java:611)
        at com.tivoli.pd.jcfg.PDJrteCfg.config(PDJrteCfg.java:245)
        at com.tivoli.pd.jcfg.PDJrteCfg.interactCfg(PDJrteCfg.java:1307)
        at com.tivoli.pd.jcfg.PDJrteCfg.invoke(PDJrteCfg.java:1460)
        at com.tivoli.pd.jcfg.PDJrteCfg.main(PDJrteCfg.java:350)
Caused by:
[java.lang.NullPointerException
]

Wrappered Exception:
java.lang.NullPointerException
        at com.tivoli.pd.jutil.jb.getCACert(jb.java:129)
        ... 8 more
Caused by: java.lang.NullPointerException
        at org.apache.harmony.security.fortress.Services$NormalServices.createDefaultProviderInstance(Services.java:286)
        at org.apache.harmony.security.fortress.Services$NormalServices.getService(Services.java:423)
        at org.apache.harmony.security.fortress.Services$NormalServices.access$2100(Services.java:141)
        at org.apache.harmony.security.fortress.Services.getService(Services.java:824)
        at org.apache.harmony.security.fortress.Engine.getInstance(Engine.java:133)
        at java.security.KeyFactory.getInstance(KeyFactory.java:81)
        at com.ibm.security.x509.X509Key.buildX509Key(X509Key.java:275)
        at com.ibm.security.x509.X509Key.parse(X509Key.java:189)
        at com.ibm.security.x509.X509Key.parse(X509Key.java:215)
        at com.ibm.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:112)
        at com.ibm.security.x509.X509CertInfo.parse(X509CertInfo.java:966)
        at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:236)
        at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:222)
        at com.ibm.security.x509.X509CertImpl.parse(X509CertImpl.java:2285)
        at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:227)
        at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:213)
        at com.tivoli.pd.jutil.jb.getCACert(jb.java:51)
        ... 8 more

[java.lang.reflect.InvocationTargetException
]

Wrappered Exception:
java.lang.reflect.InvocationTargetException
        at com.tivoli.pd.jcfg.PDJrteCfg.config(PDJrteCfg.java:51)
        at com.tivoli.pd.jcfg.PDJrteCfg.interactCfg(PDJrteCfg.java:1307)
        at com.tivoli.pd.jcfg.PDJrteCfg.invoke(PDJrteCfg.java:1460)
        at com.tivoli.pd.jcfg.PDJrteCfg.main(PDJrteCfg.java:350)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
        at java.lang.reflect.Method.invoke(Method.java:611)
        at com.tivoli.pd.jcfg.PDJrteCfg.config(PDJrteCfg.java:245)
        ... 3 more
Caused by:
[java.lang.NullPointerException
]

Wrappered Exception:
java.lang.NullPointerException
        at com.tivoli.pd.jutil.jb.getCACert(jb.java:129)
        ... 8 more
Caused by: java.lang.NullPointerException
        at org.apache.harmony.security.fortress.Services$NormalServices.createDefaultProviderInstance(Services.java:286)
        at org.apache.harmony.security.fortress.Services$NormalServices.getService(Services.java:423)
        at org.apache.harmony.security.fortress.Services$NormalServices.access$2100(Services.java:141)
        at org.apache.harmony.security.fortress.Services.getService(Services.java:824)
        at org.apache.harmony.security.fortress.Engine.getInstance(Engine.java:133)
        at java.security.KeyFactory.getInstance(KeyFactory.java:81)
        at com.ibm.security.x509.X509Key.buildX509Key(X509Key.java:275)
        at com.ibm.security.x509.X509Key.parse(X509Key.java:189)
        at com.ibm.security.x509.X509Key.parse(X509Key.java:215)
        at com.ibm.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:112)
        at com.ibm.security.x509.X509CertInfo.parse(X509CertInfo.java:966)
        at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:236)
        at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:222)
        at com.ibm.security.x509.X509CertImpl.parse(X509CertImpl.java:2285)
        at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:227)
        at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:213)
        at com.tivoli.pd.jutil.jb.getCACert(jb.java:51)
        ... 8 more
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
        at java.lang.reflect.Method.invoke(Method.java:611)
        at com.tivoli.pd.jcfg.PDJrteCfg.config(PDJrteCfg.java:245)
        at com.tivoli.pd.jcfg.PDJrteCfg.interactCfg(PDJrteCfg.java:1307)
        at com.tivoli.pd.jcfg.PDJrteCfg.invoke(PDJrteCfg.java:1460)
        at com.tivoli.pd.jcfg.PDJrteCfg.main(PDJrteCfg.java:350)
Caused by:
[java.lang.NullPointerException
]

Wrappered Exception:
java.lang.NullPointerException
        at com.tivoli.pd.jutil.jb.getCACert(jb.java:129)
        ... 8 more
Caused by: java.lang.NullPointerException
        at org.apache.harmony.security.fortress.Services$NormalServices.createDefaultProviderInstance(Services.java:286)
        at org.apache.harmony.security.fortress.Services$NormalServices.getService(Services.java:423)
        at org.apache.harmony.security.fortress.Services$NormalServices.access$2100(Services.java:141)
        at org.apache.harmony.security.fortress.Services.getService(Services.java:824)
        at org.apache.harmony.security.fortress.Engine.getInstance(Engine.java:133)
        at java.security.KeyFactory.getInstance(KeyFactory.java:81)
        at com.ibm.security.x509.X509Key.buildX509Key(X509Key.java:275)
        at com.ibm.security.x509.X509Key.parse(X509Key.java:189)
        at com.ibm.security.x509.X509Key.parse(X509Key.java:215)
        at com.ibm.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:112)
        at com.ibm.security.x509.X509CertInfo.parse(X509CertInfo.java:966)
        at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:236)
        at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:222)
        at com.ibm.security.x509.X509CertImpl.parse(X509CertImpl.java:2285)
        at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:227)
        at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:213)
        at com.tivoli.pd.jutil.jb.getCACert(jb.java:51)
        ... 8 more

The configuration failed.


Press Enter to continue.


I suppose it is because WAS 7 has its own PD.jar file which may even be newer than the one supplied with TAM 6.1.0.5 <-- that's the version we're talking about here. Or it is because WAS 7 uses Java 6, whereas TAM works fine with Java 5 - I can't tell exactly.

Anyway, what to do about it? Simply point pdconfig to a different java. For example, IBM Java 5 is bundled with the TAM base package. Install it (it goes into the /opt/ibm/java2-i386-50/ directory) and put its bin directory at the front of your PATH, so that it is found before WAS's java:

export PATH=/opt/ibm/java2-i386-50/jre/bin:$PATH

and try pdconfig to configure PDJRTE again. It should succeed now.
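Which java pdconfig ends up using depends on what `java` resolves to on PATH, so it pays to check that before re-running it. The script below is an added example of mine, not part of the original post or of TAM/WebSphere: it walks a PATH string the way a shell would, reports whether a given JRE is the one that would be picked, and checks whether PD.jar is present in that JRE's lib/ext directory (an assumption about where a full pdjrtecfg configuration places it). demo() builds two throw-away fake JRE trees (constructed data, nothing is read from a real installation) to show that appending the TAM JRE behind an existing WAS java on PATH changes nothing, while prepending it selects the TAM one.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional


def _is_executable(p: Path) -> bool:
    # Permission bits rather than os.access(), so the check also works on noexec mounts.
    return p.is_file() and bool(p.stat().st_mode & stat.S_IXUSR)


def first_java_on_path(path_env: str) -> Optional[str]:
    """The java binary a shell would run for `java`, given a PATH string (first hit wins)."""
    for entry in path_env.split(os.pathsep):
        if entry and _is_executable(Path(entry) / "java"):
            return str(Path(entry) / "java")
    return None


def jre_is_selected(jre_dir: str, path_env: str) -> bool:
    """True when `java` on that PATH is the one inside jre_dir/bin."""
    found = first_java_on_path(path_env)
    wanted = (Path(jre_dir) / "bin" / "java").resolve()
    return found is not None and Path(found).resolve() == wanted


def inspect_jre(jre_dir: str) -> Dict[str, bool]:
    """Facts about a candidate JRE: is there a runnable java, and has pdjrtecfg
    already dropped PD.jar into lib/ext (assumed layout of a full PDJRTE config)."""
    jre = Path(jre_dir)
    return {
        "java_binary": _is_executable(jre / "bin" / "java"),
        "pd_jar_in_ext": (jre / "lib" / "ext" / "PD.jar").is_file(),
    }


def _fake_jre(root: Path, name: str, with_pd_jar: bool) -> Path:
    """Build a throw-away tree that looks like <root>/<name>/jre (constructed test data)."""
    jre = root / name / "jre"
    (jre / "bin").mkdir(parents=True)
    java = jre / "bin" / "java"
    java.write_text("#!/bin/sh\necho fake java\n")
    java.chmod(java.stat().st_mode | stat.S_IXUSR)
    if with_pd_jar:
        (jre / "lib" / "ext").mkdir(parents=True)
        (jre / "lib" / "ext" / "PD.jar").write_bytes(b"")
    return jre


def demo() -> Dict[str, object]:
    """Two fake JREs (WAS's and the TAM-bundled one) under two PATH orderings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        was_jre = _fake_jre(root, "WebSphere", with_pd_jar=False)
        tam_jre = _fake_jre(root, "java2-i386-50", with_pd_jar=True)
        was_bin, tam_bin = str(was_jre / "bin"), str(tam_jre / "bin")
        return {
            # export PATH=$PATH:<tam>/bin  -> WAS's java still wins
            "appended_selects_tam": jre_is_selected(str(tam_jre), was_bin + os.pathsep + tam_bin),
            # export PATH=<tam>/bin:$PATH  -> TAM's java is picked
            "prepended_selects_tam": jre_is_selected(str(tam_jre), tam_bin + os.pathsep + was_bin),
            "tam_jre": inspect_jre(str(tam_jre)),
            "was_jre": inspect_jre(str(was_jre)),
        }


if __name__ == "__main__":
    print("java on current PATH:", first_java_on_path(os.environ.get("PATH", "")))
    for key, value in demo().items():
        print(key, value)
```

On a real box, call jre_is_selected("/opt/ibm/java2-i386-50/jre", os.environ["PATH"]) from the same shell you will start pdconfig from; inspect_jre() on the same directory tells you afterwards whether the PDJRTE configuration actually landed in that JRE rather than in WAS's.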

To obtain the information needed for TAI++, now run SvrSslCfg with the java you just configured, e.g.:

/opt/ibm/java2-i386-50/jre/bin/java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd ***** -appsvr_id ****** -host ***** -mode remote -port 8925 -policysvr tamsec-p2-1:7135:1 -authzsvr tamsec-p2-1:7136:1 -cfg_file domainname.cfg -key_file domainname.key -cfg_action create -domain domainname

and later supply the resulting files to WAS as the TAI++ interceptor configuration item.

Good Luck!