Former Member
Jun 18, 2015 at 07:30 AM

Maximo 7.5, Websphere 8.5.5 with LDAP - Agentry 6.0.36.0 Authentication problem

Hi,

We upgraded our WAS server and WAS Client from 7.0.x to 8.5.5.5 and now the Syclo server is not able to authenticate with the WAS server. We tackled several things (see below), but now we are stuck. See below the details:

Versions:

Agentry 6.0.36, Work Manager 7.5.2

WAS and WAS client: <version>8.5.5.5</version>

Error message:

Server::login::Server::login begin

Server::login:: loginid = maxadmin

User::initMxSession::User::initMxSession begin

java.rmi.AccessException: CORBA NO_PERMISSION 0x0 No; nested exception is:

org.omg.CORBA.NO_PERMISSION:

>> SERVER (id=4773e3aa, host=v-wamint-01-d.mavir.hu) TRACE START:

>> org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException: ; nested exception is:

com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for ??? while invoking (Bean)MAXIMODEV#mboejb.jar#accesstokenprovider getAccessToken::1 is not granted any of the required roles: maximouser vmcid: 0x0 minor code: 0 completed: No

>> at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:631)

>> at com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java:266)

>> at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:83)

>> at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:43)

>> at com.ibm.ejs.container.EJSContainer.notifySecurityCollaboratorPreInvoke(EJSContainer.java:3895)

>> at com.ibm.ejs.container.EJSContainer.preInvokeAfterActivate(EJSContainer.java:3825)

>> at com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java:2965)

>> at psdi.security.ejb.EJSRemoteStatelessaccesstokenprovider_87daf10b.getAccessToken(Unknown Source)

>> at psdi.security.ejb._EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie._get_accessToken(_EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie.java:163)

>> at psdi.security.ejb._EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie._invoke(_EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie.java:87)

>> at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDelegate.java:631)

>> at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:501)

>> at com.ibm.rmi.iiop.ORB.process(ORB.java:623)

>> at com.ibm.CORBA.iiop.ORB.process(ORB.java:1581)

>> at com.ibm.rmi.iiop.Connection.doRequestWork(Connection.java:3151)

>> at com.ibm.rmi.iiop.Connection.doWork(Connection.java:3016)

>> at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:63)

>> at com.ibm.ws.giop.threadpool.WorkQueueElement.dispatch(WorkQueueElement.java:174)

>> at com.ibm.ws.giop.filter.GiopFilterChain.processMessage(GiopFilterChain.java:203)

>> at com.ibm.ws.giop.threadpool.PooledThread.handleRequest(PooledThread.java:81)

>> at com.ibm.ws.giop.threadpool.PooledThread.run(PooledThread.java:102)

>> at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)

>> SERVER (id=4773e3aa, host=v-wamint-01-d.mavir.hu) TRACE END.

vmcid: 0x0 minor code: 0 completed: No

at com.ibm.CORBA.iiop.UtilDelegateImpl.mapSystemException(UtilDelegateImpl.java:278)

at javax.rmi.CORBA.Util.mapSystemException(Util.java:78)

at psdi.security.ejb._AccessTokenProviderRemote_Stub.getAccessToken(_AccessTokenProviderRemote_Stub.java:254)

at com.ibm.tivoli.maximo.thinclient.MXThinClientSession$GetAccessTokenPrivilegedAction.run(MXThinClientSession.java:244)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.Subject.doAs(Subject.java:356)

at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:133)

at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:91)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:606)

at com.ibm.tivoli.maximo.thinclient.MXThinClientSession.getRemoteAccessToken(MXThinClientSession.java:181)

at com.ibm.tivoli.maximo.thinclient.MXAbstractClientSession.getMXServer(MXAbstractClientSession.java:64)

at psdi.util.RMISession.connect(RMISession.java:56)

at com.syclo.maximomobile.ldap.WebSphereThinClient.launch(WebSphereThinClient.java:84)

at com.syclo.maximomobile.MXSessionFactory.getMXSession(MXSessionFactory.java:48)

at com.syclo.maximomobile.User.doAppServerAuthentication(User.java:336)

at com.syclo.maximomobile.User.initMxSession(User.java:275)

at com.syclo.maximomobile.workmanager.User.initMxSession(User.java:58)

at com.syclo.maximomobile.Server.login(Server.java:144)

Caused by: org.omg.CORBA.NO_PERMISSION:

>> SERVER (id=4773e3aa, host=v-wamint-01-d.mavir.hu) TRACE START:

>> org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException: ; nested exception is:

com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for ??? while invoking (Bean)MAXIMODEV#mboejb.jar#accesstokenprovider getAccessToken::1 is not granted any of the required roles: maximouser vmcid: 0x0 minor code: 0 completed: No

>> at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:631)

>> at com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java:266)

>> at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:83)

>> at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:43)

>> at com.ibm.ejs.container.EJSContainer.notifySecurityCollaboratorPreInvoke(EJSContainer.java:3895)

>> at com.ibm.ejs.container.EJSContainer.preInvokeAfterActivate(EJSContainer.java:3825)

>> at com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java:2965)

>> at psdi.security.ejb.EJSRemoteStatelessaccesstokenprovider_87daf10b.getAccessToken(Unknown Source)

>> at psdi.security.ejb._EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie._get_accessToken(_EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie.java:163)

>> at psdi.security.ejb._EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie._invoke(_EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie.java:87)

>> at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDelegate.java:631)

>> at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:501)

>> at com.ibm.rmi.iiop.ORB.process(ORB.java:623)

>> at com.ibm.CORBA.iiop.ORB.process(ORB.java:1581)

>> at com.ibm.rmi.iiop.Connection.doRequestWork(Connection.java:3151)

>> at com.ibm.rmi.iiop.Connection.doWork(Connection.java:3016)

>> at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:63)

>> at com.ibm.ws.giop.threadpool.WorkQueueElement.dispatch(WorkQueueElement.java:174)

>> at com.ibm.ws.giop.filter.GiopFilterChain.processMessage(GiopFilterChain.java:203)

>> at com.ibm.ws.giop.threadpool.PooledThread.handleRequest(PooledThread.java:81)

>> at com.ibm.ws.giop.threadpool.PooledThread.run(PooledThread.java:102)

>> at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)

>> SERVER (id=4773e3aa, host=v-wamint-01-d.mavir.hu) TRACE END.

vmcid: 0x0 minor code: 0 completed: No

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)

at java.lang.reflect.Constructor.newInstance(Constructor.java:526)

at com.ibm.rmi.iiop.ReplyMessage._getSystemException(ReplyMessage.java:340)

at com.ibm.rmi.iiop.ReplyMessage.getSystemException(ReplyMessage.java:211)

at com.ibm.rmi.iiop.ClientResponseImpl.getSystemException(ClientResponseImpl.java:235)

at com.ibm.rmi.corba.ClientDelegate.invoke(ClientDelegate.java:501)

at com.ibm.CORBA.iiop.ClientDelegate.invoke(ClientDelegate.java:1223)

at com.ibm.rmi.corba.ClientDelegate.invoke(ClientDelegate.java:674)

at com.ibm.CORBA.iiop.ClientDelegate.invoke(ClientDelegate.java:1253)

at org.omg.CORBA.portable.ObjectImpl._invoke(ObjectImpl.java:484)

at psdi.security.ejb._AccessTokenProviderRemote_Stub.getAccessToken(_AccessTokenProviderRemote_Stub.java:244)

... 18 more

User::initMxSession::null

Server::login:: for maxadmin caught AgentryException logging in user maxadmin - null

Server::loginFailed::Server::loginFailed begin

User::disconnect::User::disconnect begin

User::disconnect::did not call _mxSession.disconnect()!

User::disconnect::User::disconnect end

Server::loginFailed::maxadmin

Event: 0, 6, maxadmin: Invalid Password

It seems the Syclo server is already pushing through the auth request to Maximo, but then it dies. The Syclo reaches Maximo as we are able to see the error messages in the systemout.log. When I type the good pwd I receive this message in Maximo:


[6/16/15 15:05:31:289 CEST] 00000133 SecurityColla A SECJ0053E: Authorization failed for ??? while invoking (Bean)MAXIMODEV#mboejb.jar#accesstokenprovider getAccessToken::1 is not granted any of the required roles: maximouser

When I type a wrong pwd in the Syclo pop-up window I receive this message in the Maximo systemout:

[6/16/15 15:11:51:842 CEST] 00000133 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E The password verification for the 'XXXXXYYYYYYY' principal name failed. Root cause: 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; Resolved object: 'com.sun.jndi.ldap.LdapCtx@98b01f0''..


Now, what I did to get this far 😊 (as I had to change a couple of things to at least reach Maximo after we moved to WAS 8.5.5.5):

- Agentry.ini (classpath, nonstd java opt) checked and updated to make the classes available (In the WASCLIENT folder I had to create an ENDORSED folder and copy a couple of jar files to make those available (required for nonstandard java option section in Agentry.ini))

- WAS Global security Inbound-outbound changed from SSL required to SSL Supported (IBM org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible, after migration to version 8. - United States)

- Nodes, dmr restarted, checked etc. (IBM SECJ0053E: Authorization failed for /UNAUTHENTICATED - United States)


This is where we are at the moment. I'm open for suggestions, ideas.


cheers


Gergő Bozsó
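
A small triage script for the two SystemOut.log messages quoted in the post, added here as an example (it is not part of the original post and is not Agentry, Maximo or WebSphere code). It separates the authorization failure (SECJ0053E) from the LDAP authentication failure (SECJ0369E) and decodes the Active Directory sub-code; the regexes are written against the two quoted lines only, and the function names and the whitespace role separator are assumptions.

```python
import re

# Constructed sample input: the two SystemOut.log lines quoted in the post above.
SAMPLE_LOG = """\
[6/16/15 15:05:31:289 CEST] 00000133 SecurityColla A SECJ0053E: Authorization failed for ??? while invoking (Bean)MAXIMODEV#mboejb.jar#accesstokenprovider getAccessToken::1 is not granted any of the required roles: maximouser
[6/16/15 15:11:51:842 CEST] 00000133 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E The password verification for the 'XXXXXYYYYYYY' principal name failed. Root cause: 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; Resolved object: 'com.sun.jndi.ldap.LdapCtx@98b01f0''..
"""

# Active Directory sub-codes carried in the "data NNN" field of LDAP error 49.
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\S+\s+\S+\s+[A-Z]\s+(?P<msgid>[A-Z]{4,5}\d{4}[A-Z]):\s*(?P<text>.*)$")
AUTHZ = re.compile(r"Authorization failed for (?P<principal>.+?) while invoking \(Bean\)(?P<bean>\S+) (?P<method>\S+) is not granted any of the required roles: (?P<roles>.+)$")
AUTHN = re.compile(r"for the '(?P<principal>[^']*)' principal name failed.*?LDAP: error code (?P<code>\d+).*?data (?P<data>[0-9a-fA-F]+),")

def triage(line):
    """Classify one SystemOut.log line as an authentication or authorization failure."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = {"ts": m["ts"], "msgid": m["msgid"], "stage": "other"}
    if m["msgid"] == "SECJ0053E":          # caller reached the EJB, role check failed
        z = AUTHZ.search(m["text"])
        if z:
            # "???" means the log line does not name the caller at all.
            event.update(stage="authorization", principal=z["principal"], bean=z["bean"],
                         method=z["method"], required_roles=z["roles"].split(),
                         principal_named=z["principal"] != "???")
    elif m["msgid"] == "SECJ0369E":        # credential check against the registry failed
        n = AUTHN.search(m["text"])
        if n:
            event.update(stage="authentication", principal=n["principal"], ldap_code=int(n["code"]),
                         ad_reason=AD_SUBCODES.get(n["data"].lower(), "unknown sub-code"))
    return event

def triage_log(text):
    """Return one event dict per recognisable log line."""
    return [e for e in map(triage, text.splitlines()) if e]

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(e)
```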