Maximo 7.5, Websphere 8.5.5 with LDAP - Agentry 6.0.36.0 Authentication problem

Former Member
0 Kudos

Hi,

We upgraded our WAS server and WAS Client from 7.0.x to 8.5.5.5 and now the Syclo server is not able to authenticate with the WAS server. We tackled several things (see below), but now we are stuck. See the details below:

Versions:

Agentry 6.0.36, Work Manager 7.5.2

WAS and WAS client:  <version>8.5.5.5</version>

Error message:

Server::login::Server::login begin
Server::login:: loginid = maxadmin
User::initMxSession::User::initMxSession begin
java.rmi.AccessException: CORBA NO_PERMISSION 0x0 No; nested exception is:
        org.omg.CORBA.NO_PERMISSION:
        >> SERVER (id=4773e3aa, host=v-wamint-01-d.mavir.hu) TRACE START:
        >>    org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException:  ; nested exception is:
        com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for ??? while invoking (Bean)MAXIMODEV#mboejb.jar#accesstokenprovider getAccessToken::1  is not granted any of the required roles: maximouser   vmcid: 0x0  minor code: 0  completed: No
        >>       at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:631)
        >>       at com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java:266)
        >>       at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:83)
        >>       at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:43)
        >>       at com.ibm.ejs.container.EJSContainer.notifySecurityCollaboratorPreInvoke(EJSContainer.java:3895)
        >>       at com.ibm.ejs.container.EJSContainer.preInvokeAfterActivate(EJSContainer.java:3825)
        >>       at com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java:2965)
        >>       at psdi.security.ejb.EJSRemoteStatelessaccesstokenprovider_87daf10b.getAccessToken(Unknown Source)
        >>       at psdi.security.ejb._EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie._get_accessToken(_EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie.java:163)
        >>       at psdi.security.ejb._EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie._invoke(_EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie.java:87)
        >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDelegate.java:631)
        >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:501)
        >>       at com.ibm.rmi.iiop.ORB.process(ORB.java:623)
        >>       at com.ibm.CORBA.iiop.ORB.process(ORB.java:1581)
        >>       at com.ibm.rmi.iiop.Connection.doRequestWork(Connection.java:3151)
        >>       at com.ibm.rmi.iiop.Connection.doWork(Connection.java:3016)
        >>       at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:63)
        >>       at com.ibm.ws.giop.threadpool.WorkQueueElement.dispatch(WorkQueueElement.java:174)
        >>       at com.ibm.ws.giop.filter.GiopFilterChain.processMessage(GiopFilterChain.java:203)
        >>       at com.ibm.ws.giop.threadpool.PooledThread.handleRequest(PooledThread.java:81)
        >>       at com.ibm.ws.giop.threadpool.PooledThread.run(PooledThread.java:102)
        >>       at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
        >> SERVER (id=4773e3aa, host=v-wamint-01-d.mavir.hu) TRACE END.
  vmcid: 0x0  minor code: 0  completed: No
        at com.ibm.CORBA.iiop.UtilDelegateImpl.mapSystemException(UtilDelegateImpl.java:278)
        at javax.rmi.CORBA.Util.mapSystemException(Util.java:78)
        at psdi.security.ejb._AccessTokenProviderRemote_Stub.getAccessToken(_AccessTokenProviderRemote_Stub.java:254)
        at com.ibm.tivoli.maximo.thinclient.MXThinClientSession$GetAccessTokenPrivilegedAction.run(MXThinClientSession.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)
        at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:133)
        at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:91)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at com.ibm.tivoli.maximo.thinclient.MXThinClientSession.getRemoteAccessToken(MXThinClientSession.java:181)
        at com.ibm.tivoli.maximo.thinclient.MXAbstractClientSession.getMXServer(MXAbstractClientSession.java:64)
        at psdi.util.RMISession.connect(RMISession.java:56)
        at com.syclo.maximomobile.ldap.WebSphereThinClient.launch(WebSphereThinClient.java:84)
        at com.syclo.maximomobile.MXSessionFactory.getMXSession(MXSessionFactory.java:48)
        at com.syclo.maximomobile.User.doAppServerAuthentication(User.java:336)
        at com.syclo.maximomobile.User.initMxSession(User.java:275)
        at com.syclo.maximomobile.workmanager.User.initMxSession(User.java:58)
        at com.syclo.maximomobile.Server.login(Server.java:144)
Caused by: org.omg.CORBA.NO_PERMISSION:
        >> SERVER (id=4773e3aa, host=v-wamint-01-d.mavir.hu) TRACE START:
        >>    org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException:  ; nested exception is:
        com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for ??? while invoking (Bean)MAXIMODEV#mboejb.jar#accesstokenprovider getAccessToken::1  is not granted any of the required roles: maximouser   vmcid: 0x0  minor code: 0  completed: No
        >>       at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:631)
        >>       at com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java:266)
        >>       at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:83)
        >>       at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:43)
        >>       at com.ibm.ejs.container.EJSContainer.notifySecurityCollaboratorPreInvoke(EJSContainer.java:3895)
        >>       at com.ibm.ejs.container.EJSContainer.preInvokeAfterActivate(EJSContainer.java:3825)
        >>       at com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java:2965)
        >>       at psdi.security.ejb.EJSRemoteStatelessaccesstokenprovider_87daf10b.getAccessToken(Unknown Source)
        >>       at psdi.security.ejb._EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie._get_accessToken(_EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie.java:163)
        >>       at psdi.security.ejb._EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie._invoke(_EJSRemoteStatelessaccesstokenprovider_87daf10b_Tie.java:87)
        >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDelegate.java:631)
        >>       at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:501)
        >>       at com.ibm.rmi.iiop.ORB.process(ORB.java:623)
        >>       at com.ibm.CORBA.iiop.ORB.process(ORB.java:1581)
        >>       at com.ibm.rmi.iiop.Connection.doRequestWork(Connection.java:3151)
        >>       at com.ibm.rmi.iiop.Connection.doWork(Connection.java:3016)
        >>       at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:63)
        >>       at com.ibm.ws.giop.threadpool.WorkQueueElement.dispatch(WorkQueueElement.java:174)
        >>       at com.ibm.ws.giop.filter.GiopFilterChain.processMessage(GiopFilterChain.java:203)
        >>       at com.ibm.ws.giop.threadpool.PooledThread.handleRequest(PooledThread.java:81)
        >>       at com.ibm.ws.giop.threadpool.PooledThread.run(PooledThread.java:102)
        >>       at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
        >> SERVER (id=4773e3aa, host=v-wamint-01-d.mavir.hu) TRACE END.
  vmcid: 0x0  minor code: 0  completed: No
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at com.ibm.rmi.iiop.ReplyMessage._getSystemException(ReplyMessage.java:340)
        at com.ibm.rmi.iiop.ReplyMessage.getSystemException(ReplyMessage.java:211)
        at com.ibm.rmi.iiop.ClientResponseImpl.getSystemException(ClientResponseImpl.java:235)
        at com.ibm.rmi.corba.ClientDelegate.invoke(ClientDelegate.java:501)
        at com.ibm.CORBA.iiop.ClientDelegate.invoke(ClientDelegate.java:1223)
        at com.ibm.rmi.corba.ClientDelegate.invoke(ClientDelegate.java:674)
        at com.ibm.CORBA.iiop.ClientDelegate.invoke(ClientDelegate.java:1253)
        at org.omg.CORBA.portable.ObjectImpl._invoke(ObjectImpl.java:484)
        at psdi.security.ejb._AccessTokenProviderRemote_Stub.getAccessToken(_AccessTokenProviderRemote_Stub.java:244)
        ... 18 more
User::initMxSession::null
Server::login:: for maxadmin caught AgentryException logging in user maxadmin - null
Server::loginFailed::Server::loginFailed begin
User::disconnect::User::disconnect begin
User::disconnect::did not call _mxSession.disconnect()!
User::disconnect::User::disconnect end
Server::loginFailed::maxadmin
Event: 0, 6, maxadmin: Invalid Password

It seems the Syclo server is already pushing through the auth request to Maximo, but then it dies. The Syclo reaches Maximo as we are able to see the error messages in the systemout.log. When I type the good pwd I receive this message in maximo:


[6/16/15 15:05:31:289 CEST] 00000133 SecurityColla A SECJ0053E: Authorization failed for ??? while invoking (Bean)MAXIMODEV#mboejb.jar#accesstokenprovider getAccessToken::1 is not granted any of the required roles: maximouser

When I type a wrong pwd in the syclo pop up window I receive this message in maximo systemout:

[6/16/15 15:11:51:842 CEST] 00000133 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E The password verification for the 'XXXXXYYYYYYY' principal name failed. Root cause: 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; Resolved object: 'com.sun.jndi.ldap.LdapCtx@98b01f0''..


Now, what I did to get this far (as I had to change a couple things to at least reach Maximo after we moved to WAS 8.5.5.5):

- Agentry.ini (classpath, nonstd java opt) checked and updated to make the classes available (in the WASCLIENT folder I had to create an ENDORSED folder and copy a couple of jar files to make those available; required for the nonstandard java option section in Agentry.ini)

- WAS Global security Inbound-outbound changed from SSL required to SSL Supported (IBM org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible, after migration to version 8. -...)

- Nodes, dmr restarted, checked etc. (IBM SECJ0053E: Authorization failed for /UNAUTHENTICATED - United States)


This is where we are at the moment. I'm open for suggestions, ideas.


cheers


Gergő Bozsó


Accepted Solutions (1)

Former Member
0 Kudos

Hi,

We finally solved this issue, which was caused by the Websphere Application Server and Application Client upgrade with additional JAVA JDK, JRE upgrade!

Here is a small guide to what we did to make the Syclo Agentry connection available through wasclient 8.5.5.5 and Java 1.7_79:

Install Java jdk-7u79-windows-x64.exe to C:\Java17

Modify Environmental Path with the updated Java (like you have in the Syclo install guide)

Install Websphere Application client 8.5.5 to C:\IBM\WebSphere855 (do NOT install to programfiles or any directory with SPACE)

Make the necessary changes in the Agentry.ini

  • classPath=./Java/businessobjects.jar;./Java/mbojava.jar;./Java/mboejbclient.jar;./Java/Agentry-v5.jar;./Java/S4MxWM-7.5.2.0.jar;./Java/ini4j.jar;./Java/icu4j.jar;./Java;C:/IBM/WebSphere855/AppClient/properties;C:/IBM/WebSphere855/AppClient/lib/startup.jar;C:/IBM/WebSphere855/AppClient/lib/bootstrap.jar;C:/IBM/WebSphere855/AppClient/lib/lmproxy.jar;C:/IBM/WebSphere855/AppClient/lib/urlprotocols.jar;./Java/S4Mx-Rounds-7.5.2.0.jar
  • nonStandardJavaOptions=-Djava.endorsed.dirs=C:\IBM\WEBSPH~2\APPCLI~1\java\jre\lib\endorsed -Djava.ext.dirs=C:\Java17\JDK17~1.0_7\jre\lib\ext;C:\IBM\WEBSPH~2\APPCLI~1\lib;C:\IBM\WEBSPH~2\APPCLI~1\plugins

You need to create an endorsed folder under the new Appclient855 folder, and then copy the files below from c:\IBM\WebSphere855\AppClient\java\jre\lib\ to c:\IBM\WebSphere855\AppClient\java\jre\lib\endorsed

  • ibmorb.jar
  • ibmorbapi.jar
  • ibmcfw.jar

Modify the JavaBe.ini file to reflect the new wasclient path for the sas.client.props file

Modify sas.client.props under the wasclient properties folder

  1. com.ibm.CORBA.validateBasicAuth=false
  2. com.ibm.CSI.performClientAuthenticationRequired=true
  3. com.ibm.CSI.performTransportAssocSSLTLSRequired=false

Now you need to copy orb.properties file from c:\IBM\WebSphere855\AppClient\java\jre\lib\ to C:\Java17\jdk1.7.0_79\jre\lib

Change WAS Global setting Global security > CSIv2 inbound communications and outbound from SSL Required to SSL Supported

Create a new property in the WAS console Global Security > Custom properties

  1. com.ibm.websphere.security.registry.propagateExceptionsToClient=true

bill_froelich
Product and Topic Expert
0 Kudos

Thanks for sharing your solution.

bill_froelich
Product and Topic Expert
0 Kudos

This worked for me with one change.  When modifying the sas.client.props I had to change Supported instead of Required to false.  Required was already false for me.

Modify sas.client.props under the wasclient properties folder

c. com.ibm.CSI.performTransportAssocSSLTLSSupported=false

--Bill
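
Added example, not part of the original posts or of any IBM/SAP tooling: a small Python check that reads a sas.client.props file and reports what the CSIv2 settings from the accepted answer and from Bill's follow-up mean for the IIOP connection, in particular that the login is sent without TLS being enforced. The sample file contents and the finding names are constructed for illustration.

```python
import re

# Constructed sample: sas.client.props after the accepted answer's three
# changes plus the Supported=false change from the follow-up comment.
SAMPLE_PROPS = """\
# CSIv2 client settings (constructed sample, not a real file)
com.ibm.CORBA.validateBasicAuth=false
com.ibm.CSI.performClientAuthenticationRequired = true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performTransportAssocSSLTLSSupported=false
"""

_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")

def parse_props(text):
    """Parse simple key=value lines of a Java .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # skip blanks and comments
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def _flag(props, key):
    """True/False for an explicit boolean, None when the key is absent."""
    value = props.get(key)
    return None if value is None else value.lower() == "true"

def audit(props):
    """Return finding codes for the transport/authentication combination."""
    tls_req = _flag(props, "com.ibm.CSI.performTransportAssocSSLTLSRequired")
    tls_sup = _flag(props, "com.ibm.CSI.performTransportAssocSSLTLSSupported")
    auth_req = _flag(props, "com.ibm.CSI.performClientAuthenticationRequired")
    lazy = _flag(props, "com.ibm.CORBA.validateBasicAuth") is False
    findings = []
    if tls_req is not True:
        # Supported=false means the client never negotiates TLS at all.
        findings.append("tls-disabled" if tls_sup is False else "tls-not-required")
        if auth_req:
            findings.append("credentials-sent-without-required-tls")
    if lazy:
        # Password is only checked by the server on the first remote call.
        findings.append("password-checked-on-first-call")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_props(SAMPLE_PROPS)):
        print(finding)
```
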
