I am building the SSO between IBM ISAM & LIberty profile using LTPA token, The ISAM is configured with LDAP authentication and i have added same LDAP users into liberty server.xml basic registry. Now after the ISAM authentication i am not able to see the my liberty and i see the below error in the liberty log.
stack trace Stack Dump = com.ibm.ws.security.registry.EntryNotFoundException: cn=f4a3e7df53e9caf8dfd3,o=xxx,c=us,dc=xxx,dc=com does not exist at com.ibm.ws.security.registry.basic.internal.BasicRegistry.getUserSecurityName(BasicRegistry.java:506) at com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule.setUpTemporaryUserSubject(TokenLoginModule.java:130) at com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule.login(TokenLoginModule.java:76) at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:53) at
Configuration Details
In the liberty ltpa.keys the realm is "com.ibm.websphere.ltpa.Realm=BasicRealm" and this what used in the above junction.
In server.xml
basicRegistry id="basic" realm="BasicRealm"
user name="loginID=user#mail.com,cn=f4a3e7df53e9caf8dfd3,o=xxx,c=xx,dc=xxx,dc=com" password="qazwsx1234"
group name="LDAPgroupUsers"
member name="loginID=user#mail.com,cn=f4a3e7df53e9caf8dfd3,o=xxx,c=xx,dc=xxx,dc=com"
group
basicRegistry
webApplication contextRoot="my-demo" id="MyDemo" location="MyDemo.war" name="MyDemo"
application-bnd
security-role name="LDAPUsersRole"
group name="LDAPgroupUsers"
security-role
application-bnd
webApplication
I feel the ltpa2token passed to liberty and i can see it from the below log, So it must some issue the way i configured the user patterns in basicRegistry mentioned in server.xml .... Any clue?
Object type = com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule
tc = class com.ibm.websphere.ras.TraceComponent#8f59a5c2
strings[0] = "TraceComponent[com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule,class com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule,[Authentication],com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages,null]"
accessId = "user:BasicRealm/cn=f4a3e7df53e9caf8dfd3,o=xxx,c=us,dc=xxx,dc=com"
recreatedToken = class com.ibm.ws.security.token.ltpa.internal.LTPAToken2#255023a9
tc = class com.ibm.websphere.ras.TraceComponent#cb94b8a1
I have queried the user in LDAP and added the same pattern (name="cn=f4a3e7df53e9caf8dfd3,o=xxx,c=xx,dc=xxx,dc=com) as in server.xml
then it worked.
Thanks Tamboli.
Related
Spring Version: 5.0.8.RELEASE
Spring Boot Dependencies Version: 2.0.4.RELEASE
Java Version: 1.8.0_131
Spring Boot Admin reports that a client is down. However I can see that the client is running by navigating to it in the browser. On the details view for the client in Sprint Boot Admin the message under the health section is "Fetching health failed, Network Error". There are three URLs shown in the header of the details page:
http://localhost:8090/WorkOrderPrinting
http://localhost:8090/WorkOrderPrinting/manage
http://localhost:8090/WorkOrderPrinting/manage/health
Clicking them opens the respective views. Here is the output from the health view:
{"status":"UP","details":{"diskSpace":{"status":"UP","details":{"total":80482930688,"free":77726302208,"threshold":10485760}},"db":{"status":"UP","details":{"tenantRoutingDataSource":{"status":"UP","details":{"database":"Informix Dynamic Server","hello":104}},"userSetTenantRoutingDS":{"status":"UP","details":{"database":"Informix Dynamic Server","hello":104}},"dataSourceCbCommon":{"status":"UP","details":{"database":"Informix Dynamic Server","hello":104}},"dataSourceCbOrg":{"status":"UP","details":{"database":"Informix Dynamic Server","hello":104}}}}}}
It seems to be telling me that the client application is up and running. So I am not sure why Sprint Boot Admin UI is not reflecting that.
I have a second application running as a client and its working as expected. The result of the health URL is the same.
{"status":"UP","details":{"diskSpace":{"status":"UP","details":{"total":80482930688,"free":77726248960,"threshold":10485760}},"db":{"status":"UP","details":{"tenantRoutingDataSource":{"status":"UP","details":{"database":"Informix Dynamic Server","hello":104}},"userSetTenantRoutingDS":{"status":"UP","details":{"database":"Informix Dynamic Server","hello":104}},"dataSourceCbCommon":{"status":"UP","details":{"database":"Informix Dynamic Server","hello":104}},"dataSourceCbOrg":{"status":"UP","details":{"database":"Informix Dynamic Server","hello":104}}}}}}
The Spring Boot Admin Server log shows this error for Work Order Printing. Again, not sure why the URLs are working, but the log shows an error.
2018-09-13 09:19:19.071 DEBUG 5208 --- [ parallel-2] d.c.b.a.server.services.StatusUpdater : Update status for Instance(id=6212ad7c5ab4, version=1, registration=Registration(name=Work Order Printing Development, managementUrl=http://localhost:8090/WorkOrderPrinting/manage, healthUrl=http://localhost:8090/WorkOrderPrinting/manage/health, serviceUrl=http://localhost:8090/WorkOrderPrinting, source=http-api), registered=true, statusInfo=StatusInfo(status=DOWN, details={error=Found, status=302}), statusTimestamp=2018-09-13T13:15:08.169Z, info=Info(values={}), endpoints=Endpoints(endpoints={health=Endpoint(id=health, url=http://localhost:8090/WorkOrderPrinting/manage/health)}), buildVersion=null)
Spring Boot Admin Server Config
server.servlet.context-path=/adminserver
logging.file=/var/log/eti/webui/adminserver.log
logging.level.de.codecentric.boot.admin.server=INFO
Failing Client Config
#Admin Panel config
#
#This is the URL for the admin panel that this application will send its information to
spring.boot.admin.client.url=http://localhost:8080/adminserver
#This is required when deploying to Tomcat because the Admin panel cant seem to determine what the URL will be on its own
spring.boot.admin.client.instance.service-base-url=http://localhost:8090
#This is the name that will be displayed in the admin panel for this application
spring.boot.admin.client.instance.name=Work Order Printing
#
spring.boot.admin.auto-registration=true
#
#Actuator config needed to expose endpoints to admin panel
#
management.endpoints.web.base-path=/manage
management.endpoints.web.exposure.include:*
management.endpoint.health.show-details=always
Working Client Config
#Admin Panel config
#
#This is the URL for the admin panel that this application will send its information to
spring.boot.admin.client.url=http://localhost:8080/adminserver
#This is required when deploying to Tomcat because the Admin panel cant seem to determine what the URL will be on its own
spring.boot.admin.client.instance.service-base-url=http://localhost:8085
#This is the name that will be displayed in the admin panel for this application
spring.boot.admin.client.instance.name=LaunchPad
spring.boot.admin.auto-registration=true
#
#Actuator config needed to expose endpoints to admin panel
#
management.endpoints.web.base-path=/manage
management.endpoints.web.exposure.include:*
management.endpoint.health.show-details=always
So the problem turned out to be a configuration issue on my end. The Admin Server log shows the following:
2018-09-13 09:19:19.071 DEBUG 5208 --- [ parallel-2] d.c.b.a.server.services.StatusUpdater : Update status for Instance(id=6212ad7c5ab4, version=1, registration=Registration(name=Work Order Printing Development, managementUrl=http://localhost:8090/WorkOrderPrinting/manage, healthUrl=http://localhost:8090/WorkOrderPrinting/manage/health, serviceUrl=http://localhost:8090/WorkOrderPrinting, source=http-api), registered=true, statusInfo=StatusInfo(status=DOWN, details={error=Found, status=302}), statusTimestamp=2018-09-13T13:15:08.169Z, info=Info(values={}), endpoints=Endpoints(endpoints={health=Endpoint(id=health, url=http://localhost:8090/WorkOrderPrinting/manage/health)}), buildVersion=null)
Its basically saying that there is a 302 (redirect) happening so it cant reach the URL. The reason for this that I forgot to allow access to the URLs in Spring Security config. I could get to them with the browser because I was logged in. Spring Boot Admin could not, because it was not logged in.
I added a rule to allow access to the /manage/ urls
public void configure(WebSecurity web) throws Exception
{
web.ignoring().antMatchers("/css/**", "/fonts/**", "/img/**", "/js/**", "/close", "/webjars/**", "/manage/**");
}
I was preparing production environment to deploy my ADF web application developed in jdeveloper 12.2.1. Installed and configured weblogic 12.2.1.1.0(latest version) and database( Oracle DB 11g) in different servers. I tired to deploy a simple demo application which worked smoothly. But when i tired to deploy my application with MDS enabled which also having login credentials it's not get loading. Application and servers(3 managed servers added in a cluster) are active and its health is fine.
While I checked the log i can found the error message as below:
weblogic.kernel.Default (self-tuning)'> <OracleSystemUser> <BEA1-00A6CDC0DF4E2399D225> <c21c09b7-a391-47ae-b2eb-0d8dc5bec343-00000d61> <1477317511991> <[severity-value: 64] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-010227> <EJB exception occurred during invocation from home or business: oracle.wsm.policymanager.bean.ejb.impl.UsageTracker_oi3aq7_Intf generated exception
: java.lang.SecurityException: WSM-02084 : Access denied. Permission "oracle.wsm.security.PolicyManagerPermission" is required to access the wsm policy manager "UsageTracker" method "recordUsage".>
I am stuck with this issues. Tried by starting and stopping servers and deploy and undeploy application many times.
Any help would be appreciable.
Thanks in advance.
You may want to check the suggestions on "SOA Suite 12.2.1 - OWSM WSM-02084 issue" from Michel Schildmeijer.
He suggests editing the policy.Accessor and adding oracle.wsm.security.PolicyManagerPermission for resource UsageTracker#recordUsage to the wsm-pm Application Stripe via "Fusion Middleware Control" under WebLogic Domain > Security > Application Policies.
https://community.oracle.com/blogs/mnemonic/2016/10/16/soa-suite-1221-owsm-wsm-02084-issue
I am using the GORM option to store the generated token in database for my Grails 3.x application using grails spring security rest plugin.
The application generates the token but does not get stored in database. Do we need to override the tokenStorage method and have our own implementation to store the token in database
The plugin properties configured in application.groovy are listed below
grails.plugin.springsecurity.rest.token.validation.useBearerToken = false
grails.plugin.springsecurity.rest.login.endpointUrl = '/api/login'
grails.plugin.springsecurity.rest.token.validation.headerName = 'X-Auth-Token'
grails.plugin.springsecurity.rest.token.storage.useJwt = false
grails.plugin.springsecurity.rest.token.storage.useGorm=true
grails.plugin.springsecurity.rest.token.storage.gorm.tokenDomainClassName='com.auth.AuthenticationToken'
grails.plugin.springsecurity.rest.token.storage.gorm.tokenValuePropertyName='token'
grails.plugin.springsecurity.rest.token.storage.gorm.usernamePropertyName='username'
grails.plugin.springsecurity.rest.login.passwordPropertyName = 'password'
grails.plugin.springsecurity.rest.login.useJsonCredentials = true
grails.plugin.springsecurity.rest.login.useRequestParamsCredentials = false
grails.plugin.springsecurity.rest.token.rendering.authoritiesPropertyName = 'permissions'
Make sure you have added the following to your build.gradle:
compile 'org.grails.plugins:spring-security-rest:2.0.0.M2'
compile 'org.grails.plugins:spring-security-rest-gorm:2.0.0.M2'
And you have defined the following in application.groovy or application.yml
grails.plugin.springsecurity.rest.token.storage.useGorm=true
grails.plugin.springsecurity.rest.token.storage.gorm.tokenDomainClassName = 'com.yourdomain.AuthenticationToken'
grails.plugin.springsecurity.rest.token.storage.gorm.tokenValuePropertyName = 'tokenValue'
grails.plugin.springsecurity.rest.token.storage.gorm.usernamePropertyName = 'username'
There is almost no information to help you. No build configuration, no logs, no idea how the requests are made...
But from the description of your problem, my guess is that you are missing the GORM module in your classpath. It's clearly stated in the documentation.
Be also sure to read the what's new in 2.0 chapter.
I had the same problem, token not stored and no error messages seen.
After installing the GORM plugin:
compile "org.grails.plugins:spring-security-rest-gorm:2.0.0.M2"
I could login and a token was saved into the table.
I would like to enable trace for DB2 which I'm accessing via datasource in WebSphere Application Server version 8.
In the server's bootstrap.properties file after the variable com.ibm.ws.logging.trace.specification= add the following code:
for version 6 or later:
*=info:WAS.j2c=all:RRA=all:WAS.database=all:Transaction=all
for version 5:
RRA=all=enabled:WAS.database=all=enabled:J2C=all=enabled
More info can be found on IBM website: https://www-304.ibm.com/support/docview.wss?rs=71&uid=swg21196160#wasconnection
In you datasource you need to specify the traceLevel property as well.
Example:
<dataSource id="db2" jndiName="jdbc/db2" jdbcDriverRef="DB2Driver" >
<properties.db2.jcc databaseName="myDB" traceLevel="-1"/>
</dataSource>
Actually it depends on the WebSphere version and the way DB2 is used. I'll try to summarize your options, for more details look at the links at the bottom.
WebSphere Application Server (Full Profile)
You have the following options:
You can enable general database related tracing via WebSphere tracing infrastructure.
In the WebSphere web admin console go to Troubleshooting > Logging and tracing > serverName > Change log detail levels and either on the Runtime tab (effective immediately) or on Configuration tab (effective after restart) set the trace to *=info:WAS.database=all or more detailed *=info:WAS.j2c=all:RRA=all:WAS.database=all:Transaction=all. This trace string is general, for JDBC connection, not only for DB2.
You can enable DB2 datasource trace related options.
In the WebSphere web admin console go to Resources > JDBC > Data sources > datasourceName > Custom properties. Im the custom properties set trace related properties, the most important ones are:
traceLevel - specifies the level of trace, determined by a bitwise combination of constants:
TRACE_NONE=0,
TRACE_CONNECTION_CALLS=1,
TRACE_STATEMENT_CALLS=2,
TRACE_RESULT_SET_CALLS=4,
TRACE_DRIVER_CONFIGURATION=16,
TRACE_CONNECTS=32,
TRACE_DRDA_FLOWS=64,
TRACE_RESULT_SET_META_DATA=128,
TRACE_PARAMETER_META_DATA=256,
TRACE_DIAGNOSTICS=512,
TRACE_SQLJ=1024,
TRACE_META_CALLS=8192,
TRACE_DATASOURCE_CALLS=16384,
TRACE_LARGE_OBJECT_CALLS=32768,
TRACE_SYSTEM_MONITOR=131072,
TRACE_TRACEPOINTS=262144,
TRACE_ALL=-1.
traceFile - specifies file to store the trace output
WebSphere Liberty Profile
In the folder LIBERTY_HOME/usr/servers/server_name create bootstrap.properties with the following variable for DB2 (for other databases check link at the bottom):
com.ibm.ws.logging.trace.specification=*=audit=enabled:com.ibm.ws.db2.logwriter=all=enabled
Specifying trace via system property
When you use unmanaged connections got from DriverManager, you cannot set driver trace properties via data source. In that case you can create property file with the following contents:
db2.jcc.traceDirectory=/tmp/jcctrace
db2.jcc.traceFile=trace
db2.jcc.traceFileAppend=false
db2.jcc.traceLevel=-1
and specify path to it as JVM system property:
-Ddb2.jcc.propertiesFile=pathToFile/fileName.properties
Useful links:
Tracing with the IBM Data Server driver for JDBC
JDBC trace configuration (Full profile
Enabling JDBC Tracing for the Liberty profile
for version 6 or later:
*=info:WAS.j2c=all:RRA=all:WAS.database=all:Transaction=all
And for version 5:
RRA=all=enabled:WAS.database=all=enabled:J2C=all=enabled
I need to monitor WAS liberty profiles i made some configuration changes in sever.xml
<feature>restConnector-1.0</feature>^M
<feature>jsp-2.2</feature>^M
<feature>appSecurity-1.0</feature>^M
<feature>ssl-1.0</feature>
<feature>monitor-1.0</feature>^M
but when i am connecting with rest port i am only getting following mbeans regarding websphere
WebSphere
WebSphere:feature=restConnector,type=FileService,name=FileService
WebSphere:service=com.ibm.websphere.application.ApplicationMBean,name=WLProject
WebSphere:feature=channelfw,type=endpoint,name=defaultHttpEndpoint-ssl
WebSphere:feature=restConnector,type=FileTransfer,name=FileTransfer
WebSphere:service=com.ibm.websphere.application.ApplicationMBean,name=kohls
WebSphere:service=com.ibm.ws.kernel.filemonitor.FileNotificationMBean
WebSphere:service=com.ibm.websphere.application.ApplicationMBean,name=worklightadmin
WebSphere:feature=channelfw,type=endpoint,name=defaultHttpEndpoint
WebSphere:service=com.ibm.websphere.application.ApplicationMBean,name=worklightconsole
WebSphere:name=com.ibm.ws.jmx.mbeans.generatePluginConfig
WebSphere:service=com.ibm.websphere.application.ApplicationMBean,name=_analytics
WebSphere:name=com.ibm.ws.config.serverSchemaGenerator
WebSphere:service=com.ibm.websphere.application.ApplicationMBean,name=_MobileBrowserSimulator
WebSphere:service=com.ibm.websphere.application.ApplicationMBean,name=nsecom
not able to get threadpool, webcontaineer mbeans , is there any configuration i have to do??
Maybe update to the latest Liberty version and try to test with jconsole. I'm running v8.5.5.3 and it works fine. I'm using the following command to start jconsole using rest connector (all in one line, formatted for readability):
jconsole
-J-Djava.class.path=C:\
IBM\WebSphere\LibertyIM\java\java_1.7_32\lib\jconsole.jar;C:\IBM\WebSphere\Liber
tyIM\java\java_1.7_32\lib\tools.jar;C:\IBM\WebSphere\wlp\clients\restConnector.j
ar
-J-Djavax.net.ssl.trustStore=C:/IBM/WebSphere/wlp/usr/servers/monitoringServe
r/resources/security/key.jks
-J-Djavax.net.ssl.trustStorePassword=password
-J-Djavax.net.ssl.trustStoreType=jks
-J-Duser.language=en
I can see ThreadPoolStats and ServletStats. For SessionStats or ConnectionPoolStats your application actually needs to use the feature (e.g. session or connection to db) to be visible in jconsole and have mbean.