16 julio 2010

SECJ0373E: Cannot create credential for the user due to failed validation of the LTPA token.

Problem / Problema:
We have 2 environments... a cluster of WPS and an standalone WCM. After of change the configuration of realm to federated ldap repository, we tried to rename the wcm realm name to the name of portal realm, but the WCM not started correctly; we can to navigate on Admin Console but when we're trying to open the wcm portal, the server just show a error indicating that some portal services can't be started.
Tenemos dos ambientes... un cluster de WebSphere Portal y un Web Content Manager. Después de cambiar la configuración del realm para federated, tratamos de renombrar el realm del WCM con el nombre del realm del portal (para que funcione el Single Sign On), pero el WCM no inicia correctamente; podemos navegar en la Consola de Administración del WAS pero cuando tratamos de ingresar al portal, solo nos muestra un error indicando que algunos servicios del portal no pudieron ser iniciados.


Trace:

SECJ0373E: Cannot create credential for the user due to failed validation of the LTPA token. The exception is com.ibm.websphere.security.CustomRegistryException: The realm in the token: apiconzldap.apiconz.info:389 does not match the current realm: PortalWcmRealmFederated
at com.ibm.ws.security.ltpa.LTPAServerObject.getRelativeName(LTPAServerObject.java:1473)
at com.ibm.ws.security.ltpa.LTPAServerObject.getSecurityName(LTPAServerObject.java:1421)
at com.ibm.ws.security.ltpa.LTPAServerObject.validate(LTPAServerObject.java:1259)
at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginModule.java:599)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706)
at javax.security.auth.login.LoginContext.login(LoginContext.java:603)
at com.ibm.ws.security.auth.JaasLoginHelper.jaas_login(JaasLoginHelper.java:289)
at com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManagerImpl.java:2874)
at com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManagerImpl.java:2737)
at com.ibm.ws.security.web.WebAuthenticator.validate(WebAuthenticator.java:1640)
at com.ibm.ws.security.web.WebAuthenticator.validateCookie(WebAuthenticator.java:599)
at com.ibm.ws.security.web.WebAuthenticator.handleSSO(WebAuthenticator.java:520)
at com.ibm.ws.security.web.WebAuthenticator.handleCustomLogin(WebAuthenticator.java:743)
at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:1497)
at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:1373)
at com.ibm.ws.security.web.WebCollaborator.authorize(WebCollaborator.java:670)
at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:318)
at com.ibm.ws.webcontainer.webapp.WebAppSecurityCollaborator.preInvoke(WebAppSecurityCollaborator.java:141)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:486)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:90)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:751)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1478)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:125)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:267)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture$1.run(AsyncChannelFuture.java:205)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1497)


Diagnostic / Diagnostico:
We found that the old realm name is still in one of the Portal database tables. If we update the realm in the table the exception when the portal starts should be resolved.
Encontramos que el nombre antiguo del realm está aun en una de las tablas de la base de datos del Portal. Si actualizamos el real en la tabla la excepción cuando el porta se inicia debería ser resuelta.
Solution / Solución
1) Login into WCM database.
2) Backup data on RELEASE.VP_DESC table.
db2 connect to RELEASE
db2 "select * from RELEASE.VP_DESC" > RELEASE.VP_DESC.TXT
3) Make change of realm name on security option from WAS 
apiconzldap.apiconz.info:389 -> PortalWcmRealmFederated
4) Stop the portal.
./stopServer.sh WebSphere_Portal -username wpsbind -password password
5) Make update to table.
db2 "update RELEASE.VP_DESC set REALM='apiconzldap.apiconz.info:389' where RELEASE.VP_DESC.REALM='PortalWcmRealmFederated'";  
6) Start the portal.
1) Ingresar a base de datos del WCM.
2) Respaldar datos de la tabla RELEASE.VP_DESC
db2 connect to RELEASE
db2 "select * from RELEASE.VP_DESC" > RELEASE.VP_DESC.TXT
3) Realizar cambio de nombre de Realm en las opciones de Seguridad del WAS.
apiconzldap.apiconz.info:389 -> PortalWcmRealmFederated
4) Bajar el portal.
./stopServer.sh WebSphere_Portal -username wpsbind -password password
5) Realizar actualización de datos en la bd.
db2 "update RELEASE.VP_DESC set REALM='apiconzldap.apiconz.info:389' where RELEASE.VP_DESC.REALM='PortalWcmRealmFederated'";
6) Subir el portal
Publicar un comentario