Security Troubleshooting Guide

ISM 7.1 Security Troubleshooting



Contents

1 CCMDB Security
  1.1 WAS authentication
    1.1.1 New user cannot login
  1.2 VMMSync configuration
    1.2.1 Partial Sync
    1.2.2 New users/groups missing
    1.2.3 User attributes missing
  1.3 CCMDB Authorization
    1.3.1 403 Authorization error
    1.3.2 Start Center Authorization
2 TADDM Security (VMM option)
  2.1 TADDM Authentication
    2.1.1 Administrator login failure
    2.1.2 User login failure
  2.2 TADDM Authorization
    2.2.1 User without TADDM role can login
    2.2.2 TADDM Security Upgrade Issues
3 CCMDB Eco-System Integration
  3.1 TADDM Single Sign-On
    3.1.1 LTPA token issues
    3.1.2 SSO domain issue
  3.2 TADDM SSO authorization issues
    3.2.1 SSO successful but authorization error
  3.3 TADDM Authorization Synchronization
    3.3.1 Collection fails to save


1 CCMDB Security

Background:

Change and Configuration Management Database (CCMDB) is installed with application-server security turned on. Authenticating the user is delegated to WebSphere Application Server. When a user is successfully authenticated by WebSphere Application Server, CCMDB creates a security profile for the user in order to make authorization decisions. For CCMDB to create that profile, the user record must be present in the database repository: even if the user is successfully authenticated, the user record must exist in the Maximo database before the user can log in to the Start Center. This is accomplished by configuring the VMMSync crontask to query the relevant users through the VMM runtime APIs and create their records in the Maximo database.

For more information about authentication, authorization, and configuring security, refer to the CCMDB information center.

1.1 WebSphere Application Server authentication

1.1.1 New user cannot login

A new user was successfully added to the directory server but cannot log in to CCMDB.

Condition 1: The user was added to a part of the directory information tree (DIT) that is not federated under VMM.


Message in SystemOut.log:

[4/8/07 18:27:10:828 CDT] 0000003d LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is <null>.

Fix: Make sure the user is created under the proper location in the directory server, or federate the additional subtree under VMM.

Condition 2: CCMDB is set up to require membership in a J2EE role (default: maximouser) before allowing a user to log in to the system.


Browser message (Internet Explorer): HTTP 403 Forbidden

Exception in SystemOut.log:

[4/8/07 18:51:52:937 CDT] 00000038 WebCollaborat A SECJ0129E: Authorization failed for maxadmin while invoking GET on maximo_host:/maximo/ui/login, Authorization failed, Not granted any of the required roles: maximouser

Fix: Assign the proper group to the user in the directory server (in this case maximouser), or map the J2EE role to "All authenticated". For a modified J2EE role mapping to take effect, MXServer must be restarted. Be aware that mapping the role to "All authenticated" removes the directory-group gate at the container level: any user the directory can authenticate reaches the CCMDB login, and access control then rests entirely on the Maximo security groups populated by VMMSync.

*Note: the CCMDB (7.1 and 7.11) install maps this role to "All authenticated" by default.

1.2 VMMSync configuration

1.2.1 Partial Sync

Some of the users from the directory server are synchronized, but other users do not appear and group memberships do not show up.

Condition 1: Duplicate email IDs.

Exception in SystemOut.log:

[4/8/07 13:42:18:640 CDT] 0000006b SystemOut O 08 Apr 2007 13:42:14:125 [ERROR] Failed to initialize the VMMSyncCronTask. This message will be repeated if the initialization fails again when the task is run the next time.
psdi.security.vmm.VMMSyncException: Failed to perform VMM user synchronization.
    at psdi.security.vmm.VMMSynchronizer.syncVMMUsers(VMMSynchronizer.java:654)
    at psdi.security.vmm.VMMSynchronizer.performSync(VMMSynchronizer.java:345)
    at psdi.security.vmm.VMMSyncTask.performTask(VMMSyncTask.java:348)
    at psdi.security.vmm.VMMSyncCronTask.cronAction(VMMSyncCronTask.java:190)
    at psdi.server.CronTaskManager.callCronMethod(CronTaskManager.java:1338)
    at psdi.server.CronTaskManager.access$300(CronTaskManager.java:83)
    at psdi.server.CronTaskManager$CronThread.run(CronTaskManager.java:1750)
Caused by: psdi.security.vmm.VMMSyncException: Failed to synchronize VMM user data to database.
    at psdi.security.vmm.DefaultVMMSyncAdapter.syncUser(DefaultVMMSyncAdapter.java:86)
    at psdi.security.vmm.VMMSynchronizer.syncVMMUsers(VMMSynchronizer.java:623)
    ... 6 more
Caused by: com.ibm.db2.jcc.b.SqlException: One or more values in the INSERT statement, UPDATE statement, or foreign key update caused by a DELETE statement are not valid because the primary key, unique constraint or unique index identified by "2" constrains table "MAXIMO.EMAIL" from having duplicate values for the index key.
    at com.ibm.db2.jcc.b.sf.d(sf.java:1396)
    at com.ibm.db2.jcc.c.jb.l(jb.java:367)
    at com.ibm.db2.jcc.c.jb.a(jb.java:64)
    at com.ibm.db2.jcc.c.w.a(w.java:48)
    at com.ibm.db2.jcc.c.dc.b(dc.java:302)
    at com.ibm.db2.jcc.b.tf.cb(tf.java:1719)
    at com.ibm.db2.jcc.b.tf.d(tf.java:2319)
    at com.ibm.db2.jcc.b.tf.Y(tf.java:540)
    at com.ibm.db2.jcc.b.tf.executeUpdate(tf.java:523)
    at psdi.security.vmm.DefaultVMMSyncAdapter.insertRecord(DefaultVMMSyncAdapter.java:843)
    at psdi.security.vmm.DefaultVMMSyncAdapter.syncUser(DefaultVMMSyncAdapter.java:80)

Fix: Make sure that no two users have the same email ID in the directory server. Because the cron task fails on the offending record, the users after it are not synchronized, which is what produces the partial sync.

Condition 2: One or more users have the mail attribute set to a null (empty) value in the directory server.

Exception in SystemOut.log: the same trace as Condition 1, ending in the DB2 exception below. DB2 treats null values as equal for the purposes of a unique index, so two users with an empty mail attribute collide on MAXIMO.EMAIL exactly as two users with the same address do.

psdi.security.vmm.VMMSyncException: Failed to perform VMM user synchronization.
    at psdi.security.vmm.VMMSynchronizer.syncVMMUsers(VMMSynchronizer.java:654)
    ...
Caused by: psdi.security.vmm.VMMSyncException: Failed to synchronize VMM user data to database.
    at psdi.security.vmm.DefaultVMMSyncAdapter.syncUser(DefaultVMMSyncAdapter.java:86)
    ...
Caused by: com.ibm.db2.jcc.b.SqlException: One or more values in the INSERT statement, UPDATE statement, or foreign key update caused by a DELETE statement are not valid because the primary key, unique constraint or unique index identified by "2" constrains table "MAXIMO.EMAIL" from having duplicate values for the index key.
    at psdi.security.vmm.DefaultVMMSyncAdapter.insertRecord(DefaultVMMSyncAdapter.java:843)
    at psdi.security.vmm.DefaultVMMSyncAdapter.syncUser(DefaultVMMSyncAdapter.java:80)

Fix: Either remove the empty mail attribute from those user objects in the directory server or give it a value.

Condition 3:

1.2.2 New users/groups missing

New users and groups added to the directory server do not show up in CCMDB.

Condition 1: The VMM component cache is turned on and its timeout is longer than the VMMSync schedule interval, so the cron task keeps reading stale cached results.

Fix: Update the VMMSync schedule so that the VMM cache expires before the next sync, or disable the VMM cache for each directory server federated under VMM.


Condition 2: The VMMSync crontask usermapping or groupmapping parameters were updated to point to a new location in the directory information tree (DIT), or a new crontask instance was added for a multiple-user-directory setup.

Fix: MXServer must be restarted for either of these changes to take effect.


1.2.3 User attributes missing

Once the sync has completed, users are missing the first name and display name attributes in the Maximo Users application. The user attributes are queried from the directory server by the VMMSync crontask and mapped to user columns in the Maximo database repository. The LDAP-attribute-to-column mapping is defined in the VMMSync configuration under the usermapping parameter.


CCMDB (7.1 and 7.11) ships with the following mapping:

<table name="PERSON">
  <keycolumn name="PERSONID" type="UPPER">uid</keycolumn>
  <column name="FIRSTNAME" type="ALN">givenName</column>
  <column name="LASTNAME" type="ALN">sn</column>
  <column name="DISPLAYNAME" type="ALN">displayName</column>
  <column name="ADDRESSLINE1" type="ALN">street</column>
  <column name="STATEPROVINCE" type="ALN">st</column>
  <column name="CITY" type="ALN">l</column>
  <column name="POSTALCODE" type="ALN">postalCode</column>
  <column name="COUNTRY" type="ALN">c</column>
  <column name="STATUS" type="UPPER">{ACTIVE}</column>
  <column name="TRANSEMAILELECTION" type="UPPER">{NEVER}</column>
  <column name="VIP" type="YORN">{0}</column>
  <column name="STATUSDATE" type="ALN">{:sysdate}</column>
  <column name="ACCEPTINGWFMAIL" type="YORN">{1}</column>
  <column name="LOCTOSERVREQ" type="YORN">{1}</column>
  <column name="PERSONUID" type="INTEGER">{:uniqueid}</column>
  <column name="HASLD" type="YORN">{0}</column>
  <column name="LANGCODE" type="UPPER">{en}</column>
</table>

Condition 1: The mapped attributes are not present on the user objects in the directory server.


Fix 1: Make sure that the user objects carry the displayName and givenName attributes.


Fix 2: If you decide not to add the attributes to the user objects, the problem can also be addressed by changing the mapping to an attribute that is already present in the directory server, for example cn. Remember to restart MXServer after updating the usermapping parameter.

<column name="FIRSTNAME" type="ALN">cn</column>
<column name="LASTNAME" type="ALN">sn</column>
<column name="DISPLAYNAME" type="ALN">cn</column>
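The following is an added example, not part of this guide or of any IBM product code. It takes a directory export in LDIF form and applies the PERSON usermapping to it, reporting in one pass the three directory conditions from 1.2.1 and 1.2.3 before VMMSync ever hits the MAXIMO.EMAIL index: duplicate mail values, users with no mail value, and users whose mapped givenName/displayName attributes are absent. It also shows what the Fix 2 remapping to cn changes. The LDIF entries, the example.com names and the reduced mapping fragment (only the directory-backed columns; the constant and :function columns are omitted) are constructed.

```python
# Added example: pre-sync check of a directory export against the VMMSync
# usermapping. Not from the guide; sample data below is constructed.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed export of ou=people: bob and carol share a mail value,
# dave has no mail at all, carol lacks displayName, dave lacks both.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
cn: Alice Example
sn: Example
givenName: Alice
displayName: Alice Example
mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
cn: Bob Example
sn: Example
givenName: Bob
displayName: Bob Example
mail: shared@example.com

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
cn: Carol Example
sn: Example
givenName: Carol
mail: shared@example.com

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
cn: Dave Example
sn: Example
"""

# Directory-backed columns of the shipped PERSON mapping; {literal} and
# {:function} columns do not depend on the directory and are left out.
SHIPPED_MAPPING = """\
<table name="PERSON">
  <keycolumn name="PERSONID" type="UPPER">uid</keycolumn>
  <column name="FIRSTNAME" type="ALN">givenName</column>
  <column name="LASTNAME" type="ALN">sn</column>
  <column name="DISPLAYNAME" type="ALN">displayName</column>
  <column name="STATUS" type="UPPER">{ACTIVE}</column>
</table>
"""
# The same table after Fix 2: first and display name taken from cn.
REMAPPED_MAPPING = SHIPPED_MAPPING.replace(">givenName<", ">cn<").replace(">displayName<", ">cn<")


def parse_ldif(text):
    """Minimal LDIF reader for 'attr: value' lines. Attribute names are
    lower-cased because LDAP compares them case-insensitively."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
        current[attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def email_problems(entries):
    """1.2.1 conditions 1 and 2. Returns (duplicates, missing): duplicates
    maps a mail value to the uids sharing it, missing lists uids with no
    usable mail. Either one becomes a duplicate key on MAXIMO.EMAIL."""
    by_mail, missing = defaultdict(list), []
    for e in entries:
        uid = e["uid"][0]
        values = [m for m in e.get("mail", []) if m]
        if not values:
            missing.append(uid)
        for m in values:
            by_mail[m.lower()].append(uid)
    duplicates = {m: uids for m, uids in by_mail.items() if len(uids) > 1}
    return duplicates, missing


def unmapped_attributes(entries, mapping_xml):
    """1.2.3: apply the usermapping and report, per uid, the Maximo columns
    that would stay empty because the source attribute is absent."""
    attr_for_column = {}
    for col in ET.fromstring(mapping_xml):
        source = (col.text or "").strip()
        if source.startswith("{"):          # constant or :function column
            continue
        attr_for_column[col.get("name")] = source.lower()
    report = {}
    for e in entries:
        gaps = [c for c, a in attr_for_column.items() if not e.get(a)]
        if gaps:
            report[e["uid"][0]] = gaps
    return report


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    print("duplicate mail / missing mail:", email_problems(users))
    print("gaps with shipped mapping:", unmapped_attributes(users, SHIPPED_MAPPING))
    print("gaps after Fix 2:", unmapped_attributes(users, REMAPPED_MAPPING))
```

Run it against an `ldapsearch -LLL` export of the subtree that VMMSync reads; anything reported by `email_problems` will stop the cron task, while `unmapped_attributes` only costs you the affected columns. The LDIF reader handles the plain `attr: value` form only, not base64 (`::`) or continuation lines.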


1.3 CCMDB Authorization

1.3.1 403 Authorization error

Refer to section 1.1.1, condition 2.

1.3.2 Start Center Authorization

A user with the proper J2EE role authenticates successfully but is not given access to the CCMDB Start Center.

Error generated by the web UI.

Fix: Make sure that the user in question is a member of the proper security group in CCMDB. Group membership is assigned in the directory server and only reaches CCMDB through VMMSync, so a newly added user must wait for a successful sync before being able to use the system. Consult the CCMDB Infocenter for the group membership required for the various permissions.

2 Tivoli Application Dependency Discovery Manager (TADDM) Security (VMM option)

When installed with the VMM security option, TADDM relies on the CCMDB security framework for the following:

User repository – The TADDM pluggable security component uses the remote VMM API (VMM is provided by the CCMDB middleware) as its user repository. TADDM and CCMDB therefore share a common user repository, which eases user management and enables SSO integration between the two products.

Authentication service – TADDM further relies on the CCMDB authentication service for user authentication and for LTPA token generation and validation.

As such, TADDM depends on VMM and the authentication service (both hosted on CCMDB) being up and running in order to provide its security functions, and TADDM itself must be configured correctly to reach these remote services.

2.1 TADDM Authentication


2.1.1 Administrator login failure

The administrator cannot log in following the install.

Condition 1: Even when TADDM was properly installed and configured with the VMM option, the administrator login fails because the TADDM administrator user does not exist in the directory server.

Fix: This user is not created automatically during install; add it to the directory server manually after installation.

2.1.2 User login failure

A user cannot log in to TADDM.

Condition 1: The authentication service is not started.


Error in TADDM trace.log:

[4/8/07 19:47:32:609 CDT] 00000025 security E Login failed:CTGES0008E The Authentication Client received a fault from the Authentication Service. Fault reason: "(404)Not Found"

Fix: Make sure that the authentication service (the authensvc_ctges application) is properly installed and started.

Condition 2: The TADDM authentication client is misconfigured and cannot connect to the authentication service. Confirm that the following parameter in the TADDM authentication client properties file (ibmessclientauthncfg.properties) is correct:

authnServiceURL=http://stwin2003.austin.ibm.com:9080/TokenService/services/Trust

If the hostname is incorrect, the following message is logged to TADDM trace.log:

[4/8/07 20:12:25:156 CDT] 0000000f security E Login failed:CTGES0008E The Authentication Client received a fault from the Authentication Service. Fault reason: "java.net.UnknownHostException: stwin.austin.ibm.com"

If the port is incorrect, the following message is logged to TADDM trace.log:

[4/8/07 20:19:48:171 CDT] 0000000e security E Login failed:CTGES0008E The Authentication Client received a fault from the Authentication Service. Fault reason: "java.net.ConnectException: Connection refused: connect"

Condition 3: The TADDM user repository module is misconfigured and cannot connect to the remote VMM interfaces. Confirm that the following parameters in the TADDM properties file (collation.properties) are correct.

If either of the properties shown below is incorrect:

com.collation.security.auth.websphereHost=stwin2003.austin.ibm.com
com.collation.security.auth.webspherePort=9809

the following message is posted in TADDM SecurityManager.log:

2007-04-09 00:03:31,656 SecurityManager [P=7921:O=0:CT] ERROR jini.SecurityManagerServiceImpl - VMMUserRegistry:init(): Fatal NamingException initializing VMM user management module: A communication failure occurred while attempting to obtain an initial context with the provider URL: "corbaloc:iiop:stwin2003.austin.ibm.com:9808". Make sure that any bootstrap address information in the URL is correct and that the target name server is running.

The provider URL in the message echoes the host and port TADDM actually used, so compare it against the bootstrap address of the CCMDB server rather than against what you expect to be configured.

If either of the properties shown below is incorrect (the password is stored in encrypted form, as shown, not as plaintext):

com.collation.security.auth.VMMAdminUsername=wasadmin
com.collation.security.auth.VMMAdminPassword=q5UxHsPW0zFbzkuBUPENzQ==

the following message is posted in TADDM SecurityManager.log:

2007-04-09 00:16:36,203 SecurityManager [P=781593:O=0:CT] ERROR jini.SecurityManagerServiceImpl - VMMUserRegistry:init(): Fatal LoginException initializing VMM user management module: Authentication Failed.

Condition 4: The system clocks of the TADDM and WAS servers are out of step, so the token TADDM receives has already expired by TADDM's own clock.

The following error message is posted in TADDM trace.log (with trace set at DEBUG level):

[5/8/08 12:23:39:566 GMT-06:00] 00000013 security E Error getting token descriptor from credential token (credential expired): null

Fix: Make sure the clocks of the WAS and TADDM servers are synchronized, for example against the same NTP source.

2.2 TADDM Authorization

2.2.1 User without TADDM role can login

This behavior is observed when TADDM data-level security is turned off. With data-level security disabled, all TADDM objects are assigned to a default access collection and every authenticated user has operator permission on them, so any user that VMM can authenticate gets in regardless of whether a TADDM role was ever assigned.

Fix: Set com.collation.security.enabledatalevelsecurity to true in collation.properties. Make sure that the TADDM server is restarted for the change to take effect, then confirm that a user with no TADDM role is refused.
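The following is an added example, not TADDM code and not part of this guide: a static consistency check of the two TADDM-side property files that 2.1.2 (conditions 2 and 3) and 2.2.1 tell you to verify. It parses ibmessclientauthncfg.properties and collation.properties, checks that authnServiceURL and the VMM connection properties are present and point at the same host, flags a VMM admin password that does not look like the stored encrypted form, and fails if enabledatalevelsecurity is not true. The property excerpts, the example.com hostnames and the "Passw0rd!" value are constructed; the host-match rule and the base64 heuristic for the encrypted password are this example's assumptions, not product rules.

```python
# Added example (not TADDM code): static check of the TADDM-side security
# properties. Sample property text below is constructed.
import base64
import binascii
import re
from urllib.parse import urlsplit

AUTHN_URL_KEY = "authnServiceURL"
WAS_HOST_KEY = "com.collation.security.auth.websphereHost"
WAS_PORT_KEY = "com.collation.security.auth.webspherePort"
VMM_USER_KEY = "com.collation.security.auth.VMMAdminUsername"
VMM_PASS_KEY = "com.collation.security.auth.VMMAdminPassword"
DLS_KEY = "com.collation.security.enabledatalevelsecurity"

# "Weak" pair: authentication client points at a different host than VMM,
# plaintext VMM password, data-level security off. "Fixed" pair is clean.
WEAK_AUTHN_PROPS = "authnServiceURL=http://ccmdb-old.example.com:9080/TokenService/services/Trust\n"
WEAK_COLLATION_PROPS = """\
# collation.properties excerpt (constructed)
com.collation.security.auth.websphereHost=ccmdb.example.com
com.collation.security.auth.webspherePort=9809
com.collation.security.auth.VMMAdminUsername=wasadmin
com.collation.security.auth.VMMAdminPassword=Passw0rd!
com.collation.security.enabledatalevelsecurity=false
"""
FIXED_AUTHN_PROPS = "authnServiceURL=http://ccmdb.example.com:9080/TokenService/services/Trust\n"
FIXED_COLLATION_PROPS = """\
com.collation.security.auth.websphereHost=ccmdb.example.com
com.collation.security.auth.webspherePort=9809
com.collation.security.auth.VMMAdminUsername=wasadmin
com.collation.security.auth.VMMAdminPassword=q5UxHsPW0zFbzkuBUPENzQ==
com.collation.security.enabledatalevelsecurity=true
"""

_PROP_LINE = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)")


def parse_properties(text):
    """Java .properties subset: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def looks_encrypted(value):
    """Heuristic (assumption of this example): the stored VMM admin password
    is an encrypted base64-looking blob, so a value that is not valid
    base64 of a 4-aligned length is almost certainly plaintext."""
    if not value or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def check_taddm_security(authn_text, collation_text):
    """Return a list of (severity, message) findings for the two files."""
    authn = parse_properties(authn_text)
    coll = parse_properties(collation_text)
    findings = []

    url = authn.get(AUTHN_URL_KEY)
    url_host = None
    if not url:
        findings.append(("ERROR", f"{AUTHN_URL_KEY} missing; expect CTGES0008E on login"))
    else:
        parts = urlsplit(url)
        url_host = parts.hostname
        if parts.scheme == "http":
            findings.append(("INFO", "token service is reached over plain HTTP"))

    for key in (WAS_HOST_KEY, WAS_PORT_KEY, VMM_USER_KEY, VMM_PASS_KEY):
        if not coll.get(key):
            findings.append(("ERROR", f"{key} not set; expect VMMUserRegistry:init() failure"))
    port = coll.get(WAS_PORT_KEY, "")
    if port and not port.isdigit():
        findings.append(("ERROR", f"{WAS_PORT_KEY}={port} is not a port number"))
    was_host = coll.get(WAS_HOST_KEY)
    if url_host and was_host and url_host.lower() != was_host.lower():
        findings.append(("WARN", f"authnServiceURL host {url_host} differs from {WAS_HOST_KEY}={was_host}"))
    if coll.get(VMM_PASS_KEY) and not looks_encrypted(coll[VMM_PASS_KEY]):
        findings.append(("WARN", f"{VMM_PASS_KEY} does not look like the encrypted form"))
    if coll.get(DLS_KEY, "").lower() != "true":
        findings.append(("ERROR", f"{DLS_KEY} is not true: every authenticated user gets operator access"))
    return findings


if __name__ == "__main__":
    for label, a, c in (("weak", WEAK_AUTHN_PROPS, WEAK_COLLATION_PROPS),
                        ("fixed", FIXED_AUTHN_PROPS, FIXED_COLLATION_PROPS)):
        print(label, check_taddm_security(a, c))
```

The host-match rule reflects the guide's layout, where the authentication service and VMM are both hosted on the CCMDB server; a deployment that deliberately splits them will trip the warning and can drop that check. The plain-HTTP finding is informational only because the guide's own example URL uses port 9080.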

2.2.2 TADDM Security Upgrade Issues

If TADDM was installed with the local file-based repository option and later reconfigured to use the VMM option, the following issues can be encountered depending on the customer setup:


Users with a non-administrator role seem to have administrator permission.

Users with no TADDM roles can log in even though data-level security is turned on.

Condition 1: The authorization file from the old file-based repository is still present on the system, so even though TADDM security was reconfigured to use VMM, the security manager component is still enforcing the authorization policy created under the old setup.

Fix: Make sure that the old policy files are deleted from <TADDM_HOME>\dist\var\policy\ibmsecauthz\policy\rolemapping\AuthorizationManagerPolicyContextId_role. Keep a copy before deleting, restart TADDM, and then verify that a user without a TADDM role is refused and that a non-administrator no longer sees administrator functions.

3 CCMDB Eco-System Integration

3.1 TADDM Single Sign-On

Make sure that none of the TADDM login problems discussed in the previous section are present. A working TADDM login is a prerequisite for the SSO setup.

3.1.1 LTPA token issues

Message posted in TADDM trace.log:

[4/9/07 17:35:31:609 CDT] 00000018 security E Login failed:CTGES0008E The Authentication Client received a fault from the Authentication Service. Fault reason: "The specified RequestSecurityToken is not understood."

Fix: Make sure that the LTPA key is exported from the authentication service and imported into WebSphere Application Server, so that both sides validate tokens with the same key. Refer to the CCMDB install guide for detailed instructions.

3.2 TADDM SSO authorization issues

3.2.1 SSO successful but authorization error

This occurs when the login is successful but no TADDM role is assigned to the SSO user.


Message in TADDM trace.log

[4/10/07 1:02:07:437 CDT] 00000037 XACMLPolicyPa W XACMLPolicyParser XACMLPolicyParser() CWRGS4116W No location has been provided for the XACML policy schema file. XML schema validation has been disabled.

Fix: Make sure the SSO user has the proper TADDM role-level authorization. If the SSO is being performed as part of launch-in-context, make sure the CI being launched is part of a collection and that the user has access to that collection. Refer to the next section for further details.

3.3 TADDM Authorization Synchronization

CCMDB and TADDM share common CI data objects, access to which can be restricted by authorization policy. Both CCMDB and TADDM use the access collection framework to implement data-level security. The authorization synchronization module was implemented to ease the setup and enforcement of a common data-level authorization policy. The synchronization has two important aspects:

1. An access collection created in CCMDB using the Collections application is synchronized to a TADDM access collection.

2. Groups assigned to access collections in CCMDB should have the same assignment in TADDM.


3.3.1 Collection fails to save

The assumption here is that authorization synchronization between CCMDB and TADDM has been enabled; refer to the Infocenter for the steps to enable this component. The save fails when the CCMDB server cannot connect to the TADDM server because of any of the following conditions:

Condition 1: Incorrect hostname or port information.

Message returned on the browser.

Message posted to SystemOut.log:

[4/10/07 16:21:55:937 CDT] 0000003a SystemOut O 10 Apr 2007 16:21:55:937 [ERROR] java.rmi.ConnectException: com.collation.proxy.api.client.ApiConnectionFailureException: java.rmi.ConnectException:
    at com.collation.proxy.api.client.ApiConnectionImpl.init(ApiConnectionImpl.java:293)
    at com.ibm.cdb.api.client.ApiConnectionFactory.getApiConnection(ApiConnectionFactory.java:58)
    at com.ibm.cdb.api.ApiFactory.getApiConnection(ApiFactory.java:158)
    at com.ibm.tivoli.maximo.authsync.TADDMHandler.invoke(TADDMHandler.java:128)
    at com.ibm.tivoli.maximo.authsync.AuthSyncColExit.setDataOut(AuthSyncColExit.java:149)
    at psdi.iface.migexits.ExternalExit.callExitsOut(ExternalExit.java:60)

Condition 2: Incorrect username or password information.


Message returned on the browser.

Message posted to SystemOut.log:

[4/10/07 16:33:10:296 CDT] 00000045 SystemOut O 10 Apr 2007 16:33:10:296 [ERROR] com.collation.proxy.api.client.ApiException: CTJOX0130E The password specified is not correct.
com.collation.proxy.api.client.ApiLoginException: com.collation.proxy.api.client.ApiException: CTJOX0130E The password specified is not correct.
    at com.collation.proxy.api.client.ApiSessionImpl.init(ApiSessionImpl.java:155)
    at com.ibm.cdb.api.client.ApiSessionFactory.getSession(ApiSessionFactory.java:63)
    at com.ibm.cdb.api.ApiFactory.getSession(ApiFactory.java:167)
    at com.ibm.tivoli.maximo.authsync.TADDMHandler.invoke(TADDMHandler.java:136)
    at com.ibm.tivoli.maximo.authsync.AuthSyncColExit.setDataOut(AuthSyncColExit.java:149)
    at psdi.iface.migexits.ExternalExit.callExitsOut(ExternalExit.java:60)

Fix: Make sure the hostname and port (condition 1) and the username and password (condition 2) configured on the TADDMEP endpoint are correct.


Condition 3: If you are using the SSL transport (port 9531 instead of 9530) to connect to TADDM and have not downloaded the TADDM certificate into the Java truststore on the CCMDB node, the connection fails.

Message returned on the browser.

Message posted to SystemOut.log:

[4/10/07 16:37:19:546 CDT] 0000003a SystemOut O 10 Apr 2007 16:37:19:546 [ERROR] java.rmi.ConnectException: com.collation.proxy.api.client.ApiConnectionFailureException: java.rmi.ConnectException:
    at com.collation.proxy.api.client.ApiConnectionImpl.init(ApiConnectionImpl.java:293)
    at com.ibm.cdb.api.client.ApiConnectionFactory.getApiConnection(ApiConnectionFactory.java:58)
    at com.ibm.cdb.api.ApiFactory.getApiConnection(ApiFactory.java:158)
    at com.ibm.tivoli.maximo.authsync.TADDMHandler.invoke(TADDMHandler.java:122)
    at com.ibm.tivoli.maximo.authsync.AuthSyncColExit.setDataOut(AuthSyncColExit.java:149)
    at psdi.iface.migexits.ExternalExit.callExitsOut(ExternalExit.java:60)

Fix: Make sure the certificate is downloaded from the TADDM machine and copied to the proper location on the CCMDB node; refer to the Infocenter for details. Import the certificate rather than falling back to the non-SSL port 9530, since the data crossing this link is the access collection and group assignments that make up the authorization policy.

*Note: a similar issue can arise when assigning a collection to a security group if any of the information discussed above is not provided correctly.
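The following is an added example, not part of this guide or of any IBM product code. It turns the messages catalogued throughout the guide into a small triage table: given lines from SystemOut.log, TADDM trace.log or SecurityManager.log, it names the section and the check to perform. The six recognised sample lines are the guide's own messages; the final line is a constructed benign entry included to show a non-match. The section labels and advice strings are this example's summaries of the guide's fixes.

```python
# Added example (not from the guide): map log lines to the guide sections
# and fixes catalogued above. Rules are ordered; the first match wins, so the
# specific CTGES0008E fault reasons sit before the generic ones.
import re

RULES = [
    (r"SECJ0369E", "1.1.1 condition 1",
     "user not under a subtree federated in VMM; fix DIT location or federate it"),
    (r"SECJ0129E.*Not granted any of the required roles", "1.1.1 condition 2",
     "J2EE role (maximouser) not held; fix directory group or role mapping, restart MXServer"),
    (r'constrains table "MAXIMO\.EMAIL"', "1.2.1",
     "duplicate or empty mail attribute in the directory"),
    (r"CTGES0008E.*\(404\)Not Found", "2.1.2 condition 1",
     "authentication service (authensvc_ctges) not installed or not started"),
    (r"CTGES0008E.*UnknownHostException", "2.1.2 condition 2",
     "authnServiceURL hostname is wrong"),
    (r"CTGES0008E.*Connection refused", "2.1.2 condition 2",
     "authnServiceURL port is wrong"),
    (r"CTGES0008E.*RequestSecurityToken is not understood", "3.1.1",
     "LTPA key not exported from the authentication service and imported into WAS"),
    (r"VMMUserRegistry:init\(\): Fatal NamingException", "2.1.2 condition 3",
     "websphereHost/webspherePort wrong in collation.properties"),
    (r"VMMUserRegistry:init\(\): Fatal LoginException", "2.1.2 condition 3",
     "VMMAdminUsername/VMMAdminPassword wrong in collation.properties"),
    (r"credential expired", "2.1.2 condition 4",
     "clock skew between TADDM and WAS; synchronise the clocks"),
    (r"CTJOX0130E", "3.3.1 condition 2",
     "TADDMEP endpoint username/password wrong"),
    (r"ApiConnectionFailureException", "3.3.1 condition 1 or 3",
     "TADDMEP host/port wrong, or TADDM certificate not imported on the CCMDB node (SSL port 9531)"),
]
_COMPILED = [(re.compile(p), s, a) for p, s, a in RULES]


def triage_line(line):
    """Return (section, advice) for a recognised line, else None."""
    for rx, section, advice in _COMPILED:
        if rx.search(line):
            return section, advice
    return None


def triage_log(lines):
    """Return [(line_no, section, advice)] for every recognised line."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = triage_line(line)
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits


# First six lines are the guide's own messages; the last is constructed.
SAMPLE_LOG = [
    '[4/8/07 18:27:10:828 CDT] 0000003d LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is <null>.',
    '[4/8/07 19:47:32:609 CDT] 00000025 security E Login failed:CTGES0008E The Authentication Client received a fault from the Authentication Service. Fault reason: "(404)Not Found"',
    '[4/8/07 20:19:48:171 CDT] 0000000e security E Login failed:CTGES0008E The Authentication Client received a fault from the Authentication Service. Fault reason: "java.net.ConnectException: Connection refused: connect"',
    '[5/8/08 12:23:39:566 GMT-06:00] 00000013 security E Error getting token descriptor from credential token (credential expired): null',
    '[4/9/07 17:35:31:609 CDT] 00000018 security E Login failed:CTGES0008E The Authentication Client received a fault from the Authentication Service. Fault reason: "The specified RequestSecurityToken is not understood."',
    '[4/10/07 16:33:10:296 CDT] 00000045 SystemOut O 10 Apr 2007 16:33:10:296 [ERROR] com.collation.proxy.api.client.ApiException: CTJOX0130E The password specified is not correct.',
    '[4/10/07 16:40:00:000 CDT] 00000050 SystemOut O 10 Apr 2007 16:40:00:000 [INFO] VMMSyncCronTask completed',
]

if __name__ == "__main__":
    for n, section, advice in triage_log(SAMPLE_LOG):
        print(f"line {n}: see {section}: {advice}")
```

Feed it the real logs with `triage_log(open(path).readlines())`; multi-line stack traces are fine because each rule keys on the first line of the message. The ApiConnectionFailureException rule cannot distinguish a wrong port from a missing certificate on its own, which is why it points at both conditions.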