Hi,

I have 3 machines: 1 running the deployment manager and the 2 others running
1 was5 app server on each.
The 2 was5 machines are part of the same cell.
The operating system is Linux RH8 and all of the 3 machines are running
version 5.0.2.3

That's the scenario:
After enabling the global security I'm not able to start and stop servers
from the admin console.
I started the deployment manager using the command:
./startManager.sh -username user -password pw.
I started the 2 node agents using the command: ./startNode.sh -username
user -password pw.

If I try to start the servers from the admin console I get the error below.
If I start them from the command line passing user and password they start
with no problem.

I have already tried to sync them, using the command ./syncNode
dmhost -username user -password pw. I got a message showing the
synchronization was successfully done.

Does anybody know what could be the problem ?

Thanks a lot,

Ronaldo Queiroz.

[2/18/04 18:07:52:588 BRT] 1ad87670 RoleBasedAuth A SECJ0305I: Role based
authorization check failed for security name <null>, accessId
NO_CRED_NO_ACCESS_ID while invoking method getRepositoryEpoch on resource
ConfigRepository and module ConfigRepository.
[2/18/04 18:07:53:309 BRT] 1adb7670 LTPAServerObj E SECJ0375E: Mismatch of
realms during token validation.
[2/18/04 18:07:53:313 BRT] 1adb7670 LTPAServerObj E SECJ0373E: Cannot create
credential for the user <null> during the Validation of the token. The
exception is com.ibm.websphere.security.CustomRegistryException: The realm
in the token: labsrv6.lab.brq.com does not match the current realm:
labsrv7.lab.brq.com

[ Post a follow-up to this message ]

Ronaldo,
I guess you are useing LocalOS as registry ?
LocalOS is not supported in a multi-node environment even if that is not
very clear stated in the doc's. See url (paste it together)
http://www-1.ibm.com/support/docvie...EQTP&q1=localos
&uid=swg21139779&loc=en_US&cs=utf-8&lang=en+en

Regards
Bo Nilsson
Software Group
IBM Sweden

Ronaldo Queiroz wrote:
> Hi,
>
> I have 3 machines: 1 running the deployment manager and the 2 others runni
ng
> 1 was5 app server on each.
> The 2 was5 machines are part of the same cell.
> The operating system is Linux RH8 and all of the 3 machines are running
> version 5.0.2.3
>
> That's the scenario:
> After enabling the global security I'm not able to start and stop servers
> from the admin console.
> I started the deployment manager using the command:
> ./startManager.sh -username user -password pw.
> I started the 2 node agents using the command: ./startNode.sh -username
> user -password pw.
>
> If I try to start the servers from the admin console I get the error below
.
> If I start them from the command line passing user and password they start
> with no problem.
>
> I have already tried to sync them, using the command ./syncNode
> dmhost -username user -password pw. I got a message showing the
> synchronization was successfully done.
>
> Does anybody know what could be the problem ?
>
> Thanks a lot,
>
> Ronaldo Queiroz.
>
> [2/18/04 18:07:52:588 BRT] 1ad87670 RoleBasedAuth A SECJ0305I: Role based
> authorization check failed for security name <null>, accessId
> NO_CRED_NO_ACCESS_ID while invoking method getRepositoryEpoch on resource
> ConfigRepository and module ConfigRepository.
> [2/18/04 18:07:53:309 BRT] 1adb7670 LTPAServerObj E SECJ0375E: Mismatch of
> realms during token validation.
> [2/18/04 18:07:53:313 BRT] 1adb7670 LTPAServerObj E SECJ0373E: Cannot crea
te
> credential for the user <null> during the Validation of the token. The
> exception is com.ibm.websphere.security.CustomRegistryException: The realm
> in the token: labsrv6.lab.brq.com does not match the current realm:
> labsrv7.lab.brq.com
>
>

[ Post a follow-up to this message ]

Ronaldo,

You can try to update the <WAS_HOME>/properties/soap.client.props file with:
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=yourID
com.ibm.SOAP.loginPassword=yourPW

I remember getting it to work before. But you'll have to encode the password
in soap.client.props using PropFilePasswordEncoder otherwise password will
stay in clear text.

CheKim Chhuor
IBM Poughkeepsie



"Bo Nilsson" <bo.nilsson@se.ibm.com> wrote in message
news:c12lk6$42n2$1@news.boulder.ibm.com...
> Ronaldo,
> I guess you are useing LocalOS as registry ?
> LocalOS is not supported in a multi-node environment even if that is not
> very clear stated in the doc's. See url (paste it together)
> http://www-1.ibm.com/support/docvie...EQTP&q1=localos
> &uid=swg21139779&loc=en_US&cs=utf-8&lang=en+en
>
> Regards
> Bo Nilsson
> Software Group
> IBM Sweden
>
> Ronaldo Queiroz wrote: 
running 
servers 
below. 
start 
based 
resource 
of 
create 
realm 
>

[ Post a follow-up to this message ]

I got the same problem.
Even I setup the soap.client.props as described.
BTW, should / should not use Local OS User registry ?

Many many thanks !


"CheKim Chhuor" <chhuor@us.ibm.com> wrote in message news:<c1gfh6$66gm$1@news.boulder.ibm.c
om>...
> Ronaldo,
>
> You can try to update the <WAS_HOME>/properties/soap.client.props file wit
h:
> com.ibm.SOAP.securityEnabled=true
> com.ibm.SOAP.loginUserid=yourID
> com.ibm.SOAP.loginPassword=yourPW
>
> I remember getting it to work before. But you'll have to encode the passwo
rd
> in soap.client.props using PropFilePasswordEncoder otherwise password will
> stay in clear text.
>
> CheKim Chhuor
> IBM Poughkeepsie
>
>
>
> "Bo Nilsson" <bo.nilsson@se.ibm.com> wrote in message
> news:c12lk6$42n2$1@news.boulder.ibm.com... 
>  running 
>  servers 
>  below. 
>  start 
>  based 
>  resource 
>  of 
>  create 
>  realm 

[ Post a follow-up to this message ]

I seem to remember to change the following file (if you use Network
Deployment the might exist in both app server and nd installation
directories)

$WAS_HOME/properties/sas.client.props

Change the value of the following property from "prompt" to "properties":

com.ibm.CORBA.loginSource=properties



$WAS_HOME/properties/soap.client.props


set the following properties:

com.ibm.SOAP.loginUserid=userid

com.ibm.SOAP.loginPassword=password


A good deal of this is described in the Redbook SG 24-6573 "WebSphere v5
Security" in appendix D and chapter 10.

Cheers

Stefan


"Jonathan Kwok" <jonathan_kwok_kw@hotmail.com> wrote in message
news:d8dcb234.0403020031.2db95b1@posting.google.com...
> I got the same problem.
> Even I setup the soap.client.props as described.
> BTW, should / should not use Local OS User registry ?
>
> Many many thanks !
>
>
> "CheKim Chhuor" <chhuor@us.ibm.com> wrote in message
news:<c1gfh6$66gm$1@news.boulder.ibm.com>... 
with: 
password 
will 
not 
http://www-1.ibm.com/support/docvie...EQTP&q1=localos 
running 
./startNode.sh -username 
Mismatch 
Cannot 
The 

[ Post a follow-up to this message ]

Hi Bo, I have the same setup as Ronaldo, 2 Base and 1 Deployment Manager of 
version 5.1. 
If i want to enable Global Security then I have to options according the inf
ocenter ;

1. <i>Use a LDAP registry</i>
2. <i>Use a custom registry.</i>

<i>Option 1</i> is not really an option for us, we only have access to a Nov
ell eDirectory 8.1.7 and that directory isnīt supported or what?

<i>Option 2</i>, Is it not t the best way to implement the registry in a dat
abase that are accesible from every component in the setup, further this app
roach are as well best suited for performance and scalability, or what?

In the infocenter, IBM doesnīt recomend to implement option 2 that relies on
 any component that are available in WAS in e.g datasources. Do you have any
 good approach how to do this, normal JDBC connectivty doesnt performt that 
well, or?

Any suggestions or idea's

Best regards
Niclas (Sweden)

[ Post a follow-up to this message ]

Niclas wrote:
> Hi Bo, I have the same setup as Ronaldo, 2 Base and 1 Deployment Manager
> of version 5.1.
> If i want to enable Global Security then I have to options according
> the infocenter ;
>
> 1. <i>Use a LDAP registry</i>
> 2. <i>Use a custom registry.</i>
>
> <i>Option 1</i> is not really an option for us, we only have access to
> a Novell eDirectory 8.1.7 and that directory isnīt supported or what?

You might want to try it and see if it works - in general WAS will work
with any LDAP, even if not explicitly supported (which really just means
that IBM has tested with it)
>
> <i>Option 2</i>, Is it not t the best way to implement the registry in
> a database that are accesible from every component in the setup,
> further this approach are as well best suited for performance and
> scalability, or what?

Building a custom registry is complicated, don't underestimate that. You
have to understand that security initialization happens before the
appserver is fully up and running, so not all components are available.
Also the Node Agent and Deployment Manager need access to the CUR, and
at least the Node doesn't have a J2EE infrastructure.

> In the infocenter, IBM doesnīt recomend to implement option 2 that
> relies on any component that are available in WAS in e.g datasources.
> Do you have any good approach how to do this, normal JDBC connectivty
> doesnt performt that well, or?

Is not that it isn't recommended, it's that it won't work. You wil
either have to roll your own connection pooling or use whatever your
jdbc driver provides.

[ Post a follow-up to this message ]