

Unable to authenticate when a repository is down

If one or more configured repositories are down, you cannot authenticate or stop WAS.


Problem

The following exception or a similar exception may occur, which indicates that a connection to the back-end repository cannot be established:

CWWIM4520E The 'javax.naming.CommunicationException:
Extdomain1.altext.ibm.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]'
naming exception occurred during processing.
at com.ibm.ws.wim.adapter.ldap.LdapConnection.reCreateDirContext(LdapConnection.java:613)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.search(LdapConnection.java:2419)


Solution

Ensure that your back-end repository is running and that you can connect to it. If more than one repository is configured, all of the configured repositories should be up and running.
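To see which repository to check first, the following Python script pulls the unreachable host, port and root cause out of each CWWIM4520E event in log text. It is an added example, not part of the original documentation; the function name, the sample log (constructed from the exception text above) and the assumption that every new log message carries a CWWIM message ID are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the CWWIM4520E text from this page plus one
# made-up filler message that the parser must ignore.
SAMPLE_LOG = """\
CWWIM4520E The 'javax.naming.CommunicationException:
Extdomain1.altext.ibm.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]'
naming exception occurred during processing.
at com.ibm.ws.wim.adapter.ldap.LdapConnection.reCreateDirContext(LdapConnection.java:613)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.search(LdapConnection.java:2419)
CWWIM0000I constructed filler line that must be ignored
"""

# host:port followed by the bracketed root cause, as in the message above.
ENDPOINT = re.compile(
    r"CommunicationException:\s*(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})"
    r"\s*\[Root exception is (?P<cause>[^\]]+)\]"
)

# A new event starts on any line that contains a CWWIM message ID
# (assumption), so a timestamp prefix on that line is tolerated.
EVENT_START = re.compile(r"(?m)^(?=.*\bCWWIM\d{4}[EWI]\b)")


def unreachable_repositories(log_text):
    """Count CWWIM4520E events per (host, port, root cause)."""
    hits = Counter()
    # The message wraps over several lines, so work on whole events.
    for event in EVENT_START.split(log_text):
        if "CWWIM4520E" not in event:
            continue
        m = ENDPOINT.search(event)
        if m:
            hits[(m["host"], int(m["port"]), m["cause"].strip())] += 1
    return hits


if __name__ == "__main__":
    for (host, port, cause), n in unreachable_repositories(SAMPLE_LOG).items():
        print(f"{host}:{port} unreachable in {n} event(s): {cause}")
```
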

If the problem persists, it is due to a security feature of virtual member manager. If one or more configured repositories are down, you cannot log in (even as admin) or stop WebSphere Application Server, regardless of the repository in which your particular ID is stored. Virtual member manager always checks all repositories before authenticating.

To disable this security feature, use the createIdMgrRealm or updateIdMgrRealm wsadmin command to set the -allowOperationIfReposDown parameter to true. The default value of the allowOperationIfReposDown parameter is false. After you disable this security feature, even if one of the configured repositories is down, virtual member manager works with the other active repositories. You can log in successfully, as long as the login user ID and password are in a repository that is active.

If you set the value of the allowOperationIfReposDown parameter to true, the following behavior can be expected:

Start WAS

The allowOperationIfReposDown parameter is not applicable when the server is starting up. Whether the server can start up successfully with offline repositories depends entirely on the repository type. LDAP repositories do not require the LDAP servers to be up for successful server startup. Depending on your context pool settings, an LDAP repository may not even try to communicate with the LDAP server until the first request is made to read a user's profile. During server startup, WAS looks up the administrator's profile. If the LDAP server is offline, you may experience delays. Other repository types (including custom) may fail server startup if the repository is offline. This behavior is entirely dependent on the repository type.

Log in to WAS

The allowOperationIfReposDown parameter applies when you log in to WAS. After WebSphere Application Server has started successfully, even if one or more of the repositories go down, you can log in and perform any operation, including stopping the server, as long as your user ID is in one of the active repositories.

Stop WAS

The allowOperationIfReposDown parameter applies when you are shutting down the server using wasadmin -userid -password. See the previous subheading, on logging in to WAS, for behavior during login.

For more information about the allowOperationIfReposDown parameter and the createIdMgrRealm or updateIdMgrRealm wsadmin commands, see IdMgrRealmConfig command group in the WAS information center. (If you are using WAS version 6.1, to disable this security feature, first apply the PK78677 patch or install WAS fixpack 6.1.0.23 or above, and then change the configuration accordingly.)
