Network Deployment (Distributed operating systems), v8.0 > Reference > Troubleshoot tips
Service integration bus security: Troubleshooting tips
Use this set of specific tips to help you troubleshoot problems you experience when working with a secure service integration bus.
To help you identify and resolve service integration bus security-related problems, use the WAS trace and logging facilities as described in Trace and logging configuration .
If you encounter a problem that you think might be related to service integration bus security, you can check for error messages in the WAS administrative console, and in the application server SystemOut.log file. We can also enable the application server debug trace to provide a detailed exception dump.
New feature: Beginning in WAS v8.0 you can configure the server to use the High Performance Extensible Logging (HPEL) log and trace infrastructure instead of using SystemOut.log , SystemErr.log, trace.log, and activity.log files or native z/OS logging facilities. If you are using HPEL, you can access all of your log and trace information using the LogViewer command-line tool from your server profile bin directory. See the information about using HPEL to troubleshoot applications for more information on using HPEL.New feature:
WAS system messages are logged from a variety of sources, including application server components and applications. Messages logged by application server components and associated IBM products start with a unique message identifier that indicates the component or application that issued the message. The prefix for the service integration bus security component is CWSII.
The Troubleshooter reference: Messages contains information about all WAS messages, indexed by message prefix. For each message there is an explanation of the problem, and details of any action that you can take to resolve the problem.
Here is a set of tips to help you troubleshoot commonly-experienced problems:
- After you migrate a v5.1 application server to WAS v7.0 or later, existing web services clients can no longer use SOAP over JMS to access services hosted on the migrated server.
- When you try and make a connection by using a user ID in an authorized group, access is denied when using LDAP
After you migrate a v5.1 application server to WAS v7.0 or later, existing web services clients can no longer use SOAP over JMS to access services hosted on the migrated server.
Before you migrated the v5.1 application server, no user ID or password was required on the target MQ Series queue. After the application server is migrated to v7.0 or later, and to use the default messaging provider (the service integration bus), client requests fail because basic authentication is now enabled. The problem appears as a log message:
SibMessage W [:] CWSIT0009W: A client request failed in the application server with endpoint <endpoint_name> in bus your_bus with reason: CWSIT0016E: The user ID null failed authentication in bus your_bus.In WAS v7.0 or later, when you use a service integration bus and WAS security is enabled for the server or cell, by default the service integration bus queue destination inherits the security characteristics of the server or cell. So if the server or cell has basic authentication enabled, then the client request fails.
To resolve the problem, we have three choices (in order of security, from least secure to most secure):
- Disable security.
- For an equivalent level of security to the configuration on v5.1, modify the settings for the service integration bus that hosts the queue destination so that bus security is disabled and therefore the bus does not inherit security characteristics from the server or cell.
- For a greater level of security than the configuration on v5.1, configure basic authentication on each client that uses the service.
To disable WAS security, refer to Enable and disable security using scripting, or Global security settings.
To disable bus security, use the admin console to complete the following steps:
- Navigate to Service integration -> Buses -> bus_name.
- Clear the Secure check box.
- Save your changes.
To configure basic authentication on each client, use either the admin console or wsadmin.sh. To complete the task by using wsadmin, see Configure web service client port information using wsadmin.sh and use the WebServicesClientBindPortInfo wsadmin task option.
To complete the task by using the admin console, complete the following steps:
- Navigate to Applications -> Application Types -> WebSphere enterprise applications -> application_name -> Web Modules or EJB Modules > module_name > Web services: Client security bindings .
- Click HTTP basic authentication to access the "Configuring HTTP basic authentication with the administrative console" panel.
- Enter the values in the panel.
- Save your changes to the master configuration.
When you try and make a connection by using a user ID in an authorized group, access is denied when using LDAP
One of the possible causes is the group name, if you are using an Lightweight Directory Access Protocol (LDAP) registry. When you specify the group authorization permissions, the distinguished name (DN) should be used as the group name. If you specify a common name (CN) for the group name users in that group cannot be authorized.
Steps to change the group name from CN to DN depends on where the problem occurred.
- If we have problem connecting to a service integration bus, see Administer the bus connector role, and remove any groups with CN group names, and replace them with DN group names.
- If we have problem sending a message to a destination, see Administer destination roles, and remove any groups with CN group names, and replace them with DN group names.
- If we have problems sending topics to a topic space, see Administer topic space root roles, and remove any groups with CN group names, and replace them with DN group names.
- For any other problems refer to the appropriate section on Administer authorization permissions on how to modify the group name.