Hi Gianluca,
When you connect to the AAC/Fed runtime (https://localhost:443 on the appliance), the username and password presented in the Basic Auth header are validated against the built-in user registry of the runtime. You can see the users defined in the LMI by going to AAC --> User Registry.
Make sure that easuser is defined and, if necessary, change the password so that you know what it is.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Fri February 05, 2021 10:07 AM
From: Gianluca Mamone
Subject: CWWKS1100A: Authentication did not succeed for user ID easuser
Hi,
I'm struggling with an error found in the AAC traces:
[2/5/21 15:41:53:027 CET] 00000056 id=00000000 oli.am.fim.ws.oidc.tai.OIDCTrustAssociationInterceptorOnPrem 2 isTargetInterceptor(HttpServletRequest) Request URI: /rtss/authz/services/AuthzService
[2/5/21 15:41:53:027 CET] 00000056 id=00000000 oli.am.fim.ws.oidc.tai.OIDCTrustAssociationInterceptorOnPrem < isTargetInterceptor(HttpServletRequest) RETURN false
[2/5/21 15:41:53:030 CET] 00000056 id=00000000 com.ibm.ws.security.wim.registry.util.LoginBridge E CWIML4537E: The login operation could not be completed. The specified principal name easuser is not found in the back-end repository.
com.ibm.wsspi.security.wim.exception.PasswordCheckFailedException: CWIML4537E: The login operation could not be completed. The specified principal name easuser is not found in the back-end repository.
at com.ibm.ws.security.wim.ProfileManager.loginImpl(ProfileManager.java:1870)
at com.ibm.ws.security.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:254)
at com.ibm.ws.security.wim.ProfileManager.login(ProfileManager.java:217)
at com.ibm.ws.security.wim.VMMService.login(VMMService.java:246)
at com.ibm.ws.security.wim.registry.util.LoginBridge.checkPassword(LoginBridge.java:116)
at com.ibm.ws.security.wim.registry.WIMUserRegistry.checkPassword(WIMUserRegistry.java:151)
at com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login(UsernameAndPasswordLoginModule.java:75)
at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:51)
at sun.reflect.GeneratedMethodAccessor46.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:788)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:196)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(AccessController.java:734)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:696)
at javax.security.auth.login.LoginContext.login(LoginContext.java:597)
at com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl.doLoginContext(JAASServiceImpl.java:343)
at com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl.performLogin(JAASServiceImpl.java:329)
at com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl.performLogin(JAASServiceImpl.java:314)
at com.ibm.ws.security.authentication.internal.AuthenticationServiceImpl.performJAASLogin(AuthenticationServiceImpl.java:495)
at com.ibm.ws.security.authentication.internal.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:209)
at com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator.basicAuthenticate(BasicAuthAuthenticator.java:126)
at com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator.handleBasicAuth(BasicAuthAuthenticator.java:117)
at com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator.authenticate(BasicAuthAuthenticator.java:70)
at com.ibm.ws.webcontainer.security.WebAuthenticatorProxy.authenticate(WebAuthenticatorProxy.java:101)
at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.authenticateRequest(WebAppSecurityCollaboratorImpl.java:1211)
at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.determineWebReply(WebAppSecurityCollaboratorImpl.java:967)
at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.performSecurityChecks(WebAppSecurityCollaboratorImpl.java:656)
at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.preInvoke(WebAppSecurityCollaboratorImpl.java:574)
at com.ibm.wsspi.webcontainer.collaborator.CollaboratorHelper.preInvokeCollaborators(CollaboratorHelper.java:459)
at com.ibm.ws.webcontainer.osgi.collaborator.CollaboratorHelperImpl.preInvokeCollaborators(CollaboratorHelperImpl.java:270)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1114)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1010)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:75)
at com.ibm.ws.webcontainer40.servlet.CacheServletWrapper40.handleRequest(CacheServletWrapper40.java:83)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:938)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1134)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:415)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:374)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:546)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:480)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:345)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:316)
at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:1100)
at com.ibm.ws.channel.ssl.internal.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:675)
at com.ibm.ws.channel.ssl.internal.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1824)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:504)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:574)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:958)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1047)
at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:820)
As suggested in this IBM document, I tried both:
Resolving The Problem
1) In the WebSEAL instance configuration modify the basic-auth-passwd value to the correct password for the userid provided in the basic-auth-user entry. Typically you will see "basic-auth-user = easuser" set in the tfim-cluster:oauth-cluster stanza.
By default the basic-auth-passwd entry is not visible in the WebSEAL configuration. You can add basic-auth-passwd, with a value, right after "basic-auth-user = easuser" entry in the tfim-cluster:oauth-cluster stanza. Save and deploy the changes and restart the WebSEAL instance.
Next time the WebSEAL instance is restarted the password will be obfuscated.
OR
2) Remove/comment the following entries in the tfim-cluster:oauth-cluster stanza.
server = 9,https://localhost:443/TrustServerWS/SecurityTokenServiceWST13
ssl-keyfile = pdsrv.kdb
ssl-keyfile-stash = pdsrv.sth
basic-auth-user = easuser
basic-auth-passwd =
But the error is still there. Any suggestions?
Thanks a lot
------------------------------
Gianluca Mamone
Cybertech
Rome
------------------------------
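
Added example, not part of either post and not IBM code: a small triage script that pulls the rejected principal out of the runtime trace and matches it against the `basic-auth-user` entry of each WebSEAL stanza, so you can see which stanza is sending the rejected credentials and whether that user exists in the runtime registry. The function names, the `REGISTRY_USERS` set (standing in for what AAC --> User Registry lists) and the treatment of `#` lines as comments are assumptions.

```python
import re

# Trace lines and stanza entries copied from the thread above.
TRACE = """\
[2/5/21 15:41:53:027 CET] 00000056 id=00000000 oli.am.fim.ws.oidc.tai.OIDCTrustAssociationInterceptorOnPrem 2 isTargetInterceptor(HttpServletRequest) Request URI: /rtss/authz/services/AuthzService
[2/5/21 15:41:53:030 CET] 00000056 id=00000000 com.ibm.ws.security.wim.registry.util.LoginBridge E CWIML4537E: The login operation could not be completed. The specified principal name easuser is not found in the back-end repository.
"""
CONF = """\
[tfim-cluster:oauth-cluster]
basic-auth-user = easuser
basic-auth-passwd =
"""
REGISTRY_USERS = {"someotheruser"}  # constructed stand-in for the registry contents
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]{8})\s+(?P<rest>.*)$")
URI = re.compile(r"Request URI: (\S+)")
NOT_FOUND = re.compile(r"\bE (CWIML4537E): .*principal name (\S+) is not found")

def rejected_logins(trace):
    """One dict per CWIML4537E error, with the last request URI seen on that thread."""
    last_uri, hits = {}, []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # stack frames and exception lines carry no timestamp
        if (u := URI.search(m["rest"])):
            last_uri[m["thread"]] = u[1]
        if (e := NOT_FOUND.search(m["rest"])):
            hits.append({"time": m["ts"], "code": e[1], "principal": e[2],
                         "uri": last_uri.get(m["thread"])})
    return hits

def parse_stanzas(conf):
    """Parse '[stanza]' / 'key = value' text; repeated keys are kept as lists."""
    stanzas, current = {}, None
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return stanzas

def correlate(trace, conf, registry_users):
    """Match each rejected principal to the stanza configured to send it."""
    return [{**hit, "stanza": name,
             "in_registry": hit["principal"] in registry_users,
             "password_set": any(entries.get("basic-auth-passwd", []))}
            for hit in rejected_logins(trace)
            for name, entries in parse_stanzas(conf).items()
            if hit["principal"] in entries.get("basic-auth-user", [])]
```

`correlate(TRACE, CONF, REGISTRY_USERS)` returns one finding for `easuser` with `in_registry` false. `password_set` only reports whether the entry is non-empty, since the stored value is obfuscated after a restart and cannot be compared to the registry password.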