IBM Security Verify

• Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  
  • Used when we ssh to the appliance
  • Since no one can change /etc/passwd, we cannot create additional users of this type.
• LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
  • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
  • We can create new users here and groups with different permissions for ISAM management.
  • I can find the predefined group named isam-tenants.
  • If I change the password of admin in LMI, it affects the password of the Appliance user.
  • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
• Local LDAP (or remote)
  • Used by the policy server for authentication and authorization, where we can find sec_master

• Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
• If I create a new user what is it used for?
• I can't find a way to create new groups, but I can assign users to adminGroup group.
• The admin defined here, has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!

• Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  
  • Used when we ssh to the appliance
  • Since no one can change /etc/passwd, we cannot create additional users of this type.
• LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
  • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
  • We can create new users here and groups with different permissions for ISAM management.
  • I can find the predefined group named isam-tenants.
  • If I change the password of admin in LMI, it affects the password of the Appliance user.
  • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
• Local LDAP (or remote)
  • Used by the policy server for authentication and authorization, where we can find sec_master

• Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
• If I create a new user what is it used for?
• I can't find a way to create new groups, but I can assign users to adminGroup group.
• The admin defined here, has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!

• Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  
  • Used when we ssh to the appliance
  • Since no one can change /etc/passwd, we cannot create additional users of this type.
• LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
  • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
  • We can create new users here and groups with different permissions for ISAM management.
  • I can find the predefined group named isam-tenants.
  • If I change the password of admin in LMI, it affects the password of the Appliance user.
  • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
• Local LDAP (or remote)
  • Used by the policy server for authentication and authorization, where we can find sec_master

• Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
• If I create a new user what is it used for?
• I can't find a way to create new groups, but I can assign users to adminGroup group.
• The admin defined here, has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!

• Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  
  • Used when we ssh to the appliance
  • Since no one can change /etc/passwd, we cannot create additional users of this type.
• LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
  • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
  • We can create new users here and groups with different permissions for ISAM management.
  • I can find the predefined group named isam-tenants.
  • If I change the password of admin in LMI, it affects the password of the Appliance user.
  • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
• Local LDAP (or remote)
  • Used by the policy server for authentication and authorization, where we can find sec_master

• Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
• If I create a new user what is it used for?
• I can't find a way to create new groups, but I can assign users to adminGroup group.
• The admin defined here, has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!

1. Currently the CLI uses '/etc/passwd' and the LMI uses a different registry for authentication (either a local file based user registry or an external LDAP user registry).  In the upcoming 10.0.1 release we have provided the option of using the LMI user registry for authentication to the CLI;
2. There was originally an oversight in the implementation of the AAC user registry support which meant that you couldn't manage group membership.  The Web services were available, but the panels were not implemented in the LMI.  This oversight has been corrected in the upcoming 10.0.1 release.

• Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  
  • Used when we ssh to the appliance
  • Since no one can change /etc/passwd, we cannot create additional users of this type.
• LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
  • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
  • We can create new users here and groups with different permissions for ISAM management.
  • I can find the predefined group named isam-tenants.
  • If I change the password of admin in LMI, it affects the password of the Appliance user.
  • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
• Local LDAP (or remote)
  • Used by the policy server for authentication and authorization, where we can find sec_master

• Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
• If I create a new user what is it used for?
• I can't find a way to create new groups, but I can assign users to adminGroup group.
• The admin defined here, has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!

1. Currently the CLI uses '/etc/passwd' and the LMI uses a different registry for authentication (either a local file based user registry or an external LDAP user registry).  In the upcoming 10.0.1 release we have provided the option of using the LMI user registry for authentication to the CLI;
2. There was originally an oversight in the implementation of the AAC user registry support which meant that you couldn't manage group membership.  The Web services were available, but the panels were not implemented in the LMI.  This oversight has been corrected in the upcoming 10.0.1 release.

• Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  
  • Used when we ssh to the appliance
  • Since no one can change /etc/passwd, we cannot create additional users of this type.
• LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
  • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
  • We can create new users here and groups with different permissions for ISAM management.
  • I can find the predefined group named isam-tenants.
  • If I change the password of admin in LMI, it affects the password of the Appliance user.
  • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
• Local LDAP (or remote)
  • Used by the policy server for authentication and authorization, where we can find sec_master

• Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
• If I create a new user what is it used for?
• I can't find a way to create new groups, but I can assign users to adminGroup group.
• The admin defined here, has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!

Hi Jon and Joao

I'm working on changing the password for easuser and believe that I've changed it everywhere but the fed trace log still reports 

[11/9/23, 7:35:16:982 CET] 00000cba id=00000000 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID easuser. An invalid user ID or password was specified.

I cannot find out why.

I've searched a snapshot file and found the easuser also stored in a 

\etc\policies\cml\mga\runtime_profile\runtime_profile14_0_0.xml

Could this be the culprit? A way to fix it?

BR,  Carsten

1. Currently the CLI uses '/etc/passwd' and the LMI uses a different registry for authentication (either a local file based user registry or an external LDAP user registry).  In the upcoming 10.0.1 release we have provided the option of using the LMI user registry for authentication to the CLI;
2. There was originally an oversight in the implementation of the AAC user registry support which meant that you couldn't manage group membership.  The Web services were available, but the panels were not implemented in the LMI.  This oversight has been corrected in the upcoming 10.0.1 release.

• Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  
  • Used when we ssh to the appliance
  • Since no one can change /etc/passwd, we cannot create additional users of this type.
• LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
  • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
  • We can create new users here and groups with different permissions for ISAM management.
  • I can find the predefined group named isam-tenants.
  • If I change the password of admin in LMI, it affects the password of the Appliance user.
  • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
• Local LDAP (or remote)
  • Used by the policy server for authentication and authorization, where we can find sec_master

• Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
• If I create a new user what is it used for?
• I can't find a way to create new groups, but I can assign users to adminGroup group.
• The admin defined here, has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!

Hi Jon and Joao

I'm working on changing the password for easuser and believe that I've changed it everywhere but the fed trace log still reports 

[11/9/23, 7:35:16:982 CET] 00000cba id=00000000 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID easuser. An invalid user ID or password was specified.

I cannot find out why.

I've searched a snapshot file and found the easuser also stored in a 

\etc\policies\cml\mga\runtime_profile\runtime_profile14_0_0.xml

Could this be the culprit? A way to fix it?

BR,  Carsten

1. Currently the CLI uses '/etc/passwd' and the LMI uses a different registry for authentication (either a local file based user registry or an external LDAP user registry).  In the upcoming 10.0.1 release we have provided the option of using the LMI user registry for authentication to the CLI;
2. There was originally an oversight in the implementation of the AAC user registry support which meant that you couldn't manage group membership.  The Web services were available, but the panels were not implemented in the LMI.  This oversight has been corrected in the upcoming 10.0.1 release.

• Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  
  • Used when we ssh to the appliance
  • Since no one can change /etc/passwd, we cannot create additional users of this type.
• LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
  • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
  • We can create new users here and groups with different permissions for ISAM management.
  • I can find the predefined group named isam-tenants.
  • If I change the password of admin in LMI, it affects the password of the Appliance user.
  • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
• Local LDAP (or remote)
  • Used by the policy server for authentication and authorization, where we can find sec_master

• Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
• If I create a new user what is it used for?
• I can't find a way to create new groups, but I can assign users to adminGroup group.
• The admin defined here, has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!

Hi Scott

I mean in all Reverse Proxy instances using BA for calling fed-runtime

and likewise with some junctions with fed-runtime as backend.

BR Carsten

Hi Jon and Joao

I'm working on changing the password for easuser and believe that I've changed it everywhere but the fed trace log still reports 

[11/9/23, 7:35:16:982 CET] 00000cba id=00000000 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID easuser. An invalid user ID or password was specified.

I cannot find out why.

I've searched a snapshot file and found the easuser also stored in a 

\etc\policies\cml\mga\runtime_profile\runtime_profile14_0_0.xml

Could this be the culprit? A way to fix it?

BR,  Carsten

1. Currently the CLI uses '/etc/passwd' and the LMI uses a different registry for authentication (either a local file based user registry or an external LDAP user registry).  In the upcoming 10.0.1 release we have provided the option of using the LMI user registry for authentication to the CLI;
2. There was originally an oversight in the implementation of the AAC user registry support which meant that you couldn't manage group membership.  The Web services were available, but the panels were not implemented in the LMI.  This oversight has been corrected in the upcoming 10.0.1 release.

• Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  
  • Used when we ssh to the appliance
  • Since no one can change /etc/passwd, we cannot create additional users of this type.
• LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
  • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
  • We can create new users here and groups with different permissions for ISAM management.
  • I can find the predefined group named isam-tenants.
  • If I change the password of admin in LMI, it affects the password of the Appliance user.
  • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
• Local LDAP (or remote)
  • Used by the policy server for authentication and authorization, where we can find sec_master

• Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
• If I create a new user what is it used for?
• I can't find a way to create new groups, but I can assign users to adminGroup group.
• The admin defined here, has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!

Hi again

I just made at test and the password in

\etc\policies\cml\mga\runtime_profile\runtime_profile14_0_0.xml

in the snapshot file gets changed when I change the password i  User Registry and create at new snapshot. So that is not the culprit.

I've checked all the federations identify mappings, but no one is using BA for fed-runtime.

Where else could the easuser password be specified?

BR Carsten

Hi Scott

I mean in all Reverse Proxy instances using BA for calling fed-runtime

and likewise with some junctions with fed-runtime as backend.

BR Carsten

Hi Jon and Joao

I'm working on changing the password for easuser and believe that I've changed it everywhere but the fed trace log still reports 

[11/9/23, 7:35:16:982 CET] 00000cba id=00000000 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID easuser. An invalid user ID or password was specified.

I cannot find out why.

I've searched a snapshot file and found the easuser also stored in a 

\etc\policies\cml\mga\runtime_profile\runtime_profile14_0_0.xml

Could this be the culprit? A way to fix it?

BR,  Carsten

1. Currently the CLI uses '/etc/passwd' and the LMI uses a different registry for authentication (either a local file based user registry or an external LDAP user registry).  In the upcoming 10.0.1 release we have provided the option of using the LMI user registry for authentication to the CLI;
2. There was originally an oversight in the implementation of the AAC user registry support which meant that you couldn't manage group membership.  The Web services were available, but the panels were not implemented in the LMI.  This oversight has been corrected in the upcoming 10.0.1 release.

• Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  
  • Used when we ssh to the appliance
  • Since no one can change /etc/passwd, we cannot create additional users of this type.
• LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
  • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
  • We can create new users here and groups with different permissions for ISAM management.
  • I can find the predefined group named isam-tenants.
  • If I change the password of admin in LMI, it affects the password of the Appliance user.
  • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
• Local LDAP (or remote)
  • Used by the policy server for authentication and authorization, where we can find sec_master

• Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
• If I create a new user what is it used for?
• I can't find a way to create new groups, but I can assign users to adminGroup group.
• The admin defined here, has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!

Hi again

I just made at test and the password in

\etc\policies\cml\mga\runtime_profile\runtime_profile14_0_0.xml

in the snapshot file gets changed when I change the password i  User Registry and create at new snapshot. So that is not the culprit.

I've checked all the federations identify mappings, but no one is using BA for fed-runtime.

Where else could the easuser password be specified?

BR Carsten

Hi Scott

I mean in all Reverse Proxy instances using BA for calling fed-runtime

and likewise with some junctions with fed-runtime as backend.

BR Carsten

Hi Jon and Joao

I'm working on changing the password for easuser and believe that I've changed it everywhere but the fed trace log still reports 

[11/9/23, 7:35:16:982 CET] 00000cba id=00000000 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID easuser. An invalid user ID or password was specified.

I cannot find out why.

I've searched a snapshot file and found the easuser also stored in a 

\etc\policies\cml\mga\runtime_profile\runtime_profile14_0_0.xml

Could this be the culprit? A way to fix it?

BR,  Carsten

1. Currently the CLI uses '/etc/passwd' and the LMI uses a different registry for authentication (either a local file based user registry or an external LDAP user registry).  In the upcoming 10.0.1 release we have provided the option of using the LMI user registry for authentication to the CLI;
2. There was originally an oversight in the implementation of the AAC user registry support which meant that you couldn't manage group membership.  The Web services were available, but the panels were not implemented in the LMI.  This oversight has been corrected in the upcoming 10.0.1 release.

• Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  
  • Used when we ssh to the appliance
  • Since no one can change /etc/passwd, we cannot create additional users of this type.
• LMI user registry. I believe LMI is based on Websphere Liberty Profile, and it has its own Repository.
  • We can create users in the LMI interface using Manage system Settings -> System Settings -> Account Management
  • We can create new users here and groups with different permissions for ISAM management.
  • I can find the predefined group named isam-tenants.
  • If I change the password of admin in LMI, it affects the password of the Appliance user.
  • If I create a new user in this registry, it will not be recognized in CLI, but it can be used to login to LMI.
• Local LDAP (or remote)
  • Used by the policy server for authentication and authorization, where we can find sec_master

• Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
• If I create a new user what is it used for?
• I can't find a way to create new groups, but I can assign users to adminGroup group.
• The admin defined here, has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still login to the appliance using the old password!