WebSphere Application Server & Liberty


Federated repositories NOT working properly

Joseph Amrith Raj Paturi, Fri January 18, 2013 06:49 AM

  • 1.  Federated repositories NOT working properly

    Posted Tue January 15, 2013 05:09 PM
    Hi,

    There is a WAS environment in our company configured with "Federated repositories", e.g. an LDAP registry and a file registry, with the "Primary administrative user" created in the file registry. Recently an LDAP server was down, and at that time ALL admin users could not log in to the Admin Console, not even the "Primary Administrative User" which was created in the File Registry. This is definitely not the way "Federated repositories" should work; even with the LDAP server down, a file registry user should have no problem logging in to the Admin Console, right?

    Can anybody tell me why, and how to make it work properly?

    Thanks !

    Eric


  • 2.  Federated repositories NOT working properly

    Posted Tue January 15, 2013 06:38 PM
    Hi EricYP,

      I think that is working as expected but you can solve the "problem"

      Look at this link
     
      When using a federated repository, is there a way to ensure that my file-based registry will continue to function when a LDAP server is down?
      www.ibm.com/developerworks/websphere/tec...
     
      Hope this helps.  Tell us if you need more support.

    Regards, 


  • 3.  Federated repositories NOT working properly

    Posted Fri January 18, 2013 06:49 AM
    try this
    Enable the checkbox



  • 4.  Federated repositories NOT working properly

    Posted Fri January 18, 2013 02:06 PM
    Hi Joseph,

      In what version of WAS do you have the option? Does it appear when you have more than one repository (makes sense)?


      In V6.1 and V7 with only fileBaseRepository I don't have it.


     
    In v7 the commands are:

    • Using Jacl:
      $AdminTask updateIdMgrRealm {-allowOperationIfReposDown true}

    • Using Jython string:
      AdminTask.updateIdMgrRealm('[-allowOperationIfReposDown true]')

    • Using Jython list:
      AdminTask.updateIdMgrRealm(['-allowOperationIfReposDown', 'true'])




      thanks in advance

    Regards


  • 5.  Federated repositories NOT working properly

    Posted Mon January 21, 2013 09:41 AM
    Activating that checkbox (which to my knowledge indeed only appears if there are multiple repositories configured) should work, however you should only activate it if you know what you are doing:

    From what I understood, the reason for this behaviour (no login when one repository is down) is that WebSphere checks each repository during authentication. If the user is found once, authentication is successful. If the user is found in multiple repositories, authentication fails, because WebSphere cannot be sure whether the authenticated user is the "right user" who should have the configured privileges. Therefore, if one of the configured repositories is down, WebSphere cannot perform this check, and so authentication fails.

    If you only have the primary user in file based registry, activating that checkbox should be OK. If not, please consider the above. 


  • 6.  Federated repositories NOT working properly

    Posted Tue January 22, 2013 04:25 PM

    Thanks all for your responses and interest in the topic, esp. thanks to Gabriel for the prompt reply.


    The status right now is: I have enabled "allowOperationIfReposDown" in 2 of our environments (total 4), and I am trying to request an LDAP downtime (a bit hard, as the LDAP servers are under another dept) to verify it. Meanwhile I'm crossing my fingers hoping one of the LDAP servers crashes so I'd know the result immediately!


    Anyway, I'll keep you guys posted !


    Have a nice day !


    Eric


  • 7.  Federated repositories NOT working properly

    Posted Wed January 23, 2013 01:50 PM
    I hope you don't mind that I hop onto this conversation as this is my exact issue. 

    I am using WAS v7 FP 25 with Federated Repositories (defaultWIMFileBasedRealm and Novell eDirectory LDAP).  A couple of weeks ago our certificate with the LDAP server expired, so I had to disable security so I could log in and fix the problem with the certificate.  I was very happy when I found this post.  I do have a few questions:

    Which command do I use (create or update)?

    $AdminTask createIdMgrRealm -name ibmRealm -allowOperationIfReposDown true
    $AdminTask updateIdMgrRealm -name ibmRealm -allowOperationIfReposDown true

    Am I creating a new IdMgrRealm using a different name other than defaultWIMFileBasedRealm, or am I updating the defaultWIMFileBasedRealm?

    Thank you in advance for any help.


  • 8.  Federated repositories NOT working properly

    Posted Wed January 23, 2013 11:03 PM

    Personally, I only recommend file-based for admin backdoor access. File-based means each cell is independent. Good for test, but as soon as you get many users, i.e. developers and testers, it gets out of control and should only be used as a backdoor for, say, a generic secure wasadmin-type ace when needed in an emergency. I still think WAS complicates the virtual realms config, and it has really only improved marginally in WAS 8.x, but it is definitely more stable there!

    I am writing an audit Jython class as part of an OO Jython workshop to be presented at IBM Impact if approved, and it can be used to audit the local file-based repos. Obviously LDAP in test is better, even if it is open source like Apache DS or OpenLDAP. Prod should be more robust, like TDS.

    My blog has references to LDAP stuff, and if you look around you should also find some security automation and a sample OO security audit Jython code in a few weeks time. This will help people in this situation going forward.

    blog.webspheretools.com

    Cheers


     Steve



  • 9.  Federated repositories NOT working properly

    Posted Fri January 25, 2013 08:29 AM
    [quote author=195388057 post=528291377]

    Thanks all for your responses and interest in the topic, esp. thanks to Gabriel for the prompt reply.


    The status right now is: I have enabled "allowOperationIfReposDown" in 2 of our environments (total 4), and I am trying to request an LDAP downtime (a bit hard, as the LDAP servers are under another dept) to verify it. Meanwhile I'm crossing my fingers hoping one of the LDAP servers crashes so I'd know the result immediately!


    Anyway, I'll keep you guys posted !


    Have a nice day !


    Eric[/quote]

    Perhaps you could simulate a downtime in one of your testing stages (preferably a "lab" which only you use) by either blocking LDAP access via a local firewall or by reconfiguring the LDAP hostname (in WebSphere security) to a "dead end". Either way, WebSphere is unable to access LDAP.


  • 10.  Federated repositories NOT working properly

    Posted Fri January 25, 2013 02:12 PM

    I thought I would add one more comment to back up the previous comments from Christoph. When testing, firewall blocking, a port forward to nowhere, a wrong port, or changing the local hosts file might work. I can't remember in what situation WAS caches the hostname, but I do know it will store it. This kind of test allows WAS not to be restarted and thus provides a better LDAP test. A restart invalidates the config for LDAP testing, if you know what I mean. Not all bits of WAS are yet dynamic, though it's getting better every release!



  • 11.  Federated repositories NOT working properly

    Posted Fri January 25, 2013 04:57 PM
    Hi Brian,

    For my case, I used "update", as the assumption was that "allowOperationIfReposDown" had already been created. But after the update command, I found out that "allowOperationIfReposDown" is actually newly created within wimconfig.xml. So personally, I don't think there is a difference between "create" and "update". If possible, you can try both; for safety, I suggest using "update".

    Cheers !
    Eric


  • 12.  Federated repositories NOT working properly

    Posted Fri January 25, 2013 05:03 PM
    Sometimes a few of the underlying Mbean wrappers don't all get tested in regression testing.


  • 13.  Federated repositories NOT working properly

    Posted Fri January 25, 2013 05:17 PM

    Here is one small example of many I have for advanced OO-style coding for Jython. You can use this class template I invented to give you very powerful control as you scale many config types, as opposed to one-liner semi-hard-coded code. It can help improve the underlying Jython you code going forward. Looks complex, but not really.

    blog.webspheretools.com/2012/08/31/websp...

    Note there are AdminTask functions which are really parameterised wrappers around the actual MBeans. They are continually added over time in each new release of WAS. Not all MBeans are available in this format, whereas AdminConfig is really the closest direct link to the MBean and the matching XML file used to store the MBean's config. Quite clever; hope this helps improve the LDAP/Security scripting. And not too off topic, I just had it there and thought it may be useful.


    Cheers



  • 14.  Federated repositories NOT working properly

    Posted Tue February 05, 2013 02:06 PM
    Hi,

    I have good news to share with you: the Jython script below works perfectly to keep a file-based user id working when the LDAP server is down:

    AdminTask.updateIdMgrRealm(['-name', 'defaultWIMFileBasedRealm', '-allowOperationIfReposDown', 'true'])

    I have just tested it out with the LDAP server down.

    So whoever has same issue/concern, please go ahead with this method. 

    One more finding is that the above updateIdMgrRealm command would NOT only change values within wimconfig.xml; it would change other files as well, which I'm not sure what files are. That means just backing up the wimconfig.xml file is not enough if you want to restore the original setting later. This is an interesting topic we can investigate further.

    Thanks, have a nice day !
    Eric
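
An added example, not code from this thread or from IBM: an offline audit of a wimconfig.xml that reports, per realm, whether allowOperationIfReposDown is set and how many repositories participate, which is the combination post 5 warns about and post 14 says is written into wimconfig.xml. The XML namespace, the attribute name on the realm element and the sample file are assumptions I constructed for the example.

```python
"""Audit a WebSphere wimconfig.xml for the allowOperationIfReposDown realm flag."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of wimconfig.xml (namespace and layout assumed,
# not copied from a real cell); two repositories participate in the default realm.
SAMPLE_WIMCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<sdo:datagraph xmlns:sdo="commonj.sdo"
               xmlns:config="http://www.ibm.com/websphere/wim/config">
  <config:configurationProvider>
    <config:realms defaultRealm="defaultWIMFileBasedRealm">
      <config:realm name="defaultWIMFileBasedRealm" securityUse="active"
                    allowOperationIfReposDown="false">
        <config:participatingBaseEntries name="o=defaultWIMFileBasedRealm"/>
        <config:participatingBaseEntries name="o=corp,dc=example,dc=com"/>
      </config:realm>
    </config:realms>
  </config:configurationProvider>
</sdo:datagraph>
"""

def local(tag):
    """Strip the namespace so matching does not depend on the prefix in use."""
    return tag.rsplit('}', 1)[-1]

def audit_realms(xml_text):
    """Return one finding per realm: name, participating repos, flag, verdict."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if local(el.tag) != 'realm':
            continue
        repos = [c.get('name') for c in el if local(c.tag) == 'participatingBaseEntries']
        allow = el.get('allowOperationIfReposDown', 'false').lower() == 'true'
        if len(repos) > 1 and not allow:
            verdict = 'any repository outage blocks all logins, including file-based admins'
        elif len(repos) > 1:
            verdict = 'logins survive an outage; keep user ids unique across repositories'
        else:
            verdict = 'single repository; the flag has no effect'
        findings.append({'realm': el.get('name'), 'repositories': repos,
                         'allowOperationIfReposDown': allow, 'verdict': verdict})
    return findings

if __name__ == '__main__':
    for finding in audit_realms(SAMPLE_WIMCONFIG):
        print(finding)
```

Point it at a real file with `audit_realms(open(path).read())`; the verdict for a multi-repository realm with the flag on is the reminder that the duplicate-user check is what the flag bypasses.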



  • 15.  Federated repositories NOT working properly

    Posted Tue February 05, 2013 09:11 PM
    Eric,

      Thank you very much for taking the time to respond.
     
      That's the way to get a better community


    kind regards


  • 16.  Federated repositories NOT working properly

    Posted Mon August 04, 2014 07:41 AM
    Hi All,

    I added a user in user roles, which is stored in the file-based repository. Is there any other repository to store it in? If so, what is it, and how can we add users using Jython? Please advise.