WebSphere Application Server & Liberty

WebSphere Application Server & Liberty

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Problems with Websphere when Security is enabled

    Posted Mon February 28, 2022 02:36 PM
    Edited by Stephanie Wilkerson Tue March 01, 2022 12:16 PM
    Hello,

    we want deploy a application which was programmed by another company. We have configured the WebSphere and everything is working fine when the global security is disabled. However, if we enable the security we got following error:

    [2/28/22 19:07:25:018 UTC] 000000e4 AdminServiceI A   ADMN0008I: The getAttributes method results in exception com.ibm.websphere.management.exception.AdminException: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getThreadCount operation on Scheduler MBean because of insufficient or empty credentials.

    Apart from that I have following jacl File which describes how to create the user. So I tried it which different combinations. I created user in the admin Console which I named MBeanAccessUser and gave him the different roles but none of them has worked for me.

    Thank you very much.

    $AdminTask applyWizardSettings {-secureApps true -secureLocalResources false  -adminName system -adminPassword system -userRegistryType WIMUserRegistry}
    $AdminConfig save

    $AdminTask mapGroupsToAdminRole {-roleName administrator -groupids Admin}
    $AdminTask mapGroupsToAdminRole {-roleName operator -groupids Admin}
    $AdminTask mapGroupsToAdminRole {-roleName deployer -groupids Admin}
    $AdminTask mapGroupsToAdminRole {-roleName iscadmins -groupids Admin}
    $AdminTask mapGroupsToAdminRole {-roleName configurator -groupids Admin}
    $AdminTask mapGroupsToAdminRole {-roleName adminsecuritymanager -groupids Admin}
    $AdminTask mapGroupsToAdminRole {-roleName monitor -groupids Admin}
    $AdminTask mapUsersToAdminRole {-roleName monitor -userids MBeanAccessUser}

    $AdminConfig save

    #add this property for correct userlogins
    $AdminTask setAdminActiveSecuritySettings {-customProperties {"com.ibm.websphere.security.JAASAuthData.removeNodeNameGlobal=false"}}
    $AdminConfig save


    ------------------------------
    Alper Özdemir
    ------------------------------


  • 2.  RE: Problems with Websphere when Security is enabled

    Posted Tue March 01, 2022 02:34 AM
    Hello Alper,

      Can you put the complet stack error, what follows to ADMN0022E. What version of WAS are you running?

      When you enable the security are you able to access the admin console?

      Thank you very much.

    Regards

    ------------------------------
    Gabriel Aberasturi
    Versia tecnologias emergentes
    ------------------------------

    Original Message


  • 3.  RE: Problems with Websphere when Security is enabled

    Posted Tue March 01, 2022 12:43 PM
    Hello Gabriel,

    i am running Traditional WebSphere on docker provided from here https://hub.docker.com/r/ibmcom/websphere-traditional
    My Version is 9.0.5.10.
    I am able to access the admin console. The Application just doesn't work.
    Here are the stack errors:

    [3/1/22 10:49:24:373 UTC] 0000010a AdminServiceI A   ADMN0008I: The getAttributes method results in exception com.ibm.websphere.management.exception.AdminException: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getQueueLength operation on Tracking MBean because of insufficient or empty credentials.

        at com.ibm.ws.management.AdminServiceImpl.getAttributes(AdminServiceImpl.java:1011)

        at com.ibm.ws.management.PlatformMBeanServer.getAttributes(PlatformMBeanServer.java:697)

        at abaxx.core.services.ManagementService.getAttributes(ManagementService.java:265)

        at abaxx.glue.ibm.websphere.MBeanAccessBean.getAttributes(MBeanAccessBean.java:37)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)

        at java.lang.reflect.Method.invoke(Method.java:508)

        at com.ibm.ejs.container.EJSContainer.invokeProceed(EJSContainer.java:5347)

        at com.ibm.ejs.container.interceptors.InvocationContextImpl.proceed(InvocationContextImpl.java:652)

        at com.ibm.ws.cdi.ejb.impl.InterceptorChain.proceed(InterceptorChain.java:120)

        at com.ibm.ws.cdi.ejb.impl.EJBCDIInterceptorWrapper.invokeInterceptors(EJBCDIInterceptorWrapper.java:140)

        at com.ibm.ws.cdi.ejb.impl.EJBCDIInterceptorWrapper.aroundInvoke(EJBCDIInterceptorWrapper.java:56)

        at sun.reflect.GeneratedMethodAccessor117.invoke(Unknown Source)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)

        at java.lang.reflect.Method.invoke(Method.java:508)

        at com.ibm.ejs.container.interceptors.InterceptorProxy.invokeInterceptor(InterceptorProxy.java:201)

        at com.ibm.ejs.container.interceptors.InvocationContextImpl.proceed(InvocationContextImpl.java:632)

        at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:73)

        at com.ibm.ws.cdi.ejb.impl.WeldSessionBeanInterceptorWrapper.aroundInvoke(WeldSessionBeanInterceptorWrapper.java:58)

        at sun.reflect.GeneratedMethodAccessor116.invoke(Unknown Source)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)

        at java.lang.reflect.Method.invoke(Method.java:508)

        at com.ibm.ejs.container.interceptors.InterceptorProxy.invokeInterceptor(InterceptorProxy.java:201)

        at com.ibm.ejs.container.interceptors.InvocationContextImpl.proceed(InvocationContextImpl.java:632)

        at com.ibm.ejs.container.interceptors.InvocationContextImpl.doAroundInterceptor(InvocationContextImpl.java:306)

        at com.ibm.ejs.container.interceptors.InvocationContextImpl.doAroundInvoke(InvocationContextImpl.java:273)

        at com.ibm.ejs.container.EJSContainer.invoke(EJSContainer.java:5239)

        at abaxx.glue.ibm.websphere.EJSLocal0SLMBeanAccessBean_4eeb70df.getAttributes(EJSLocal0SLMBeanAccessBean_4eeb70df.java)

        at abaxx.glue.ibm.websphere.ManagementServiceAdapterBean.getAttributes(ManagementServiceAdapterBean.java:67)

        at abaxx.core.services.ManagementService.getAttributes(ManagementService.java:222)

        at abaxx.core.services.management.MonitoringTask.execute(MonitoringTask.java:30)

        at abaxx.core.services.ScheduledTask.execute(ScheduledTask.java:107)

        at abaxx.core.services.internal.scheduler.TaskWorker.executeTask(TaskWorker.java:153)

        at abaxx.core.services.internal.scheduler.TaskWorker.run(TaskWorker.java:116)

        at com.ibm.ws.asynchbeans.SubmittedTask.run(SubmittedTask.java:711)

        at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)

    Caused by: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getQueueLength operation on Tracking MBean because of insufficient or empty credentials.

        at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:2517)

        at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:2319)

        at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:2087)

        at com.ibm.ws.management.AdminServiceImpl.getAttributes(AdminServiceImpl.java:984)

        ... 36 more

     

    [3/1/22 10:49:24:377 UTC] 0000010a SystemOut     O   2022-03-01 10:49:24.377+00:00 | ERROR | 915 | Could not retrieve mbean attribute: javax.management.RuntimeOperationsException: Exception occured trying to invoke the getter on the MBean | MBeanAccessBean

    [3/1/22 10:49:24:365 UTC] 00000106 AdminServiceI A   ADMN0008I: The getAttributes method results in exception com.ibm.websphere.management.exception.AdminException: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getThreadCount operation on Scheduler MBean because of insufficient or empty credentials.

        at com.ibm.ws.management.AdminServiceImpl.getAttributes(AdminServiceImpl.java:1011)

        at com.ibm.ws.management.PlatformMBeanServer.getAttributes(PlatformMBeanServer.java:697)

        at abaxx.core.services.ManagementService.getAttributes(ManagementService.java:265)

        at abaxx.glue.ibm.websphere.MBeanAccessBean.getAttributes(MBeanAccessBean.java:37)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)

        at java.lang.reflect.Method.invoke(Method.java:508)

        at com.ibm.ejs.container.EJSContainer.invokeProceed(EJSContainer.java:5347)

        at com.ibm.ejs.container.interceptors.InvocationContextImpl.proceed(InvocationContextImpl.java:652)

        at com.ibm.ws.cdi.ejb.impl.InterceptorChain.proceed(InterceptorChain.java:120)

        at com.ibm.ws.cdi.ejb.impl.EJBCDIInterceptorWrapper.invokeInterceptors(EJBCDIInterceptorWrapper.java:140)

        at com.ibm.ws.cdi.ejb.impl.EJBCDIInterceptorWrapper.aroundInvoke(EJBCDIInterceptorWrapper.java:56)

        at sun.reflect.GeneratedMethodAccessor117.invoke(Unknown Source)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)

        at java.lang.reflect.Method.invoke(Method.java:508)

        at com.ibm.ejs.container.interceptors.InterceptorProxy.invokeInterceptor(InterceptorProxy.java:201)

        at com.ibm.ejs.container.interceptors.InvocationContextImpl.proceed(InvocationContextImpl.java:632)

        at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:73)

        at com.ibm.ws.cdi.ejb.impl.WeldSessionBeanInterceptorWrapper.aroundInvoke(WeldSessionBeanInterceptorWrapper.java:58)

        at sun.reflect.GeneratedMethodAccessor116.invoke(Unknown Source)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)

        at java.lang.reflect.Method.invoke(Method.java:508)

        at com.ibm.ejs.container.interceptors.InterceptorProxy.invokeInterceptor(InterceptorProxy.java:201)

        at com.ibm.ejs.container.interceptors.InvocationContextImpl.proceed(InvocationContextImpl.java:632)

        at com.ibm.ejs.container.interceptors.InvocationContextImpl.doAroundInterceptor(InvocationContextImpl.java:306)

        at com.ibm.ejs.container.interceptors.InvocationContextImpl.doAroundInvoke(InvocationContextImpl.java:273)

        at com.ibm.ejs.container.EJSContainer.invoke(EJSContainer.java:5239)

        at abaxx.glue.ibm.websphere.EJSLocal0SLMBeanAccessBean_4eeb70df.getAttributes(EJSLocal0SLMBeanAccessBean_4eeb70df.java)

        at abaxx.glue.ibm.websphere.ManagementServiceAdapterBean.getAttributes(ManagementServiceAdapterBean.java:67)

        at abaxx.core.services.ManagementService.getAttributes(ManagementService.java:222)

        at abaxx.core.services.management.MonitoringTask.execute(MonitoringTask.java:30)

        at abaxx.core.services.ScheduledTask.execute(ScheduledTask.java:107)

        at abaxx.core.services.internal.scheduler.TaskWorker.executeTask(TaskWorker.java:153)

        at abaxx.core.services.internal.scheduler.TaskWorker.run(TaskWorker.java:116)

        at com.ibm.ws.asynchbeans.SubmittedTask.run(SubmittedTask.java:711)

        at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)

    Caused by: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getThreadCount operation on Scheduler MBean because of insufficient or empty credentials.

        at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:2517)

        at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:2319)

        at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:2087)

        at com.ibm.ws.management.AdminServiceImpl.getAttributes(AdminServiceImpl.java:984)

        ... 36 more


    Thank you very much.

    ------------------------------
    Alper Özdemir
    ------------------------------

    Original Message


  • 4.  RE: Problems with Websphere when Security is enabled

    Posted Wed March 02, 2022 03:31 AM
    Alper,

    So when you start docker container have you specified a password (mounting a file to docker in /tmp/PASSWORD)? or you only have started the container?

    If you have started the container only (without password file) as docker instructions says by default security is enabled


    > In both cases a secure profile is created with an admin user ID of *wsadmin* and a generated password. The generated password can be retrieved from the container using the following command:
    >
    > docker exec test cat /tmp/PASSWORD


    where *test* is your CONTAINER_NAME


    check that you are able to login in the console with wsadmin user and PASSWORD

    https://localhost:9043/ibm/console/login.do?action=secure

    If you are able you need to edit soap.client.propos the next file inside the container.

    1. Go into container docker exec -ti CONTAINER_NAME bash
    2. cd /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/properties
    3. Edit the file soap.client.props
    4. vi soap.client.props
    com.ibm.SOAP.securityEnabled=true
    com.ibm.SOAP.loginUserid=wsadmin
    com.ibm.SOAP.loginPassword=PASSWORD
    5. exit vi ([ESC] + : + x) ;-)
    6. exit container.
    7. stop the container docker stop CONTAINER_NAME
    8. start the container docker start CONTAINER_NAME


    Hope this helps

    regards

    ------------------------------
    Gabriel Aberasturi
    Versia tecnologias emergentes
    ------------------------------

    Original Message


  • 5.  RE: Problems with Websphere when Security is enabled

    Posted Wed March 02, 2022 10:02 AM
      |   view attached
    Hey Gabriel,

    it seems like it did something, but I get nearly the same error. It says:

    [3/2/22 14:56:18:160 UTC] 000000a4 SystemOut     O   2022-03-02 14:56:18.160+00:00 | ERROR | 909 | Could not retrieve mbean attribute: javax.management.RuntimeOperationsException: Exception occured trying to invoke the getter on the MBean | MBeanAccessBean

    [3/2/22 14:56:18:160 UTC] 000000a9 RoleBasedAuth A   SECJ0305I: The role-based authorization check failed for admin-authz operation JDBC:getConnectionsInUse.  The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: configurator, administrator, auditor, monitor, deployer, adminsecuritymanager, operator.

    And then follows the above described ADMN0008I Error.

    Apart from that I get attached screen on my application. I tried to create a user "unauthenticated" with the described roles but it didn't worked. Thank you very much!




    ------------------------------
    Alper Özdemir
    ------------------------------

    Original Message


  • 6.  RE: Problems with Websphere when Security is enabled

    Posted Wed March 02, 2022 10:46 AM
    Hi Alper,

    Ok, do the same steps to edit soap.client.props but now with sas.client.props (is in the same place), edit the next properties:

    com.ibm.CORBA.loginSource=properties

    # RMI/IIOP user identity
    com.ibm.CORBA.loginUserid=wsadmin
    com.ibm.CORBA.loginPassword=PASSWORD

    Hope this helps.

    Regards

    ------------------------------
    Gabriel Aberasturi
    Versia tecnologias emergentes
    ------------------------------

    Original Message


  • 7.  RE: Problems with Websphere when Security is enabled

    Posted Thu March 03, 2022 03:54 AM
    Hey Gabriel,

    unfortunately I get still the same error message.


    ------------------------------
    Alper Özdemir
    ------------------------------

    Original Message


  • 8.  RE: Problems with Websphere when Security is enabled

    Posted Thu March 03, 2022 04:37 AM
    Hello Alper,

    Seems that you have an administrative client that is trying to access to MBEans inside the application. You haven't any type of configuration or requierements from development team to deploy the application? any role or user to create and map?

    at abaxx.glue.ibm.websphere.EJSLocal0SLMBeanAccessBean_4eeb70df.getAttributes(EJSLocal0SLMBeanAccessBean_4eeb70df.java)

    at abaxx.glue.ibm.websphere.ManagementServiceAdapterBean.getAttributes

    Here some documentation about development of admin clients

    https://www.ibm.com/docs/en/was/9.0.5?topic=apis-developing-administrative-client-program


    The next step is enable traces to determine which component of the application is failing.

    From admin console
    Troubleshooting -> Logs and traces -> Server1 -> change log details level -> runtime (tab) and put *=all (will be to verbose, then we can filter) then stop and start the application again.

    Hope this helps.

    Regards

    ------------------------------
    Gabriel Aberasturi
    Versia tecnologias emergentes
    ------------------------------

    Original Message