Wednesday, 18 November 2009

SECJ0375E: Mismatch of realms during token validation

More notes from the front-line. Whilst trying to get WebSphere Portal <-> Lotus Connections <-> Lotus Quickr to place nicely using the Lightweight Third Party Authentication (LTPA) mechanism to achieve Single Sign-On, we were hitting these two messages: -

SECJ0375E: Mismatch of realms during token validation
SECJ0373E: Cannot create credential for the user <null> due to failed validation of the LTPA token. The exception is com.ibm.websphere.security.CustomRegistryException: The realm in the token: domino.uk.ibm.com:389 does not match the current realm: defaultWIMFileBasedRealm

This was being displayed in SystemOut.log on the Connections server. The second message really says it all.

When we configured the underlying WebSphere Application Server 6.1.0.23 instance for security, using a Federated Repository, Domino LDAP etc., we failed to change the realm name, but left it at the default of defaultWIMFileBasedRealm.

Interestingly, the LC25 Information Centre does imply that it's OK to leave it as-is: -

  • On the Federated Repositories page, enter an administrative user ID (for example, wasadmin) in the Primary administrative user name field. You can leave the other default settings, such as Realm name, unchanged.
    Note: The administrative user ID must be unique, and must not exist in the LDAP repository to be federated.


  • However, the LTPA token that had been generated on the portal server ( WebSphere Portal Server 6.1.0.2 running on WebSphere Application Server 6.1.0.25 ), and contained the line: -

    com.ibm.websphere.ltpa.Realm=domino.uk.ibm.com\:389

    The solution ?

    We simply changed the Realm Name from defaultWIMFileBasedRealm to domino.uk.ibm.com:389 and then restarted Connections.

    Job done, next .....

    3 comments:

    Brownie said...

    Thanks Dave. I just needed this!

    Adam

    davidpa20 said...

    Dave could you explain me how to change Realm Name defaulWIMFileBasedRealm, i am dummy at lotus Connections and Websphere.

    Thanks in advance

    Dave Hay said...

    David

    a) log into the WebSphere Application Server Integrated Solutions Console (ISC) as the WebSphere administrative user
    b) navigate to 'Security' -> 'Secure administration, applications and infrastructure'
    c) under 'User Account Repository', you should have 'Federated repositories' configured as the 'Current realm definition'
    d) ensure that 'Available realm definitions' is also set as 'Federated repositories'
    e) click on the 'Configure' button to the right of the 'Available realm definitions' pulldown
    f) set the 'Realm name' field to something that matches the realm of the other servers requiring SSO with Connections
    g) set the 'Primary administrative user name' to that of a user within the LDAP that all servers are using
    h) click 'OK'
    i) Click 'Save'
    j) Restart WebSphere Application Server

    You should now be in sync.

    If in doubt, check the above BEFORE you do it with a local WebSphere Application Server administrator.

    Note to self - use kubectl to query images in a pod or deployment

    In both cases, we use JSON ... For a deployment, we can do this: - kubectl get deployment foobar --namespace snafu --output jsonpath="{...