Wednesday, 10 April 2013

CWWIM4529E and SECJ0369E seen when authenticating a user in WebSphere Application Server

If you see exceptions such as: -

[08/04/13 13:11:01:956 BST] 0000001d LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E  The password verification for the 'wasadmin' principal name failed. Root cause: 'javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; Resolved object: 'com.sun.jndi.ldap.LdapCtx@a9d2c4f9''..

[08/04/13 12:35:42:483 BST] 0000001c LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.WIMException.
[08/04/13 12:35:42:485 BST] 0000001c FormLoginExte E   SECJ0118E: Authentication error during authentication for user wasadmin

[08/04/13 12:34:41:460 BST] 0000001c UserRegistryI E   SECJ0363E: Cannot create credential for the user wasadmin because of the following exception com.ibm.websphere.wim.exception.WIMException
[08/04/13 12:34:41:469 BST] 0000001c LTPAServerObj E   SECJ0373E: Cannot create credential for the user wasadmin due to failed validation of the LTPA token. The exception is com.ibm.websphere.wim.exception.WIMException

and, most tellingly: -

[08/04/13 12:46:28:546 BST] 00000024 exception     E com.ibm.ws.wim.adapter.file.was.FileAdapter create
                                 com.ibm.websphere.wim.exception.EntityAlreadyExistsException: CWWIM4501E  An entity with same unique name, 'uid=wasadmin,o=defaultWIMFileBasedRealm', or same RDN value already exists.

and ( in SystemErr.log ): -

[08/04/13 12:46:28:557 BST] 00000024 SystemErr     R com.ibm.websphere.wim.exception.EntityAlreadyExistsException: CWWIM4501E  An entity with same unique name, 'uid=wasadmin,o=defaultWIMFileBasedRealm', or same RDN value already exists.

there's a very good chance that you do have TWO wasadmin accounts :-)

In our case, we were using wasadmin from the File-Based Registry, which was working perfectly UNTIL we added LDAP.

After much faffing about, we realised that we did indeed have a duplicate ID problem and, when we checked the LDAP, lo and behold, there was another account called wasadmin.

Strangely, this had worked a few weeks back, so I can only assume that (a) the LDAP-based wasadmin was new or (b) it had previously had the same password as the local account, but had been subsequently changed.

Bottom line, when adding LDAP, check that you're not going to hit this problem ... BEFORE you hit this problem.

If in doubt, make sure that the account you use when creating the profile ( which automagically creates the File-Based Registry ) is going to be unique, unique, unique.

:-)
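A log triage check for the pattern described above, as an added example that is not from the original post: it flags any principal that both fails an LDAP bind (CWWIM4529E with LDAP error 49) and is reported as already existing in another repository (CWWIM4501E). The sample lines are shortened from the ones quoted above, the 'jbloggs' line is constructed, and the function name is hypothetical.

```python
import re

# Sample input: the wasadmin lines are shortened from the log quoted in the post;
# the jbloggs line is constructed to show an ordinary bad password (not a duplicate).
SAMPLE_LOG = """\
[08/04/13 13:11:01:956 BST] 0000001d LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4529E  The password verification for the 'wasadmin' principal name failed. Root cause: 'javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]'
[08/04/13 12:35:42:485 BST] 0000001c FormLoginExte E   SECJ0118E: Authentication error during authentication for user wasadmin
[08/04/13 12:46:28:546 BST] 00000024 exception     E com.ibm.ws.wim.adapter.file.was.FileAdapter create
                                 com.ibm.websphere.wim.exception.EntityAlreadyExistsException: CWWIM4501E  An entity with same unique name, 'uid=wasadmin,o=defaultWIMFileBasedRealm', or same RDN value already exists.
[08/04/13 12:50:00:000 BST] 00000025 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. CWWIM4529E  The password verification for the 'jbloggs' principal name failed. Root cause: '[LDAP: error code 49 - Invalid Credentials]'
"""

# CWWIM4529E: password check failed for a principal name.
PW_FAIL = re.compile(
    r"CWWIM4529E\s+The password verification for the '([^']+)' principal name failed")
# CWWIM4501E: an entity with this unique name already exists in a repository.
DUP = re.compile(
    r"CWWIM4501E\s+An entity with same unique name, '(?:uid|cn)=([^,']+),([^']+)'")
LDAP_INVALID_CREDS = "LDAP: error code 49"


def find_duplicate_principals(log_text):
    """Return {principal: base entry} for IDs that failed an LDAP bind AND
    are reported as already existing in another repository."""
    ldap_failures = set()
    already_exists = {}
    # Match per line, with or without a timestamp, so the continuation
    # line that carries the exception text is still seen.
    for line in log_text.splitlines():
        m = PW_FAIL.search(line)
        if m and LDAP_INVALID_CREDS in line:
            ldap_failures.add(m.group(1).lower())
        m = DUP.search(line)
        if m:
            already_exists[m.group(1).lower()] = m.group(2)
    return {p: already_exists[p] for p in sorted(ldap_failures) if p in already_exists}


if __name__ == "__main__":
    for principal, base in find_duplicate_principals(SAMPLE_LOG).items():
        print(f"possible duplicate ID: {principal} (also defined under {base})")
```

A principal that only shows the CWWIM4529E line, like the constructed jbloggs entry, is left out: that is an ordinary failed password, not a clash between repositories.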

