Thursday, 9 August 2018

Deploying IBM MDM on WAS - Interesting quirk - CWWIM4537E for d9u6m12g7w

So I'm working through the implementation of another IBM Master Data Management (MDM) Advanced Edition (AE) stack, this time using MDM AE 11.5.0.5.

I'm installing it onto WebSphere Application Server (WAS) Network Deployment (ND) 8.5.5.13.

Unlike other products with which I've worked, the installation is a bit more interactive, in that the deployment using IBM Installation Manager (IIM) requires connectivity to both the database ( Oracle in my case ) and to WAS ND.

Therefore, it's necessary to have an existing ( but new ) WAS cell, with a Deployment Manager (DM) and managed node.

Having created my Deployment Manager, and started it, I was working through IIM using its console mode, and one step: -


requires connectivity to the DM.

This wasn't working, so I checked the DM log: -

cat /opt/ibm/WebSphere/AppServer/profiles/Dmgr01/logs/dmgr/SystemOut.log

and was surprised to see: -

SystemOut.log:[09/08/18 09:45:42:971 BST] 0000010c LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E  No principal is found from the 'd9u6m12g7w' principal name..

Given that I'd "told" IIM that the User name was wasadmin, I couldn't see where d9u6m12g7w was coming from.

It seemed to be an internal SOAP user that IIM was sending, for no apparent reason.

In case I'd missed something, I even created a user called d9u6m12g7w in WAS, and gave it full access ( as for the wasadmin user itself ), but then saw this: -

SystemOut.log:[09/08/18 09:49:48:747 BST] 0000010a LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4513E  The password match failed for the 'd9u6m12g7w' principal name..

which kinda makes sense - if IIM is using a "random" user, it's probably also using a "random" password.

I dug around and found this: -


which, although it references an older version of MDM, made some sense.

The solution ( well, I'd call it a circumvention ) is this: -

Resolving the problem

Performing a new installation of InfoSphere MDM v11.4 on WebSphere Application Server v8.5.5.12 using the IBM Installation Manager GUI panels

• Open the WebSphere Application Server Integrated Solutions console (admin console).
• Go to System Administration > Deployment Manager > Java and Process Management > Process definition > Java Virtual Machine > Custom Properties.
• Add the property com.ibm.ws.management.connector.soap.disableSOAPAuthCheck with a value of true.
• Restart the Deployment Manager.

Optional: After the InfoSphere MDM installation is complete, delete the property com.ibm.ws.management.connector.soap.disableSOAPAuthCheck and restart the Deployment Manager.

Having restarted the DM, and retried the IIM step, I get further, although I still see this: -

[09/08/18 10:30:24:097 BST] 00000101 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4513E  The password match failed for the 'd9u6m12g7w' principal name..
[09/08/18 10:30:24:100 BST] 00000101 RoleBasedAuth A   SECJ0305I: The role-based authorization check failed for admin-authz operation Server:getProcessType.  The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: monitor, auditor, configurator, administrator, deployer, operator, adminsecuritymanager.


Weird
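
An added example (not from the original post or from IBM): a small Python parser that tallies the SECJ0369E failures in SystemOut.log by principal name and CWWIM code, and counts the admin operations refused to UNAUTHENTICATED in SECJ0305I lines, so that failures for a generated principal such as d9u6m12g7w can be told apart from failures against real accounts. The `summarise` function, its `expected_admins` default and the final `wasadmin` sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample, modelled on the SystemOut.log lines quoted in the post;
# the final 'wasadmin' line is invented to show a failure for a real account.
SAMPLE_LOG = """\
[09/08/18 09:45:42:971 BST] 0000010c LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E  No principal is found from the 'd9u6m12g7w' principal name..
[09/08/18 10:30:24:097 BST] 00000101 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4513E  The password match failed for the 'd9u6m12g7w' principal name..
[09/08/18 10:30:24:100 BST] 00000101 RoleBasedAuth A   SECJ0305I: The role-based authorization check failed for admin-authz operation Server:getProcessType.  The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: monitor, auditor, configurator, administrator, deployer, operator, adminsecuritymanager.
[09/08/18 10:31:02:415 BST] 00000101 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4513E  The password match failed for the 'wasadmin' principal name..
"""

# SECJ0369E carries the WIM error code and the principal name in quotes.
AUTH_FAIL = re.compile(
    r"SECJ0369E:.*?(?P<code>CWWIM\d{4}E)\s+.*?'(?P<principal>[^']+)' principal name"
)
# SECJ0305I names the admin operation and the user it was refused for.
AUTHZ_DENY = re.compile(
    r"SECJ0305I:.*?operation (?P<op>\S+?)\.\s+The user (?P<user>\S+)"
)


def summarise(log_text, expected_admins=("wasadmin",)):
    """Count LTPA failures per (principal, code) and unauthenticated admin calls."""
    failures = Counter()
    unauth_ops = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            failures[(m["principal"], m["code"])] += 1
            continue
        m = AUTHZ_DENY.search(line)
        if m and m["user"] == "UNAUTHENTICATED":
            unauth_ops[m["op"]] += 1
    # Principals that are not known admin accounts, e.g. generated names.
    unexpected = sorted({p for p, _ in failures if p not in expected_admins})
    return {
        "failures": dict(failures),
        "unauthenticated_ops": dict(unauth_ops),
        "unexpected_principals": unexpected,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, value)
```
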
