IBM BS029ML Self Help Guide - Page 142
Association Interceptor configuration. Further investigation should be done with the traces enabled, using the trace strings given in Table 4-5 on page 107.

The more complicated cases come from the failure of multiple servers. Besides the things mentioned above, you may want to verify the following:

- All participating servers share the same DNS domain, which should be the one configured as the SSO domain. As stated before, the SSO domain cannot be blank in this case.
- All participating servers share the same LTPA key.
- All participating servers are configured to the same user registry and port number, for example, LDAP.

A couple of cases are given in Example 4-17 and Example 4-18.

Example 4-17 SSO failure case: mismatched realm

[6/12/07 11:16:37:762 CDT] 0000004d LTPAServerObj E SECJ0375E: Mismatch of realms during token validation.
[6/12/07 11:16:37:824 CDT] 0000004d LTPAServerObj E SECJ0373E: Cannot create credential for the user due to failed validation of the LTPA token. The exception is com.ibm.websphere.security.CustomRegistryException: The realm in the token: tamdirprod.mayo.edu:389 does not match the current realm: WMMRealm
[6/12/07 11:17:03:153 CDT] 0000004d SecurityColla A SECJ0053E: Authorization failed for WMMRealm/m024534 while invoking (Bean)ejb/MemberServiceHome getMember(com.ibm.websphere.wmm.datatype.MemberIdentifier,com.ibm.websphere.wmm.datatype.StringSet):1 securityName: WMMRealm/testuser1;accessID: user:WMMRealm/uid=testuser1,ou=people,ou=dept,o=acme.com is not granted any of the required roles: Everyone

This failure is due to the mismatched user registry realm. When WMMUR is configured, the default realm is "WMMRealm". If other systems are configured to use a different realm, such as "corpldap.acem.com:389", the global security configuration of WebSphere Application Server must be set to use that same realm. In the case of WMMUR, you need to add a custom property called userRegistryRealm and set its value to the shared user registry realm. This is shown in Example 4-4 on page 111.

Example 4-18 SSO failure case: BadPaddingException

[8/13/07 11:12:48:127 CDT] 00000097 LTPACrypto 3 BadPaddingException validating token, normal when token generated from other factory. Given final block not properly padded
[8/13/07 11:12:48:127 CDT] 00000097 LTPACrypto 3 Total decryption time: 1
[8/13/07 11:12:48:127 CDT] 00000097 LTPAServerObj 3 Calling tokenFactory[2].validateTokenBytes()
[8/13/07 11:12:48:127 CDT] 00000097 AuthzPropToke > AuthzPropToken from byte[] Entry
[8/13/07 11:12:48:129 CDT] 00000097 AuthzPropToke 3 Before parsing, length: 169 string: B4> l
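The following script is an added example, not part of the IBM guide and not IBM code. It does two things the checklist above asks an administrator to do by hand: it scans SystemOut-style log lines for the SSO symptoms shown in Examples 4-17 and 4-18 (the SECJ0375E/SECJ0373E realm mismatch, and the debug-level BadPaddingException that the log itself describes as normal when a token came from another token factory), and it compares a per-server summary of the settings the checklist names (SSO domain, LTPA key, user registry host and port, realm). The log lines and server settings are constructed sample data using example.com names; the `ltpa_key_fingerprint` field is an assumption, standing for whatever digest you compute over each server's exported LTPA key file so that keys can be compared without copying the keys themselves.

```python
import re

# Constructed sample log lines modelled on the Example 4-17 / 4-18 format.
# Hostnames and user names are placeholders, not the guide's own values.
SAMPLE_LOG = """\
[6/12/07 11:16:37:762 CDT] 0000004d LTPAServerObj E SECJ0375E: Mismatch of realms during token validation.
[6/12/07 11:16:37:824 CDT] 0000004d LTPAServerObj E SECJ0373E: Cannot create credential for the user due to failed validation of the LTPA token. The exception is com.ibm.websphere.security.CustomRegistryException: The realm in the token: corpldap.example.com:389 does not match the current realm: WMMRealm
[6/12/07 11:17:03:153 CDT] 0000004d SecurityColla A SECJ0053E: Authorization failed for WMMRealm/testuser1 while invoking (Bean)ejb/MemberServiceHome getMember(...):1 securityName: WMMRealm/testuser1;accessID: user:WMMRealm/uid=testuser1,ou=people,o=example.com is not granted any of the required roles: Everyone
[8/13/07 11:12:48:127 CDT] 00000097 LTPACrypto 3 BadPaddingException validating token, normal when token generated from other factory. Given final block not properly padded
[8/13/07 11:12:48:127 CDT] 00000097 LTPACrypto 3 Total decryption time: 1
"""

# [timestamp] threadId component level message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-f]{8})\s+(?P<comp>\S+)\s+(?P<level>\S)\s+(?P<msg>.*)$"
)
# Pulls both realms out of the SECJ0373E CustomRegistryException text.
REALM_RE = re.compile(
    r"The realm in the token:\s*(?P<token_realm>\S+)\s+does not match the current realm:\s*(?P<local_realm>\S+)"
)


def parse_log(text):
    """Split log text into dicts of ts/thread/comp/level/msg; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_sso_symptoms(text):
    """Return a list of findings, each a dict with kind, ts and detail."""
    findings = []
    for e in parse_log(text):
        msg = e["msg"]
        if msg.startswith("SECJ0375E"):
            # Realm mismatch signalled by the LTPA server object itself.
            findings.append({"kind": "realm_mismatch_signal", "ts": e["ts"], "detail": None})
        rm = REALM_RE.search(msg)
        if rm:
            # The pair (realm carried in the token, realm this server expects).
            findings.append({"kind": "realm_mismatch", "ts": e["ts"],
                             "detail": (rm["token_realm"], rm["local_realm"])})
        if "BadPaddingException" in msg:
            # Debug-level message; per the log text it is expected when several
            # token factories are configured, so report it as a hint, not an error.
            findings.append({"kind": "bad_padding", "ts": e["ts"], "detail": e["level"]})
    return findings


# Constructed per-server settings. ltpa_key_fingerprint is an assumed field:
# a digest the operator computes over each server's exported LTPA key file.
SAMPLE_SERVERS = {
    "portal01": {"sso_domain": "example.com", "ltpa_key_fingerprint": "KEY-A",
                 "registry": "corpldap.example.com:389", "realm": "corpldap.example.com:389"},
    "wps02": {"sso_domain": "example.com", "ltpa_key_fingerprint": "KEY-A",
              "registry": "corpldap.example.com:389", "realm": "WMMRealm"},
}


def check_sso_consistency(servers):
    """Apply the checklist: every field must agree across servers and the SSO domain
    must not be blank. Returns a list of (field, value -> [server names]) problems."""
    problems = []
    for field in ("sso_domain", "ltpa_key_fingerprint", "registry", "realm"):
        by_value = {}
        for name, cfg in servers.items():
            by_value.setdefault(cfg.get(field), []).append(name)
        if len(by_value) > 1:
            problems.append((field, by_value))
    blank = sorted(n for n, c in servers.items() if not c.get("sso_domain"))
    if blank:
        problems.append(("sso_domain_blank", blank))
    return problems


if __name__ == "__main__":
    for f in find_sso_symptoms(SAMPLE_LOG):
        print(f["ts"], f["kind"], f["detail"])
    for field, detail in check_sso_consistency(SAMPLE_SERVERS):
        print("config mismatch:", field, detail)
```

On the sample data the log scan reports the token realm `corpldap.example.com:389` against the local `WMMRealm`, and the configuration check reports the same disagreement on the `realm` field between the two servers, which is exactly the condition Example 4-17 describes and the userRegistryRealm custom property resolves.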