• Post Reply Bookmark Topic Watch Topic
  • New Topic

WAS security  RSS feed

Jun Hong
Ranch Hand
Posts: 181
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I used performLogin method in LoginHelper. Is there a timeout for credential? Say, I perform login. Do i need to do that again 5 hours later? The problem is that I got Credentials are inValid message.
Here is the details:
10:08liujo Hi, we have an urgent problem with Websphere 4.0.
10:08liujo It throws "Credentials are invalid" error message.
10:08liujo This happens when our corba server, acting as the
10:08liujo client to the app server, has been connected to the
10:08liujo app server for a while (a day or two). Then all subsequent
10:08liujo calls to ejb functions are rejected.
10:09liujo Any idea why and how to fix the problem?
10:10liujo Let me add that
10:10liujo Even re-login fails to revalidate the credentials.
10:18poppro yep
10:18liujo ctrl-g
10:19liujo xxx
10:19liujo I see
10:19poppro indicates that you have an urgent request and somebody should help you!
10:20poppro sorry I can't
10:20liujo got it
10:20liujo Please help with the above (long) question about credentials
10:22sunva I would assume we have IBM WS tech support... if nobody here can help...
10:23liujo I may have to do THAT if no one has an answer here
10:25poppro clarriad or colljos may help you
10:25poppro ;o)
10:37clarriad Hi
10:37clarriad I personally haven't seen that error before
10:37liujo hi
10:38clarriad Has this occured only once or is it a reproducable problem?
10:38liujo It is re-produceable
10:38liujo The error message is very long and suggesting:
10:39liujo it suggest SSL connection, sas.client.props
10:39liujo and sas.server.props
10:40liujo I am wondering if there is a " never expire" setting somewhere
10:42clarriad If you can't re-login again then it sounds more fundamental than it just expiring
10:42colljos Hi - please can you clarify the following:
10:44colljos Is the "credentials invalid" message associated with SSL or an authenticated user request to an EJB ?
10:45colljos Is your CORBA Server using SAS with programmatic login to originally authenticate user ?
10:46liujo I am not sure how the SSL is setup
10:46colljos I'm trying to understand if you have an Application or Infrastructure (WebSphere security) problem
10:46liujo I think I am in the second case
10:46colljos right - Are you running WebSphere with Security enabled ?
10:47colljos (ie. Console, Security Center, security enabled box)
10:47liujo I think we are
10:47liujo Here is the exact message from the server:
10:47liujo [SecureAssociationInterceptorImpl.client_unmarshalled_request]:
10:47liujo JSAS0060W: Unable to build security context. Many times problems with the client and/or server configuration is to blame for these errors. Most of the time it's related to SSL connections not being created. This could be due to invalid settings in the sas.client.props or the sas.server.props. Maybe the UJC.JAR is not specified in the classpath or is not the same version as the server.
10:47liujo The JDK you are using must also have the JSSE extention classes in /java/jre/lib/ext directory. The java.security file must include the IBMJCE provider. If the problem persists, contact support for assistance.
10:47colljos OK
10:48colljos We have seen this problem and already logged it with IBM
10:48colljos awaiting resolution
10:48liujo What do you do in the interim?
10:48colljos wait ;-)
10:49colljos But we have no side effects
10:49liujo do you have to restart the client?
10:49liujo or the server?
10:49colljos ie. the messages are sporadic and random, and the connections are automatically re-established between Client & Servers
10:50colljos nope - but then again we are not using CORBA servers as clients
10:50colljos Ocassionally I have had to restart clients (but not had this problem recently)
10:51liujo But I don't think this only applys to corba client
10:51colljos specifically the Admin Console would need re-starting
10:51colljos sure
10:51colljos Are you running WAS4 AE on Solaris ?
10:51liujo What do you restart admin console for?
10:51liujo Yes on solaris
10:52colljos admin console is just another client to WebSphere
10:52liujo Oh
10:52colljos and thus suffers the same Security problem
10:52karandan Just to clarify. We are not using a CORBA client. We are using a Java based Corba Server which acts as a regular java client to the EJB hosted in WAS4.0 on Solaris.
10:53karandan There is an additional message in the stdout file produced by the app server:
10:53karandan JSAS0435E: Credentials are invalid. Login again to get new credentials. Sometimes it is necessary to restart the cl
10:53karandan ient and/or server to ensure that you are using new credentials. Once credentials are marked invalid, they cannot be
10:53karandan come valid again.
10:53colljos interesting - that message I have NOT yet seen!
10:54liujo Any I am checking my log file again, I do see that the app server send back data a minute a minute after that exception
10:55colljos I suggest you raise this as an official bug with IBM Support
10:55liujo So maybe this one will not be a show-stopper
10:56colljos not a showstopper per se but I'd defintely raise it with a high severity (ie. cannot roll out into production due to this problem)
10:57colljos because you don't want to have to keep re-starting clients for re-authentication
10:57liujo yes, my earlier line was a continuation to my line before, not to your line about rasing to IBM
10:57karandan Jose...what's the process to raise this with IBM?
10:58colljos Contact IBM Support using our Passport Advantage contract agreement
10:58colljos I have all the details for logging calls from London but will need to do a bit of research for US details ..
10:58colljos unless you have a useful IBM Account Manager ?
10:59karandan no I don't or haven't had any contact with IBM directly.
10:59colljos ok - let me make a couple of phone calls to find out
10:59karandan Thanks.
11:01liujo Thanks
11:10colljos guys - I'll forward you a copy of the SSL security session establishment problem I submitted to IBM
11:11hongjb hi liujo
11:12hongjb i looked at the sas.server.props file in properties folder
11:12liujo see private
11:13hongjb there is a property called com.ibm.CORBA.loginTimeout
Jun Hong
[This message has been edited by Jun Hong (edited November 21, 2001).]
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!