
Security Troubleshooting Guide

1 CCMDB Security
1.1 WebSphere Application Server authentication
1.1.1 New user cannot log in
1.2 VMMSync configuration
1.2.1 Partial Sync
1.2.2 New users/groups missing
1.2.3 User attributes missing
1.3 CCMDB Authorization
1.3.1 403 Authorization error
1.3.2 Start Center Authorization
2 Tivoli Application Dependency Discovery Manager (TADDM) Security (VMM option)
2.1 TADDM Authentication
2.1.1 Administrator login failure
2.1.2 User login failure
2.2 TADDM Authorization
2.2.1 User without TADDM role can log in
2.2.2 TADDM Security Upgrade Issues
3 CCMDB Eco-System Integration
3.1 TADDM Single Sign-On
3.1.1 LTPA token issues
3.2 TADDM SSO authorization issues
3.2.1 SSO successful but authorization error
3.3 TADDM Authorization Synchronization
3.3.1 Collection fails to save
1 CCMDB Security
Background:
Change and Configuration Management Database (CCMDB) is installed with
application-server security turned on. The task of authenticating the user is
delegated to WebSphere Application Server. When a user is successfully
authenticated by WebSphere Application Server, CCMDB creates a security profile
for the user in order to make authorization decisions. In order for CCMDB to create
a security profile, the user record must be present in the database repository. In other
words, even if the user is successfully authenticated, the user record must exist in the
Maximo database before the user can log in to the start center. This task is
accomplished by configuring the VMMSync crontask to query the relevant system
users through the VMM runtime APIs and create their records in the Maximo database.
For more information about authentication, authorization, and configuring security,
refer to the CCMDB information center.

1.1 WebSphere Application Server authentication


1.1.1 New user cannot log in
A new user was successfully added to the directory server but cannot log in to
CCMDB.

Condition 1:
The user was added to a directory information tree (DIT) that is not configured under VMM.
Message in SystemOut.log:

[4/8/07 18:27:10:828 CDT] 0000003d LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is <null>.

Fix:
Make sure the user is created under the proper location in the directory server, or federate an
additional subtree under VMM.

Condition 2:
CCMDB is set up to require membership in a J2EE role (default: maximouser) before
allowing a user to log in to the system.
Browser message:
Internet Explorer – HTTP 403 Forbidden

Exception in SystemOut.log:
[4/8/07 18:51:52:937 CDT] 00000038 WebCollaborat A SECJ0129E: Authorization
failed for maxadmin while invoking GET on maximo_host:/maximo/ui/login,
Authorization failed, Not granted any of the required roles: maximouser

Fix:
Assign the proper group to the user in the directory server (in this case maximouser) or
map the J2EE role to “All authenticated”. In order for a modified J2EE role mapping to be
effective, MXServer must be restarted.

*Note: The CCMDB (7.1 & 7.11) install maps this role to “All authenticated” by default.

1.2 VMMSync configuration

1.2.1 Partial Sync


Some of the users from the directory server are synchronized, but the remaining users cannot
be seen and group memberships do not show up.

Condition 1:
Duplicate email ids:

Exception in SystemOut.log:
[4/8/07 13:42:18:640 CDT] 0000006b SystemOut O 08 Apr 2007 13:42:14:125 [ERROR] Failed to
initialize the VMMSyncCronTask. This message will be repeated if the initialization fails again when the
task is run the next time.
psdi.security.vmm.VMMSyncException: Failed to perform VMM user synchronization.
at psdi.security.vmm.VMMSynchronizer.syncVMMUsers(VMMSynchronizer.java:654)
at psdi.security.vmm.VMMSynchronizer.performSync(VMMSynchronizer.java:345)
at psdi.security.vmm.VMMSyncTask.performTask(VMMSyncTask.java:348)
at psdi.security.vmm.VMMSyncCronTask.cronAction(VMMSyncCronTask.java:190)
at psdi.server.CronTaskManager.callCronMethod(CronTaskManager.java:1338)
at psdi.server.CronTaskManager.access$300(CronTaskManager.java:83)
at psdi.server.CronTaskManager$CronThread.run(CronTaskManager.java:1750)
Caused by:
psdi.security.vmm.VMMSyncException: Failed to synchronize VMM user data to database.
at psdi.security.vmm.DefaultVMMSyncAdapter.syncUser(DefaultVMMSyncAdapter.java:86)
at psdi.security.vmm.VMMSynchronizer.syncVMMUsers(VMMSynchronizer.java:623)
... 6 more
Caused by:
com.ibm.db2.jcc.b.SqlException: One or more values in the INSERT statement, UPDATE statement, or
foreign key update caused by a DELETE statement are not valid because the primary key, unique constraint
or unique index identified by "2" constrains table "MAXIMO.EMAIL" from having duplicate values for
the index key.
at com.ibm.db2.jcc.b.sf.d(sf.java:1396)
at com.ibm.db2.jcc.c.jb.l(jb.java:367)
at com.ibm.db2.jcc.c.jb.a(jb.java:64)
at com.ibm.db2.jcc.c.w.a(w.java:48)
at com.ibm.db2.jcc.c.dc.b(dc.java:302)
at com.ibm.db2.jcc.b.tf.cb(tf.java:1719)
at com.ibm.db2.jcc.b.tf.d(tf.java:2319)
at com.ibm.db2.jcc.b.tf.Y(tf.java:540)
at com.ibm.db2.jcc.b.tf.executeUpdate(tf.java:523)
at psdi.security.vmm.DefaultVMMSyncAdapter.insertRecord(DefaultVMMSyncAdapter.java:843)
at psdi.security.vmm.DefaultVMMSyncAdapter.syncUser(DefaultVMMSyncAdapter.java:80)

Fix:
Make sure that no two users have the same email id in the directory server.

Condition 2:
One or more users have the mail attribute set to a null value in the directory server.

Exception in SystemOut.log

psdi.security.vmm.VMMSyncException: Failed to perform VMM user synchronization.
at psdi.security.vmm.VMMSynchronizer.syncVMMUsers(VMMSynchronizer.java:654)
at psdi.security.vmm.VMMSynchronizer.performSync(VMMSynchronizer.java:345)
at psdi.security.vmm.VMMSyncTask.performTask(VMMSyncTask.java:348)
at psdi.security.vmm.VMMSyncCronTask.cronAction(VMMSyncCronTask.java:190)
at psdi.server.CronTaskManager.callCronMethod(CronTaskManager.java:1338)
at psdi.server.CronTaskManager.access$300(CronTaskManager.java:83)
at psdi.server.CronTaskManager$CronThread.run(CronTaskManager.java:1750)
Caused by:
psdi.security.vmm.VMMSyncException: Failed to synchronize VMM user data to database.
at psdi.security.vmm.DefaultVMMSyncAdapter.syncUser(DefaultVMMSyncAdapter.java:86)
at psdi.security.vmm.VMMSynchronizer.syncVMMUsers(VMMSynchronizer.java:623)
... 6 more
Caused by:
com.ibm.db2.jcc.b.SqlException: One or more values in the INSERT statement, UPDATE statement, or
foreign key update caused by a DELETE statement are not valid because the primary key, unique constraint
or unique index identified by "2" constrains table "MAXIMO.EMAIL" from having duplicate values for
the index key.
at com.ibm.db2.jcc.b.sf.d(sf.java:1396)
at com.ibm.db2.jcc.c.jb.l(jb.java:367)
at com.ibm.db2.jcc.c.jb.a(jb.java:64)
at com.ibm.db2.jcc.c.w.a(w.java:48)
at com.ibm.db2.jcc.c.dc.b(dc.java:302)
at com.ibm.db2.jcc.b.tf.cb(tf.java:1719)
at com.ibm.db2.jcc.b.tf.d(tf.java:2319)
at com.ibm.db2.jcc.b.tf.Y(tf.java:540)
at com.ibm.db2.jcc.b.tf.executeUpdate(tf.java:523)
at psdi.security.vmm.DefaultVMMSyncAdapter.insertRecord(DefaultVMMSyncAdapter.java:843)
at psdi.security.vmm.DefaultVMMSyncAdapter.syncUser(DefaultVMMSyncAdapter.java:80)

Fix:
Make sure that the empty mail attribute is removed from the directory server or that a
value is provided for it.

Condition 3:

1.2.2 New users/groups missing


New users and groups added to the directory server do not show up in CCMDB.

Condition 1:
The VMM component cache is turned on and its timeout is greater than the VMMSync schedule interval.

Fix:
Update the VMMSync schedule so that the VMM cache expires before the next sync, or disable the
VMM cache for each directory server federated under VMM.
Condition 2:
The VMMSync crontask usermapping or groupmapping attributes were updated to point to a
new location in the directory information tree (DIT), or a new crontask instance was added
for a multiple-user-directory setup.

Fix:
In order for any of the above changes to take effect, MXServer needs to be restarted.
1.2.3 User attributes missing
Once the sync is completed, users have the firstname and display name attributes missing in
the Maximo user application. The directory server user attributes are queried by the VMMSync
crontask from the directory server and mapped to user columns in the Maximo database
repository. The LDAP attribute to user column mapping is defined in the VMMSync
configuration under the usermapping parameter.
CCMDB (7.1 & 7.11) ships with the following mapping:
<table name="PERSON">
    <keycolumn name="PERSONID" type="UPPER">uid</keycolumn>
    <column name="FIRSTNAME" type="ALN">givenName</column>
    <column name="LASTNAME" type="ALN">sn</column>
    <column name="DISPLAYNAME" type="ALN">displayName</column>
    <column name="ADDRESSLINE1" type="ALN">street</column>
    <column name="STATEPROVINCE" type="ALN">st</column>
    <column name="CITY" type="ALN">l</column>
    <column name="POSTALCODE" type="ALN">postalCode</column>
    <column name="COUNTRY" type="ALN">c</column>
    <column name="STATUS" type="UPPER">{ACTIVE}</column>
    <column name="TRANSEMAILELECTION" type="UPPER">{NEVER}</column>
    <column name="VIP" type="YORN">{0}</column>
    <column name="STATUSDATE" type="ALN">{:sysdate}</column>
    <column name="ACCEPTINGWFMAIL" type="YORN">{1}</column>
    <column name="LOCTOSERVREQ" type="YORN">{1}</column>
    <column name="PERSONUID" type="INTEGER">{:uniqueid}</column>
    <column name="HASLD" type="YORN">{0}</column>
    <column name="LANGCODE" type="UPPER">{en}</column>
</table>

Condition 1:
The attributes are not present in the directory server.
Fix 1:
Make sure that user objects have the ‘displayName’ and ‘givenName’ attributes.
Fix 2:
If you decide not to introduce the additional attributes for the user object, the problem can
also be addressed by modifying the mapping to an attribute that is already present in the
directory server, as in the following mapping which uses cn. Remember to restart MXServer
after updating the usermapping parameter.

    <column name="FIRSTNAME" type="ALN">cn</column>
    <column name="LASTNAME" type="ALN">sn</column>
    <column name="DISPLAYNAME" type="ALN">cn</column>
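As an added example (not part of this guide or of the CCMDB product), the following Python check applies the PERSON usermapping to an LDIF export and reports the three directory problems that sections 1.2.1 and 1.2.3 trace sync failures to: duplicate mail values, null mail values, and mapped attributes that are absent. The mapping is trimmed to the columns that matter here, and the LDIF entries are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# The PERSON mapping quoted in section 1.2.3, trimmed to the columns that matter here.
USERMAPPING = """<table name="PERSON">
<keycolumn name="PERSONID" type="UPPER">uid</keycolumn>
<column name="FIRSTNAME" type="ALN">givenName</column>
<column name="LASTNAME" type="ALN">sn</column>
<column name="DISPLAYNAME" type="ALN">displayName</column>
<column name="STATUS" type="UPPER">{ACTIVE}</column>
</table>"""

# Constructed LDIF export (sample data): asmith lacks givenName/displayName and
# reuses jdoe's address; bking has the mail attribute present but null.
SAMPLE_LDIF = """dn: uid=jdoe,ou=users,dc=example,dc=com
uid: jdoe
sn: Doe
givenName: John
displayName: John Doe
mail: jdoe@example.com

dn: uid=asmith,ou=users,dc=example,dc=com
uid: asmith
sn: Smith
mail: jdoe@example.com

dn: uid=bking,ou=users,dc=example,dc=com
uid: bking
sn: King
givenName: Bob
displayName: Bob King
mail:
"""

def parse_ldif(text):
    """Minimal single-valued LDIF reader: returns {uid: {attribute: value}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip()] = value.strip()
        entries[attrs["uid"]] = attrs
    return entries

def mapped_ldap_attributes(usermapping_xml):
    """LDAP attributes the mapping reads; {literal} and {:function} values are constants."""
    root = ET.fromstring(usermapping_xml)
    return [el.text for el in root if not el.text.startswith("{")]

def check_sync_readiness(usermapping_xml, ldif_text):
    """Report the directory problems that sections 1.2.1 and 1.2.3 attribute sync failures to."""
    entries = parse_ldif(ldif_text)
    needed = mapped_ldap_attributes(usermapping_xml)
    by_mail = defaultdict(list)
    report = {"duplicate_mail": {}, "null_mail": [], "missing_attributes": {}}
    for uid, attrs in entries.items():
        # 1.2.3 condition 1: a mapped attribute is absent, so the Maximo column stays empty.
        missing = [a for a in needed if not attrs.get(a)]
        if missing:
            report["missing_attributes"][uid] = missing
        # 1.2.1 condition 2: mail attribute present but set to a null value.
        if "mail" in attrs and attrs["mail"] == "":
            report["null_mail"].append(uid)
        elif attrs.get("mail"):
            by_mail[attrs["mail"].lower()].append(uid)
    # 1.2.1 condition 1: MAXIMO.EMAIL has a unique index, so a shared address aborts the sync.
    report["duplicate_mail"] = {m: sorted(u) for m, u in by_mail.items() if len(u) > 1}
    return report
```

Run the check against a real ldapsearch export of the subtree that usermapping points at before enabling the crontask; every entry it reports would otherwise surface only as the DB2 unique-constraint error or as blank name fields after the sync.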
1.3 CCMDB Authorization
1.3.1 403 Authorization error
Refer to section 1.1.1 condition 2.

1.3.2 Start Center Authorization


A user with the proper J2EE role authenticates successfully but is not given access to the
CCMDB start center.

Error generated by the web UI.

Fix:
Make sure that the user in question is a member of the proper security group in CCMDB.
Users are assigned group membership in the directory server and should wait for a successful
sync before they can use the system. Consult the CCMDB Infocenter for the group membership
required for various permissions.

2 Tivoli Application Dependency Discovery Manager (TADDM) Security (VMM option)
When installed with the VMM security option, TADDM relies on the CCMDB security
framework to provide the following features:
User repository – The TADDM pluggable security component uses the remote VMM API
(VMM is provided by the CCMDB middleware) to provide a user repository. In this way
TADDM and CCMDB share a common user repository, which eases user management and
facilitates SSO integration between the two products.
Authentication service – TADDM further relies on the CCMDB authentication service for
user authentication and for LTPA token generation and validation.

As such, TADDM relies on VMM and the authentication service (both hosted on CCMDB)
being up and running in order to provide its security functions. Further,
TADDM has to be correctly configured to use these remote services.

2.1 TADDM Authentication


2.1.1 Administrator login failure
The administrator cannot log in following install.

Condition 1:
Even when TADDM was properly installed and configured with the VMM option, the
administrator login can fail because the administrator user was not created in the
directory server.

Fix:
This user is not automatically created during install and needs to be added manually after
install.

2.1.2 User login failure


The user cannot log in to TADDM.

Condition 1:
Authentication service is not started.
Error in TADDM trace.log
[4/8/07 19:47:32:609 CDT] 00000025 security E Login failed:CTGES0008E
The Authentication Client received a fault from the Authentication
Service. Fault reason: "(404)Not Found"

Fix:
Make sure that the authentication service (authensvc_ctges application) is properly
installed and started.

Condition 2:
The TADDM authentication client is misconfigured and cannot connect to the authentication
service. Confirm that the following parameter specified in the TADDM authentication client
properties file (ibmessclientauthncfg.properties) is correct.

authnServiceURL=http://stwin2003.austin.ibm.com:9080/TokenService/services/Trust

If the hostname is incorrect, the following message is logged to TADDM trace.log:

[4/8/07 20:12:25:156 CDT] 0000000f security E Login failed:CTGES0008E
The Authentication Client received a fault from the Authentication
Service. Fault reason: "java.net.UnknownHostException:
stwin.austin.ibm.com"

If the port is incorrect, the following message is logged to TADDM trace.log:

[4/8/07 20:19:48:171 CDT] 0000000e security E Login failed:CTGES0008E
The Authentication Client received a fault from the Authentication
Service. Fault reason: "java.net.ConnectException: Connection refused:
connect"

Condition 3:
The TADDM user repository module is misconfigured and cannot connect to the remote VMM
interfaces. Confirm that the following parameters specified in the TADDM properties file
(collation.properties) are correct.

If either of the properties shown below is incorrect

com.collation.security.auth.websphereHost=stwin2003.austin.ibm.com
com.collation.security.auth.webspherePort=9809

the following message will be posted in TADDM SecurityManager.log:

2007-04-09 00:03:31,656 SecurityManager [P=7921:O=0:CT] ERROR
jini.SecurityManagerServiceImpl - VMMUserRegistry:init(): Fatal
NamingException initializing VMM user management module: A
communication failure occurred while attempting to obtain an initial
context with the provider URL:
"corbaloc:iiop:stwin2003.austin.ibm.com:9808". Make sure that any
bootstrap address information in the URL is correct and that the target
name server is running.

If either of the properties shown below is incorrect

com.collation.security.auth.VMMAdminUsername=wasadmin
com.collation.security.auth.VMMAdminPassword=q5UxHsPW0zFbzkuBUPENzQ==

the following message will be posted in TADDM SecurityManager.log:

2007-04-09 00:16:36,203 SecurityManager [P=781593:O=0:CT] ERROR
jini.SecurityManagerServiceImpl - VMMUserRegistry:init(): Fatal
LoginException initializing VMM user management module: Authentication
Failed.

Condition 4:
A difference between the system clocks of the TADDM and WAS servers causes TADDM to
receive an already expired token.

The following error message will be posted in TADDM trace.log (trace set at DEBUG level):

[5/8/08 12:23:39:566 GMT-06:00] 00000013 security E Error getting
token descriptor from credential token (credential expired): null

Fix:
Make sure the clocks of the WAS and TADDM servers are synchronized.

2.2 TADDM Authorization

2.2.1 User without TADDM role can log in

This behavior is observed when TADDM data-level security is turned off. With data-level
security disabled, all TADDM objects are assigned to a default access collection and
every authenticated user has operator permission.

Fix:
Set com.collation.security.enabledatalevelsecurity to true in
collation.properties. Make sure that the TADDM server is restarted for the change to take
effect.
2.2.2 TADDM Security Upgrade Issues
If TADDM is installed with the local file-based repository option and later reconfigured to
use the VMM option, depending on the customer setup the following issues can be encountered:

Users with a non-administrator role seem to have administrator permission.
Users with no TADDM roles can log in even if data-level security is turned on.

Condition 1:
This occurs because the old file-based repository authorization file is still present on the
system. So even though TADDM security was reconfigured to use VMM, the security
manager component is still enforcing the older authorization policy created in the old
setup.

Fix:
Make sure that the old policy files are deleted from
<TADDM_HOME>\dist\var\policy\ibmsecauthz\policy\rolemapping\AuthorizationManagerPolicyContextId_role.

3 CCMDB Eco-System Integration

3.1 TADDM Single Sign-On


Make sure all the TADDM login problems discussed in previous section are not present.
Successful TADDM login setup is a prerequisite to SSO setup.

3.1.1 LTPA token issues

Message posted in TADDM trace.log:

[4/9/07 17:35:31:609 CDT] 00000018 security E Login failed:CTGES0008E The
Authentication Client received a fault from the Authentication Service. Fault reason:
"The specified RequestSecurityToken is not understood."

Fix:
Make sure that the LTPA token is exported from the Authentication service and imported into
WebSphere Application Server. Refer to the CCMDB install guide for detailed instructions.
3.2 TADDM SSO authorization issues
3.2.1 SSO successful but authorization error
This occurs when login is successful but no TADDM role is assigned to the SSO user.

Message in TADDM trace.log

[4/10/07 1:02:07:437 CDT] 00000037 XACMLPolicyPa W XACMLPolicyParser
XACMLPolicyParser() CWRGS4116W No location has been provided for the XACML
policy schema file. XML schema validation has been disabled.

Fix:
Make sure the SSO user has the proper TADDM role-level authorization. If the SSO is being
performed as part of launch-in-context, make sure the CI being launched is part of one or more
collections and that the user has access to those collections. Refer to the next section for
further details.

3.3 TADDM Authorization Synchronization


CCMDB and TADDM share common CI data objects, access to which can be restricted
by authorization policy. Both CCMDB and TADDM use the access collection
framework to implement data-level security. The authorization synchronization module was
implemented to ease the setup and enforcement of a common data-level
authorization policy. The synchronization has two important aspects:
1. Access collections created in CCMDB using the collection application are synchronized
to TADDM access collections.
2. Groups assigned to access collections in CCMDB should have the same assignment
in TADDM.

3.3.1 Collection fails to save


The assumption here is that authorization synchronization between CCMDB and
TADDM has been enabled. Refer to the Infocenter for the steps to enable this component.

This occurs when the CCMDB server cannot properly connect to the TADDM server due to
any of the following conditions:

Condition 1:
Incorrect hostname or port information.

Message returned on the browser.

Message posted to SystemOut.log.

[4/10/07 16:21:55:937 CDT] 0000003a SystemOut O 10 Apr 2007 16:21:55:937 [ERROR] java.rmi.ConnectException:
com.collation.proxy.api.client.ApiConnectionFailureException: java.rmi.ConnectException:
at com.collation.proxy.api.client.ApiConnectionImpl.init(ApiConnectionImpl.java:293)
at com.ibm.cdb.api.client.ApiConnectionFactory.getApiConnection(ApiConnectionFactory.java:58)
at com.ibm.cdb.api.ApiFactory.getApiConnection(ApiFactory.java:158)
at com.ibm.tivoli.maximo.authsync.TADDMHandler.invoke(TADDMHandler.java:128)
at com.ibm.tivoli.maximo.authsync.AuthSyncColExit.setDataOut(AuthSyncColExit.java:149)
at psdi.iface.migexits.ExternalExit.callExitsOut(ExternalExit.java:60)

Condition 2:
Incorrect username or password information.
Message returned on the browser.

Message posted to SystemOut.log.

[4/10/07 16:33:10:296 CDT] 00000045 SystemOut O 10 Apr 2007 16:33:10:296 [ERROR] com.collation.proxy.api.client.ApiException: CTJOX0130E The password specified is not correct.
com.collation.proxy.api.client.ApiLoginException: com.collation.proxy.api.client.ApiException: CTJOX0130E The password specified is not correct.
at com.collation.proxy.api.client.ApiSessionImpl.init(ApiSessionImpl.java:155)
at com.ibm.cdb.api.client.ApiSessionFactory.getSession(ApiSessionFactory.java:63)
at com.ibm.cdb.api.ApiFactory.getSession(ApiFactory.java:167)
at com.ibm.tivoli.maximo.authsync.TADDMHandler.invoke(TADDMHandler.java:136)
at com.ibm.tivoli.maximo.authsync.AuthSyncColExit.setDataOut(AuthSyncColExit.java:149)
at psdi.iface.migexits.ExternalExit.callExitsOut(ExternalExit.java:60)

Fix:
Make sure the hostname and port information provided on the TADDMEP endpoint is
correct.
Condition 3:
If you are using the SSL transport (port 9531 instead of 9530) to connect to TADDM and
have not downloaded the Java certificate onto the CCMDB node, the connection will
fail.

Message returned on the browser.

Message posted to SystemOut.log.

[4/10/07 16:37:19:546 CDT] 0000003a SystemOut O 10 Apr 2007 16:37:19:546 [ERROR] java.rmi.ConnectException:
com.collation.proxy.api.client.ApiConnectionFailureException: java.rmi.ConnectException:
at com.collation.proxy.api.client.ApiConnectionImpl.init(ApiConnectionImpl.java:293)
at com.ibm.cdb.api.client.ApiConnectionFactory.getApiConnection(ApiConnectionFactory.java:58)
at com.ibm.cdb.api.ApiFactory.getApiConnection(ApiFactory.java:158)
at com.ibm.tivoli.maximo.authsync.TADDMHandler.invoke(TADDMHandler.java:122)
at com.ibm.tivoli.maximo.authsync.AuthSyncColExit.setDataOut(AuthSyncColExit.java:149)
at psdi.iface.migexits.ExternalExit.callExitsOut(ExternalExit.java:60)

Fix:
Make sure the certificate is downloaded from the TADDM machine and copied to the proper
location on the CCMDB node. Refer to the Infocenter for details.

*Note: A similar issue can arise when assigning a collection to a security group if any of the
information discussed above is not provided correctly.
