Security configuration for WebSphere Portal and WAS has always been a headache; the various references and the InfoCenter list many methods. Here I share an experience of my own.
When starting WPS (WebSphere Portal Server), the startup log showed security exceptions. This is what I ran into:
[10/9/09 11:32:31:715 CDT] 0000000a distContextMa E SECJ0270E: Failed to get actual credentials. The exception is javax.naming.CommunicationException: Request: 1 cancelled
at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:77)
at com.sun.jndi.ldap.Connection.readReply(Connection.java:435)
......
[10/9/09 11:32:31:734 CDT] 0000000a distSecurityC E SECJ0208E: An unexpected exception occurred when attempting to authenticate the server's id during security initialization. The exception is javax.naming.CommunicationException: Request: 1 cancelled
at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:77)
at com.sun.jndi.ldap.Connection.readReply(Connection.java:435)
......
[10/9/09 11:32:31:746 CDT] 0000000a distSecurityC E SECJ0007E: Error during security initialization. The exception is javax.naming.CommunicationException: Request: 1 cancelled
at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:77)
at com.sun.jndi.ldap.Connection.readReply(Connection.java:435)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:357)
......
[10/9/09 11:32:37:102 CDT] 0000000a WsServerImpl E WSVR0009E: Error occurred during startup
META-INF/ws-server-components.xml
[10/9/09 11:32:37:139 CDT] 0000000a WsServerImpl E WSVR0009E: Error occurred during startup
com.ibm.ws.exception.RuntimeError: com.ibm.ws.exception.RuntimeError: Request: 1 cancelled
at com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:194)
.......
Caused by: com.ibm.ws.exception.RuntimeError: Request: 1 cancelled
at com.ibm.ws.security.core.ServerSecurityComponentImpl.start(ServerSecurityComponentImpl.java:323)
......
Caused by: com.ibm.websphere.security.WSSecurityException: Request: 1 cancelled
at com.ibm.ws.security.auth.distContextManagerImpl.getServerSubjectInternal(distContextManagerImpl.java:2192)
.....
Caused by: com.ibm.websphere.security.auth.WSLoginFailedException: Request: 1 cancelled
at com.ibm.ws.security.ltpa.LTPAServerObject.authenticate(LTPAServerObject.java:599)
at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginModule.java:437)
Caused by: com.ibm.websphere.security.CustomRegistryException: Request: 1 cancelled
at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.checkPassword(LdapRegistryImpl.java:326)
at com.ibm.ws.security.registry.UserRegistryImpl.checkPassword(UserRegistryImpl.java:296)
at com.ibm.ws.security.ltpa.LTPAServerObject.authenticate(LTPAServerObject.java:574)
... 41 more
Caused by: com.ibm.websphere.security.CustomRegistryException: Request: 1 cancelled
at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.getUsers(LdapRegistryImpl.java:1211)
at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.checkPassword(LdapRegistryImpl.java:293)
... 43 more
Caused by: javax.naming.CommunicationException: Request: 1 cancelled
at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:77)
.............
Note what the root cause at the bottom of the chain is: javax.naming.CommunicationException "Request: 1 cancelled", raised from the JDK's own LDAP client (com.sun.jndi.ldap). That exception means the LDAP request timed out or the connection was dropped, not that the directory rejected the credentials; a wrong bind password surfaces as javax.naming.AuthenticationException (LDAP result code 49) instead. So the first thing to confirm, from the WAS host itself, is that the configured LDAP host and port are reachable and that a bind with the configured bind DN succeeds (for example with ldapsearch).
Once you have confirmed that authentication itself is not the problem, check the security-related configuration files:
The first is security.xml.
It lives under the profile directory; just locate the profile. Typically: $WAS_Home/profiles/wp_profile/config/cells/$host_name/ (the last directory is named after the cell, which by default is built from the host name).
The file begins like this:
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Security_1" useLocalSecurityServer="true" useDomainQualifiedUserNames="false" enabled="true" cacheTimeout="600" issuePermissionWarning="true" activeProtocol="BOTH" enforceJava2Security="false" enforceFineGrainedJCASecurity="false" activeAuthMechanism="LTPA_1" activeUserRegistry="LDAPUserRegistry_1" defaultSSLSettings="SSLConfig_1">
Here activeUserRegistry="LDAPUserRegistry_1" says that LDAP is the active user registry, and enabled="true" says that administrative security is switched on.
Now look at the LDAP section:
<userRegistries xmi:type="security:LDAPUserRegistry" xmi:id="LDAPUserRegistry_1" serverId="tongh@us.ibm.com" serverPassword="{xor}Zx5saG1vZ2ZoGhs=" realm="www.vicdl.cn:389" ignoreCase="true" type="CUSTOM" sslEnabled="false" sslConfig="IBM-L/DefaultSSLSettings" baseDN="o=ibm.com" bindDN="uid=8A3720897ED,ou=persons,o=ibm.com" bindPassword="{xor}Zx5saG1vZ2ZoGhs=" searchTimeout="120" reuseConnection="true">
<searchFilter xmi:id="LDAPSearchFilter_1" userFilter="(&(authenid=%v)(objectclass=udperson))" groupFilter="(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))" userIdMap="*:authenid" groupIdMap="*:cn" groupMemberIdMap="groupOfNames:uniqueMember" certificateMapMode="EXACT_DN"/>
<hosts xmi:id="EndPoint_1197566690469" host="www.vicdl.cn" port="389"/>
</userRegistries>
The things to check here are: serverId and serverPassword must be correct. This is the WAS server identity; at startup WAS authenticates it against the registry (that is the SECJ0208E "authenticate the server's id" step in the log), so the account must exist in LDAP with that password. bindDN and bindPassword are the credentials WAS uses to bind to the LDAP server for searches; they must be valid too. The passwords are stored {xor}-encoded, which is obfuscation, not encryption (each byte is XORed with 0x5F and then base64-encoded), so anyone who can read security.xml can recover them; restrict file permissions accordingly and treat the file as sensitive. realm and host are the address of the LDAP server. Pay attention to the port: if it is 636, sslEnabled must be "true", because 636 is the SSL/TLS (LDAPS) port; if it is 389, the default clear-text port, sslEnabled="false". An SSL mismatch on either side shows up exactly as the cancelled/timed-out request above, because the two ends never complete a protocol exchange.
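As an added example (not code from the original post or from IBM), here is a small Python script that does the checks just listed against a security.xml: it parses the active LDAPUserRegistry section, flags a port/sslEnabled mismatch and a realm that does not name the configured host, decodes the {xor} passwords to show how weak that encoding is, and probes the LDAP host with a timed TCP connect, which is the quickest way to tell a "Request: N cancelled" timeout from a credential problem. The embedded security.xml is a constructed sample modelled on the excerpt above; its host name, DNs and password are placeholders, and the {xor} algorithm (XOR with 0x5F, then base64) is the documented WAS scheme.

```python
import base64
import socket
import xml.etree.ElementTree as ET

# Constructed sample modelled on the security.xml excerpt in the post.
# Host, DNs and passwords are placeholders, not real credentials.
# It deliberately contains the port-636-with-sslEnabled="false" mistake.
SAMPLE_SECURITY_XML = """
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="true" activeUserRegistry="LDAPUserRegistry_1">
  <userRegistries xmi:type="security:LDAPUserRegistry" xmi:id="LDAPUserRegistry_1"
      serverId="wpsadmin" serverPassword="{xor}LGw8LTorfg=="
      realm="ldap.example.test:636" sslEnabled="false"
      baseDN="o=example" bindDN="uid=wpsbind,ou=persons,o=example"
      bindPassword="{xor}LGw8LTorfg==" searchTimeout="120">
    <hosts xmi:id="EndPoint_1" host="ldap.example.test" port="636"/>
  </userRegistries>
</security:Security>
"""

XMI = "{http://www.omg.org/XMI}"   # namespace of the xmi:id / xmi:type attributes
XOR_KEY = 0x5F                     # WAS {xor} encoding: every byte XORed with '_'


def xor_decode(value):
    """Decode a WAS '{xor}...' string. This is obfuscation, not encryption."""
    if not value.startswith("{xor}"):
        raise ValueError("not a {xor}-encoded value")
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def xor_encode(plain):
    """Inverse of xor_decode; handy for writing a new password into security.xml."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def parse_ldap_registry(xml_text):
    """Return the attributes of the userRegistries element named by activeUserRegistry."""
    root = ET.fromstring(xml_text)
    active = root.get("activeUserRegistry")
    for reg in root.iter("userRegistries"):
        if reg.get(XMI + "id") != active:
            continue
        return {
            "enabled": root.get("enabled"),
            "serverId": reg.get("serverId"),
            "serverPassword": reg.get("serverPassword"),
            "bindDN": reg.get("bindDN"),
            "bindPassword": reg.get("bindPassword"),
            "realm": reg.get("realm"),
            "sslEnabled": reg.get("sslEnabled"),
            "hosts": [(h.get("host"), int(h.get("port"))) for h in reg.findall("hosts")],
        }
    raise ValueError("active user registry %r not found" % active)


def check_registry(reg):
    """Return a list of findings; an empty list means the section is self-consistent."""
    findings = []
    ssl = reg["sslEnabled"] == "true"
    for host, port in reg["hosts"]:
        if port == 636 and not ssl:
            findings.append("%s:%d is the LDAPS port but sslEnabled=\"false\"" % (host, port))
        if port == 389 and ssl:
            findings.append("%s:%d is the clear-text port but sslEnabled=\"true\"" % (host, port))
    # For a standalone LDAP registry the realm is normally the primary host:port.
    if reg["realm"] not in {"%s:%d" % hp for hp in reg["hosts"]}:
        findings.append("realm %r does not name a configured LDAP host" % reg["realm"])
    for name in ("serverPassword", "bindPassword"):
        value = reg[name] or ""
        if not value.startswith("{xor}"):
            findings.append("%s is not {xor}-encoded (stored in clear text)" % name)
        elif xor_decode(value) == "":
            findings.append("%s decodes to an empty string" % name)
    return findings


def tcp_reachable(host, port, timeout=5.0):
    """Timed TCP connect; a hang or failure here is what 'Request: N cancelled' looks like."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # refused, unreachable, DNS failure, or timeout
        return False


if __name__ == "__main__":
    # To check a real file: parse_ldap_registry(open(path, "rb").read())
    reg = parse_ldap_registry(SAMPLE_SECURITY_XML)
    for line in check_registry(reg):
        print("FINDING:", line)
    for host, port in reg["hosts"]:
        state = "reachable" if tcp_reachable(host, port) else "NOT reachable"
        print("%s:%d %s" % (host, port, state))
```

Run it on the real file with the server stopped; if tcp_reachable fails from the WAS host, no amount of editing security.xml will help and the problem is the network, the LDAP listener or a firewall. The script reads only security.xml; wmm.xml (below) carries the Portal-side copy of the same settings and needs the same review.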
The second file to check is wmm.xml.
Under WPS 6.0 this file normally lives in $WPS_Home/wmm/. Check whether it contains LDAP settings and, if it does, whether they are correct; the items to verify are essentially the same as above (host, port, SSL, bind DN and password), and they must agree with what security.xml says.
As for WAS itself, its settings are the ones in the first file; the second file is specific to WebSphere Portal. If you edit either file by hand, do it with the server stopped and keep a backup; otherwise make the change through the administrative console or wsadmin so the configuration stays consistent.