A Small Lesson from Setting Up WebSphere Portal 6.0 Security

Security configuration for WebSphere Portal and WAS has always been a big headache; all sorts of materials, including the InfoCenter, list many methods. Here I share one of my own experiences.

When starting WPS (WebSphere Portal Server), security exceptions appeared in the startup log. For example, the following is what I ran into:

[10/9/09 11:32:31:715 CDT] 0000000a distContextMa E   SECJ0270E: Failed to get actual credentials. The exception is javax.naming.CommunicationException: Request: 1 cancelled
        at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:77)
        at com.sun.jndi.ldap.Connection.readReply(Connection.java:435)
......

[10/9/09 11:32:31:734 CDT] 0000000a distSecurityC E   SECJ0208E: An unexpected exception occurred when attempting to authenticate the server's id during security initialization. The exception is javax.naming.CommunicationException: Request: 1 cancelled
        at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:77)
        at com.sun.jndi.ldap.Connection.readReply(Connection.java:435)
......

[10/9/09 11:32:31:746 CDT] 0000000a distSecurityC E   SECJ0007E: Error during security initialization. The exception is javax.naming.CommunicationException: Request: 1 cancelled
        at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:77)
        at com.sun.jndi.ldap.Connection.readReply(Connection.java:435)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:357)
......

[10/9/09 11:32:37:102 CDT] 0000000a WsServerImpl  E   WSVR0009E: Error occurred during startup
META-INF/ws-server-components.xml
[10/9/09 11:32:37:139 CDT] 0000000a WsServerImpl  E   WSVR0009E: Error occurred during startup
com.ibm.ws.exception.RuntimeError: com.ibm.ws.exception.RuntimeError: Request: 1 cancelled
        at com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:194)
.......

Caused by: com.ibm.ws.exception.RuntimeError: Request: 1 cancelled
        at com.ibm.ws.security.core.ServerSecurityComponentImpl.start(ServerSecurityComponentImpl.java:323)
......

Caused by: com.ibm.websphere.security.WSSecurityException: Request: 1 cancelled
        at com.ibm.ws.security.auth.distContextManagerImpl.getServerSubjectInternal(distContextManagerImpl.java:2192)
.....

Caused by: com.ibm.websphere.security.auth.WSLoginFailedException: Request: 1 cancelled
        at com.ibm.ws.security.ltpa.LTPAServerObject.authenticate(LTPAServerObject.java:599)
        at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginModule.java:437)
Caused by: com.ibm.websphere.security.CustomRegistryException: Request: 1 cancelled
        at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.checkPassword(LdapRegistryImpl.java:326)
        at com.ibm.ws.security.registry.UserRegistryImpl.checkPassword(UserRegistryImpl.java:296)
        at com.ibm.ws.security.ltpa.LTPAServerObject.authenticate(LTPAServerObject.java:574)
        ... 41 more
Caused by: com.ibm.websphere.security.CustomRegistryException: Request: 1 cancelled
        at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.getUsers(LdapRegistryImpl.java:1211)
        at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.checkPassword(LdapRegistryImpl.java:293)
        ... 43 more
Caused by: javax.naming.CommunicationException: Request: 1 cancelled
        at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:77)
.............

Either way, once you have confirmed that authentication itself is not the problem, you can check the following security-related configuration files:

The first is security.xml.

This file lives under the profile directory; just locate where the profiles are. It is usually at: $WAS_Home/profiles/wp_profile/config/cells/$host_name/

The beginning of this file:

 

<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Security_1" useLocalSecurityServer="true" useDomainQualifiedUserNames="false" enabled="true" cacheTimeout="600" issuePermissionWarning="true" activeProtocol="BOTH" enforceJava2Security="false" enforceFineGrainedJCASecurity="false" activeAuthMechanism="LTPA_1" activeUserRegistry="LDAPUserRegistry_1" defaultSSLSettings="SSLConfig_1">

Here activeUserRegistry="LDAPUserRegistry_1" shows that LDAP is being used, and enabled="true" shows that security is enabled.

Next, look at the LDAP section:

  <userRegistries xmi:type="security:LDAPUserRegistry" xmi:id="LDAPUserRegistry_1" serverId="[email protected]" serverPassword="{xor}Zx5saG1vZ2ZoGhs=" realm="www.vicdl.cn:389" ignoreCase="true" type="CUSTOM" sslEnabled="false" sslConfig="IBM-L/DefaultSSLSettings" baseDN="o=ibm.com" bindDN="uid=8A3720897ED,ou=persons,o=ibm.com" bindPassword="{xor}Zx5saG1vZ2ZoGhs=" searchTimeout="120" reuseConnection="true">
    <searchFilter xmi:id="LDAPSearchFilter_1" userFilter="(&amp;(authenid=%v)(objectclass=udperson))" groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))" userIdMap="*:authenid" groupIdMap="*:cn" groupMemberIdMap="groupOfNames:uniqueMember" certificateMapMode="EXACT_DN"/>
    <hosts xmi:id="EndPoint_1197566690469" host="www.vicdl.cn" port="389"/>
  </userRegistries>

What needs checking here: serverId and serverPassword must be correct, since they are used to connect to the LDAP server (the password is stored in encrypted form); realm and host are the address of the LDAP server. Pay attention to the port number that follows: if it is 636, sslEnabled should be set to true, because 636 is the SSL-encrypted port; if it is 389, the default unencrypted port, then sslEnabled="false".
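As an added illustration (not the post's own code), the following Python script applies the checks just described to a security.xml: it finds the active user registry, confirms it is an LDAP registry with the bind credentials present, and checks that realm, the hosts endpoint and sslEnabled agree with each other. The sample document, host name, DNs and {xor} values are constructed placeholders, not the post's real values.

```python
import xml.etree.ElementTree as ET
XMI = "{http://www.omg.org/XMI}"  # namespace of the xmi:id / xmi:type attributes

# Constructed sample mirroring the layout of the security.xml shown above;
# host, DNs and the {xor} values are placeholders, not the post's real values.
SAMPLE = """<security:Security xmlns:xmi="http://www.omg.org/XMI"
  xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
  xmi:id="Security_1" enabled="true" activeUserRegistry="LDAPUserRegistry_1">
  <userRegistries xmi:type="security:LDAPUserRegistry" xmi:id="LDAPUserRegistry_1"
    serverId="wpsbind" serverPassword="{xor}PLACEHOLDER" realm="ldap.example.test:636"
    sslEnabled="false" baseDN="o=example" bindDN="uid=wpsbind,o=example"
    bindPassword="{xor}PLACEHOLDER" searchTimeout="120">
    <hosts xmi:id="EndPoint_1" host="ldap.example.test" port="636"/>
  </userRegistries>
</security:Security>"""


def check_ldap_registry(xml_text):
    """Return a list of findings; an empty list means the LDAP section is consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("enabled") != "true":
        findings.append("security is not enabled")
    active = root.get("activeUserRegistry")
    # The active registry is the userRegistries entry whose xmi:id matches.
    regs = [r for r in root.findall("userRegistries") if r.get(XMI + "id") == active]
    if not regs:
        return findings + ["activeUserRegistry %r has no matching entry" % active]
    reg = regs[0]
    if reg.get(XMI + "type") != "security:LDAPUserRegistry":
        return findings + ["active registry is not an LDAP registry"]
    # Credentials and base DN used for the bind must all be present.
    for attr in ("serverId", "serverPassword", "bindDN", "bindPassword", "baseDN"):
        if not reg.get(attr):
            findings.append("missing %s" % attr)
    # WAS stores passwords with a {xor} prefix; anything else is clear text.
    for attr in ("serverPassword", "bindPassword"):
        if reg.get(attr) and not reg.get(attr).startswith("{xor}"):
            findings.append("%s is stored in clear text" % attr)
    # realm is host:port and must match <hosts>; port must agree with sslEnabled.
    realm_host, _, realm_port = reg.get("realm", "").rpartition(":")
    ssl = reg.get("sslEnabled") == "true"
    for h in reg.findall("hosts"):
        host, port = h.get("host"), h.get("port")
        if (host, port) != (realm_host, realm_port):
            findings.append("realm %s does not match hosts %s:%s" % (reg.get("realm"), host, port))
        if port == "636" and not ssl:
            findings.append("port 636 (LDAPS) but sslEnabled=false")
        if port == "389" and ssl:
            findings.append("port 389 (plain LDAP) but sslEnabled=true")
    return findings
```

Run it against the real file with check_ldap_registry(open(path).read()). Note that the {xor} prefix marks reversible XOR encoding rather than encryption, so security.xml should stay readable only by the WAS runtime user.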

The second file to pay attention to is wmm.xml.

Under WPS 6.0 this file is usually in the $WPS_Home/wmm/ directory. Check whether it contains any LDAP settings; if so, check that they are correct, which is basically the same as above.

In addition, the WAS settings are the same as those in the first file above; the second file is the one specific to WebSphere Portal.
