JAAS module with LTPA that bypasses the user registry - Websphere
-
Re: Don't set your own WSPrincipal
cmorris@novell.com wrote:
>> Can you turn on security trace so that you can see
>> exactly what the
>> sequence of events is?
>
> Nothing was obvious to me. Here is the trace I got:
>
Nothing obvious to me either - did you look into my other idea, that you
were not setting any groups when you asserted the Subject in your login
module (by creating the Map in shared state)? I have a feeling that if
there are no groups, WAS will try and get them from the registry. Try
putting a group name in there, see if that helps.
-
Re: Don't set your own WSPrincipal
Paul Ilechko wrote:
> cmorris@novell.com wrote:
>>> Can you turn on security trace so that you can see
>>> exactly what the sequence of events is?
>>
>> Nothing was obvious to me. Here is the trace I got:
>>
>
> Nothing obvious to me either - did you look into my other idea, that you
> were not setting any groups when you asserted the Subject in your login
> module (by creating the Map in shared state)? I have a feeling that if
> there are no groups, WAS will try and get them from the registry. Try
> putting a group name in there, see if that helps.
also, you can add :
com.ibm.ws.wim.*=all=enabled:com.ibm.websphere.wim.*=all=enabled
to the trace string to get VMM trace.
-
Re: Don't set your own WSPrincipal
Paul Ilechko wrote:
> Another thought - are you adding any groups to the hashmap ? It looks to
> me like you are sticking an empty array list in to WSCREDENTIAL_GROUPS.
> I think if that is empty, WAS will try to read the user registry to get
> groups, giving you an authentication error when it can't find the user.
Never mind, I checked and it's legal to add an empty array of groups to
the subject. WAS should not try to override that.
The only other thing I can think of is, are you setting the UniqueID
correctly? Does it have the correct realm name based on what is defined
as the WAS realm?
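As an added example that is not part of this thread, and not Novell's or IBM's code, here is a minimal WebSphere identity-assertion login module that does what Paul describes: it builds a hashtable with the user's unique ID (prefixed with the WAS realm), the security name and a group list, and puts it into the JAAS shared state under the WebSphere SPI key `AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY`, so the default inbound login modules build the Subject from it rather than looking the user up in the registry. The upstream shared-state keys `sso.verified.user` and `sso.verified.groups`, the `realm` login-module option and the class name are assumptions; the `WSCREDENTIAL_*` constants are WebSphere's own.

```java
package example.sso;

import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.wsspi.security.token.AttributeNameConstants;

/**
 * Identity-assertion login module for the WAS system.WEB_INBOUND stack (added example).
 * It must be configured AFTER a module that actually verifies the user (here a
 * hypothetical SSO agent module) and that leaves the verified DN and group DNs in the
 * shared state under the hypothetical keys below. This module never verifies anything
 * itself; it only maps an already-trusted identity into the form WAS expects.
 */
public class AssertingLoginModule implements LoginModule {

    // Hypothetical shared-state keys written by the upstream verifying module.
    static final String VERIFIED_USER_KEY = "sso.verified.user";
    static final String VERIFIED_GROUPS_KEY = "sso.verified.groups";

    private Map<String, Object> sharedState;
    private String realm;

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.sharedState = (Map<String, Object>) sharedState;
        // The realm must match the realm WAS security is configured with
        // (e.g. defaultWIMFileBasedRealm); it is passed as a module option here (assumption).
        this.realm = (String) options.get("realm");
    }

    @SuppressWarnings("unchecked")
    public boolean login() throws LoginException {
        String userDn = (String) sharedState.get(VERIFIED_USER_KEY);
        if (userDn == null || userDn.isEmpty()) {
            throw new LoginException("no verified identity in shared state; refusing to assert");
        }
        if (realm == null || realm.isEmpty()) {
            throw new LoginException("login module option 'realm' is not set");
        }
        List<String> groupDns = (List<String>) sharedState.get(VERIFIED_GROUPS_KEY);
        Hashtable<String, Object> props = buildCredentialProperties(realm, userDn, groupDns);
        // The default WAS inbound modules read this hashtable from the shared state and
        // build the WSCredential/Subject from it instead of querying the user registry.
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, props);
        return true;
    }

    /** Builds the hashtable WAS expects; the unique ID and each group carry the realm prefix. */
    static Hashtable<String, Object> buildCredentialProperties(String realm, String userDn,
                                                               List<String> groupDns) {
        Hashtable<String, Object> h = new Hashtable<String, Object>();
        // Unique ID format: user:<realm>/<dn>; a realm that differs from the WAS realm
        // is the mismatch Paul asks about above.
        h.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:" + realm + "/" + userDn);
        h.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, userDn);
        ArrayList<String> groups = new ArrayList<String>();
        if (groupDns != null) {
            for (String g : groupDns) {
                groups.add("group:" + realm + "/" + g);
            }
        }
        // An empty list is legal, but the entry itself must be present as a list.
        h.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        return h;
    }

    public boolean commit() { return true; }
    public boolean abort() { return true; }
    public boolean logout() { return true; }
}
```

The module is deliberately a mapper only: it fails closed when no verified identity or no realm is available, and it derives the group list from what the upstream module verified, so nothing is granted that the trusted authentication source did not assert.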
-
Better UserID and more debug
The realm name did not match my user repository. So I changed that. I also added some bogus groups. Nothing seems to change.
Here is the log output. Attached is the full thing; it's large.
[9/21/07 13:34:52:023 MDT] 00000050 FormLoginExte 3 Create WebAttributes for this webApp.
[9/21/07 13:34:52:023 MDT] 00000050 FormLoginExte 3 login page is: /login
[9/21/07 13:34:52:023 MDT] 00000050 FormLoginExte 3 J2EEAuditEventFactory was not initialized
[9/21/07 13:34:52:023 MDT] 00000050 FormLoginExte 3 login error page is: /error.jsp
[9/21/07 13:34:52:026 MDT] 00000050 FormLoginExte > formLogin, WebAttributes:
webAppName[PayrollWeb]
isProtected[true]
realm[null]
challengeType[FORM]
authMechanism[LTPA]
SSLEnabled[false]
SSOEnabled[true]
secureSSO[false]
defaultToBasic[false]
LTPACookieName[LtpaToken]
loginCookieName[null]
CookieSuffix[null] Entry
[9/21/07 13:34:52:027 MDT] 00000050 FormLoginExte 3 Form based login: userid/password present in the form. User is: cn=test,o=novell
[9/21/07 13:34:52:027 MDT] 00000050 ContextManage > getDefaultRealm Entry
[9/21/07 13:34:52:027 MDT] 00000050 ContextManage < getDefaultRealm Exit
defaultWIMFileBasedRealm
[9/21/07 13:34:52:027 MDT] 00000050 ContextManage > login(realm, user, password) -> login(defaultWIMFileBasedRealm, cn=test,o=novell, ************************************, system.WEB_INBOUND) Entry
[9/21/07 13:34:52:027 MDT] 00000050 ContextManage 3 Looking for opaque token on the thread before Subject cache lookup.
[9/21/07 13:34:52:028 MDT] 00000050 ContextManage > getSubjectFromTokenHolderCacheKey Entry
[9/21/07 13:34:52:028 MDT] 00000050 ContextManage < getSubjectFromTokenHolderCacheKey Exit
[9/21/07 13:34:52:028 MDT] 00000050 ContextManage 3 Looking for subject from cache using token as lookup.
[9/21/07 13:34:52:028 MDT] 00000050 AuthCache > getSubject Entry
defaultWIMFileBasedRealm
cn=test,o=novell
xxxxx
[9/21/07 13:34:52:028 MDT] 00000050 AuthCache 3 One-way password hash using SHA is: 641235360270227624917054902848906975847867690344
[9/21/07 13:34:52:028 MDT] 00000050 Cache > get Entry
defaultWIMFileBasedRealm:cn=test,o=novell
[9/21/07 13:34:52:029 MDT] 00000050 Cache < get Exit
[9/21/07 13:34:52:029 MDT] 00000050 AuthCache < getSubject Exit
[9/21/07 13:34:52:029 MDT] 00000050 JaasLoginHelp > jaas_login(realm,user,password,auth_mech = system.WEB_INBOUND) for web Entry
[9/21/07 13:34:52:029 MDT] 00000050 WSCallbackHan > WSCallbackHandler(userName = "cn=test,o=novell", password = "********") Entry
[9/21/07 13:34:52:029 MDT] 00000050 WSCallbackHan < WsCallbackHandler(userName, password) Exit
[9/21/07 13:34:52:029 MDT] 00000050 WSCallbackHan > WSCallbackHandler(userName, realmName = defaultWIMFileBasedRealm ,password, req, resp, appContext) Entry
[9/21/07 13:34:52:029 MDT] 00000050 Configuration 3 com.ibm.ws.security.auth.login.Configuration :Entry: getAppConfigurationEntry(system.WEB_INBOUND)
[9/21/07 13:34:52:037 MDT] 00000050 NidsLoginModu I 2007-09-21T13:34:52Z INFO J2EE Agent: AM#600602000: AMDEVICEID#agent-985EBEB0A4CF5A9D: initialize options={delegate=com.novell.nids.agent.auth.websphere.NidsWebSphereLoginModule}
[9/21/07 13:34:52:039 MDT] 00000050 NidsWebSphere I PrincipalClass = com.novell.nids.agent.auth.websphere.WSPrincipalImpl
[9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan > handle(callbacks = "{ com.ibm.wsspi.security.auth.callback.WSTokenHolder Callback }") Entry
[9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan < handle(callbacks) Exit
[9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan > handle(callbacks = "{ javax.security.auth.callback.NameCallback }") Entry
[9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan < handle(callbacks) Exit
[9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan > handle(callbacks = "{ javax.security.auth.callback.PasswordCallback }") Entry
[9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan > handle(callbacks = "{ javax.security.auth.callback.PasswordCallback }") Entry
[9/21/07 13:34:52:041 MDT] 00000050 WSCallbackHan < handle(callbacks) Exit
[9/21/07 13:34:52:042 MDT] 00000050 NidsLoginModu I 2007-09-21T13:34:52Z INFO J2EE Agent: AM#500602006: AMDEVICEID#agent-985EBEB0A4CF5A9D: AMAUTHID#null: AMEVENTID#NotImplemented: verifying the credentials for cn=test,o=novell
[9/21/07 13:34:52:043 MDT] 00000050 NidsLoginModu I 2007-09-21T13:34:52Z INFO J2EE Agent: AM#500602006: AMDEVICEID#agent-985EBEB0A4CF5A9D: AMAUTHID#rGcrAy3kScDeJNwyNjs3lk2: AMEVENTID#NotImplemented: verifying the credentials for cn=test,o=novell
[9/21/07 13:34:52:045 MDT] 0000005d ContextManage > getServerSubject Entry
[9/21/07 13:34:52:045 MDT] 0000005d ContextManage > getServerSubjectInternal Entry
[9/21/07 13:34:52:045 MDT] 0000005d ContextManage > getRegistryObject Entry
[9/21/07 13:34:52:045 MDT] 0000005d ContextManage < getRegistryObject Exit
com.ibm.ws.security.registry.UserReg....registry.WIMUserRegistry@2d202d20;realm=defaultWIMFileBasedRealm
[9/21/07 13:34:52:045 MDT] 0000005d WSCredentialI > isDestroyed Entry
[9/21/07 13:34:52:045 MDT] 0000005d WSCredentialI < isDestroyed Exit
false
[9/21/07 13:34:52:045 MDT] 0000005d WSCredentialI > getExpiration Entry
[9/21/07 13:34:52:045 MDT] 0000005d WSCredentialI < getExpiration Exit
1190410451325
[9/21/07 13:34:52:045 MDT] 0000005d AuthCache > getCushion Entry
[9/21/07 13:34:52:045 MDT] 0000005d AuthCache < getCushion Exit
600000
[9/21/07 13:34:52:045 MDT] 0000005d ContextManage 3 Is server subject valid? true
[9/21/07 13:34:52:045 MDT] 0000005d ContextManage 3 Server Subject returned with sufficient time left.
[9/21/07 13:34:52:045 MDT] 0000005d ContextManage < getServerSubject Exit
Subject:
Principal: defaultWIMFileBasedRealm/server:camvm1Node01Cell_camvm1Node01_server1
Public Credential: com.ibm.ws.security.auth.WSCredentialImpl@ac20ac2
Private Credential: com.ibm.ws.security.token.SingleSignonTokenImpl@30003000
Private Credential: com.ibm.ws.security.token.AuthenticationTokenImpl@43784378
Private Credential: com.ibm.ws.security.token.AuthorizationTokenImpl@79947994
-
Re: JAAS module with LTPA that bypasses the user registry
Hello,
Please can you help me on this case?
I knew that IBM Maximo supports single sign-on (SSO). But I realized that although security is enabled, we have to type the login and password each time we want to connect to the Maximo application.
I want to know if there's a way to activate this SSO. What are the steps and prerequisites to do so?
Thank you in advance.
Kind regards, Fouad