Webseal runtime component configuration - webseal

Hello,
I am working on IBM WebSEAL authentication and I want to implement WebSEAL authentication in my application.
While configuring the runtime component I am getting the following error:
Unable to verify the management domain location DN in the
LDAP server: (secAuthority=Default).
If the location does not exist on the server, create it,
otherwise specify a different location that does exist.
Error: DPWAP0003I An error occurred while executing the command: /opt/PolicyDirector/sbin/PDMgr_config -s TRUE -y no -v TRUE -d CN=jony mittal,OU=dev,DC=dgad,DC=com -w XXXX -L 389 -C fips -D Default -m XXXX -l 1460 (0x1)
Can anyone please help me resolve this issue?
Thanks

When you configure the ISAM/ISVA PD runtime, PDMgr_config deploys its registry into your LDAP directory server. This requires modifying the schema of the LDAP server, and to do that it requires administrator rights on the directory. Commonly this is an account such as cn=root, cn=admin, cn=DM, etc., depending on your directory server.
I believe what may work better for you, if you are configuring ISAM from scratch, is to deploy using the internal/embedded LDAP. When configuring the runtime, choose the local LDAP server option. You can set the credentials for the local/embedded LDAP server on the tab where you configure the runtime: just set a password on it, then feed that password into the runtime configuration.
Then, if you need to tie into another directory, which I expect is the case since you are trying to do this now, use basic user mode with a "federated registry" so you don't have to deploy the ISAM "registry" and hence do not have to modify the existing directory. This way you can authenticate and authorize users against an existing directory without having to modify that directory specifically to support ISAM.
Additional information here:
Embedded (local) LDAP server instructions
Configuring PD runtime
Basic user mode instructions
Setup federated repository
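A pre-check you can run before retrying PDMgr_config, added here as an example and not part of the original answer: it binds with the DN you intend to hand to PDMgr_config, asks the directory for the management domain location (secAuthority=Default) as a base-scope search, and turns the LDAP result code into the action the error message is hinting at. It uses OpenLDAP's ldapsearch; the host name and the password file path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: does the bind DN even see secAuthority=Default?
# Requires OpenLDAP client tools (ldapsearch). Nothing here is ISAM-specific.

# Maps an ldapsearch exit status (the LDAP resultCode) to a hint for this
# particular failure. Prints the hint; returns 0 only for resultCode 0.
pd_ldap_rc_hint() {
    case $1 in
        0)   echo "location exists and the bind DN can read it"; return 0 ;;
        32)  echo "noSuchObject: create the suffix/entry, or give PDMgr_config a different location that does exist" ;;
        49)  echo "invalidCredentials: wrong bind DN or password" ;;
        50)  echo "insufficientAccessRights: this DN cannot read the location; PDMgr_config needs a directory administrator (cn=root, cn=admin, ...) to create it and to extend the schema" ;;
        255) echo "cannot contact the server: check host, port and whether LDAP (389) or LDAPS (636) is expected" ;;
        *)   echo "LDAP resultCode $1: see the directory server log" ;;
    esac
    return 1
}

# $1 host, $2 port, $3 bind DN, $4 file containing the bind password
# (passed with -y so the password never shows up in `ps`), $5 location DN
# (defaults to the one from the error message).
pd_ldap_precheck() {
    _loc=${5:-secAuthority=Default}
    if ldapsearch -x -H "ldap://$1:$2" -D "$3" -y "$4" \
           -b "$_loc" -s base '(objectClass=*)' dn >/dev/null 2>&1; then
        _rc=0
    else
        _rc=$?
    fi
    pd_ldap_rc_hint "$_rc"
}

# Usage (assumed host and password file; the DN is the one from the failing
# command in the question):
#   pd_ldap_precheck ldap.dgad.com 389 'CN=jony mittal,OU=dev,DC=dgad,DC=com' "$HOME/.pd-bindpw"
```

A result of 32 or 50 for a normal user DN is the situation the answer describes: PDMgr_config must be run with a directory administrator, or you switch to the embedded LDAP plus a federated registry so the existing directory is never modified.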


Pulumi automation backend

I am a newbie to Pulumi and I am having an issue. When I do pulumi login with the GCP backend, I get an error:
stderr: error: getting secrets manager: passphrase must be set with
PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE environment
variables
When I do pulumi logout, the deployment works (Pulumi Automation API). Does anyone have an idea how to fix this?
I tried setting PULUMI_CONFIG_PASSPHRASE.
When using the self-managed backends for Pulumi, you need to provide a passphrase to encrypt secret values.
This can be done by setting a global environment variable, which depends on the operating system you're using. In Unix-like environments (e.g. macOS or Linux) you can do:
export PULUMI_CONFIG_PASSPHRASE=<a password you can remember>
On Windows in PowerShell this can be done using:
$env:PULUMI_CONFIG_PASSPHRASE=<a password you can remember>
If you don't wish to use a passphrase, you can use the Pulumi service as your state store, or configure a cloud secrets provider.
This is done when initializing your stack; more information on that can be found here.
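As an added example (not from the answer above), a small pre-flight for scripts that drive the self-managed backend: it reproduces the exact condition behind the quoted error (neither PULUMI_CONFIG_PASSPHRASE nor PULUMI_CONFIG_PASSPHRASE_FILE usable) before pulumi is called, and shows the file-based variant, which keeps the passphrase out of the environment block that every child process inherits. The bucket name and file location in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: fail early when the secrets manager would be unable to open.

# Returns 0 when a passphrase source is available, 1 otherwise.
pulumi_passphrase_ready() {
    if [ -n "${PULUMI_CONFIG_PASSPHRASE:-}" ]; then
        return 0
    fi
    if [ -n "${PULUMI_CONFIG_PASSPHRASE_FILE:-}" ] \
       && [ -r "$PULUMI_CONFIG_PASSPHRASE_FILE" ] \
       && [ -s "$PULUMI_CONFIG_PASSPHRASE_FILE" ]; then
        return 0
    fi
    echo "pulumi: set PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE" >&2
    return 1
}

# Writes the passphrase to a file readable only by the current user and points
# PULUMI_CONFIG_PASSPHRASE_FILE at it. $1 = target file, $2 = passphrase.
pulumi_passphrase_file_setup() {
    _file=$1
    _pass=$2
    _old_umask=$(umask)
    umask 077                       # file is created 0600
    printf '%s' "$_pass" > "$_file"
    umask "$_old_umask"
    PULUMI_CONFIG_PASSPHRASE_FILE=$_file
    export PULUMI_CONFIG_PASSPHRASE_FILE
    unset PULUMI_CONFIG_PASSPHRASE  # avoid two competing sources
}

# Usage (assumed paths; pulumi itself is not invoked by the checks):
#   pulumi_passphrase_file_setup "$HOME/.pulumi-passphrase" 'correct horse battery staple'
#   pulumi_passphrase_ready && pulumi login gs://my-state-bucket && pulumi up
```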

How to force TortoiseSVN client 1.11.1 on Win10 to prompt for credentials (disable automatic LDAP authentication)?

I've just installed the latest TortoiseSVN client on Win 10 Pro v1803 b17134.556.
I've done pretty much a default installation, with possibly the only alteration that I also wanted the CLI client. So it's in the MS Win 10 default path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TortoiseSVN
1.11.1, Build 28492 - 64 Bit , 2019/01/08 21:40:39
ipv6 enabled
Subversion 1.11.1, -release
apr 1.6.5
apr-util 1.6.1
serf 1.3.9
OpenSSL 1.1.0j 20 Nov 2018
zlib 1.2.11
SQLite 3.23.1
And obviously I tried to browse and check out an SVN repository.
A colleague of mine has TortoiseSVN client v1.9.5.xxx and he can browse our SVN server "nzchch-svn-yyy.xxxxxx.zzzzz.net/svn/MGIS" without any issues. He can't remember how he managed to authenticate himself a long time ago, but he doesn't need to authenticate (I mean provide credentials) these days.
However, I would expect some kind of authentication dialog to pop up for me. Instead I'm getting only:
Unable to connect to a repository at URL
'https://..........net/svn/MGIS
Access to '/svn/MGIS' forbidden
I'm not sure if it authenticates against LDAP, but even if it does and my LDAP account doesn't have permission to access it (which I think is the case), I do have available a service account we use on the Jenkins server to check out the SVN repo, and I should be able to provide those credentials somehow. But TortoiseSVN doesn't ask me for the credentials at all.
I tried to authenticate via CMD, running:
svn auth --username jenkinsuser --password topsecret
Credentials cache in 'C:\Users\bfu\AppData\Roaming\Subversion' is empty
I tried to follow several pieces of advice like:
removing the auth dir:
rmdir /S %APPDATA%\subversion\auth
Clearing 'All my Saved Data'; well, as it is a clean install, I only enabled clearing of: URL history and Dialog sizes and positions.
Updating the config file to enable:
password-stores = windows-cryptoapi
store-passwords = yes
store-auth-creds = yes
which were commented out.
There is just no way I can provide credentials, and when it comes down to it, I could be using hundreds of SVN servers with different authentication data and there is no way to enable it or force it to ask me for them.
Any idea what is going on? I'm pretty hopeless, as I couldn't imagine there would be such a stubborn SVN client that refuses to ask me for credentials (and possibly save them in the next step).
The problem is not with authentication, but with authorization. Your user account does not have permissions to access MGIS repository. You need to review and fix your permissions.
Read https://www.visualsvn.com/server/getting-started/#User-Permissions.

Generating packed template from Weblogic Admin Server Dynamically fails

I have a WebLogic domain (i.e. server1) that manages multiple managed servers (i.e. server2) on remote machines on which the admin server does not reside. I am trying to use WLST in online mode to dynamically pack the domain on the Admin Server into a JAR and transfer it to the managed server, but it fails because the CIE ConfigHelper service is not available. I've tried to find a reference to this service with no luck.
Here is the log of the output:
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Connecting to t3://admin:7001 with userid admin ...
Successfully connected to Admin Server "wladmin_server" that belongs to domain "qa".
Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.
Location changed to serverRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help('domainConfig')
CIE ConfigHelper online service is not available.
Disconnected from weblogic server: wladmin_server
I'm doing this based on the following link https://docs.oracle.com/middleware/1212/wls/WLSTG/domains.htm#WLSTG406, but it just doesn't seem to work.
I am using WebLogic 12c (12.1.3) running on RH Linux.
Thanks.
The pack and unpack scripts are working for us in a similar scenario.
On the admin server machine, where the domain is already created, you can use this to pack/create the managed server template:
$WL_HOME/common/bin/pack.sh -domain=${DOMAIN_HOME} \
-template=${DOMAIN_NAME}_managed_template.jar \
-template_name="${DOMAIN_NAME}" \
-template_author="YOU" \
-template_desc="${DOMAIN_NAME}-managed-template" \
-managed="true" \
-log=logs/pack_managed_${DOMAIN_NAME}.log
Then copy the managed server template to the different machines and unpack it there:
$WL_HOME/common/bin/unpack.sh \
-domain=$DOMAIN_HOME \
-template=${DOMAIN_NAME}_managed_template.jar \
-overwrite_domain="true" \
-app_dir=$DOMAIN_HOME/../applications \
-log=logs/${DOMAIN_NAME}_creation.log
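The two commands above, wrapped as an added example (not code from the answer or from Oracle): the template JAR carries the domain's config.xml and its security directory, so the wrapper fingerprints it on the admin host and refuses to unpack on the managed host unless the copy still matches. WL_HOME, DOMAIN_HOME and DOMAIN_NAME are assumed to be exported exactly as in the answer; the hash functions are the part that runs without a WebLogic installation.

```shell
#!/bin/sh
# Added example: integrity-checked pack/unpack of a managed-server template.

# Prints the SHA-256 of file $1, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Returns 0 when file $1 hashes to $2 (hex, either case), 1 otherwise.
sha256_matches() {
    _actual=$(sha256_of "$1" 2>/dev/null | tr 'A-F' 'a-f')
    _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$_actual" ] && [ "$_actual" = "$_expected" ]
}

# Admin host: pack the managed template (owner-only file) and write <jar>.sha256.
pack_managed_template() {
    _jar="${DOMAIN_NAME}_managed_template.jar"
    ( umask 077   # the JAR contains domain security material
      "$WL_HOME/common/bin/pack.sh" -domain="$DOMAIN_HOME" \
          -template="$_jar" \
          -template_name="$DOMAIN_NAME" \
          -template_author="YOU" \
          -template_desc="${DOMAIN_NAME}-managed-template" \
          -managed="true" \
          -log="logs/pack_managed_${DOMAIN_NAME}.log" ) || return 1
    sha256_of "$_jar" > "$_jar.sha256"
}

# Managed host: unpack only if the JAR matches the fingerprint shipped with it.
# $1 = template jar; its .sha256 file is expected next to it.
verify_and_unpack() {
    _jar=$1
    _expected=$(cat "$_jar.sha256") || return 1
    if ! sha256_matches "$_jar" "$_expected"; then
        echo "refusing to unpack $_jar: SHA-256 mismatch" >&2
        return 1
    fi
    "$WL_HOME/common/bin/unpack.sh" \
        -domain="$DOMAIN_HOME" \
        -template="$_jar" \
        -overwrite_domain="true" \
        -app_dir="$DOMAIN_HOME/../applications" \
        -log="logs/${DOMAIN_NAME}_creation.log"
}

# Usage: run pack_managed_template on the admin host, copy the JAR and the
# .sha256 file with scp, then on each managed host run
#   verify_and_unpack "${DOMAIN_NAME}_managed_template.jar"
```

The sidecar hash catches truncated or mixed-up copies; if the copy channel itself is untrusted, compare against the value pack printed on the admin host rather than the file that travelled with the JAR.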
I have also encountered the same problem on my WebLogic (ver 12.1.3). The problem seems to appear only when the WebLogic server is started using WLST.
When I started WebLogic using the startWebLogic.sh file and ran the domain template WLST script, the error (CIE ConfigHelper online service is not available.) disappeared, and I can see that the template is created successfully.
It seems like a bug in WebLogic WLST.

How to reset WebSphere wasadmin password

I have tried following this tutorial, but the new password doesn't take effect after security is enabled again; I still have to use the old password to log in as wasadmin:
http://weblogic-wonders.com/weblogic/2014/03/27/reset-websphere-admin-console-password/
I even tried the guide from IBM:
http://www-01.ibm.com/support/docview.wss?uid=swg21392427
But I'm lost at this step:
Navigate via command prompt to /ConfigEngine
because my WebSphere doesn't have this ConfigEngine folder in which to run the rest of the commands.
Can anyone help me?
EDIT: This is WebSphere 7 for Maximo 7.5
Have you tried the following?
To disable security, perform the following steps via wsadmin:
/bin/> wsadmin -conntype NONE
wsadmin> securityoff
wsadmin> exit
Restart the servers.
Enable security from the administrative console.
Once the needed corrections are made, you can re-enable security in the admin console and then restart WebSphere.
NOTE: To restart the servers, you will first need to manually kill the Java process, since security is still enabled in the currently running process.
Or edit the XML file.
Following this link you have 2 options:
This is for the standalone version:
Make a backup of the security.xml file:
/config/cells/cellname/security.xml
Edit the security.xml file by searching for the first instance of "enabled=". You should see enabled="true" as in:
Change to enabled="false".
Save the security.xml file.
Restart server1 and the WebSphere_Portal servers. If you get authentication exceptions while trying to stop the servers, you may have to manually kill the server processes and then restart them.
In the wpconfig.properties file, make the following changes:
PortalAdminId=wpsadmin
PortalAdminGroupId=wpsadmins
Refer to the Information Center link for specific instructions.
Save the wpconfig.properties file.
Try to disable security again using the disable-security task:
./WPSconfig.sh disable-security
At this point, security should be disabled. You can verify by accessing the WebSphere Application Server admin console. You should be prompted for only a user name, not a password.
Follow these instructions for a clustered version:
Make a backup of the security.xml file on the Deployment Manager machine:
/config/cells/cellname/security.xml
Edit the security.xml file by searching for the first instance of "enabled=". You should see enabled="true" as in:
Change to enabled="false".
Save the security.xml file.
Copy the security.xml file to the nodes:
/config/cells/cellname/security.xml
/config/cells/cellname/security.xml
Restart DMGR, NodeAgents, and WebSphere_Portal servers. If you get authentication exceptions while trying to stop the servers, you may have to manually kill the server processes and then restart them.
In wpconfig.properties, make the following changes:
PortalAdminId=wpsadmin
PortalAdminGroupId=wpsadmins
Refer to the Information Center link for specific instructions.
Save the wpconfig.properties file.
Try to disable security again using the disable-security task. Note that the DMGR and the nodeagent should be running:
./WPSconfig.sh disable-security
At this point, security should be disabled. You can verify by accessing the DMGR AdminConsole. You should be prompted for only a user name, not a password.
Another option is explained here.
Note: I haven't tried this myself yet.
Go to the DMGR bin directory and follow the process below.
[root@localhost bin]# ./wsadmin.sh -conntype NONE -lang jython
wsadmin>AdminTask.changeFileRegistryAccountPassword('-userId saddam -password saddamm')
wsadmin>AdminConfig.save()
Then restart the dmgr.
If you have forgotten the password, you have to directly kill the dmgr process and start the dmgr again.
Login to WebSphere Console -> Users and Groups -> Manage Users -> click on <user_name> -> change the password value -> save the configuration.
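The manual security.xml edit above, scripted as an added example (not from the answer or from IBM): it keeps a backup, flips only the first enabled="true" (the global switch; later ones belong to individual mechanisms such as LTPA and must stay), and reports failure if the file was left unchanged. The location of security.xml under <profile>/config/cells/<cell>/ is taken from the answer; the XML used to exercise it is constructed and only mimics the attribute layout.

```shell
#!/bin/sh
# Added example: turn global security off in security.xml without touching
# anything but the first enabled="true".

# $1 = path to security.xml. Returns 0 on success, 1 if nothing was changed.
disable_global_security() {
    _xml=$1
    [ -f "$_xml" ] || { echo "no such file: $_xml" >&2; return 1; }
    cp -p "$_xml" "$_xml.bak" || return 1   # keep the original to re-enable later
    awk '
        !done && sub(/enabled="true"/, "enabled=\"false\"") { done = 1 }
        { print }
    ' "$_xml.bak" > "$_xml" || return 1
    if cmp -s "$_xml" "$_xml.bak"; then
        echo "no enabled=\"true\" found in $_xml; nothing changed" >&2
        return 1
    fi
    return 0
}

# Prints the value of the first enabled= attribute in $1 (true/false), for checks
# before and after the edit.
global_security_state() {
    awk 'match($0, /enabled="[a-z]*"/) { print substr($0, RSTART + 9, RLENGTH - 10); exit }' "$1"
}

# Usage (assumed profile path):
#   disable_global_security /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/myCell/security.xml
#   then stop/kill the servers and restart them, as described above
```

After the restart the admin console should prompt for a user name only; when re-enabling, restore from the .bak copy rather than hand-editing again.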

Why is WLST not recognizing the user/password in the key and config file in connect() call?

I'm trying to connect to an admin server in WLST using config and key files. There are no error messages, but I am prompted for a username and password. These files were created (by another developer who is long gone[1]) with the storeUserConfig() command. My call to connect looks something like this: connect(userConfigFile=configFile, userKeyFile=keyFile, url='t3://somehost:7031').
Is there some restriction on using these files, such as they can only be used on the host where they were created, or they need access to the domain's boot.properties file?
Note: I'm trying to connect to an admin server on a different host and a non-standard port (i.e. not 7001). The server I am running WLST on and the remote host are the same version of WebLogic.
Some of the things I have tried:
verified that these files appear correct, the key file being binary data and the config file having lines for "weblogic.management.username={AES}..." and "weblogic.management.password={AES}..."
verified that there is a server on the specified port by entering a known login and password that is successful
specified the admin server in the connect parameter
turned on debug(true); the only output is <wlst-debug> connect : Will check if userConfig and userKeyFile should be used to connect to the server and another line giving the path to the userConfig file
turned on Python logging in Jython with -Dpython.verbose=debug; nothing relevant to the decryption operation
munging the key or the config files generates no error messages and the same behaviour as above
[1]: These files are still used today by other existing WLST scripts. However, these scripts are so convoluted and deliberately obfuscated that they are very difficult to reverse-engineer how connect() is being called.
You do not need access to the domain's boot.properties file. You just need to make sure the configFile and keyFile point to the right files. FYI, here is one of the commands we are using: connect(userConfigFile='./user.secure',userKeyFile='./key.secure',url='t3://somehost:7001')
Have you checked the network connectivity? There might be a firewall in between that is troubling you; check the traceroute from the script machine to the remote machine. Recently I faced a similar issue. Once the routing table was updated to allow the WL admin server port, everything got set.
Hope this helps you!
I had this problem too. In a script, I exported the Linux variables userConfigFile and userKeyFile. Then I connected by running:
url='t3://localhost:7002'
userConfigFile='$userConfigFile'
userKeyFile='$userKeyFile'
connect(userConfigFile=userConfigFile, userKeyFile=userKeyFile, url=url)  # the '$userConfigFile' strings above are only expanded when the shell feeds this text to WLST
That all worked in a script, but would not work interactively. I changed to doing the following:
url='t3://localhost:7002'
userConfigFile='/users/me/weblogic-2014/weblogic-admin-WebLogicConfig.properties'
userKeyFile='/users/me/weblogic-2014/weblogic-admin-WebLogicKey.properties'
connect(userConfigFile=userConfigFile, userKeyFile=userKeyFile, url=url)
And that worked interactively.
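Why the '$userConfigFile' form in the answer above works inside a script but not at the interactive WLST prompt: in a shell script the text is typically handed to WLST through a heredoc, and the shell substitutes the exported variables before Jython ever parses the lines; typed interactively, Jython sees the literal string "$userConfigFile" as a file name. The wrapper below makes that explicit, as an added example (not code from the answer or from Oracle): it generates the Jython with the paths already interpolated, and first refuses to proceed if the key file is readable by group or others, since anyone who can read it can decrypt the stored admin credentials. WL_HOME and the two file paths are assumed to be exported.

```shell
#!/bin/sh
# Added example: feed WLST a connect() script with shell-expanded paths.

# Refuse to continue unless both files exist and the key file is owner-only.
check_wlst_credential_files() {
    _cfg=$1
    _key=$2
    [ -r "$_cfg" ] || { echo "missing user config file: $_cfg" >&2; return 1; }
    [ -r "$_key" ] || { echo "missing user key file: $_key" >&2; return 1; }
    _mode=$(ls -l "$_key" | cut -c5-10)   # group/other permission bits
    if [ "$_mode" != "------" ]; then
        echo "key file $_key is readable by group/other; chmod 600 it" >&2
        return 1
    fi
}

# Prints the Jython WLST will run. $1 config file, $2 key file, $3 admin URL.
# The shell interpolates the three values here, so the generated script holds
# literal strings and contains no $variables for Jython to misread.
wlst_connect_script() {
    _cfg=$1
    _key=$2
    _url=$3
    cat <<EOF
url = '$_url'
userConfigFile = '$_cfg'
userKeyFile = '$_key'
connect(userConfigFile=userConfigFile, userKeyFile=userKeyFile, url=url)
print('connected to ' + url)
disconnect()
exit()
EOF
}

# Usage (runs WLST; not exercised by the checks):
#   check_wlst_credential_files "$userConfigFile" "$userKeyFile" || exit 1
#   script=$(mktemp) \
#     && wlst_connect_script "$userConfigFile" "$userKeyFile" 't3://somehost:7031' > "$script" \
#     && "$WL_HOME/common/bin/wlst.sh" "$script"; rm -f "$script"
```

If the generated script still prompts for a username and password, the files themselves are the problem (wrong pair, or created for a different user), not the way connect() is called.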