Changed realm in Websphere Application Server now JVMs will not start - ldap

We're unable to start our JVMs after changing the LDAP server in the Security -> Global Security settings. We get "The user is from a foreign realm, XXXX:289, and this foreign realm is not trusted. Current realm is XXXX".
This error seems straightforward. Yet we cannot find anything wrong with our settings. The "Trusted authentication realms - inbound" looks correct. The settings in Global Security look right. The users have been recreated.
The process we followed was to update the LDAP server. We removed and added back the Admin group roles so they use the new LDAP server. Then we shut down all the WebSphere processes, ran the osgiCfgInit.sh and clearcasecache.sh scripts to clear the cache, and started the processes back up.
Is there a file or cache we need to modify for our admin user?

Related

Difference between Agent User ID and user/ password while configuring replication agent AEM

What is the difference between Agent User ID (Settings tab) and User/Password (Transport tab)? Please share the scenarios for both when configuring replication agents in AEM.
This is well documented in Adobe's documentation here.
The context that is missing is an understanding of how ACLs work: each user/group has certain privileges/rights, which, outside the normal CRUD operations, include Read ACL, Edit ACL and Replicate. You can read about them here.
Now, coming to your question: a replication agent has a host configuration (the system on which it is set up) and a target configuration (the system it connects to). Agent User ID is used for the host system, while User/Password on the Transport tab is for the target system.
For a replication agent on author, the user given as Agent User ID must have read and replicate rights on all paths that need to be processed, whereas the user specified in User/Password on the Transport tab must have create/write access to replicate the content on the Publish instance.

Ldap certificates expired on a WebSphere application server initially configured with ldap

We are running WebSphere Application Server v8.5 on AIX 7, which we configured to use LDAP security. Everything was working fine, but the project was halted for some time and our WAS was down. Now we see that the LDAP certificates have expired, hence we are unable to connect to the dmgr and the admin console. Can somebody help to resolve it?
We know how to configure LDAP on WAS, but don't know how to replace the expired LDAP certificate with the new certificates. (We received new non-expiring certificates from the LDAP team but don't know how to configure them on WAS.)
You need to disable security, restart dmgr, replace certificates and reenable security.
To disable security:
stop/kill the dmgr
run the following from the dmgr\bin folder:
wsadmin -conntype NONE
At the wsadmin prompt, type securityoff and then type exit.
Restart your dmgr.
UPDATE
Do you have Federated or Standalone LDAP configured? In the LDAP configuration you should have a link to the SSL configuration. There you will need to add your new certificate to the Signers store (this is a very simplified description, as I'm not sure which repository you are using).
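As an added example (not part of the answer above), a POSIX shell helper for the step before security is re-enabled: confirm that the certificate the LDAP team supplied is actually still valid, and print its subject and issuer so you know which signer must go into the SSL configuration's trust store. The file path and host name are placeholders.

```shell
#!/bin/sh
# Added example: sanity-check an LDAP certificate before re-enabling WAS
# security. File path and host name below are placeholders.

# Return 0 if the PEM certificate in $1 is still valid for at least $2 more
# seconds (default 0, i.e. simply "not expired right now").
cert_still_valid() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Print subject, issuer and notAfter; the issuer is the signer to import.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Fetch the certificate an LDAPS server actually presents on port 636,
# to compare with what the LDAP team handed over (host is a placeholder).
fetch_ldaps_cert() {
  openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Example use with a placeholder file: refuse to proceed on an expired cert,
# and warn when it expires within 30 days (2592000 s).
if [ -f /path/to/new-ldap-cert.pem ]; then
  cert_still_valid /path/to/new-ldap-cert.pem || echo "certificate already expired" >&2
  cert_still_valid /path/to/new-ldap-cert.pem 2592000 || echo "certificate expires within 30 days" >&2
  cert_summary /path/to/new-ldap-cert.pem
fi
```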

rabbitMQ federation ACCESS_REFUSED (guest login fail)

I have set up RabbitMQ federation between two machines A and B, bi-directional,
but I get the error
{auth_failure,"ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile."}
in the log file. It seems the federation AMQP link needs to connect with the guest/guest credentials, which leads to this question:
rabbitMQ guest login failed
with an existing solution to set up test/test here:
Can't access RabbitMQ web management interface after fresh install
I tried to make guest/guest also work from another machine by running:
rabbitmqctl set_permissions -p / guest ".*" ".*" ".*"
but I still cannot log in via guest/guest from another machine.
In the RabbitMQ management web UI, the users test and guest look the same:
Name   Tags           Can access virtual hosts   Has password
guest  administrator  /                          ●
test   administrator  /                          ●
So why can I still not log in with guest/guest from another machine? (test/test works fine)
You are not listing what version you use, but guesstimating from your post time, I would say the issue is probably because in v 3.3.0 (released in early April 2014) they disabled guest user login remotely (see release notes here), AND it looks like at some point around that time there was a change either in the way federation is supposed to be setup, or simply the yanking of the guest user made it behave differently.
Anyway, to resolve this, make sure you create your upstream with a URI of the following form:
amqp://your_user:your_users_password@rabbit-node-FQDN.your.domain.com/your_vhost
the key is in the your_user:your_users_password string - that was not required before 3.3 (and it still may work without it should you enable the guest user... but I don't care to try that)
hth
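As an added example (not from the answer above), a small POSIX shell helper that refuses to declare a federation upstream unless its AMQP URI carries explicit user:password credentials, then prints the rabbitmqctl commands for the upstream parameter and a matching policy. Host, vhost, user and upstream names are placeholders.

```shell
#!/bin/sh
# Added example: guard a federation upstream definition so it never relies on
# the guest user, whose remote login is disabled since RabbitMQ 3.3.
# All host, user and vhost values below are placeholders.

# Return 0 when the AMQP(S) URI's authority part contains "user:password@".
uri_has_credentials() {
  rest=${1#*://}            # drop the scheme
  authority=${rest%%/*}     # keep the host part, up to the vhost separator
  case "$authority" in
    *:*@*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Print the rabbitmqctl commands that declare the upstream and federate the
# exchanges whose names start with "federated." on the given vhost.
federation_upstream_commands() {
  uri=$1; vhost=$2; name=$3
  if ! uri_has_credentials "$uri"; then
    echo "refusing: '$uri' has no user:password; guest cannot log in remotely" >&2
    return 1
  fi
  printf '%s\n' "rabbitmqctl set_parameter -p $vhost federation-upstream $name '{\"uri\":\"$uri\"}'"
  printf '%s\n' "rabbitmqctl set_policy -p $vhost --apply-to exchanges federate-all '^federated\.' '{\"federation-upstream-set\":\"all\"}'"
}

# Example run with placeholder values (a dedicated federation user, not guest):
federation_upstream_commands 'amqp://fed_user:s3cret@rabbit-b.example.test/%2F' / upstream-b
```

The same user must exist on the upstream node with at least read permission on the federated exchanges; the helper only checks the URI shape, not the remote account.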

Glassfish access control

I have a web service deployed on my system under the Glassfish server. When I try to access it from another system using my IP and port number, it shows an access control origin error.
I tried to solve this by putting an accesscrossdomain.xml file in my Glassfish docroot folder, but the error still continues.
What can be done to solve this issue?
You are likely running into the default configuration, which disables remote administration by default for security reasons. This means no SSL while logging into the administration console, no admin password, etc.
GlassFish Server has excellent documentation. For this particular issue, this section of the Security Guide should help. Basically, you'll want to run "asadmin enable-secure-admin". To learn more about secure admin, read this section of the Security Guide.

Using ldap locally to share login info with webapps - Do I need Kerberos too?

So I'm setting up a dedicated server using Debian 5 Lenny. I will be using some Atlassian Tools (JIRA, Confluence, Bamboo, and Fisheye). I want to use a local LDAP server to store information for the users that will be accessing these software titles, so that they can use one set of credentials to log in.
I also want webmail users to be configured using LDAP.
However, this is a small operation. Three people. That's why all of the software, including the ldap server, will all be on the same machine.
That said, is it safe to store user credentials (including passwords) in LDAP without using Kerberos? I'm confused as to when Kerberos should be used.
Hypothetically, let's say I had two servers on a subnet. Server A receives requests from the outside world for the Atlassian tools. Server A communicates (internally) with the LDAP server on Server B. In that case, would I use Kerberos?
When do I use Kerberos? When do I not?
I am not setting up anything like "Active Directory". No Samba either. Users do not need to log in to a domain (with access to files on the domain); they just need to log in to webapps. But if I were running LDAP on its own dedicated machine, then I might want Kerberos?
:confuzzled: :(
-Sam
The simplest possible answer is yes, it is possible to store user names, user ids, and passwords without using Kerberos, and in fact directory services accessed via LDAP are an excellent tool for storing this sort of authentication and authorization information.
Update:
In my opinion, if you do choose an open source server, you will find OpenDS to be superior to OpenLDAP or Apache.
Basically, if you have Kerberos, you do not need any directory server. If you aren't in a corporate environment and are looking for an identity management store, you should definitely go for a directory server like OpenLDAP or Apache Directory. Kerberos requires running a correctly set up DNS and NTP server. This might be way too much. Even if you do, those lazy morons from Atlassian still did not implement Kerberos support in their products. You can't even go with that.
I just noticed that there are only three of you, maybe a simple database setup with MySQL would suffice instead of running a full-blown directory server?