Access Denied Errors For Admin User.

, , ,
1

Hello,

In our Environment, We will have Administrator User disabled on all Integration Servers .

Once we have disable the Administrator, We see continuous Error logged in IS Server log.

I Assume this is coming from SPM.

[2380]2016-08-05 10:09:28 UTC [ISS.0053.0002C] Access denied for user Administrator on port 5555 → ‘invoke/wm.server/connect’ from 127.0.0.1.
[2379]2016-08-05 10:08:54 UTC [ISS.0053.0002C] Access denied for user Administrator on port 5555 → ‘invoke/wm.server/connect’ from 127.0.0.1.

and Also After Administrator user is Disabled on IS, Composite Templates dont get completed – Wrapper logs shows it is Scheduled and Jobs show 40% complete and there is no progress after that.

One more Observation- We dont See any of above error if Administrator is enabled with non-default password.

Please Help me to fix this error.

Regards

2

Hi Krishnendi,

as far as I understood, using the Administrator User is essential for what you are trying to do.
So it needs to be enabled and cannot be disabled.

If it works with modified password → good luck.
Remember to keep this password in sync on IS, MWS, SPM, CCE, …

If you think that this behaviour should be changed please open an idea/feature request on Brainstorm portal for this.

Regards,
Holger

3

Hi Holger,

For Security Purpose, we will have Administrator user disabled on Pre-Prod and Prod.
There must be some way to fix this ?
i was going through Documentation, I guess this can done via either of below commands.

cc add security credentials nodeAlias=local runtimeComponentId=integrationServer-ENGINE -i cred.xml

cc add security credentials nodeAlias=local runtimeComponentId=OSGI-IS_default -i creds.xml

cred.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>NewuserBASICmanage123

I tried first option …it did not help :frowning:

4

IIUC, the user Administrator is used in several places for communicating between system components (MWS, PRT etc). At some places it should be possible to specify some other user for this (but then the user should have been granted the right privileges). But I will be not surprised if “Administrator” is just hard coded at some places so that it won’t be possible to change this. Or you will have to live with a constant fear that something might break at any moment.

5

Hi All,

I was able to fix the error from GUI, by Providing a Custom User.

Find the Attached Screenshot.

Can some help me to provide CLI command to do the same ?

error_fixed.jpg
error_fixed.jpg1719×733 128 KB

6

Hi Sergei,

Can you please provide your inputs on above query ?

Regards

7

The command is what you used, but a bit simpler form and with the correct IS engine component id:


export NODE_ALIAS=CTE_CMNSL101_COM_01
export IS_INST_NAME=default

cc add security credentials nodeAlias=$NODE_ALIAS runtimeComponentId=integrationServer-$IS_INST_NAME username=InfraCCadmin password=****

Note that if you may address multiple nodes and multiple components ids with a single entry if you can glob them based on the node alias and/or component id pattern, e.g. to apply to any node which alias starts with CTE_CMNSL101:


cc add security credentials nodeAlias=CTE_CMNSL101* runtimeComponentId=integrationServer-* username=InfraCCadmin password=****

The above will only apply if there is NO explicit mapping to more specific nodeAlias and/or componentId.

Thanks
Sergei

8

Should we run the above command for OSGI also ? like below example ?

cc add security credentials nodeAlias=CTE_CMNSL101* runtimeComponentId=OSGI-IS_com_is_01 username=InfraCCadmin password=****

9

Should we run the above command for OSGI also ? like below example ? as still get Access dined error . Once every one hour

cc add security credentials nodeAlias=CTE_CMNSL101* runtimeComponentId=OSGI-IS_com_is_01 username=InfraCCadmin password=****

[8]2016-11-11 07:07:56 UTC [ISS.0053.0002C] Access denied for user Administrator on port 5555 → ‘invoke/wm.server/connect’ from 127.0.0.1.
[7]2016-11-11 06:07:54 UTC [ISS.0053.0002C] Access denied for user Administrator on port 5555 → ‘invoke/wm.server/connect’ from 127.0.0.1.
[6]2016-11-11 05:07:52 UTC [ISS.0053.0002C] Access denied for user Administrator on port 5555 → ‘invoke/wm.server/connect’ from 127.0.0.1.
[5]2016-11-11 04:07:55 UTC [ISS.0053.0002C] Access denied for user Administrator on port 5555 → ‘invoke/wm.server/connect’ from 127.0.0.1.
[4]2016-11-11 03:07:53 UTC [ISS.0053.0002C] Access denied for user Administrator on port 5555 → ‘invoke/wm.server/connect’ from 127.0.0.1.
[3]2016-11-11 02:07:54 UTC [ISS.0053.0002C] Access denied for user Administrator on port 5555 → ‘invoke/wm.server/connect’ from 127.0.0.1.
[2]2016-11-11 01:07:55 UTC [ISS.0053.0002C] Access denied for user Administrator on port 5555 → ‘invoke/wm.server/connect’ from 127.0.0.1.
[1]2016-11-11 00:07:54 UTC [ISS.0053.0002C] Access denied for user Administrator on port 5555 → ‘invoke/wm.server/connect’ from 127.0.0.1

10

If IS version is 9.8+ the best option to set Authentication type to TRUSTED for both OSGI-IS_ and integrationServer- components. This is the default authentication type which avoids wrong passwords problems altogether.

There is no benefit of using a separate InfraCCAdmin user vs Administrator user (which is used by TRUSTED auth) as SPM needs to have full admin access to IS in order to be able perform IS configuration and administration.

If you still want to use basic authentication as InfraCCAdmin and experience issues configuring that, it would be best to open a support ticket and provide more information about your environment:

  • Versions of IS/SPM and CCE used
  • Fixes installed
  • Logs from IS and SPM
  • What steps have been done to setup InfraCCAdmin user and configure SPM to use it.