New central user is not reflecting in IS

Hi Experts,

We have two MWS nodes configured in our system; the webMethods version is 9.9.
I have created the new user in MWS Node 1 and confirmed it by searching in another MWS node2.
But while trying to configure the SSL certificate under the Security tab in IS, I am unable to find the new user {whereas an old user can be easily found}.

Steps I verified to ensure the user is added and the JDBC pool is working fine are:
1. Verified T_WM_XT_SYSDIRUSER table and can see user entry in it.
2. Tested CentralUsers JDBC pool in IS successfully.
3. Increased the IS user management logging to trace and found the information mentioned below:
[18311]2017-09-05 09:27:39 CEST [ISS.0024.0040D] Integration Live Manager getUser(), user not found → ABC-Test-app.
[18310]2017-09-05 09:27:39 CEST [ISS.0024.0030D] Integration Live Manager getUser(), tenantID: null_null.
4. Current fix in IS = IS_9.9_Core_Fix4

Can someone please suggest if I am missing any verification step? Is there any solution to fix the issue without an IS restart {as it’s production}?

Thanks.

Hi Nivedita,

Are the two MWS in a cluster?

To which of the 2 MWS is the IS configured to connect for CentralUserManagement?

Is the SAML Resolver URL configured correctly?

Regards,
Holger

Hi Holger,

Please find the answers inline:

  1. Are the two MWS in a cluster? – Yes, we have two MWS configured in a cluster.

  2. To which of the 2 MWS is the IS configured to connect for CentralUserManagement? – Sorry, I am not
    getting your question. As per my understanding, to share central user details MWS and IS should connect to the same database.
    Is there anything I am missing?

  3. Is the SAML Resolver URL configured correctly? – There is no URL configured in our IS under Security > SAML on IS.

Thanks for the assistance.

Hi Nivedita,

for point two: connecting the shared database is fine.

The SAML Resolver URL should point to the load balancer URL which forwards to the clustered MWS nodes.
This is necessary i.e. for Monitor UI.

Is it possible to configure the certificate in MWS instead of IS?

Regards,
Holger

Hi Holger,

I can see the load balancer URL configured in MWS under Administrator -> My webMethods -> System Settings -> server for the IS (not in IS under Security -> SAML).

Regarding "Is it possible to configure the certificate in MWS instead of IS?": No, as per the current setup we can configure the certificate in IS only.

Additional Note: We have also created a support ticket with SAG for the solution.

Hi Nivedita,

Please adjust the SAML Resolver URL in IS to point to the load balancer URL of the MWS cluster and add “/services/SAML” to it.

Save it and restart the IS (just to be sure).
Might be that IS uses some web service calls against MWS to load the users for the certificate mapping.

Regards,
Holger

Addendum:

Extract from IS Administrators Guide (for 9.5 in this case):


Certificate Mapping
The certificate mapping feature allows you to store client certificates on an Integration
Server and associate each of the certificates with a user account (for example, a certificate
may be used to identify the user FINANCE). When a client presents one of these
certificates, Integration Server logs the client in as the user "mapped" to the certificate.

My webMethods Server also allows you to associate a certificate and a user. If central user
management is configured in Integration Server, Integration Server will automatically
check the My webMethods Server database for certificate mappings when it cannot locate
the user in its local store. Refer to Administering My webMethods Server for further details.

Additionally it is not possible to create a user locally when it is already defined in the MWS used for Central User Management.

Is there anything noteworthy in the server.log or error log of the IS when trying to map the certificate?

Regards,
Holger