Password validation while logging in to Enterprise Manager

Hi,

We have connected the UM realm to LDAP. While logging into EM to connect to this remote realm, it does user validation correctly, but password validation is not working as expected: whatever password we type, it is accepted if the given user is correct.

The realm is on Linux and EM is on Windows machines.

Please let me know how to resolve this.

Did you add the following two Java system properties to the server_common.conf?
wrapper.java.additional.19=-DNirvana.auth.enabled=y
wrapper.java.additional.20=-DNirvana.auth.mandatory=y

Also, typically the user that installed UM on localhost has full access anyway, so please try using the LDAP connection from a different machine.

Hope this helps.

Hi Jonathan,
We have configured the settings below in Server_Common.conf.
wrapper.java.additional.17=-DNirvana.auth.enabled=y
wrapper.java.additional.18=-DNirvana.auth.mandatory=y
wrapper.java.additional.19=-DNirvana.auth.server.jaaskey=UM
wrapper.java.additional.20=-Djava.security.auth.login.config=jaas.conf
wrapper.java.additional.21=-DEnableDebug=auth

Also, I am trying to log in from a different machine.

Is the number after .additional in the Server_Common.conf unique?
What happens if you try to connect using a username that doesn't exist in LDAP?
Can you share the jaas.conf (remove any sensitive information first)?

Hi Jonathan,

  1. Yes, the number is unique.

  2. Even if I don't connect with a user name, it gets through; if I give the users inside users.txt it gets through; if I give CDS users it gets through. When I give a non-CDS user or some name which is not there inside users.txt, it does not get through. But for all these users the password is not getting validated.

  3. My jaas.conf looks like below.
     UM {
         com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient
         url=""
         prin=""
         cred=admin
         userrootdn=""
         uidprop="CN"
         grouprootdn="cn=integration,cn=usergroups,ou=security,ou=global,o=xx.com"
         groupobjclass="group"
         personobjclass="person"
         logLevel=debug;

         com.softwareag.security.jaas.login.internal.InternalLoginModule sufficient
         template_section=INTERNAL
         logCallback=true
         internalRepository="users.txt";
     };

Hi Jonathan,

I have observed the following things while logging in.
The settings below are in Server_Common.conf:

Changed for LDAP and local user store (enabling basic auth) ------------

wrapper.java.additional.101=-DNirvana.auth.enabled=y
wrapper.java.additional.102=-DNirvana.auth.mandatory=y
wrapper.java.additional.103=-DNirvana.auth.server.jaaskey=UM
wrapper.java.additional.104=-Djava.security.auth.login.config=jaas.conf
wrapper.java.additional.105=-DEnableDebug=auth

wrapper.java.additional.101=-XX:MaxDirectMemorySize=1G

With these settings I can connect to EM with or without user credentials, but the password is not validated.
If I change wrapper.java.additional.101=-XX:MaxDirectMemorySize=1G to wrapper.java.additional.106=-XX:MaxDirectMemorySize=1G, then I am not able to log in to the realm from EM with or without a user. I get the error "Unable to establish the connection to realm".

Could you please explain this to me.

Hello Kavitha,

As Jonathan explained earlier, the indexes in the "wrapper.java.additional.xxx" entries must be unique. Otherwise the latter wrapper.java.additional.101 overwrites the previous wrapper.java.additional.101 entry.
Note that they must be unique not only within the Server_Common.conf file, but across Server_Common.conf and nserver.conf (or nserverdaemon.conf), since the latter ones import the common one, which in Tanuki's terms is essentially the same as merging the text files.

After making sure you are using unique indexes, can you also confirm that the additional JAAS libraries are added to the classpath of the UM server? That is essential because generally (and this may depend on the version you are using) the JAAS modules (such as com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule) are not delivered with the UM installation and the respective jar files are not on the server classpath.

Stefan
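
To make the index-collision point concrete, here is an added example (not code from the thread or from Software AG) that merges the wrapper files the way Stefan describes and reports every wrapper.java.additional.N index that is defined more than once. The file contents are constructed for illustration; the "last definition wins" rule and the include order are assumptions based on his explanation, not verified against Tanuki's source.

```python
"""Detect duplicate wrapper.java.additional.<N> indexes across the Tanuki
wrapper files that Universal Messaging merges at start-up (Server_Common.conf
plus the file that includes it, nserver.conf or nserverdaemon.conf).

Added example; not part of the original thread or of the UM product. The
sample file contents below are constructed. Assumption: when an index is
defined twice the later definition replaces the earlier one, as described in
the thread.
"""
import re

# Constructed sample: the common file carries the JAAS settings, and the
# daemon file that includes it re-uses index 101 for a JVM memory flag.
SERVER_COMMON_CONF = """\
wrapper.java.additional.101=-DNirvana.auth.enabled=y
wrapper.java.additional.102=-DNirvana.auth.mandatory=y
wrapper.java.additional.103=-DNirvana.auth.server.jaaskey=UM
wrapper.java.additional.104=-Djava.security.auth.login.config=jaas.conf
wrapper.java.additional.105=-DEnableDebug=auth
"""

NSERVER_CONF = """\
#include ../bin/Server_Common.conf
wrapper.java.additional.101=-XX:MaxDirectMemorySize=1G
"""

ADDITIONAL_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")


def parse_additional(text, source):
    """Yield (index, value, source) for every wrapper.java.additional.N line."""
    for line in text.splitlines():
        m = ADDITIONAL_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), source


def merged_view(files):
    """files: list of (name, text) in include order (the included common file
    first, then the file that includes it).

    Returns (effective, conflicts): effective maps index -> the value the JVM
    ends up with (last definition wins), conflicts lists (index, [(value,
    source), ...]) for every index defined more than once."""
    seen = {}
    for name, text in files:
        for idx, value, src in parse_additional(text, name):
            seen.setdefault(idx, []).append((value, src))
    effective = {idx: defs[-1][0] for idx, defs in seen.items()}
    conflicts = [(idx, defs) for idx, defs in seen.items() if len(defs) > 1]
    return effective, conflicts


def jvm_args(effective):
    """The -D/-XX arguments the JVM actually receives, in index order."""
    return [effective[i] for i in sorted(effective)]


def check(files):
    """Summarise the merged configuration and whether UM authentication
    survived the merge (the property that silently disappears in the thread)."""
    effective, conflicts = merged_view(files)
    args = jvm_args(effective)
    return {
        "conflicts": conflicts,
        "jvm_args": args,
        "auth_enabled": "-DNirvana.auth.enabled=y" in args,
    }


if __name__ == "__main__":
    result = check([("Server_Common.conf", SERVER_COMMON_CONF),
                    ("nserver.conf", NSERVER_CONF)])
    for idx, defs in result["conflicts"]:
        print(f"index {idx} defined {len(defs)} times:")
        for value, src in defs:
            print(f"    {src}: {value}")
        print(f"    -> JVM sees only: {defs[-1][0]}")
    print("auth enabled:", result["auth_enabled"])
```

Run against the constructed files, the script reports index 101 twice and shows that -DNirvana.auth.enabled=y never reaches the JVM, which is exactly the "any password accepted" symptom: the server is simply not authenticating. Renumbering the memory flag to a free index makes the conflict list empty and auth_enabled true.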

Hi Stefan,

Yes, I have added the required jars to the server classpath.
I have configured the jaas.conf file for both LDAP and the internal repository, that is users.txt.

I have modified the XX number to be unique for all the properties.
Now when I try to log in to EM, it gives me "unable to establish connection to realm" with the user list from LDAP to users.txt.

Hi All,

I am still not able to fix this issue.

Can someone please suggest any solution for the problem.

  1. Trying to configure both LDAP and the internal repository.
  2. Copied all the required jar files and added them to the classpath in UM.
  3. Added the authentication-required property as given earlier.

Still getting "unable to establish connection to realm".

Please provide the UM logs and the complete Server_Common.conf.

Also check and confirm the points below:

  • Whether your UM is clustered
  • Whether you have seen any intermittent connectivity issues between EM and the realm, and whether both are in the same network or different networks
  • Whether you have seen any errors in the logs

Thanks

Hello Kavitha,

the reason you get a failure suggesting that the login failed against the users.txt file is most probably because that was the last thing that the JAAS authentication went through.

I'd suggest setting the server log level to 0 (from Enterprise Manager) and changing the -DEnableDebug=auth property in Server_Common.conf to -DEnableDebug=all.
Then restart the server and try to log in again. In nirvana.log (under the server data directory) you should see the authentication failures and the reason for them.
We may also need to turn on the JAAS login modules verbose debug log.

One more question - are you unable to login both against the LDAP and the internal user repo (users.txt)? Your JAAS configuration suggests that the authenticator would first try the LDAP server, and if that fails it will try to authenticate against the users.txt file, so you should be able to try for example the default SAG user (Administrator:manage if you haven’t changed it).

Stefan
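
Stefan's point that the authenticator tries LDAP first and only falls back to users.txt when LDAP fails is the behaviour of the JAAS "sufficient" control flag. The following added example (not code from the thread, from Software AG or from the JDK) simulates the JAAS login stack so you can see which module ends up authenticating a user; it goes beyond the thread's two-sufficient-module case by implementing all four flags (required, requisite, sufficient, optional) according to the standard LoginContext rules. The LDAP directory and users.txt contents are constructed stand-ins, and the module names are labels rather than the real classes.

```python
"""Simulate JAAS login-stack control flags for the two-module UM configuration
in this thread: an LDAP module followed by the internal users.txt module, both
'sufficient'.

Added example, not code from the thread, Software AG or the JDK. The flag
semantics follow the JAAS LoginContext rules; the stores are constructed
dicts, not real LDAP or users.txt back-ends.
"""


class LoginFailure(Exception):
    """Stands in for javax.security.auth.login.LoginException."""


def make_store_module(name, store):
    """Return a login function backed by a dict {user: password}.
    Raises LoginFailure on unknown user or wrong password, as a real module
    does; returns the module name on success."""
    def login(user, password):
        if user not in store or store[user] != password:
            raise LoginFailure(f"{name}: bad credentials for {user!r}")
        return name
    return login


def jaas_login(stack, user, password):
    """stack: list of (flag, login_fn). Returns the name of the module that
    authenticated the user, or raises LoginFailure.

    Mirrors LoginContext:
      requisite failure  -> stop immediately, fail
      required failure   -> remember it, keep going, fail at the end
      sufficient success -> stop immediately, succeed (unless a required or
                            requisite module already failed)
      optional/sufficient failure -> remember it, keep going
    """
    first_required_error = None
    first_error = None
    succeeded_by = None
    for flag, login in stack:
        try:
            name = login(user, password)
            succeeded_by = succeeded_by or name
            if flag == "sufficient" and first_required_error is None:
                return name
        except LoginFailure as e:
            if flag == "requisite":
                raise
            if flag == "required":
                first_required_error = first_required_error or e
            else:
                first_error = first_error or e
    if first_required_error is not None:
        raise first_required_error
    if succeeded_by is None:
        raise first_error or LoginFailure("all modules ignored")
    return succeeded_by


# Constructed stores (assumptions, not real data).
LDAP_DIRECTORY = {"_kamah3": "ldap-secret"}   # stand-in for the corporate LDAP
USERS_TXT = {"Administrator": "manage"}       # UM default internal user, per the thread

LDAP_MODULE = make_store_module("LDAPLoginModule", LDAP_DIRECTORY)
INTERNAL_MODULE = make_store_module("InternalLoginModule", USERS_TXT)

# The stack from the jaas.conf posted in this thread: both modules sufficient.
UM_STACK = [
    ("sufficient", LDAP_MODULE),
    ("sufficient", INTERNAL_MODULE),
]


def outcome(stack, user, password):
    """Return the authenticating module name, or None when login is refused."""
    try:
        return jaas_login(stack, user, password)
    except LoginFailure:
        return None


def try_login(user, password):
    """Outcome for the thread's two-sufficient-module stack."""
    return outcome(UM_STACK, user, password)


if __name__ == "__main__":
    for u, p in [("_kamah3", "ldap-secret"), ("_kamah3", "wrong"),
                 ("Administrator", "manage"), ("Administrator", "wrong")]:
        print(f"{u}/{p}: {try_login(u, p)}")
```

With this stack, a correct LDAP password is accepted by the first module and users.txt is never consulted; a wrong one falls through to users.txt, which also refuses it, so the login fails. If any password is accepted, as in the original symptom, the stack is not being invoked at all, which points back at the Nirvana.auth.* properties rather than at the modules.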

Hi Stefan,

I tried everything you said.
This is what I see in the nirvana log.
SASL-ServerLoginContext/88: [debug] Authenticating PLAIN username=_kamah3 - authorisation-ID=null/allowed=false
SASL-ServerLoginContext/1874: [debug] Authenticating PLAIN username=Administrator - authorisation-ID=null/allowed=false

I am not able to log in with users.txt users nor with LDAP users.
I tried to log in with the Administrator user.

What version and patch level are you on?

Hi Stefan,

We are on UM 9.10 Fix1.

thanks

Could you attach the nirvana.log file here?

Thanks,
Stefan

Hi Stefan,

I am attaching part of the nirvana log file.

nirvana.log (24.5 KB)

Hi Stefan,

I also get the logs below when I grep for JAAS in nirvana.log.

[Thu Jun 16 08:16:13 UTC 2016],Server Authentication: Enabled=true, Mandatory=true, JAAS-key=UM/std=false, SuperUser=webm@localhost, Exempt=1/[@]
at com.pcbsys.foundation.security.auth.fAuthentication.authenticateJAAS(fAuthentication.java:55)
at com.pcbsys.foundation.security.auth.fAuthentication.authenticateJAAS(fAuthentication.java:55)
at com.pcbsys.foundation.security.auth.fAuthentication.authenticateJAAS(fAuthentication.java:55)
at com.pcbsys.foundation.security.auth.fAuthentication.authenticateJAAS(fAuthentication.java:55)

Hi Stefan,

I have modified jaas.conf as below.

UM {
com.softwareag.security.jaas.login.internal.InternalLoginModule sufficient
template_section=INTERNAL
logCallback=true
internalRepository="fullpath/UniversalMessaging/server/um_01/bin/users.txt";
logLevel=debug;
};

Still I am not able to log in to EM using users.txt.

Hello Kavitha,

The error in the log:

java.lang.SecurityException: java.io.IOException: Configuration Error: Line 5: expected [option key], found [null]

suggests a syntactic error in the JAAS configuration file. In my experience the most common cause is a separator character (comma, semicolon) between the login module configuration properties.
If you attach the JAAS configuration file here I can have a quick look.

Stefan

I just realized you’ve pasted your jaas configuration with the users.txt file - the syntactic error in this case would be the semi-colon character after the path to the users txt file (since you have another property following that).

Stefan
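
Because the JAAS configuration grammar is small, the stray-semicolon mistake Stefan identifies can be caught before restarting the server. The following added example (not code from the thread, from Software AG or from the JDK's ConfigFile parser) checks a jaas.conf for structural errors: a semicolon terminates a module's option list, so one placed between two options ends the module early and the next option is read as a module class name. It also rejects curly quotes, which JAAS does not treat as string delimiters. The sample configurations are constructed and modelled on the ones posted in the thread; the checker does not handle // or /* */ comments and does not load any modules.

```python
"""Minimal syntax checker for JAAS login configuration files (jaas.conf).

Grammar checked:
    entry  := NAME '{' module+ '}' ';'
    module := CLASS FLAG (KEY '=' VALUE)* ';'

Added example, not code from the thread, Software AG or the JDK. It checks
structure only; comments are not supported. Samples below are constructed.
"""

FLAGS = {"required", "requisite", "sufficient", "optional"}
SPECIAL = set("{};=")
CURLY = "\u201c\u201d"


class JaasSyntaxError(Exception):
    def __init__(self, line, msg):
        super().__init__(f"Line {line}: {msg}")
        self.line = line


def tokenize(text):
    """Return a list of (kind, value, line): 'SYM' for { } ; =, 'STR' for a
    double-quoted string, 'WORD' for anything else. Only ASCII double quotes
    delimit strings; curly quotes are reported as an error."""
    tokens, i, line, n = [], 0, 1, len(text)
    while i < n:
        c = text[i]
        if c == "\n":
            line += 1
            i += 1
        elif c.isspace():
            i += 1
        elif c in CURLY:
            raise JaasSyntaxError(line, 'curly quote found; JAAS only recognises ASCII "')
        elif c in SPECIAL:
            tokens.append(("SYM", c, line))
            i += 1
        elif c == '"':
            end = text.find('"', i + 1)
            if end == -1 or "\n" in text[i:end]:
                raise JaasSyntaxError(line, "unterminated string")
            tokens.append(("STR", text[i + 1:end], line))
            i = end + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in SPECIAL \
                    and text[j] != '"' and text[j] not in CURLY:
                j += 1
            tokens.append(("WORD", text[i:j], line))
            i = j
    return tokens


class Parser:
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        if self.pos < len(self.toks):
            return self.toks[self.pos]
        return ("EOF", None, self.toks[-1][2] if self.toks else 1)

    def take(self, kind, value=None, what="token"):
        k, v, ln = self.peek()
        if k != kind or (value is not None and v != value):
            raise JaasSyntaxError(ln, f"expected {what}, found {v!r}")
        self.pos += 1
        return v

    def parse(self):
        """Return {application name: [(module class, flag, {option: value}), ...]}."""
        entries = {}
        while self.peek()[0] != "EOF":
            name = self.take("WORD", what="application name")
            self.take("SYM", "{", "'{'")
            modules = []
            while self.peek()[1] != "}":
                modules.append(self.module())
            self.take("SYM", "}", "'}'")
            self.take("SYM", ";", "';' after '}'")
            entries[name] = modules
        return entries

    def module(self):
        cls = self.take("WORD", what="login module class name")
        k, flag, ln = self.peek()
        if k != "WORD" or flag.lower() not in FLAGS:
            # This is where a semicolon placed between options shows up: the
            # option after it is read as a module class with no flag behind it.
            raise JaasSyntaxError(ln, f"expected control flag after module {cls!r}, found {flag!r}")
        self.pos += 1
        options = {}
        while self.peek()[1] != ";":
            key = self.take("WORD", what="option key")
            self.take("SYM", "=", "'=' after option key")
            k2, val, ln2 = self.peek()
            if k2 not in ("WORD", "STR"):
                raise JaasSyntaxError(ln2, f"expected option value for {key!r}, found {val!r}")
            self.pos += 1
            options[key] = val
        self.take("SYM", ";", "';' ending the module entry")
        return (cls, flag.lower(), options)


def check(text):
    """Return (entries, None) on success or (None, error message) on a syntax error."""
    try:
        return Parser(tokenize(text)).parse(), None
    except JaasSyntaxError as e:
        return None, str(e)


# Constructed samples modelled on the thread: semicolon after the wrong option.
BROKEN = """\
UM {
com.softwareag.security.jaas.login.internal.InternalLoginModule sufficient
template_section=INTERNAL
logCallback=true
internalRepository="users.txt";
logLevel=debug;
};
"""

FIXED = """\
UM {
com.softwareag.security.jaas.login.internal.InternalLoginModule sufficient
template_section=INTERNAL
logCallback=true
internalRepository="users.txt"
logLevel=debug;
};
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        entries, err = check(cfg)
        print(label, "->", err if err else entries)
```

On the broken sample the checker stops at line 6 (logLevel), because after the semicolon on line 5 it expects either "}" or a new module class followed by a control flag. Only the last option of each module carries the semicolon.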