0
votes

I am building SSO between IBM ISAM and the Liberty profile using an LTPA token. ISAM is configured with LDAP authentication and I have added the same LDAP users into the Liberty server.xml basic registry. Now, after the ISAM authentication, I am not able to see my Liberty application and I see the below error in the Liberty log.

stack trace Stack Dump = com.ibm.ws.security.registry.EntryNotFoundException: cn=f4a3e7df53e9caf8dfd3,o=xxx,c=us,dc=xxx,dc=com does not exist at com.ibm.ws.security.registry.basic.internal.BasicRegistry.getUserSecurityName(BasicRegistry.java:506) at com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule.setUpTemporaryUserSubject(TokenLoginModule.java:130) at com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule.login(TokenLoginModule.java:76) at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:53) at

Configuration Details

  1. In the Liberty ltpa.keys the realm is "com.ibm.websphere.ltpa.Realm=BasicRealm" and this is what is used in the above junction.

  2. In server.xml

    <basicRegistry id="basic" realm="BasicRealm">
        <user name="[email protected],cn=f4a3e7df53e9caf8dfd3,o=xxx,c=xx,dc=xxx,dc=com" password="qazwsx1234" />
        <group name="LDAPgroupUsers">
            <member name="[email protected],cn=f4a3e7df53e9caf8dfd3,o=xxx,c=xx,dc=xxx,dc=com" />
        </group>
    </basicRegistry>

    <webApplication contextRoot="my-demo" id="MyDemo" location="MyDemo.war" name="MyDemo">
        <application-bnd>
            <security-role name="LDAPUsersRole">
                <group name="LDAPgroupUsers" />
            </security-role>
        </application-bnd>
    </webApplication>

I feel the LTPA2 token is passed to Liberty and I can see it in the below log, so it must be some issue with the way I configured the user patterns in the basicRegistry mentioned in server.xml.... Any clue?

Object type = com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule tc = class com.ibm.websphere.ras.TraceComponent@8f59a5c2 strings[0] = "TraceComponent[com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule,class com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule,[Authentication],com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages,null]" accessId = "user:BasicRealm/cn=f4a3e7df53e9caf8dfd3,o=xxx,c=us,dc=xxx,dc=com" recreatedToken = class com.ibm.ws.security.token.ltpa.internal.LTPAToken2@255023a9 tc = class com.ibm.websphere.ras.TraceComponent@cb94b8a1

1
Why are you not using the same LDAP server (the one used in ISAM) for the Liberty (server.xml) configuration? Please try using the same LDAP registry for the Liberty server instead of using the basic registry. - M. Tamboli

Thanks.. There were issues with the LDAP connection, so before proceeding with LDAP I want to try with a specific user in the basic registry. - Mkm

1 Answer

0
votes

I have queried the user in LDAP and added the same pattern (name="cn=f4a3e7df53e9caf8dfd3,o=xxx,c=xx,dc=xxx,dc=com") in server.xml, then it worked.

Thanks Tamboli.
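The failure above comes down to a string match: TokenLoginModule takes the accessId "user:<realm>/<securityName>" out of the LTPA2 token and looks <securityName> up in the basicRegistry that owns <realm>, so a mail-address prefix on the <user name> (or a realm name that differs from the ltpa.keys realm) ends in EntryNotFoundException. The checker below is an added example, not code from the question, the answer or Liberty itself; it parses a server.xml fragment and reports why the lookup would fail. The mail address and password in the "before" fragment are constructed placeholders, and the default realm name "BasicRegistry" is assumed.

```python
"""Added example: does the security name in a Liberty LTPA accessId resolve
in the basicRegistry for that realm? (Not from the original thread.)"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the accessId exactly as the TokenLoginModule trace showed it.
ACCESS_ID = "user:BasicRealm/cn=f4a3e7df53e9caf8dfd3,o=xxx,c=us,dc=xxx,dc=com"

# Constructed server.xml fragments. "Before" carries the mail-address prefix
# from the question (placeholder address); "after" is the accepted fix.
SERVER_XML_BEFORE = """<server>
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="mail-placeholder@example.com,cn=f4a3e7df53e9caf8dfd3,o=xxx,c=us,dc=xxx,dc=com"
          password="placeholder"/>
  </basicRegistry>
</server>"""
SERVER_XML_AFTER = """<server>
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="cn=f4a3e7df53e9caf8dfd3,o=xxx,c=us,dc=xxx,dc=com" password="placeholder"/>
  </basicRegistry>
</server>"""


def parse_access_id(access_id: str):
    """Split 'user:<realm>/<securityName>' into (realm, securityName)."""
    m = re.fullmatch(r"user:([^/]+)/(.+)", access_id)
    if not m:
        raise ValueError(f"not a user accessId: {access_id!r}")
    return m.group(1), m.group(2)


def registry_users(server_xml: str):
    """Map each basicRegistry realm to the set of <user name> values it holds."""
    users = {}
    for reg in ET.fromstring(server_xml).iter("basicRegistry"):
        realm = reg.get("realm", "BasicRegistry")  # assumed Liberty default realm name
        users.setdefault(realm, set()).update(u.get("name") for u in reg.iter("user"))
    return users


def check_token_user(access_id: str, server_xml: str):
    """Return the list of problems that would make the registry lookup fail (empty = OK)."""
    realm, name = parse_access_id(access_id)
    users = registry_users(server_xml)
    if realm not in users:
        return [f"realm {realm!r} has no basicRegistry; configured realms: {sorted(users)}"]
    if name in users[realm]:
        return []
    problems = [f"{name!r} is not a <user name> in realm {realm!r}"]
    # The question's symptom: the DN is present but carries an extra prefix.
    near = sorted(u for u in users[realm] if u.endswith(name))
    if near:
        problems.append(f"entries that differ only by a prefix: {near}")
    return problems
```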