IBM Support

The error CWWIM4001E occurs after enabling client certificate login support for a federated repository with LDAP

Troubleshooting

Problem

I configured client certificate login support for an LDAP federated repository. My application is designed to use a client certificate login method.

==> My certificate subject detail required for my client certificate login is:

cn=Gabriel.WAS.123456,OU=WASL2,OU=WASsecurity,O=ibm,C=us

==> My LDAP user DN is:

cn=Gabriel.WAS.123456,cn=users,ou=WASl2security,O=ibm,C=us

==> My wim configuration (wimconfig.xml) is:

certificateFilter="cn=${SubjectCN}" certificateMapMode="filterdescriptormode"

==> My wim configuration (wimconfig.xml) has the following login properties

<config:loginProperties>mail</config:loginProperties>

<config:loginProperties>cn</config:loginProperties>

<config:loginProperties>id</config:loginProperties>

I am unable to log in to my application using client certificate login.

I enabled the WebSphere security trace:

com.ibm.ws.security.=all:com.ibm.websphere.security.=all:com.ibm.websphere.wim.=all:com.ibm.wsspi.wim.=all:com.ibm.ws.wim.*=all

In the trace, I see the following exception.

exception 1 com.ibm.ws.wim.registry.util.UniqueIdBridge getUniqueUserId com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4001E The 'null' entity was not found.

at com.ibm.ws.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:255)

at com.ibm.ws.wim.registry.WIMUserRegistry$6.run(WIMUserRegistry.java:729)

at com.ibm.ws.wim.env.was.JACCAuthorizationService.runAsSuperUser(JACCAuthorizationService.java:1098)

at com.ibm.ws.wim.security.authz.ProfileSecurityManager.runAsSuperUser(ProfileSecurityManager.java:285)

at com.ibm.ws.wim.registry.WIMUserRegistry.getUniqueUserId(WIMUserRegistry.java:714)

at com.ibm.ws.security.registry.UserRegistryImpl.createCredentialInternal(UserRegistryImpl.java:922)

at com.ibm.ws.security.registry.UserRegistryImpl.createCredential(UserRegistryImpl.java:833)

at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginModule.java:800)

How do I resolve this and get my application to use the client certificate login?

Diagnosing The Problem

The wim configuration has three login properties, and mail is the first of them, so principalName is mapped to the value of the mail attribute.

Check the LDAP user's LDIF entry to see whether the mail attribute is set for this user. If it is not, the login API returns principalName as null, because the value LDAP returns for the mail attribute is null.

In the trace, you might notice entries like the following.

[2/17/18:58:52:03CST] 000000a4 RealmManager> com.ibm.ws.wim.RealmManager getURMapOutputPropertyInRealm ENTRY realmName=defaultWIMFileBasedRealm, urMapInfouserSecurityNameMapping

[2/17/18:58:52:03CST] 000000a4 RealmManager< com.ibm.ws.wim.RealmManager getURMapOutputPropertyInRealm RETURN result=principalName

[2/17/18:58:52:03CST] 000000a4 TypeMappings< com.ibm.ws.wim.registry.util.TypeMappings getOutputMapping RETURN returnValue = "principalName"

[2/17/18:58:52:03CST] 000000a4 TypeMappings< com.ibm.ws.wim.registry.util.TypeMappings getOutputUserSecurityName RETURN returnValue = "principalName"

[2/17/18:58:52:03CST] 000000a4 LoginBridge < com.ibm.ws.wim.registry.util.LoginBridge mapCertificate RETURN returnValue = "null"

[2/17/18:58:52:03CST] 000000a4 WIMUserRegist < com.ibm.ws.wim.registry.WIMUserRegistry mapCertificate RETURN returnValue = "null"

[2/17/18:58:52:03CST] 000000a4 authz < com.ibm.ws.wim.env.was.JACCAuthorizationService runAsSuperUser() RETURN

[2/17/18:58:52:03CST] 000000a4 UserRegistryI <mapCertificate Exit null

[2/17/18:58:52:03CST] 000000a4 UserMappingIm <mapCertificateToName Exit null

Resolving The Problem

Check the LDAP user's LDIF entry to see whether the mail attribute is set for this user. If it is not configured in LDAP, set a value for the mail attribute for this user on the LDAP server.

Set cn as the first login property, using the following order for login properties. Save the change and restart WebSphere Application Server.

Example

<config:loginProperties>cn</config:loginProperties>

<config:loginProperties>mail</config:loginProperties>

<config:loginProperties>uid</config:loginProperties>
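The following Python model is an added illustration, not IBM's code: it reproduces the behaviour described above, where the certificate filter selects the LDAP entry and principalName is taken from the first login property, so a user without a mail attribute maps to null while moving cn first succeeds. The regex-based config parsing, the single constructed directory entry and the simplified filter matching are assumptions.

```python
import re

# Constructed wimconfig.xml fragments (not real files); only the loginProperties order differs.
WIMCONFIG_MAIL_FIRST = """
<config:loginProperties>mail</config:loginProperties>
<config:loginProperties>cn</config:loginProperties>
<config:loginProperties>id</config:loginProperties>
"""
WIMCONFIG_CN_FIRST = """
<config:loginProperties>cn</config:loginProperties>
<config:loginProperties>mail</config:loginProperties>
<config:loginProperties>uid</config:loginProperties>
"""
CERT_FILTER = "cn=${SubjectCN}"
SUBJECT_DN = "cn=Gabriel.WAS.123456,OU=WASL2,OU=WASsecurity,O=ibm,C=us"

# Constructed stand-in for the LDAP directory: one entry with no mail attribute (the page's situation).
DIRECTORY = [
    {"dn": "cn=Gabriel.WAS.123456,cn=users,ou=WASl2security,O=ibm,C=us",
     "cn": "Gabriel.WAS.123456", "uid": "gabriel"},
]


def login_properties(wimconfig_xml):
    """Return the loginProperties values in the order they appear in the config."""
    return re.findall(r"<config:loginProperties>(\w+)</config:loginProperties>", wimconfig_xml)


def subject_cn(subject_dn):
    """Extract the value of the first cn RDN from the certificate subject DN."""
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "cn":
            return value.strip()
    return None


def map_certificate(subject_dn, login_props, directory=DIRECTORY, cert_filter=CERT_FILTER):
    """Simplified model of filterdescriptormode: expand ${SubjectCN} in the filter,
    find the matching entry, then take principalName from the FIRST login property.
    Returns None (the "null" seen in the trace) when that attribute is absent,
    which is what leads to CWWIM4001E."""
    expanded = cert_filter.replace("${SubjectCN}", subject_cn(subject_dn) or "")
    attr, _, value = expanded.partition("=")
    for entry in directory:
        if entry.get(attr, "").lower() == value.lower():
            return entry.get(login_props[0])
    return None
```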


Document Information

Modified date:
15 April 2020

UID

ibm16117892