Troubleshooting
Problem
I configured client certificate login support for an LDAP federated repository. My application is designed to use a client certificate login method.
==> My certificate subject detail required for my client certificate login is:
cn=Gabriel.WAS.123456,OU=WASL2,OU=WASsecurity,O=ibm,C=us
==> My LDAP user DN is:
cn=Gabriel.WAS.123456,cn=users,ou=WASl2security,O=ibm,C=us
==> My wim configuration (wimconfig.xml) is:
certificateFilter="cn=${SubjectCN}" certificateMapMode="filterdescriptormode"
==> My wim configuration (wimconfig.xml) has the following login properties
<config:loginProperties>mail</config:loginProperties>
<config:loginProperties>cn</config:loginProperties>
<config:loginProperties>id</config:loginProperties>
I am unable to log in to my application using client certificate login.
I enabled the WebSphere security trace:
com.ibm.ws.security.=all:com.ibm.websphere.security.=all:com.ibm.websphere.wim.=all:com.ibm.wsspi.wim.=all:com.ibm.ws.wim.*=all
In the trace, I see the following exception.
exception 1 com.ibm.ws.wim.registry.util.UniqueIdBridge getUniqueUserId com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4001E The 'null' entity was not found.
at com.ibm.ws.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:255)
at com.ibm.ws.wim.registry.WIMUserRegistry$6.run(WIMUserRegistry.java:729)
at com.ibm.ws.wim.env.was.JACCAuthorizationService.runAsSuperUser(JACCAuthorizationService.java:1098)
at com.ibm.ws.wim.security.authz.ProfileSecurityManager.runAsSuperUser(ProfileSecurityManager.java:285)
at com.ibm.ws.wim.registry.WIMUserRegistry.getUniqueUserId(WIMUserRegistry.java:714)
at com.ibm.ws.security.registry.UserRegistryImpl.createCredentialInternal(UserRegistryImpl.java:922)
at com.ibm.ws.security.registry.UserRegistryImpl.createCredential(UserRegistryImpl.java:833)
at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginModule.java:800)
How do I resolve this and get my application to use the client certificate login?
Diagnosing The Problem
It seems the issue here is that the wim configuration has three login properties, of which mail is the first, so principalName returns the value of the mail property.
Check the LDAP user's LDIF detail to see whether the mail attribute is set for this user in LDAP. If it is not, the login API returns principalName as null, because the mail attribute value returned by LDAP is null.
In the traces you might notice the following, for example.
[2/17/18:58:52:03CST] 000000a4 RealmManager> com.ibm.ws.wim.RealmManager getURMapOutputPropertyInRealm ENTRY realmName=defaultWIMFileBasedRealm, urMapInfouserSecurityNameMapping
[2/17/18:58:52:03CST] 000000a4 RealmManager< com.ibm.ws.wim.RealmManager getURMapOutputPropertyInRealm RETURN result=principalName
[2/17/18:58:52:03CST] 000000a4 TypeMappings< com.ibm.ws.wim.registry.util.TypeMappings getOutputMapping RETURN returnValue = "principalName"
[2/17/18:58:52:03CST] 000000a4 TypeMappings< com.ibm.ws.wim.registry.util.TypeMappings getOutputUserSecurityName RETURN returnValue = "principalName"
[2/17/18:58:52:03CST] 000000a4 LoginBridge < com.ibm.ws.wim.registry.util.LoginBridge mapCertificate RETURN returnValue = "null"
[2/17/18:58:52:03CST] 000000a4 WIMUserRegist < com.ibm.ws.wim.registry.WIMUserRegistry mapCertificate RETURN returnValue = "null"
[2/17/18:58:52:03CST] 000000a4 authz < com.ibm.ws.wim.env.was.JACCAuthorizationService runAsSuperUser() RETURN
[2/17/18:58:52:03CST] 000000a4 UserRegistryI <mapCertificate Exit null
[2/17/18:58:52:03CST] 000000a4 UserMappingIm <mapCertificateToName Exit null
Resolving The Problem
Check your LDAP user's LDIF detail to see whether the mail attribute is set for this user in LDAP. If it is not configured in LDAP, you need to set a value for the mail attribute for this user on the LDAP server.
Set cn as the first login property, in the order shown in the following example. Save the change and restart the WebSphere Application Server.
Example
<config:loginProperties>cn</config:loginProperties>
<config:loginProperties>mail</config:loginProperties>
<config:loginProperties>uid</config:loginProperties>
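The following Python model is an added illustration of the diagnosis and the fix above; it is not IBM's or WebSphere's code. It substitutes the subject CN into the certificateFilter, looks the result up in a constructed in-memory directory whose entry has no mail attribute, and takes the first configured login property as principalName, so the ordering [mail, cn, id] yields null while [cn, mail, uid] yields the user. The directory entry's attribute values are assumed.

```python
# Constructed in-memory directory (assumed data, not from a real LDAP server).
# The DN is the one from the technote; the cn/uid values are assumed and the
# entry deliberately has NO mail attribute, the case the trace shows.
LDAP_ENTRIES = [
    {
        "dn": "cn=Gabriel.WAS.123456,cn=users,ou=WASl2security,O=ibm,C=us",
        "cn": "Gabriel.WAS.123456",
        "uid": "gabriel.was",
    },
]

def subject_cn(subject_dn):
    """Return the value of the CN RDN of a comma-separated X.509 subject DN."""
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() == "cn":
            return value
    return None

def expand_filter(certificate_filter, subject_dn):
    """Substitute ${SubjectCN} in a certificateFilter (filterdescriptormode)."""
    return certificate_filter.replace("${SubjectCN}", subject_cn(subject_dn) or "")

def find_entry(ldap_filter):
    """Match a simple 'attr=value' filter against the constructed entries."""
    attr, _, value = ldap_filter.partition("=")
    return next((e for e in LDAP_ENTRIES if e.get(attr.lower()) == value), None)

def principal_name(entry, login_properties):
    """Model of the technote's observation: the FIRST login property becomes
    principalName, so a missing attribute yields None (the 'null' in the trace)."""
    return entry.get(login_properties[0])

def missing_login_properties(entry, login_properties):
    """Login properties the matched entry lacks; the check to run against
    the user's LDIF before reordering loginProperties."""
    return [p for p in login_properties if p not in entry]

def map_certificate(subject_dn, certificate_filter, login_properties):
    """End-to-end model of mapCertificate: filter -> entry -> principalName."""
    entry = find_entry(expand_filter(certificate_filter, subject_dn))
    return None if entry is None else principal_name(entry, login_properties)

if __name__ == "__main__":
    subject = "cn=Gabriel.WAS.123456,OU=WASL2,OU=WASsecurity,O=ibm,C=us"
    for props in (["mail", "cn", "id"], ["cn", "mail", "uid"]):
        print(props, "->", map_certificate(subject, "cn=${SubjectCN}", props))
```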
Document Location
Worldwide
Document Information
Modified date:
15 April 2020
UID
ibm16117892