A fix is available
APAR status
Closed as program error.
Error description
Worklight has been installed on a WebSphere ND server and the "Option 2" authentication mechanism is being used. The app server uses a custom security domain, yet when authentication is attempted within the app, the global security domain is used for validation, and as a result, a failure occurs. Because the incorrect registry is used, an error such as the following occurs:
[24/09/14 15.07.47:758 CEST] 000000a9 LdapRegistryI E SECJ0336E: Authentication failed for user appuser because of the following exception com.ibm.websphere.security.PasswordCheckFailedException: No user appuser found
[24/09/14 15.07.47:758 CEST] 000000a9 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.PasswordCheckFailedException: No user appuser found.
[24/09/14 15.07.47:758 CEST] 000000a9 WebSphereLogi W com.worklight.core.auth.ext.WebSphereLoginModule jaasLogin FWLSE0048E: Unhandled exception caught: com.ibm.websphere.security.auth.WSLoginFailedException: No user appuser found
com.ibm.websphere.security.PasswordCheckFailedException: No user appuser found
    at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.checkPassword (LdapRegistryImpl.java:354)
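An added example (not part of the APAR and not IBM code): a Python sketch that scans SystemOut.log text for the failure signature quoted in the error description, that is SECJ0336E, SECJ0369E and FWLSE0048E from WebSphereLoginModule logged for the same user on the same thread. The sample lines are constructed from that excerpt; the function name and the grouping by thread ID and user are assumptions of this example.

```python
import re
from collections import defaultdict

# WebSphere basic log format: [timestamp] threadId component level message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]{8})\s+\S+\s+[A-Z]\s+(?P<msg>.*)$")
MSG_ID = re.compile(r"\b(SECJ0336E|SECJ0369E|FWLSE0048E)\b")
USER = re.compile(r"(?:for user|No user) (\S+)")
SIGNATURE = {"SECJ0336E", "SECJ0369E", "FWLSE0048E"}

# Constructed sample: the three entries from the excerpt plus an unrelated
# registry failure on another thread that must not be reported.
SAMPLE_LOG = """\
[24/09/14 15.07.47:758 CEST] 000000a9 LdapRegistryI E SECJ0336E: Authentication failed for user appuser because of the following exception com.ibm.websphere.security.PasswordCheckFailedException: No user appuser found
[24/09/14 15.07.47:758 CEST] 000000a9 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.PasswordCheckFailedException: No user appuser found.
[24/09/14 15.07.47:758 CEST] 000000a9 WebSphereLogi W com.worklight.core.auth.ext.WebSphereLoginModule jaasLogin FWLSE0048E: Unhandled exception caught: com.ibm.websphere.security.auth.WSLoginFailedException: No user appuser found
    at com.ibm.ws.security.registry.ldap.LdapRegistryImpl.checkPassword (LdapRegistryImpl.java:354)
[24/09/14 15.09.02:113 CEST] 000000b1 LdapRegistryI E SECJ0336E: Authentication failed for user otheruser because of the following exception com.ibm.websphere.security.PasswordCheckFailedException: No user otheruser found
"""

def find_signature(log_text):
    """Return (thread, user, first timestamp) where all three message IDs
    were logged for one user on one thread and FWLSE0048E came from
    Worklight's WebSphereLoginModule."""
    seen = defaultdict(lambda: {"ids": set(), "ts": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace and continuation lines carry no header
        mid, user = MSG_ID.search(m["msg"]), USER.search(m["msg"])
        if not mid or not user:
            continue
        if mid[1] == "FWLSE0048E" and "WebSphereLoginModule" not in m["msg"]:
            continue  # same message ID raised by some other component
        entry = seen[(m["thread"], user[1])]
        entry["ids"].add(mid[1])
        entry["ts"] = entry["ts"] or m["ts"]
    return sorted((t, u, e["ts"]) for (t, u), e in seen.items() if e["ids"] == SIGNATURE)

if __name__ == "__main__":
    for thread, user, ts in find_signature(SAMPLE_LOG):
        print(f"{ts} thread {thread}: registry lookup failed for '{user}' inside the Worklight LTPA login")
```

A hit shows only that the registry lookup failed inside the Worklight LTPA login; confirming that the global registry was consulted instead of the custom domain's still requires checking the server's security domain configuration.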
Local fix
When using the option 2 authentication mechanism, the only workaround is to configure only a single security domain within the server. If the option 1 authentication mechanism is suitable for your needs, then that can be used as a workaround as well with multiple domains.
Problem summary
USERS AFFECTED: Worklight server administrators who use "multiple security domains" support on WebSphere Application Server with their Worklight server runtime.
PROBLEM DESCRIPTION: When using LTPA based authentication with the Worklight server, the LTPA login module uses WebSphere Application Server's global security scope. This causes unexpected behavior when the Worklight server is configured for a non-global security domain.
RECOMMENDATION: -
Problem conclusion
The Worklight server was updated to correctly handle multiple security domains on WebSphere Application Server. The existing behavior remains the same for WebSphere Application Server Liberty Profile and for Tomcat, since neither supports multiple security domains. If the Worklight server is always expected to use global security, the previous behavior can be achieved by setting the JVM property "com.worklight.disableMultipleSecurityDomains" to "true".
Temporary fix
Comments
APAR Information
APAR number
PI28652
Reported component name
WL/MFPF ENTERPR
Reported component ID
5725I4300
Reported release
620
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-10-29
Closed date
2014-11-10
Last modified date
2014-11-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WL/MFPF ENTERPR
Fixed component ID
5725I4300
Applicable component levels
R620 PSY
UP
Document Information
Modified date:
14 October 2021