IBM Support

"SECJ0418I: Cannot connect to the LDAP server ldap" seen during startup
of Application Server. LDAP server is defined to many IP addresses.

Troubleshooting


Problem

Sometimes during startup the application server fails with the following sequence of errors:

SECJ0418I: Cannot connect to the LDAP server ldap://LDAP.SERVER.COM:389.
SECJ0136I: Custom Registry:com.ibm.ws.security.registry.ldap.LdapRegistryImpl has been initialized
SECJ0418I: Cannot connect to the LDAP server ldap://LDAP.SERVER.COM:389.
SECJ0418I: Cannot connect to the LDAP server ldap://LDAP.SERVER.COM:389.
SECJ0418I: Cannot connect to the LDAP server ldap://LDAP.SERVER.COM:389.
SECJ0352E: Could not get the users matching the pattern xsawebsphere because of the following exception {1}.
SECJ0336E: Authentication failed for user xsawebsphere because of the following exception {1}
SECJ0369E: Authentication failed when using LTPA. The exception is LDAP.SERVER.COM:389.
SECJ0222E: An unexpected exception occurred when trying to create a LoginContext. The LoginModule alias is system.DEFAULT and the exception is com.ibm.websphere.security.auth.WSLoginFailedException: LDAP.SERVER.COM:389.
SECJ0270E: Failed to get actual credentials. The exception is javax.naming.CommunicationException: LDAP.SERVER.COM:389. Root exception is java.net.NoRouteToHostException: No route to host: connect

In the security trace (trace options *=info:com.ibm.ws.security.*=all) you see that the failure took 18 seconds. The trace entries show:

LdapRegistryI 3 javax.naming.CommunicationException: LDAP.SERVER.COM:389 [Root exception is java.net.NoRouteToHostException: No route to host: connect]
LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://LDAP.SERVER.COM:389.

Issuing the command nslookup LDAP.SERVER.COM responds with multiple IP addresses. This is the cause of the problem.

Cause

WebSphere Application Server does not support this type of configuration because of a limitation in Java™: the Java naming cache. By default, Java resolves a host name only once and caches the result indefinitely. So even if the DNS server can resolve 47 host names, Java resolves the name only once and will only ever use the IP address that was returned to it the first time. If that address becomes unreachable, the server keeps retrying the same address instead of trying the others.

Resolving The Problem

In WebSphere Application Server you can work around this limitation by defining backup LDAP servers. You do this by configuring Global Security to use one actual LDAP server (a host name that resolves to a single IP address) and then using
wsadmin to define multiple backup servers. The instructions for doing this are in the product documentation: Security failover among multiple LDAP servers

The following steps should be taken:

  1. Modify the LDAP settings in the admin console to use a host name that resolves to one IP address. This is done on the panel Security > Global security > LDAP.
  2. Start the Deployment Manager or Application Server.
  3. Copy the JACL script from the referenced Information Center link to a file called LDAPAdd.jacl.
  4. Run the command wsadmin -f LDAPAdd.jacl ldap_host_name ldap_port_number once for each backup LDAP host you want to configure.
  5. After you have added them all, open <WebSphere_Install>\config\cells\<cellname>\security.xml. You should see something like this:
     <userRegistries xmi:type="security:LDAPUserRegistry" ...>
       <searchFilter xmi:id="LDAPSearchFilter_1" .../>
       <hosts xmi:id="EndPoint_1133560718410" host="ldap_host_name" port="389"/>
     Each backup host appears as its own <hosts> element.
  6. Synchronize all of the nodes.
  7. Restart the deployment manager and nodes, then test that the backup LDAP servers take over when the primary LDAP server fails.
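The two checks this technote relies on, the nslookup test from the Problem section and the inspection of security.xml in step 5, can be combined into one script. The example below is added here and is not IBM's code: it lists the <hosts> endpoints of the LDAP user registry from a security.xml and reports any configured host name that resolves to more than one IP address, since such a host hits the once-only Java name cache described under Cause. The security.xml sample, its namespace URIs and the ldap1/ldap2 host names are constructed for the demonstration.

```python
import socket
import xml.etree.ElementTree as ET

XMI_NS = "http://www.omg.org/XMI"  # namespace of the xmi:type / xmi:id attributes

# Constructed sample in the shape of a WebSphere security.xml fragment; the
# namespace URIs and host names are assumptions made for this example.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <userRegistries xmi:type="security:LDAPUserRegistry" xmi:id="LDAPUserRegistry_1">
    <searchFilter xmi:id="LDAPSearchFilter_1"/>
    <hosts xmi:id="EndPoint_1" host="ldap1.example.com" port="389"/>
    <hosts xmi:id="EndPoint_2" host="ldap2.example.com" port="389"/>
  </userRegistries>
</security:Security>
"""


def ldap_endpoints(xml_text):
    """Return [(host, port), ...] for every <hosts> element under an
    LDAPUserRegistry, in document order (first = primary, rest = backups)."""
    root = ET.fromstring(xml_text)
    endpoints = []
    for reg in root.iter("userRegistries"):
        if reg.get(f"{{{XMI_NS}}}type") != "security:LDAPUserRegistry":
            continue  # skip local OS / custom registries
        for h in reg.findall("hosts"):
            endpoints.append((h.get("host"), int(h.get("port", "389"))))
    return endpoints


def resolve_all(host):
    """Default resolver: every distinct address DNS returns for host
    (what nslookup shows; Java would keep only the first one)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def multi_address_hosts(xml_text, resolver=resolve_all):
    """Configured LDAP hosts that resolve to more than one address. Each of
    these should be replaced by one host name per address, with the extra
    addresses added as separate backup entries via LDAPAdd.jacl."""
    return [host for host, _ in ldap_endpoints(xml_text)
            if len(resolver(host)) > 1]
```

Run it against the real security.xml by reading the file into ldap_endpoints and multi_address_hosts; the resolver argument exists so the check can be exercised offline with canned DNS answers.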


Document Information

Modified date:
15 June 2018

UID

swg21229549