Troubleshooting Authentication Using Lotus Connections v3.0
A great way to increase innovation is through knowledge sharing. Three products that I use every day are Rational Team Concert, Rational Asset Manager and Lotus Connections. These products provide change management, asset management and collaboration capabilities, which are important for being able to innovate successfully with a team. I am investigating new ways of using and integrating these products, so recently I tried to install Lotus Connections to learn more. After completing my installation of IBM Lotus Connections I hit a problem where I was unable to log in: each time I tried, I was redirected back to the login page after it had successfully accepted my credentials.
Logging in to WAS I could see that LDAP was enabled with WAS, and I could see the LDAP users there. Going to the Profiles directory I could see that I had successfully populated the Profiles database with my LDAP users. The issue had to be with the authentication. I wanted to share the method below that ultimately allowed me to troubleshoot and solve the problem. I hit many other problems, but those were well documented on the Web. This one, however, wasn't, and I think it may be useful for others who are deploying Notes or just plain WebSphere applications.
Troubleshooting Security Problems in WebSphere
- 1. Enable tracing – Turn on tracing to get the right level of logging to troubleshoot. In the Integrated Solutions Console go to Troubleshooting > Logs and trace.
  - i. Select your server; in my case it was connections_server1.
  - ii. Select Diagnostic Trace.
  - iv. In the components field replace *=info with
- 2. Confirm that global security and single sign-on (SSO) are configured:
  - a. General Properties: Enabled
  - b. Requires SSL: unselected
  - c. Domain name with a leading period. Mine was .funbox2.com
  - d. Enable Interoperability Mode and Web inbound security
- 3. Confirm that federated repositories are used for global security:
  - a. Confirm that you have both the defaultWIMFileBasedRealm and the LDAP realm
  - b. Confirm your repository identifier is set up with your directory server, host and port
  - c. Bind DN pointing to cn=root, with the bind password for the LDAP root
  - d. Ensure Login properties is set to uid
  - e. Certificate mapping set to EXACT_DN
- 4. Restart your Connections server.
- 5. Use baretail.exe to tail the SystemOut.log file in C:\Program Files\IBM\WebSphere\AppServer1\profiles\AppSrv01\logs\connections_server1
- 6. Use baretail.exe to tail the trace.log file in C:\Program Files\IBM\WebSphere\AppServer1\profiles\AppSrv01\logs\connections_server1
  This showed the error "REALM doesn't match".
  The SystemOut.log file had this key error:
[2/17/12 7:58:02:265 PST] 0000004f J2EEContext E ASYN9999E: Unexpected Exception Occurred: com.ibm.websphere.asynchbeans.SerialDeserialException: Exception while deserializing a saved service. Service=security. Unable to deserialize the Subjects in this Context, cause: the realms do not match
- 7. At this point I shared the trace and logs with a friend who was familiar with these types of security errors. He thought the error was likely caused by not having a three-level URL, i.e. www.funbox2.com rather than funbox2.com.
- 8. Since I was testing in a local sandbox, I modified the hosts file (C:\WINDOWS\system32\drivers\etc\hosts): the entry for www.funbox2.com was missing.
- 9. Updated LotusConnections-config.xml so that it refers to the hostname www.funbox2.com instead of funbox2.com for all occurrences:
  C:\Program Files\IBM\WebSphere\AppServer1\profiles\AppSrv01\config\cells\funbox2Cell01\LotusConnections-config\LotusConnections-config.xml
- 10. To ensure the config changes get propagated across the WAS cluster / cell, go back into the Integrated Solutions Console: System Administration > Cell > Nodes, select the node and do a Full Resynchronize.
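The mismatch in steps 7–9 is easy to reintroduce, so here is an added check (my own script, not part of the original post or the Connections product) that reads a LotusConnections-config.xml and a hosts file and flags every referenced host that is the bare SSO domain, lies outside the SSO domain, or has no hosts-file entry. The XML below is a constructed sample modelled on the config's service references; its attribute names and namespace URI are assumptions.

```python
"""Flag hosts in LotusConnections-config.xml that will not line up with the
WebSphere SSO cookie domain (.funbox2.com in the post) or the hosts file."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample config: attribute names and namespace are assumptions.
# The "homepage" entry still uses the two-label host that broke login.
SAMPLE_CONFIG = """<config xmlns:sloc="http://example.invalid/sloc">
  <sloc:serviceReference serviceName="profiles"
      href="http://www.funbox2.com/profiles" ssl_href="https://www.funbox2.com/profiles"/>
  <sloc:serviceReference serviceName="homepage"
      href="http://funbox2.com/homepage" ssl_href="https://funbox2.com/homepage"/>
</config>"""

# Constructed hosts file content: only the bare domain is mapped, as in step 8.
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1       funbox2.com   # sandbox entry
"""

def referenced_hosts(config_xml: str) -> set:
    """Hostname of every URL-valued attribute anywhere in the config."""
    hosts = set()
    for elem in ET.fromstring(config_xml).iter():
        for value in elem.attrib.values():
            if value.startswith(("http://", "https://")):
                hosts.add(urlparse(value).hostname)
    return hosts

def hosts_file_names(hosts_text: str) -> set:
    """Names resolvable through the hosts file; '#' comments are ignored."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(fields[1:])          # first field is the IP address
    return names

def check_sso_hosts(config_xml: str, sso_domain: str, hosts_text: str) -> list:
    """One finding per host that cannot match the SSO domain or resolve locally."""
    findings, local = [], hosts_file_names(hosts_text)
    for host in sorted(referenced_hosts(config_xml)):
        if host == sso_domain.lstrip("."):
            # The post's fix: the host needs a label in front of the cookie domain.
            findings.append(f"{host}: bare domain, use a third label such as www.")
        elif not host.endswith(sso_domain):
            findings.append(f"{host}: outside SSO domain {sso_domain}")
        if host not in local:
            findings.append(f"{host}: no entry in hosts file")
    return findings

if __name__ == "__main__":
    for finding in check_sso_hosts(SAMPLE_CONFIG, ".funbox2.com", SAMPLE_HOSTS):
        print(finding)
```

Run against the real file and hosts file after step 9; an empty result means every service reference uses a host that the SSO cookie domain covers and that the sandbox can resolve.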
This solved my Lotus Connections login problem, and I can now use IBM Lotus Connections. I can now claim I have successfully installed IBM Lotus Connections.