Tuesday, December 27, 2016

WebSphere Application Server Security configuration changes done with wsadmin are not activated immediately.

Problem (Abstract)

Some administrative actions (like mapping administrative users or groups to security roles) might not take effect immediately and appear to require a restart of the JVM.

For example, you want to map the group called "wasadmins" to the Administrator role:

AdminTask.mapGroupsToAdminRole('[-roleName administrator -accessids [group:defaultWIMFileBasedRealm/cn=wasadmins,cn=groups,dc=mycompany,dc=com ] -groupids [wasadmins@defaultWIMFileBasedRealm ]]')

AdminConfig.save()

Symptom

Although the configuration change has been saved with AdminConfig.save(), a user who is a member of the "wasadmins" group still cannot log in immediately.
If you log in to the AdminConsole with the primary administrative user and go to the "Administrative group roles" page, the new group mapping is listed there.
After you log out of the console again, a member of the newly mapped group can log in.

Cause

Some changes to the WAS configuration require a restart of the JVM, or at least a refresh of the runtime copy of the configuration in the running processes.
Opening the "Administrative group roles" page in the ISC triggers that refresh as a side effect, which is why the login works after visiting the page.

Resolving the problem

When the configuration changes are completed and saved, you can force a refresh of the security configuration yourself by invoking the "refreshAll" operation on the AuthorizationGroupManager MBean with AdminControl:
authGrpMgr = AdminControl.completeObjectName('WebSphere:type=AuthorizationGroupManager,*')
AdminControl.invoke(authGrpMgr, 'refreshAll')

Now the login with a newly mapped user is possible.

The above commands refresh only the process that completeObjectName resolved to, which is fine for the DMgr or for a Base instance that you are connected to via wsadmin.
But if you want to execute tasks with the newly mapped user on federated nodes (e.g. start an application server JVM, etc.), then the nodeagents also need to refresh their security configuration. Note that a nodeagent reloads its own synchronized copy of the configuration, so the saved change must have reached the node (automatic node synchronization, or a manual sync) before the refresh has any effect there.

This means you need to extend the script, e.g. like this (queryNames returns the matching ObjectName as a string; each statement goes on its own line):

for node in ['node1', 'node2']:
    authGrpMgr = AdminControl.queryNames('type=AuthorizationGroupManager,process=nodeagent,node=%s,*' % node)
    AdminControl.invoke(authGrpMgr, 'refreshAll')
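As an added example (not code from the original post or from IBM), the following wsadmin Jython script generalizes the per-node commands above: it queries every AuthorizationGroupManager MBean visible from the process wsadmin is connected to, optionally synchronizes each node first, and invokes refreshAll on all of them, so new nodes do not have to be added to the script by hand. The FakeAdminControl stand-in, the cell and node names, and the ObjectName strings are assumptions constructed so the logic can be exercised outside WebSphere; under wsadmin the predefined AdminControl is used instead.

```python
# Added example, not from the original post.  Refresh the administrative
# authorization configuration in every process that exposes an
# AuthorizationGroupManager MBean, instead of naming each node by hand.
# Written so it runs under wsadmin's Jython (old 2.x: no True/False literals,
# no "except X as e") and under a current Python for an offline dry run.

def parse_object_names(query_result):
    """AdminControl.queryNames returns a single string with one ObjectName per
    line (empty string when nothing matched).  Normalise it to a list."""
    names = []
    for line in query_result.splitlines():
        line = line.strip()
        if line:
            names.append(line)
    return names

def key_property(object_name, key):
    """Read one key=value property (node, process, ...) out of a JMX
    ObjectName string such as 'WebSphere:name=...,process=nodeagent,node=n1,...'."""
    props = object_name.split(':', 1)[-1]
    for pair in props.split(','):
        if '=' in pair:
            k, v = pair.split('=', 1)
            if k.strip() == key:
                return v.strip()
    return None

def refresh_security_config(admin_control, node_filter=None, sync_first=0):
    """Invoke refreshAll on every AuthorizationGroupManager MBean reachable from
    the connected process.  Connected to the deployment manager, that covers the
    dmgr and every running node agent, so a newly mapped admin user or group is
    honoured cell-wide without a JVM restart.

    node_filter: optional list of node names to restrict the refresh to.
    sync_first:  if set, run a node synchronization for each node agent first,
                 because the node agent reloads its own synchronized copy of
                 the configuration, not the copy just saved on the dmgr.
    Returns the list of (node, process) pairs that were refreshed."""
    targets = []
    for mbean in parse_object_names(admin_control.queryNames('type=AuthorizationGroupManager,*')):
        node = key_property(mbean, 'node')
        process = key_property(mbean, 'process')
        if node_filter is not None and node not in node_filter:
            continue
        targets.append((mbean, node, process))
    if sync_first:
        for mbean, node, process in targets:
            if process == 'nodeagent':
                sync = admin_control.completeObjectName('type=NodeSync,node=%s,*' % node)
                if sync:
                    admin_control.invoke(sync, 'sync')
    refreshed = []
    for mbean, node, process in targets:
        admin_control.invoke(mbean, 'refreshAll')
        refreshed.append((node, process))
    return refreshed


class FakeAdminControl:
    """Constructed stand-in for wsadmin's AdminControl (assumption, for offline
    runs only).  Mimics the newline-separated queryNames result and records every
    MBean operation it is asked to invoke."""
    def __init__(self, agm_mbeans, nodes_with_agent):
        self.agm_mbeans = agm_mbeans
        self.nodes_with_agent = nodes_with_agent
        self.invoked = []
    def queryNames(self, template):
        if 'type=AuthorizationGroupManager' in template:
            return '\n'.join(self.agm_mbeans)
        return ''
    def completeObjectName(self, template):
        node = key_property(template, 'node')
        if 'type=NodeSync' in template and node in self.nodes_with_agent:
            return 'WebSphere:name=nodeSync,process=nodeagent,node=%s,type=NodeSync,cell=myCell' % node
        return ''
    def invoke(self, mbean, operation):
        self.invoked.append((mbean, operation))
        return ''

# Constructed ObjectNames in the shape WebSphere uses; cell and node names are made up.
SAMPLE_AGM_MBEANS = [
    'WebSphere:name=AuthorizationGroupManager,process=dmgr,platform=common,node=dmgrNode,type=AuthorizationGroupManager,cell=myCell',
    'WebSphere:name=AuthorizationGroupManager,process=nodeagent,platform=common,node=node1,type=AuthorizationGroupManager,cell=myCell',
    'WebSphere:name=AuthorizationGroupManager,process=nodeagent,platform=common,node=node2,type=AuthorizationGroupManager,cell=myCell',
]

def demo(node_filter=None, sync_first=0):
    """Offline dry run against the stand-in; returns (refreshed, operations)."""
    fake = FakeAdminControl(SAMPLE_AGM_MBEANS, ['node1', 'node2'])
    refreshed = refresh_security_config(fake, node_filter, sync_first)
    return refreshed, fake.invoked

# Under wsadmin ("wsadmin -lang jython -f refresh_security.py", run after
# AdminConfig.save()) AdminControl is predefined, so the real cell is refreshed.
try:
    AdminControl
except NameError:
    print(demo(None, 1))
else:
    print(refresh_security_config(AdminControl, None, 1))
```

Run it from the deployment manager's wsadmin after AdminConfig.save(); with sync_first set it pushes the saved admin-authz change to each node agent before asking it to reload, which is the step the hand-written per-node refresh silently depends on.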
