There are several reasons why this error can occur. The solutions

advertisement

There are several reasons why this error can occur. The solutions below will show you how to check and resolve the most common causes.

How the authentication process works:

There are 3 types of authentication available to users in ITM.

TEPS Authentication

TEMS Operating system / Validate User Authentication

LDAP Authentication

With all 3 types of authentication, access to the Tivoli Enterprise Portal is controlled by user accounts that are defined in the portal server. The user ID must have an account created in the portal server to be able to gain access. These IDs control which user are authorized to log into the TEP, and also define the permission's for what each user can do. (what each user can see, access and modify)

TEPS Authentication

Tivoli Enterprise Portal Server authentication is solely managed by the user IDs defined in the TEP. If a user is listed has an ID in this repository, then that user can log into the TEP without any password, only the user ID is required.

You can check which IDs you have listed in the TEPS, by logging in to the TEP console with a valid user and selecting the user icon.

TEMS Operating system / Validate User Authentication

This type of authentication is user security that is enabled on the HUB TEMS (Tivoli Enterprise

Monitoring Server). This type of authentication requires a password as well as a user ID to log in to the

Tivoli Enterprise Portal.

Password authentication is controlled by the host of the HUB TEMS. When a user logs in to the Tivoli

Enterprise Portal, the Portal Server queries the HUB monitoring server to validate the account and sends the encrypted user ID and password. The HUB monitoring server validates the account by sending a request to the operating system to ensure the userid and password is correct. The Tivoli Enterprise Portal user ID's and associated passwords MUST be defined on the hub computer.

This is where the userid and password needs to be set on the HUB TEMS O/S for this authentication to work:

Operating system of the hub monitoring server

Method of Tivoli Enterprise Portal password authentication

Windows User operating system accounts

Linux and UNIX z/OS

Password files

RACF, CA-ACF2, CA-TOP SECRET, or Network Access

Method

You can check if you have this type of authentication active by reconfiguring the HUB TEMS component and checking the following settings on the first screen that appears. If the box next to "Security: Validate

User " is selected, then it is enabled.

User authentication using LDAP

When you enable security on the HUB monitoring server, you have the option of selecting validation using LDAP, instead of the local registry for user authentication. The users you have created in the TEP are then mapped to the LDAP repository usernames and passwords. For this authentication to function correctly, the username in the TEP must match a user in the LDAP repository. The passwords are then authenticated against the information on the LDAP server.

NOTE: LDAP is not supported for hub monitoring servers on z/OS.

You can check to determine if you have this type of authentication active by reconfiguring the HUB

TEMS component and checking the following settings on the first screen that appears. If the box next to

"Security: Validate User " and also LDAP are selected, then it is enabled.

Check list of what to look for to resolve your issue

1.

The User ID is defined in the ITM infrastructure

2.

Validate that the password is correct

3.

Character length of password with TEMS Operating system / Validate User Authentication

1. Ensure the user ID is defined in the ITM infrastructure

The user ID you enter must match the user ID on the portal server, If the user ID does not exist then the user will not be able to log in. You can check this in two ways:

1.

Log on to the portal server with a valid user ID and check the user that fails appears in the list. If it does not you will need to create it for access to be granted.

2.

You can also check what users exist by reviewing the contents of the TEPS database. This is a good method if no user ID can log in. All portal users are stored in a table called KFWUSER.

When you query the table, the column labled "ID" should match the user ID you are trying to log in with. If all users are missing including "sysadmin" then you may wish to investigate if any recent changes have occurred on the TEPS or it's database that could have caused the contents to be removed.

2. Check password is correct

The next step is to check that the password you are using is correct. The best way to test this quickly is to try and log in to the HUB TEMS host operating system, with the username and password you used when you attempted to log in to the TEP. If the username and password fails

to authenticate, then you can try to reset the password for that account from within the operating system where the HUB TEMS is located.

Example for windows 2008:

1. Open the Local user and Groups window.

These steps ensure that the password you are using is correct and the same one that is listed on the operating system account on the server where the HUB TEMS resides.

3. Check character length of password if using TEMS Operating system / Validate User

Authentication

If you are using TEMS Operating system / Validate User Authentication (as described above) then there is a 15 character password limit. Due to this restriction, the TEPS will only pass 15 characters of the password for validation when TEMS authentication is used. To rectify this issue you can update the password for the user to a maximum of 15 characters in one of the following locations at the HUB TEMS.

Operating system of the hub monitoring server

Method of Tivoli Enterprise Portal password authentication

Windows User operating system accounts

Linux and UNIX Password files z/OS RACF, CA-ACF2, CA-TOP SECRET, or Network Access

Method

Next steps:

If all the above still did not resolve the issue, you may need to enable traces on the TEPS server to diagnose this problem further.

The recommended trace level would be:

ERROR (UNIT:ctsql IN ER) (UNIT:ctdata IN ER) (UNIT:ctauth ALL)

This level of tracing will capture the SQL calls, the data calls and any information relating to the authorization that passes through the TEPS. This trace level will enable IBM Support to see any errors relating to the username and password failing as the request passes through the TEPS.

How to set the tracing:

Using the GUI From MTEMS (Manage Tivoli Enterprise Monitoring Services utility) :

1. Right click on Tivoli Enterprise Portal Server

2. Select Advanced -> Edit trace parms...

3. In the box labled "Enter RAS1 Filters:" enter the following without the "

"ERROR (UNIT:ctsql IN ER) (UNIT:ctdata IN ER) (UNIT:ctauth ALL)"

4. Select OK (to implement the change)

Editing the configuration file

1. Open following file :

Windows : <ITM_HOME>\CNPS\kfwenv

Unix : <ITM_HOME>/config/cq.ini

2. Edit to set the value for KBB_RAS1 as following and save it.

KBB_RAS1 = ERROR (UNIT:ctsql IN ER) (UNIT:ctdata IN ER) (UNIT:ctauth ALL)

(Caution : Make sure that the value of KBB_RAS1 is not enclosed in any - single or double - quotes).

If you wish to set the tracing dynamically so you don't need to restart the component then this technote will guide you through the steps:

Recreate the problem

Once the trace has been set, restart the TEPS, then attempt to login to the TEPS and reproduce the error.

Restarting the TEPS enables the new trace level.

Review the logs:

Then collect/review the last *_cq_* log files from the $CANDLEHOME/logs on the TEPS, as well as the ms.ini from the TEMS.

Download