Tuesday, August 30, 2011

Managed node fails to synchronize



Technote (troubleshooting)


Problem(Abstract)

The managed node fails to synchronize with the following errors.

Symptom

00002a04 NodeSync E ADMS0005E: The system is unable to generate synchronization request:
javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getRepositoryEpoch operation on ConfigRepository MBean because of insufficient or empty credentials.
.
.
00002a04 NodeSyncTask A ADMS0036E: The configuration synchronization failed.

00002a05 ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl initialize FFDC0009I: FFDC opened incident stream file
F:\IBM\WebSphere\AppServer\profiles\ctgAppSrv01\logs\ffdc\nodeagent_0000
2a05_09.09.20_22.01.17_0.txt

00002a05 ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl resetIncidentStream FFDC0010I: FFDC closed incident stream file
F:\IBM\WebSphere\AppServer\profiles\ctgAppSrv01\logs\ffdc\nodeagent_00002a05_09.09.20_22.01.17_0.txt

00002a06 NodeSync E ADMS0005E: The system is unable to generate synchronization request: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getRepositoryEpoch operation on ConfigRepository MBean because of insufficient or empty credentials.
.
.
00002a34 RoleBasedAuth E SECJ0306E: No received or invocation credential exist on the thread. The Role based authorization check will not have an accessId of the caller to check. The parameters are: access check method isNodeSynchronized on resource NodeSync and module NodeSync. The stack trace is java.lang.Exception:
Invocation and received credentials are both null at
com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess(RoleBasedAu thorizerImpl.java:287)

Cause

The error listed above usually indicate that the LTPA keys might have been automatically regenerated. However, those keys might not have pushed correctly to nodes and thus causing this problem.

Resolving the problem

To solve this problem try disabling automatic generation of Lightweight Third Party Authentication keys. In Administrative console, you can disable "Automatically generate key" as follows;
In Administrative console:
  1. SSL certificate and key management -> Key set groups ->Select Key set group name -> uncheck the box for "Automatically generate keys"

    Clear the Automatically generate keys option.
  2. From the Key set groups -> check key set Group name and hit Generated Keys tab.
  3. Click OK and Save to save the changes to the master configuration.
  4. Stop the dmgr
  5. On dmgr side delete the contents under wstemp, temp and config/temp folder from <profile_root>
  6. Start the dmgr
  7. Stop the Node/Server using stopNode/stopServer commands from the <profile_root>/bin of AppServer
  8. Manually synchronize the node by running syncNode.sh from <profile_root>/bin, since security is enabled then please run following command

    syncNode.sh <DMgr_hostName> <SOAP_PORT_of_DMGR> -username <username> -password <password>
  9. Start the node and server.
  10. Logon to Dmgr Administrative console and check the Node/Server availability.

It's recommended that users of IBM WebSphere Application Server upgrading to the latest Fix Pack since we have some known issues related LTPA which have fixed in the later Fix Packs.

For additional information, please open this link: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/twsu_jaxr_sec.html

Refer to the following URL to obtain the latest Fix Pack:
http://www.ibm.com/support/docview.wss?uid=swg27004980#ver61

No comments:

Post a Comment