WebExpress Logondependsonanumber ofindependentprocessesworking together tofunctionproperly.Someofthese processesrunontheHostOn-Demand client whileothersrunonotherhostsystems.Whenoneormoreofthese
processesbreakdown,youmustbe abletodeterminewhichprocessiscausingthe probleminordertoresolve itappropriately.Thisportionof thedocumentis devoted tothatpurpose.
IfyouhaveproblemswithWebExpress Logon,analyzethetypeofresultsyou receiveandanyaccompanyinginformationalmessages.Someofthese
informationalmessages areincludedaspartof theHostOn-Demandclientbyway of aninteractivepanel,and/or theymaybepartof aserver-basedlog.
AssumingthatWebExpress Logonisnotfunctioningproperly(thatis,youarenot logged inahostemulation session),askyourselfthefollowingquestions:
1. DidtheHostOn-Demandclientdisplayanerrormessagepanel?
v Ifyes,skipto“WebExpress Logonclient-sidemessages”onpage104.
v Ifno,verifythefollowingonyoursessionconfigurationpanel:
– HaveyouenabledExpress Logonforthesessionthatyouarecurrently running?Todo this,highlightyour sessionandselectPropertiesunderthe Configuredrop-downmenu intheDeploymentWizard.Ontheleftsideof thewindow,selectExpressLogonunderConnectionandclickYesto enableExpress Logon.
– Isthis a5250sessionand youare usinga Kerberospassticket for authentication?Ifso,youwillneed tomakesureyouselectYesforthe UseKerberosPassticketoptionontheExpresslogonwindowof session properties.
2. Are youusingmacro-basedautomation?Ifso, verifythefollowingitems:
v Whencreatingthemacro,verifythatyouselectedWebExpress Logon(not Certificate ExpressLogon)ontheRecordmacrowindow.
v Ifyouareexpectingthemacrotorunwhen thesession isstarted,verifythat youhaveselectedAuto-Startmacroinyoursession configuration.
3. Didyour automationmacrorunbutnotprovidetheappropriatecredentialsto logintheuser?ThismeansthatyouhaveproperlyaccessedtheCredential MapperWebapplication,butsomethingisnotfunctioningproperlywithinthat environment.Youshouldenableserver-sideloggingandattemptanother credentialautomationevent.Thenlookinthelogthatiscreatedand referto
“WebExpressLogonserver-sidemessages”onpage107.
4. Are youusingIBMWebSphereApplicationServerand haveJava 2security enabled?Ifso,pleasechecktomakesure thatthefollowingpermissionsare grantedinthewas.policyfile,whichislocatedintheMETA-INFdirectory.
permission java.io.FilePermission″<<ALLFILES>>″,″write″;
Youcanchange<<ALLFILES>>towhicheverdirectory youspecifedin theCMPI_TRACE_LOG_FILEparameterintheweb.xmlfile.
permission java.lang.RuntimePermission
″accessClassInPackage.sun.jdbc.odbc″;
ThisappliestotheJDBCdatabase HostCredentialMapper(HCM).
5. Are usersbeingpromptedfortheirnetworkIDstwice?WhenusingJVMV1.4 andlater, usersmaybepromptedfortheirnetworkcredentialstwotimes.
Althoughthisisaknown issue,currentlynoworkaroundexists.Thisdouble authentication issuedoesnotoccur whenusingJVMV1.3.x.
Web Express Logon client-side messages
Whenanunexpectedproblemoccursduring theWebExpressLogonprocess,the HostOn-Demandclientprovidesinformationabouttheproblemtotheuser by displaying apanelwithan informationalmessage.Eachofthesemessages contain an errorcode thatyoucanuseasa uniqueidentifierfortheproblemthatis occurring. Thefollowingisa listofallWebExpress LogonmessagesfortheHost On-Demandclient.
WELM001: Messagekeynotfound: status=value
Thismessageshouldonlybe seenintheeventofanerrorfoundina custom plug-in.Ifyouhavecustomized theWebExpressLogoncredential mapperframework,youcancreateuserdefinederrorcodes.IftheWeb Express Logoncredentialmapperreturnssuchacode,thismessagewillbe displayed.
WELM002: NosuitableHost credentialplug-infound
Thismessageisdisplayedwhenthereisnoappropriatecredentialplug-in foundtohandletheHostOn-Demandclient’scredentialrequest. Verify thatyour WebExpressLogoncredentialmapperapplicationisproperly configuredto handletheHostOn-Demandclient’ssessiontype.
WELM003: InvalidnetworkuserID
TheWebExpress Logoncredentialmappercannotacquiretheuser’s networkID.Thiscanbecausedbyimpropersettingsinthenetwork securityplug-insectionoftheCMSconfiguration. Ifthelocaloperating system identificationisbeingusedtoidentifytheuser,makesurethis option isselectedintheExpressLogonsectionoftheSession
Configurationpanel.
WELM004: InvalidApplicationID
ThismessageindicatesthelackofavalidApplicationID.Youspecifythe ApplicationIDwhenyoucreatetheWebExpressLogonmacro.Whenyou createthemacro,besure thatyouenterthepropervalue forthe
ApplicationID.
WELM005: Invalidserveraddress
Thismessageindicatesthelackofavalidserveraddress.Theserver address isspecifiedastheDestinationAddressontheSession Configurationpanel.For somecredentialplug-ins,thisisa required parameter.
WELM006: Couldnot connecttodatabase
Thisproblemcanbegeneratedbyan improperlyconfigureddatabaselink.
Pleaseverifythatthedatabaseisproperlyconfiguredinyour CMS configuration. Iftheconfigurationinformationlooks correct,youshould independentlyverifythedatabase’savailabilityandrunningstatus.The database’sconfigurationandmanagementtoolsare agoodplaceto perform thistest.
WELM007: AmatchinguserID notfoundindatabase
Thecredentialplug-inisnotabletofind amatchfortheuser’shostID, giventhesearchcriteria.Verifythattheuser’shostIDisspecified inthe database orotherstorage mediumusedbythecredentialplug-in. In
addition,youmaywanttoenableserver-sideloggingandverifythatthe parametersbeingsenttotheCMSarecorrect.
WELM008: TheCredential MapperServletreportedanexceptionwhile processing acredentialrequest. Pleaseseetheserverlogfordetails.
Thisgeneralizedmessageisaresult ofanexceptionoccurringontheCMS.
Pleasefollowtheinstructionsforenabling server-sideloggingformore informationaboutthecauseof thisproblem.
WELM009: InvalidUserID
Acredentialplug-indoesnothaveavaliduser’shostID.For some plug-ins,thehostIDisusedtoobtainatemporarypassticket credentialto accessthehost.If thevalue usedisnotappropriate,thismessageis generated.Youmaywanttoverifytheuser’shostIDisspecifiedin the database orotherstorage mediumusedbythecredentialplug-in. In addition,youmaywanttoenableserver-sideloggingandverifythatthe parametersbeingsenttotheCMSarecorrect.
WELM010: Passticketcouldnot beobtained
Thismessageisdisplayedwhenacredentialplug-inreceivesanerror during thepassticket creationprocess.Typically,theactualcreationofthe passticket occursina processoutsideofthecredentialplug-in.Ifthat external processreturnsanerror,this messagedisplays.Youshouldenable server-sideloggingandperformthecredentialrequestagain.Usingthe informationinthelogalongwiththemessagesfoundinthis sectionofthe documentshouldprovideabetter understandingoftheproblem.
WELM011:Credential/Passticketrequesttimedout
Thismessageistheresult ofapending requesttimingoutbefore itcould be resolved.Thiscould happenwhentheHostOn-Demandclientis making arequestoftheCredentialMapperServer,oritcould bethe credentialplug-inmakingarequestofanexternal entity.Ineithercase,if thedefaulttimeelapsesbeforetherequestisfulfilled,this messageis generated.Torectifytheproblem,verifythattheaddressesbeingusedare correct.FortheHostOn-Demandclient,theCredentialMapperserveris specifiedastheCredentialMapperServer addressintheExpressLogon propertieswindowoftheSessionConfigurationpanel.Ifthecredential plug-inisgeneratingthisproblem,verifythatthecredentialplug-inis properlyconfiguredinyourCMSconfiguration.
WELM012: Unexpectedreturn codereceived fromDCAS
Thiserroriscreatedwhen acredentialplug-inreceivesanunexpected return valueofanexternal application.Youshouldenableserver-side loggingandperform thecredentialrequestagain.Using theinformationin thelogalongwiththemessagesfoundinthis sectionofthedocument shouldprovideabetter understandingoftheproblem.
WELM013: APInot supported.Contact thesystem administratorforserverlog.
Thismessageinformstheuser thatanunsupportedrequesthasbeen made ofthecredentialplug-inselectedbythecredentialmappingapplication.
Youshouldenableserver-sideloggingand performthecredentialrequest again.Using theinformationinthelogalongwiththemessages foundin this sectionofthedocumentshouldprovidea betterunderstandingofthe problem.
WELM014: AmalformedURLwasspecifiedfortheCredentialMapperServer Address
Theaddress usedfortheCredentialMapperserverisnotavalidURL
address.TheCredentialMapperserverisspecifiedastheCredential MapperserveraddressintheExpressLogonpropertiesoftheSession Configurationpanel.
WELM015: UnabletoparseCredentialMapperresponse
TheresponsegeneratedbytheCredentialMapperserverapplication contains aresponsethatisimproperlyformatted.Thismayhappen whena custom CredentialMapperserverapplicationisusedinplaceofthedefault HostOn-DemandCredentialMapperserverapplication.Referto
Chapter9,“CustomizingWebExpressLogon,”onpage91formore informationabouttheCMSresponseformat.
WELM016: LocaluserID notavailable
Thismessageisgeneratedwhentheoperatingsystem onwhichtheHost On-DemandclientisrunningdoesnotsupporttheUseLocalOperating SystemIDoptionfornetworksecurityidentification.Refertothe Chapter2,“Introduction,”onpage7formore informationaboutwhich operatingsystemsandversions aresupportedbythisoption.
WELM017: CredentialMapperresponsecontaineda duplicateuserid,password, or statustag
ThisproblemiscausedwhentheresponsegeneratedbytheCredential Mapperserverapplicationcontains duplicateresponsevalues.Thismay happenwhena customCredentialMapperserverapplication isusedin placeofthedefaultHostOn-DemandCredentialMapperserver
application.Refer toChapter9,“CustomizingWebExpress Logon,”on page91formoreinformationabouttheCMSresponseformat.
WELM018: Anexceptionoccurredwhileprocessingthecredentialrequest: some exception
ThismessageisdisplayedwhenanexceptionoccursintheHost
On-Demandclientduring theWebExpress Logonprocess.Iftheexception isanIOException, theproblemmaybe theCredentialMapperserver address specifiedintheExpressLogonpropertiespanelinthesession configuration. Iftheaddressseemscorrect,validatethattheCMSserveris available.TypingtheCredentialMapperaddressspecifiedinthesession configurationintotheaddressentryfieldofyour browserallowsyouto test accesstotheCMSservereasily.Theresultsshouldbe anXML documentsimilartotheonedescribedearlier inthisdocument.
WELM020: PortaluserIDnotavailable
ThismessageisgeneratedwhenthePortalIDcannotbe retrieved.The HTMLpagemaynotbe configuredasaHostOn-Demandportlet.
WELM021: AmatchinguserID notfoundinPortalVault
Thematching user’shostcredentialsarenotfoundinthePortalVault.Be sure thatthePortalVaultparametersareconfiguredwhentheHTMLpage isgenerated.
WELM050: WebExpress LogonCredentialMapperServerAddressnotspecified WebExpress LogonisusedtoautomatetheHostOn-Demand
configurationserverloginprocess,buttheCredentialMapperserver address isnotspecified.Verifythatyouhavespecifiedthepropervaluefor theCredentialMapperserveraddressin theDeploymentWizard.
WELM051: Username returnedfromWeb ExpressLogonisnota knownHost On-Demanduser
WebExpress LogonisusedtoautomatetheHostOn-Demand
configurationserverloginprocessand theuser nameprovidedbyWeb Express LogonisnotavalidHostOn-Demanduser. Verifythattheuseris
listed intheHostOn-DemandconfigurationbyaccessingtheHost On-DemandAdministrativeConsole. Inaddition,view theserver-sidelog toverify thattheuser nameisbeingretrievedproperly.
WELM052: Invalidpasswordreturnedfrom WebExpressLogon WebExpress LogonisusedtoautomatetheHostOn-Demand
configurationserverloginprocess,andthepasswordprovidedbyWeb Express Logonisnotavalid.Verifythattheuser islistedin theHost On-DemandconfigurationbyaccessingtheHostOn-Demand
AdministrativeConsole.Inaddition,view theserver-sidelogtoverifythat theusernameisbeingretrievedproperly.
WELM053: ThissessionisnotenabledforWeb ExpressLogon
AWebExpressLogonmacroisexecuted,and thesessiononwhichitis runninghasnotbeenconfigured touseWebExpress Logon.WebExpress LogoncanbeconfiguredviatheHostOn-Demandsessionconfiguration panel.
Web Express Logon server-side messages
Thefollowingare theprimary server-sidemessages:
CMPIE001:Credential MapperPlug-ininitializationfailedfor:
YourCredentialMapperName
ThiserroroccurswhentheCredentialMapperplug-incorrespondingto YourCredentialMapperNamefailstoinitializesuccessfully.Possiblecausesof this errorinclude thefollowing:
v Yourweb.xmlspecifiesan invalidormissingvalue foraparameterthat isrequiredbythespecifiedplug-in.
v Todeterminewhichparameter(s)iscausingtheproblem,turnontracing for theplug-inandlookinthelogforerrorCMPIE008.
v Youare usingtheDCASorVaultplug-ins,andanerroroccurswhen attemptingtoconnecttothecredentialsdatabase.Turnontracing forthe plug-intoobtainmorediagnostic information(databasedrivermissing, SQLexception,etc).
v Youare usinga customplug-in, andyourInit()methodisreturninga value otherthan0onsuccess.RefertotheChapter9,“CustomizingWeb Express Logon,”onpage91formore informationaboutwritingyour own credentialmapperplug-in.
v Youare usingDCAS, andtheSSLkeydatabasefileorpasswordisnot specified inweb.xml.
CMPIE003:NoCMconfigurationcanbefoundfortheCMidentifiedbythe CredentialMapperNamename.
Thiserroroccursasa resultofa missingelementinyourweb.xmlfile.If youprovideavalue fortheCMPICredentialMappers parameterthatisnot also aparameteritselfelsewhere intheweb.xml,youwillgetthis error.
For example,isyouhavethefollowingdefinitioninyourweb.xml,
<init-param>
<param-name>CMPICredentialMappers</param-name>
<param-value>vault</param-value>
</init-param>
youwouldalsoneedsomethinglike this,
<init-param>
<param-name>vault</param-name>
<param-value>com.ibm.eNetwork.security.sso.cms.CMPIVault,
AuthType_3270Host,*</param-value>
</init-param>
oryouwouldgettheerrorabove.
CMPIE004: NoCredential Mappershave beenspecified.
Thiserroroccurswhenyour web.xmldoesnotdefinethe
CMPICredentialMappers parameter.Besuretoincludethefollowingin your web.xml:
<init-param>
<param-name>CMPICredentialMappers</param-name>
<param-value>YourCredentialMapperName(s)</param-value>
</init-param>
CMPIE005: NoCredential MapperfoundforAuthtype:AuthTypeValue WhenyoudefineaCredentialMapperinyourweb.xml,youspecifythe type ofAuthenticationtowhichtheplug-inapplies. Forexample,ifyou had anentrysuchasthefollowing,
<init-param>
<param-name>vault</param-name>
<param-value>com.ibm.eNetwork.security.sso.cms.CMPIVault,
AuthType_3270Host,*</param-value>
</init-param>
this wouldshowthatthevaultCredentialMapperisonlyintendedtobe usedwith3270hostsessions.Ifthiswere theonlyCredentialMapper definedinyourweb.xmland youtried toperforma logontoa 5250 session, youwouldreceivethiserrorwithAuthTypeValueequalto AuthType_5250Host.Besurethatyour web.xmlhasa CredentialMapper definedthatisappropriateforyourauthentication type.
CMPIE007: NoauthenticationtypespecifiedforCMobject:
YourCredentialMapperName
WhenyoudefineaCredentialMapperinyourweb.xml,youmust specify thefullclasspathname,theauthenticationtype, andthehostmask.Ifyou do notspecifyanauthentication type,orifyouspecifyaninvalid
authentication type(suchasAuthType_Fred),youwillget thiserror.For a listofvalidauthentication types,refertoTable6onpage77.
CMPIE008: Invalidvalue forparameter:ParameterName
Thiserroroccurswhena parameterthatisrequiredbytheplug-inhasan invalidvalue orhasnotbeenspecified.Provideanappropriatevalue in theweb.xmlfortheparameterParameterName.
CMPIE010: ExceptionandHostUserIDnotfoundforNetworkID:NetIDValue.
An exceptionoccurred beforethehostuserIDcorrespondingto NetIDValuecouldbe found.Apossiblecauseoftheexceptionisa mismatchbetweenthecolumnnamesinthedatasourceandthecolumn namesspecifiedintheweb.xml.Anotherpossibilityisanerrorinthe formattingofthetablename([tableName$]forExcel,simplytableName forDB2).Doublecheckyour web.xmlforerrorsandrefertotheexception traceintheserverlogfordebugginginformation.
CMPIE011:HostUserIDnot foundforNetworkID:NetIDValue.
Thiserroroccurswhenthereisnoentryfoundinthedatabase for NetIDValue. Checkyourdatabase andverifythatthereisan entryfor NetIDValue. Makesurethatthehostaddressandapplication IDfoundin
theserverlogforthisquerymatchthehostaddressandapplication ID specifiedforthis NetIDinthedatabase.
CMPIE012:SQLException:Value.
Thiserroroccurswhenattemptingtoopenorclosea connectiontothe database.Makesure thatthedatabaseisavailable andcorrectlyspecified intheweb.xmlfile.
CMPIE013:Exception: Value.
An exceptionoccurred intheplug-incode.
DCAS error messages
Thefollowingare theprimary DCASerrormessages:
DCASE001: CannotimporttheCAcertificatescontainedinKeyringDatabase.
An SSLruntimeexceptionoccurredwhileloadingtheCAcertificatesfrom theKeyringDatabase.Thefilemaybecorrupted. Pleaseseetheadditional logged messagesfordetails.Youmayhavetosetthe
CMPI_DCAS_TRACE_LEVELparameterinweb.xmlto3toseethe
CMPI_DCAS_TRACE_LEVELparameterinweb.xmlto3toseethe