Solaris WBEM Developer's Guide

Troubleshooting Problems With WBEM Security

This section describes what to do in the following situations:

If a Client (User) Cannot Be Authenticated by the CIMOM on the WBEM Server

If a client cannot be successfully authenticated by the CIMOM on the WBEM server, the WBEM server returns a CIM security exception. This exception is returned when the server attempts to establish the CIM client handle in the client application. The exception contains an error code that indicates why the authentication attempt failed.

If the WBEM server cannot verify the user identity and credential and the user's identity is invalid, the WBEM server returns a CIM security exception. This exception includes the NO_SUCH_PRINCIPAL error. If the WBEM server cannot verify the user's identity and credential and the user's password is invalid for that user's identity, the WBEM server returns a CIM security exception. This exception includes the INVALID_CREDENTIAL error.

If the WBEM server cannot verify the Solaris OS role identity, the WBEM server returns a CIM security exception that includes the NO_SUCH_ROLE error.

If the role password is invalid for the specified role identity, the WBEM server returns the INVALID_CREDENTIAL error in the CIM security exception.

If both the role identity and role password are valid but the user is not allowed to assume the role, the WBEM server returns the CANNOT_ASSUME_ROLE error in the CIM security exception.

These CIM security exceptions are described in more detail in the following table.

Error: NO_SUCH_PRINCIPAL

Probable Cause:

Specified user identity was not valid in the Solaris OS on the WBEM server.

The user account for that user identity has no password.

The user account for that user identity is locked.

Solution:

Check that the user has a valid user identity. In other words, ensure that the user can log in to the Solaris OS on the WBEM server machine. You might also need to check the name service tables. This check is to determine whether the Solaris WBEM server might be using user identities from a name service configured on the server.

Error: INVALID_CREDENTIAL

Probable Cause:

Password for the specified user, or assumed role, is not valid for that user in the Solaris OS on the WBEM server.

Solution:

Check that the user's password is correct.

Error: NO_SUCH_ROLE

Probable Cause:

Role identity that is used for authentication to the WBEM server is not a valid RBAC role in the Solaris OS on that server.

Solution:

The role identity might be valid in the passwd table on the server, but you cannot log into the server using that identity. The Solaris software does not allow you to log in directly to role identities. You must check the passwd table for the role identity, and check the user_attr table to ensure that the role is defined as type user. Role identities in the user_attr table contain an attribute in the syntax type=role.

You can also check for a valid user or valid role identity by using the Solaris Management Console User tool. You can use User Management to check for a user, and you can use Role Management to check for a role. However, when using the User tool, you must know the correct source of the tables on the CIMOM server. In other words, if the CIMOM server is using a name service such as NIS, you must access the master server for that name service.

Error: CANNOT_ASSUME_ROLE

Probable Cause:

Role identity is valid, but the specified user identity in the authentication exchange is not configured to assume that role.

Solution:

Assign users to roles by using the Administrative Role tool in the Solaris Management Console User tool collection, which is described in How to Change the Properties of a Role in System Administration Guide: Security Services.
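
The passwd and user_attr checks described for these errors can be scripted. The following is an added example, not part of the original guide or the Solaris software: it reads local passwd-format and user_attr-format files and reports which identity error a user and role pair would be expected to produce. It assumes the files are the server's source of identities (no name service), relies on the roles= key of the user_attr format for role assignment, and does not check passwords or account locks. The function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict the identity-related CIM security error for a
# user/role pair from local passwd and user_attr files (no name service).

# attr_of FILE NAME KEY -> print the value of KEY in NAME's user_attr entry
attr_of() {
    awk -F: -v n="$2" -v k="$3" '
        $1 == n {
            m = split($5, kv, ";")          # field 5 holds key=value;key=value
            for (i = 1; i <= m; i++) {
                p = index(kv[i], "=")
                if (p && substr(kv[i], 1, p - 1) == k) { print substr(kv[i], p + 1); exit }
            }
        }' "$1"
}

# in_passwd FILE NAME -> exit status 0 if NAME has a passwd entry
in_passwd() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# wbem_triage PASSWD USER_ATTR USER [ROLE] -> print the expected error, or OK
wbem_triage() {
    passwd=$1 uattr=$2 user=$3 role=$4
    in_passwd "$passwd" "$user" || { echo NO_SUCH_PRINCIPAL; return; }
    [ -z "$role" ] && { echo OK; return; }
    in_passwd "$passwd" "$role" || { echo NO_SUCH_ROLE; return; }
    [ "$(attr_of "$uattr" "$role" type)" = role ] || { echo NO_SUCH_ROLE; return; }
    case ",$(attr_of "$uattr" "$user" roles)," in
        *",$role,"*) echo OK ;;                 # identity checks pass
        *) echo CANNOT_ASSUME_ROLE ;;           # role not in the user's roles= list
    esac
}

# Constructed sample tables (not taken from a real system).
make_sample() {
    cat > "$1/passwd" <<'EOF'
alice:x:101:10::/home/alice:/bin/sh
bob:x:102:10::/home/bob:/bin/sh
sysadm:x:201:10::/home/sysadm:/bin/pfsh
oper:x:202:10::/home/oper:/bin/pfsh
EOF
    cat > "$1/user_attr" <<'EOF'
alice::::type=normal;roles=sysadm
bob::::type=normal
sysadm::::type=role;profiles=System Administrator
EOF
}
# On a server: wbem_triage /etc/passwd /etc/user_attr alice sysadm
```

A result of OK means only that the identity and role-assignment checks passed; INVALID_CREDENTIAL and the no-password and locked-account causes of NO_SUCH_PRINCIPAL still have to be checked separately.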

If Other CIM Security Exceptions Appear

The WBEM server can return other error indications in the CIM security exception. However, these indications typically identify a system failure in the authentication exchange. The WBEM client configuration might not be compatible with the WBEM server configuration for the security options in the authentication exchange.

If these error indications occur, check the client application CLASSPATH setting to ensure that sunwbem.jar and the extension directory are in the CLASSPATH.

If an Authorization Check Fails

If a client is not authorized to access or modify the data associated with a request to the WBEM server, that server returns a CIM security exception. This exception includes the ACCESS_DENIED error.

The ACCESS_DENIED error indicates that a request could not be completed because the user or role does not have access to the data managed by that request.

Check the security messages in the WBEM log for the failed request. For information about viewing log data, see Viewing Log Data Through Log Viewer. Authorization failure messages in the WBEM log specify Access denied in the Summary column. The User column lists the name of the authenticated user or the role name that was used in the check. The Source column lists the name of the provider that is making the check. Note that the provider name that is listed in this column is not the class of the provider implementation, but a user-friendly provider name.

The detailed message contains the name of the permission that was being checked, and that permission has not been granted to the user or role.

If the permission appears as namespace:right, the authorization check was using a name space ACL. The authenticated user has not been granted that permission (read or write) for that name space.

Use Sun WBEM User Manager (wbemadmin) to grant the user the appropriate permission. Sun WBEM User Manager is described in Using Sun WBEM User Manager to Set Access Control.

If the permission appears as solaris.application.right, the authorization check was using an RBAC authorization.

Use the Administrative Role tool in the Solaris Management Console User tool collection to grant the rights that you want to the user or role. This procedure is described in How to Change the Properties of a Role in System Administration Guide: Security Services.