The problem occurs when spaces are used in the common name (cn) in specific scenarios. The following conditions can cause the problem:
When either of the following agents are used:
Agent for IBM WebSphere Application Server 5.1.1
Agent for IBM WebSphere Application Server 6.0
When either of the following agentadmin options are used:
agentadmin --setGroup
agentadmin --removeGroup
When Access Manager 6.3 is used, since the problem occurs when the group name includes cn, which is specific to Access Manager 6.3.
The following agentadmin command illustrates the problem. Notice that the cn contains spaces: was admin role. The spaces before and after the string admin are not allowed:
/agentadmin --setGroup administrator "cn=was admin role,dc=example,dc=com" /opt/WebSphere/AppServer/config/cells/
Workaround: Use a text editor of your choice to directly map the groups in the admin-authz.xml file.