PI97871: CANNOT CHANGE ADMINISTRATIVE USER IN FEDERATED REPOSITORIES

9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21

APAR status

• Closed as program error.

Error description

• When the Federated Repositories input property for user
  security name is an identifier property (uniqueName, uniqueId,
  externalName, externalId) changing the administrative user
  fails because the search filter generated is invalid for VMM
  

Local fix

• n/a
  

Problem summary

• ****************************************************************
  * USERS AFFECTED:  IBM WebSphere Application Server users of   *
  *                  federated repositories                      *
  ****************************************************************
  * PROBLEM DESCRIPTION: Cannot change administrative user in    *
  *                      federated repositories                  *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  If the "userSecurityName" "Property for Input" in the "User
  repository attribute mapping" for Federated Repositories is
  "uniqueName", "uniqueId", "externalName", or "externalId", when
  trying to update the Federated Repositories "Primary
  administrative user name" the server will fail to validate
  that the user exists.
  The server will query for a password to create the
  (supposedly) missing user.
  Upon applying the password, the console will display the
  following error on the Federated Repositories panel:
  "ErrorThe Primary administrative user name does not exist in
  the user repository."
  This again occurs because it cannot validate that the user
  exists.
  If WIM trace is enabled, the problem can be diagnosed if an
  error similar to the following is seen in the trace files:
  [5/11/18 15:58:16:301 CDT] 0000006c FileXPathHelp 1
  com.ibm.ws.wim.adapter.file.was.FileXPathHelper
  evaluateXPathNode(propertyNode) Exception occurred:
  java.lang.IllegalArgumentException: Class 'PersonAccount' does
  not have a feature named 'uniqueName'
  at
  org.eclipse.emf.ecore.sdo.util.SDOUtil$Accessor.setFeatureName(S
  DOUtil.java:893)
  at
  org.eclipse.emf.ecore.sdo.util.SDOUtil$Accessor.process(SDOUtil.
  java:1079)
  at
  org.eclipse.emf.ecore.sdo.util.SDOUtil$Accessor.init(SDOUtil.jav
  a:760)
  at
  org.eclipse.emf.ecore.sdo.util.SDOUtil$Accessor.create(SDOUtil.j
  ava:680)
  at
  org.eclipse.emf.ecore.sdo.util.SDOUtil.isSet(SDOUtil.java:239)
  at
  org.eclipse.emf.ecore.sdo.impl.DynamicEDataObjectImpl.isSet(Dyna
  micEDataObjectImpl.java:126)
  at
  com.ibm.ws.wim.adapter.file.was.FileXPathHelper.evaluateXPathNod
  e(FileXPathHelper.java:335)
  at
  com.ibm.ws.wim.adapter.file.was.FileXPathHelper.evaluateXPathNod
  e(FileXPathHelper.java:273)
  at
  com.ibm.ws.wim.adapter.file.was.FileXPathHelper.evaluate(FileXPa
  thHelper.java:261)
  at
  com.ibm.ws.wim.adapter.file.was.FileData.search(FileData.java:82
  0)
  at
  com.ibm.ws.wim.adapter.file.was.FileAdapter.search(FileAdapter.j
  ava:2156)
  at
  com.ibm.ws.wim.SPIServiceProvider.searchRepository(SPIServicePro
  vider.java:670)
  at
  com.ibm.ws.wim.SPIServiceProvider.search(SPIServiceProvider.java
  :608)
  at
  com.ibm.ws.wim.registry.util.UserRegistryValidator.getUsers(User
  RegistryValidator.java:310)
  at
  com.ibm.ws.security.admintask.ValidateAdminName.afterStepsExecut
  ed(ValidateAdminName.java:534)
  at
  com.ibm.websphere.management.cmdframework.provider.AbstractTaskC
  ommand.executeReal(AbstractTaskCommand.java:855)
  at
  com.ibm.websphere.management.cmdframework.provider.AbstractTaskC
  ommand.execute(AbstractTaskCommand.java:807)
  at
  com.ibm.ws.console.security.Registry.UserRegistryDetailActionGen
  .validateAdminId(UserRegistryDetailActionGen.java:580)
  at
  com.ibm.ws.console.security.Registry.UserRegistryDetailActionGen
  .processAdminId(UserRegistryDetailActionGen.java:558)
  at
  com.ibm.ws.console.security.IdMgrRealm.AdminUserPasswordDetailAc
  tion.execute(AdminUserPasswordDetailAction.java:186)
  ...
  

Problem conclusion

• The search was updated to default to principalName when a
  identifier property is used as the user security name input
  property.
  
  The fix for this APAR is currently targeted for inclusion in
  fix packs 8.5.5.16 and 9.0.5.1.  Please refer to the
  Recommended Updates page for delivery information:
  http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  WEBS APP SERV N

• Fixed component ID

  5724H8800

Applicable component levels

• R850 PSY

     UP

• R900 PSY

     UP