Error running script Ustoreservice.sh - Failed to authenticate user. / Error: Failed to fetch data. HTTP Status: 401

Article ID: 420160

Products

CA Identity Suite

Issue/Introduction

When executing the procedure "Strong Encryption for the Password History Data", we get the following error:

 

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-5/Release-Notes/hotfixes.html#concept.dita_1e6263cf-46f7-490c-8be8-dc4cd067c005_pass_history


./Ustoreservice.sh scan all
Please enter the password of the user imadmin

Please wait... Analysing Userstore data.
Error: Failed to fetch data. HTTP Status: 401
------------- Finished executing the command-------------


$ curl -v -k -X GET -H ENV_NAME:<environment name> --anyauth -u <username>:******** -s -w '%{http_code}' -o response.json https://<imserverURL>/iam/im/ws/ustore/analyse/scan/all/5 && cat response.json && echo
* About to connect() to <IM server IP> port 8443 (#0)
*   Trying <IM server IP>...
* Connected to <IM server IP> (<IM server IP>) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using <cipher>
* Server certificate:
*       subject: <Certificate subject>
*       start date: 
*       expire date: 
*       common name: <common name>
*       issuer: <issuer CN>
> GET /iam/im/ws/ustore/analyse/scan/all/5 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <IM server IP>:8443
> Accept: */*
> ENV_NAME:<environment name>
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< Set-Cookie: <cookie>
< Content-Length: 139
< Content-Type: text/plain
< Date: 
<
{ [data not shown]
* Connection #0 to host <IM server IP>  left intact
200FAILED. Failed to authenticate user. Provide valid credentials in the Ustoreservice.(sh/.bat) Authorization header not found in the request

Environment

Identity Manager 14.4 and 14.5

Cause

This happens if Security is enabled on JBoss/WildFly, WebLogic or WebSphere.

Resolution

 This issue can be mitigated via one of the following workarounds:
 
 1. Add a JBoss/WildFly/WebSphere/WebLogic Application User. The name and password of this user must be identical to the name and password of the Identity Manager Environment 'User', for example imadmin/superadmin. The passwords of both users need to match because the user is also authenticated at the application server level.
 
 2. Move from the BASIC to the FORM auth-method in the web.xml file located in "iam_im.ear\user_console.war\WEB-INF". In this case, also add a JBoss/WildFly/WebSphere/WebLogic Application User; the name and password of this user need not be the same as those of the Identity Manager Environment 'User'. This also requires placing the HTML pages for the login and error pages under the ear location, i.e. "iam_im.ear\user_console.war".
 
 From:
 <login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>IAM Realm</realm-name>
 </login-config>
 
 To:
 <login-config>
 <auth-method>FORM</auth-method>
 <form-login-config>
 <form-login-page>/wf_login.html</form-login-page>
 <form-error-page>/wf_login_error.html</form-error-page>
 </form-login-config>
 </login-config>
 
 The above change to FORM should also include the relevant pages for login and error whose content is listed below. These are needed to access the "logging.jsp".  
 
 Content of wf_login.html file:
 <html>
 <head>
 <title>Login Page</title>
 </head>
 <body>
 <br><br>
 <form action="j_security_check" method="post">
 <p><strong>User Name: </strong>
 <input type="text" name="j_username" size="25">
 <p><p><strong>Password: </strong>
 <input type="password" size="15" name="j_password">
 <p><p>
 <input type="submit" value="Submit">
 <input type="reset" value="Reset">
 </form>
 </body>
 </html>


 Content of wf_login_error.html file:
 <html>
 <head>
 <title>Login Error Page</title>
 </head>
 <body>
 <br><br>
 Login Failed.
 </body>
 </html>
 
 For more information on this topic, refer to the documentation for "Enabling Security on JBoss/WildFly" as well as "Defining a Role and Authorized User for the Logging Admin Tool" at https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/configuring/Logging-and-Task-Tracking/Identity-Manager-Server-Logging.html
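
 A check for workaround 2, added here as an example and not part of the vendor's tooling: it reads the active auth-method from WEB-INF/web.xml in an exploded user_console.war directory and confirms that the login and error pages named in form-login-config exist at the war root. The function names and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code). Function names and exit codes are assumptions.

# Flatten web.xml to one line and drop <!-- ... --> comments, so a
# commented-out <login-config> block is not mistaken for the active one.
flatten_xml() {
    tr -d '\r\n' < "$1" | awk '{
        s = $0
        while ((i = index(s, "<!--")) > 0) {
            rest = substr(s, i + 4); j = index(rest, "-->")
            if (j == 0) { s = substr(s, 1, i - 1); break }
            s = substr(s, 1, i - 1) substr(rest, j + 3)
        }
        print s
    }'
}

# Text of element <$1> in flattened document $2 (the last one if repeated).
xml_value() {
    printf '%s\n' "$2" |
        sed -n "s:.*<$1>[[:space:]]*\([^<]*\)</$1>.*:\1:p" |
        sed 's/[[:space:]]*$//'
}

# $1 = exploded user_console.war directory.
# Returns 0 = FORM and both pages exist, 1 = still BASIC,
# 2 = FORM but a referenced page is missing, 3 = web.xml unreadable/unexpected.
check_login_config() {
    war=$1
    webxml="$war/WEB-INF/web.xml"
    [ -r "$webxml" ] || { echo "cannot read $webxml"; return 3; }
    doc=$(flatten_xml "$webxml")
    method=$(xml_value auth-method "$doc")
    case $method in
        BASIC) echo "auth-method is BASIC (workaround 2 not applied)"; return 1 ;;
        FORM) ;;
        *) echo "unexpected auth-method '$method'"; return 3 ;;
    esac
    for tag in form-login-page form-error-page; do
        page=$(xml_value "$tag" "$doc")
        if [ -z "$page" ] || [ ! -f "$war$page" ]; then
            echo "$tag '$page' is missing under $war"; return 2
        fi
    done
    echo "FORM login configured; login and error pages present"
}

# Run against a directory when one is given on the command line.
if [ -n "${1:-}" ]; then check_login_config "$1"; fi
```

 A result of 1 means web.xml still uses BASIC, in which case workaround 1 (an application server user whose name and password match the Identity Manager Environment user) is the one that applies.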