sort of working : ds-8 install - local-os authentication?

jgreve
Premium Member
Posts: 107
Joined: Mon Sep 25, 2006 4:25 pm

sort of working : ds-8 install - local-os authentication?

Post by jgreve »

update - local os seems to be working; will post again as more data points come along.

It looks like the first install left some improperly defined user-info inside the metadata repository. Subsequent installs (didn't drop the metadata tablespace & recreate it) seem to have reused info from the first install vs. dropping & recreating the tables.

Reinstalling w/just "wsadmin" serving double-duty as the repository admin has allowed the install to complete.

Next step will be uninstalling everything (dropping the tablespace & recreating).

Still in need of a theory about why the very first install failed, though. Perhaps it makes a difference if one installs as a Windows domain-admin vs. a Windows local-admin...?
---------------------
note: the popup msg (AsbAgent : An engine already exists. Remove the existing installation) appears to be misleading; it seems likely that the isadmin user really didn't have suite-admin permissions.
---------------------
Hi, has anyone gotten ds-8 to work on the local-os (vs. internal) authentication?

I'm doing a gui install for
win2003 server
metadata repository=SqlServer
the install:
client
engine
-disabled- metadata
domain
documentation
[x] Local OS User Registry

Note that "metadata" is disabled because I ran the setup script to create the meta-database in Microsoft SqlServer. The install ran far enough to populate SqlServer with lots of tables for the metadata repository, so I think that is working well.


I'm pretty sure the installer is pulling XYZ (the windows domain) from the local-os as I'm just using "is_admin" for the user name. It seems strange that it is building a composite name with a forward slash, but I'm willing to believe that this is just Java doing it "sun's way".

The userid launching the install is a Windows Domain Administrator for the XYZ domain.

Installing ASB Agent, Please wait...
then this popup msg:


At about 37% on the install, I'm hitting this error message: "AsbAgent : An engine already exists. Remove the existing installation before you install the suite. [OK]"

Here's a log excerpt:

Code:

Install_asbagent, com.ascential.acs.installer.utils.SetGlobalPersistentVariableWizardAction, msg1, Adding global persistent variable: ASB_AGENT_HOST
Install_asbagent, com.ascential.acs.installer.asbagent.event.dialog.PanelConfigHelper, msg1, Agent host: ADMS3
Install_asbagent, com.ascential.acs.installer.asbagent.event.dialog.PanelConfigHelper, msg1, Agent port: 31531
Install_asbagent, com.ascential.acs.installer.asbagent.event.dialog.PanelConfigHelper, msg1, Logging port: 31533
Install_asbagent, com.ascential.acs.installer.asbagent.event.dialog.PanelConfigHelper, msg1, Agent host: ADMS3
Install_asbagent, com.ascential.acs.installer.asbagent.event.dialog.PanelConfigHelper, msg1, Agent port: 31531
Install_asbagent, com.ascential.acs.installer.asbagent.event.dialog.PanelConfigHelper, msg1, Logging port: 31533
Install_asbagent, com.installshield.wizard.platform.win32.Win32ProductServiceImpl, msg1, installing Asb Agent Product Action (asbagentProductAction)
Install_asbagent, com.ascential.acs.installer.asb.AsbAgentProductAction
   msg1, Created isf-node keystore in: r:\IBM\InformationServer\ASBNode\conf\isf-node.keystore
   msg1, ApplicationUtils.runCommand = r:\IBM\InformationServer\ASBNode\bin\RegistrationCommand.bat
   err, ServiceException: (error code = 2; message = "r:\IBM\InformationServer\ASBNode\bin\RegistrationCommand.bat command has error messages.
StdOut:
DEBUG The following exception has occurred:

javax.security.auth.login.LoginException: You are not authorized to login.
You need the Suite User role in order to login.
	at com.ascential.acs.security.auth.client.AuthenticationService.getLoginException(AuthenticationService.java:969)
	at com.ascential.acs.security.auth.client.AuthenticationService.getLoginException(AuthenticationService.java:935)
	at com.ascential.acs.security.auth.client.AuthenticationService.doLoginImpl(AuthenticationService.java:863)
	at com.ascential.acs.security.auth.client.AuthenticationService.doLogin(AuthenticationService.java:353)
	at com.ascential.acs.registration.tools.RegistrationCommand.authenticate(RegistrationCommand.java:1097)
	at com.ascential.acs.registration.tools.RegistrationCommand.processInstallNode(RegistrationCommand.java:502)
	at com.ascential.acs.registration.tools.RegistrationCommand.processDocument(RegistrationCommand.java:812)
	at com.ascential.acs.registration.tools.RegistrationCommand.processFile(RegistrationCommand.java:858)
	at com.ascential.acs.registration.tools.RegistrationCommand.handleRequest(RegistrationCommand.java:962)
	at com.ascential.acs.registration.tools.RegistrationCommand.main(RegistrationCommand.java:1122)
Caused by: java.rmi.AccessException: CORBA NO_PERMISSION 0x0 No; nested exception is: 
	org.omg.CORBA.NO_PERMISSION: 

Trace from server: 1198777258 at host ADMS3 >>
org.omg.CORBA.NO_PERMISSION: java.rmi.AccessException:  ; nested exception is: 
	com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for XYZ/is_admin while invoking (Bean)ascential/acs/ejb/impl/AuthenticationService login(java.lang.String,char[],com.ascential.asb.util.security.SessionInfo):1 JACC Authorization failed for bean: AuthenticationService  vmcid: 0x0  minor code: 0  completed: No
	at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java(Compiled Code))
	at com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java(Compiled Code))
	at com.ibm.ejs.container.EJSContainer.preInvokeAfterActivate(EJSContainer.java(Compiled Code))
	at com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java(Compiled Code))
	at com.ascential.acs.security.auth.server.EJSRemoteStatelessAuthenticationService_e0d03809.login(Unknown Source)
	at com.ascential.acs.security.auth.server._EJSRemoteStatelessAuthenticationService_e0d03809_Tie.login(_EJSRemoteStatelessAuthenticationService_e0d03809_Tie.java:149)
	at com.ascential.acs.security.auth.server._EJSRemoteStatelessAuthenticationService_e0d03809_Tie._invoke(_EJSRemoteStatelessAuthenticationService_e0d03809_Tie.java:92)
	at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDelegate.java:610)
	at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:463)
	at com.ibm.rmi.iiop.ORB.process(ORB.java:439)
	at com.ibm.CORBA.iiop.ORB.process(ORB.java:1737)
	at com.ibm.rmi.iiop.Connection.doWork(Connection.java:2300)
	at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:65)
	at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:95)
	at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1470)
<<  END server: 1198777258 at host ADMS3
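
A way to pull the underlying cause out of an installer log like the one posted above, as an added example that is not part of the original thread or of the product's own tooling: it extracts the SECJ0053E principal, the target bean and the missing role, so the denied login is visible behind the "An engine already exists" popup. The sample text is abridged from the excerpt above, and the function names are hypothetical.

```python
import re

# Constructed sample: lines abridged from the log excerpt in the post above.
SAMPLE_LOG = r"""Install_asbagent, com.ascential.acs.installer.asb.AsbAgentProductAction
   err, ServiceException: (error code = 2; message = "r:\IBM\InformationServer\ASBNode\bin\RegistrationCommand.bat command has error messages.
javax.security.auth.login.LoginException: You are not authorized to login.
You need the Suite User role in order to login.
    at com.ascential.acs.security.auth.client.AuthenticationService.doLogin(AuthenticationService.java:353)
Caused by: java.rmi.AccessException: CORBA NO_PERMISSION 0x0 No; nested exception is:
    com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for XYZ/is_admin while invoking (Bean)ascential/acs/ejb/impl/AuthenticationService login(java.lang.String,char[],com.ascential.asb.util.security.SessionInfo):1 JACC Authorization failed for bean: AuthenticationService  vmcid: 0x0  minor code: 0  completed: No
"""

PATTERNS = {
    # Command the installer shelled out to before reporting the error.
    "failed_command": re.compile(r'message = "(\S+) command has error messages'),
    # Role the login check says the account lacks.
    "missing_role": re.compile(r"You need the (.+?) role in order to login"),
    # WebSphere authorization failure: principal, target bean and method.
    "authz": re.compile(
        r"SECJ0053E: Authorization failed for (?P<principal>\S+) "
        r"while invoking \(Bean\)(?P<bean>\S+) (?P<method>\w+)\("
    ),
}


def triage(log_text):
    """Return the first authorization-failure details found in an installer log."""
    found = {}
    for name in ("failed_command", "missing_role"):
        m = PATTERNS[name].search(log_text)
        if m:
            found[name] = m.group(1)
    m = PATTERNS["authz"].search(log_text)
    if m:
        found.update(m.groupdict())
        # Assumption taken from the post: the principal is domain/user, joined by a slash.
        realm, sep, user = m.group("principal").partition("/")
        found["realm"], found["user"] = (realm, user) if sep else ("", realm)
    return found


def is_authorization_failure(log_text):
    """True when the log shows a denied login rather than a leftover engine."""
    f = triage(log_text)
    return "principal" in f or "missing_role" in f


if __name__ == "__main__":
    for key, value in sorted(triage(SAMPLE_LOG).items()):
        print(f"{key}: {value}")
```
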
vmcburney
Participant
Posts: 3593
Joined: Thu Jan 23, 2003 5:25 pm
Location: Australia, Melbourne

Post by vmcburney »

When I tried local OS authentication I could use the Information Server console but could not log in through DataStage - however I was on unsupported Windows 2000. With internal authentication everything worked okay.
jgreve
Premium Member
Posts: 107
Joined: Mon Sep 25, 2006 4:25 pm

Post by jgreve »

vmcburney wrote: When I tried local OS authentication I could use the Information Server console but could not log in through DataStage - however I was on unsupported Windows 2000. With internal authentication everything worked okay.

As well, most of my installs have been test-runs on a laptop to get a look at it, and internal is certainly easier to setup.

vmcburney - Did you set up the info_server -> windows user mappings?

As for my problem, it is starting to look like being a domain-admin vs. local-admin makes a difference when you run the install. This client has their user-ids based in a different domain (different forests, actually) than the server hosting info-server.

7.5 seems simpler in retrospect.
jgreve
Premium Member
Posts: 107
Joined: Mon Sep 25, 2006 4:25 pm

stable enough to move forward w/local-os user authentication

Post by jgreve »

jgreve wrote: update - local os seems to be working; will post again as more data points come along.
It looks like the first install left some improperly defined user-info inside the metadata repository. Subsequent installs (didn't drop the metadata tablespace & recreate it) seem to have reused info from the first install vs. dropping & recreating the tables.

Reinstalling w/just "wsadmin" serving double-duty as the repository admin has allowed the install to complete.

After doing a clean reinstall (as above, wsadmin for both was & infoserver administration), I'm going to move on - deadlines and all that.

I don't have a reason for why the initial install failed.
It looks like something bogus got put into the metadata repository on the first install. Leaving the metadata repository alone was messing up subsequent installs. Dropping that database is probably a "best practice" for doing reinstalls.

I'll post the original cause if I ever find it; that is something to try & recreate back in the lab, not in the field.
John G.