Error Message Reference

Transcription

1 IBM Security Access Manager for Web Version 7.0 Error Message Reference GI

2

3 IBM Security Access Manager for Web Version 7.0 Error Message Reference GI

4 Note Before using this information and the product it supports, read the information in Notices on page 299. Edition notice Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright IBM Corporation 2001, US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Contents Figures v About this publication vii Intended audience vii Access to publications and terminology..... vii Related publications ix Accessibility xi Technical training xi Support information xi Chapter 1. Message overview Message types Message format Chapter 2. Security Access Manager Base Messages Chapter 4. Security Access Manager Plug-in for Web Servers Messages Chapter 5. Security Access Manager Session Management Server Messages Chapter 6. Security Access Manager Web Runtime Messages Chapter 7. Common Auditing and Reporting Service messages Notices Chapter 3. Security Access Manager WebSEAL Messages Copyright IBM Corp. 2001, 2012 iii

6 iv Version 7.0: Error Message Reference

7 Figures 1. Message ID format Copyright IBM Corp. 2001, 2012 v

8 vi Version 7.0: Error Message Reference

9 About this publication Intended audience IBM Security Access Manager for Web, formerly called IBM Tivoli Access Manager for e-business, is a user authentication, authorization, and web single sign-on solution for enforcing security policies over a wide range of web and application resources. The IBM Security Access Manager for Web Error Message Reference provides a list of all informational, warning, and error messages associated with IBM Security Access Manager for Web. This book is intended for system administrators who are responsible for maintaining and troubleshooting IBM Security Access Manager for Web. Access to publications and terminology This section provides: v A list of publications in the IBM Security Access Manager for Web library. v Links to Online publications on page ix. v A link to the IBM Terminology website on page ix. IBM Security Access Manager for Web library The following documents are in the IBM Security Access Manager for Web library: v IBM Security Access Manager for Web Quick Start Guide, GI Provides steps that summarize major installation and configuration tasks. v IBM Security Web Gateway Appliance Quick Start Guide Hardware Offering Guides users through the process of connecting and completing the initial configuration of the WebSEAL Hardware Appliance, SC v IBM Security Web Gateway Appliance Quick Start Guide Virtual Offering Guides users through the process of connecting and completing the initial configuration of the WebSEAL Virtual Appliance. v IBM Security Access Manager for Web Installation Guide, GC Explains how to install and configure Security Access Manager. v IBM Security Access Manager for Web Upgrade Guide, SC Provides information for users to upgrade from version 6.0, or 6.1.x to version 7.0. v IBM Security Access Manager for Web Administration Guide, SC Describes the concepts and procedures for using Security Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility. v IBM Security Access Manager for Web WebSEAL Administration Guide, SC Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain. Copyright IBM Corp. 2001, 2012 vii

10 v IBM Security Access Manager for Web Plug-in for Web Servers Administration Guide, SC Provides procedures and reference information for securing your Web domain by using a Web server plug-in. v IBM Security Access Manager for Web Shared Session Management Administration Guide, SC Provides administrative considerations and operational instructions for the session management server. v IBM Security Access Manager for Web Shared Session Management Deployment Guide, SC Provides deployment considerations for the session management server. v IBM Security Web Gateway Appliance Administration Guide, SC Provides administrative procedures and technical reference information for the WebSEAL Appliance. v IBM Security Web Gateway Appliance Configuration Guide for Web Reverse Proxy, SC Provides configuration procedures and technical reference information for the WebSEAL Appliance. v IBM Security Web Gateway Appliance Web Reverse Proxy Stanza Reference, SC Provides a complete stanza reference for the IBM Security Web Gateway Appliance Web Reverse Proxy. v IBM Security Access Manager for Web WebSEAL Configuration Stanza Reference, SC Provides a complete stanza reference for the WebSEAL Appliance. v IBM Global Security Kit: CapiCmd Users Guide, SC Provides instructions on creating key databases, public-private key pairs, and certificate requests. v IBM Security Access Manager for Web Auditing Guide, SC Provides information about configuring and managing audit events by using the native Security Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports. v IBM Security Access Manager for Web Command Reference, SC Provides reference information about the commands, utilities, and scripts that are provided with Security Access Manager. v IBM Security Access Manager for Web Administration C API Developer Reference, SC Provides reference information about using the C language implementation of the administration API to enable an application to perform Security Access Manager administration tasks. v IBM Security Access Manager for Web Administration Java Classes Developer Reference, SC Provides reference information about using the Java language implementation of the administration API to enable an application to perform Security Access Manager administration tasks. v IBM Security Access Manager for Web Authorization C API Developer Reference, SC viii Version 7.0: Error Message Reference

11 v v v v v Provides reference information about using the C language implementation of the authorization API to enable an application to use Security Access Manager security. IBM Security Access Manager for Web Authorization Java Classes Developer Reference, SC Provides reference information about using the Java language implementation of the authorization API to enable an application to use Security Access Manager security. IBM Security Access Manager for Web Web Security Developer Reference, SC Provides programming and reference information for developing authentication modules. IBM Security Access Manager for Web Error Message Reference, GI Provides explanations and corrective actions for the messages and return code. IBM Security Access Manager for Web Troubleshooting Guide, GC Provides problem determination information. IBM Security Access Manager for Web Performance Tuning Guide, SC Provides performance tuning information for an environment that consists of Security Access Manager with the IBM Tivoli Directory Server as the user registry. Online publications IBM posts product publications when the product is released and when the publications are updated at the following locations: IBM Security Access Manager for Web Information Center The com.ibm.isam.doc_70/welcome.html site displays the information center welcome page for this product. IBM Publications Center The pbi.wss site offers customized search functions to help you find all the IBM publications that you need. IBM Terminology website The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at software/globalization/terminology. Related publications This section lists the IBM products that are related to and included with the Security Access Manager solution. IBM Global Security Kit Security Access Manager provides data encryption by using Global Security Kit (GSKit) version 8.0.x. GSKit is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. GSKit version 8 includes the command-line tool for key management, GSKCapiCmd (gsk8capicmd_64). About this publication ix

12 GSKit version 8 no longer includes the key management utility, ikeyman (gskikm.jar). ikeyman is packaged with IBM Java version 6 or later and is now a pure Java application with no dependency on the native GSKit runtime. Do not move or remove the bundled java/jre/lib/gskikm.jar library. The IBM Developer Kit and Runtime Environment, Java Technology Edition, Version 6 and 7, ikeyman User's Guide for version 8.0 is available on the Security Access Manager Information Center. You can also find this document directly at: Note: 60/iKeyman.8.User.Guide.pdf GSKit version 8 includes important changes made to the implementation of Transport Layer Security required to remediate security issues. The GSKit version 8 changes comply with the Internet Engineering Task Force (IETF) Request for Comments (RFC) requirements. However, it is not compatible with earlier versions (1.1 or 1.2) of Transport Layer Security. Any component that communicates with Security Access Manager that uses GSKit must be upgraded to use GSKit version , or or later. Otherwise, communication problems might occur. IBM Tivoli Directory Server IBM Tivoli Directory Server version 6.3 FP17 ( ISS-ITDS-FP0017) is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can find more information about Tivoli Directory Server at: IBM Tivoli Directory Integrator IBM Tivoli Directory Integrator version is included on the IBM Tivoli Directory Integrator Identity Edition V for Multiplatform product image or DVD for your particular platform. You can find more information about IBM Tivoli Directory Integrator at: IBM DB2 Universal Database IBM DB2 Universal Database Enterprise Server Edition, version 9.7 FP4 is provided on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can install DB2 with the Tivoli Directory Server software, or as a stand-alone product. DB2 is required when you use Tivoli Directory Server or z/os LDAP servers as the user registry for Security Access Manager. For z/os LDAP servers, you must separately purchase DB2. You can find more information about DB2 at: x Version 7.0: Error Message Reference

13 IBM WebSphere products The installation packages for WebSphere Application Server Network Deployment, version 8.0, and WebSphere extreme Scale, version 8.5, are included with Security Access Manager version 7.0. WebSphere extreme Scale is required only when you use the Session Management Server (SMS) component. WebSphere Application Server enables the support of the following applications: v Web Portal Manager interface, which administers Security Access Manager. v Web Administration Tool, which administers Tivoli Directory Server. v Common Auditing and Reporting Service, which processes and reports on audit events. v Session Management Server, which manages shared session in a Web security server environment. v Attribute Retrieval Service. You can find more information about WebSphere Application Server at: Accessibility Technical training Support information Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. Visit the IBM Accessibility Center for more information about IBM's commitment to accessibility. For technical training information, see the following IBM Education website at IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at The IBM Security Access Manager for Web Troubleshooting Guide provides details about: v What information to collect before you contact IBM Support. v The various methods for contacting IBM Support. v How to use IBM Support Assistant. v Instructions and problem-determination resources to isolate and fix the problem yourself. Note: The Community and Support tab on the product information center can provide more support resources. About this publication xi

14 xii Version 7.0: Error Message Reference

15 Chapter 1. Message overview Message types Message format Messages indicate events that occur during the operation of the system. Depending on their purpose, messages might be displayed on the screen. By default, all informational, warning, and error messages are written to the message logs. The logs can be reviewed later to determine what events occurred, to see what corrective actions were taken, and to audit all the actions performed. For more information about message logs, see the IBM Security Access Manager Troubleshooting Guide. IBM Security Access Manager for Web uses messages of specific types. The following types of messages are used: Informational messages Indicate conditions that are worthy of noting but that do not require you to take any precautions or perform an action. Warning messages Indicate that a condition has been detected that you should be aware of, but does not necessarily require that you take any action. Error messages Indicates that a condition has occurred that requires you to take action. Messages logged by IBM Security Access Manager for Web adhere to the Tivoli Message Standard. Each message consists of a message identifier (ID) and accompanying message text. Message ID format A message ID consists of 10 alphanumeric characters that uniquely identify the message. A message ID in Security Access Manager for Web is composed of: v three-character product identifier (HPD for Security Access Manager Base and CBA and CFG for Common Auditing and Reporting Service) v two-character or three-character component or subsystem identifier v three-digit or four-digit serial or message number v one-character type code indicating the severity of the message The figure that follows shows a graphical representation of a possible message ID and identifies its different parts. (Some messages might use 2 characters for the component ID and 4 digits for the serial number.) Copyright IBM Corp. 2001,

16 FBT RTE 033 I Severity I - Informational W -- Warning E Error Message number (3 digits) Component or subsystem identifier (3 characters) IBM product prefix (3 characters) Figure 1. Message ID format Component identifiers The component identifier indicates which component or subsystem produced the message. ADM Administration commands AUD Audit CC Common Auditing and Reporting Service disk cache CDS InfoCard messages CE Common Auditing and Reporting Service emitter CFG Configuration properties CLI Command-line interface CO Common Audit Service Configuration Console CON Security Access Manager console FMS Management service IDS Identity service IN Common Auditing and Reporting Service installation ISJ Alias service JDBC component ISL Alias service LDAP component IVT Installation verification test KES Key service keystore management KJK Key service keystore management LIB Liberty single sign-on protocol LOG Logging MB Common Audit Service Configuration MBean MGT Management MET Metadata handling MOD Module OID OpenID messages 2 Version 7.0: Error Message Reference

17 PWD RPT RTE SML SOC SPS STM STS STZ SU TAC TRC USC WS WSF WSP WSS XS XU Password handling Report messages Runtime environment component configuration SAML single sign-on protocol SOAP client Single sign-on protocol service Secure token service Secure token service modules RACF PassTicket tokens Common Audit Staging Utility Tivoli Access Manager configuration as point-of-contact server Trust client User self care Common Auditing and Reporting Service Web service WS-Federation single sign-on protocol Provisioning service Web services security management Common Audit Service XML data store Common Audit Service XML store utilities Severity Associated with each message is a severity level that indicates whether corrective action must be taken. Table 1. Severity level Severity Description I (Informational) Provides information or feedback about normal events that occur. In general, no action needs to be performed in response to an informational message. FBTRTE033I The domain default was successfully created. FBTSTM066I The Trust Service has been disabled. W (Warning) Indicates that a potentially undesirable condition has occurred, but processing can continue. Intervention or corrective action might be necessary in response to a warning message. FBTLOG002W An integer was expected. FBTTRC004W The returned RequestSecurityTokenResponse did not have a wsu:id Chapter 1. Message overview 3

18 Table 1. Severity level (continued) Severity Description E (Error) Indicates that a problem has occurred that requires intervention or correction before processing can continue. An error message might be accompanied by one or more warning or informational messages that provide additional details about the problem. FBTCON013E The federation with ID insert could not be retrieved from the single sign-on protocol service. This error can occur if the console is unable to communicate with the single sign-on protocol service. FBTSML260E The binding value value for attribute attr is not valid for profile profile. Message text The text of the message, in the system locale, also is recorded in the log file. If the message text is not available in the desired language, the English language text is used. 4 Version 7.0: Error Message Reference

19 Chapter 2. Security Access Manager Base Messages These messages are provided by the Security Access Manager Base component. HPDAC0153E Could not build ACL with the supplied ACL entries. An ACL entry failed the validity check. The Security Access Manager policy server's error log file will contain an error status message indicating the reason for the failure. Review the Security Access Manager policy server's error log to determine the reason that the ACL failed the validity check. HPDAC0178E Could not obtain local host name. The system library call to get the local host name failed. a valid hostname. HPDAC0179E Ensure that the machine has Unexpected exception caught. An unexpected exception was caught while registering an azn administration service with the Security Access Manager policy server. Ensure that the Security Access Manager policy server is running and that the client and server versions are compatible with each other. HPDAC0180E The Security Access Manager authorization server could not be started (0x%8.8lx). The Security Access Manager authorization server encountered an error during initialization. See the accompanying status code, which gives more information about the failure. HPDAC0450E There is no root ACL in the authorization policy database. This is a severe error indicating integrity problems with the policy database. If the problem occurs with the Security Access Manager authorization server or with a Security Access Manager resource manager application, then stop the resource manager, remove the resource manager's policy database, and start the resource manager again. If the problem occurs with the Security Access Manager policy server, then stop the policy server, restore a known good version of the master policy database, and then start the Security Access Manager servers again. If the problem persists, check IBM Electronic Support for additional information - software/sysmgmt/products/support/ HPDAC0451E A protected object should have only one attached ACL (%s). This is a severe error indicating integrity problems with the policy database. If the problem occurs with the Security Access Manager authorization server or with a Security Access Manager resource manager application, then stop the resource manager, remove the resource manager's policy database, and start the resource manager again. If the problem occurs with the Security Access Manager policy server, then stop the policy server, restore a known good version of the master policy database, and then start the Security Access Manager servers again. If the problem persists, check IBM Electronic Support for additional information - software/sysmgmt/products/support/ HPDAC0452E An ACL that is attached to a protected object cannot be found in the policy database (%s,%s). This is a severe error indicating integrity problems with the policy database. If the problem occurs with the Security Access Manager authorization server or with a Security Access Manager resource manager application, then stop the resource manager, remove the resource manager's policy database, and start the resource manager again. If the problem occurs with the Security Access Manager policy server, then stop the policy server, restore a known good version of the master policy database, and then start the Security Access Manager servers again. If the problem persists, check IBM Electronic Support for additional information - software/sysmgmt/products/support/ Copyright IBM Corp. 2001,

20 HPDAC0453E HPDAC0464E HPDAC0453E Authorization policy database version is incompatible with the server version (%ld,%ld) and will be automatically replaced. The authorization client application has detected an incompatible version of the policy database. The database is replaced automatically. No action is required. HPDAC0454E Could not initialize the authorization policy database (0x%8.8lx). An error occurred while attempting to access the authorization policy database. The authorization engine client was not initialized correctly. See the accompanying status code, which gives more information about failure. HPDAC0455E The authorization policy database has not been initialized. An error occurred during application initialization and the authorization policy database was not initialized correctly. Review the Security Access Manager base error log and look for error messages during initialization that might account for problems with the authorization policy database. HPDAC0456E The ACL name specified was not found in the authorization policy database. Review the ACL name and ensure that the name is a valid ACL name and that it matches an ACL that exists in the authorization policy database. HPDAC0457E The protected object name is invalid. The protected object name is invalid. The name must begin with the '/' character. The name cannot contain carriage return or line-feed characters and it cannot contain two '/' characters in sequence. Review the protected object name and ensure that it adheres to the restrictions outlined in the message explanation. HPDAC0458E The protected object name specified was not found in the authorization policy database. Review the protected object name and ensure that the name is a valid protected object name and that it matches an object that exists in the authorization policy database. HPDAC0459E The protected object space specified was not found in the authorization policy database. Review the protected object space name and ensure that the name is a valid protected object space name and that it matches an object space that exists in the authorization policy database. HPDAC0460E The protected object space specified already exists in the authorization policy database. Each protected object space name must be unique so choose a different name for the new protected object space. HPDAC0461E The extended attribute specified was not found. Review the extended attributes on the target object and ensure that the extended attribute requested actually exists in the extended attribute list for this object. HPDAC0462E The extended attribute name specified is invalid. Review the extended attribute name to ensure that it is valid. HPDAC0463E There are no extended attributes associated with the specified protected object or authorization policy object. Define extended attributes for specified object or parent object if you want to perform extended attributes associated with the object. HPDAC0464E A POP that is attached to a protected object cannot be found in the policy database (%s,%s). This is a severe error indicating integrity problems with the policy database. If the problem occurs with the Security Access Manager authorization server or with a Security Access Manager 6 Version 7.0: Error Message Reference

21 HPDAC0465E HPDAC0474E resource manager application, then stop the resource manager, remove the resource manager's policy database, and start the resource manager again. If the problem occurs with the Security Access Manager policy server, then stop the policy server, restore a known good version of the master policy database, and then start the Security Access Manager servers again. If the problem persists, check IBM Electronic Support for additional information - software/sysmgmt/products/support/ HPDAC0465E A new action group could not be created because the count of action groups has reached the maximum permitted. If you want to create another action group, then you must first reduce the count of defined action groups. Review the list of defined action groups and remove those that are no longer required. HPDAC0466E A new action could not be created because the count of actions has reached the maximum permitted. Before creating another action you must first reduce the count of defined actions. Review the list of defined actions and remove those that are no longer required. HPDAC0467E Unable to create the new action because the bitmask supplied is invalid. The bitmask must have only one of bits 0 to 31 set to be a valid action bitmask. Having multiple bits set or no bits at all is invalid. Review the specified action bitmask to ensure that at least one and only one action bit is set in the mask. HPDAC0468E Unable to create new action group because an action group exists with the same name. You must choose a unique name for the new action group. HPDAC0469E Unable to locate an action group with the name supplied. Review the action group name specified and ensure that it is a valid action group name and that the group exists. HPDAC0470E Unable to create the new action because an action exists with the same name. You must choose a unique action name for the new action. HPDAC0471E Action name contains invalid characters or too many characters. The action name specified is invalid. The name must not be NULL and can contain only one character from the set [a-za-z]. Review the action name and ensure that it conforms to the criteria specified in the Security Access Manager Base Administrator's Guide. HPDAC0472E Action group name contains invalid characters. The action group name specified is invalid. The name must not be NULL and can contain only characters from the set [a-za-z0-9 +-_:]. Review the action group name and ensure that it conforms to the criteria specified in the Security Access Manager Base Administrator's Guide. HPDAC0473E The primary action group cannot be deleted. No action is required. HPDAC0474E A protected object should have only one rule attached (%s). This is a severe error indicating integrity problems with the policy database. If the problem occurs with the Security Access Manager authorization server or with a Security Access Manager resource manager application, then stop the resource manager, remove the resource manager's policy database, and start the resource manager again. If the problem occurs with the Security Access Manager policy server, then stop the policy server, restore a known good version of the master policy database, and then start the Security Access Manager servers again. If the problem persists, check IBM Electronic Support for additional information - software/sysmgmt/products/support/ Chapter 2. Security Access Manager Base Messages 7

22 HPDAC0475E HPDAC0757E HPDAC0475E A rule that is attached to a protected object cannot be found in the policy database (%s,%s). This is a severe error indicating integrity problems with the policy database. If the problem occurs with the Security Access Manager authorization server or with a Security Access Manager resource manager application, then stop the resource manager, remove the resource manager's policy database, and start the resource manager again. If the problem occurs with the Security Access Manager policy server, then stop the policy server, restore a known good version of the master policy database, and then start the Security Access Manager servers again. If the problem persists, check IBM Electronic Support for additional information - software/sysmgmt/products/support/ HPDAC0476E A protected object should have only one POP attached (%s). This is a severe error indicating integrity problems with the policy database. If the problem occurs with the Security Access Manager authorization server or with a Security Access Manager resource manager application, then stop the resource manager, remove the policy database of the resource manager, and start the resource manager again. If the problem occurs with the Security Access Manager policy server, then stop the policy server, restore a known good version of the master policy database, and then start the Security Access Manager servers again. If the problem persists, check IBM Electronic Support for additional information - software/sysmgmt/products/support/ HPDAC0750E Invalid ACL name. The ACL name received was invalid. The ACL name contained illegal characters or was NULL. Review the ACL name and ensure that it conforms to the criteria specified in the Security Access Manager Base Administrator's Guide. HPDAC0751E Invalid protected object name. The protected object name received was invalid. The protected object name contained illegal characters or was NULL. Review the protected object name and ensure that it conforms to the criteria specified in the Security Access Manager Base Administrator's Guide. HPDAC0752E The requested object was not found. Review the object name and ensure that it is valid and that it actually exists. HPDAC0753E The ACL action specified could not be mapped. There is no mapping for this ACL action in the policy database. Review the ACL name and ensure that it is valid and refers to an existing ACL action in the policy database. HPDAC0754E Privacy or data integrity quality of protection cannot be specified in the unauthenticated entry. Quality of protection cannot be enforced by the authorization client runtime for unauthenticated users. No action is required. HPDAC0755E The ACL has an unauthenticated entry but there is no any-other entry. The any-other entry must be at least as permissive as unauthenticated. Add an any-other entry to the ACL with permissions at least equal to those of the unauthenticated user. HPDAC0756E The any-other entry is missing actions from the unauthenticated entry. The any-other entry must be at least as permissive as unauthenticated. Ensure that the permissions in the ACL for the any-other entry are at least equal to those of the unauthenticated entry. HPDAC0757E An entry in the ACL is missing some actions granted by the unauthenticated entry. Users can bypass an explicit action revocation if allowed by the unauthenticated entry. Review the ACL and ensure that the unauthenticated entry does not have the permission to perform actions that other authenticated entries cannot. The permissions of the unauthenticated entry should be the most restrictive in the secure domain. 8 Version 7.0: Error Message Reference

23 HPDAC0758E HPDAC0776E HPDAC0758E An entry in the ACL that grants control does not also grant traverse. To have the control permission the user must also be able to traverse. Ensure that entries with the control permission also have the traverse permission. HPDAC0769E Too many ACL actions are already defined. Only 32 actions bits can be defined and this limit has been reached. An ACL action must be deleted before a new action can be created. HPDAC0759E No entry in the ACL grants control permission. At least one entry in the ACL must have the control permission. Otherwise the ACL cannot be modified or deleted. Add the control permission to at least one of the ACL entries. An administrative user is the most suitable candidate because control permission will authorize the user to modify and delete the ACL. HPDAC0760E The user is revoking the control permission for itself on this ACL. If the current user removes the control permission from its own ACL entry, that user can no longer modify or delete the object. If the user were the only user with control permission then the ACL can no longer be modified or deleted. To avoid losing control over the ACL, it is more prudent to have another user who has control permission remove the control permission on behalf of the current user. Login as another user who has the control permission for this ACL and have that user remove the control permission on behalf of the current user. HPDAC0766E The ACL cannot be detached from the root protected object. Try replacing the attached ACL instead. Modify or even replace the root ACL with an ACL of the desired configuration. HPDAC0767E Core ACL actions cannot be deleted. HPDAC0768E No action is required. The ACL action name already exists. for the new action. Choose a unique action name HPDAC0771E The user registry client is unavailable. The authorization client was unable to contact the user registry. The user registry client may not be configured correctly. Refer to the Installation Guide for your chosen platform and ensure that the correct user registry has been specified and that the configuration steps succeeded. Also ensure that the user registry is running and can be contacted from the client machine. The IBM Security Access Manager for Web Troubleshooting Guide contains instructions on how to ensure that the user registry is configured correctly and is operational. HPDAC0772E The LDAP user registry client returned an error status for the specified DN. The LDAP client returned an error status because the DN was invalid or there are multiples of the same DN. Ensure that the specified DN exists in the user registry and is valid and that the DN is unique. HPDAC0773E The LDAP user registry client returned an unexpected failure status. The LDAP user registry client returned an error code that was unexpected or unknown to Security Access Manager. Ensure that the LDAP registry server and local registry client runtime are correctly installed and operational then try the procedure again. The IBM Security Access Manager for Web Troubleshooting Guide contains instructions on how to ensure that the user registry is configured correctly and is operational. If the problem persists, check IBM Electronic Support for additional information - sysmgmt/products/support/ HPDAC0776E The DN specified was not found in the registry. user registry. The specified DN was not found in the Chapter 2. Security Access Manager Base Messages 9

24 HPDAC0777E HPDAC0910E Ensure that the DN specified exists in the user registry and is valid. HPDAC0777E LDAP Registry client returned a memory error. The LDAP registry client encountered a memory error. Ensure that the affected process has been configured with sufficient virtual memory for its requirements. The IBM Security Access Manager for Web Performance Tuning Guide contains instructions on how to ensure that the application is configured with the correct amount of virtual memory. Stop and restart the process. If the problem persists, check IBM Electronic Support for additional information - sysmgmt/products/support/ HPDAC0778E The specified user's account is set to invalid. When an account is created in the user registry, the user account must also be marked as valid. Start the administration console or command-line administration tool and set the user account to be valid with the 'user modify' command. HPDAC0779E The LDAP registry server is down. The LDAP registry server is not running. Ensure that the LDAP registry server is running and that the LDAP client has been correctly configured to communicate with the server. The IBM Security Access Manager for Web Troubleshooting Guide contains instructions on how to ensure that the user registry is configured correctly and is operational. HPDAC0780E A valid action group is specified, but no action is specified. The permission string contains a valid action group, but no action within this group is specified. Therefore, an authorization check cannot be performed. Ensure that a valid action for the specified action group was provided. HPDAC0901E The Authorization service is already initialized. You cannot reinitialize the authorization service once it has been initialized. The azn_shutdown() interface must be called before the aznapi client can be initialized again. Review your aznapi application and ensure that the azn_initialize() interface is called only once during the execution of the program. HPDAC0902E There was no authorization client listener port specified. The authorization client requires a TCP port to listen for authorization policy updates and azn admin service requests. Ensure that you have specified a listening port for the authorization client in the aznapi client configuration file or by using programmatic aznapi initialization attributes. HPDAC0906E An invalid parameter was supplied to the API function. A parameter supplied to the API function was NULL or outside the range of valid values. Ensure that the API function call parameters supplied meet the criteria defined for the API interface in the IBM Security Access Manager for Web Authorization C API Developer's Reference. Ifthe problem persists, check IBM Electronic Support for additional information - software/sysmgmt/products/support/ HPDAC0909E An unspecified implementation dependent error has occurred. A minor error could not be mapped to a known message catalog category. The minor error might be returned by an authorization service plug-in without first being encoded using azn_util_errcode(). Another reason this occurs is that an authorization client's message catalogs might not be synchronized with those of the Security Access Manager authorization server. If you have loaded a custom authorization service plug-in then ensure that the plug-in returns the appropriate azn_status_t error codes from its exported interfaces. If this is not the case, then the authorization client's message catalogs might not be synchronized with those of the server. Upgrade the Security Access Manager Runtime package to the same level as the server. HPDAC0910E An invalid policy cache mode value was specified. Ensure that the specified policy cache mode is a valid mode from the set of modes defined in the Security Access Manager Authorization C API Developer's Reference. 10 Version 7.0: Error Message Reference

25 HPDAC0912E HPDAC0930E HPDAC0912E An invalid database file path value was specified. Ensure that the specified database file path is valid. HPDAC0925E An invalid LDAP server SSL keyfile password was specified. Ensure that the specified password for the LDAP server SSL keyfile is correct. HPDAC0914E An invalid policy cache refresh interval value was specified. Ensure that the policy cache refresh interval specified is within the range of valid values specified in the Security Access Manager Authorization C API Developer's Reference. HPDAC0915E An invalid listen flags value was specified. The listen flags can be set to either 'enable' or 'disable'. Ensure that the listen flags configuration parameter is set to either 'enable' or 'disable'. HPDAC0919E An invalid LDAP host name was specified. name specified is valid. Ensure that the LDAP host HPDAC0920E An invalid LDAP host port was specified. port specified is valid. Ensure that the LDAP server HPDAC0923E An invalid LDAP server SSL keyfile was specified. The SSL keyfile could not be found, is invalid or has inappropriate access permissions. Ensure that the path to the LDAP server SSL keyfile is correct that the file exists, is valid and has the appropriate access permissions. HPDAC0924E An invalid LDAP server SSL keyfile DN was specified. Ensure that the specified DN for the LDAP server SSL keyfile is correct. HPDAC0926E One or more of the LDAP server values was not specified. To configure an LDAP registry server you must at least specify the server host name, the port on which to connect to the server, the DN with which to bind to the server and the password for that DN. One of these values was not specified in the configuration settings. Ensure that you have specified the LDAP registry server name, request port, bind DN, and bind DN password in the aznapi client configuration settings. HPDAC0928E The attempt to initialize the LDAP registry failed. This failure can occur when the LDAP registry server configuration settings are incorrect or when the Security Access Manager runtime is incorrectly configured for a registry type other than LDAP. Ensure that you have correctly configured the Security Access Manager Runtime package to use an LDAP user registry. The current user registry setting can be determined by looking at the 'user-reg-type' entry in the [pdrte] stanza of the 'etc/pd.conf' file in the Security Access Manager install directory. If the runtime is configured incorrectly, you will need to unconfigure all packages and reconfigure the machine again. If the runtime has been correctly configured, then ensure that the configuration parameters specified for the LDAP registry server are correct. HPDAC0930E A memory allocation call failed. In most cases this error due to the aznapi application program running out of memory. Ensure that the application has been configured with sufficient virtual memory for its requirements. The IBM Security Access Manager for Web Performance Tuning Guide contains instructions on how to ensure that the application is configured with the correct amount of virtual memory. Stop and restart the process. If the problem persists, check IBM Electronic Support for additional information - Chapter 2. Security Access Manager Base Messages 11

26 HPDAC0931E HPDAC0944E HPDAC0931E Unable to configure LDAP replica server. The replica is either misconfigured or there are too many replicas configured. Ensure that the replica LDAP server configuration settings are valid and refer to an operational replica of the master LDAP server. Also ensure that you have not registered more LDAP replicas than that allowed by the LDAP registry implementation. HPDAC0932E An invalid LDAP bind user DN was specified. Ensure that the LDAP bind user DN specified is valid. HPDAC0933E The password for the LDAP bind user was invalid. Ensure that the LDAP bind user password specified is valid. HPDAC0934E An invalid configuration file path was specified. Ensure that the path to the configuration file that was specified is valid. HPDAC0935E An error occurred loading the aznapi configuration file. Review the aznapi configuration file used to initialize the application and ensure that it is a valid stanza format file and that the entries conform to stanza format syntax. HPDAC0936E An error occurred loading the configuration file specified as the parameter to 'ldap-server-config' in the aznapi config file. Review the respective aznapi configuration file and ensure that it is a valid stanza format file and that the entries conform to stanza format syntax. HPDAC0937E An invalid maximum search size was specified. The specified maximum search size could not be converted to an integer number or is zero. Ensure that the value specified for maximum search size is a valid integer value in the range specified in the LDAP registry server documentation and is not zero. HPDAC0940E An invalid attribute value was specified for the azn_init_set_perminfo_attrs attribute. Ensure that the value specified for the azn_init_set_perminfo_attrs initialization attribute is a text string consisting of one or more valid aznapi attribute names separated by spaces. HPDAC0941E Too many permission information attributes were specified with the azn_init_set_perminfo_attrs attribute. The maximum number of permission info attributes that can be returned from an azn_decision_access_allowed_ext() call is 32. Review the list of permission information attributes that you have specified in the azn_init_set_perminfo_attrs attribute and ensure that the count of attributes is no greater than 32. HPDAC0943E An invalid trace configuration parameter was specified: %s. Either the application configuration file contains an invalid 'trace' configuration item in the [aznapi-configuration] stanza or the application is passing an invalid value for the azn_init_trace programmatic initialization attribute. The value considered invalid is shown in the error message. Correct the value of the trace configuration parameter in the configuration file or the application as appropriate. HPDAC0944E An invalid statistics configuration parameter was specified: %s. Either the application configuration file contains an invalid 'stats' configuration item in the [aznapi-configuration] stanza or the application is passing an invalid value for the azn_init_stats azn_initialize parameter. The value considered invalid is shown in the error message. Correct the value of the 'stats' configuration parameter in the configuration file or the application as appropriate. 12 Version 7.0: Error Message Reference

27 HPDAC0945E HPDAC0953E HPDAC0945E The value specified for the 'timeout' parameter in the [ldap] stanza is invalid: %s. Either the application configuration file contains an invalid 'timeout' configuration value in the [ldap] stanza or the application is passing an invalid value for the azn_init_ldap_timeout azn_initialize parameter. The value considered invalid is shown in the error message. Correct the value of the 'timeout' parameter in the [ldap] stanza. It must be a non-negative integer. HPDAC0946E The value specified for the 'authn-timeout' parameter in the [ldap] stanza is invalid: %s. Either the application configuration file contains an invalid 'authn-timeout' configuration value in the [ldap] stanza or the application is passing an invalid value for the azn_init_ldap_authn_timeout azn_initialize parameter. The value considered invalid is shown in the error message. Correct the value of the 'authn-timeout' parameter in the [ldap] stanza. It must be a non-negative integer. HPDAC0947E The value specified for the 'search-timeout' parameter in the [ldap] stanza is invalid: %s. Either the application configuration file contains an invalid 'search-timeout' configuration item in the [ldap] stanza or the application is passing an invalid value for the azn_init_ldap_search_timeout azn_initialize parameter. The value considered invalid is shown in the error message. Correct the value of the 'search-timeout' parameter in the [ldap] stanza. It must be a non-negative integer. HPDAC0948E Validation of the rule text for the rule object failed. Refer to the error log for more information about the failure. valid. The rule text of the rule policy is not Review the rule text for the rule policy named in the error log and correct any errors. HPDAC0949E Validation of the rule text for rule object %s failed. Error code 0x%x was returned along with error message %s. valid. The rule text of the rule policy is not Review the rule text for the rule policy named in the error log and correct any errors. HPDAC0950E An ADI container name was found in multiple places in the input from the application. Refer to the error log for more information about the failure. The same piece of access decision information cannot be provided to the rules evaluator from two different sources as this indicates that one piece of data may not be valid or is incorrectly named. Container names must be unique across data sources. Review your system configuration to ensure that only one of either the application context or user credentials is the source for the piece of ADI named in the error log. HPDAC0951E The ADI container name %s was found in multiple places in the input from the application. The same piece of access decision information cannot be provided to the rules evaluator from two different sources as this indicates that one piece of data may not be valid or is incorrectly named. Container names must be unique across data sources. Review your system configuration to ensure that only one of either the application context or user credentials is the source for the piece of ADI named in the error log. HPDAC0952E The XSL processor failed to evaluate the rule object. Refer to the error log for more information about the failure. The rule text of the rule policy named in the error log is not valid and caused an error condition in the XSL processor. Review the rule text for the rule policy object named in the error log and correct any errors. HPDAC0953E The XSL processor failed to evaluate the rule object %s. Error code 0x%x was returned along with error message %s. The rule text of the rule policy named in the error log is not valid and caused an error condition in the XSL processor. Review the rule text for the rule policy object named in the error log and correct any errors. Chapter 2. Security Access Manager Base Messages 13