Enterprise LDAP

ksperring
1-Newbie


Hi,


We have attempted to clone a staging Windchill to Production and along with server names etc all has worked out except for the Enterprise LDAP which currently produces the below exception when trying to search the user directories.


Page could not respond: /ptc1/principalpicker/principalPickerCD_step

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]


The credentials are tested and valid within the Enterprise LDAP.


So, I suspect that the encrypted values stored in mapcredentials may need to be re-created?


If there is any insight that anyone can offer, that would be good.

5 REPLIES 5

Hi Kevin,


I've done that many times when testing out my development/test mirrored clone with new OS and infrastructure to be the new production when replacing horrible Windows OS with Red Hat Linux and old infrastructure with server blades.


Did you try exporting the Windchill LDAP only? Using Windows Wordpad/Word, try searching for the string DC=<old host alias name> and <old host alias>. ("dot" after host name, case sensitive)


You can try replacing them with the new server name then do a delete then import. Make sure you back up the export first. If you follow the rehost guide, you should not need to do this. Also, did you properly change Apache authentication?



Good luck,


Patrick

Hi Kevin,


Make sure your "clone" is a true mirror of production:



  • connected to AD forest(s) (if you have that already with jndi adapters)

  • complete install of all modules of Windchill

  • all info-engine adapters (WindchillDS/aphelion LDAP) are recorded in the LDAP

When ready to switch, don't forget:



  • the DNS aliases have to change

  • /etc/hosts files

Have fun,


Patrick


So, the export did not contain the old server name as I would have expected. I have followed the rehost rename guide.
The Apache Auth has been updated and is working, as I can log in with local Windchill LDAP accounts.
The issue crops up when I try to get a list of users from the Enterprise LDAP.

This is the stack trace from the Method Server logs:

2014-02-04 17:07:26,871 ERROR [ajp-bio-8010-exec-1] org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/Windchill].[MVCDispatcher] wcadmin - Servlet.service() for servlet MVCDispatcher threw exception
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3067)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2815)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2729)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at com.infoengine.jndi.DirContextWrapper.<init>(DirContextWrapper.java:84)
at com.infoengine.jndi.JNDIAdapterImpl.getDirContext(JNDIAdapterImpl.java:299)
at com.infoengine.jndi.JNDIAdapterImpl.processRequest(JNDIAdapterImpl.java:209)
at com.infoengine.procunit.adapter.Adapter.send(Adapter.java:391)
at com.infoengine.SAK.ObjectWebject.invoke(ObjectWebject.java:262)
at com.infoengine.compiledTasks.file.D$3a$5cptc$5cWindchill_10$2e1$5cWindchill$5ctasks.wt.federation.queryprincipals$2exml.invoke(queryprincipals$2exml.java:100)
at com.infoengine.SAK.Task.invoke(Task.java:1806)
at com.infoengine.SAK.Task.invoke(Task.java:1714)
at wt.org.LdapServices.queryPrincipalsTask(LdapServices.java:1245)
at wt.org.LdapServices.queryPrincipalFromLdap(LdapServices.java:1114)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at wt.services.ServiceFactory$ServerInvocationHandler.invoke(ServiceFactory.java:399)
at com.sun.proxy.$Proxy21.queryPrincipalFromLdap(Unknown Source)
at wt.org.StandardOrganizationServicesManager._readPrincipal(StandardOrganizationServicesManager.java:7074)
at wt.org.StandardOrganizationServicesManager._inflateByUfid(StandardOrganizationServicesManager.java:11029)
at wt.org.StandardOrganizationServicesManager.getPrincipal(StandardOrganizationServicesManager.java:1045)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at wt.services.ServiceFactory$ServerInvocationHandler.invoke(ServiceFactory.java:399)
at com.sun.proxy.$Proxy20.getPrincipal(Unknown Source)
at com.ptc.windchill.enterprise.picker.principal.PrincipalCommands.getRecentPrincipalsList(PrincipalCommands.java:238)
at org.apache.jsp.netmarkets.jsp.principalpicker.principalPickerCD_005fstep_jsp._jspService(principalPickerCD_005fstep_jsp.java:3022)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:605)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:544)
at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:229)
at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:250)
at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1047)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:817)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:669)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:574)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:605)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:544)
at org.apache.taglibs.standard.tag.common.core.ImportSupport.acquireString(ImportSupport.java:343)
at org.apache.taglibs.standard.tag.common.core.ImportSupport.doEndTag(ImportSupport.java:200)
at org.apache.jsp.netmarkets.jsp.components.loadWizardStep_jsp._jspx_meth_c_005fimport_005f0(loadWizardStep_jsp.java:1979)
at org.apache.jsp.netmarkets.jsp.components.loadWizardStep_jsp._jspService(loadWizardStep_jsp.java:635)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:605)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:544)
at com.ptc.core.components.tags.components.WizardTag.renderTag(WizardTag.java:904)
at com.ptc.core.components.tags.components.WizardTag.getTags(WizardTag.java:755)
at com.ptc.core.components.tags.components.WizardTag.doTag(WizardTag.java:398)
at com.ptc.windchill.enterprise.tags.picker.PrincipalPickerTag.doTag(PrincipalPickerTag.java:723)
at org.apache.jsp.netmarkets.jsp.principal.addParticipantToPAList_jsp._jspx_meth_jca_005fparticipantPicker_005f0(addParticipantToPAList_jsp.java:1825)
at org.apache.jsp.netmarkets.jsp.principal.addParticipantToPAList_jsp._jspService(addParticipantToPAList_jsp.java:681)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:412)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:238)
at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:250)
at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1047)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:817)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:669)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:574)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at wt.httpgw.filter.WTContextBeanFilter.doWithWtContextBeanHandler(WTContextBeanFilter.java:98)
at wt.httpgw.filter.WTContextBeanFilter.doFilter(WTContextBeanFilter.java:58)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at wt.servlet.CompressionFilter.doFilter(CompressionFilter.java:248)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at wt.servlet.RequestInterrupter.doFilter(RequestInterrupter.java:327)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at wt.servlet.ServletRequestMonitor.doFilter(ServletRequestMonitor.java:1594)
at wt.servlet.ServletRequestMonitorFilter.doFilter(ServletRequestMonitorFilter.java:56)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)
at org.apache.tomcat.util.threads.TaskThread.run(TaskThread.java:77)
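
As an added example (not part of the original posts and not PTC code): a Python triage helper that pulls the Active Directory sub-code out of the `AcceptSecurityContext` message and records which component opened the failing LDAP connection. The sub-code table is the standard Win32 logon error mapping; the function and variable names are hypothetical, and the sample lines are constructed from the trace quoted above.

```python
import re

# Win32 logon error codes (hex) that Active Directory reports after "data"
# when an LDAP bind fails with result code 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "user name or password is incorrect",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password before logon",
    "775": "account locked out",
}
BIND_ERROR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - .*?AcceptSecurityContext error, "
    r"data (?P<data>[0-9A-Fa-f]+),"
)
FRAME = re.compile(r"^\s*at (?P<method>[\w.$<>]+)\(")
JDK_PREFIXES = ("com.sun.", "javax.", "java.", "sun.")


def triage(log_lines):
    """Return one finding per AD bind failure, with the first non-JDK frame."""
    findings, current = [], None
    for line in log_lines:
        m = BIND_ERROR.search(line)
        if m:
            data = m.group("data").lower()
            current = {"ldap_code": int(m.group("code")), "data": data,
                       "meaning": AD_BIND_SUBCODES.get(data, "unmapped sub-code"),
                       "caller": None}
            findings.append(current)
            continue
        f = FRAME.match(line)
        # The first frame outside the JDK's JNDI classes is the component that
        # opened the LDAP connection, i.e. whose configured bind account failed.
        if f and current and current["caller"] is None:
            if not f.group("method").startswith(JDK_PREFIXES):
                current["caller"] = f.group("method")
    return findings


# Constructed sample: abbreviated from the trace quoted in this thread.
SAMPLE = """\
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3067)
at com.infoengine.jndi.DirContextWrapper.<init>(DirContextWrapper.java:84)
at com.infoengine.jndi.JNDIAdapterImpl.getDirContext(JNDIAdapterImpl.java:299)
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

For the trace in this thread the finding is sub-code `52e` raised from the Info*Engine JNDI adapter's own connection, which separates a rejected bind name or password from lockout (`775`), expiry (`532`, `701`) or a disabled account (`533`).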

Hi Kevin,


Since you are using Windchill 9.#, 8.# and 7.#, context names were stored in aphelion/WindchillDS LDAP. You have to do a complete mirror of both the database and Windchill LDAP. You may not need the vaults as of yet, which will cause vault read folder issues but not this.


Is your "clone" a complete mirror of the entire production system including the database?


It sounds like you are missing some entries in your LDAP of contexts that are not in sync with Windchill database.



Patrick

Hi Kevin


Which is why, in the pre-9.1 M050 days (I could be off by a few service packs), it was very imperative to have your Windchill LDAP backed up at the same time as your database in production. If they are not in sync, you can have issues where you cannot start up Windchill from a recovery, restore, mirror or disaster recovery.


I still follow that lesson learned. I had experienced in the past where some admins and developers went too far with LDAP and I had to recover.


Just take a good export of both the production LDAP and database at exactly the same time. Sometimes I've seen this error when someone has created a context or renamed a context and it is not in sync with the backup of LDAP. I could be wrong but it really resembles this issue.


Good luck,


Patrick
