When bad wasadmins go missing

Working yesterday on deploying a new application in a test Connections environment, I was logged into the ISC using wasadmin for hours. Eventually I finish my work and restart everything to test. I go to log in to the deployment manager and no account will work, not wasadmin nor any of the LDAP administrative accounts set up. So what do I do? Well, first I need to work out what’s going wrong, and I check SystemOut.log when trying to log in and see this error as a root cause:

CWWIM2009E The principal ‘AnonymousUser’ does not have the role ‘administrator’ required for the operation ‘GET CONFIGURATION’

Well OK, let’s back up. Since it happened after a reboot, the change could have been made any time since the previous restart and wasn’t necessarily related to the work I was doing at all. First I need to get into the ISC, and to do that I need to disable ISC security so I can get in. I edit security.xml in the /profiles/dmgr/config/cells/<cellname> directory, find the first enabled="true" in the security tag and change that to enabled="false" (make sure you save a copy of this file first). Then stop the dmgr and start it again. I have trouble stopping it as the authentication isn’t working so, since the dmgr is the only WAS server running, I just terminate java.exe from Task Manager. Having done that, the URL for the dmgr, <hostname>:9043/ibm/console, no longer asks for a password and lets me log in using just a user name, and I’m IN - albeit with no security so no way to start servers.

I go look at the Administrative users configured in the system and sure enough the LDAP admin accounts are there but wasadmin is gone. I can’t add wasadmin because security is disabled and it can’t find the account. I can work around it, but a better solution is to tell the ISC to use the LDAP realm instead of the defaultWIMFileBasedRealm (which contains wasadmin). I go to Global Security, re-enable security from that screen (it was disabled by my earlier security.xml change), then go into the federated repository and change the realm name from o=defaultWIMFileBasedRealm to whatever my LDAP realm is (in this case “root”), and then change the Primary administrative user name to one of my LDAP admin accounts (in this case gabdavis).

Now I can restart dmgr and log in to the ISC with the name gabdavis (my LDAP account) and its LDAP password. Once in there I can go to Administrative Users and re-add wasadmin with all the roles I need, then (if I wanted to) go back to Global Security and revert the realm and primary administrative account back to what was set originally (above).
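The security.xml step from earlier, as a short Python script that takes the backup before touching the file and can confirm afterwards that security is back on. This is an added example, not part of the original post. It assumes the root element is `<security:Security ...>`; the function names and the trimmed sample file are constructed for illustration.

```python
import re
import shutil
import time
from pathlib import Path

# Opening tag of the root element; its enabled attribute is the "first
# enabled" in the post. appEnabled and child elements must stay untouched.
ROOT_TAG = re.compile(r"<security:Security\b[^>]*>")
ENABLED = re.compile(r'(\benabled\s*=\s*)"(true|false)"')


def admin_security_enabled(xml_text):
    """Return the boolean value of the root tag's enabled attribute."""
    tag = ROOT_TAG.search(xml_text)
    attr = ENABLED.search(tag.group(0)) if tag else None
    if attr is None:
        raise ValueError("no <security:Security ... enabled=...> tag found")
    return attr.group(2) == "true"


def set_admin_security(path, enabled):
    """Back up security.xml, then rewrite only the root tag's enabled flag.

    Returns the backup path, or None if the flag already had that value.
    """
    path = Path(path)
    text = path.read_bytes().decode("utf-8")  # bytes keep line endings as-is
    if admin_security_enabled(text) == enabled:
        return None
    backup = path.with_name(path.name + time.strftime(".%Y%m%d-%H%M%S.bak"))
    shutil.copy2(path, backup)  # "save a copy of this file first"
    tag = ROOT_TAG.search(text)
    value = "true" if enabled else "false"
    new_tag = ENABLED.sub(lambda m: f'{m.group(1)}"{value}"', tag.group(0), count=1)
    path.write_bytes((text[:tag.start()] + new_tag + text[tag.end():]).encode("utf-8"))
    return backup


# Constructed, heavily trimmed sample; exampleChild is a made-up element.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:id="Security_1" useLocalSecurityServer="true"
    enabled="true" appEnabled="true">
  <exampleChild enabled="true"/>
</security:Security>
"""
```

Running `admin_security_enabled` against the file once the recovery is finished is a quick way to confirm the dmgr was not left with security switched off.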

And that’s it. I hope this is useful for anyone else who has a wasadmin go astray… Back up your deployment manager profile regularly, people!