Monday, September 17, 2012

Creating your first OAM 11g R2 domain

So you downloaded the Identity Management R2 release bits, spun up your little test environment and created a WebLogic domain. But the first time you sign in, you get the error message "The policy store is not available; please see the log file for more details." in a pop-up.

The logs aren't particularly helpful:

####<Sep 13, 2012 6:19:42 PM EDT> <Error> <oracle.oam.engine.policy> <iamr2.oracleateam.com> <AdminServer> <[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <e3b75e49ebb52881:-4d179e40:139c1939ab6:-8000-00000000000005a3> <1347574782661> <BEA-000000> <The policy store is not available; please see the log file for more details.
oracle.security.am.common.policy.admin.store.PolicyStoreException: OAMSSA-06252: The policy store is not available; please see the log file for more details.
        at oracle.security.am.common.policy.util.OESUtils.checkAndThrowException(OESUtils.java:630)
        at oracle.security.am.common.policy.util.ResourceTypeHelper.setupHostIdentifierResourceType(ResourceTypeHelper.java:438)
        at oracle.security.am.common.policy.admin.provider.oes.DefaultApplicationDomain.createHostIdentifierPolicy(DefaultApplicationDomain.java:118)
        at oracle.security.am.common.policy.admin.provider.oes.DefaultApplicationDomain.<init>(DefaultApplicationDomain.java:93)
        at oracle.security.am.common.policy.admin.provider.oes.DefaultApplicationDomain.getGlobalDefault(DefaultApplicationDomain.java:461)
        at oracle.security.am.common.policy.admin.provider.oes.ApplicationManager.setupGlobalDefaultAppDomain(ApplicationManager.java:112)
        at oracle.security.am.common.policy.admin.provider.oes.ApplicationManager.<init>(ApplicationManager.java:61)
        at oracle.security.am.common.policy.admin.provider.oes.ApplicationManager.getApplicationManager(ApplicationManager.java:125)
        at oracle.security.am.common.policy.util.OESSetupHelper.loadOAMApplicationManager(OESSetupHelper.java:340)
        at oracle.security.am.common.policy.util.OESSetupHelper.loadOAMApplicationPolicies(OESSetupHelper.java:166)
        at oracle.security.am.common.policy.util.OESSetupHelper.loadApplicationPolicies(OESSetupHelper.java:154)
        at oracle.security.am.common.policy.admin.provider.oes.proxy.OESAdminProxy.init(OESAdminProxy.java:84)
        at oracle.security.am.common.policy.admin.provider.oes.OESPolicyAdminProvider.init(OESPolicyAdminProvider.java:130)
        at oracle.security.am.common.policy.admin.PolicyAdminFactory.getProvider(PolicyAdminFactory.java:241)
        at oracle.security.am.common.policy.admin.PolicyAdminFactory.init(PolicyAdminFactory.java:166)
        at oracle.security.am.common.policy.admin.PolicyAdminFactory.getPolicyAdmin(PolicyAdminFactory.java:334)
...

And in the -diagnostic log:

[2012-09-13T18:19:42.364-04:00] [AdminServer] [NOTIFICATION] [] [oracle.adfdt.model.mds.MDSApplicationService] [tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: weblogic] [ecid: e3b75e49ebb52881:-4d179e40:139c1939ab6:-8000-00000000000005a3,0] [APP: oam_admin#11.1.2.0.0] [[
oracle.mds.exception.ReadOnlyStoreException: MDS-01273: The operation on the resource /oracle/oam/ui/adfm/DataBindings.cpx failed because source metadata store mapped to the namespace / DEFAULT is read only.
        at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(MDSSession.java:2495)
        at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(MDSSession.java:2548)
        at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:3493)
        at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:1660)
        at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:1546)
        at oracle.adfdt.model.mds.MDSApplicationService.findApplication(MDSApplicationService.java:57)
        at oracle.adfdt.model.mds.MDSModelDesignTimeContext.initServices(MDSModelDesignTimeContext.java:232)
        at oracle.adfdt.model.mds.MDSModelDesignTimeContext.<init>(MDSModelDesignTimeContext.java:82)
        at oracle.adfdt.mds.MDSDesignTimeContext.<init>(MDSDesignTimeContext.java:66)
        at oracle.adfinternal.view.page.editor.Page.getDesignTimeBindingContainer(Page.java:596)
        at oracle.adfinternal.view.page.editor.contextual.event.ContextualModelManager.getBindingContainerForView(ContextualModelManager.java:209)
        at oracle.adfinternal.view.page.editor.contextual.event.ContextualModelManager.getCurrentContextualResolver(ContextualModelManager.java:131)
        at oracle.adfinternal.view.page.editor.bean.ContextualWiringBean.getResolver(ContextualWiringBean.java:625)
        at oracle.adfinternal.view.page.editor.bean.ContextualWiringBean.clearSelection(ContextualWiringBean.java:594)
        at oracle.adfinternal.view.page.editor.bean.ContextualWiringBean.handlePageNavigation(ContextualWiringBean.java:130)
        at oracle.adfinternal.view.page.editor.contextual.event.EventHandler.processNavigation(EventHandler.java:92)
...


What did you do wrong?!
If you're seeing this it means you're just like me and you didn't bother to read the Installation Guide.
In R2 there's a tiny little extra step you need to do after creating the domain and before starting the AdminServer.

Basically it amounts to this:

# Create the security store for the new domain
"$MW_HOME/oracle_common/common/bin/wlst.sh" \
    "$ORACLE_HOME/common/tools/configureSecurityStore.py" \
    -d "$IAM_DOMAIN_LOCATION" \
    -m create \
    -c IAM \
    -p "$ORA_PASS"

# Validate the security store that was just created
"$MW_HOME/oracle_common/common/bin/wlst.sh" \
    "$ORACLE_HOME/common/tools/configureSecurityStore.py" \
    -d "$IAM_DOMAIN_LOCATION" \
    -m validate

Where
  • $MW_HOME is where you put the Middleware home (e.g. ~/Oracle/Middleware)
  • $ORACLE_HOME is the Oracle IAM home (e.g. ~/Oracle/Middleware/Oracle_IAM1)
  • $IAM_DOMAIN_LOCATION is the domain home (e.g. ~/Oracle/Middleware/user_projects/domains/OAMDomain)
  • $ORA_PASS is the password needed to talk to the database
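
The ordering constraint (run configureSecurityStore.py after creating the domain and before the first AdminServer start) can be enforced with a small guard around the commands above. This is an added example, not part of the original post or of Oracle's tooling; the function names are hypothetical, and it assumes that a started AdminServer leaves servers/AdminServer/logs/AdminServer.log or servers/AdminServer/data/ldap under the domain home.

```bash
#!/usr/bin/env bash
# Added example: pre-flight guard for configureSecurityStore.py.
# Assumption: an AdminServer that has been started at least once leaves a log
# file or an embedded LDAP directory under the domain home (default layout).

# Return 0 if the AdminServer in domain "$1" appears to have been started before.
admin_server_was_started() {
    local domain=$1
    [ -e "$domain/servers/AdminServer/logs/AdminServer.log" ] ||
        [ -d "$domain/servers/AdminServer/data/ldap" ]
}

# Return 0 only while it is still safe to create the security store.
# Returns 2 if "$1" is not a domain home, 1 if the AdminServer already ran.
preflight_security_store() {
    local domain=$1
    if [ ! -f "$domain/config/config.xml" ]; then
        echo "no WebLogic domain at $domain (config/config.xml missing)" >&2
        return 2
    fi
    if admin_server_was_started "$domain"; then
        echo "AdminServer has already been started in $domain;" \
             "recreate the domain and the schema first" >&2
        return 1
    fi
    return 0
}

# Run create, then validate, stopping at the first failure.
configure_security_store() {
    local domain=$1 ora_pass
    preflight_security_store "$domain" || return
    # Prompt without echo so the password is not stored in a script or in
    # shell history. It is still passed with -p, so it is visible in the
    # process list to other local users while the create step runs.
    read -r -s -p "Database schema password: " ora_pass; echo
    local wlst="$MW_HOME/oracle_common/common/bin/wlst.sh"
    local tool="$ORACLE_HOME/common/tools/configureSecurityStore.py"
    "$wlst" "$tool" -d "$domain" -m create -c IAM -p "$ora_pass" &&
        "$wlst" "$tool" -d "$domain" -m validate
}

# Usage: configure_security_store "$IAM_DOMAIN_LOCATION"
```
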

It's easy enough to recover if you didn't take a snapshot in VirtualBox. Just stop the AdminServer and oam_server1, recreate the domain, and rerun the RCU to drop and recreate the OAM schema. Then run the wlst commands above before you start it again.

I think you might actually be able to get away without recreating the domain but I haven't tried it myself.

3 comments:

  1. FYI, I ran into this problem (RTFM, duh!), and tried running this without recreating the domain and it did not work. Looks like the recreation of the schema and domain is necessary.

  2. You may also see this exception during execution of configureSecurityStore.py with the -m create:

    java.lang.NullPointerException
    at oracle.security.jps.internal.policystore.xml.persistence.Entity2EntryConvertor.createAttributeEntry(Entity2EntryConvertor.java:472)

    That is caused by starting the AdminServer prior to running configureSecurityStore.py. If you have already started the AdminServer, it is too late now to run configureSecurityStore.py - you need to recreate the domain.
