Comments on Oracle Fusion Middleware Security: The "reassociation" business
Blog author: Chris Johnson (Oracle). Comment feed last updated 2023-05-22. 23 comments, newest first.


Andre Correa, 2013-03-18 18:47 (-07:00):

Tara, you're welcome.
I think something went wrong when you ran reassociateSecurityStore. Did you notice any errors? Please let me know the exact command you've executed.
Andre.


Tara singh, 2013-03-14 13:11 (-07:00):

Hi Andre, thanks for the help, I am able to proceed with WLST scripts for reassociateSecurityStore.

Whenever I run the WebLogic Server, I get this exception: oracle.security.jps.service.policystore.PolicyObjectNotFoundException: JPS-04028: Application with name "cn=test_domain,cn=JPSContext,cn=jpsTestNode" does not exist.

Since it doesn't need to be created like in the case of OID, I did not create it. Please help.


Andre Correa, 2013-03-11 18:36 (-07:00):

Tara,

you need a JRF-based domain. OPSS is not available in standalone WebLogic.
You need some FMW piece (SOA, WebCenter, IdM, BI, etc.) to get JRF.

Andre.


Andre Correa, 2013-03-11 18:34 (-07:00):

nmnative,

it's not part of the setup process. You have to do it explicitly later on, either through WLST or through EM.
If you want to switch back to file, you could theoretically redeploy all applications that use the OPSS policy store (a bunch of FMW applications, depending on your domain configuration). But that's nowhere near a supported option. It's a waste of time. Don't do it. The only option would be to back up the file-based policy store before going to LDAP or DB. But that also brings its own challenges, since you would have to transfer over all policies from LDAP/DB that were created after reassociation.

Andre.


Tara singh, 2013-03-11 14:02 (-07:00):

Hi Andre,

I have a standalone WebLogic setup and I am trying to configure authorization with a DB-based policy store. I have created the OPSS schema and added the datasource in WebLogic.
I am trying to reassociate the security store to the DB, and I always get: javax.management.InstanceNotFoundException: javax.management.InstanceNotFoundException: com.oracle.jps:type=JpsConfig. Please suggest if there is something missing.


nmnative, 2013-03-11 12:36 (-07:00):

Andre,

Thanks for the helpful post.

Can you tell me at what point in the setup process I would have the opportunity to select what store to use (File or LDAP)? I am currently set up for LDAP and I don't recall selecting this store type.

Since there is no supported way to change from LDAP to file, what applications would need to be de-installed/reinstalled to utilize the system-jazn-data.xml file again?


Andre Correa, 2013-03-08 09:04 (-08:00):

Thanks dty. Post updated.

Andre.


dty, 2013-03-08 03:33 (-08:00):

Great article - it simplifies for me what is a confusing area in the product docs.

Just one typo:

  'servertype is the security store type. Supported values are "OID" and "Oracle_DB".'

- should be "DB_ORACLE"

Also, a link to Kavitha's post would be useful - I found it in the end and it too is very helpful.


Andre Correa, 2013-02-28 17:12 (-08:00):

Jeremy,

from an OPSS perspective, this approach should be fine. I will ask around internally and get back to you. Meanwhile, let me know which kind of issues you're getting now.

Andre.


Jeremy, 2013-02-27 08:13 (-08:00):

Hi Andre - another theory... I tried another iteration of the upgrade, this time switching from file to DB store before starting the upgrade process:

  reassociateSecurityStore(domain="IAM", datasourcename="jdbc/OPSSDBDS", servertype="DB_ORACLE", jpsroot="cn=jpsRoot")

I then skip that execution of configureSecurityStore during the 11.1.2 upgrade process... as I'm already using a DB store. This results in a working adminserver... and OIM & SOA start too - although I have some issues with OIM. Unsure if they are related to the upgrade approach I used. Moreover, I'm not comfortable applying this process, which deviates from the official process, to my prod env.


Andre Correa, 2013-02-26 11:51 (-08:00):

Jeremy,

Did you get any exceptions while running configureSecurityStore.py -d -c IAM -p -m create ?

Andre.


Jeremy, 2013-02-26 11:20 (-08:00):

Hi Andre - unfortunately, EM is nonfunctional when I start adminserver. The app fails to start - a victim of the PolicyStoreExceptions. I can browse the raw DB tables, but it's hard to make sense of it.

I have created a separate/new/non-upgraded OIM 11.1.2 installation for comparison (separate schemas etc.). Using the official install procedure, I used configureSecurityStore with "-m create". That installation works fine.

It occurs to me that using "-m create" makes sense for a new install, where I don't have an existing security store, and the DB store has to be fully seeded. But in the case of my upgrade, I obviously have an existing file-based security store and domain... so as you said, reassociating the domain with the new DB store and migrating my existing store data to the DB store would seem to be what I need. Maybe using "-m create" is not the right switch?

Alternatively, maybe I could switch to the DB store at my baseline 11.1.1.5 state - before even starting the OIM 11.1.2 upgrade?


Andre Correa, 2013-02-26 10:17 (-08:00):

Jeremy, configureSecurityStore.py reassociates the domain and migrates policy data to the new policy store repository, which in your case is a database.
As far as I can tell, the difference between configureSecurityStore.py and reassociateSecurityStore is that the former can be used in offline mode.

Your policies, once in a file, should be migrated under a structure like cn=IAM,cn=JPSContext,cn=jpsroot. Check if you can browse them through Enterprise Manager.

This obviously depends on the OPSS database schema being available and the OPSS data source in the WebLogic domain.

Andre.


Jeremy, 2013-02-26 09:31 (-08:00):

I am working on upgrading OIM from 11.1.1.5 to 11.1.2. My 11.1.1.5 env has a "file" security store. The upgrade procedure has me creating the OPSS schema, extending the domain for OPSS (which I think just creates the DS), running upgradeOPSS(), and then it asks me to "configure the database Security Store". The upgrade doc isn't very specific as to what I should do here. They point me to the OPSS setup procedure for a new install, running:

  configureSecurityStore.py -d -c IAM -p -m create

which I've tried, and it results in a broken env, where adminserver throws lots of PolicyStoreExceptions in its log.

Should I be doing reassociateSecurityStore() instead?


steve, 2012-06-20 21:44 (-07:00):

Thanks, this was helpful. I had more luck with the OPSS store.
The LDAP reassociation didn't bring over the necessary code grants.


Andre Correa, 2012-06-08 10:41 (-07:00):

The reassociation command has probably failed. If this is the first domain being reassociated, make sure the join parameter is set to false. Please observe the outcome of the reassociation operation.


Andre Correa, 2012-06-08 10:36 (-07:00):

Abhi, I am not sure how harmful this message is from the SOA perspective. From a security perspective, it means that, during WebLogic startup, some application is being denied access to reading the BPM-CRYPTO key in the credential store. The way to fix this problem is creating a code grant in the policy store for the application. You may want to explore this post: http://fusionsecurity.blogspot.com/2011/04/watch-out-those-code-source-grants.html
Thanks,
Andre.


Andre Correa, 2012-06-08 10:24 (-07:00):

The reassociation command has probably failed.
If this is the first domain being reassociated, make sure the join parameter is set to false.


Ryan, 2012-03-15 23:43 (-07:00):

We have reassociated OID to Oracle WebCenter, but when trying to start the WebLogic server, it has an error: "The credential store DN is missing in the LDAP store; the target DN must be pre-configured." Do you have a workaround for this?


Ryan, 2012-03-15 19:11 (-07:00):

Hi, after reassociation I have an error like JPS-01055. It says "Could not create ldap credential store instance." This error occurred when starting the WebLogic server. Do you have a workaround for this?
Thanks


Abhi, 2012-03-12 21:54 (-07:00):

Hey Andre,

Thanks for the response.
I realized later that the changes to be done on Enterprise Manager (Change Security Store) were already done by my team mate, and me running the WLST over the configuration resulted in this unique integrity issue.

Once the configuration was complete and I started the managed server for the SOA server, I got the below exception:

I am currently investigating the reason for this exception. Any help would be greatly appreciated.

Again, thanks a lot for this simplified blog.

java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=BPM-CRYPTO,keyName=BPM-CRYPTO read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:436)
        at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:496)
        at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:519)
        at oracle.security.jps.internal.credstore.util.CsfUtil.checkPermission(CsfUtil.java:611)
        at oracle.security.jps.internal.credstore.ldap.LdapCredentialStore.getCredential(LdapCredentialStore.java:296)
        at oracle.bpel.services.common.util.GenerateBPMCryptoKey.storeCSFCredentialInfo(GenerateBPMCryptoKey.java:75)
        at oracle.bpel.services.common.util.GenerateBPMCryptoKey.main(GenerateBPMCryptoKey.java:57)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at weblogic.management.deploy.classdeployment.ClassDeploymentManager.invokeMain(ClassDeploymentManager.java:362)
        at weblogic.management.deploy.classdeployment.ClassDeploymentManager.invokeClass(ClassDeploymentManager.java:272)
        at weblogic.management.deploy.classdeployment.ClassDeploymentManager.access$000(ClassDeploymentManager.java:54)
        at weblogic.management.deploy.classdeployment.ClassDeploymentManager$1.run(ClassDeploymentManager.java:214)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.management.deploy.classdeployment.ClassDeploymentManager.invokeClassDeployment(ClassDeploymentManager.java:207)
        at weblogic.management.deploy.classdeployment.ClassDeploymentManager.runStartupsBeforeAppDeployments(ClassDeploymentManager.java:149)
        at weblogic.management.deploy.classdeployment.ClassDeploymentService.start(ClassDeploymentService.java:20)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Error occurs while creating BPM-CRYPTO key in Credential Store

Thanks,
Abhi


Andre Correa, 2012-03-12 09:43 (-07:00):

Abhi,
is this the first domain being reassociated to the DB policy store?
If this is not the first domain being reassociated, which value are you giving to the join parameter?
Thanks,
Andre.


Abhi, 2012-03-12 07:35 (-07:00):

Hi,

I am working on doing the reassociation to an Oracle database.

When I ran the WLST command I got an exception as below:

Based on your work on this, can you please let me know if you have faced this issue and if you have a solution for the same.

Starting policy store reassociation.
The store and ServiceConfigurator setup done.
Schema is seeded into the store
Command FAILED, Reason: oracle.security.jps.service.policystore.PolicyObjectAlreadyExistsException: javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.1.3.v20110304-r9073): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (DEV_OPSS.IDX_JPS_RDN_PDN) violated

Error Code: 1
Call: INSERT INTO JPS_DN (ENTRYID, RDN, PARENTDN) VALUES (?, ?, ?)
        bind => [5303, cn=systempolicy, cn=securitystore,cn=jpscontext,cn=opss4_domain,]
Query: InsertObjectQuery(EntryId=5303:rdn=cn=systempolicy:pdn=cn=securitystore,cn=jpscontext,cn=opss4_domain,: JpsStore Entry={[EntryId = 5303:Attribute RowId = 7541
dn = cn=SystemPolicy,cn=opss4_domain,cn=JPSContext,cn=SecurityStore, EntryId = 5303:Attribute RowId = 7542
objectclass = top, EntryId = 5303:Attribute RowId = 7543
objectclass = orclContainer, EntryId = 5303:Attribute RowId = 7544
cn = SystemPolicy]})

.......

The RCU schema for OPSS was created on an XE database on Windows.

Thanks,
Abhi
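Added example (not code from the blog, the commenters or Oracle): a small Python helper for the kind of log Abhi pasted above. It parses an `access denied (...)` message from a WebLogic server log into permission class, target and actions, picks out the stack frames that are not JDK, WebLogic or OPSS code (the application whose code source lacks the grant, as Andre describes), and renders the matching OPSS WLST `grantPermission()` call for the operator to review. The sample log is constructed from the comment above with a few frames kept; the `codeBaseURL` is a placeholder the operator must replace with the real code source, and the `grantPermission` parameter names are assumed from the OPSS WLST reference, so check them against your release before use.

```python
import re

# Constructed sample input: the AccessControlException from the comment thread,
# re-joined onto full lines as it appears in a WebLogic server log. Only a few
# frames are kept; the parser does not depend on the exact frame count.
SAMPLE_LOG = """\
java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=BPM-CRYPTO,keyName=BPM-CRYPTO read)
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
\tat oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:519)
\tat oracle.security.jps.internal.credstore.ldap.LdapCredentialStore.getCredential(LdapCredentialStore.java:296)
\tat oracle.bpel.services.common.util.GenerateBPMCryptoKey.storeCSFCredentialInfo(GenerateBPMCryptoKey.java:75)
\tat oracle.bpel.services.common.util.GenerateBPMCryptoKey.main(GenerateBPMCryptoKey.java:57)
\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
\tat weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Error occurs while creating BPM-CRYPTO key in Credential Store
"""

# "access denied (<permission class> <target> <actions>)" as java.security prints it.
DENIED_RE = re.compile(
    r"access denied \((?P<cls>[\w.$]+) (?P<target>\S+) (?P<actions>[\w,]+)\)")
# One stack frame: "at <class>.<method>(<file>:<line>)" or "(Native Method)".
FRAME_RE = re.compile(r"^\s*at ([\w.$]+)\.([\w$<>]+)\(", re.M)

# Frames from these packages are the JDK, WebLogic and OPSS itself, i.e. the
# code doing the permission check, not the code that needs the grant.
PLATFORM_PREFIXES = ("java.", "javax.", "sun.", "oracle.security.jps.", "weblogic.")


def parse_denials(log_text):
    """Return one dict per 'access denied' message: permission class, raw target,
    the target split into its key=value fields, and the list of actions."""
    denials = []
    for m in DENIED_RE.finditer(log_text):
        d = m.groupdict()
        # A CredentialAccessPermission target reads "context=...,mapName=...,keyName=..."
        d["target_fields"] = dict(
            kv.split("=", 1) for kv in d["target"].split(",") if "=" in kv)
        d["actions"] = d["actions"].split(",")
        denials.append(d)
    return denials


def candidate_callers(log_text):
    """Fully qualified methods on the stack that are not platform code, innermost
    first. The first one is the best guess for the code source lacking the grant."""
    callers = []
    for cls, method in FRAME_RE.findall(log_text):
        if not cls.startswith(PLATFORM_PREFIXES):
            callers.append("%s.%s" % (cls, method))
    return callers


def grant_command(denial, code_base_url):
    """Render the OPSS WLST grantPermission() call for this denial, for review.
    code_base_url is the code source URL of the denied application and must be
    supplied by the operator. Parameter names are assumed from the OPSS WLST
    reference; verify them against your release's documentation."""
    return ('grantPermission(codeBaseURL="%s", permClass="%s", '
            'permTarget="%s", permActions="%s")' % (
                code_base_url, denial["cls"], denial["target"],
                ",".join(denial["actions"])))


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print("denied: %s on %s, actions %s" % (d["cls"], d["target_fields"], d["actions"]))
        print("likely caller(s): %s" % candidate_callers(SAMPLE_LOG))
        # PLACEHOLDER code source; replace with the real one before running in WLST.
        print(grant_command(d, "file:${domain.home}/PLACEHOLDER-app-codesource.jar"))
```

The point of separating `candidate_callers` from `grant_command` is that the grant should be scoped to the code source that actually made the call, not to a broad URL; the rendered command is something to read and check, not to paste blindly.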