Monday, June 21, 2010

Troubleshooting OES 10gR3 cp4 Installation of WLS SM

I wanted to share three troubleshooting tips that I used while installing and configuring OES 10gR3 cp4 for the OES OWSM update post.

SCM Won't Start


In order for the SCM to run, it needs two separate sockets: one for "public" and one for "private" requests. You can see the SCM configuration in ales32-scm/apps/scm-asi/SAR-INF/config.xml. By default the installer creates one listener for the hostname on port 7013 and another on 127.0.0.1 on port 7013. If in your environment the hostname maps to 127.0.0.1, then these are the same socket, and when the SCM tries to start the second listener you'll get a BindException. The fix is to create a second loopback adapter with a fixed IP address and change the 127.0.0.1 to that IP address. This will fix the SCM start-up problem.
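A pre-flight check for the listener collision described above, added here as an example (not part of the original post or of the OES product). It assumes the two default listeners are hostname:7013 and 127.0.0.1:7013 as stated; the hostname and the second loopback address used in the test are constructed.

```python
import socket
from typing import Callable, Iterable, List, Optional, Tuple

Listener = Tuple[str, int]

def resolve_ipv4(host: str) -> str:
    """Resolve a listener host to one IPv4 address, as the SCM's bind() would."""
    return socket.gethostbyname(host)

def colliding_listeners(listeners: Iterable[Listener],
                        resolve: Callable[[str], str] = resolve_ipv4
                        ) -> List[Tuple[Listener, Listener, Listener]]:
    """Return (first, second, socket) for every listener that lands on a socket an
    earlier listener already claimed. The SCM needs two distinct sockets (public and
    private); if the hostname listener resolves to 127.0.0.1 it shares 127.0.0.1:7013
    with the loopback listener and the second bind() fails with a BindException."""
    seen = {}
    collisions = []
    for host, port in listeners:
        sock = (resolve(host), port)
        if sock in seen:
            collisions.append((seen[sock], (host, port), sock))
        else:
            seen[sock] = (host, port)
    return collisions

def scm_default_listeners(hostname: Optional[str] = None) -> List[Listener]:
    """The two listeners the cp4 installer writes into SAR-INF/config.xml by default."""
    if hostname is None:
        hostname = socket.gethostname()
    return [(hostname, 7013), ("127.0.0.1", 7013)]

if __name__ == "__main__":
    # Pre-flight check on the real box, using the system resolver for this host.
    for first, second, sock in colliding_listeners(scm_default_listeners()):
        print(f"{first} and {second} both bind {sock[0]}:{sock[1]}; "
              "point the private listener at a second loopback adapter's fixed IP")
```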

WLS Server with WLS SM won't start - non JRF Domain


After running the config tool, and after all of the policies have been created, the WLS server won't start, with an error like "User weblogic is not authorized to boot the server". This most likely means that the policies have not been distributed to the WLS Server, so you need to force a policy distribution. The surefire way to do this is as follows:

  • In ales32-ssm/wls-ssm/instance/instancename/work/runtime, remove state.chk
  • Remove all of the files in ales32-ssm/wls-ssm/instance/instancename/work/runtime/policyA
  • Remove all of the files in ales32-ssm/wls-ssm/instance/instancename/work/runtime/policyB
  • At this point, all you should have in ales32-ssm/wls-ssm/instance/instancename/work/runtime is two empty directories, policyA and policyB
  • Log into the asi console, navigate to "Deployment", "Deployment Status" and click on the trash can next to the instance of the SM. This won't hurt anything; it just forces the SM, when it starts, to re-register with the admin and get fresh policy.
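The file-system part of the procedure above as a script, added here as an example (not from the original post or from the OES distribution). It takes the runtime directory path as its argument; the asi console step still has to be done by hand.

```python
import shutil
from pathlib import Path
from typing import List

POLICY_DIRS = ("policyA", "policyB")

def reset_sm_policy_cache(runtime_dir) -> List[str]:
    """Clear the WLS SM's cached policy so it re-registers with the admin and pulls
    fresh policy on the next boot. Mirrors the manual steps: delete state.chk and
    empty policyA and policyB. Deleting the SM instance under Deployment >
    Deployment Status in the asi console is not automated here."""
    runtime = Path(runtime_dir)
    removed = []
    state = runtime / "state.chk"
    if state.exists():
        state.unlink()
        removed.append(state.name)
    for name in POLICY_DIRS:
        pdir = runtime / name
        pdir.mkdir(exist_ok=True)  # the directory must exist afterwards, just empty
        for entry in list(pdir.iterdir()):
            shutil.rmtree(entry) if entry.is_dir() else entry.unlink()
            removed.append(f"{name}/{entry.name}")
    return removed

def runtime_is_clean(runtime_dir) -> bool:
    """True when runtime/ holds nothing but empty policyA and policyB, which is what
    you should see before restarting the domain."""
    runtime = Path(runtime_dir)
    names = sorted(p.name for p in runtime.iterdir())
    return names == list(POLICY_DIRS) and all(
        not any((runtime / n).iterdir()) for n in names)

if __name__ == "__main__":
    import sys
    # Usage: python reset_sm_policy.py ales32-ssm/wls-ssm/instance/instancename/work/runtime
    for item in reset_sm_policy_cache(sys.argv[1]):
        print("removed", item)
    print("clean:", runtime_is_clean(sys.argv[1]))
```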


If you did it right, when you restart the WLS domain you'll get a warning about a "missing state.chk", which means that you're getting fresh policy, and the server should boot normally.

WLS Server with WLS SM won't start - JRF Domain


The most common example of a JRF domain is a SOA Suite domain. A JRF domain uses OPSS, and OPSS requires at least one LDAP authentication provider. The config tool for the WLS SM creates a WLS realm that has only the OES RDBMS authenticator. In this case, even if you get past the previous issue, you'll hit an error like:

<Jun 21, 2010 4:35:06 PM EDT> <Error> <Security> <BEA-090892> <The dynamic loading of the OPSS java security policy provider class oracle.security.jps.internal.policystore.JavaPolicyProvider failed due to problem inside OPSS java security policy provider. Exception was thrown when loading or setting the JPSS policy provider. Enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider>
<Jun 21, 2010 4:35:06 PM EDT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The dynamic loading of the OPSS java security policy provider class oracle.security.jps.internal.policystore.JavaPolicyProvider failed due to problem inside OPSS java security policy provider. Exception was thrown when loading or setting the JPSS policy provider. Enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
weblogic.security.SecurityInitializationException: The dynamic loading of the OPSS java security policy provider class oracle.security.jps.internal.policystore.JavaPolicyProvider failed due to problem inside OPSS java security policy provider. Exception was thrown when loading or setting the JPSS policy provider. Enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1394)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1018)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace

Caused By: oracle.security.jps.JpsRuntimeException: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:256)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:248)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:130)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
Truncated. see log file for complete stacktrace

Caused By: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:675)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:254)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:248)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:130)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
Truncated. see log file for complete stacktrace

Caused By: java.security.PrivilegedActionException: oracle.security.jps.JpsException: [PolicyUtil] Unable to obtain default JPS Context!
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:622)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:254)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:248)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:130)
Truncated. see log file for complete stacktrace

Caused By: oracle.security.jps.JpsException: [PolicyUtil] Unable to obtain default JPS Context!
at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:637)
at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:622)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:622)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:254)
Truncated. see log file for complete stacktrace

Caused By: oracle.security.jps.service.idstore.IdentityStoreException: Failed to create identity store service instance idstore.ldap.provider:idstore.ldap. Reason: No Default or LDAP Authenticator configured on WLS.
at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getIdStoreConfig(LdapIdentityStoreProvider.java:227)
at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:108)
at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:59)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:170)
Truncated. see log file for complete stacktrace

Caused By: oracle.security.jps.JpsRuntimeException: No Default or LDAP Authenticator configured on WLS

So you need an LDAP authentication provider. The quick and dirty way to fix this is to edit config.xml: cut and paste the DefaultAuthenticator from the other realm (myrealm) in the file and add it before the OES RDBMS authenticator:

<sec:authentication-provider xsi:type="wls:default-authenticatorType">
  <wls:use-retrieved-user-name-as-principal>true</wls:use-retrieved-user-name-as-principal>
</sec:authentication-provider>
<sec:authentication-provider xmlns:ext="http://www.bea.com/ns/weblogic/90/security/extension" xsi:type="ext:database-authenticatorType">
  <n1:name xmlns:n1="http://www.bea.com/ns/weblogic/90/security">DatabaseAuthenticator</n1:name>
  <ext:jdbc-driver-class-name>oracle.jdbc.driver.OracleDriver</ext:jdbc-driver-class-name>
  <ext:jdbc-connection-url>jdbc:oracle:thin:@localhost:1521:xe</ext:jdbc-connection-url>
  <ext:database-user-login>oes10gR3cp4</ext:database-user-login>
  <ext:identity-scope>RootOrg!defaultOrg!defaultUsers</ext:identity-scope>
  <ext:database-user-password-encrypted>{AES}uUvyzqwh98bA/POG9/jhP6ITfnptEYE0RbkaZMofsC4=</ext:database-user-password-encrypted>
</sec:authentication-provider>


This should get the server started. What I like to do is to have the Default Authenticator first, set to sufficient, and keep the RDBMS authenticator, also set to sufficient. That way, if you want to use tools like Eclipse to deploy applications to a WLS domain protected by OES, you won't run into the issue of Eclipse de-serializing the OES principals. Trust me, this is the simplest set-up.
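The config.xml edit described above and the "both sufficient" ordering, done with the standard library as an added example (not the post's own procedure or any Oracle tooling). It works on a <sec:realm> fragment rather than the whole config.xml, the realm fragment is constructed, and it assumes the control flag is the sec:control-flag element; take a backup of config.xml before applying any output to a real domain.

```python
import xml.etree.ElementTree as ET
# Namespaces of a WLS 10.3 config.xml realm, with the prefixes used in the post.
SEC = "http://www.bea.com/ns/weblogic/90/security"
WLS = "http://www.bea.com/ns/weblogic/90/security/wls"
EXT = "http://www.bea.com/ns/weblogic/90/security/extension"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
for p, u in (("sec", SEC), ("wls", WLS), ("ext", EXT), ("xsi", XSI)): ET.register_namespace(p, u)
PROVIDER = f"{{{SEC}}}authentication-provider"
NAME = f"{{{SEC}}}name"
FLAG = f"{{{SEC}}}control-flag"  # assumption: control-flag is in the sec namespace
TYPE = f"{{{XSI}}}type"

def set_control_flag(provider, flag="SUFFICIENT"):
    """Set the provider's control flag, adding the element after <name> if absent."""
    el = provider.find(FLAG)
    if el is None:
        name = provider.find(NAME)
        el = ET.Element(FLAG)
        provider.insert(0 if name is None else list(provider).index(name) + 1, el)
    el.text = flag

def add_default_authenticator(realm_xml: str) -> str:
    """Insert a SUFFICIENT DefaultAuthenticator ahead of the OES RDBMS authenticator
    in a <sec:realm> fragment and mark the RDBMS authenticator SUFFICIENT too."""
    realm = ET.fromstring(realm_xml)
    providers = realm.findall(PROVIDER)
    if any(p.get(TYPE, "").endswith("default-authenticatorType") for p in providers):
        raise ValueError("realm already has a DefaultAuthenticator")
    rdbms = next(p for p in providers if p.get(TYPE, "").endswith("database-authenticatorType"))
    default = ET.Element(PROVIDER, {TYPE: "wls:default-authenticatorType"})
    ET.SubElement(default, NAME).text = "DefaultAuthenticator"
    set_control_flag(default)
    set_control_flag(rdbms)
    realm.insert(list(realm).index(rdbms), default)
    # ElementTree only declares namespaces of elements it emits; if nothing is in the
    # wls namespace, declare the prefix the new xsi:type value relies on by hand.
    if not any(e.tag.startswith("{" + WLS + "}") for e in realm.iter()):
        realm.set("xmlns:wls", WLS)
    return ET.tostring(realm, encoding="unicode")

def provider_order(realm_xml: str):
    """(xsi:type, control-flag) for each provider, in realm order, for a sanity check."""
    return [(p.get(TYPE), p.findtext(FLAG)) for p in ET.fromstring(realm_xml).findall(PROVIDER)]

# Constructed realm fragment in the shape the WLS SM config tool leaves behind:
# only the OES RDBMS authenticator, so OPSS finds no Default or LDAP authenticator.
REALM_BEFORE = f"""<sec:realm xmlns:sec="{SEC}" xmlns:ext="{EXT}" xmlns:xsi="{XSI}">
  <sec:authentication-provider xsi:type="ext:database-authenticatorType">
    <sec:name>DatabaseAuthenticator</sec:name>
    <ext:jdbc-driver-class-name>oracle.jdbc.driver.OracleDriver</ext:jdbc-driver-class-name>
  </sec:authentication-provider>
</sec:realm>"""
```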

Summary


First of all, Chris helped me with some of these pointers, but he's in Europe helping a customer, so I didn't want to wait. Full credit to Chris for wading through many of these issues first. I hope that the pointers help you get the OES 10gR3 CP4 WLS SM running smoothly. If you have some pointers of your own, please post them here.
