XACML Authorization: Decision 'Indeterminate'

Hi All,
We have a Web Service management tool which does Authentication and Authorization for all the incoming WebService request.
Authorization is based on the rules that are configured for the appropriate service.
We also have XPath specification as part of rule configuration.
We have a rule configured as mentioned below
TestService is authorized to users of a particular group (TestGroup1) and XPath (\\com9:source[@VendorId='AB']).
When we tried accessing the Test Service, we received the following response despite giving a valid user (TestUser1 belonging to TestGroup1) and the proper XML element [com9:source VendorId='AB'] in the request.
<Response>
  <Result ResourceID="http://testHost:testPort/TestService">
    <Decision>Indeterminate</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
      <StatusMessage>error in XPath: Prefix must resolve to a namespace: com9</StatusMessage>
    </Status>
  </Result>
</Response>
XACML authorization is done with the help of sunxacml.jar. The API 'PDP.evaluate(RequestCtx)' is invoked and
we got the above mentioned response. We came to know that the decision 'Indeterminate' comes if any exception occurs during authorization.
It would be very helpful if we get to know the root cause of the decision 'Indeterminate' in the above mentioned scenario and the possible scenarios that lead to an 'Indeterminate' decision.
Thanks in advance,
With regards,
Priya.
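The failure mode described above can be reproduced without sunxacml. The following Python sketch is an added example, not code from the original thread or from the sunxacml project: a rule whose XPath uses the prefix com9 is evaluated once with a prefix-to-namespace binding and once without one. In the second case the XPath engine throws, and the PDP-style wrapper turns that exception into Indeterminate with a processing-error status, exactly the shape of the response quoted in the question. The namespace URI urn:example:com9, the sample SOAP request and the function names are assumptions; the two status URNs are the XACML 1.0 values. The last function shows the complementary enforcement check: a PEP that treats anything other than an explicit Permit as a refusal, so an evaluation error fails closed.

```python
import xml.etree.ElementTree as ET

# XACML 1.0 status code URNs (from the standard; the second one is the code
# carried by the response quoted in the question).
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"

# Constructed sample request. The com9 namespace URI is a hypothetical
# placeholder; the real one would come from the service's schema.
COM9_NS = "urn:example:com9"
SAMPLE_REQUEST = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    f'xmlns:com9="{COM9_NS}">'
    '<soap:Body><com9:source VendorId="AB">order-123</com9:source></soap:Body>'
    '</soap:Envelope>'
)

# The rule from the question, written as a relative ElementTree path, and the
# prefix map the evaluator must be handed for it to be resolvable.
RULE_XPATH = ".//com9:source[@VendorId='AB']"
RULE_NAMESPACES = {"com9": COM9_NS}


def evaluate_xpath_rule(request_xml, xpath, namespaces):
    """Evaluate one XPath-based rule the way a PDP does.

    Returns a (decision, status_code, status_message) triple. Any exception
    raised while parsing the request or evaluating the XPath becomes
    Indeterminate with a processing-error status, mirroring the behaviour the
    question reports for sunxacml when evaluation throws.
    """
    try:
        root = ET.fromstring(request_xml)
        matches = root.findall(xpath, namespaces)
    except (ET.ParseError, SyntaxError, KeyError) as exc:
        # With no binding for com9, ElementTree raises
        # SyntaxError("prefix 'com9' not found in prefix map"), the analogue
        # of "Prefix must resolve to a namespace: com9" in the thread.
        return ("Indeterminate", STATUS_PROCESSING_ERROR, f"error in XPath: {exc}")
    if matches:
        return ("Permit", STATUS_OK, "")
    return ("NotApplicable", STATUS_OK, "")


def pep_allows(decision):
    """Deny-biased enforcement point: only an explicit Permit grants access.

    Indeterminate (evaluation failed) and NotApplicable (no rule matched)
    are both refused, so a misconfigured PDP fails closed rather than open.
    """
    return decision == "Permit"


def main():
    # Correctly configured: the prefix map accompanies the rule.
    print(evaluate_xpath_rule(SAMPLE_REQUEST, RULE_XPATH, RULE_NAMESPACES))
    # Misconfigured: the rule uses com9 but no binding was registered.
    decision = evaluate_xpath_rule(SAMPLE_REQUEST, RULE_XPATH, {})
    print(decision)
    print("access granted:", pep_allows(decision[0]))


if __name__ == "__main__":
    main()
```

Two things to take from this when reading an Indeterminate result: it reports that evaluation could not complete, not that the subject was refused, so the root cause is in the PDP's configuration rather than in the request; and in XACML the prefixes used inside an AttributeSelector's XPath are resolved against the namespace declarations in scope on the policy element, so the first thing to check is whether com9 is declared there. Other ways to reach Indeterminate include a malformed request document or an attribute the policy marks as mandatory being absent, which is why the enforcement point should never treat it as a Permit.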

Found it! First, of course, there are conditions which already cover simple cases. For more elaborate authorization one can add new conditions by extending a java interface, as described here:
http://docs.sun.com/app/docs/doc/819-4675/6n6qfk0o3?a=view
By writing a new xml-document you can add a new policy service with arbitrary methods. The process is described in the manual or here:
http://developers.sun.com/identity/reference/techart/secureapps.html

Similar Messages

  • Authorization decision based on property of accessed resource?

    Hi everyone!
    Is it possible to base the decision of a policy service in AM on a property of the accessed resource? I can specify the method and the resource name, but can I also specify a property of the resource, maybe using some plugin for AM? For example, a doctor should only be allowed access to a patient's file if it's his patient, and the patient has a property naming the doctor in charge.
    And another question: How can I take things such as time into account in an authorization decision? I don't want to code this in the application. The application should only ask: May $Subject access $Resource using $Method? Everything else (time, role of subject etc.) should be definable on the PDP.
    Thanks for comments!
    Chris
    PS Actually I'd need a PDP which can handle policies as powerful as those definable using XACML combined with the authentication capabilities of AM.

    Found it! First, of course, there are conditions which already cover simple cases. For more elaborate authorization one can add new conditions by extending a java interface, as described here:
    http://docs.sun.com/app/docs/doc/819-4675/6n6qfk0o3?a=view
    By writing a new xml-document you can add a new policy service with arbitrary methods. The process is described in the manual or here:
    http://developers.sun.com/identity/reference/techart/secureapps.html

  • Use of default XACML with custom role mapper and authorization provider

    Hi,
    Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
    My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
    Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

    I see 2 approaches. First, write a custom authenticator that stores the role information in the subject either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then write a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
    Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
    The chosen approach depends on where you're getting the role information from.

  • Role Mapper and Authorizer

    At one point I posted a forum entry and posted a solution for my entry regarding keeping the app deployments around while recreating/overwriting the domain using WLST offline. Keep App Deployments while recreating the domain in WLST offline
    Things seem to work, except that I noticed that the XACML Role Mapper and Authorizer that were created the first time around (when there is no domain folder) are getting replaced by the default Role Mapper and Authorizer (on subsequent runs when the domain folder already exists and we overwrite the domain).
    Basically the first readDomain is causing this. Without reading the domain, I cannot get the app list.
    System.setProperty("com.bea.cie.script.throwException","true")
    appdeps={}
    try:
      readDomain('c:/temp/basicWLSDomain')
      cd('/AppDeployments')
      apps=ls(returnMap='true')
      for app in apps:
        appdeps[app]=ls(app,returnMap='true', returnType='a')
    except:
      pass
    try:
      closeDomain()
    except:
      pass
    #=======================================================================================
    # Open a domain template.
    #=======================================================================================
    readTemplate("c:/wls11/wlserver_10.3/common/templates/domains/wls.jar")
    #=======================================================================================
    # Configure the Administration Server and SSL port.
    # To enable access by both local and remote processes, you should not set the
    # listen address for the server instance (that is, it should be left blank or not set).
    # In this case, the server instance will determine the address of the machine and
    # listen on it.
    #=======================================================================================
    cd('Servers/AdminServer')
    set('ListenAddress','')
    set('ListenPort', 7001)
    create('AdminServer','SSL')
    cd('SSL/AdminServer')
    set('Enabled', 'True')
    set('ListenPort', 7002)
    #=======================================================================================
    # Define the user password for weblogic.
    #=======================================================================================
    cd('/')
    cd('Security/base_domain/User/weblogic')
    cmo.setPassword('weblogic11g')
    #=======================================================================================
    # Create a JMS Server.
    #=======================================================================================
    cd('/')
    create('myJMSServer', 'JMSServer')
    #=======================================================================================
    # Create a JMS System resource.
    #=======================================================================================
    cd('/')
    create('myJmsSystemResource', 'JMSSystemResource')
    cd('JMSSystemResource/myJmsSystemResource/JmsResource/NO_NAME_0')
    #=======================================================================================
    # Create a JMS Queue and its subdeployment.
    #=======================================================================================
    myq=create('myQueue','Queue')
    myq.setJNDIName('jms/myqueue')
    myq.setSubDeploymentName('myQueueSubDeployment')
    cd('/')
    cd('JMSSystemResource/myJmsSystemResource')
    create('myQueueSubDeployment', 'SubDeployment')
    #=======================================================================================
    # Create and configure a JDBC Data Source, and sets the JDBC user.
    #=======================================================================================
    cd('/')
    create('myDataSource', 'JDBCSystemResource')
    cd('JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
    create('myJdbcDriverParams','JDBCDriverParams')
    cd('JDBCDriverParams/NO_NAME_0')
    set('DriverName','com.pointbase.jdbc.jdbcUniversalDriver')
    set('URL','jdbc:pointbase:server://localhost/demo')
    set('PasswordEncrypted', 'PBPUBLIC')
    set('UseXADataSourceInterface', 'false')
    create('myProps','Properties')
    cd('Properties/NO_NAME_0')
    create('user', 'Property')
    cd('Property/user')
    cmo.setValue('PBPUBLIC')
    cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
    create('myJdbcDataSourceParams','JDBCDataSourceParams')
    cd('JDBCDataSourceParams/NO_NAME_0')
    set('JNDIName', java.lang.String("myDataSource_jndi"))
    cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
    create('myJdbcConnectionPoolParams','JDBCConnectionPoolParams')
    cd('JDBCConnectionPoolParams/NO_NAME_0')
    set('TestTableName','SYSTABLES')
    #=======================================================================================
    # Target resources to the servers.
    #=======================================================================================
    cd('/')
    assign('JMSServer', 'myJMSServer', 'Target', 'AdminServer')
    assign('JMSSystemResource.SubDeployment', 'myJmsSystemResource.myQueueSubDeployment', 'Target', 'myJMSServer')
    assign('JDBCSystemResource', 'myDataSource', 'Target', 'AdminServer')
    #=======================================================================================
    # Write the domain and close the domain template.
    #=======================================================================================
    setOption('OverwriteDomain', 'true')
    setOption('CreateStartMenu', 'false')
    writeDomain('c:/temp/basicWLSDomain')
    closeTemplate()
    #=======================================================================================
    # Exit WLST.
    #=======================================================================================
    exit()
    So I thought I would create the XACML Authorizer and Role Mapper myself instead of letting the default domain creation process do it. But that results in duplicates on the first run (when the domain folder does not exist), and in the subsequent runs (when the domain folder already exists) I see one XACML and one default.
    cd('/')
    create('base_domain', 'SecurityConfiguration')
    cd('SecurityConfiguration/base_domain/Realm/myrealm')
    ls('a')
    create('XACMLAuthorizer', 'weblogic.security.providers.xacml.authorization.XACMLAuthorizer','Authorizer')
    create('XACMLRoleMapper', 'weblogic.security.providers.xacml.authorization.XACMLRoleMapper','RoleMapper')
    I am going nowhere with Oracle Support. I am wondering if anyone ran into this before.

    com.oracle.cie.config-wls-schema_10.3.6.0.jar has various SecurityConfiguration XML fragments and the wrong fragment is being used when the domain is recreated.
    I am thinking it is a logic issue in domain creation.

  • ISE Authorization

    I am currently migrating from a CAS solution to ISE for posture assessment. Currently I am using LDAP for Authorization. When testing against ISE, I am unable to authorize users without changing the Authorization setting to ISE on my ASA. The problem is we use LDAP to make sure the user is in the right group for access. We aren't using ISE in an Active Directory setting. Is there a way I can trigger ISE to do the Posture Assessment without having to change my current Authorization scheme to ISE?

    You might be able to get it working using the AD server as the first authentication and ISE for the second one - sort of a 2-factor authentication model. As I understand it, you're really making a decision to authenticate with AD, not an authorization decision per se.
    Why not integrate ISE with AD and use it for both group validation and posture assessment? That's a common deployment scenario.

  • Authorization Rules.

    Hi,
    I am in the process of setting up OAM/OID to provide secure access to a website.
    Part of the website is public and part of the website is secure.
    For the secure part I want to limit access to a particular group of users who belong to i.e. secureGroup which has been created through the GroupManager function of Identity Administration.
    I have created a Policy Domain for the protected part. I have also created an Authorisation Rule for the allowed users to grant them access. My understanding is that I need to create an LDAP rule to provide access to the group in question.
    What is the format of the rule? The documentation goes a bit light as to the format of the rule. I am just not sure how to say - is the current user a member of secureGroup.....
    Any help or pointers would be useful.

    You're on the right track, however, the LDAP filter definition will not help you with a group based authorization decision (as a 'group' object never logs into the system).
    Hit the 'select user' button which opens the OAM selector app. Look closely in the top right hand corner of the UI for blue links on the blue background - one for Employees, one for Groups. Select Groups and then search for and select your group object. Save the rule.
    You can make the UI better by defining tab images for the person and group objectclasses - then those links are much more obvious.
    Mark

  • OAM - Authorization based on the authentication method

    We are using OAM 10g for a customer to protect a large number of web applications. In order to access those applications a user can choose from several authentication methods (e.g. client certificate, SecureId and mobile TAN). All applications use the same cookie domain and OAM provides SSO to the user. The customer now wants to define access rules for each of the applications based on the chosen authentication method.
    In other words, he wants to have the flexibility to define rules such as the following:
    Application A: Only accessible with client certificates
    Application B: Only accessible with mobile TAN
    Application D: Only accessible with SecureId or mobile TAN
    Application E: Accessible with any authentication method
    In order to implement this with OAM we would have to assign each authentication method a different authentication level and define authorization rules that depend on those authentication levels (maybe using a custom authorization plug-in). According to the OAM documentation it doesn't seem possible to reference the authentication level in an authorization rule.
    Does anyone know a way to implement these requirements?
    Any help is appreciated.
    Best regards,
    Donat

    This is how I think we can do this.
    Write an authentication plug-in which stores which authentication scheme was used to log in to the application in one of the multivalued attributes in OID. Also write an authorization plug-in which checks this value and makes the authentication decision.
    One more approach is to create as many attributes in OID as the number of authentication schemes you have. Each of them is a flag representing whether the user is logged in with that authentication scheme or not. When a user authenticates using an authentication scheme, turn on that flag. Also flush the access server user profile cache. In the authorization rule, use this flag to make authorization decisions. Using this approach, you do not have to write an authorization plugin, but this may not be a scalable approach as you might have to create a new attribute in OID when a new authentication scheme is added.
    You can also keep this information somewhere in a database or flat file and use that information in the authentication and authorization plugins.
    I hope one of these solutions will help you.
    Thanks
    Kiran Thakkar

  • Default Authorization Provider

    Is it possible to obtain the authorization provider? I need to check if a user is in a role using the AccessDecision.isAccessAllowed().
    I realize that we can call isUserInRole() and similar methods on the HttpRequest and EJBContext, but I am trying to port a pre WL7.0 custom realm, which used ACLs, with no impact on bean or servlet code. I am looking for something analogous to weblogic.security.acl.Security.hasPermission(java.security.Principal principal, java.lang.String aclName, java.security.acl.Permission permission, char sep).
    Thanks, Ziad--


  • Client side authentication, 2 sided SSL

    Hi,
    Is using client side SSL auth. effective when working (via webservice) with a load balancer (SSL termination) that passes requests to a server connected to it?
    Is this ok? Is it considered a best practice? Does the client side certificate add any security?
    THANKS!

    I agree with you sabre150. However, I was restricting my comments to the authentication part of Access Control (which I once defined in a book as being a three-part protocol dance, where every part is related, but independent):
    1) Identification - where someone claims to be somebody who needs access to a resource;
    2) Authentication - where that someone has to prove they are who they claim to be; and
    3) Authorization - where the system determines if that authenticated entity is authorized to access the resource.
    Sending the Client SSL certificate is Identification (anyone can do this so it doesn't prove anything). Digitally signing the nonce sent by the server is the proof (and the Authentication part of the dance). Verifying authorization is completely separate from the authentication part of the decision (which is what you referred to).
    Many people confuse all three steps as "authentication" because it happens seamlessly on most systems; but in reality, they are distinct parts that can be interchanged - you can use a username-string as an identifier, a password as an authenticator and a UNIX group membership for authorization. You can also use an LDAP DN as an identifier, a digital signature as an authenticator and a XACML rule-set for authorization - and so on.
    In the end, a system must do all three parts of the dance to provide access to protected resources; SSL ClientAuth focuses on only the authentication part of the dance; and for SSL ClientAuth to be considered secure, the protection of the Private Key becomes the single most important determinant. Everything after the verification of the digital signature is an authorization decision (which you pointed out).
    (Sorry for the long answer, but I often make mistaken assumptions that cause me to write more cryptically than I should).
    Arshad Noor
    StrongAuth, Inc.

  • ERROR: The Propagation operation ended in error. java.lang.reflect.Undeclar

    Dear all,
    I am using BEA WebLogic 10.0 and I am downloading the running Inventory,
    but the below problem occurs when I run the ant task for downloading, that is
    ant -buildfile propagation_ant.xml downloadSrc. I am new to BEA, so how can I debug the problem?
    VERBOSE: InventoryTreeWalker: visiting node: Application:ContentServices:BEA Repository:ContentNodes:Webmasters:Sports:I won`t step down from presidency Khan.txt
    ERROR: The Propagation operation ended in error.
    java.lang.reflect.UndeclaredThrowableException
    at weblogic.security.providers.xacml.authorization.XACMLAuthorizerMBeanImpl.policyExists(XACMLAuthorizerMBeanImpl.java:245)
    at sun.reflect.GeneratedMethodAccessor477.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.bea.p13n.security.internal.SecurityProviderProxy.invoke(SecurityProviderProxy.java:48)
    at $Proxy54.policyExists(Unknown Source)
    at com.bea.p13n.entitlements.management.internal.SecurityPolicyDelegate$3.run(SecurityPolicyDelegate.java:241)
    at com.bea.p13n.entitlements.management.internal.SecurityPolicyDelegate$3.run(SecurityPolicyDelegate.java:239)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(Unknown Source)
    at com.bea.p13n.entitlements.management.internal.SecurityPolicyDelegate.kernelRunAs(SecurityPolicyDelegate.java:433)
    at com.bea.p13n.entitlements.management.internal.SecurityPolicyDelegate.policyExists(SecurityPolicyDelegate.java:246)
    at com.bea.p13n.entitlements.management.internal.RDBMSSecurityPolicyManager.getSecurityPolicy(RDBMSSecurityPolicyManager.java:204)
    at com.bea.p13n.entitlements.management.SecurityPolicyManager.getSecurityPolicy(SecurityPolicyManager.java:119)
    at com.bea.propagation.content.online.util.SecurityHelper.getSecurityPolicy(SecurityHelper.java:146)
    at com.bea.propagation.content.online.util.SecurityHelper.getSecurityPolicies(SecurityHelper.java:122)
    at com.bea.propagation.content.online.hierarchy.ContentNodeHierarchy.discoverChildren(ContentNodeHierarchy.java:113)
    at com.bea.propagation.framework.hierarchy.ListNodeHierarchy.getChildrenNodes(ListNodeHierarchy.java:113)
    at com.bea.propagation.framework.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:215)
    at com.bea.propagation.framework.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:224)
    at com.bea.propagation.framework.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:224)
    at com.bea.propagation.framework.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:224)
    at com.bea.propagation.framework.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:224)
    at com.bea.propagation.framework.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:224)
    at com.bea.propagation.framework.InventoryTreeWalker.walkDepthFirst_Recur(InventoryTreeWalker.java:224)
    at com.bea.propagation.framework.InventoryTreeWalker.walkDepthFirst(InventoryTreeWalker.java:158)
    at com.bea.propagation.framework.InventoryTreeWalker.walkDepthFirst(InventoryTreeWalker.java:102)
    at com.bea.propagation.framework.tool.io.InventoryTreeExport.walkDepthFirst(InventoryTreeExport.java:88)
    at com.bea.propagation.framework.tool.io.InventoryFolderExport.walkDepthFirst(InventoryFolderExport.java:110)
    at com.bea.propagation.framework.tool.io.InventoryArchiveExport.walkDepthFirst(InventoryArchiveExport.java:103)
    at com.bea.propagation.framework.tool.servlet.InventoryManagementServlet.writeInventoryToLocalFile(InventoryManagementServlet.java:1017)
    at com.bea.propagation.framework.tool.servlet.InventoryManagementServlet.writeInventoryToLocalFile(InventoryManagementServlet.java:991)
    at com.bea.propagation.framework.tool.servlet.InventoryManagementServlet.downloadOperation_Remote(InventoryManagementServlet.java:510)
    at com.bea.propagation.framework.tool.servlet.InventoryManagementServlet.downloadOperation(InventoryManagementServlet.java:453)
    at com.bea.propagation.framework.tool.servlet.InventoryManagementServlet.doService(InventoryManagementServlet.java:318)
    at com.bea.propagation.framework.tool.servlet.InventoryManagementServlet.doPost(InventoryManagementServlet.java:199)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
    at com.bea.p13n.servlets.PortalServletFilter.doFilter(PortalServletFilter.java:315)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(Unknown Source)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)

    Your error seems to indicate that your embedded LDAP isn't in sync with the database. Did you either delete files from your file system or clean up the portal DB, or finally use a copy of some existing database for your domain?

  • Weblogic Server 10.3.0 and LDAP authentication Issue

    Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine, but I am having an issue in terms of authorization.
    I am not able to access the default WebLogic administrator console app using any of the LDAP users; I am getting a Forbidden message.
    It appears to me that the WebLogic Server is not pulling out the proper groups from the LDAP to which the user belongs.
    Can anyone please point me in the right direction to get this resolved?
    Thanks,
    STEPS
    Here are my steps I have followed:
    - Created a group called Administrators in OID.
    - Created a test user called uid=myadmin in the OID and assigned the above group to this user.
    - Added a new Authentication Provider to the WebLogic and configured what is required to communicate with OID (the config.xml file snippet is below)
    <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
    <sec:name>OIDAuthentication</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
    <wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
    <wls:port>1389</wls:port>
    <wls:principal>cn=orcladmin</wls:principal>
    <wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
    <wls:credential-encrypted>removed from here</wls:credential-encrypted>
    <wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
    </sec:authentication-provider>
    - Marked the default authentication provider as sufficient as well.
    - Re-ordered the authentication providers such that the OIDAuthentication is first in the list and the default one is the last.
    - Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
    <LDAP Atn Login username: myadmin>
    <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <authenticate user:myadmin>
    <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <authentication succeeded>
    <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <LDAP Atn Authenticated User myadmin>
    <List groups that member: myadmin belongs to>
    <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    *<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
    *<Result has more elements: false>*
    <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <login succeeded for username myadmin>
    - I see the XACML RoleMapper getRoles() only returning the Anonymous role as opposed to Admin (because the OID user is a part of the Administrators group in OID, it should be returning Admin as far as I can tell). Here is the log entry that shows that:
    <XACML RoleMapper getRoles(): returning roles Anonymous>
    - I did an ldap search and found no issues in getting the results back:
    C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
    cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
    objectclass=groupOfUniqueNames
    objectclass=orclGroup
    objectclass=top
    END
    Here are the log entries:
    <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
    <1291668685624> <BEA-000000> <LDAP Atn Login>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
    <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
    <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    <1291668685624> <BEA-000000> <authenticate user:myadmin>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    <1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
    <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
    <1291668685624> <BEA-000000> <LDAP Atn Login>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
    <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
    <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685624> <BEA-000000> <authenticate user:myadmin>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685671> <BEA-000000> <authentication succeeded>
    <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
    <1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
    <1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
    <1291668685686> <BEA-000000> <Result has more elements: false>
    <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <login succeeded for username myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
    <1291668685686> <BEA-000000> <LDAP Atn Commit>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
    <1291668685686> <BEA-000000> <LDAP Atn Commit>
    <1291668685686> <BEA-000000> <LDAP Atn Principals Added>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
         Principal: myadmin
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
    <1291668685686> <BEA-000000> <Signed WLS principal myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
    <1291668685702> <BEA-000000> <Using Common RoleMappingService>
    <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
    <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
    <1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
    <1291668685702> <BEA-000000> <     Subject: 1
         Principal = weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
    <1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>>
    <1291668685702> <BEA-000000> <     Parent: null>
    <1291668685702> <BEA-000000> <     Context Handler: >
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
    <1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
    <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
    <1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
    <1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
    <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    <1291668685702> <BEA-000000> <     Subject: 1
         Principal = weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <     Roles:Anonymous>
    <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Direction: ONCE>
    <1291668685702> <BEA-000000> <     Context Handler: >
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

    Okay, finally the issue is resolved. Here are the findings to help others in case they run into the same issue.
    The OID version that we are using is not returning the groups the way WebLogic is building the ldapsearch command. We captured the LDAP traffic to go deeper and noticed the filters and attribute list that WLS was asking for. For example, the filter was like:
    "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
    It was the "cn" attribute that was causing the result set to be empty.
    From a command line we tried
    "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
    and got the results back.
    Then we started looking into the OID configuration and one of my coworkers pointed me towards the orclinmemfiltprocess attribute in the cn=dsaconfig entry and told me that they had had a lot of issues in the past in relation to this attribute.
    So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo, it worked!
    Since we needed groupofuniquenames in this list for performance/other reasons, we decided to use a different objectclass for our groups instead, i.e. orclGroup.
    Thanks everyone for showing interest in the problem and providing suggestions.
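
    The chain the debug log above walks through (LDAP group lookup, then XACML role mapping with string-is-in, then the console policy's string-at-least-one-member-of check) can be modelled in a few lines, which makes it easy to see why an empty group result ends in DENY. The following is an added illustration, not WebLogic or OID code: the in-memory directory is constructed, the role-to-group table is reconstructed from the log entries in this thread, and the "suppressed objectclass" switch only stands in for the observed behaviour (an empty result set for a filter on an objectclass listed in orclinmemfiltprocess); it is not a model of how OID actually processes such filters.

```python
# Constructed model of the chain in the debug log above:
# LDAP group lookup -> XACML role mapping -> console authorization.
# Added illustration, not WebLogic or OID code; the directory contents and
# the suppressed-objectclass switch are assumptions made for the example.

USER_DN = "uid=myadmin,ou=AppAdmins,o=gc,c=ca"

# Constructed stand-in for the OID group subtree. Values are lower-cased
# once so objectclass and DN matching is case-insensitive, as in LDAP.
DIRECTORY = {
    "cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca": {
        "cn": "Administrators",
        "objectclass": {"top", "groupofuniquenames", "orclgroup"},
        "uniquemember": {USER_DN.lower()},
    },
    "cn=Monitors,ou=IDM,ou=ServiceAccounts,o=gc,c=ca": {
        "cn": "Monitors",
        "objectclass": {"top", "groupofuniquenames", "orclgroup"},
        "uniquemember": {"uid=otheruser,ou=appadmins,o=gc,c=ca"},
    },
}

# Role -> group condition, in the order the XACML RoleMapper evaluated
# them in the log: string-is-in(<group>, subject groups).
ROLE_GROUPS = [
    ("AdminChannelUser", "AdminChannelUsers"),
    ("AppTester", "AppTesters"),
    ("Anonymous", "everyone"),
    ("Monitor", "Monitors"),
    ("Operator", "Operators"),
    ("CrossDomainConnector", "CrossDomainConnectors"),
    ("Deployer", "Deployers"),
    ("Admin", "Administrators"),
]

# Roles the console policy accepts (string-at-least-one-member-of in the log).
CONSOLE_ROLES = ("Admin", "Operator", "Deployer", "Monitor")


def group_filter(user_dn, group_objectclass="groupofuniquenames"):
    """Membership filter the LDAP authenticator issued in the log."""
    return f"(&(uniquemember={user_dn})(objectclass={group_objectclass}))"


def find_groups(directory, user_dn, group_objectclass="groupofuniquenames",
                suppressed_objectclasses=frozenset()):
    """Return the cn of each group whose uniquemember holds user_dn.

    suppressed_objectclasses is an assumption standing in for the thread's
    observation that the server answered the filter above with an empty
    result set when the objectclass was listed in orclinmemfiltprocess.
    """
    wanted_class = group_objectclass.lower()
    if wanted_class in suppressed_objectclasses:
        return []  # the log's "Result has more elements: false"
    member = user_dn.lower()
    return [entry["cn"] for entry in directory.values()
            if wanted_class in entry["objectclass"]
            and member in entry["uniquemember"]]


def map_roles(subject_groups):
    """Role mapping: a role is GRANTED when its group is among the subject's groups."""
    return [role for role, group in ROLE_GROUPS if group in subject_groups]


def console_access_allowed(roles):
    """Console policy from the log: at least one of CONSOLE_ROLES must be held."""
    return any(role in roles for role in CONSOLE_ROLES)


def authorize(directory, user_dn, group_objectclass="groupofuniquenames",
              suppressed_objectclasses=frozenset()):
    """Run the whole chain; returns (ldap groups, roles, decision)."""
    ldap_groups = find_groups(directory, user_dn, group_objectclass,
                              suppressed_objectclasses)
    # The log shows "everyone" and "users" present before any LDAP group.
    subject_groups = ["everyone", "users"] + ldap_groups
    roles = map_roles(subject_groups)
    decision = "PERMIT" if console_access_allowed(roles) else "DENY"
    return ldap_groups, roles, decision


if __name__ == "__main__":
    broken = frozenset({"groupofuniquenames"})
    # As reported: the groupofuniquenames lookup returns nothing -> Anonymous -> DENY
    print(group_filter(USER_DN))
    print(authorize(DIRECTORY, USER_DN, "groupofuniquenames", broken))
    # The thread's workaround: look groups up by orclGroup instead
    print(authorize(DIRECTORY, USER_DN, "orclGroup", broken))
```

    The two `authorize` calls reproduce the before and after of the thread: with the groupofuniquenames lookup returning nothing, only the Anonymous role is granted and the console policy returns DENY, exactly as the log shows; once the lookup is done by a group object class the server does answer (orclGroup here, corresponding to changing the authenticator's group object class setting), the Administrators group comes back, the Admin role is granted and the decision becomes PERMIT. When debugging a Forbidden on the console, checking the "Result has more elements" line and the `Value=[...]` of the group attribute in the role-mapper trace tells you whether the problem is in the directory lookup or in the policy.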

  • Problem while connecting the Weblogic Domain to MySql5.

    Hi,
    I would like to send you the entire stack trace.
    JAVA Memory arguments: -Xms256m -Xmx768m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=192m
    WLS Start Mode=Development
    CLASSPATH=;C:\WEBLOG~1\patch_wlw1030\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\WEBLOG~1\patch_wls1030\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\WEBLOG~1\patch_wlp1030\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\WEBLOG~1\patch_cie670\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\WEBLOG~1\patch_cie660\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\WEBLOG~1\JDK160~1\lib\tools.jar;C:\WEBLOG~1\WLSERV~1.3\server\lib\weblogic_sp.jar;C:\WEBLOG~1\WLSERV~1.3\server\lib\weblogic.jar;C:\WEBLOG~1\modules\features\weblogic.server.modules_10.3.0.0.jar;C:\WEBLOG~1\WLSERV~1.3\server\lib\webservices.jar;C:\WEBLOG~1\modules\ORGAPA~1.5/lib/ant-all.jar;C:\WEBLOG~1\modules\NETSFA~1.0_1/lib/ant-contrib.jar;;C:\WEBLOG~1\WLSERV~1.3\common\eval\pointbase\lib\pbclient57.jar;C:\WEBLOG~1\WLSERV~1.3\server\lib\xqrl.jar;C:\WEBLOG~1\WLSERV~1.3\server\lib\xquery.jar;C:\WEBLOG~1\WLSERV~1.3\server\lib\binxml.jar;
    PATH=C:\WEBLOG~1\patch_wlw1030\profiles\default\native;C:\WEBLOG~1\patch_wls1030\profiles\default\native;C:\WEBLOG~1\patch_wlp1030\profiles\default\native;C:\WEBLOG~1\patch_cie670\profiles\default\native;C:\WEBLOG~1\patch_cie660\profiles\default\native;C:\WEBLOG~1\WLSERV~1.3\server\native\win\32;C:\WEBLOG~1\WLSERV~1.3\server\bin;C:\WEBLOG~1\modules\ORGAPA~1.5\bin;C:\WEBLOG~1\JDK160~1\jre\bin;C:\WEBLOG~1\JDK160~1\bin;C:\WebLogicBea\jrockit_160_05\jre\bin;E:\Oracle\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;F:\Oracle\Ora81\bin;C:\Program Files\Oracle\jre\1.1.7\bin;F:\Oracle\Ora81\orb\bin;C:\Program Files\Java\jdk1.5.0_06\bin;E:\Oracle\orb\bin;C:\WEBLOG~1\WLSERV~1.3\server\native\win\32\oci920_8
    * To start WebLogic Server, use a username and *
    * password assigned to an admin-level user. For *
    * server administration, use the WebLogic Server *
    * console at http:\\hostname:port\console *
    starting weblogic with Java version:
    Cleaning up license and uid files
    Starting Autonomy with CONTENT_SEARCH_OPTION = full
    Autonomy Distributed Search Handler engine started.
    java version "1.6.0_05"
    Java(TM) SE Runtime Environment (build 1.6.0_05-b13)
    Java HotSpot(TM) Client VM (build 10.0-b19, mixed mode)
    Starting WLS with line:
    C:\WEBLOG~1\JDK160~1\bin\java -client -Xms256m -Xmx768m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=192m -Xverify:none -da -Dplatform.home=C:\WEBLOG~1\WLSERV~1.3 -Dwls.home=C:\WEBLOG~1\WLSERV~1.3\server -Dweblogic.home=C:\WEBLOG~1\WLSERV~1.3\server -Dweblogic.wsee.bind.suppressDeployErrorMessage=true -Dweblogic.wsee.skip.async.response=true -Dweblogic.management.discover=true -Dwlw.iterativeDev=true -Dwlw.testConsole=true -Dwlw.logErrorsToConsole=true -Dweblogic.ext.dirs=C:\WEBLOG~1\patch_wlw1030\profiles\default\sysext_manifest_classpath;C:\WEBLOG~1\patch_wls1030\profiles\default\sysext_manifest_classpath;C:\WEBLOG~1\patch_wlp1030\profiles\default\sysext_manifest_classpath;C:\WEBLOG~1\patch_cie670\profiles\default\sysext_manifest_classpath;C:\WEBLOG~1\patch_cie660\profiles\default\sysext_manifest_classpath;C:\WebLogicBea\wlportal_10.3\p13n\lib\system;C:\WebLogicBea\wlportal_10.3\light-portal\lib\system;C:\WebLogicBea\wlportal_10.3\portal\lib\system;C:\WebLogicBea\wlportal_10.3\info-mgmt\lib\system;C:\WebLogicBea\wlportal_10.3\analytics\lib\system;C:\WebLogicBea\wlportal_10.3\apps\lib\system;C:\WebLogicBea\wlportal_10.3\info-mgmt\deprecated\lib\system;C:\WebLogicBea\wlportal_10.3\content-mgmt\lib\system -Dweblogic.alternateTypesDirectory=C:\WebLogicBea\wlportal_10.3\portal\lib\security -Dweblogic.Name=AdminServer -Djava.security.policy=C:\WEBLOG~1\WLSERV~1.3\server\lib\weblogic.policy weblogic.Server
    <Oct 27, 2009 11:15:35 AM IST> <Notice> <WebLogicServer> <BEA-000395> <Following extensions directory contents added to the end of the classpath:
    C:\WebLogicBea\wlportal_10.3\analytics\lib\system\analytics_sys.jar;C:\WebLogicBea\wlportal_10.3\apps\lib\system\groupspace_system.jar;C:\WebLogicBea\wlportal_10.3\content-mgmt\lib\system\content_system.jar;C:\WebLogicBea\wlportal_10.3\info-mgmt\deprecated\lib\system\commerce_system.jar;C:\WebLogicBea\wlportal_10.3\info-mgmt\lib\system\wlp-schemas.jar;C:\WebLogicBea\wlportal_10.3\info-mgmt\lib\system\wlp_content_system.jar;C:\WebLogicBea\wlportal_10.3\info-mgmt\lib\system\wps_system.jar;C:\WebLogicBea\wlportal_10.3\light-portal\lib\system\netuix_common.jar;C:\WebLogicBea\wlportal_10.3\light-portal\lib\system\netuix_schemas.jar;C:\WebLogicBea\wlportal_10.3\light-portal\lib\system\netuix_system.jar;C:\WebLogicBea\wlportal_10.3\light-portal\lib\system\wsrp-client.jar;C:\WebLogicBea\wlportal_10.3\light-portal\lib\system\wsrp-common.jar;C:\WebLogicBea\wlportal_10.3\p13n\lib\system\p13n-schemas.jar;C:\WebLogicBea\wlportal_10.3\p13n\lib\system\p13n_common.jar;C:\WebLogicBea\wlportal_10.3\p13n\lib\system\p13n_system.jar;C:\WebLogicBea\wlportal_10.3\p13n\lib\system\wlp_services.jar;C:\WebLogicBea\wlportal_10.3\portal\lib\system\netuix_system-full.jar>
    <Oct 27, 2009 11:15:35 AM IST> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 10.0-b19 from Sun Microsystems Inc.>
    <Oct 27, 2009 11:15:36 AM IST> <Info> <Management> <BEA-141107> <Version: WebLogic Server Temporary Patch for CR376251 Wed Aug 06 09:19:34 PDT 2008
    WebLogic Server Temporary Patch for CR371247 Sat Aug 09 20:10:38 PDT 2008
    WebLogic Server Temporary Patch for CR377673 Tue Aug 12 20:39:50 EDT 2008
    WebLogic Server Temporary Patch for CR377673 Tue Aug 12 20:39:50 EDT 2008
    WebLogic Server Temporary Patch for CR376759 Thu Aug 14 14:53:02 PDT 2008
    WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 >
    <Oct 27, 2009 11:15:42 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
    <Oct 27, 2009 11:15:42 AM IST> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
    <Oct 27, 2009 11:15:42 AM IST> <Notice> <Log Management> <BEA-170019> <The server log file C:\WebLogicBea\user_projects\domains\zarDbDomain\zarDbDomain\servers\AdminServer\logs\AdminServer.log is opened. All server side log events will be written to this file.>
    <Oct 27, 2009 11:15:57 AM IST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
    <Oct 27, 2009 11:16:10 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
    <Oct 27, 2009 11:16:10 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
    <Oct 27, 2009 11:16:40 AM IST> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
    <Oct 27, 2009 11:16:41 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
    <Oct 27, 2009 11:16:41 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
    <Oct 27, 2009 11:16:41 AM IST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 192.9.200.236:7001 for protocols iiop, t3, ldap, snmp, http.>
    <Oct 27, 2009 11:16:41 AM IST> <Warning> <Server> <BEA-002611> <Hostname "ZieF.pl", maps to multiple IP addresses: 192.9.200.236, 127.0.0.1>
    <Oct 27, 2009 11:16:41 AM IST> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.>
    <Oct 27, 2009 11:16:41 AM IST> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "AdminServer" for domain "zarDbDomain" running in Development Mode>
    <Oct 27, 2009 11:16:41 AM IST> <Warning> <Server> <BEA-002611> <Hostname "192.9.200.236", maps to multiple IP addresses: 192.9.200.236, 127.0.0.1>
    <Oct 27, 2009 11:16:41 AM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
    <Oct 27, 2009 11:16:41 AM IST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
    <Oct 27, 2009 11:17:18 AM IST> <Error> <Security> <BEA-090064> <The DeployableAuthorizer "myrealm_weblogic.security.providers.xacml.authorization.XACMLAuthorizationProviderImpl" returned an error: weblogic.security.spi.ResourceCreationException: Security:090310Failed to create resource.>
    <Oct 27, 2009 11:17:20 AM IST> <Error> <Deployer> <BEA-149265> <Failure occurred in the execution of deployment request with ID '1256622425468' for task '0'. Error is: 'weblogic.application.ModuleException: Exception preparing module: EJBModule(netuix.jar)
    Unable to deploy EJB: ProxyPagePersistenceManager from netuix.jar:
    Exception while attempting to deploy Security Policy: weblogic.security.service.ResourceCreationException: weblogic.security.spi.ResourceCreationException: Security:090310Failed to create resource
    weblogic.application.ModuleException: Exception preparing module: EJBModule(netuix.jar)
    Unable to deploy EJB: ProxyPagePersistenceManager from netuix.jar:
    Exception while attempting to deploy Security Policy: weblogic.security.service.ResourceCreationException: weblogic.security.spi.ResourceCreationException: Security:090310Failed to create resource
    at weblogic.ejb.container.deployer.EJBModule.prepare(EJBModule.java:452)
    at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
    at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
    at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:58)
    Truncated. see log file for complete stacktrace
    weblogic.ejb20.interfaces.PrincipalNotFoundException: Exception while attempting to deploy Security Policy: weblogic.security.service.ResourceCreationException: weblogic.security.spi.ResourceCreationException: Security:090310Failed to create resource
    at weblogic.ejb.container.internal.SecurityHelperWLS.deployPolicy(SecurityHelperWLS.java:357)
    at weblogic.ejb.container.internal.SecurityHelper.deployPolicy(SecurityHelper.java:306)
    at weblogic.ejb.container.internal.SecurityHelper.deployPolicy(SecurityHelper.java:294)
    at weblogic.ejb.container.internal.SecurityHelper.deployAllPolicies(SecurityHelper.java:249)
    at weblogic.ejb.container.internal.SecurityHelper.deployAllPolicies(SecurityHelper.java:228)
    Truncated. see log file for complete stacktrace
    <Oct 27, 2009 11:17:20 AM IST> <Warning> <Deployer> <BEA-149004> <Failures were detected while initiating deploy task for application 'myPortalEAR'.>
    <Oct 27, 2009 11:17:20 AM IST> <Warning> <Deployer> <BEA-149078> <Stack trace for message 149004
    weblogic.application.ModuleException: Exception preparing module: EJBModule(netuix.jar)
    Unable to deploy EJB: ProxyPagePersistenceManager from netuix.jar:
    Exception while attempting to deploy Security Policy: weblogic.security.service.ResourceCreationException: weblogic.security.spi.ResourceCreationException: Security:090310Failed to create resource
    at weblogic.ejb.container.deployer.EJBModule.prepare(EJBModule.java:452)
    at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
    at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
    at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:58)
    Truncated. see log file for complete stacktrace
    weblogic.ejb20.interfaces.PrincipalNotFoundException: Exception while attempting to deploy Security Policy: weblogic.security.service.ResourceCreationException: weblogic.security.spi.ResourceCreationException: Security:090310Failed to create resource
    at weblogic.ejb.container.internal.SecurityHelperWLS.deployPolicy(SecurityHelperWLS.java:357)
    at weblogic.ejb.container.internal.SecurityHelper.deployPolicy(SecurityHelper.java:306)
    at weblogic.ejb.container.internal.SecurityHelper.deployPolicy(SecurityHelper.java:294)
    at weblogic.ejb.container.internal.SecurityHelper.deployAllPolicies(SecurityHelper.java:249)
    at weblogic.ejb.container.internal.SecurityHelper.deployAllPolicies(SecurityHelper.java:228)
    Truncated. see log file for complete stacktrace
    There are around 140 tables created in the MySQL database...
    Is there anything wrong?
    Regards
    Zarrakh

    Well.. When I ran the script for MySQL from the WebLogic domain configuration and compared the PointBase and MySQL databases, I found that there are a few tables, views and triggers that are missing in the MySQL DB. Could you tell me how I can create these missing tables, views and triggers?
    Regards

  • WebLogic 10.3.0 WLI Domain - Microsoft AD administrator user access issue.

    Hi SOA Experts,
    We are facing an issue of getting a NoAccess exception on the console (below) when doing datasource testing using a Microsoft AD administrator user. The same works fine when testing using the WLS embedded LDAP administrator user in the WLI domain. In a plain WLS 10.3.0 domain (without WLI) with the same Microsoft AD configuration they do not see this issue; they are able to successfully test the data source using both the embedded WLS administrator and the Microsoft AD administrator user.
    I enabled the security ATN and ATZ debug flags and below is my observation.
    In the plain WLS 10.3.0 domain I see that the default WebLogic administrator user in the embedded LDAP is part of the Administrators group. The Microsoft AD administrator user is part of the Administrators group from MS AD.
    Whereas in the WLI domain I see that the default WebLogic administrator user is part of the Administrators & IntegrationAdministrators groups. In the WLI domain the Administrators group is again part of the IntegrationAdministrators group (below are the debug logs).
    Below is the plain WLS domain debug log
    ####<Dec 6, 2010 5:20:14 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291674014123> <BEA-000000> < Subject: 2
    Principal = weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    Below is the WLI domain debug log
    <> <1291669863989> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    ####<Dec 6, 2010 4:11:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291669863989> <BEA-000000> < Subject: 3
    Principal = weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    Principal = weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")
    The issue of the Microsoft AD administrator user not being able to test the datasource in the WLI domain seems to be happening because of the IntegrationAdministrators group which comes by default with the WLI domain (in a plain WLS domain we do not have this group). It looks like the datasource which is being created in the WLI domain is being treated as a WLI resource and the user accessing it is being checked for whether it is part of the IntegrationAdministrators group. In this case the WebLogic default administrator user is part of IntegrationAdministrators, for which we do not see the issue, whereas the Microsoft AD administrator user, which is not part of IntegrationAdministrators, seems to be having the problem.
    Below is a snippet of the Microsoft AD administrator user in the debug logs
    ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291670011687> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291670011687> <BEA-000000> < Subject: 2
    Principal = weblogic.security.principal.WLSUserImpl("MSADAdminUser")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    One more observation about the datasource which is created: in both the plain WLS and WLI domains the created datasource resource type is shown as “jdbc”, which is expected, but in addition in the WLI domain I observe that the created datasource resource type is marked as JMX and the DS is being considered as an application (below); not sure if this has something to do with the issue.
    Below is the WLS domain debug log, where you can see that the datasource is being treated as a JDBC resource, which is expected.
    ####<Dec 6, 2010 5:21:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291674063776> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<jdbc>, application=, module=, resourceType=ConnectionPool, resource=testDS, action=reserve>
    Below is the WLI domain debug log, where you can see that the datasource is being treated as an application and the resource type is given as JMX
    ####<Dec 6, 2010 4:12:17 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291669937755> <BEA-000000> < Resource: type=<jmx>, operation=get, application=testDS, mbeanType=weblogic.j2ee.descriptor.wl.JDBCDataSourceBean, target=Name>
    I created a user in the embedded LDAP in the WLI domain with the same name as the MS AD administrator user and assigned it to the Administrators group; that obviously works but is not an acceptable solution.
    Below is the exception thrown on the console when testing the datasource using the Microsoft AD administrator user.
    weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[MSADAdminUser, Administrators], on Resource weblogic.management.runtime.JDBCDataSourceRuntimeMBean Operation: invoke , Target: testPool at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:205) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1030_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:978) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy92.testPool(Unknown Source) at com.bea.console.actions.jdbc.datasources.testjdbcdatasource.TestJDBCDataSource.begin(TestJDBCDataSource.java:114) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:870) at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:809) at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:478) at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:306) at
    - BoyelT

    This issue has been resolved.
    The problem of the Microsoft Active Directory administrator user not being able to test the datasource in the WLI domain is caused by the IntegrationAdministrators group & IntegrationAdmin role which come with the WLI domain. Assigning the Microsoft administrator group to the IntegrationAdmin role from the WebLogic console has resolved the issue.
    Below are the steps for assigning the MS AD administrator group to the IntegrationAdmin role from the console in the WLI domain.
    ======================================================
    - Log in to the console and click on "Security Realms" and "myrealm".
    - Go to the "Roles and Policies" tab and expand the "Global Roles" tree and the "Roles" tree view under it.
    - Click on the "View Role Conditions" link for the "IntegrationAdmin" role.
    - Click on the "Add Conditions" button, select Group (the default) in the "Predicate List" drop-down box and click the Next button.
    - Specify the MS AD admin group name in the "Group Argument Name" text box and hit the Add button.
    ======================================================
    - BoyelT
    Edited by: BoyelT on Dec 20, 2010 1:36 PM
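    An added example, not code from this thread or from WebLogic: a small Python triage script that parses the SecurityAtz debug output and the NoAccessRuntimeException message quoted in the posts above, then evaluates the IntegrationAdmin role's Group predicates against each logged subject's principals before and after the AD group is added. The sample lines are constructed copies of those in the thread, and the script assumes the role's Group predicates are OR-ed, which is how the console combines added conditions by default.

```python
"""Offline triage of WebLogic SecurityAtz debug output (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed sample, modelled on the WLI-domain debug lines quoted in the thread.
SAMPLE_LOG = """\
####<Dec 6, 2010 4:11:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291669863989> <BEA-000000> < Subject: 3
Principal = weblogic.security.principal.WLSUserImpl("weblogic")
Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
Principal = weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")
####<Dec 6, 2010 4:12:17 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291669937755> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<jdbc>, application=, module=, resourceType=ConnectionPool, resource=testDS, action=reserve>
####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291670011687> <BEA-000000> < Subject: 2
Principal = weblogic.security.principal.WLSUserImpl("MSADAdminUser")
Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291670011687> <BEA-000000> < Resource: type=<jmx>, operation=get, application=testDS, mbeanType=weblogic.j2ee.descriptor.wl.JDBCDataSourceBean, target=Name>
"""
# Constructed copy of the first line of the console exception quoted in the thread.
SAMPLE_EXCEPTION = (
    "weblogic.management.NoAccessRuntimeException: Access not allowed for subject: "
    "principals=[MSADAdminUser, Administrators], on Resource "
    "weblogic.management.runtime.JDBCDataSourceRuntimeMBean Operation: invoke , Target: testPool "
    "at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:205)"
)

SUBJECT_RE = re.compile(r"<\s*Subject:\s*(\d+)\s*$")
PRINCIPAL_RE = re.compile(
    r'Principal = weblogic\.security\.principal\.(WLSUserImpl|WLSGroupImpl)\("([^"]*)"\)')
RESOURCE_RE = re.compile(r"Resource[:=]\s*(.*?)>\s*$")  # matches both 'Resource:' and 'Resource='
NO_ACCESS_RE = re.compile(
    r"Access not allowed for subject: principals=\[([^\]]*)\], on Resource (\S+) "
    r"Operation: (\w+) , Target: (\w+)")

@dataclass
class Subject:
    """One '< Subject: N' block; N is the principal count the server declared."""
    declared: int
    user: Optional[str] = None
    groups: List[str] = field(default_factory=list)

    def complete(self) -> bool:
        """False when the log was truncated or interleaved and principals are missing."""
        return (1 if self.user else 0) + len(self.groups) == self.declared

def parse_subjects(text: str) -> List[Subject]:
    """Collect each Subject block and the Principal lines that follow it."""
    subjects, current = [], None
    for line in text.splitlines():
        m = SUBJECT_RE.search(line)
        if m:
            current = Subject(declared=int(m.group(1)))
            subjects.append(current)
            continue
        m = PRINCIPAL_RE.search(line)
        if m and current is not None:
            kind, name = m.groups()
            if kind == "WLSUserImpl":
                current.user = name
            else:
                current.groups.append(name)
    return subjects

def parse_resources(text: str) -> List[Dict[str, str]]:
    """Turn 'Resource: type=<jmx>, operation=get, ...' into one dict per line."""
    out = []
    for line in text.splitlines():
        m = RESOURCE_RE.search(line)
        if not m:
            continue
        fields = {}
        for part in m.group(1).split(", "):
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip().strip("<>")
        out.append(fields)
    return out

def parse_no_access(text: str) -> Optional[Dict[str, object]]:
    """Pull principals, resource, operation and target out of a NoAccessRuntimeException."""
    m = NO_ACCESS_RE.search(text)
    if not m:
        return None
    principals = [p.strip() for p in m.group(1).split(",") if p.strip()]
    return {"principals": principals, "resource": m.group(2), "operation": m.group(3), "target": m.group(4)}

def role_granted(subject: Subject, group_predicates: List[str]) -> bool:
    """Group predicates on a global role are assumed OR-ed, the console's default combination."""
    return any(g in subject.groups for g in group_predicates)

def evaluate_role(text: str, group_predicates: List[str]) -> Dict[str, bool]:
    """Map each logged user to whether the role's Group predicates admit it."""
    result = {}
    for s in parse_subjects(text):
        if not s.complete():
            raise ValueError(f"{s.user!r}: declared {s.declared} principals, parsed a different number")
        result[s.user] = role_granted(s, group_predicates)
    return result

if __name__ == "__main__":
    print("before fix:", evaluate_role(SAMPLE_LOG, ["IntegrationAdministrators"]))
    print("after fix:", evaluate_role(SAMPLE_LOG, ["IntegrationAdministrators", "Administrators"]))
```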

  • Unable to expand Roles n policies after enabling Active directory security

    I am running WebLogic 10.3 on Linux and have integrated console security with Microsoft AD.
    The below error occurs when I try to expand roles and policies.
    Please help.
    Message: weblogic.management.utils.NotFoundException: [Security:090311]Failed to set resource expression
    Stack Trace: com.bea.console.exceptions.ManagementException: weblogic.management.utils.NotFoundException: [Security:090311]Failed to set resource expression at com.bea.console.actions.security.roles.RoleTableAction.createRoleNode(RoleTableAction.java:678) at com.bea.console.actions.security.roles.RoleTableAction.expandGlobalRolesNode(RoleTableAction.java:208) at com.bea.console.actions.security.roles.RoleTableAction.expandNode(RoleTableAction.java:193) at com.bea.console.actions.security.roles.RoleTableAction.execute(RoleTableAction.java:102) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044) at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116) at com.bea.console.internal.ConsolePageFlowRequestProcessor.processActionPerform(ConsolePageFlowRequestProcessor.java:255) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853) at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631) at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158) at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:256) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414) at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:133) at 
org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:686) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:266) at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:107) at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:292) at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:428) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:727) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at 
com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:146) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361) at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208) at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162) at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388) at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258) at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:211) at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:196) at 
com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:54) at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:130) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(Unknown Source) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201) at weblogic.work.ExecuteThread.run(ExecuteThread.java:173) Caused by: weblogic.management.utils.NotFoundException: [Security:090311]Failed to set resource expression at com.bea.security.providers.xacml.entitlement.RoleManager.getRole(RoleManager.java:134) at weblogic.security.providers.xacml.authorization.XACMLRoleMapperImpl.getRoleExpression(XACMLRoleMapperImpl.java:499) at 
weblogic.security.providers.xacml.authorization.XACMLRoleMapperMBeanImpl.getRoleExpression(XACMLRoleMapperMBeanImpl.java:389) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437) at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836) at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:447) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:445) at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:443) at weblogic.management.mbeanservers.internal.AuthenticatedSubjectInterceptor$10$1.run(AuthenticatedSubjectInterceptor.java:582) at weblogic.management.mbeanservers.internal.AuthenticatedSubjectInterceptor$10.run(AuthenticatedSubjectInterceptor.java:580) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) at weblogic.management.mbeanservers.internal.AuthenticatedSubjectInterceptor.invoke(AuthenticatedSubjectInterceptor.java:573) at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:307) at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426) at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72) at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264) at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366) at 
javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788) at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source) at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1030_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:978) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy70.getRoleExpression(Unknown Source) at com.bea.console.actions.security.roles.RoleTableAction.createRoleNode(RoleTableAction.java:671) ... 81 more

    <?xml version='1.0' encoding='UTF-8'?>
    <domain xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/90/security/wls http://www.bea.com/ns/weblogic/90/security/wls.xsd http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd http://www.bea.com/ns/weblogic/90/security/xacml http://www.bea.com/ns/weblogic/90/security/xacml.xsd http://www.bea.com/ns/weblogic/90/security http://www.bea.com/ns/weblogic/90/security.xsd">
    <name>ABC</name>
    <domain-version>10.0.1.0</domain-version>
    <security-configuration>
    <name>ABC</name>
    <realm>
    <sec:authentication-provider xsi:type="wls:default-authenticatorType">
    <sec:control-flag>OPTIONAL</sec:control-flag>
    <wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:active-type>AuthenticatedUser</sec:active-type>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
    <sec:name>MYSECURITY</sec:name>
    <sec:control-flag>OPTIONAL</sec:control-flag>
    <wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
    <wls:host>ad.win.XYZ.com</wls:host>
    <wls:port>3210</wls:port>
    <wls:user-name-attribute>SamAccountName</wls:user-name-attribute>
    <wls:principal>CN=ABC (APPLICATION),OU=Service Accounts,OU=Infrastructure Solutions,OU=USPC,DC=americas,DC=win,DC=xyz,DC=com</wls:principal>
    <wls:user-base-dn>DC=americas,DC=win,DC=xyz,DC=com</wls:user-base-dn>
    <wls:credential-encrypted>{3DES}3gr1b24C1+ZescfrcJGfTA==</wls:credential-encrypted>
    <wls:user-from-name-filter>(&amp;(SamAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
    <wls:cache-size>3200</wls:cache-size>
    <wls:group-base-dn>DC=americas,DC=win,DC=xyz,DC=com</wls:group-base-dn>
    <wls:bind-anonymously-on-referrals>true</wls:bind-anonymously-on-referrals>
    <wls:all-groups-filter>(objectclass=group)</wls:all-groups-filter>
    <wls:group-membership-searching>limited</wls:group-membership-searching>
    </sec:authentication-provider>
    <sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
    <sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
    <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
    <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
    <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
    <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
    <sec:name>myrealm</sec:name>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{3DES}Da9bWdtd5q7ah0l1OlmgTprs5EsrhL0siPsTNKzMDOasnQwrpgSVnAKFIdM3O/CjsXOzrq2fBACcbtup4aQCbNpjynWFUDB1</credential-encrypted>
    <node-manager-username>system</node-manager-username>
    <node-manager-password-encrypted>{3DES}IwjibsnAdGEU/pYi+0n1bg==</node-manager-password-encrypted>
    </security-configuration>
    <server>
    <name>AdminServer</name>
    <log>
    <file-name>logs/AdminServer.log</file-name>
    <rotation-type>byTime</rotation-type>
    <number-of-files-limited>true</number-of-files-limited>
    <file-count>7</file-count>
    <file-time-span>24</file-time-span>
    <rotation-time>00:00</rotation-time>
    <rotate-log-on-startup>true</rotate-log-on-startup>
    <logger-severity>Info</logger-severity>
    <log-file-severity>Info</log-file-severity>
    <stdout-severity>Info</stdout-severity>
    <domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
    <memory-buffer-severity>Trace</memory-buffer-severity>
    <log4j-logging-enabled>false</log4j-logging-enabled>
    <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    <domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
    </log>
    <listen-port>25000</listen-port>
    <server-debug>
    <debug-scope>
    <name>default</name>
    <enabled>true</enabled>
    </debug-scope>
    <debug-scope>
    <name>weblogic</name>
    <enabled>true</enabled>
    </debug-scope>
    </server-debug>
    <listen-address></listen-address>
    </server>
    <server>
    <name>ABC_server1</name>
    <ssl>
    <enabled>false</enabled>
    </ssl>
    <log>
    <file-name>logs/AdminServer.log</file-name>
    <number-of-files-limited>true</number-of-files-limited>
    <file-count>7</file-count>
    <file-time-span>24</file-time-span>
    <rotation-time>00:00</rotation-time>
    <rotate-log-on-startup>true</rotate-log-on-startup>
    <logger-severity>Info</logger-severity>
    <log-file-severity>Info</log-file-severity>
    <stdout-severity>Info</stdout-severity>
    <domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
    <memory-buffer-severity>Trace</memory-buffer-severity>
    <log4j-logging-enabled>false</log4j-logging-enabled>
    <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    <domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
    </log>
    <listen-port>25010</listen-port>
    <listen-port-enabled>true</listen-port-enabled>
    <web-server>
    <web-server-log>
    <number-of-files-limited>false</number-of-files-limited>
    </web-server-log>
    </web-server>
    <listen-address></listen-address>
    <java-compiler>javac</java-compiler>
    <client-cert-proxy-enabled>false</client-cert-proxy-enabled>
    </server>
    <server>
    <name>ABC_server2</name>
    <log>
    <file-name>logs/AdminServer.log</file-name>
    <number-of-files-limited>true</number-of-files-limited>
    <file-count>7</file-count>
    <file-time-span>24</file-time-span>
    <rotation-time>00:00</rotation-time>
    <rotate-log-on-startup>true</rotate-log-on-startup>
    <logger-severity>Info</logger-severity>
    <log-file-severity>Info</log-file-severity>
    <stdout-severity>Info</stdout-severity>
    <domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
    <memory-buffer-severity>Trace</memory-buffer-severity>
    <log4j-logging-enabled>false</log4j-logging-enabled>
    <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    <domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
    </log>
    <listen-port>25020</listen-port>
    <web-server>
    <web-server-log>
    <number-of-files-limited>false</number-of-files-limited>
    </web-server-log>
    </web-server>
    <listen-address></listen-address>
    </server>
    <server>
    <name>ABC_server4</name>
    <log>
    <file-name>logs/AdminServer.log</file-name>
    <number-of-files-limited>true</number-of-files-limited>
    <file-count>7</file-count>
    <file-time-span>24</file-time-span>
    <rotation-time>00:00</rotation-time>
    <rotate-log-on-startup>true</rotate-log-on-startup>
    <logger-severity>Info</logger-severity>
    <log-file-severity>Info</log-file-severity>
    <stdout-severity>Info</stdout-severity>
    <domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
    <memory-buffer-severity>Trace</memory-buffer-severity>
    <log4j-logging-enabled>false</log4j-logging-enabled>
    <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    <domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
    </log>
    <listen-port>25040</listen-port>
    <web-server>
    <web-server-log>
    <number-of-files-limited>false</number-of-files-limited>
    </web-server-log>
    </web-server>
    <listen-address></listen-address>
    </server>
    <server>
    <name>ABC_server5</name>
    <ssl>
    <enabled>false</enabled>
    </ssl>
    <log>
    <file-name>logs/AdminServer.log</file-name>
    <number-of-files-limited>true</number-of-files-limited>
    <file-count>7</file-count>
    <file-time-span>24</file-time-span>
    <rotation-time>00:00</rotation-time>
    <rotate-log-on-startup>true</rotate-log-on-startup>
    <logger-severity>Info</logger-severity>
    <log-file-severity>Info</log-file-severity>
    <stdout-severity>Info</stdout-severity>
    <domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
    <memory-buffer-severity>Trace</memory-buffer-severity>
    <log4j-logging-enabled>false</log4j-logging-enabled>
    <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    <domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
    </log>
    <machine xsi:nil="true"></machine>
    <listen-port>25050</listen-port>
    <cluster xsi:nil="true"></cluster>
    <web-server>
    <web-server-log>
    <number-of-files-limited>false</number-of-files-limited>
    </web-server-log>
    </web-server>
    </server>
    <server>
    <name>ABC_server6</name>
    <log>
    <file-name>logs/AdminServer.log</file-name>
    <number-of-files-limited>true</number-of-files-limited>
    <file-count>7</file-count>
    <file-time-span>24</file-time-span>
    <rotation-time>00:00</rotation-time>
    <rotate-log-on-startup>true</rotate-log-on-startup>
    <logger-severity>Info</logger-severity>
    <log-file-severity>Info</log-file-severity>
    <stdout-severity>Info</stdout-severity>
    <domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
    <memory-buffer-severity>Trace</memory-buffer-severity>
    <log4j-logging-enabled>false</log4j-logging-enabled>
    <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    <domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
    </log>
    <listen-port>25060</listen-port>
    <web-server>
    <web-server-log>
    <number-of-files-limited>false</number-of-files-limited>
    </web-server-log>
    </web-server>
    <listen-address></listen-address>
    </server>
    <server>
    <name>ABC_server7</name>
    <log>
    <file-name>logs/AdminServer.log</file-name>
    <number-of-files-limited>true</number-of-files-limited>
    <file-count>7</file-count>
    <file-time-span>24</file-time-span>
    <rotation-time>00:00</rotation-time>
    <rotate-log-on-startup>true</rotate-log-on-startup>
    <logger-severity>Info</logger-severity>
    <log-file-severity>Info</log-file-severity>
    <stdout-severity>Info</stdout-severity>
    <domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
    <memory-buffer-severity>Trace</memory-buffer-severity>
    <log4j-logging-enabled>false</log4j-logging-enabled>
    <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    <domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
    </log>
    <listen-port>25070</listen-port>
    <web-server>
    <web-server-log>
    <number-of-files-limited>false</number-of-files-limited>
    </web-server-log>
    </web-server>
    <listen-address></listen-address>
    </server>
    <server>
    <name>ABC_server8</name>
    <log>
    <file-name>logs/AdminServer.log</file-name>
    <number-of-files-limited>true</number-of-files-limited>
    <file-count>7</file-count>
    <file-time-span>24</file-time-span>
    <rotation-time>00:00</rotation-time>
    <rotate-log-on-startup>true</rotate-log-on-startup>
    <logger-severity>Info</logger-severity>
    <log-file-severity>Info</log-file-severity>
    <stdout-severity>Info</stdout-severity>
    <domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
    <memory-buffer-severity>Trace</memory-buffer-severity>
    <log4j-logging-enabled>false</log4j-logging-enabled>
    <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    <domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
    </log>
    <listen-port>25080</listen-port>
    <web-server>
    <web-server-log>
    <number-of-files-limited>false</number-of-files-limited>
    </web-server-log>
    </web-server>
    <listen-address></listen-address>
    </server>
    <server>
    <name>ABC_server10</name>
    <log>
    <file-name>logs/AdminServer.log</file-name>
    <number-of-files-limited>true</number-of-files-limited>
    <file-count>7</file-count>
    <file-time-span>24</file-time-span>
    <rotation-time>00:00</rotation-time>
    <rotate-log-on-startup>true</rotate-log-on-startup>
    <logger-severity>Info</logger-severity>
    <log-file-severity>Info</log-file-severity>
    <stdout-severity>Info</stdout-severity>
    <domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
    <memory-buffer-severity>Trace</memory-buffer-severity>
    <log4j-logging-enabled>false</log4j-logging-enabled>
    <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    <domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
    </log>
    <listen-port>25100</listen-port>
    <web-server>
    <web-server-log>
    <number-of-files-limited>false</number-of-files-limited>
    </web-server-log>
    </web-server>
    <listen-address></listen-address>
    </server>
    <server>
    <name>ABC_server9</name>
    <log>
    <file-name>logs/AdminServer.log</file-name>
    <number-of-files-limited>true</number-of-files-limited>
    <file-count>7</file-count>
    <file-time-span>24</file-time-span>
    <rotation-time>00:00</rotation-time>
    <rotate-log-on-startup>true</rotate-log-on-startup>
    <logger-severity>Info</logger-severity>
    <log-file-severity>Info</log-file-severity>
    <stdout-severity>Info</stdout-severity>
    <domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
    <memory-buffer-severity>Trace</memory-buffer-severity>
    <log4j-logging-enabled>false</log4j-logging-enabled>
    <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    <domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
    </log>
    <listen-port>25090</listen-port>
    <web-server>
    <web-server-log>
    <number-of-files-limited>false</number-of-files-limited>
    </web-server-log>
    </web-server>
    <listen-address></listen-address>
    </server>
    <server>
    <name>ABC_server3</name>
    <log>
    <file-name>logs/AdminServer.log</file-name>
    <number-of-files-limited>true</number-of-files-limited>
    <file-count>7</file-count>
    <file-time-span>24</file-time-span>
    <rotation-time>00:00</rotation-time>
    <rotate-log-on-startup>true</rotate-log-on-startup>
    <logger-severity>Info</logger-severity>
    <log-file-severity>Info</log-file-severity>
    <stdout-severity>Info</stdout-severity>
    <domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
    <memory-buffer-severity>Trace</memory-buffer-severity>
    <log4j-logging-enabled>false</log4j-logging-enabled>
    <redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
    <domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
    </log>
    <listen-port>25030</listen-port>
    <web-server>
    <web-server-log>
    <number-of-files-limited>false</number-of-files-limited>
    </web-server-log>
    </web-server>
    <server-debug>
    <debug-scope>
    <name>default</name>
    <enabled>true</enabled>
    </debug-scope>
    <debug-scope>
    <name>weblogic</name>
    <enabled>true</enabled>
    </debug-scope>
    </server-debug>
    <listen-address></listen-address>
    </server>
    <embedded-ldap>
    <name>ABC</name>
    <credential-encrypted>{3DES}RhnPr+8XsDxhU8rgpPiikqpyeP74wxX/T2mnALX9oFI=</credential-encrypted>
    </embedded-ldap>
    <configuration-version>10.0.1.0</configuration-version>
    <configuration-audit-type>logaudit</configuration-audit-type>
    <app-deployment>
    <name>ABC25090</name>
    <target>ABC_server9</target>
    <module-type>ear</module-type>
    <source-path>/home/arajpoot/working/default-app/dist/ABC.9.5.0.ear</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <app-deployment>
    <name>ABC25080</name>
    <target>ABC_server8</target>
    <module-type>ear</module-type>
    <source-path>/home/aherleka/working/default-app/dist/ABC.10.1.0.ear</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <app-deployment>
    <name>ABC25030</name>
    <target>ABC_server3</target>
    <module-type>ear</module-type>
    <source-path>/home/rprajapa/working/default-app/dist/ABC.10.1.0.ear</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <app-deployment>
    <name>ABC25060</name>
    <target></target>
    <module-type>ear</module-type>
    <source-path>/home/xyin/working/default-app/dist/ABC.10.1.0.ear</source-path>
    <sub-deployment>
    <name>/</name>
    <target></target>
    </sub-deployment>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode>nostage</staging-mode>
    </app-deployment>
    <app-deployment>
    <name>ABC25010</name>
    <target>ABC_server1</target>
    <module-type>ear</module-type>
    <source-path>/home/payadav/working/default-app/dist/ABC.10.1.0.ear</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <app-deployment>
    <name>ABC25050</name>
    <target>ABC_server5</target>
    <module-type>ear</module-type>
    <source-path>/home/nchanda1/working/default-app/dist/ABC.10.0.3.ear</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <app-deployment>
    <name>ABC8070</name>
    <target>ABC_server7</target>
    <module-type>ear</module-type>
    <source-path>/home/irakshit/working/default-app/dist/ABC.10.1.0.ear</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <app-deployment>
    <name>ABC8020</name>
    <target>ABC_server2</target>
    <module-type>ear</module-type>
    <source-path>/home/wchou/working/default-app/ABC.ear</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <app-deployment>
    <name>ABC8100</name>
    <target>ABC_server10</target>
    <module-type>ear</module-type>
    <source-path>/home/amulik/working/default-app/dist/ABC.9.5.0.ear</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <app-deployment>
    <name>ABC8040</name>
    <target>ABC_server4</target>
    <module-type>ear</module-type>
    <source-path>/home/nchanda1/working/default-app/dist/ABC.10.0.3.ear</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <admin-server-name>AdminServer</admin-server-name>
    <jdbc-system-resource>
    <name>ABCCDWDataSource</name>
    <target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
    <descriptor-file-name>jdbc/ABCCDWDataSource-2021-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    <jdbc-system-resource>
    <name>ABCCDWDataSource_coper</name>
    <target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
    <descriptor-file-name>jdbc/ABCCDWDataSource_coper-9655-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    <jdbc-system-resource>
    <name>ABCOracleDS</name>
    <target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
    <descriptor-file-name>jdbc/ABCOracleDS-5997-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    <jdbc-system-resource>
    <name>ABCReportDataSource</name>
    <target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
    <descriptor-file-name>jdbc/ABCReportDataSource-6033-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    <jdbc-system-resource>
    <name>ABC_NEON_DATASOURCE</name>
    <target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
    <descriptor-file-name>jdbc/ABC_NEON_DATASOURCE-9653-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    <jdbc-system-resource>
    <name>ABCRDRDS</name>
    <target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
    <descriptor-file-name>jdbc/ABCRDRDS-5401-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    <jdbc-system-resource>
    <name>ABCtest</name>
    <target>ABC_server6</target>
    <descriptor-file-name>jdbc/ABCtest-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    <jdbc-system-resource>
    <name>ABCreport</name>
    <target>ABC_server6</target>
    <descriptor-file-name>jdbc/ABCreport-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    </domain>

  • Having issue with OEG (11.1.1.6.1) and OES (11.1.1.5) integration

    Hi,
    I have installed the latest OEG release (11.1.1.6) and OES 11.1.1.5, and followed the instructions in the OEG and OES integration guide to create a policy that delegates authorization to OES through the OES 11g Authorization filter.
    Before testing the OEG policy, I created an OES11g authorization policy on the OES Admin Server, and used a simple Java application to invoke authorization decisions successfully. But when testing the OEG policy from Service Explorer, I got an error; the stack trace is below:
    DATA     3/19/12 17:49:15.186     trace transaction
    DEBUG     3/19/12 17:49:15.186     add header Host:localhost:8080
    DEBUG     3/19/12 17:49:15.186     add header Authorization:Basic d2VibG9naWM6d2VsY29tZTE=
    DEBUG     3/19/12 17:49:15.186     add header SOAPAction:"http://startvbdotnet.com/web/Add"
    DEBUG     3/19/12 17:49:15.186     add header User-Agent:Gateway
    DEBUG     3/19/12 17:49:15.186     incoming content-length: 344
    DEBUG     3/19/12 17:49:15.186     add header Connection:close
    DEBUG     3/19/12 17:49:15.186     add header X-CorrelationID:Id-854f5ea44f67a9db01190000 1
    DEBUG     3/19/12 17:49:15.186     add header Content-Type:text/xml; charset="utf-8"
    DEBUG     3/19/12 17:49:15.186     Incoming HTTP request: method=POST, host=(unset), port=(unset), path=/, query=(unset), version=1.1
    DATA     3/19/12 17:49:15.186     Firewall resolved uri '/' against '/'
    DATA     3/19/12 17:49:15.186     Firewall failed to resolve uri '/' against '/healthcheck'
    DEBUG     3/19/12 17:49:15.186     using handler at /
    DEBUG     3/19/12 17:49:15.186     Adding MessageListener: com.vordel.circuit.FilterPathTracker@f0f11b8
    DEBUG     3/19/12 17:49:15.186     Adding MessageListener: com.vordel.reporting.rtm.RealtimeMonitoring$1$1@70c7c57c
    DEBUG     3/19/12 17:49:15.187     handle type text/xml with factory class com.vordel.mime.XMLBody$Factory
    DEBUG     3/19/12 17:49:15.187     Adding MessageListener: com.vordel.dwe.http.HTTPMessageListener@5200089
    DEBUG     3/19/12 17:49:15.187     Circuit reference [Global Request Policy] is not enabled - ignoring
    DEBUG     3/19/12 17:49:15.187     Circuit reference [Custom Request Policy] is not enabled - ignoring
    DEBUG     3/19/12 17:49:15.187     Circuit reference [Path Specific Policy] valid and enabled - calling
    DEBUG     3/19/12 17:49:15.188     run circuit "OES11g Authorization "...
    DEBUG     3/19/12 17:49:15.188     run filter [HTTP Basic] {
    DEBUG     3/19/12 17:49:15.188     VordelRepository.checkCredentials: username=weblogic
    DEBUG     3/19/12 17:49:15.188     } = 1, filter [HTTP Basic]
    DEBUG     3/19/12 17:49:15.188     Filter [HTTP Basic] completes in 0 milliseconds.
    DEBUG     3/19/12 17:49:15.188     run filter [11g Authorization] {
    DEBUG     3/19/12 17:49:15.188     creating subject from 'weblogic'
    DEBUG     3/19/12 17:49:15.197     checking 'write' to resource: HelloOESworld/MyResourceType/MyResource
    DEBUG     3/19/12 17:49:15.262     parsing XML body from input stream of type sun.net.www.protocol.jar.JarURLConnection$JarURLInputStream. ContentSource is of type java InputStream
    DATA     3/19/12 17:49:15.263     getting class javax.xml.xpath.XPath with classLoader.loadClass()
    DATA     3/19/12 17:49:15.263     loaded class javax.xml.xpath.XPath
    DATA     3/19/12 17:49:15.263     getting class javax.xml.xpath.XPathConstants with classLoader.loadClass()
    DATA     3/19/12 17:49:15.263     loaded class javax.xml.xpath.XPathConstants
    DATA     3/19/12 17:49:15.263     getting class javax.xml.namespace.QName with classLoader.loadClass()
    DATA     3/19/12 17:49:15.263     loaded class javax.xml.namespace.QName
    DEBUG     3/19/12 17:49:15.277     parsing XML body from input stream of type java.io.FileInputStream. ContentSource is of type java InputStream
    DATA     3/19/12 17:49:15.278     getting class javax.xml.namespace.NamespaceContext with classLoader.loadClass()
    DATA     3/19/12 17:49:15.279     loaded class javax.xml.namespace.NamespaceContext
    DEBUG     3/19/12 17:49:15.744     parsing XML body from input stream of type sun.net.www.protocol.jar.JarURLConnection$JarURLInputStream. ContentSource is of type java InputStream
    DEBUG     3/19/12 17:49:15.774     parsing XML body from input stream of type sun.net.www.protocol.jar.JarURLConnection$JarURLInputStream. ContentSource is of type java InputStream
    DEBUG     3/19/12 17:49:15.845     } = 2, filter [11g Authorization]
    DEBUG     3/19/12 17:49:15.845     Filter [11g Authorization] completes in 657 milliseconds.
    DEBUG     3/19/12 17:49:15.845     ..."OES11g Authorization " complete.
    DATA     3/19/12 17:49:15.846     getting class com.vordel.reporting.rtm.api.MetricTypeRangeCount with classLoader.loadClass()
    DATA     3/19/12 17:49:15.846     loaded class com.vordel.reporting.rtm.api.MetricTypeRangeCount
    DATA     3/19/12 17:49:15.847     getting class java.lang.Throwable with classLoader.loadClass()
    DATA     3/19/12 17:49:15.847     loaded class java.lang.Throwable
    DATA     3/19/12 17:49:15.848     getting class com.vordel.system.NativeOutputStream with classLoader.loadClass()
    DATA     3/19/12 17:49:15.849     loaded class com.vordel.system.NativeOutputStream
    DATA     3/19/12 17:49:15.849     getting class com.vordel.system.NativeOutputStream with classLoader.loadClass()
    DATA     3/19/12 17:49:15.849     loaded class com.vordel.system.NativeOutputStream
    DATA     3/19/12 17:49:15.849     getting class java.io.PrintStream with classLoader.loadClass()
    DATA     3/19/12 17:49:15.849     loaded class java.io.PrintStream
    ERROR     3/19/12 17:49:15.850     java exception running circuit: java.lang.RuntimeException: oracle.security.jps.service.policystore.PolicyStoreException: JPS-10619: Failed to initialize cipher for local cache encryption/decryption. at oracle.security.jps.az.internal.runtime.encryption.CipherServiceFactory.getService(CipherServiceFactory.java:61) at oracle.security.jps.az.internal.runtime.pd.receiver.UpdatePolicySet.initCipherService(UpdatePolicySet.java:211) at oracle.security.jps.az.internal.runtime.pd.receiver.UpdatePolicySet.<init>(UpdatePolicySet.java:139) at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.initializeControlledPD(PDPServiceImpl.java:296) at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.initial(PDPServiceImpl.java:368) at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.<init>(PDPServiceImpl.java:268) at oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider.getInstance(PDPServiceProvider.java:89) at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139) at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:170) at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:191) at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:132) at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:159) at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:165) at oracle.security.jps.openaz.pep.PepRequestFactoryImpl.<init>(PepRequestFactoryImpl.java:123) at oracle.security.jps.openaz.pep.PepRequestFactoryImpl.getPepRequestFactory(PepRequestFactoryImpl.java:113) at com.vordel.circuit.oracle.oeseleveng.OES11GAuthZProcessor.invoke(OES11GAuthZProcessor.java:76) at com.vordel.circuit.InvocationEngine.invokeFilter(InvocationEngine.java:154) at com.vordel.circuit.InvocationEngine.invokeCircuit(InvocationEngine.java:43) at com.vordel.circuit.InvocationEngine.processMessage(InvocationEngine.java:229) at com.vordel.circuit.SyntheticCircuitChainProcessor.invoke(SyntheticCircuitChainProcessor.java:36) at com.vordel.dwe.http.HTTPPlugin.invokeDispose(HTTPPlugin.java:290) at com.vordel.dwe.http.HTTPPlugin.invoke(HTTPPlugin.java:131) Caused by: oracle.security.jps.service.policystore.PolicyStoreException: JPS-10619: Failed to initialize cipher for local cache encryption/decryption. at oracle.security.jps.az.internal.runtime.encryption.AESCipherImpl.retrieveRawKey(AESCipherImpl.java:140) at oracle.security.jps.az.internal.runtime.encryption.AESCipherImpl.getKey(AESCipherImpl.java:184) at oracle.security.jps.az.internal.runtime.encryption.AESCipherImpl.<init>(AESCipherImpl.java:87) at oracle.security.jps.az.internal.runtime.encryption.CipherServiceFactory.getService(CipherServiceFactory.java:59) ... 21 more
    DEBUG     3/19/12 17:49:15.850     add header Content-Type:text/plain
    DEBUG     3/19/12 17:49:15.850     add header Server:
    DEBUG     3/19/12 17:49:15.850     send prologue: content length -1
    DEBUG     3/19/12 17:49:15.850     peer can do chunking
    DEBUG     3/19/12 17:49:15.850     add header Transfer-Encoding:chunked
    DEBUG     3/19/12 17:49:15.850     reused connection 0x2b72480 1 times
    Am I missing something? Please help.

    Hello,
    I too am facing the same error. The environment details are as follows:
    OS: Win2k8 64 bit
    OEG: 11.1.1.6.1
    OES: 11.1.1.5
    OES Client: 11.1.1.5
    I have also applied the patch 12917515 to OES (both server and client). This patch contains 2 sub-folders [APM and OES]. I have installed the OES sub-folder patch only.
    Steps: I followed the steps as mentioned in OEG-OES 11g integration guide: http://www.oracle.com/technetwork/middleware/id-mgmt/oes11g-integration-guide-1520074.pdf
    Note: Instead of using an HTTP Basic filter, I set the "authentication.subject.id" attribute manually and then call the "OES 11g Authorization" filter.
    Issue:
    The following exception is thrown when the authorization filter runs:
    java exception running circuit: java.lang.RuntimeException: oracle.security.jps.service.policystore.PolicyStoreException: JPS-10619: Failed to initialize cipher for local cache encryption/decryption. at oracle.security.jps.az.internal.runtime.encryption.CipherServiceFactory.getService(CipherServiceFactory.java:61) at oracle.security.jps.az.internal.runtime.pd.receiver.UpdatePolicySet.initCipherService(UpdatePolicySet.java:211) at oracle.security.jps.az.internal.runtime.pd.receiver.UpdatePolicySet.<init>(UpdatePolicySet.java:139) at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.initializeControlledPD(PDPServiceImpl.java:296) at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.initial(PDPServiceImpl.java:368) at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.<init>(PDPServiceImpl.java:268) at oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider.getInstance(PDPServiceProvider.java:89) at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139) at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:170) at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:191) at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:132) at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:159) at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:165) at oracle.security.jps.openaz.pep.PepRequestFactoryImpl.<init>(PepRequestFactoryImpl.java:123) at oracle.security.jps.openaz.pep.PepRequestFactoryImpl.getPepRequestFactory(PepRequestFactoryImpl.java:113) at com.vordel.circuit.oracle.oeseleveng.OES11GAuthZProcessor.invoke(OES11GAuthZProcessor.java:76) at com.vordel.circuit.InvocationEngine.invokeFilter(InvocationEngine.java:154) at com.vordel.circuit.InvocationEngine.invokeCircuit(InvocationEngine.java:43) at com.vordel.circuit.InvocationEngine.processMessage(InvocationEngine.java:229) at com.vordel.circuit.SyntheticCircuitChainProcessor.invoke(SyntheticCircuitChainProcessor.java:36) at com.vordel.dwe.http.HTTPPlugin.invokeDispose(HTTPPlugin.java:290) at com.vordel.dwe.http.HTTPPlugin.invoke(HTTPPlugin.java:131) Caused by: oracle.security.jps.service.policystore.PolicyStoreException: JPS-10619: Failed to initialize cipher for local cache encryption/decryption. at oracle.security.jps.az.internal.runtime.encryption.AESCipherImpl.retrieveRawKey(AESCipherImpl.java:140) at oracle.security.jps.az.internal.runtime.encryption.AESCipherImpl.getKey(AESCipherImpl.java:184) at oracle.security.jps.az.internal.runtime.encryption.AESCipherImpl.<init>(AESCipherImpl.java:87) at oracle.security.jps.az.internal.runtime.encryption.CipherServiceFactory.getService(CipherServiceFactory.java:59) ... 21 more
    Is there any other patch required to make OEG work with OES 11g? How do I resolve this error?
    Any help will be greatly appreciated.
    Regards.
