Weblogic Server Start Fails After Configuring Integration With OAM (Doc ID 1135363.1)

Last updated on MARCH 08, 2017

Applies to:

COREid Access - Version: 10.1.4.0.1 to 10.1.4.2 - Release: 10g to 10g
Information in this document applies to any platform.

Symptoms


After configuring WebLogic Server 10.x with Oracle Access Manager (OAM) SSPI Connector 10.1.4.0.1 or 10.1.4.2, WebLogic Server fails to start with the error 'Authentication denied: Boot identity not valid' or, if boot.properties is not used, 'Authentication for user <username> denied'.

For example, if boot.properties is used:


<Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(Unknown Source)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)


If the boot.properties file is removed and the OAM weblogic-admin user credential is entered at the prompt when starting WebLogic, the following error is displayed:


<Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user wlsadmin denied
weblogic.security.SecurityInitializationException: Authentication for user wlsadmin denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(Unknown Source)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace


The OAM SSPI Connector debug log shows that the isValidGroup call returns false. Before that, the connector issues a SOAP IDXML call to groupservcenter.cgi with program=view, which returns the error 'There is no profile configured for this kind of group.'

For example:

Fri Jun 25 15:24:24 IST 2010: SCD012 : Soap Request : <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas-xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><oblix:authentication xmlns:oblix="http://www.oblix.com" type="basic"><oblix:login>wlsadmin</oblix:login><oblix:password>welcome1</oblix:password><oblix:domain></oblix:domain></oblix:authentication><oblix:request application="groupservcenter" function="view"><oblix:params> <oblix:param name="uid">wlsadmin</oblix:param> <oblix:param name="attrName">cn</oblix:param></oblix:params></oblix:request> </SOAP-ENV:Body> </SOAP-ENV:Envelope>

Fri Jun 25 15:24:24 IST 2010: SCD014 : Soap Response: <?xml version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><Oblix xmlns:oblix="http://www.oblix.com/" xmlns="http://www.oblix.com/" oblang="en-us"><ObError><ObRequestInfo>163653040</ObRequestInfo><ObTextMessage>There is no profile configured for this kind of group.</ObTextMessage>

Fri Jun 25 15:24:24 IST 2010: Error message from SOAP response: There is no profile configured for this kind of group.

Fri Jun 25 15:24:24 IST 2010: NRD026 : Return value of NetPointRegistry: realGetGroupDisplayName null

Fri Jun 25 15:24:24 IST 2010: NRD029 : Return value of NetPointRegistry: isValidGroup false
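
The sequence shown above (a SOAP request, the SOAP error message, then isValidGroup false) can be picked out of a connector debug log with a short script. This is an added example, not Oracle code: the function names and the sample log are constructed here, and the script also masks the <oblix:password> value, which the SCD012 line records in clear text, before the log is shared.

```python
import re

# Constructed sample in the format of the connector debug log shown above.
SAMPLE_LOG = """\
Fri Jun 25 15:24:24 IST 2010: SCD012 : Soap Request : <oblix:authentication type="basic"><oblix:login>wlsadmin</oblix:login><oblix:password>example-secret</oblix:password></oblix:authentication><oblix:request application="groupservcenter" function="view"><oblix:params><oblix:param name="uid">wlsadmin</oblix:param></oblix:params></oblix:request>
Fri Jun 25 15:24:24 IST 2010: Error message from SOAP response: There is no profile configured for this kind of group.
Fri Jun 25 15:24:24 IST 2010: NRD026 : Return value of NetPointRegistry: realGetGroupDisplayName null
Fri Jun 25 15:24:24 IST 2010: NRD029 : Return value of NetPointRegistry: isValidGroup false
"""

PASSWORD_RE = re.compile(r"(<oblix:password>).*?(</oblix:password>)", re.S)
REQUEST_RE = re.compile(r'SCD012 .*?<oblix:request application="([^"]+)" function="([^"]+)"')
LOGIN_RE = re.compile(r"<oblix:login>(.*?)</oblix:login>")
ERROR_RE = re.compile(r"Error message from SOAP response: (.*)")
GROUP_RE = re.compile(r"NRD029 .*isValidGroup (true|false)")


def redact(text):
    """Mask the clear-text password the connector logs in SCD012 lines."""
    return PASSWORD_RE.sub(r"\1[REDACTED]\2", text)


def triage(log_text):
    """Return one finding per SOAP request that ended in isValidGroup false."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:  # a new request starts a new correlation window
            login = LOGIN_RE.search(line)
            pending = {"application": m.group(1), "function": m.group(2),
                       "login": login.group(1) if login else None,
                       "soap_error": None}
            continue
        if pending is None:
            continue
        m = ERROR_RE.search(line)
        if m:
            pending["soap_error"] = m.group(1).strip()
            continue
        m = GROUP_RE.search(line)
        if m:  # the NRD029 result closes the window
            if m.group(1) == "false":
                findings.append(pending)
            pending = None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG))
```
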


Steps to Reproduce

Configure WebLogic Server integration with OAM SSPI Connector as per the following documentation:

Oracle Access Manager Integration Guide
10 Integrating the Security Provider for WebLogic

Step 14. 'Restart the WebLogic Server' in section '10.5 Installing and Configuring the Security Provider' is failing.



NOTE: The Access Control Lists (ACLs) for the weblogic-admin user (e.g. wlsadmin) have been configured correctly in OAM as follows. However, the WebLogic Server error still occurs.

a) User Manager ACLs: Read privileges granted to wlsadmin for 'Full Name' and 'Login' attributes.

b) Group Manager ACLs: Read privileges granted to wlsadmin for 'Full Name' attribute.

c) User Manager Search Base: access granted to wlsadmin for Objectclass=inetorgperson and Objectclass=groupofuniquenames



Cause
