OAM 11g: WLS Will Break Access to OAM Policy Store - "OAMSSA-06252: The policy store is not available;" (Doc ID 1572620.1)

Last updated on MAY 04, 2017

Applies to:

Oracle Access Manager - Version 11.1.2.0.0 and later
Information in this document applies to any platform.

Symptoms

This issue affects Oracle Access Manager (OAM) 11.1.2.0.0 (and higher) or 11.1.1.5.0 (with Bundled Patch and higher version), deployed on top of WebLogic Server (WLS) 10.3.6.0 or 10.3.5.0. WebLogic 10.3.6 includes the patch directory by default and is therefore affected by default.


After upgrading WLS with any patch [ Patch Set Update (PSU) ], you may see the following issues:

The AdminServer may record these error messages:
      "oracle.security.am.common.policy.admin.PolicyManagerException: OAMSSA-06252: The policy store is not available; please see the log file for more details."

or

[AdminServer] [TRACE:16] [] [oracle.oam.engine.policy] [tid: [ACTIVE].ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 1b62d5597212993a:-27523d93:144c1f6dbb4:-8000-00000000000016b7,0] [APP: oam_admin#11.1.2.0.0] [DSID: 0000KJFJEtm6UOIMyqBh6G1J8p6W000009] [SRC_CLASS: OESPolicyAdminProvider] [SRC_METHOD: commit] THROW[[
java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:OAM11gApplication Admin Resource:DISTRIBUTE_APPLICATION_POLICY Actions:manage)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
        at java.security.AccessController.checkPermission(AccessController.java:559)
        at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:463)
        at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:523)
        at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:549)
        at oracle.security.jps.internal.policystore.util.OpssAuth.checkAdminPermission(OpssAuth.java:69)

or

<BEA-000000> <Unable to start policy admin instance oracle.security.am.common.policy.admin.PolicyManagerException: OAMSSA-06252: The policy store is not available; please see the log file for more details.
        at oracle.security.am.common.policy.admin.PolicyAdminFactory.getProvider(PolicyAdminFactory.java:243)
       [...]
Caused By: oracle.security.am.common.policy.admin.PolicyManagerException: oracle.security.am.common.policy.admin.store.PolicyStoreException: OAMSSA-06252: The policy store is not available; please see the log file for more details.
        at oracle.security.am.common.policy.admin.provider.oes.OESPolicyAdminProvider.init(OESPolicyAdminProvider.java:139)
        [...]
Caused By: oracle.security.am.common.policy.admin.store.PolicyStoreException: OAMSSA-06252: The policy store is not available; please see the log file for more details.
Caused By: java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:OAM11gApplication Actions:getApplicationPolicy)

 

or (OAM 11R2SP2)

<BEA-101162> <User defined listener oracle.security.am.lifecycle.ApplicationLifecycle failed: java.lang.ExceptionInInitializerError.
..
Caused By: oracle.security.am.admin.config.exceptions.ObjectCreationException: Cannot get implementation for type ConfigNotificationListeners.
..
Caused By: java.lang.RuntimeException: java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=OAM_STORE,keyName=coh" "read")

 

The AdminServer and the Managed Server may record these messages:

Servlet: "AMInitServlet" failed to preload on startup in Web application: "oam".
java.lang.ExceptionInInitializerError
       at oracle.security.am.engines.sso.adapter.AbstractSessionAdapterImpl.checkAndInit(AbstractSessionAdapterImpl.java:110)
       at oracle.security.am.engines.sso.adapter.AbstractSessionAdapterImpl.<init>(AbstractSessionAdapterImpl.java:88)
..
Caused by: oracle.security.am.common.utilities.exception.AmRuntimeException: OAM Server Key initialization failed.
..
Caused by: java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=OAM_STORE,keyName=jks read)
       at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
       at java.security.AccessController.checkPermission(AccessController.java:549)

or

[WLS_OAM] [ERROR] [] [oracle.oam.foundation.access] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: f51078043b86c368:20a635dc:141121b60bd:-8000-0000000000000004,0] [APP: oam_server] Exception on bootstrap of component Config.[[
java.lang.ExceptionInInitializerError
      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
   ...
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: oracle.security.am.admin.config.exceptions.ObjectCreationException: Cannot get implementation for type ConfigNotificationListeners.
Caused by: (Wrapped: Failed to start Service "Cluster" (ServiceState=SERVICE_STOPPED, STATE_ANNOUNCE)) oracle.security.am.foundation.map.exceptions.MapRuntimeException: Failed to get encryption key.
Caused by: oracle.security.am.foundation.map.exceptions.MapRuntimeException: Failed to get encryption key.

  

Agent Policy creation or update records these error messages:

    oracle.security.am.engines.rreg.client.RegController processUpdatePolicy
    SEVERE: Server side error occurred. Specific error messages are:The policy store is not available; please see the log file for more details.
    The remote registration process did not succeed! Please find the specific error message below.
    Error message passed from server is:The policy store is not available; please see the log file for more details.


 

As soon as the WLS patch is removed, AdminServer startup and policy updates work as expected.
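
A triage helper for the symptoms listed above, added here as an example (it is not Oracle's code): it scans server log lines for the OPSS AccessControlException denials and the related markers, and reports which permission, target and action were refused. The function names are assumptions made for illustration, and the sample lines are shortened from the excerpts on this page.

```python
import re
from collections import Counter

# Handles both renderings of the JDK message seen in the excerpts:
#   access denied (oracle...Permission <target> <actions>)
#   access denied ("oracle...Permission" "<target>" "<actions>")
DENIED = re.compile(
    r'access denied \("?(?P<perm>oracle\.security\.jps\.[\w.]+)"?\s+(?P<rest>[^)]*)\)')

def parse_denial(line):
    """Return (permission class, target, actions) for an OPSS denial, else None."""
    m = DENIED.search(line)
    if not m:
        return None
    perm = m.group("perm").rsplit(".", 1)[-1]
    rest = m.group("rest").replace('"', "").strip()
    if "Actions:" in rest:      # PolicyStoreAccessPermission layout
        target, actions = rest.rsplit("Actions:", 1)
    else:                       # CredentialAccessPermission layout
        target, _, actions = rest.rpartition(" ")
    return perm, target.strip(), actions.strip()

def triage(lines):
    """Summarise the symptoms of this note found in a server log."""
    denials, markers = Counter(), Counter()
    for line in lines:
        d = parse_denial(line)
        if d:
            denials[d] += 1
        for marker in ("OAMSSA-06252", "Failed to get encryption key",
                       "OAM Server Key initialization failed"):
            if marker in line:
                markers[marker] += 1
    return {"denials": denials, "markers": markers}

# Sample lines shortened from the excerpts on this page.
SAMPLE = [
    "<BEA-000000> <Unable to start policy admin instance oracle.security.am.common.policy.admin.PolicyManagerException: OAMSSA-06252: The policy store is not available;",
    "Caused By: java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:OAM11gApplication Actions:getApplicationPolicy)",
    'Caused By: java.lang.RuntimeException: java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=OAM_STORE,keyName=coh" "read")',
    "Caused by: java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=OAM_STORE,keyName=jks read)",
    "at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)",
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for (perm, target, actions), n in report["denials"].items():
        print(f"{n}x {perm} [{actions}] on {target}")
    for marker, n in report["markers"].items():
        print(f"{n}x {marker}")
```

Grouping the denials by permission class and target shows at a glance whether the policy store, the credential store (OAM_STORE keys), or both are being refused after a patch.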

 

Changes

A PSU was applied to the WebLogic Server on which OAM is deployed.

Cause
