Reassociating Policy Store To OID 11g Fails for FMW Applications with: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Referential integrity constraint violated for uniquemember. Specified value does not exist in directory.]

(Doc ID 1939786.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Internet Directory - Version 11.1.1 and later
Oracle Platform Security for Java - Version All and later
Information in this document applies to any platform.

Goal

For Fusion Middleware (FMW) cluster applications (e.g., WebCenter Spaces or WCS, SOA, OBIEE, etc.), reassociation of the security store from system-jazn-data.xml to an Oracle Internet Directory (OID) 11g store fails with:

wls:/WCSPrdDomain/serverConfig> reassociateSecurityStore(domain="WCSPrdDomain",admin="cn=orcladmin", password="mypassword", ldapurl="ldap://myoidhost.mycompany.com:3060",servertype="OID",jpsroot="cn=root_wcs")
Already in Domain Runtime Tree

Starting policy store reassociation.
The store and ServiceConfigurator setup done.
Schema is seeded into the store
Command FAILED, Reason: oracle.security.jps.service.policystore.PolicyStoreOperationNotAllowedException: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Referential integrity constraint violated for uniquemember. Specified value does not exist in directory.]; remaining name 'cn=SystemAdmin,cn=Admin Roles,cn=Admin Policies,cn=SystemPolicy,cn=WCSPrdDomain,cn=JPSContext,cn=root_wcs'

Traceback (innermost last):
 File "", line 1, in ?
 File "/opt/ora/middleware/oracle_common/common/wlst/jpsWlstCmd.py", line 1569, in reassociateSecurityStore
 File "/opt/ora/middleware/oracle_common/common/wlst/jpsWlstCmd.py", line 1543, in reassociateSecurityStoreImpl
  at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
  at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:223)
  at javax.management.remote.rmi.RMIConnectionImpl_1036_WLStub.invoke(Unknown Source)
  at weblogic.management.remote.common.RMIConnectionWrapper$16.run(ClientProviderBase.java:918)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
  at weblogic.security.Security.runAs(Security.java:61)
  at weblogic.management.remote.common.RMIConnectionWrapper.invoke(ClientProviderBase.java:916)
  at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:993)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)

javax.management.MBeanException: javax.management.MBeanException: oracle.security.jps.service.policystore.PolicyStoreOperationNotAllowedException: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Referential integrity constraint violated for uniquemember. Specified value does not exist in directory.]; remaining name 'cn=SystemAdmin,cn=Admin Roles,cn=Admin Policies,cn=SystemPolicy,cn=WCSPrdDomain,cn=JPSContext,cn=root_wcs'


The only workaround available is to go into the OID shared properties within the Enterprise Manager (EM) Fusion Middleware (FMW) Control console, disable Referential Integrity (RI), then go back to the application and reassociate the policy store. Then run oiddiag to report any RI issues. Once they are found, oiddiag creates an LDIF file for manually fixing the problem entries. RI also needs to be enabled again afterwards; after that, it appears to work going forward.

One concern is that running ldapmodify to clean up the RI problem entries risks breaking the application whose policy store was just reassociated.

Is there a workaround for this type of behavior?
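The referential-integrity condition behind the error 53 above, as an added example (not from Oracle's note or tooling): a read-only Python check that lists uniquemember values in an LDIF export that match no entry in that export, so they can be reviewed before anything is changed with ldapmodify. The sample LDIF and its DNs are constructed, DN matching is simplified (no escaped commas), and the export is assumed to contain every entry a member could reference.

```python
import base64

# Constructed sample export; every DN here is illustrative.
SAMPLE_LDIF = """\
dn: cn=appadmin,cn=root_wcs
objectclass: person

dn: cn=SystemAdmin,cn=Admin Roles,cn=root_wcs
objectclass: groupOfUniqueNames
uniquemember: cn=appadmin,cn=root_wcs
uniquemember: CN=Ghost User, cn=root_wcs
uniquemember:: Y249bWlzc2luZyxjbj1yb290X3djcw==
"""

def norm_dn(dn):
    """Case-fold and trim spaces around RDN separators (simplified DN matching)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]) per entry; handles folding and base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entry = []
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry and entry[0][0] == "dn":
                yield entry[0][1], entry[1:]
            entry = []
            continue
        attr, _, rest = line.partition(":")
        # "attr:: <base64>" carries an encoded value (RFC 2849)
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                 if rest.startswith(":") else rest.strip())
        entry.append((attr.strip().lower(), value))

def dangling_uniquemembers(text):
    """Return [(group_dn, member_dn)] where member_dn matches no entry in the export."""
    entries = list(parse_ldif(text))
    known = {norm_dn(dn) for dn, _ in entries}
    return [(dn, v) for dn, attrs in entries for a, v in attrs
            if a == "uniquemember" and norm_dn(v) not in known]

if __name__ == "__main__":
    for group, member in dangling_uniquemembers(SAMPLE_LDIF):
        print(f"{group}: uniquemember -> {member} (no such entry)")
```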
 

Solution
