Reassociating Policy Store To OID 11g Fails for FMW Applications with: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Referential integrity constraint violated for uniquemember. Specified value does not exist in directory.] (Doc ID 1939786.1)

Last updated on MAY 24, 2021

Applies to:

Oracle Internet Directory - Version 11.1.1 and later
Oracle Platform Security for Java - Version All and later
Information in this document applies to any platform.

Goal

Reassociating the security store of Fusion Middleware (FMW) cluster applications (e.g., WebCenter Spaces or WCS, SOA, OBIEE, etc.) from system-jazn-data.xml to an Oracle Internet Directory (OID) 11g store fails with:

wls:/WCSPrdDomain/serverConfig> reassociateSecurityStore(domain="WCSPrdDomain",admin="cn=orcladmin", password="<PASSWORD>", ldapurl="ldap://<OID_HOSTNAME>:<PORT>",servertype="OID",jpsroot="cn=root_wcs")
Already in Domain Runtime Tree

Starting policy store reassociation.
The store and ServiceConfigurator setup done.
Schema is seeded into the store
Command FAILED, Reason: oracle.security.jps.service.policystore.PolicyStoreOperationNotAllowedException: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Referential integrity constraint violated for uniquemember. Specified value does not exist in directory.]; remaining name 'cn=SystemAdmin,cn=Admin Roles,cn=Admin Policies,cn=SystemPolicy,cn=WCSPrdDomain,cn=JPSContext,cn=root_wcs'

Traceback (innermost last):
 File "", line 1, in ?
 File "/opt/ora/middleware/oracle_common/common/wlst/jpsWlstCmd.py", line 1569, in reassociateSecurityStore
 File "/opt/ora/middleware/oracle_common/common/wlst/jpsWlstCmd.py", line 1543, in reassociateSecurityStoreImpl
  at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
  at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:223)
  at javax.management.remote.rmi.RMIConnectionImpl_1036_WLStub.invoke(Unknown Source)
  at weblogic.management.remote.common.RMIConnectionWrapper$16.run(ClientProviderBase.java:918)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
  at weblogic.security.Security.runAs(Security.java:61)
  at weblogic.management.remote.common.RMIConnectionWrapper.invoke(ClientProviderBase.java:916)
  at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:993)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)

javax.management.MBeanException: javax.management.MBeanException: oracle.security.jps.service.policystore.PolicyStoreOperationNotAllowedException: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Referential integrity constraint violated for uniquemember. Specified value does not exist in directory.]; remaining name 'cn=SystemAdmin,cn=Admin Roles,cn=Admin Policies,cn=SystemPolicy,cn=WCSPrdDomain,cn=JPSContext,cn=root_wcs'


The only workaround available is to go into the OID shared properties in the Enterprise Manager (EM) Fusion Middleware (FMW) Control console, disable Referential Integrity (RI), then go back to the application and reassociate the policy store. Next, run oiddiag to report any RI issues. Once they are found, oiddiag creates an LDIF file for manually fixing the problem entries. RI must then be enabled again, after which it appears to work going forward.

One concern is that running ldapmodify to clean up the RI problem entries risks breaking the application whose policy store was just reassociated.

Is there a workaround for this type of behavior?
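As an added illustration (not part of the original note and not Oracle's tooling), the following read-only check lists uniquemember values in an LDIF export that point at DNs absent from that export, which is the condition the error 53 message describes, so the affected entries can be reviewed before any ldapmodify cleanup. It assumes an LDIF dump of the policy store subtree is available; the sample entries and the cn=root_example name are constructed, DN comparison is simplified (no escaped commas), and members that live outside the exported subtree will also be reported.

```python
import base64
import re

# Constructed sample export (not from the original note): one role whose
# second uniquemember points at an entry that is missing from the dump.
SAMPLE_LDIF = """\
dn: cn=root_example
objectclass: top

dn: cn=AppAdmin,cn=root_example
objectclass: top

dn: cn=SystemAdmin,cn=Admin Roles,cn=root_example
objectclass: groupOfUniqueNames
uniquemember: CN=AppAdmin, cn=root_example
uniquemember: cn=MissingRole,cn=Admin Roles,
 cn=root_example
"""

def norm_dn(dn):
    """Case-fold a DN and drop spaces around ',' and '=' for comparison."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]) per entry; handles folding and base64."""
    unfolded = re.sub(r"\r?\n ", "", text)          # RFC 2849 line folding
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        attrs = []
        for line in block.splitlines():
            m = re.match(r"([A-Za-z0-9;.-]+)(::?)\s*(.*)", line)
            if not m:
                continue                             # comment lines
            value = m.group(3)
            if m.group(2) == "::":                   # base64-encoded value
                value = base64.b64decode(value).decode("utf-8")
            attrs.append((m.group(1).lower(), value))
        if attrs and attrs[0][0] == "dn":
            yield attrs[0][1], attrs[1:]

def dangling_uniquemembers(text):
    """Return (entry_dn, member_dn) pairs whose member DN is not in the dump."""
    entries = list(parse_ldif(text))
    known = {norm_dn(dn) for dn, _ in entries}
    return [(dn, v) for dn, attrs in entries for a, v in attrs
            if a == "uniquemember" and norm_dn(v) not in known]

if __name__ == "__main__":
    for entry, member in dangling_uniquemembers(SAMPLE_LDIF):
        print(f"{entry}: uniquemember -> {member} (not in export)")
```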
 

Solution

To view full details, sign in with your My Oracle Support account.
