OPSS - After set OUD authenticator Provider in Weblogic Console getting JPS-00056 and JPS-00027 error (Doc ID 2097485.1)

Last updated on JANUARY 20, 2016

Applies to:

Oracle Platform Security for Java - Version 11.1.1.7.0 to 12.1.3.0.0 [Release Oracle11g to 12c]
Information in this document applies to any platform.

Symptoms

On OPSS 12.1.3.0.0 (Java Platform Security from Oracle WebLogic Server 12.1.3.0.0), when setting up OUD as the identity store:

OUD Authenticator security provider order issue

Moving the OUDAuthenticator above the DefaultAuthenticator causes WebLogic Admin Server startup to fail with this JPS error message:


####<Dec 18, 2015 12:43:37 PM EST> <Error> <Security> <qa-wls-shared1.nslc.org> <AdminServer> <[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <6166bc60-550c-4a17-9482-924a220cebd8-00000001> <1450460617736> <BEA-090892> <The loading of an OPSS java security policy provider failed due to an exception. See the exception stack trace or the server log file for the root cause. If there is no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: null>
####<Dec 18, 2015 12:43:37 PM EST> <Critical> <WebLogicServer> <qa-wls-shared1.nslc.org> <AdminServer> <main> <<WLS Kernel>> <> <> <1450460617748> <BEA-000386> <Server subsystem failed. Reason: A MultiException has 8 exceptions. They are:
1. weblogic.security.SecurityInitializationException: The loading of an OPSS java security policy provider failed due to an exception. See the exception stack trace or the server log file for the root cause. If there is no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: null
2. java.lang.IllegalStateException: Unable to perform operation: post construct on weblogic.security.PreSecurityService
3. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.security.SecurityService errors were found
4. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.security.SecurityService
5. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.jndi.internal.RemoteNamingService errors were found
6. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.jndi.internal.RemoteNamingService
7. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.protocol.ProtocolHandlerService errors were found
8. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.protocol.ProtocolHandlerService

A MultiException has 8 exceptions. They are:
1. weblogic.security.SecurityInitializationException: The loading of an OPSS java security policy provider failed due to an exception. See the exception stack trace or the server log file for the root cause. If there is no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: null
2. java.lang.IllegalStateException: Unable to perform operation: post construct on weblogic.security.PreSecurityService
3. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.security.SecurityService errors were found
4. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.security.SecurityService
5. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.jndi.internal.RemoteNamingService errors were found
6. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.jndi.internal.RemoteNamingService
7. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.protocol.ProtocolHandlerService errors were found
8. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.protocol.ProtocolHandlerService

at org.jvnet.hk2.internal.Collector.throwIfErrors(Collector.java:88)
at org.jvnet.hk2.internal.ClazzCreator.resolveAllDependencies(ClazzCreator.java:269)
.......
Caused By: weblogic.security.SecurityInitializationException: The loading of an OPSS java security policy provider failed due to an exception. See the exception stack trace or the server log file for the root cause. If there is no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: null
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1487)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.preInitialize(CommonSecurityServiceManagerDelegateImpl.java:1090)
at weblogic.security.service.SecurityServiceManager.preInitialize(SecurityServiceManager.java:925)
at weblogic.security.PreSecurityService.start(PreSecurityService.java:139)
......
Caused By: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
......
Caused By: oracle.security.jps.JpsException: JPS-00056: Failed to create identity store service instance idstore.ldap.provider:idstore.ldap. Reason: oracle.security.jps.JpsRuntimeException: JPS-00027: internal error You configured a generic WLS LDAPAuthenticator.
The identity store type cannot be determined. Please choose an LDAP Authentication provider that matches your LDAP server.
at oracle.security.jps.internal.config.OpssCommonStartup.start(OpssCommonStartup.java:211)
at oracle.security.jps.wls.JpsWlsStartup.start(JpsWlsStartup.java:80)
at oracle.security.jps.JpsStartup.start(JpsStartup.java:186)
......
Caused By: oracle.security.jps.service.idstore.IdentityStoreException: JPS-00056: Failed to create identity store service instance idstore.ldap.provider:idstore.ldap. Reason: oracle.security.jps.JpsRuntimeException: JPS-00027: internal error You configured a generic WLS LDAPAuthenticator.
The identity store type cannot be determined. Please choose an LDAP Authentication provider that matches your LDAP server.
at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getIdStoreConfig(LdapIdentityStoreProvider.java:173)
at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.access$200(LdapIdentityStoreProvider.java:88)
at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider$NoLibOvd.getInstance(LdapIdentityStoreProvider.java:222)
at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:114)
at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:121)
...........
Caused By: oracle.security.jps.JpsRuntimeException: JPS-00027: internal error You configured a generic WLS LDAPAuthenticator.
The identity store type cannot be determined. Please choose an LDAP Authentication provider that matches your LDAP server
at oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider$WlsLdapIdStoreDescriptor.checkIdStoreType(WlsLdapIdStoreConfigProvider.java:371)
at oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider$WlsLdapIdStoreDescriptor.getProperties(WlsLdapIdStoreConfigProvider.java:171)
at oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider$WlsLdapIdStoreDescriptor.<init>(WlsLdapIdStoreConfigProvider.java:124)
at oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider.getIdentityStoreConfig(WlsLdapIdStoreConfigProvider.java:94)
..........
>
####<Dec 18, 2015 12:43:37 PM EST> <Notice> <WebLogicServer> <qa-wls-shared1.nslc.org> <AdminServer> <main> <<WLS Kernel>> <> <> <1450460617761> <BEA-000365> <Server state changed to FAILED.>
####<Dec 18, 2015 12:43:37 PM EST> <Error> <WebLogicServer> <qa-wls-shared1.nslc.org> <AdminServer> <main> <<WLS Kernel>> <> <> <1450460617762> <BEA-000383> <A critical service failed. The server will shut itself down.>
####<Dec 18, 2015 12:43:37 PM EST> <Notice> <WebLogicServer> <qa-wls-shared1.nslc.org> <AdminServer> <main> <<WLS Kernel>> <> <> <1450460617763> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN.>


The issue can be reproduced at will with the following steps:
1. In WLS Administration Console
2. Go to Security Realms -> Providers -> Authentication
3. Change the order of Authentication Provider, save changes
4. Restart

The issue has the following business impact:
Due to this issue, users cannot start the Admin Server successfully after reordering the ATN providers in the WLS console.
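
The startup log above buries the actionable error (JPS-00027) at the bottom of a nested "Caused By" chain. The following is an added example, not part of the original document or Oracle's tooling: a small parser that walks that chain and returns the innermost cause. The sample log is constructed from abbreviated lines of the log shown above, and the function names are hypothetical.

```python
import re

# Constructed sample: abbreviated lines in the shape of the server log above.
SAMPLE_LOG = """\
####<Dec 18, 2015 12:43:37 PM EST> <Critical> <WebLogicServer> <host> <AdminServer> <main> <<WLS Kernel>> <> <> <1450460617748> <BEA-000386> <Server subsystem failed. Reason: A MultiException has 8 exceptions.
.......
Caused By: weblogic.security.SecurityInitializationException: The loading of an OPSS java security policy provider failed due to an exception. Error message: null
at weblogic.security.PreSecurityService.start(PreSecurityService.java:139)
Caused By: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Caused By: oracle.security.jps.JpsException: JPS-00056: Failed to create identity store service instance idstore.ldap.provider:idstore.ldap. Reason: oracle.security.jps.JpsRuntimeException: JPS-00027: internal error You configured a generic WLS LDAPAuthenticator.
The identity store type cannot be determined. Please choose an LDAP Authentication provider that matches your LDAP server.
at oracle.security.jps.JpsStartup.start(JpsStartup.java:186)
Caused By: oracle.security.jps.JpsRuntimeException: JPS-00027: internal error You configured a generic WLS LDAPAuthenticator.
The identity store type cannot be determined. Please choose an LDAP Authentication provider that matches your LDAP server
at oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider$WlsLdapIdStoreDescriptor.checkIdStoreType(WlsLdapIdStoreConfigProvider.java:371)
>
####<Dec 18, 2015 12:43:37 PM EST> <Notice> <WebLogicServer> <host> <AdminServer> <main> <<WLS Kernel>> <> <> <1450460617761> <BEA-000365> <Server state changed to FAILED.>
"""

CAUSE_RE = re.compile(r"^Caused By: (?P<cls>[\w.$]+)(?:: (?P<msg>.*))?$")
CODE_RE = re.compile(r"\b(?:JPS|BEA)-\d{5,6}\b")

def cause_chain(log_text):
    """Return the 'Caused By' chain, outermost first."""
    chain, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CAUSE_RE.match(line)
        if m:
            cur = {"cls": m["cls"], "msg": m["msg"] or "", "frame": None}
            chain.append(cur)
        elif cur is None or not line.strip("."):
            continue                      # outside a trace, blank, or "......" elision
        elif line == ">" or line.startswith("####<"):
            cur = None                    # the record carrying the trace has ended
        elif line.startswith("at "):
            cur["frame"] = cur["frame"] or line[3:]   # keep only the throwing frame
        elif cur["frame"] is None:
            cur["msg"] += " " + line      # message wrapped onto the next line
    return chain

def root_cause(log_text):
    """Innermost cause: class, JPS/BEA codes in its message, throwing frame."""
    chain = cause_chain(log_text)
    if not chain:
        return None
    root = chain[-1]
    return {"cls": root["cls"], "codes": CODE_RE.findall(root["msg"]),
            "frame": root["frame"], "depth": len(chain)}
```

Calling `root_cause()` on the full text of an AdminServer log reports the last exception in the chain, which here is the JPS-00027 identity store type check rather than the generic BEA-090892 wrapper.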

Cause
