OWSM Policies in a Policy Set Can't Be Altered or Changed (Doc ID 2721185.1)

Last updated on MAY 25, 2023

Applies to:

Symptoms

In a particular usecase there is an attempt to override the "local-optimization" property of the wss_username_token_client_policy.  In order to do this, it is necessary to make a user copy of the policy so that there is access to the settings necessary to be adjusted.

The policy in question is being attached through a policy set but it appears from looking at the logs that the incorrect policy is being referenced in the policy set.  Instead of the copy being used, the policy set is using the original policy that cannot have the setting altered.

When running the wlst command checkWSMStatus() in the domainto see if there are any underlying issues, the following error is returned:

...

Policy Manager:

FAILED.
Message(s):
OWSM Policy Manager connection URL is "<URL1>:<PORT1>,<URL2>:<PORT2>,...".
oracle.wsm.policymanager.PolicyManagerException: Unable to get the Action Executor due to "javax.security.auth.login.FailedLoginException: [Security:090938]Authentication failure: The specified user failed to log in. javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User specified user denied". <message format not found in bundle type policymanager>
at oracle.wsm.policymanager.BeanFactory.getActionExecutor(BeanFactory.java:354)
at oracle.wsm.policymanager.BeanFactory.getBeanEJB(BeanFactory.java:606)
at oracle.wsm.policymanager.BeanFactory.getBean(BeanFactory.java:511)
at oracle.wsm.config.mbean.impl.ConfigurationManagerMbeanImpl$5.run(ConfigurationManagerMbeanImpl.java:2626)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.wsm.config.mbean.impl.ConfigurationManagerMbeanImpl.getBeanAsPrivileged(ConfigurationManagerMbeanImpl.java:2622)
at oracle.wsm.config.mbean.impl.ConfigurationManagerMbeanImpl.getBean(ConfigurationManagerMbeanImpl.java:2601)
at oracle.wsm.config.mbean.impl.ConfigurationManagerMbeanImpl.getBean(ConfigurationManagerMbeanImpl.java:2582)
at oracle.wsm.config.mbean.impl.ConfigurationManagerMbeanImpl.checkPMConfiguration(ConfigurationManagerMbeanImpl.java:2376)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at oracle.as.jmx.framework.standardmbeans.spi.OracleStandardEmitterMBean.doInvoke(OracleStandardEmitterMBean.java:918)
at oracle.adf.mbean.share.AdfMBeanInterceptor.internalInvoke(AdfMBeanInterceptor.java:104)
at oracle.as.jmx.framework.generic.spi.interceptors.AbstractMBeanInterceptor.doInvoke(AbstractMBeanInterceptor.java:252)
at oracle.as.jmx.framework.generic.spi.security.AbstractMBeanSecurityInterceptor.internalInvoke(AbstractMBeanSecurityInterceptor.java:192)
at oracle.as.jmx.framework.generic.spi.interceptors.AbstractMBeanInterceptor.doInvoke(AbstractMBeanInterceptor.java:252)
at oracle.security.jps.ee.jmx.JpsJmxInterceptor$2.run(JpsJmxInterceptor.java:423)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:650)
at oracle.security.jps.ee.jmx.JpsJmxInterceptor.internalInvoke(JpsJmxInterceptor.java:442)
at oracle.as.jmx.framework.generic.spi.interceptors.AbstractMBeanInterceptor.doInvoke(AbstractMBeanInterceptor.java:252)
at oracle.as.jmx.framework.generic.spi.interceptors.ContextClassLoaderMBeanInterceptor.internalInvoke(ContextClassLoaderMBeanInterceptor.java:100)
at oracle.as.jmx.framework.generic.spi.interceptors.AbstractMBeanInterceptor.doInvoke(AbstractMBeanInterceptor.java:252)
at oracle.as.jmx.framework.generic.spi.interceptors.MBeanRestartInterceptor.internalInvoke(MBeanRestartInterceptor.java:116)
at oracle.as.jmx.framework.generic.spi.interceptors.AbstractMBeanInterceptor.doInvoke(AbstractMBeanInterceptor.java:252)
at oracle.as.jmx.framework.standardmbeans.spi.OracleStandardEmitterMBean.invoke(OracleStandardEmitterMBean.java:834)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$21.run(WLSMBeanServerInterceptorBase.java:589)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:587)
at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:249)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$21.run(WLSMBeanServerInterceptorBase.java:589)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:587)
at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:439)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$21.run(WLSMBeanServerInterceptorBase.java:589)
at java.security.AccessController.doPrivileged(Native Method)
...
at weblogic.work.ExecuteThread.run(ExecuteThread.java:360)

Policy Manager Per Url Health:
Policy Manager Access status on URL "<URL1>:<PORT1>" is "FAILED".
Policy Manager Access status on URL "<URL2>:<PORT2>" is "FAILED".
...
Error in binding Policy Manager Url with agent.
Policy Manager User Configuration:
User is locked out and not a valid PM application accessor
Policy Manager Diagnostic Messages:
Message(s):
Possible reason of failure could be : Invalid PM URL, PM application is in failed state, PM Server is not up, Invalid PM User, PM Template is not applied.
Policy Manager Url Configuration Diagnosis:
The diagnostic messages are not available for this situation. See the stack trace for more details.
Policy Manager User Configuration Diagnosis:
Make sure that user is unlocked in security configuration

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.