Friday, November 2, 2012

WebLogic Issues

#Issue: WebLogic Admin Server does not start because the orcladmin LDAP password configured for the Oracle Internet Directory (OID) authentication provider is wrong.
This happens when SSO authentication has been enabled in WebLogic and the SSO (OID) authentication provider has been moved to the top of the provider list: the Admin Server now tries to bind to OID first, the bind is rejected with LDAP result code 49 (Invalid credentials), and the server fails to come up.

Error Message:
weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection
        at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:3483)
        at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:3470)
        at weblogic.security.providers.authentication.LDAPAtnDelegate.userExists(LDAPAtnDelegate.java:2314)
        at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:193)
        at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
        at $Proxy25.login(Unknown Source)
        at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
        at com.bea.common.security.internal.service.IdentityImpersonationServiceImpl.impersonateIdentity(IdentityImpersonationServiceImpl.java:128)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
Caused by: java.lang.reflect.InvocationTargetException
        at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:4157)
        at weblogic.security.utils.Pool.newInstance(Pool.java:37)
        at weblogic.security.utils.Pool.getInstance(Pool.java:33)
        at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:3478)
        ... 39 more
Caused by: netscape.ldap.LDAPException: error result (49); Invalid credentials
        at netscape.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4871)
        at netscape.ldap.LDAPConnection.simpleBind(LDAPConnection.java:1766)
        at netscape.ldap.LDAPConnection.authenticate(LDAPConnection.java:1264)
        at netscape.ldap.LDAPConnection.authenticate(LDAPConnection.java:1273)
        at netscape.ldap.LDAPConnection.bind(LDAPConnection.java:1562)
        at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:4134)
        ... 42 more
   
Caused by: java.lang.reflect.InvocationTargetException
        at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:4157)
        at weblogic.security.utils.Pool.newInstance(Pool.java:37)
        at weblogic.security.utils.Pool.getInstance(Pool.java:33)
        at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:3478)
        ... 64 more
Caused by: netscape.ldap.LDAPException: error result (49); Invalid credentials
        at netscape.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4871)
        at netscape.ldap.LDAPConnection.simpleBind(LDAPConnection.java:1766)
        at netscape.ldap.LDAPConnection.authenticate(LDAPConnection.java:1264)

Solution:
Back up the existing configuration file,
$WL_HOME/user_projects/domains/SOAOSBDevDomain/config/config.xml
then edit the OID authentication provider entry in it and put the correct orcladmin password in clear text in the <wls:credential-encrypted> element, as in the fragment below. On the next Admin Server start WebLogic reads the clear-text value and writes it back in encrypted form. Once the server is up, confirm that the element no longer contains the plain password, and delete or lock down the backup copy, which still holds the password in clear text.

    <realm>
      <sec:authentication-provider xsi:type="wls:oracle-internet-directory-authenticatorType">
        <sec:name>OID_AUTH</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
        <wls:host>pvttap03</wls:host>
        <wls:principal>cn=orcladmin</wls:principal>
        <wls:user-base-dn>cn=users,dc=Mytestserver,dc=ae</wls:user-base-dn>
        <wls:credential-encrypted>PWD123**</wls:credential-encrypted>
        <wls:group-base-dn>cn=WLS_ADMIN,cn=Groups,dc=Mytestserver,dc=ae</wls:group-base-dn>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType">
        <wls:use-retrieved-user-name-as-principal>true</wls:use-retrieved-user-name-as-principal>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
      <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
        <sec:name>SystemPasswordValidator</sec:name>
        <pas:min-password-length>8</pas:min-password-length>
        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
      </sec:password-validator>
    </realm>
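The procedure above, as an added shell example that is not code from the original post: it backs up config.xml with restrictive permissions (the backup holds the clear-text password), rewrites only the named provider's <wls:credential-encrypted> element with an XML-escaped password, and provides a check to run after the Admin Server has restarted that confirms WebLogic replaced the clear text with an encrypted value. The provider name OID_AUTH comes from the post; the {AES}/{3DES} prefix test is an assumption about how WebLogic 11g/12c writes encrypted attributes, and the realm fragment written by make_sample_config is constructed for the demonstration, not a real domain's config.xml.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the fix described
# above with three safeguards the post skips. The backup is created mode
# 0600 because it holds the clear-text password, only the named provider's
# element is rewritten, and a post-restart check confirms WebLogic replaced
# the clear text with an encrypted value.
# Assumptions: provider name OID_AUTH as in the post; encrypted values carry
# the {AES} or {3DES} prefix WebLogic 11g/12c writes into config.xml.

# xml_escape PASSWORD: make the password safe to place in an XML text node.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# set_provider_credential CONFIG_XML PROVIDER_NAME NEW_PASSWORD
# Returns 0 when exactly one element was rewritten, 1 when the provider was
# not found (file left untouched), 2 on file errors.
set_provider_credential() {
    cfg="$1"; provider="$2"; pw="$3"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    backup="$cfg.$(date +%Y%m%d%H%M%S).bak"
    ( umask 077 && cp "$cfg" "$backup" ) || return 2
    tmp="$cfg.tmp.$$"
    # Pass values through ENVIRON, not awk -v, so a backslash in the password
    # is not interpreted as an escape sequence.
    NEW_PW="$(xml_escape "$pw")" PROVIDER="$provider" awk '
        /<sec:authentication-provider/ { inblock = 1; name = "" }
        inblock && /<sec:name>/ {
            name = $0
            sub(/.*<sec:name>/, "", name); sub(/<\/sec:name>.*/, "", name)
        }
        inblock && name == ENVIRON["PROVIDER"] && /<wls:credential-encrypted>/ {
            match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
            # Build the line instead of using sub(): "&" in a sub() replacement
            # would stand for the matched text, not a literal ampersand.
            print indent "<wls:credential-encrypted>" ENVIRON["NEW_PW"] "</wls:credential-encrypted>"
            replaced++
            next
        }
        /<\/sec:authentication-provider>/ { inblock = 0 }
        { print }
        END { exit replaced == 1 ? 0 : 1 }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; echo "provider $provider: no single credential element found" >&2; return 1; }
    mv "$tmp" "$cfg"
}

# credential_of CONFIG_XML PROVIDER_NAME: print the provider's stored credential.
credential_of() {
    PROVIDER="$2" awk '
        /<sec:authentication-provider/ { inblock = 1; name = "" }
        inblock && /<sec:name>/ { name = $0; sub(/.*<sec:name>/, "", name); sub(/<\/sec:name>.*/, "", name) }
        inblock && name == ENVIRON["PROVIDER"] && /<wls:credential-encrypted>/ {
            v = $0; sub(/.*<wls:credential-encrypted>/, "", v); sub(/<\/wls:credential-encrypted>.*/, "", v); print v
        }
        /<\/sec:authentication-provider>/ { inblock = 0 }
    ' "$1"
}

# credential_is_encrypted CONFIG_XML PROVIDER_NAME
# Run after the Admin Server has restarted: returns 0 only if the stored value
# carries the {AES} or {3DES} prefix (assumed WebLogic encrypted-attribute
# format), i.e. the clear-text password is no longer in config.xml.
credential_is_encrypted() {
    case "$(credential_of "$1" "$2")" in
        '{AES}'*|'{3DES}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_sample_config PATH: writes a constructed realm fragment (not a real
# domain's config.xml) so the functions above can be exercised offline.
make_sample_config() {
    cat > "$1" <<'EOF'
<realm>
  <sec:authentication-provider xsi:type="wls:oracle-internet-directory-authenticatorType">
    <sec:name>OID_AUTH</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:principal>cn=orcladmin</wls:principal>
    <wls:credential-encrypted>WRONG_PWD</wls:credential-encrypted>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
    <sec:name>OTHER_LDAP</sec:name>
    <wls:credential-encrypted>{AES}untouched=</wls:credential-encrypted>
  </sec:authentication-provider>
  <sec:name>myrealm</sec:name>
</realm>
EOF
}
```

With the Admin Server stopped, run `set_provider_credential $WL_HOME/user_projects/domains/SOAOSBDevDomain/config/config.xml OID_AUTH 'the-real-password'`, start the server, then run `credential_is_encrypted` against the same file. If it still reports clear text, the value was not picked up and should not be left in place; in either case remove the `.bak` copy, which contains the password in the clear, once the domain is confirmed working.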
