Friday, February 26, 2016

Resolving: BEA-090892 - The loading of OPSS java security policy provider failed due to exception

Hi,

A quick tip: this error can occur for many reasons, and I am documenting only one of the cases here. Sometimes, when you create a WebLogic cluster and then pack and unpack your domain files, some Java security policies do not get updated on the second node.

Problem:


When you try to start a Managed Server, you might see the following error in the logs, and the server will fail to start. In my case I was installing Oracle Entitlement Server (OES) in a cluster environment. (I have seen this exception on other occasions as well, so it's good to get it documented.)

(For the solution, scroll down past the error log.)

<Feb 22, 2016 3:30:35 PM CST> <Error> <Security> <BEA-090892> <The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=OES_SYMMETRIC_KEY_MAP,keyName=OES_SYMMETRIC_KEY_alias" "read")>
<Feb 22, 2016 3:30:35 PM CST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=OES_SYMMETRIC_KEY_MAP,keyName=OES_SYMMETRIC_KEY_alias" "read")
weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=OES_SYMMETRIC_KEY_MAP,keyName=OES_SYMMETRIC_KEY_alias" "read")
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1402)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1022)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:888)
        at weblogic.security.SecurityService.start(SecurityService.java:141)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        Truncated. see log file for complete stacktrace
Caused By: java.lang.RuntimeException: java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=OES_SYMMETRIC_KEY_MAP,keyName=OES_SYMMETRIC_KEY_alias" "read")
        at oracle.security.jps.az.internal.runtime.encryption.CipherServiceFactory.getService(CipherServiceFactory.java:86)
        at oracle.security.jps.az.internal.runtime.pd.receiver.UpdatePolicySet.initCipherService(UpdatePolicySet.java:261)
        at oracle.security.jps.az.internal.runtime.pd.receiver.UpdatePolicySet.<init>(UpdatePolicySet.java:189)
        at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.initializeControlledPD(PDPServiceImpl.java:590)
        at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.initial(PDPServiceImpl.java:682)
        Truncated. see log file for complete stacktrace
Caused By: java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=OES_SYMMETRIC_KEY_MAP,keyName=OES_SYMMETRIC_KEY_alias" "read")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:395)
        at java.security.AccessController.checkPermission(AccessController.java:559)
        at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:478)
        at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:538)
        at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:564)
        Truncated. see log file for complete stacktrace
>
<Feb 22, 2016 3:30:35 PM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Feb 22, 2016 3:30:35 PM CST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Feb 22, 2016 3:30:35 PM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>


Solution:


The solution is to grant Java security permissions on the WebLogic resources. In my case it was Oracle Entitlement Server (OES), so I had to add the following to the weblogic.policy file, where all the security policies for WLS resources are defined.

1. Add the following to the weblogic.policy file located at $MIDDLEWARE_HOME/wlserver_10.3/server/lib:

grant codeBase "file:${oes.client.home}/-" {
        permission java.security.AllPermission;
};
2. Start the Managed Server again.
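The grant above gives every class under the OES client home java.security.AllPermission, while the log names only one denied permission. The following added example (not part of the original post) goes one step further than the post: it reads the "access denied" entries from a server log and renders a grant block that lists only those permissions. It assumes the narrower grant is tried iteratively, since further denials may show up on the next start; the function names are illustrative.

```python
import re

# The JVM renders a denied permission as: access denied ("<class>" "<target>" "<actions>")
# The actions field is absent for permissions that define none.
DENIED = re.compile(r'access denied \("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')

def denied_permissions(log_text):
    """Return the unique (class, target, actions) triples denied in the log, in order."""
    seen, result = set(), []
    for cls, target, actions in DENIED.findall(log_text):
        triple = (cls, target, actions)
        if triple not in seen:
            seen.add(triple)
            result.append(triple)
    return result

def grant_entry(code_base, permissions):
    """Render a policy-file grant block that lists only the given permissions."""
    lines = ['grant codeBase "%s" {' % code_base]
    for cls, target, actions in permissions:
        entry = '        permission %s "%s"' % (cls, target)
        if actions:
            entry += ', "%s"' % actions
        lines.append(entry + ';')
    lines.append('};')
    return '\n'.join(lines)

# Sample input: two entries abridged from the log in this post ("[...]" marks cuts).
SAMPLE_LOG = '''<Feb 22, 2016 3:30:35 PM CST> <Error> <Security> <BEA-090892> <[...] Error message: java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=OES_SYMMETRIC_KEY_MAP,keyName=OES_SYMMETRIC_KEY_alias" "read")>
Caused By: java.security.AccessControlException: access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=OES_SYMMETRIC_KEY_MAP,keyName=OES_SYMMETRIC_KEY_alias" "read")
'''

if __name__ == "__main__":
    # Same codeBase as the grant in step 1, but without AllPermission.
    print(grant_entry("file:${oes.client.home}/-", denied_permissions(SAMPLE_LOG)))
```

The -Djava.security.debug=jpspolicy flag mentioned in the error message can help surface any remaining denials after the narrower grant is in place.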

Hope it helps

Cheers,
Zeeshan Baig

Thursday, February 18, 2016

Presentation Slide: Cloud Explorations - Patterns and Practices

Hi,

Last week I presented a topic on Architecture for the Cloud Platform at RMOUG. The session went well; I had around 20-25 people at 8:30 AM, so no complaints.

Here are the slides from the session.