Monday, 28 April 2014

Solution for JpsException - The default DB policy store is missing for mixed mode

There are three types of policy store configurations supported by the WebLogic server and it comes with the file based policy store by default. The policy store can be maintained at file level, LDAP level or database level. In production mode, it is not recommended to use file based policy store since it is not as scalable as the other two types and also the LDAP based policy store adds an extra security layer.
The WebLogic server can be configured to use any one of the three different types of policy stores. There are two ways by which you can migrate the file based policy store to either database or LDAP based.
  • Using reassociateSecurityStore WLST command
  • Using Security Provider Configuration in Enterprise Manager
  • jps-config.xml is the file which stores the security configuration. The default jpsContext holds the configuration of the entire domain since this file is domain level. In case if you wish to configure application level security, you can embed another jpsContext in it. Following snippet shows a generic jpsContext of a WebLogic domain which is reassociated with an Oracle Internet Directory server. Note the .ldap extensions at the end of several service instance references.
    <jpsContext name="default">
        <serviceInstanceRef ref="credstore.ldap"/>
        <serviceInstanceRef ref="keystore.ldap"/>
        <serviceInstanceRef ref="policystore.ldap"/>
        <serviceInstanceRef ref="audit.ldap"/>
        <serviceInstanceRef ref="trust"/>
        <serviceInstanceRef ref="pdp.service"/>
        <serviceInstanceRef ref="attribute"/>
        <serviceInstanceRef ref="idstore.ldap"/>
    </jpsContext>
    Now let’s move to the main reason behind this blog post. Recently I configured one of my Oracle Adaptive Access Manager server to use OID based policy store. It is mandatory to restart the WebLogic server once it is reassociated. During startup, I encountered the following error and the server could not be started:
    <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-04001: Cannot read the default policy store.
    weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-04001: Cannot read the default policy store.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1402)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1022)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsRuntimeException: JPS-04001: Cannot read the default policy store.
    at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.<init>(PDPServiceImpl.java:355)
    at oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider.getInstance(PDPServiceProvider.java:89)
    at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139)
    at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:170)
    at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:191)
    Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.service.policystore.PolicyStoreException
    at oracle.security.jps.az.common.pd.service.PDServiceFinder.getPolicyDistributionService(PDServiceFinder.java:65)
    at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.initializeMixedMode(PDPServiceImpl.java:491)
    at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.initial(PDPServiceImpl.java:467)
    at oracle.security.jps.az.internal.runtime.service.PDPServiceImpl.<init>(PDPServiceImpl.java:352)
    at oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider.getInstance(PDPServiceProvider.java:89)
    Truncated. see log file for complete stacktrace
    Caused By: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at oracle.security.jps.az.common.pd.service.PDServiceFinder.getPolicyDistributionService(PDServiceFinder.java:53)
    Truncated. see log file for complete stacktrace
    Caused By: java.lang.RuntimeException: oracle.security.jps.JpsException: The default DB policy store is missing for mixed mode.
    at oracle.security.jps.az.internal.management.pd.PD.getPolicyDistributionService(PD.java:104)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsException: The default DB policy store is missing for mixed mode.
    at oracle.security.jps.az.internal.management.pd.PD.getPolicyDistributionService(PD.java:104)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    Truncated. see log file for complete stacktrace

    I have observed that you get this exception (oracle.security.jps.JpsRuntimeException: JPS-04001: Cannot read the default policy store.) whenever there is any problem in the security configurations of the WebLogic server. I think it is a generic exception which will not let you start the server. To solve this problem, you would need to observe the stacktrace more carefully. Most of the times the observation would lead you to verify the jps-config.xml file.
    You can see the exception - oracle.security.jps.JpsException: The default DB policy store is missing for mixed mode. And from the stacktrace, you can see that it arose from oracle.security.jps.az.internal.management.pd.PD.getPolicyDistributionService(PD.java:104) which means there is some inconsistency in the policy distribution service. Now you will need to check the PDP instance in the jps-config.xml file. You can see the policy distribution mode whose value is specified as mixed in my case :
    <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="mixed"/>.
    The parameter oracle.security.jps.runtime.pd.client.policyDistributionMode specifies the mode of policy distribution whose accepted values are controlled-push, non-controlled or controlled-pull. The value mixed indicates that the mode is a combination of controlled-pull and uncontrolled mode and it expects database policy store. Since I am using OID based policy store, I can get away with this exception by just removing this property from the pdp.service service instance which means the default distribution mode would be used during and after the initialization of security configurations of the WebLogic domain.
    In this way, to solve a security initialization problem during WebLogic server startup, you would need to analyse the stacktrace, from which you can identify the service instance or service provider in which there are high chances of inconsistencies to be found.
    This post is not just about the solution of the issue mentioned in the stacktrace but it gives an approach one should adapt in solving any problem of which you have sufficient stacktrace available.



























































    No comments: