@vegaasen
Last active November 14, 2017 11:01
WebLogic: List of WTFs and how to fix them

Error: EnterpriseManager and CredentialsStore: o.s.j.s.c.CredentialAccessPermission

Problem

Preface:

  • Oracle Enterprise Manager > Credential Store is used
  • We created our own store with the map "my.awsome.credential.map" and the key "sysadmin"
  • oracle.security.jps.service.credstore.CredentialAccessPermission errors were being thrown in the logs
  • The issues showed up in an Oracle SOA <=> Oracle OIM integration workflow

An exception related to the class "oracle.security.jps.service.credstore.CredentialAccessPermission" kept showing up in one of our applications' logs. It seemed to be related to the credential store we had added in Enterprise Manager:

access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=my.awsome.credential.map,keyName=*" "read")

As the error message does not describe the problem any more specifically than that, it was a bit unclear what the actual problem was while looking at it. In our case it turned out to be related to the weblogic user itself (the user that starts the WebLogic Application Server). Since we have integrated our application server with Active Directory, all roles and capabilities are configured there. However, this causes an issue. As per the documentation (which is not quite that Captain Obvious to find), it states that:

If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role.

..which again means that somehow, the user that is used to boot the application server must also be part of some "Admin Role" - whatever that means.

(=> Read more here: https://docs.oracle.com/middleware/1212/wls/SECMG/atn.htm#SECMG176)

Solution to ze problem

WebLogic Console

In order to fix this, apply the steps below to the user that is used to read the credential store, in the WebLogic Console (http://localhost:0000/console):

"Roles:"

  1. Security Realms > MyRealm > Realm Roles > Global Roles
  2. Edit Admin Role
  3. Include Account Operators
  4. Click save.

"Local roles:"

  1. Security Realms > MyRealm > Users & Groups > Groups > "New"
  2. Add Account Operators (local)
  3. Modify Account Operators (local)
  4. Add as Administrators (group inclusion)
  5. Save :-)

Enterprise Manager

Remember to add a permission grant for SOA on the credential store you have created. The permission target and action look similar to this (the same target string as in the "access denied" message above):

"context=SYSTEM,mapName=my.awsome.credential.map,keyName=*" "read"
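For reference, this is what a complete grant for that permission looks like in the domain's system-jazn-data.xml. This is an added example and not part of the gist; the codesource URL, the application name MyApp and the use of a file-based policy store (rather than a database or LDAP policy store) are assumptions. The target string is the one from the error above: the SYSTEM context, the map name, and keyName=* so that every key in the map is covered; the only action granted is read.

```xml
<!-- Added example: a permission grant in $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml.
     The codesource URL and the application name (MyApp) are assumptions; adjust them to the deployed app. -->
<jazn-policy>
  <grant>
    <grantee>
      <codesource>
        <!-- the code that is allowed to read the map: the deployed application's own classes -->
        <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/MyApp/-</url>
      </codesource>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
        <!-- same target string that appears in the "access denied" message -->
        <name>context=SYSTEM,mapName=my.awsome.credential.map,keyName=*</name>
        <!-- only "read" is granted; "write" would also let the code change the stored credential -->
        <actions>read</actions>
      </permission>
    </permissions>
  </grant>
</jazn-policy>
```

Keep the grant as narrow as you can: the codesource URL should point at the one application that actually needs the credential, and if that application only needs the "sysadmin" key from the preface, keyName=sysadmin is a tighter target than keyName=*. Checking the grantee and the actions in this file is also the quickest way to confirm whether a remaining "access denied" comes from the credential-store policy or from the WebLogic role setup described above.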

The problem should now be fixed :-).
