Preface:
- Oracle Enterprise Manager > Credential Store used
- Created our own store with the map "my.awsome.credential.map" and the key "sysadmin"
- The logs were full of oracle.security.jps.service.credstore.CredentialAccessPermission errors
- The issues occurred in an Oracle SOA <=> Oracle OIM integration workflow
Exceptions related to the class "oracle.security.jps.service.credstore.CredentialAccessPermission" kept showing up in one of our application's logs. They seemed to be related to the credential store we had added in Enterprise Manager:
access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=my.awsome.credential.map,keyName=*" "read")
As the error message does not describe the problem any more specifically than that, it was unclear at first what the actual cause was. In our case, however, it turned out to be related to the weblogic user itself (the user used to start WebLogic Application Server). Since we have integrated our application server with Active Directory, all roles and capabilities are configured there, and that is what causes the issue. The documentation (which is not exactly Captain Obvious to find) states that:
"If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
..which in turn means that the user used to start the application server must also be part of some "Admin Role" - whatever that means.
(Read more here: https://docs.oracle.com/middleware/1212/wls/SECMG/atn.htm#SECMG176)
To fix this, perform the steps below for the user that is used to access the credential store, in the WebLogic Console (http://localhost:0000/console):
"Roles:"
- Security Realms > MyRealm > Realm Roles > Global Roles
- Edit Admin Role
- Include Account Operators
- Click save.
"Local roles:"
- Security Realms > MyRealm > Users & Groups > Groups > "New"
- Add Account Operators (local)
- Modify Account Operators (local)
- Add as Administrators (group inclusion)
- Save :-)
Remember to also add the SOA configuration for the credential store you have created. The permission grant looks similar to:
"context=SYSTEM,mapName=my.awsome.credential.map,keyName=*" "read"
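As an added example (not part of the original post), the script below parses "access denied" lines of the form shown above out of a log, splits the permission target into its mapName/keyName fields, and builds the matching OPSS WLST grantPermission call. The sample log lines are constructed, and the codebase URL passed to wlst_grant is a placeholder you must replace with your application's actual codebase.

```python
import re

# Constructed sample log lines (not from the original post); the first one
# mirrors the access-denied message quoted above, the third is a variant.
SAMPLE_LOG = """\
<Warning> <oracle.jps.authorization> access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=my.awsome.credential.map,keyName=*" "read")
<Info> <oracle.soa> composite started
access denied ("oracle.security.jps.service.credstore.CredentialAccessPermission" "context=SYSTEM,mapName=other.map,keyName=sysadmin" "read,write")
"""

# Shape of the JPS message: access denied ("<class>" "<target>" "<actions>")
DENIED_RE = re.compile(
    r'access denied \("(?P<cls>[^"]+)" "(?P<target>[^"]+)" "(?P<actions>[^"]+)"\)')


def parse_denials(log_text):
    """Return one dict per access-denied line: permission class, raw target,
    actions, plus the mapName and keyName parsed out of the target string."""
    found = []
    for m in DENIED_RE.finditer(log_text):
        target = m.group("target")
        # target is "context=SYSTEM,mapName=...,keyName=..." -> key/value pairs
        fields = dict(kv.split("=", 1) for kv in target.split(","))
        found.append({
            "permClass": m.group("cls"),
            "permTarget": target,
            "permActions": m.group("actions"),
            "mapName": fields.get("mapName"),
            "keyName": fields.get("keyName"),
        })
    return found


def wlst_grant(denial, code_base_url):
    """Build the WLST grantPermission call that would satisfy one denial.
    code_base_url is a placeholder for the application's codebase."""
    return ('grantPermission(codeBaseURL="%s", permClass="%s", '
            'permTarget="%s", permActions="%s")' % (
                code_base_url, denial["permClass"],
                denial["permTarget"], denial["permActions"]))


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print("map=%s key=%s actions=%s" % (d["mapName"], d["keyName"], d["permActions"]))
        print(wlst_grant(d, "file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/PLACEHOLDER_APP/-"))
```

Note that keyName=* grants read access to every key in the map; if the application only needs "sysadmin", grant that key name instead.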
The problem should now be fixed :-).