5 Replies Latest reply on Apr 19, 2010 10:00 AM by 727826

    User weblogic is not permitted to boot the server

    758136
      Hi,

      I am new to OES and after running the configtool, creating the ASIAuthorizationProvider and ASIRoleMapperProvider (both has Defaul Identity Directory: wls_dir and Application Deployment Parent: //app/policy/wls_app), binding the SSM, i get this error when starting the WLS admin server:

      15:33:26.312 EVENT Starting Jetty/4.2.25
      15:33:26.859 WARN!! Delete existing temp dir C:\BEA_HOME_10\ales32-ssm\wls-ssm\i
      nstance\wls_ssm\work\jar_temp\Jetty__8000__ for WebApplicationContext[/,jar:file
      :/C:/BEA_HOME_10/ales32-ssm/wls-ssm/webapp/arme.war!/]
      15:33:30.515 EVENT Started WebApplicationContext[,ARMEService]
      15:33:32.562 EVENT Started SocketListener on 0.0.0.0:8000
      15:33:32.562 EVENT Started org.mortbay.jetty.Server@176bf9e
      ARME is started now
      <Mar 5, 2010 3:33:33 PM SGT> <Notice> <Security> <BEA-090082> <Security initiali
      zing using security realm wls.>
      <Mar 5, 2010 3:33:34 PM SGT> <Critical> <Security> <BEA-090404> <User weblogic i
      s not permitted to boot the server; The server policy may have changed in such a
      way that the user is no longer able to boot the server.Reboot the server with t
      he administrative user account or contact the system administrator to update the
      server policy definitions.>
      <Mar 5, 2010 3:33:34 PM SGT> <Critical> <WebLogicServer> <BEA-000386> <Server su
      bsystem failed. Reason: weblogic.security.SecurityInitializationException: User
      weblogic is not permitted to boot the server; The server policy may have changed
      in such a way that the user is no longer able to boot the server.Reboot the ser
      ver with the administrative user account or contact the system administrator to
      update the server policy definitions.
      weblogic.security.SecurityInitializationException: User weblogic is not permitte
      d to boot the server; The server policy may have changed in such a way that the
      user is no longer able to boot the server.Reboot the server with the administrat
      ive user account or contact the system administrator to update the server policy
      definitions.
      at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.do
      BootAuthorization(Unknown Source)
      at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.in
      itialize(Unknown Source)
      at weblogic.security.service.SecurityServiceManager.initialize(Unknown S
      ource)
      at weblogic.security.SecurityService.start(SecurityService.java:141)
      at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
      Truncated. see log file for complete stacktrace
      >
      <Mar 5, 2010 3:33:34 PM SGT> <Notice> <WebLogicServer> <BEA-000365> <Server stat
      e changed to FAILED>
      <Mar 5, 2010 3:33:34 PM SGT> <Error> <WebLogicServer> <BEA-000383> <A critical s
      ervice failed. The server will shut itself down>
      <Mar 5, 2010 3:33:34 PM SGT> <Notice> <WebLogicServer> <BEA-000365> <Server stat
      e changed to FORCE_SHUTTING_DOWN>
      Stopping PointBase server...
      PointBase server stopped.

      from the WLS AdminServer.log:
      ####<Mar 5, 2010 3:33:05 PM SGT> <Info> <Socket> <SGBLM010> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267774385687> <BEA-000436> <Allocating 3 reader threads.>
      ####<Mar 5, 2010 3:33:05 PM SGT> <Info> <Socket> <SGBLM010> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267774385687> <BEA-000446> <Native IO Enabled.>
      ####<Mar 5, 2010 3:33:06 PM SGT> <Info> <IIOP> <SGBLM010> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267774386531> <BEA-002014> <IIOP subsystem enabled.>
      ####<Mar 5, 2010 3:33:11 PM SGT> <Info> <Security> <SGBLM010> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267774391656> <BEA-000000> <Starting OpenJPA 1.0.0.1>
      ####<Mar 5, 2010 3:33:17 PM SGT> <Info> <Security> <SGBLM010> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267774397171> <BEA-090516> <The Authenticator provider has preexisting LDAP data.>
      ####<Mar 5, 2010 3:33:33 PM SGT> <Info> <Security> <SGBLM010> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267774413421> <BEA-090516> <The CredentialMapper provider has preexisting LDAP data.>
      ####<Mar 5, 2010 3:33:33 PM SGT> <Info> <Security> <SGBLM010> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267774413500> <BEA-090663> <The DeployableRoleMapper "com.bea.security.providers.authorization.asi.RoleProviderStub" implements the deprecated DeployableRoleProvider interface.>
      ####<Mar 5, 2010 3:33:33 PM SGT> <Info> <Security> <SGBLM010> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267774413531> <BEA-090662> <The DeployableAuthorizer "com.bea.security.providers.authorization.asi.AuthorizationProviderStub" implements the deprecated DeployableAuthorizationProvider interface.>
      ####<Mar 5, 2010 3:33:33 PM SGT> <Info> <Security> <SGBLM010> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267774413796> <BEA-090093> <No pre-WLS 8.1 Keystore providers are configured for server AdminServer for security realm wls.>
      ####<Mar 5, 2010 3:33:33 PM SGT> <Notice> <Security> <SGBLM010> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267774413796> <BEA-090082> <Security initializing using security realm wls.>
      ####<Mar 5, 2010 3:33:34 PM SGT> <Critical> <Security> <SGBLM010> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267774414234> <BEA-090404> <User weblogic is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.>
      ####<Mar 5, 2010 3:33:34 PM SGT> <Critical> <WebLogicServer> <SGBLM010> <AdminServer> <main> <<WLS Kernel>> <> <> <1267774414234> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: User weblogic is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.
      weblogic.security.SecurityInitializationException: User weblogic is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.
           at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(Unknown Source)
           at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
           at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
           at weblogic.security.SecurityService.start(SecurityService.java:141)
           at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
           at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
           at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
      >
      ####<Mar 5, 2010 3:33:34 PM SGT> <Notice> <WebLogicServer> <SGBLM010> <AdminServer> <main> <<WLS Kernel>> <> <> <1267774414328> <BEA-000365> <Server state changed to FAILED>
      ####<Mar 5, 2010 3:33:34 PM SGT> <Error> <WebLogicServer> <SGBLM010> <AdminServer> <main> <<WLS Kernel>> <> <> <1267774414328> <BEA-000383> <A critical service failed. The server will shut itself down>
      ####<Mar 5, 2010 3:33:34 PM SGT> <Notice> <WebLogicServer> <SGBLM010> <AdminServer> <main> <<WLS Kernel>> <> <> <1267774414328> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
      ####<Mar 5, 2010 3:33:34 PM SGT> <Info> <WebLogicServer> <SGBLM010> <AdminServer> <main> <<WLS Kernel>> <> <> <1267774414359> <BEA-000236> <Stopping execute threads.>

      also, i just noticed that when staring OES admin server i get the following from the logs:
      system_console.log:
      2010-03-05 15:19:04,218 [JettySSLListener1-1] ERROR com.wles.soap.BLM.BlmBindingImpl - getUndistributedAttributeChanges has not been implemented properly.
      2010-03-05 15:27:17,656 [Thread-31] WARN com.bea.security.ssl.axis.AxisClientSocketFactory - Error during SSL handshake; host: SGBLM010, port: 8,000.
      2010-03-05 15:27:17,687 [Thread-31] ERROR com.bea.security.pdws.Distributor - unable to bind unbound arme
      Communication Error:; nested exception is:
           javax.net.ssl.SSLHandshakeException: Error during SSL handshake; host: SGBLM010, port: 8,000.
      2010-03-05 15:27:17,687 [Thread-31] ERROR com.bea.security.pdws.ARMEGroup - arme group '//bind/wls' error report, policyno = 52:
      2010-03-05 15:27:17,687 [Thread-31] ERROR com.bea.security.pdws.ARMEGroup - arme 'asi.null.ARME.wls_ssm.asi.SGBLM010':
      2010-03-05 15:27:33,015 [Thread-32] WARN com.bea.security.ssl.axis.AxisClientSocketFactory - Error during SSL handshake; host: SGBLM010, port: 8,000.
      2010-03-05 15:27:33,015 [Thread-32] ERROR com.bea.security.pdws.Distributor - unable to bind unbound arme
      Communication Error:; nested exception is:
           javax.net.ssl.SSLHandshakeException: Error during SSL handshake; host: SGBLM010, port: 8,000.

      WLESWebLogic.wrapper.log:
      INFO | jvm 1 | 2010/03/05 15:27:17 | Processing AxisFault, cause: javax.net.ssl.SSLHandshakeException: Error during SSL handshake; host: SGBLM010, port: 8,000.
      INFO | jvm 1 | 2010/03/05 15:27:17 | Re-throwing the fault...
      INFO | jvm 1 | 2010/03/05 15:27:18 | error.jsp: Client has closed the connection, error not reported to client.
      INFO | jvm 1 | 2010/03/05 15:27:18 | error.jsp: The exception is: com.bea.wles.management.console.utils.NestedJspException: Connection reset by peer: socket write error
      INFO | jvm 1 | 2010/03/05 15:27:33 | Processing AxisFault, cause: javax.net.ssl.SSLHandshakeException: Error during SSL handshake; host: SGBLM010, port: 8,000.
      INFO | jvm 1 | 2010/03/05 15:27:33 | Re-throwing the fault...

      although, it seems that the OES admin server is up since i am able to access the OES admin console.

      i have tried playing around the policies to grant the "weblogic" the priviliges for an Admin but is still get the same issue. Although, when i try to distribute the changes in the policy, "ASI ( Policy for entire Oracle Entitlements Server system ) " still appears in the list of changes.

      any thoughts on what the problem is? is there a way to force the distribution of the policy? maybe through the command prompt or other console?

      Edited by: user9056644 on Mar 5, 2010 12:02 AM
        • 1. Re: User weblogic is not permitted to boot the server
          Matt Carter-Oracle
          Have you applied CP2 or CP3 to OES? There were enhancements that allows these policies to be scoped within an organization. I only ask to help guide you on distributing policies for the runtime WLS domain. The ASI domain is only for the admin. There should have been a set of resources and policies created as a result of running ConfigTool for your new instance (looks like you named it 'wls'). If no CP, it will be in DefaultApp next to ASI.

          You have to distribute policies for 'wls' immediately following running ConfigTool before starting WebLogic or you will put it into a state where it can't be started. The corrective action is to remove the state.ck file under C:\BEA_HOME_10/ales32-ssm/wls-ssm/instance/wls_ssm/work/runtime, distribute policies, restart WebLogic.

          If you need to re-run ConfigTool (after installing CP for instance), revert the following files:

          <domain>/config/config.xml
          <domain>/bin/startWebLogic.sh | .cmd

          Revert from the no-ales backups created. Remove the instance folder under C:\BEA_HOME_10\ales32-ssm/wls-ssm/instance. You can then re-run ConfigTool if you have to.
          • 2. Re: User weblogic is not permitted to boot the server
            758136
            hi matt,

            thanks for your response..

            i tried applying CP3, and the patch ran successfully. but now, the OES admin console shows a "Error 404--Not Found" error. But when i go to the Entitlements Administration application, the login page shows up and i am able to login. i haven't ran yet the config tool since i think there has been a problem.

            would you know what might have gone wrong? is there a way to somehow revert the installation of CP3?

            btw, i installed OES on weblogic 10.0

            Edited by: user9056644 on Mar 8, 2010 3:12 AM
            • 3. Re: User weblogic is not permitted to boot the server
              Matt Carter-Oracle
              To revert a CP install, run 'ApplyAdminPatch downgrade'. Did you shutdown all services before installing the patch?

              You can access the WebLogic console and check the status of the deployments. I can't imagine why the /asi application would have problems.
              1 person found this helpful
              • 4. Re: User weblogic is not permitted to boot the server
                758136
                the 'ApplyAdminPatch downgrade' worked and i am able to login to the OES admin console again.

                but now i am back to my original issue which is i am not able to start my weblogic domain which is integrated to my OES wls-ssm instance.

                after running the configtool, how can i verify that the policies were created in OES? in my weblogic domain, i see that the config.xml has been modified. But in OES admin console, i didnt see new policies, so i created some of them myself and tried to distribute. this is the time where i noticed that after distributing, a couple of items were still left in the list of changes. so i thought that it might be related to the distribution of the policies. any advice?
                • 5. Re: User weblogic is not permitted to boot the server
                  727826
                  Go to Bea-Home/Ales32-admin/work/runtime

                  and delete the state.chk file and restart ur admin server. by doing this Admin server will get the new policies wherein you have given access to user "weblogic".

                  Thanks

                  Edited by: user12057577 on Apr 19, 2010 3:00 AM