Troubleshooting Entitlements in WebLogic Portal
Applies to:
Oracle WebLogic Portal - Version: 9.2.0 to 10.3.0 - Release: Weblogic Platform to AS10gR3
Information in this document applies to any platform.
Troubleshooting Entitlements, WLP
Purpose
* Causes of Entitlement problems
o Resetting DB without resetting LDAP
o Resetting LDAP without resetting DB
o Updates without running Admin server
o LDAP replication errors
* Symptoms of Entitlement problems
o Missing Roles
o Missing Entitlements
o Entitlements not properly granting access
o PAT errors when viewing or editing Entitlements
* How to get from Symptom to Cause
o Enable Debug output
o Policy Checker tool
o LDAP Browser tool
* How to resolve cause
o Backup to clean state
o Reset LDAP and DB
Last Review Date
March 1, 2010
Instructions for the Reader
A Troubleshooting Guide is provided to assist in debugging a specific issue. When possible, diagnostic tools are included in the document to assist in troubleshooting.
Troubleshooting Details
Introduction:
As covered in Entitlement Internals Note 1068721.1, entitlements define access privileges to Portal resources, which comprised of roles, role policies, security policies. It is stored in both database tables and LDAP. Please note that this has been redesigned for WLP 10.3.2 where all policies and roles haven been completely moved to the database.
Causes to Entitlement Problems
* Resetting the database
o Resetting the database tables or changing to a new database schema without also resetting the internal embedded LDAP store
* Resetting LDAP
o Resetting the internal LDAP store without also resetting the database tables
* Updates while Admin Server is not running
o Updating Entitlement or Delegated Administration (DA) data via the Portal Admin Tool (PAT) without a running Admin Server
o Propagation without a running Admin Server
o Other scenarios like deleting Role when Admin Server down results in LDAP and DB out of sync issue. It is dealt as part of an unpublished bug 8114402.
* WLS/WLP LDAP replication errors
o In a cluster, each server has its own embedded LDAP store. These LDAP instances can get out of sync with each other and with the DB.
o As part of an unpublished bug 8092191, it was found that managed server update fails resulting in LDAP out-of-sync with Admin LDAP and DB
* Other Bugs
o Unpublished bug 8135022 - Long description for Role causes loss of Role in database, which caused LDAP and DB out-of-sync.
o Unpublished bug 8115204 - Race condition when creating Roles leads to LDAP out-of-sync with database.
Symptoms of Entitlement problems
* Missing roles seen in PAT at Visitor Entitlements tab
* Missing entitlements for resources - seen in PAT at a resource's Entitlements tab
* Entitlements not properly granting access
* NullPointerException when viewing roles
o PAT display error when viewing a Role's Details tab
* Error when editing entitlements
o "Error: Could not remove policy" when editing entitlement capabilities
* Error creating entitlement -
o "Error: Could not create policy" when adding role at Entitlements tab
Symptom to Cause
* Enable debug output
* Policy Checker tool
* LDAP Browser tool
Debug Output:
You can enable debug output to display additional information about security policy processing to troubleshoot the entitlement related issues. You need to enable debug output for WLP Entitlement classes 'com.bea.p13n.entitlements' package. It produces additional output in the log that can be helpful for diagnosing Entitlement behavior.
Please refer the documentation link on how to enable debug output. In your directory, create a text file called 'debug.properties', add the name of class(es) and/or package(s) followed by ': on'. When using package names, ensure you use the option 'usePackageNames: on'
For example, to enable Debug for WLP Entitlements' package add the following two lines in your 'debug.properties' file and restart the server.
usePackageNames: on
com.bea.p13n.entitlements: on
Note that not all debug output is useful or desirable. You can minimize clutter by enabling debug for a specific class (or classes) in the com.bea.p13n .entitlements package. One useful class is 'com.bea.p13n.entitlements.Authorization', which handles security policy checking via its isAccessAllowed() method. Enable debug on a specific class by editing debug.properties and adding the class name, for example 'com.bea.p13n.entitlements.Authorization: on' instead of enabling debug for the entire package.
Please avoid adding the entire package for entitlement like 'com.bea.p13n.entitlements: on'.
The sample debug output:
[com.bea.p13n.entitlements.management.internal.SecurityHelper.getAuthenticatedSubject():290] return auth subject:principals=[weblogic, Administrators]
All Debug lines start with the fully qualified name of the WebLogic class that produced the output including the specific line number within the class. The information following the brackets is the output produced by the debug statement in the code.
Policy Checker tool:
Policy checker tool is WLP supported utility used to verify that LDAP and DB data are in sync or not. It is a JSP file, which performs the following checks, and prints a report of all roles and security policies. It also flags any discrepancy between LDAP and DB data.
* Lookup Visitor Roles, Role Policies, and Security Policies in LDAP and verify corresponding policies in database
* Lookup Visitor Roles, Role Policies, and Security Policies in database and verify corresponding policies in LDAP
* Also checks DA roles and policies
To run the Policy Checker Tool
* Please download the policy cheker tool and unzip it.
* Edit webApp/jsp/PolicyChecker.jsp
o Update the app name and webapp name to point to your application and web application
+ At Line 9 --> appName="portalApp"; //change value to app to check
+ At Line 10 --> webName="groupspace"; // change value to webapp to check
* Save the PolicyCheckerApp as a Web Application Archive (.war) file
* Deploy the PolicyCheckerApp via the WLS console or weblogic.Deployer
* Run the tool by accessing PolicyChecker.jsp
o Eg. http://localhost:7001/webApp/jsp/PolicyChecker.jsp
Tip: If deploying or running PolicyChecker has any issues, you may need to change the p13n_app.jar bundled with the policychecker.zip with the version of your WebLogic Portal. As well refer the instructions mentioned in the PolicyChecker.jsp file.
The screen shows the first of eight checks performed by the Policy Checker tool. This check has identified and reported on all the Roles in LDAP, their scope, and whether corresponding policy refs exist in the DB.
Below screen shows an example of errors found. As part of the check 5, the tool has identified and reported on the security policies found in the database.
Note that the Policy Status column shows 'No LDAP Security Policy found' indicating that the corresponding policy data is missing from LDAP. This error condition was generated by resetting the LDAP without resetting the DB.
LDAP Browser
You can use any external LDAP browser to browse the LDAP data. The prerequisite for using embedded LDAP via any external LDAP is to set a password for the embedded LDAP via the WLS console.
* In the WLS console, navigate to Domain -> Security -> Embedded LDAP.
* Edit the Credential field
* Set a new password
* Restart the server
The sample connection details for LDAP server
* Set Host to your server's host name (e.g., localhost)
* Set Port to your server's port number (e.g., 7001)
* Set Base DN to the name of your domain prefixed by dc=, for example 'dc=mydomain'
* The domain name is in the domain's config.xml in the element
* Uncheck the Anonymous Bind checkbox
* Set User DN to 'cn=Admin'
* Set Password to the password you set for the embedded LDAP via the WLS console
* Click Connect
If You are successfully connected LDAP browser user interface will show WLP embedded LDAP server as shown in the screen.
Reading LDAP
WLP security data is stored in the XACMLRole and XACMLAuthorization trees
Sample XACMLRole entry
urn@Lbea@Lxacml@L2.0@Lentitlement@Lrole1@Lrole@Ltype@AE@AFwlp@AG@AM@AOEntApp@AEportalApp@
AM@AOWebapp@AEwebApp@AM@AOResource@AEcom_bea_p13n_role_policy_pool@AM@AOCapability@AE
com_bea_p13n_appl_role_policy_pool
com_bea_p13n_admin_role_policy_pool
com_bea_p13n_role_policy_pool
com_bea_p13n_role_segment_pool
Sample XACMLAuthorization
AE@AFwlp@AG@AM@AOEntApp@AEportalApp@AM@AOWebapp@AEwebApp@AM@AOResource@
AEcom_bea_p13n@ARPortlet@ARindex_1@AM@AOCapability@AEview
* Viewing the XACML Document:
o function:string-is-in">role1
How to resolve:
1) WebLogic Portal does not have a good official story for recovering from out-of-sync conditions. WebLogic Portal's official advice is to restore the latest clean database and LDAP backup then recreate any necessary Entitlement data. It is also encouraged to backup database and LDAP early and often.
Tip: backup your LDAP and DB before attempting to modify the records.
2) On the other hand, if you have a Propagation Inventory backup to restore the LDAP data, you can use it to restore synchronization between LDAP and DB. To do this, you need to first reset the LDAP and DB to a new clean state following the steps, then reimport the Inventory. Upon import, the Entitlement data from the inventory is recreated in LDAP and database.
1. To fully reset LDAP to a clean state, delete the embedded LDAP files
* Delete /servers/AdminServer/data/ldap
* Upon server restart, the LDAP store will be recreated
2. To fully reset the DB to a clean state, use create_db.sh/cmd
3. To run create_db.sh/cmd,edit /database.properties
* Change the DB vendor as required like 'database=oracle'
* Change the connection properties for your database
* oracle.user=myuser
* oracle.password=mypassword
* oracle.url=jdbc:bea:oracle://myhost:1521;SID=mysid
4. Execute /create_db.sh (or create_db.cmd)
5. create_db.sh/cmd reruns the SQL scripts that create the WLP database tables and system data. This includes dropping any existing tables and data. The result is a database that is in the same condition as a new domain after creation with config wiz.
3) It is also possible to clean up the DB and/or LDAP by deleting individual records, which takes more research and potentially trial and error. But this approach is not supported.
Weblogic Portal 权限问题的解决
应用于:
Oracle Weblogic Protal – 版本9.2.0到10.3.0 – 发行:Weblogic平台AS10gR3
这个文件的信息使用于任何平台。
引起权限问题的原因:
·重设了DB但没有重设LDAP
·重设了LDAP但没有重设DB
·在没有运行管理服务器的情况下升级
·LDAP复制错误
权限问题的现象
·角色丢失
·权限丢失
·没有正确的授权
·当查看和编辑的时候PAT错误。
怎么从现象中找到问题的原因
·使用调试输出
·方案检查工具
·LDAP浏览过工具
怎样解决问题
·通过备份来整理状态
·重置LDAP和DB
上次回顾时间
2010-03-01
阅读说明
问题解决向导提供对特殊问题调试的帮助。诊断工具可能被用到来协助解决这个文档中的问题。
问题解决细节
介绍:
就像在笔记1068721.1中说的那样,权限和特权在门户资源中的定义非常接近,包括角色,角色方案,安全方案。他们既存储在数据库的表中也在LDAP中。请注意这个在WLP10.3.2中被重新设计,所有的方案和角色都被完全的移动到数据库中。
引起权限问题的原因
*重新设置了数据库
重新设置了数据库的表或者迁移到一个新的数据库框架但是没有重新设置内部的LDAP存储。
*重新设置了LDAP
重新设置了内部的LDAP存储但没有重新设置数据表。
*在没有启动管理服务器的情况下升级
·在没有启动管理服务器的情况下通过门户管理工具升级权限或者委托管理数据。
·在没有启动管理服务器的情况下进行传播
·其他的像在启动管理服务器没有开的情况下,删除角色导致LDAP和数据库中不同步的问题。它被认为是一个没有发布的漏洞8114402.
*WLS/WLP LDAP复制错误
·在一个集群中,每个服务器都用它自己的LDAP存储。这些LDAP实例可以彼此之间不同步,也不和数据库之间同步。
·作为一个没有发布的漏洞8092191,这个漏洞是被管服务器升级失败导致LDAP与管理服务器的LDAP和数据库不同步。
*其他漏洞
·没有发布的漏洞8135022 – 长的角色描述引起角色在数据库中丢失,引起LDAP和和数据库不同步。
·没有发布的漏洞8115204 – 在创建角色时空的条件导致LDAP和数据库不同步。
权限问题的现象
*在PAT中看见角色丢失。
*丢失对某些资源的权限 – 在资源权限表中通过PAT查看。
*没有被授予正确的权限。
*当查看角色的时候出现空指针异常。
o PAT在角色细节表中列出了错误。
*当编辑权限时出现错误
o "Error: Could not remove policy"当编辑权限时,报这样的错误。
o 当在权限表中增加角色时报"Error: Could not create policy"
从现象找到原因
*使用调试输出
*使用方案检查工具
*使用LDAP 浏览工具
调试输出:
你可以启动调试输出来显示安全方案处理的附加信息来解决权限的相关问题。你需要使用com.bea.p13n.entitlements包中相关WLP权限的类来使用调试输出。它会在日志中增加额外的输出来帮助诊断权限行为。
请查阅相关资料来了解调试输出原理。在你的目录中,创建一个文本文件叫做’debug.properties’,用’: on’来增加类或者包的名字。当使用包的名字的时候,确保你使用了’usePackageNames:on’选项。
例如,为WLP权限的包增加调试需要在你的’debug.properties’文件中增加下面两行内容并重新启动服务器。
usePackageNames: on
com.bea.p13n.entitlements: on
注意并不是所用的调试输出是有用的或者是想要的。你可以启动一个或几个需要的类在com.bea.p13n.entitlements包中来减小输出。一个有用的类’com.bea.p13n.entitlements.Authorization’可以处理安全方案的检查通过它的isAccessAllowed()方法。启动对一个类的调试需要在debug.properties中增加类的名称,例如:
'com.bea.p13n.entitlements.Authorization: on'来代替对整个包启动调试。
请避免为权限增加整个包像'com.bea.p13n.entitlements: on'。
输入结果例子如下:
[com.bea.p13n.entitlements.management.internal.SecurityHelper.getAuthenticatedSubject():290] return auth subject:principals=[weblogic, Administrators]
所有的调试行都是以weblogic类的全名开头,产生的输出包括在类中的行号。括号中的信息是代码中的调试声明的输出信息。
方案检查工具
方案检查工具是WLP支持的用来检验LDAP和DB数据之间是否同步的工具。它是一个JSP文件,它包括如下几项的检查并且为所有的角色和安全方案打印一个报告。它也标识着LDAP和DB数据之间的差异。
*在LDAP中查找访问的角色,角色方案,安全方案和在数据库中校验相应的方案。
*在数据库中查找访问的角色,角色方案,安全方案和在LDAP中校验相应的方案。
*也检查DA角色和方案
运行方案检查工具
*下载方案检查工具并解压它。
*编辑webApp/jsp/PolicyChecker.jsp这个文件。
o 修改应用的名字和网络应用的名字来指向自己的应用和网络应用。
+第九行 -->appName=”portalApp”//改变要检查的应用的名字
+第十行 àwebName=”groupspace”;//改变要检查的网络应用的名字。
*将PolicyCheckerApp保存为一个.war文件。
*部署PolicyCheckerApp
*运行PolickChecker.jsp这个文件。
o 例如:http://localhost:7001/webApp/jsp/PolicyChecker.jsp
要点:如果部署或者运行PolicyChecker出现问题,你可以改变policychecker.zip中的p13n_app.jar文件与你的weblogic Portal相适应的版本。这也在PolicyChecker.jsp文件中有说明。
屏幕上显示了方案检查工具的八分之一的检查项目。这个检查确认并且报告LDAP上的所有角色,它们的范围,以及是否在数据库中存在相应的方案裁判。
下一屏显示的是发现错误的一个例子。作为检查5的一部分,这个工具检查并且报告在数据库中发现的安全方案。
注意在方案状态列显示为'No LDAP Security Policy found'说明在LDAP中相应的方案数据已经丢失。这个错误一般是由于重置了LDAP但没有重置DB造成的。
LDAP浏览器
你可以使用任何外部的LDAP浏览器来浏览LDAP数据。使用嵌入LDAP的首要条件就是通过控制台为嵌入LDAP设置密码。
*进入WLS控制台,定位到Domain ->Security -> Embedded LDAP
*编辑新人域(Credential field)
*设置一个新密码
*重新启动服务器
一个LDAP服务器连接细节的实例
*为你的主机设置服务器主机名(像localhost)
*为服务器端口设置端口号(7001)
*为你的域代理设置名字以dc=开头,例如:’dc=mydomain’
*域的名字在域的config.xml文件中。
*不要勾选匿名绑定复选框
*设置用户DN为’cn=Admin’
*设置密码为你为嵌入LDAP设置的密码
*点击连接(Connect)
如果你成功连接到LDAP浏览器用户接口,将会在你的屏幕上显示WLP嵌入LDAP服务器。
解读LDAP
WLP安全数据存储在XACMLRole和XACMLAuthorization树中。
XACMLRole实例
urn@Lbea@Lxacml@L2.0@Lentitlement@Lrole1@Lrole@Ltype@AE@AFwlp@AG@AM@AOEntApp@AEportalApp@
AM@AOWebapp@AEwebApp@AM@AOResource@AEcom_bea_p13n_role_policy_pool@AM@AOCapability@AE
com_bea_p13n_appl_role_policy_pool
com_bea_p13n_admin_role_policy_pool
com_bea_p13n_role_policy_pool
com_bea_p13n_role_segment_pool
XACMLAuthorization实例
AE@AFwlp@AG@AM@AOEntApp@AEportalApp@AM@AOWebapp@AEwebApp@AM@AOResource@
AEcom_bea_p13n@ARPortlet@ARindex_1@AM@AOCapability@AEview
* Viewing the XACML Document:
o function:string-is-in">role1
怎样解决
1) Weblog Portal没有一个从不同步中恢复的好的,正式的实例。Weblogic Portal的官方建议是恢复到最近的正常的数据库并且备份LDAP,使得一些必须的权限数据得到保存。官方同时建议尽早的和经常的备份数据库和LDAP。
要点:在试图更改数据之前先备份数据库和LDAP。
2) 另一方面,如果你有传播的详细目录备份来恢复LDAP数据,你可以使用它来恢复LDAP和DB之间的同步问题。这样做,你首先需要按照下面的步骤将LDAP和DB重新设置在一个没有问题的环境,然后重新引入详细目录。在引入之前,详细目录的权限数据要在LDAP和数据库中重建。
1. 完全的重新设置LDAP到一个地方,首先删除嵌入LDAP文件。
*删除/servers/AdminServer/data/ldap
*重启之前,LDAP存储先要重建。
2. 使用use create_db.sh/cmd
3. 运行create_db.sh/cmd,编辑/database.properties文件
*改变数据库所有者例如’database=oracle’
* oracle.user=myuser
* oracle.password=mypassword
* oracle.url=jdbc:bea:oracle://myhost:1521;SID=mysid
4. 执行/create_db.sh (或者 create_db.cmd)
5. create_db.sh/cmd返回一个创建WLP数据库表和系统数据的SQL脚本。它包括删除确认的表和数据。结果是在新的域中创建了一个相同的数据库。
3) 它也有可能清理掉DB和LDAP中单独的记录,这需要更多的调查和反复的实验,但是现在还不支持。