WebLogic Domain Trust problem

probing domain trust issues
Problem description
The two-way communication between two WebLogic Server domains produces a security exception.

Note: Examples of exceptions can be found in this article.

Quick Links
Why you need to build trust between WLS domains.
How to build trust between WLS 7.0 and 8.1 domains.
How to build trust between the WLS 6.x and 8.1 (or 7.0) domains.
What is the default trust relationship between two WLS 6.x domains?
What is the default trust relationship between WLS 7.0 and/or 8.1 domains?
What is the default trust relationship between the WLS 6.x and 8.1 (or 7.0) domains?
Troubleshooting

Why you need to build trust between WLS domains.
During two-way communication between two WebLogic Server domains, the caller identity (or kernel identity) propagates from one domain to the other. Because the principal has already been validated in the calling domain, there is no need to verify the principal's identity again in the second domain (server). For this to work, trust must be established between the two domains. Examples that require trust between domains include EJB and JMS calls from one server to another, and propagation of a servlet run-as or EJB run-as identity principal from one server to another. This is a requirement for interoperability between two domains. If there is no requirement to propagate transaction context between the two domains, there is no need to establish trust between them.


How to build trust between WLS 7.0 and 8.1 domains.
Use the WebLogic Server Management console to set domain trust as described below. Change the domain credential for the two domains that communicate with each other, following the documentation for the version of WLS you use:

WLS 8.1 - http://e-docs.bea.com/wls/docs81/secmanage/domain.html#1171534
WLS 7.0 - http://e-docs.bea.com/wls/docs70/secmanage/domain.html#1171534

After you change the domain credential, restart the Management Server, and then start all managed servers.


How to build trust between the WLS 6.x and 8.1 (or 7.0) domains.
6.x does not currently define a domain credential in the way that 7.0 and 8.1 do. You can establish trust between 6.x and 7.0 (or 8.1) by setting the 7.0 or 8.1 domain credential (as specified above) to the system user password of the 6.x domain.


What is the default trust relationship between two WLS 6.x domains?
If the system user has a different password in the two domains, the two 6.x domains cannot trust each other.


What is the default trust relationship between WLS 7.0 and/or 8.1 domains?
If you start a WebLogic Management Server in a 7.0 or 8.1 domain with the default settings, the Management Server generates a unique domain credential for the entire domain, so two different domains cannot trust each other.


What is the default trust relationship between the WLS 6.x and 8.1 (or 7.0) domains?
The unique (random) domain credential generated by the Management Server in the 8.1 (or 7.0) domain does not match the system user password in 6.x, so the domains cannot trust each other.


Troubleshooting

If you have not established trust between the listed domains, the following problems may occur.

Problem-Between 6.x and 8.1 domains

6.x Server

<Mar 3:02:04 PM EST> <Warning> <Dispatcher> <RuntimeException thrown by rmi server: 'weblogic.rmi.cluster.ReplicaAwareServerRef@9 - jvmid: '-3417175156082478004s:10.40.4.32:[8001,8001,8002,8002,8001,8002,-1]:mydomain:myserver', oid: '9', implementation: 'weblogic.jndi.internal.RootNamingNode@98540'
java.lang.SecurityException: Authentication for user system denied in realm wl_realm
    at weblogic.security.acl.Realm.authenticate(Realm.java:212)
    at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
    at weblogic.security.acl.internal.Security.authenticate(Security.java:171)
    at weblogic.security.acl.internal.Security.verify(Security.java:95)
    at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:292)
    at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:22)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:140)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:121)

8.1 Server
java.lang.SecurityException: Authentication for user system denied in realm wl_realm

Start server side stack trace:
java.lang.SecurityException: Authentication for user system denied in realm wl_realm
    at weblogic.security.acl.Realm.authenticate(Realm.java:212)
    at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
    at weblogic.security.acl.internal.Security.authenticate(Security.java:171)
    at weblogic.security.acl.internal.Security.verify(Security.java:95)
    at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:292)
    at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:22)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:140)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:121)
End server side stack trace

    at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
    at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:284)
    at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:244)
    at weblogic.jndi.internal.ServerNamingNode_811_WLStub.lookup(Unknown Source)
    at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:338)
    at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:333)
    at weblogic.management.ManagedServerLocator.discoverManagedServer(ManagedServerLocator.java:219)
    at weblogic.management.ManagedServerLocator.discoverAllKnownServers(ManagedServerLocator.java:130)
    at weblogic.management.AdminServerAdmin.discoverManagedServers(AdminServerAdmin.java:527)
    at weblogic.management.AdminServerAdmin.finishPostListen(AdminServerAdmin.java:473)
    at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:1041)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:359)
    at weblogic.Server.main(Server.java:32)

Solutions
Ensure that the domain credential of the 8.1 server is the same as the system user password in the 6.1 server.

Problem-Between 8.1 domains
Client (server performing lookup)

java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]
    at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
    at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:284)
    at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:244)
    at weblogic.jndi.internal.ServerNamingNode_812_WLStub.lookup(Unknown Source)
    at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:343)
    at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:336)
    at javax.naming.InitialContext.lookup(InitialContext.java:347)
    at bea.SourceServlet.m1(SourceServlet.java:50)
    at bea.SourceServlet.doGet(SourceServlet.java:26)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:971)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:400)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6350)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3635)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2585)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)

Server-side
<Warning> <RMI> <BEA-080003> <RuntimeException thrown by rmi server: weblogic.jndi.internal.AdminRoleBasedDispatchServerRef@9 - hostID: '3994477043249316298s:10.40.4.32:[6151,6151,-1,-1,6151,-1,-1,0,0]:491171:myserver', oid: '9', implementation: 'weblogic.jndi.internal.RootNamingNode@d22462'
java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators].
java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]
    at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:682)
    at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:182)
    at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:825)
    at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:300)
    at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:923)
    at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:844)
    at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:222)
    at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:794)
    at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMConnection.java:570)
    at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:105)
    at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)

Solutions


Make sure that the domain credential for two 8.1 domains is the same.

Problem-Error during lookup of managed server
Management Server
<Mar, 4:41:56 PM EST> <Error> <Management> <BEA-141135> <The managed Server Discovery Service could not be started on the admin server. weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[], on ResourceType: ServerRuntime Action: execute, Target: reconnectToAdminServer
    at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
    at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:138)
    at weblogic.management.internal.RemoteMBeanServerImpl_812_WLStub.invoke(Unknown Source)
    at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:946)
    at weblogic.management.internal.MBeanProxy.invokeForCachingStub(MBeanProxy.java:481)
    at weblogic.management.runtime.ServerRuntimeMBean_Stub.reconnectToAdminServer(ServerRuntimeMBean_Stub.java:1359)
    at weblogic.management.ManagedServerLocator.discoverManagedServer(ManagedServerLocator.java:260)
    at weblogic.management.ManagedServerLocator.discoverAllKnownServers(ManagedServerLocator.java:130)
    at weblogic.management.AdminServerAdmin.discoverManagedServers(AdminServerAdmin.java:527)
    at weblogic.management.AdminServerAdmin.finishPostListen(AdminServerAdmin.java:473)
    at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:1041)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:359)
    at weblogic.Server.main(Server.java:32)
Caused by: weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[], on ResourceType: ServerRuntime Action: execute, Target: reconnectToAdminServer

Managed server
<Mar 4:41:56 PM EST> <Error> <Security> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
<Mar 4:41:56 PM EST> <Warning> <RMI> <BEA-080003> <RuntimeException thrown by rmi server: weblogic.management.internal.RemoteMBeanServerImpl.invoke(Ljavax.management.ObjectName;Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String;)
weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[], on ResourceType: ServerRuntime Action: execute, Target: reconnectToAdminServer.
weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[], on ResourceType: ServerRuntime Action: execute, Target: reconnectToAdminServer
    at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.wlsRun(SecurityHelper.java:564)
    at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.run(SecurityHelper.java:456)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
    at weblogic.management.internal.SecurityHelper.isAccessAllowed(SecurityHelper.java:350)
    at weblogic.management.internal.RemoteMBeanServerImpl.private_invoke(RemoteMBeanServerImpl.java:946)
    at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:908)
    at weblogic.management.internal.RemoteMBeanServerImpl_WLSkel.invoke(Unknown Source)
    at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:477)
    at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:420)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:353)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:144)
    at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:415)
    at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:30)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)

Solutions


This problem occurs if you use the administrative console to change the domain credential and then restart the Management Server without shutting down the managed server. Because the managed server was not restarted, it still holds the old domain credential cached in memory, which does not match the new domain credential of the Management Server.

When you change the domain credential, shut down the managed server and then the Management Server. After both are shut down, start the Management Server and then start the managed server.
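
The three problems in this troubleshooting section can be told apart from the log text alone. The following Python code is an added example, not part of the original BEA document: it scans server log text for the exception messages quoted above, maps each to the matching fix, and records which principals were rejected. The signature labels, the triage function and the sample lines are constructed for illustration.

```python
import re

# Signatures come from the log excerpts on this page; the advice strings
# paraphrase the page's "Solutions" entries. Labels are made up for this example.
SIGNATURES = [
    ("6.x to 7.0/8.1 credential mismatch",
     re.compile(r"Authentication for user system denied in realm", re.I),
     "Set the 7.0/8.1 domain credential equal to the 6.x system user password."),
    ("7.0/8.1 domain credential mismatch",
     re.compile(r"\[Security:090398\]\s*Invalid Subject", re.I),
     "Set the same domain credential in both domains."),
    ("managed server holds stale credential",
     re.compile(r"BEA-090513|NoAccessRuntimeException.*principals=\[\]", re.I),
     "Shut down the managed servers and the Management Server, then start "
     "the Management Server before the managed servers."),
]
PRINCIPALS = re.compile(r"principals=\[([^\]]*)\]", re.I)

def triage(log_text):
    """Return {label: {"hits", "principals", "advice"}} for each matched signature."""
    findings = {}
    for line in log_text.splitlines():
        for label, pattern, advice in SIGNATURES:
            if not pattern.search(line):
                continue
            entry = findings.setdefault(
                label, {"hits": 0, "principals": set(), "advice": advice})
            entry["hits"] += 1
            # Record the identities the remote domain refused to accept.
            match = PRINCIPALS.search(line)
            if match:
                entry["principals"].update(
                    p.strip() for p in match.group(1).split(",") if p.strip())
    return findings

# Constructed sample, condensed from the excerpts on this page.
SAMPLE = """\
java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]
    at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:682)
<Error> <Security> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[], on ResourceType: ServerRuntime
"""

if __name__ == "__main__":
    for label, entry in triage(SAMPLE).items():
        print(f"{label}: {entry['hits']} hit(s), principals={sorted(entry['principals'])}")
        print(f"  -> {entry['advice']}")
```

An empty principal list together with BEA-090513 indicates the caller was downgraded to anonymous, which is the stale-credential case rather than a mismatch between two domains.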




If you need more help.
If you already understand this pattern but still need additional help, you can:
Query AskBEA on http://support.bea.com/ (for example, using "domain trust") to find other published solutions.
Ask a more specific question in one of BEA's newsgroups on http://support.bea.com/.
If this does not solve your problem and you have a valid technical support contract, you can open a support case by logging on to the following Web site: http://support.bea.com/.
