Thursday 11 July 2013

SOA Identity Service's dependency on WLS Embedded LDAP

PROBLEM STATEMENT:
------------------
Configured a SOA managed server that relies on the embedded LDAP.
When the managed server starts without the admin server running (MSI mode),
there is an exception in the log showing an attempt to connect to the admin server's
internal LDAP instead of using the LDAP of the current managed server.
This problem prevents the customer from using WLS in Managed Server
Independence (MSI) mode, making the admin server a single point of failure.

The exception reported in this case is:
Caused By: oracle.security.jps.service.idstore.IdentityStoreException:
JPS-01520: Cannot initialize identity store, cause:
oracle.security.idm.ConfigurationException:
javax.naming.CommunicationException: {host}:7001 [Root exception is
java.net.ConnectException: Connection refused].
at oracle.security.jps.internal.idstore.util.IdentityStoreUtil.getIdentityStoreFactory(IdentityStoreUtil.java:172)
at oracle.security.jps.internal.idstore.AbstractIdmIdentityStore.getIdmFactory(AbstractIdmIdentityStore.java:273)

where 7001 is the AdminServer port.

EXPLANATION:
-----------
The exhibited behavior is expected and is not a product defect.
When using embedded LDAP, the Admin Server must be up and running for
SOA's authorization and look-up services to work.
This issue has already been dealt with in
The Admin Server must be up for the user/role APIs to work; hence, in MSI
mode the embedded LDAP cannot be accessed.
The same information is also available in note:
Can not Login to BPMWorkspace application when the admin server is down [ID
1362545.1]

NOTE:
-----
If customers want SOA to work in MSI mode, they should set up an
external LDAP server and not rely on the embedded LDAP.

DETAILED UPDATE:
----------------
When a managed server is started in MSI mode, the embedded LDAP files are
copied over from the Admin Server to the managed server; the managed server
uses this local copy for authentication.
[
This is why authentication still works in SOA in spite of the Admin
Server being down; this can be confirmed by accessing
http://{host}:{port}/soa-infra
]
However, following authentication, some SOA applications also perform
authorization and look-up (BPM, Worklist application, etc.).
The authorization/look-up functionality of SOA requires access to the LDAP server.
Since the embedded LDAP server is hosted on the Admin Server, the Admin Server needs
to be up and running for authorization to work.
In general terms: the LDAP server (embedded or external) must be
reachable from the SOA server for it to authorize users, groups, roles, etc.
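As an added example (not part of the original post or of any Oracle tooling), the following script triages managed-server logs for the JPS-01520 failure described above: it pulls out the LDAP endpoint the identity store tried to reach and flags any whose port is the Admin Server port, which in MSI mode means the server is pointed at the Admin Server's embedded LDAP. The sample log text, the hostname, the IPv6 address and the default port of 7001 are constructed or taken from the post; nothing else is assumed.

```python
import re

# Constructed sample log text modelled on the two JPS-01520 exceptions quoted in
# the post; the hostname and IPv6 address are placeholders, not real systems.
SAMPLE_LOG = """\
<15 Feb, 2014 5:16:59 PM IST> <Info> Starting managed server in MSI mode
Caused By: oracle.security.jps.service.idstore.IdentityStoreException: JPS-01520: Cannot initialize identity store, cause: oracle.security.idm.ConfigurationException: javax.naming.CommunicationException: soahost.example.com:7001 [Root exception is java.net.ConnectException: Connection refused].
oracle.security.jps.service.idstore.IdentityStoreException: JPS-01520: Cannot initialize identity store, cause: oracle.security.idm.ConfigurationException: javax.naming.CommunicationException: 2001:db8::1:7001 [Root exception is java.net.SocketException: Software caused connection abort: connect].
"""

# JPS-01520, then the LDAP endpoint the identity store tried to reach, then the
# nested root exception in square brackets.
_JPS_01520 = re.compile(
    r"JPS-01520:.*?CommunicationException:\s*(?P<endpoint>\S+)\s*"
    r"\[Root exception is (?P<cause>[^\]]+)\]"
)

def split_endpoint(endpoint):
    """Split 'host:port' on the LAST colon, so an unbracketed IPv6 address such
    as 2001:db8::1:7001 (see the comment on the post) yields the right port."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def find_identity_store_failures(log_text, admin_port=7001):
    """One finding per JPS-01520 line. If the endpoint port is the Admin Server
    port (7001 in the post), the managed server is trying to use the embedded
    LDAP hosted on the Admin Server, which MSI mode cannot reach while the
    Admin Server is down; the post's remedy is an external LDAP store."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = _JPS_01520.search(line)
        if not match:
            continue
        host, port = split_endpoint(match.group("endpoint"))
        on_admin = port == admin_port
        findings.append({
            "line": line_no, "host": host, "port": port,
            "cause": match.group("cause").strip(),
            "points_at_admin_server": on_admin,
            "advice": ("identity store targets the Admin Server's embedded LDAP; "
                       "configure an external LDAP for MSI mode") if on_admin
                      else "LDAP endpoint unreachable; check the LDAP host itself",
        })
    return findings

if __name__ == "__main__":
    for f in find_identity_store_failures(SAMPLE_LOG):
        print(f"line {f['line']}: {f['host']}:{f['port']} -> {f['advice']}")
```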

1 comment:

  1. Hi,

    I am trying to install the fusion order demo example (FusionOrderDemo_R1PS2) on my local SOA setup. While running an ant task seedDemoUsers to add a user, I am facing the error below. Can you please help on this?

    Initializing input xml file...
    XMLSeedSourceReader.XMLSeedSourceReader() : IN
    XMLSeedSourceReader.init() : IN
    XMLSeedSourceReader.init() : File being used for seeding : default-demo-community.xml
    Connecting to ldap server...
    <15 Feb, 2014 5:16:59 PM IST>
    oracle.security.jps.service.idstore.IdentityStoreException: JPS-01520: Cannot initialize identity store, cause: oracle.security.idm.ConfigurationException: javax.naming.CommunicationException: 2001:0:9d38:6ab8:2c68:1e8:98e5:1cf0:7001 [Root exception is java.net.SocketException: Software caused connection abort: connect].
    at oracle.security.jps.internal.idstore.util.IdentityStoreUtil.getIdentityStoreFactory(IdentityStoreUtil.java:189)
