oracle/weblogic-azure

WebLogic Server 12c - Authentication Denied

gwbatte opened this issue · 12 comments

Successfully deployed WebLogic Admin Server in AKS using WKO 3.4.3 and image

After deployment, I can successfully log in using the weblogic account using the Default Authenticator. After a period of time (within hours), I am no longer able to authenticate using the weblogic account. This has happened multiple times after multiple deployments.

[2022-09-01T14:40:10.158+00:00] [AdminServer] [NOTIFICATION] [] [oracle.wsm.agent.handler.jaxrs.RESTJeeResourceFilter] [tid: [ACTIVE].ExecuteThread: '84' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: weblogic] [ecid: 4a29cc16-2426-4992-b4ce-349e05e80104-00000477,0] [APP: wls-management-services] [partition-name: DOMAIN] [tenant-name: GLOBAL] ProcessResponse is set to false

Hey @gwbatte, it seems you are not using the Azure Marketplace offer to deploy WLS on AKS. Were you following the WLS on AKS samples? If not, could you share your steps for reproducing this issue? It'll be more helpful for diagnosis if you share the configuration files. Thank you!

Hi @galiacheng, thank you for your reply. I have yet to try the Azure Marketplace offer. I have been following the WLS on AKS samples. Please see the attached steps I have followed.
steps.txt

Thanks for the steps @gwbatte, they are very helpful to understand the issue. I'm hoping you can help with the following questions:

  1. Are you able to run WLS and OIG successfully on a VM?

  2. Are you using the same value for the WLS admin account password and the RCU Schema sys password? I would suggest you use the same value for them. There is a related issue: https://support.oracle.com/knowledge/Middleware/2213930_1.html


  3. Could you share WLS operator logs and WLS logs?

    You can get the operator logs with these commands:

    # get the operator pod
    kubectl get pod -n opns
    kubectl logs -n opns <operator-pod-name-from-above-input>

    # get admin server log
    kubectl get pod -n oigns
    kubectl logs -n oigns <admin-server-pod-name-from-above-input>

How, if at all, is this related to #156?

> How, if at all, is this related to #156?

I guessed so, Ed, from the steps @gwbatte shared in #201 (comment).

> Are you using the same value for WLS admin account password and RCU Schema sys password? I would suggest you to use the same value for them. There is a related issue: https://support.oracle.com/knowledge/Middleware/2213930_1.html

I will redeploy to use the same value for both the WLS admin account and RCU Schema. I will let you know how that goes.
Cheers
Geoff

Please see attached output

WLS admin account password and RCU Schema sys password set to same value. Same issue.

governancedomain-adminserver.txt
weblogic-operator-sample.txt

cheers
Geoff

Hello @gwbatte, thanks for the logs. I didn't see any related error in the logs. We've consulted the WebLogic team; they recommended enabling DebugSecurityAtn for more logs.

Steps to enable DebugSecurityAtn:

  • Log in to the admin console portal
  • Select Environment -> Servers -> select admin server -> select Debug -> expand weblogic -> select security -> select atn -> check DebugSecurityAtn -> click Enable -> click Activate Changes
  • Enable DebugSecurityAtn for all the managed servers following the same approach.
  • Then, reproduce the issue
  • Collect logs from the operator, admin server and managed servers


We've invited OIG experts to help you. Could you please join this Slack channel? You can ping me Haixia Cheng or Edward Burns there, then we will create a private channel and invite the expert to the channel.
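
The collection step in the comment above, as an added shell example that is not part of the original thread or the project's code: it pulls logs from every pod in the two namespaces named earlier (`opns`, `oigns`) into owner-only files and lists the files that contain the "Authentication Denied" message. The function names, the `KUBECTL` override, the output directory and the assumption that the message appears verbatim in a server log are all choices of this sketch.

```shell
#!/usr/bin/env bash
# Added example: gather operator and domain pod logs after reproducing the
# failure with DebugSecurityAtn enabled, then find files mentioning the denial.
# Namespaces opns/oigns come from the thread; everything else is assumed.

KUBECTL="${KUBECTL:-kubectl}"   # overridable, e.g. to dry-run with a stub

collect_ns_logs() {
    # $1 = namespace, $2 = output directory
    local ns="$1" out="$2" pod name
    # Authentication debug logs name accounts, so keep them owner-only.
    ( umask 077; mkdir -p "$out/$ns" ) || return 1
    "$KUBECTL" get pod -n "$ns" -o name | while read -r pod; do
        name="${pod#pod/}"              # "pod/foo" -> "foo"
        ( umask 077
          "$KUBECTL" logs -n "$ns" "$name" --timestamps > "$out/$ns/$name.log" ) \
            || echo "warn: could not read logs for $ns/$name" >&2
    done
}

files_with_denials() {
    # $1 = directory of collected logs; prints matching files, sorted.
    # The search string is the message quoted in the thread (assumed to
    # appear verbatim in at least one server log).
    grep -rl "Authentication Denied" "$1" 2>/dev/null | sort
}

collect_all() {
    # $1 = output directory (default ./wls-logs, an assumed name)
    local out="${1:-./wls-logs}"
    collect_ns_logs opns "$out" && collect_ns_logs oigns "$out"
    files_with_denials "$out"
}
```

Run `collect_all ./wls-logs` right after a failed login so the denial falls inside the retained pod log window.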

Hello @gwbatte, in the spirit of issue-tracker hygiene, we would like to resolve this issue. If we don't hear anything from you by the end of October 2022, we'll close this issue. You're welcome to open another one or re-open this one if desired.

Please don't close. I am working on getting the Debug enabled.

Please see attached log with DebugSecurityAtn enabled. "Authentication Denied" with weblogic user
governancedomain-adminserver.log

We can close this issue, as there is a private Slack channel for it. @sanjaymantoor