Friday, November 30, 2012

JPS-02592: Failed to push ldap config data to libOvd for service instance "idstore.ldap" in JPS context "default"

Today I ran into JPS-02592 and was not able to bring up my server instance. Here is the message:

####<Nov 29, 2012 7:49:25 PM PST> <Error> <Security> <myserver.xxx.com> <SalesServer_1> <[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1354247365330> <BEA-090892> <The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-02592: Failed to push ldap config data to libOvd for service instance "idstore.ldap" in JPS context "default", cause: oracle.xml.parser.v2.XMLParseException: Element 'root' not expected.>

How Did I Debug It?


First, I located the jps-config.xml in my environment. When the server instance is launched, it refers to the following security configuration file:

  • -Doracle.security.jps.config=/u01/rup1/instance/domains/myserver.xxx.com/CRMDomain/config/fmwconfig/jps-config.xml

I looked inside the file. Nothing was obvious. The line below:

  • oracle.xml.parser.v2.XMLParseException: Element 'root' not expected.>

seems to suggest that the document may have failed schema validation. However, that is not the main cause. I experimented with several things. For example, I renamed the jps-config.xml file and restarted the instance. The error then showed that the file was missing, which suggests that the system did reference that file for security policy providers. Another thing I tried was to comment out the following element in that file:
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
  <property name="username.attr" value="uid"/>
  <property name="PROPERTY_ATTRIBUTE_MAPPING" value="PREFERRED_LANGUAGE=orclfalanguage"/>
  <extendedProperty>
    <name>group.create.bases</name>
    <values>
      <value>cn=DataRoleGroups,cn=FusionGroups,cn=Groups,dc=us,dc=oracle,dc=com</value>
    </values>
  </extendedProperty>
</serviceInstance>

Now the system complained that the "idstore.ldap" instance could not be found. This confirms that "idstore.ldap" is indeed used and required.

Final Solution


Puzzled by what happened, I then found this forum thread [2]. I decided to follow the instructions and give it a try. Fortunately, that resolved my issue.

Here are my steps:
  1. Rename $DOMAIN_HOME/config/fmwconfig/ovd/default/adapters.os_xml to be adapters.os_xml.backup
  2. Copy adapters.os_xml from $MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/templates/ to $DOMAIN_HOME/config/fmwconfig/ovd/default/
  3. Restart my server instance

At the beginning, adapters.os_xml is just an empty template:
  <?xml version="1.0" encoding="UTF-8"?>
  <adapters schvers="303" version="0"
          xmlns="http://www.octetstring.com/schemas/Adapters"
          xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
  </adapters>

After my server instance started, the file was filled with new information. When I diffed the backup file against the newly touched file, the differences were:


$ diff adapters.os_xml.backup adapters.os_xml
33c33,35
<       <default/>
---
>          <default>
>             <plugin name="UserManagement"/>
>          </default>
83d84
<       <root>dc=us,dc=oracle,dc=com</root>
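
The first two steps listed above as a shell function, added here as an example and not part of the original post: it checks that both files exist before moving anything, never overwrites an earlier backup, and restores the original if the copy fails. The function name `reset_ovd_adapters` and the timestamped backup suffix are assumptions; the paths are the ones given in the steps.

```shell
# Added example: steps 1 and 2 from the post as one guarded function.
# reset_ovd_adapters and the timestamped backup suffix are assumptions.
reset_ovd_adapters() {
    local domain_home="$1" mw_home="$2"
    local target="$domain_home/config/fmwconfig/ovd/default/adapters.os_xml"
    local template="$mw_home/oracle_common/modules/oracle.ovd_11.1.1/templates/adapters.os_xml"
    local backup="$target.backup"

    # Change nothing unless both files are where the post says they are.
    [ -f "$target" ]   || { echo "missing: $target" >&2; return 2; }
    [ -f "$template" ] || { echo "missing: $template" >&2; return 3; }

    # The template should be an <adapters> document, not an unrelated file.
    grep -q '<adapters ' "$template" ||
        { echo "not an adapters template: $template" >&2; return 4; }

    # Step 1: rename the current file without clobbering an earlier backup.
    if [ -e "$backup" ]; then
        backup="$target.backup.$(date +%Y%m%d%H%M%S)"
    fi
    [ ! -e "$backup" ] || { echo "backup exists: $backup" >&2; return 5; }
    mv "$target" "$backup" || return 6

    # Step 2: copy the template in; if that fails, put the original back.
    if ! cp "$template" "$target"; then
        mv "$backup" "$target"
        return 7
    fi

    # Print the backup path so it can be diffed after the restart (step 3).
    echo "$backup"
}

# Usage: sh reset_adapters.sh "$DOMAIN_HOME" "$MW_HOME"
if [ "$#" -eq 2 ]; then
    reset_ovd_adapters "$1" "$2"
fi
```

The printed backup path is the file to compare against the regenerated adapters.os_xml once the server instance has been restarted.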


Warning


As I run my Fusion Applications as benchmarks only, I'm happy if the server instance can start. In your case, however, you may want to contact Oracle's support team about any security issues.

References

  1. Configuring the Identity Store Service
  2. Problem getting started weblogic server (for BI Publisher)


10 comments:

Kim_Burns said...

Informative! I like this wonderful blog so much, my expert keyword research teammates like this so much.

Stanley Guan said...

Thanks for the kind words! Glad to hear that it has been useful to you.

Giacomo Lacava said...

I've just fixed an EPM environment that had this exact problem, you saved my skin there :)

The bad side of a common Fusion architecture across all products is that problems like these affect all products. The good side is that you can share solutions across different product communities.

amit dewangan said...

Thanks a lot for your solution. It's really helpful :)

amit dewangan said...

Thanks a lot for your solution :):)

Himanshu Kandwal said...

Thanks a lot man !!
Worked like magic..

Adrian said...

Thanks for the post. Google search for the error and this was the third hit but the simplest fix.

Ahmad Zyoud said...

Thanks a lot

Supakit Sakdikul said...

It works for me. Thanks a lot. :)

Miroslav Krsmanovic said...

It helped me. Thank you

Miroslav