
Oracle Entitlement Server PD Client

March 30, 2012

Enrollment Issue

I spent a couple of hours working on a problem that prevented some of our WLSM instances from firing up correctly. The issue originated from a NullPointerException in PDClient. PDClient is required for WLSM instances running in controlled (pull/push) mode. The NPE looked something like this:

<Mar 28, 2012 3:26:10 PM GMT+10:00> <Error> <HTTP> <BEA-101216> <Servlet: "PDClientServiceServlethttp" failed to preload on startup in Web application : "pd-client.war".
javax.xml.ws.WebServiceException: java.lang.NullPointerException
    at weblogic.wsee.jaxws.WLSInstanceResolver.getSingleton(WLSInstanceResolver.java:36)
    at weblogic.wsee.jaxws.WLSInstanceResolver.start(WLSInstanceResolver.java:55)
Caused By: java.lang.NullPointerException
    at oracle.security.jps.soap.pd.client.PDClient.<init>(PDClient.java:46)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
Truncated. see log file for complete stacktrace

In short, although the trace is not very telling, if you encounter this error it is most likely due to an incomplete (immature) enrolment of the SM instance.

For server-based SMs (e.g. WebLogic, WebSphere, and JBoss), OESSM also creates a config inside the server's smconfig folder, in addition to the original one under $OES_CLIENT_HOME/oes_sm_instances.

For WLSM, the configuration is under the WLS_DOMAIN/config/oeswlssmconfig folder. The JPS configuration in this folder is almost independent (see jps-config.xml) but has a small link back to the original config for the enrolment wallet. See:

<serviceInstance location="/oracle/Middleware/oes_client/oes_sm_instances/<SM name>/config/enroll" provider="credstoressp" name="credstore.enroll"/>

If the enrolment of the SM has failed, the cwallet.sso will still be there, but in an incomplete state that prevents the PDClient from starting up correctly.

How to check if the wallet is correct?

The OES server comes with orapki, a handy tool to inspect cwallet files. You can find it under $ORACLE_MIDDLEWARE_HOME/oracle_common/bin/

Here is how to display the contents of a binary wallet file:

/oracle/Middleware/oracle_common/bin/orapki  wallet display -wallet <cwallet.sso>

For a correctly enrolled file, the contents include two user certificate entries for Oracle Secret Store.

-bash-3.00$ /oracle/Middleware/oracle_common/bin/orapki  wallet display -wallet ../../<SM Name>/config/enroll/cwallet.sso
Oracle PKI Tool : Version 11.1.1.5.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Oracle Secret Store entries:
OES_SYMMETRIC_KEY_MAP@#3#@OES_IV_PARAMETER_alias
OES_SYMMETRIC_KEY_MAP@#3#@OES_SYMMETRIC_KEY_alias
Trusted Certificates:
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

While an immature one lacks these two:

-bash-3.00$ /oracle/Middleware/oracle_common/bin/orapki  wallet display -wallet ../../<SM name>/config/enroll/cwallet.sso
Oracle PKI Tool : Version 11.1.1.5.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
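To turn the comparison above into a pre-start check, here is an added example (not from the original post) that parses `orapki wallet display` output and reports whether both Oracle Secret Store entries are present. The orapki path and wallet directory are assumed to be supplied by the caller; the two sample outputs are constructed to mirror the listings above.

```shell
#!/bin/sh
# Added example, not part of the original post.
# A wallet counts as enrolled only if both OES secret-store entries are present.

# wallet_enrolled TEXT -> 0 if TEXT (orapki display output) has both entries, else 1
wallet_enrolled() {
    printf '%s\n' "$1" | grep -qF 'OES_SYMMETRIC_KEY_MAP@#3#@OES_SYMMETRIC_KEY_alias' &&
    printf '%s\n' "$1" | grep -qF 'OES_SYMMETRIC_KEY_MAP@#3#@OES_IV_PARAMETER_alias'
}

# check_wallet ORAPKI WALLET_DIR -> runs orapki and checks its output
# (assumed paths: /oracle/Middleware/oracle_common/bin/orapki and the SM's config/enroll dir)
# returns 2 if orapki itself fails, 1 if the wallet is immature, 0 if complete
check_wallet() {
    out=$("$1" wallet display -wallet "$2" 2>&1) || return 2
    wallet_enrolled "$out"
}

# Constructed sample outputs mirroring the post's two listings.
GOOD_OUTPUT='Oracle PKI Tool : Version 11.1.1.5.0
Requested Certificates:
User Certificates:
Oracle Secret Store entries:
OES_SYMMETRIC_KEY_MAP@#3#@OES_IV_PARAMETER_alias
OES_SYMMETRIC_KEY_MAP@#3#@OES_SYMMETRIC_KEY_alias
Trusted Certificates:
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US'

BAD_OUTPUT='Oracle PKI Tool : Version 11.1.1.5.0
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US'

# Self-check on the constructed samples when run directly.
if wallet_enrolled "$GOOD_OUTPUT"; then echo "sample 1: enrolled"; fi
if wallet_enrolled "$BAD_OUTPUT"; then :; else echo "sample 2: immature, re-enrol before starting WLSM"; fi
```

In practice call `check_wallet /oracle/Middleware/oracle_common/bin/orapki <SM dir>/config/enroll` from the WLSM start script and abort on a non-zero return.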

How to (re-)enrol an SM?

There are a couple of scripts generated by the OESSM tool to initialize the key and perform enrolment (under the bin folder of the SM instance), but here is my approach:

# prepare WLST env
. /oracle/Middleware/wlserver_10.3/server/bin/setWLSEnv.sh

# prepare OES env
. /oracle/Middleware/oes_client/oes_sm_instances/<name>/bin/setOesEnv.sh

# initialize the enrolment for the SM instance (oes-client.jar and weblogic.jar on the classpath)
java -cp /oracle/Middleware/oes_client/modules/oracle.oes.sm_11.1.1/oes-client.jar:/oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar \
-Doracle.security.jps.config=<sm instance folder>/jps-config.xml \
-Doracle.security.oes.tools.KeyStorePassword=<passwd> oracle.security.oes.tools.SMConfigTool \
-initEnrollment -smConfigId <instance_name> -prpFileName smconfig.wls.prp \
-port <WLSM HTTP Port> -sslport <WLSM HTTPS Port> -serverLocation /oracle/Middleware/wlserver_10.3 \
-wlsPassword <weblogic password> -domainLocation /oracle/Middleware/user_projects/domains/<WLSM domain name>

PS1: InitEnrolment is the only step required for controlled-pull SMs, because they talk directly to the Policy Store DB. Controlled-push SMs need an extra DoEnrolment step (see config.sh).

PS2: Try to use JDK 1.6.26 or later.


From → java, OES
