oracle / weblogic-azure

This project offers support for running Oracle WebLogic Server in the Azure Virtual Machines and Azure Kubernetes Service (AKS)
Universal Permissive License v1.0

WebLogic Server 12c - Authentication Denied #201

Open gwbatte opened 1 year ago

gwbatte commented 1 year ago

Successfully deployed WebLogic Admin Server in AKS using WKO 3.4.3 and image

After deployment, I can successfully log in using the weblogic account using the Default Authenticator. After a period of time (within hours), I am no longer able to authenticate using the weblogic account. This has happened multiple times after multiple deployments.

[2022-09-01T14:40:10.158+00:00] [AdminServer] [NOTIFICATION] [] [oracle.wsm.agent.handler.jaxrs.RESTJeeResourceFilter] [tid: [ACTIVE].ExecuteThread: '84' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: weblogic] [ecid: 4a29cc16-2426-4992-b4ce-349e05e80104-00000477,0] [APP: wls-management-services] [partition-name: DOMAIN] [tenant-name: GLOBAL] ProcessResponse is set to false

galiacheng commented 1 year ago

Hey @gwbatte, it seems you are not using the Azure Marketplace offer to deploy WLS on AKS. Were you following the WLS on AKS samples? If not, could you share your steps for reproducing this issue? It'll be more helpful for diagnosis if you share the configuration files. Thank you!

gwbatte commented 1 year ago

Hi @galiacheng, thank you for your reply. I have yet to try the Azure Marketplace offer. I have been following the WLS on AKS samples. Please see the attached steps I have followed: steps.txt

galiacheng commented 1 year ago

Thanks for the steps @gwbatte, they are very helpful to understand the issue. I'm hoping you can help with the following questions:

  1. Are you able to run WLS and OIG successfully on VM?

  2. Are you using the same value for WLS admin account password and RCU Schema sys password? I would suggest you use the same value for them. There is a related issue: https://support.oracle.com/knowledge/Middleware/2213930_1.html

  3. Could you share WLS operator logs and WLS logs?

    You can get the operator logs with command:

    # get the operator pod
    kubectl get pod -n opns
    kubectl logs -n opns <operator-pod-name-from-above-input>
    # get admin server log
    kubectl get pod -n oigns
    kubectl logs -n oigns <admin-server-pod-name-from-above-input>

edburns commented 1 year ago

How, if at all, is this related to #156?

galiacheng commented 1 year ago

> How, if at all, is this related to #156?

I guessed so Ed, from the steps @gwbatte shared in https://github.com/oracle/weblogic-azure/issues/201#issuecomment-1250969182.

gwbatte commented 1 year ago

> Thanks for the steps @gwbatte, they are very helpful to understand the issue. I'm hoping you can help with the following questions:
>
> 1. Are you able to run WLS and OIG successfully on VM?
>
> 2. Are you using the same value for WLS admin account password and RCU Schema sys password? I would suggest you use the same value for them. There is a related issue: https://support.oracle.com/knowledge/Middleware/2213930_1.html
>
> 3. Could you share WLS operator logs and WLS logs?
>    You can get the operator logs with command:
>    ```
>    # get the operator pod
>    kubectl get pod -n opns
>    kubectl logs -n opns <operator-pod-name-from-above-input>
>    ```
>
>    ```
>    # get admin server log
>    kubectl get pod -n oigns
>    kubectl logs -n oigns <admin-server-pod-name-from-above-input>
>    ```

> Are you using the same value for WLS admin account password and RCU Schema sys password? I would suggest you use the same value for them. There is a related issue: https://support.oracle.com/knowledge/Middleware/2213930_1.html

I will redeploy to use the same value for both the WLS admin account and RCU Schema. I will let you know how that goes. Cheers Geoff

gwbatte commented 1 year ago

Please see attached output

WLS admin account password and RCU Schema sys password set to same value. Same issue.

governancedomain-adminserver.txt weblogic-operator-sample.txt

cheers Geoff

galiacheng commented 1 year ago

Hello @gwbatte, thanks for the logs. I didn't see a related error in the logs. We've consulted the WebLogic team; they recommended enabling DebugSecurityAtn for more logs.

Steps to enable DebugSecurityAtn:

image

We've invited OIG experts to help you. Could you please join this Slack channel? You can ping me (Haixia Cheng) or Edward Burns there; then we will create a private channel and invite the expert to the channel.

edburns commented 1 year ago

Hello @gwbatte, in the spirit of issue-tracker hygiene, we would like to resolve this issue. If we don't hear anything from you by the end of October 2022, we'll close this issue. You're welcome to open another one or re-open this one if desired.

gwbatte commented 1 year ago

Please don't close. I am working on getting the Debug enabled.

gwbatte commented 1 year ago

Please see attached log with DebugSecurityAtn enabled. "Authentication Denied" with weblogic user.

governancedomain-adminserver.log

galiacheng commented 1 year ago

We can close this issue, as there is a private Slack channel for it. @sanjaymantoor