Application Server Agent for WebLogic - User weblogic is not permitted to boot the server

Article ID: 137055


Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

The application was inaccessible and gave the error below during the WebLogic admin server restart.


<Aug 24, 2019 8:46:10 AM EDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>

<Aug 24, 2019 8:46:10 AM EDT> <Critical> <Security> <BEA-090404> <User weblogic is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.>

<Aug 24, 2019 8:46:10 AM EDT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: User weblogic is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions. 


Later, after the Apache restart, the application became accessible, and the application support team was able to perform the WebLogic admin restart.


Can you please provide us with the root cause of the issue?

Environment

Release : 12.7

Component : SITEMINDER -WEB AGENT FOR APACHE

Cause

"boot" is an action in WebLogic that requires authentication/authorization.

Resolution

The "boot" action requires authentication. If SiteMinder is not configured with a user "weblogic" and the proper Realms, Rules and Policies to allow that user to "boot" the WebLogic Server, the request needs to pass to the WebLogic Default Authentication Provider. Here, the SiteMinder Authentication Provider was configured before the WebLogic Default Authentication Provider, and its Control Flag was set to a value that did not allow the request to pass to the WebLogic Default Authentication Provider to authenticate user weblogic for the "boot" action.

 

Modifying the WebLogic Authentication Provider Execution Order and/or Control Flag settings to ensure that a request to boot the Server is handled by the WebLogic Default Authentication Provider resolves this issue.
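
The effect of execution order and Control Flag on the boot user, as an added example that is not from the original article or the product's code: it models the standard JAAS control-flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) that WebLogic authentication providers follow. The provider name SiteMinderAuthenticator and both user stores are constructed, and the article does not say which flag value was actually set.

```python
# Added example: JAAS control-flag evaluation over an ordered provider list.
# Provider names and user stores below are constructed for illustration.
SITEMINDER_USERS = {"alice"}      # constructed: no "weblogic" user in SiteMinder
DEFAULT_USERS = {"weblogic"}      # constructed: boot user known only to the default provider


def authenticate(providers, user):
    """providers: ordered (name, flag, known_users) tuples -> (ok, trace)."""
    must_pass = any(f in ("REQUIRED", "REQUISITE") for _, f, _ in providers)
    must_pass_failed = False
    any_success = False
    trace = []  # (provider, succeeded) for every provider actually consulted
    for name, flag, known_users in providers:
        ok = user in known_users
        trace.append((name, ok))
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            must_pass_failed = True
            if flag == "REQUISITE":
                break  # failure returns at once; later providers never run
        elif flag == "SUFFICIENT" and ok and not must_pass_failed:
            return True, trace  # success returns at once
    if must_pass_failed:
        return False, trace
    # With no REQUIRED/REQUISITE provider, at least one provider must succeed.
    return (must_pass or any_success), trace


def boot_check(siteminder_flag, default_flag, siteminder_first=True):
    """Can user 'weblogic' boot with this provider order and these flags?"""
    chain = [("SiteMinderAuthenticator", siteminder_flag, SITEMINDER_USERS),
             ("DefaultAuthenticator", default_flag, DEFAULT_USERS)]
    if not siteminder_first:
        chain.reverse()
    return authenticate(chain, "weblogic")


if __name__ == "__main__":
    for sm, df in [("REQUIRED", "REQUIRED"), ("REQUISITE", "REQUIRED"),
                   ("SUFFICIENT", "SUFFICIENT"), ("OPTIONAL", "REQUIRED")]:
        ok, trace = boot_check(sm, df)
        print(f"SiteMinder={sm:<10} Default={df:<10} boot={ok} consulted={trace}")
```

In this model, reordering alone does not help while the SiteMinder provider stays REQUIRED: the boot user still fails a provider that must succeed.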

 

Please refer to the R12 SP2 Application Server Agent for WebLogic Guide:

 

https://ftpdocs.broadcom.com/cadocs/0/CA%20SiteMinder%20Agent%20for%20WebLogic%20r12%20SP2-ENU/Bookshelf_Files/PDF/SMWebLogicAgent_conf_enu.pdf

 

Agent Guide › Configure the SiteMinder Authentication Provider › Configure the SiteMinder Authentication Provider in WebLogic › Determine How Users Are Authenticated › Configure the Execution Order

Agent Guide › Configure the SiteMinder Authentication Provider › Configure the SiteMinder Authentication Provider in WebLogic › Determine How Users Are Authenticated › Set the Control Flag