Policy-Related Scripts Oracle Fusion Middleware Online Documentation Library

Oracle Fusion Middleware Application Security Guide

L Troubleshooting Security in Oracle Fusion Middleware

This appendix describes common problems that you may encounter when configuring and using Oracle Enterprise Manager Fusion Middleware security, and explains how to solve them. It contains the following sections:

■ Diagnosing Security Errors
■ Reassociation Failure
■ Server Fails to Start
■ Failure to Grant or Revoke Permissions - Case Mismatch
■ Failure to Connect to an LDAP Server
■ Failure to Connect to the Embedded LDAP Authenticator
■ User and Role API Failure
■ Failure to Access Data in the Credential Store
■ Failure to Establish an Anonymous SSL Connection
■ Authorization Check Failure
■ User Gets Unexpected Permissions
■ Security Access Control Exception
■ Permission Check Failure
■ Policy Migration Failure
■ Characters in Policies
■ Granting Permissions in Java SE Applications
■ Troubleshooting Oracle Business Intelligence Reporting
■ Search Failure when Matching Attribute in Policy Store
■ Search Failure with an Unknown Host Exception
■ Incompatible Versions of Binaries and Policy Store
■ Need Further Help?

L.1 Diagnosing Security Errors

This section describes the tools available to diagnose and solve a variety of security errors. It contains the following sections:

■ Log Files and OPSS Loggers
■ System Properties
■ Solving Security Errors

The logging support with Fusion Middleware Control is explicitly stated whenever the tool can help manage, isolate, or interpret faults when they occur.

L.1.1 Log Files and OPSS Loggers

This section describes the various log files and OPSS loggers supported by Oracle WebLogic Server and how to configure, set logger levels, and locate and view log files with Fusion Middleware Control, in the following sections:

■ Diagnostic Log Files
■ Generic Log Files
■ Authorization Loggers
■ Other OPSS Loggers
■ Audit Loggers
■ Managing Loggers with Fusion Middleware Control

L.1.1.1 Diagnostic Log Files

Each server instance in a domain writes all OPSS-based exceptions raised by its subsystems and applications to a server log file in the file system of the local host computer. By default, this log file is located in the logs directory below the server instance root directory. The names of these log files have the following format: ServerName-diagnostic.logxxxxx, where xxxxx denotes an integer between 1 and 99999.

Here are some examples of diagnostic file full names:

DomainName/servers/AdminServer/logs/AdminServer-diagnostic.log00001 (administration server log)
DomainName/servers/soa/logs/soa-diagnostic.log00013 (managed server log)

All server instances output security-related errors to diagnostic files. Server-related security errors, such as exceptions raised by issues with a subject or principal, and errors that may occur while migrating or reassociating domain security data, get written in the administration server diagnostic log. Application-related security errors, such as exceptions raised by application-specific policies or credentials, get written in the corresponding managed server diagnostic log.

L.1.1.2 Generic Log Files

In addition to diagnostic log files, Oracle WebLogic Server supports other log files for each server in a domain and for each domain in a topology. By default and similar to diagnostic log files, server log files are located in the logs directory below the server instance root directory. Domain log files are located in the logs directory below the administration server root directory.
The names of these log files have the format ServerName.logxxxxx and domain.logxxxxx, where xxxxx denotes an integer between 1 and 99999.
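
The following is an added example, not part of the Oracle documentation or any Oracle tool: a small Python inventory of the log files described above, which a responder can use to decide which file to open for a given security error. It assumes the default layout DomainName/servers/ServerName/logs and an administration server named AdminServer (as in the example paths); the function names classify and find_logs are hypothetical.

```python
import re
from pathlib import Path

# Naming formats from the text; the suffix is an integer between 1 and 99999.
PATTERNS = (
    ("diagnostic", re.compile(r"(?P<server>.+)-diagnostic\.log(?P<seq>\d{1,5})")),
    ("domain", re.compile(r"domain\.log(?P<seq>\d{1,5})")),
    ("server", re.compile(r"(?P<server>.+)\.log(?P<seq>\d{1,5})")),
)

def classify(path, admin_server="AdminServer"):
    """Describe one log file, or return None if it does not fit the layout."""
    path = Path(path)
    logs_dir = path.parent
    # Assumed default layout: <domain>/servers/<ServerName>/logs/<file>
    if logs_dir.name != "logs" or logs_dir.parent.parent.name != "servers":
        return None
    owner = logs_dir.parent.name
    for kind, rx in PATTERNS:
        m = rx.fullmatch(path.name)
        if m is None:
            continue
        seq = int(m.group("seq"))
        if not 1 <= seq <= 99999:
            return None  # e.g. a 00000 suffix is outside the stated range
        if kind == "domain":
            if owner != admin_server:
                return None  # domain logs live under the administration server
        elif m.group("server") != owner:
            return None  # file name must carry the owning server's name
        info = {"server": owner, "kind": kind, "seq": seq, "path": str(path)}
        if kind == "diagnostic":
            # Which class of security error the text says is written here.
            info["holds"] = ("server-related security errors"
                             if owner == admin_server
                             else "application-related security errors")
        return info
    return None

def find_logs(domain_root, admin_server="AdminServer"):
    """List recognised logs under a domain, ordered by server, kind, sequence."""
    found = []
    for p in Path(domain_root).glob("servers/*/logs/*"):
        info = classify(p, admin_server) if p.is_file() else None
        if info:
            found.append(info)
    return sorted(found, key=lambda i: (i["server"], i["kind"], i["seq"]))
```
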