oracle.security.am.engines.authz.AuthorizationException: OAMSSA-14003: Policy runtime failed.

Use case

Trying to configure or register an OAM Agent with WebGate.
Resource: http://globalworld.com:8888/HelloWorld/welcome.jsp is protected using OAM and WebGate.
globalworld.com is configured as the virtual host name in the httpd.conf file on the OHS instance where WebGate is configured.
The hostname of the machine where OHS is installed is ohshost.demo.com.

Trying to access the resource: http://globalworld.com:8888/welcome.jsp
Error on browser:
404 – Page Not Found.

 

Error:

Error message in oam_server1-diagnostic.log without any debug enabled

[2015-08-03T01:50:00.682-07:00] [oam_server1] [WARNING] [OAM-02073] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 00576H1GNhaESOw5GFh8if00006700000H,1:30899] [APP: oam_server#11.1.2.0.0] Error while checking if the resource is protected or not.


Error message in oam_server1-diagnostic.log with TRACE:1 enabled for the logging component oracle.oam.controller from the EM Console:

[2015-08-03T01:50:00.682-07:00] [oam_server1] [WARNING] [OAM-02073] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 00576H1GNhaESOw5GFh8if00006700000H,1:30899] [APP: oam_server#11.1.2.0.0] Error while checking if the resource is protected or not.

[2015-08-03T01:50:00.682-07:00] [oam_server1] [TRACE] [OAM-02073] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 00576H1GNhaESOw5GFh8if00006700000H,1:30899] [APP: oam_server#11.1.2.0.0] [SRC_CLASS: oracle.security.am.engines.enginecontroller.AuthzEngineController] [SRC_METHOD: checkProtected] Error while checking if the resource is protected or not.[[
oracle.security.am.engines.authz.AuthorizationException: OAMSSA-14003: Policy runtime failed.
    at oracle.security.am.engines.authz.AuthorizationEngine.isResourceProtected(AuthorizationEngine.java:231)
    at oracle.security.am.engines.enginecontroller.AuthzEngineController.checkProtected(AuthzEngineController.java:722)
    at oracle.security.am.engines.enginecontroller.AuthzEngineController.processEvent(AuthzEngineController.java:226)
    at oracle.security.am.controller.MasterController.processEvent(MasterController.java:596)
    at oracle.security.am.controller.MasterController.processRequest(MasterController.java:788)
    at oracle.security.am.proxy.oam.requesthandler.NGProvider.checkProtected(NGProvider.java:4806)
    at oracle.security.am.proxy.oam.requesthandler.NGProvider.getIsRescProtectedResponse(NGProvider.java:1481)
    at oracle.security.am.proxy.oam.requesthandler.NGProvider.getResponse(NGProvider.java:385)
    at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleRequest(RequestHandler.java:366)
    at oracle.security.am.proxy.oam.requesthandler.RequestHandler.handleMessage(RequestHandler.java:170)
    at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean.getResponseMessage(ControllerMessageBean.java:122)
    at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.__WL_invoke(Unknown Source)
    at weblogic.ejb.container.internal.MDOMethodInvoker.invoke(MDOMethodInvoker.java:35)
    at oracle.security.am.proxy.oam.requesthandler.ControllerMessageBean_eo7ylc_MDOImpl.getResponseMessage(Unknown Source)
    at oracle.security.am.proxy.oam.mina.ObClientToProxyHandler.messageReceived(ObClientToProxyHandler.java:231)
    at org.apache.mina.common.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:743)
    at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
    at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
    at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
    at org.apache.mina.common.IoFilterEvent.fire(IoFilterEvent.java:54)
    at org.apache.mina.common.IoEvent.run(IoEvent.java:62)
    at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:41)
    at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:184)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: oracle.security.am.common.policy.runtime.PolicyEvaluationException: OAMSSA-06023: Unable to determine the host identifier matching the request. Resource: Type: HTTP Operation: GET Name: WebGateResource URL: /HelloWorld/ Host: globalworld.com Port: 80.
    at oracle.security.am.common.policy.runtime.provider.entity.ResourceMapper.getAuthnPolicy(ResourceMapper.java:207)
    at oracle.security.am.common.policy.runtime.provider.entity.PolicyRuntimeProviderImpl.isResourceProtected(PolicyRuntimeProviderImpl.java:141)
    at oracle.security.am.common.policy.runtime.PolicyRuntimeImpl.isResourceProtected(PolicyRuntimeImpl.java:202)
    at oracle.security.am.engines.authz.AuthorizationEngine.isResourceProtected(AuthorizationEngine.java:229)
    ... 24 more

Explanation : 


Caused by: oracle.security.am.common.policy.runtime.PolicyEvaluationException: OAMSSA-06023: Unable to determine the host identifier matching the request. Resource: Type: HTTP Operation: GET Name: WebGateResource URL: /HelloWorld/ Host: globalworld.com Port: 80.

This message states that the request was intercepted by WebGate and forwarded to the OAM server.
The OAM server is trying to check the authentication and authorization policy for the requested resource, and in that process it first has to match the host identifier related to the resource.
WebGateResource URL: /HelloWorld/ Host: globalworld.com Port: 80.

This indicates that there is definitely some issue with the host identifier configuration.
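To see exactly which host and port the OAM server failed to match, the OAMSSA-06023 detail can be pulled out of the diagnostic log and compared with the entries defined for the host identifier. The script below is an added example, not part of the original post or any Oracle tooling; it assumes host identifier entries can be written as (host, port) pairs, and the CONFIGURED list and the second failure line in the sample are constructed.

```python
import re
from collections import Counter

# Detail fields of OAMSSA-06023 as they appear on the "Caused by:" line.
UNMATCHED = re.compile(
    r"OAMSSA-06023:.*?URL:\s*(?P<url>\S+)\s+"
    r"Host:\s*(?P<host>\S+)\s+Port:\s*(?P<port>\d+)"
)

def unmatched_requests(log_text):
    """Count (host, port) pairs the policy runtime could not map to a host identifier."""
    seen = Counter()
    for m in UNMATCHED.finditer(log_text):
        # Host names are compared case-insensitively, so normalise here.
        seen[(m.group("host").lower(), int(m.group("port")))] += 1
    return seen

def missing_variations(log_text, configured):
    """Return failing (host, port) pairs that are absent from the configured entries."""
    known = {(host.lower(), port) for host, port in configured}
    return sorted(pair for pair in unmatched_requests(log_text) if pair not in known)

# Shortened from the log excerpt above; the second failure line is constructed
# to show that differently cased host names are counted together.
SAMPLE_LOG = """\
[2015-08-03T01:50:00.682-07:00] [oam_server1] [WARNING] [OAM-02073] [oracle.oam.controller] Error while checking if the resource is protected or not.
Caused by: oracle.security.am.common.policy.runtime.PolicyEvaluationException: OAMSSA-06023: Unable to determine the host identifier matching the request. Resource: Type: HTTP Operation: GET Name: WebGateResource URL: /HelloWorld/ Host: globalworld.com Port: 80.
Caused by: oracle.security.am.common.policy.runtime.PolicyEvaluationException: OAMSSA-06023: Unable to determine the host identifier matching the request. Resource: Type: HTTP Operation: GET Name: WebGateResource URL: /HelloWorld/ Host: GlobalWorld.com Port: 80.
"""

# Constructed stand-in for the entries currently defined on the host identifier.
CONFIGURED = [("app.example.com", 80)]

if __name__ == "__main__":
    for (host, port), count in unmatched_requests(SAMPLE_LOG).items():
        print(f"{count} request(s) for {host}:{port} had no matching host identifier")
    print("not configured:", missing_variations(SAMPLE_LOG, CONFIGURED))
```

The host and port reported are the values the OAM server received from WebGate, which is the pair to check against the host identifier configuration.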

Solution:

The host identifier must be configured with the fully qualified domain name of the machine where OHS, which hosts the WebGate, is running.

So once I updated the host identifier with "ohshost.demo.com" the whole integration started working.

 
