Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

running wls 8.1 domain in compatability mode (6.1)

0 views
Skip to first unread message

Mark

unread,
Dec 8, 2003, 9:39:36 AM12/8/03
to

how do i run a wls 8.1 domain in "compatability mode" to interact with a wls 6.1
server? the guide here: http://e-docs.bea.com/wls/docs81/secmanage/security6.html#1116923,
assumes that i'm upgrading a wls 6.1 domain. i'm interested in exactly what needs
to be in a wls 8.1 config.xml to tell it that it is running compatability mode.

thanks!
~mark

Craig

unread,
Dec 8, 2003, 2:17:55 PM12/8/03
to

"Mark" <Mark.L...@cbc-companies.com> wrote:
>
>how do i run a wls 8.1 domain in "compatability mode" to interact with
>a wls 6.1 server?

No special steps are required from the security perspective for WLS 6.1 to interact
with WLS 8.1. Compatibility mode is more to running your WLS 6.1 security configuration
in WLS 8.1.

Mark

unread,
Dec 8, 2003, 2:32:49 PM12/8/03
to

thanks for the response!!!

well, i've got a bean running under 8.1 trying to call a bean in 6.1. both servers
use the username system with the same password. there's basically no security
on the bean running on the 6.1 server (as far as i can tell). when the bean on
8.1 tries to call the bean on 6.1, 6.1 appears to deny access. as shown by this
in my 6.1 log:

java.lang.SecurityException: Authentication for user system denied in realm wl_realm
at weblogic.security.acl.Realm.authenticate(Realm.java:212)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at weblogic.security.acl.internal.Security.authenticate(Security.java:125)
at weblogic.security.acl.internal.Security.verify(Security.java:87)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:237)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:22)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)

this was all working without a problem with 6.1 -> 6.1 servers. any ideas what
i can do to get these two ejb's to talk to each other?

Craig

unread,
Dec 8, 2003, 2:52:09 PM12/8/03
to

"Mark" <Mark.L...@cbc-companies.com> wrote:
>
>well, i've got a bean running under 8.1 trying to call a bean in 6.1.
> both servers
>use the username system with the same password. there's basically no
>security
>on the bean running on the 6.1 server (as far as i can tell). when the
>bean on
>8.1 tries to call the bean on 6.1, 6.1 appears to deny access. as shown
>by this
>in my 6.1 log:
>
>java.lang.SecurityException: Authentication for user system denied in
>realm wl_realm
> at weblogic.security.acl.Realm.authenticate(Realm.java:212)
>
>this was all working without a problem with 6.1 -> 6.1 servers. any
>ideas what
>i can do to get these two ejb's to talk to each other?

When both EJBs are in the same WLS domain there is no need to authenticate when
calling between them. Now you have 2 different domains communiction so you can
enable domain trust:

http://edocs.bea.com/wls/docs81/secmanage/domain.html

or you can authenticate to the WLS 6.1 domain from the WLS 8.1 domain before calling
the EJB.

-Craig

Mark

unread,
Dec 8, 2003, 3:13:11 PM12/8/03
to

when the beans were both running in wls 6.1, they were not in the same domain.
they were each in their own domain, under their own admin server. the link you
mention for enabling a trust seems only for 8.1 -> 8.1 trust. at least i can't
find a place in my 6.1 console to put the trust password that is mentioned in
the doc. is there a doc on how i can authenticate into the 6.1 domain from the
8.1 ejb? what do i need to do there? is it possible to setup a domain trust
between the 6.1 and 8.1 servers? where does the trust password need to be put?

thanks much for your help with this!!!

Craig

unread,
Dec 8, 2003, 3:36:04 PM12/8/03
to

"Mark " <Mark.L...@cbc-companies.com> wrote:
>when the beans were both running in wls 6.1, they were not in the same
>domain.
>they were each in their own domain, under their own admin server. the
>link you
>mention for enabling a trust seems only for 8.1 -> 8.1 trust. at least
>i can't
>find a place in my 6.1 console to put the trust password that is mentioned
>in

Since the WLS 6.1 servers had the same "system" user and password they where in
fact in the same security domain. WLS 8.1 now makes this trust explicit. For the
WLS 8.1 domain, make the credential the WLS 6.1 system user passoword and there
is nothing to do in WLS 6.1 domain. If this was not clear in the documentation
please file a problem report with BEA support.

>the doc. is there a doc on how i can authenticate into the 6.1 domain
>from the
>8.1 ejb? what do i need to do there? is it possible to setup a domain
>trust
>between the 6.1 and 8.1 servers? where does the trust password need
>to be put?
>
>thanks much for your help with this!!!

The authentication I'm referring to is the process by which you must supply credentials
in order to access a non-trusted domain. Authentication can be done with JAAS
or JNDI. JNDI is deprecated so you should used JAAS for new code. JAAS has been
available since WLS 6.0.

JAAS: http://edocs.bea.com/wls/docs81/security/fat_client.html#1029379
JNDI: http://edocs.bea.com/wls/docs81/security/fat_client.html#1033403

Hope this helps, -Craig

Mark

unread,
Dec 9, 2003, 6:21:09 AM12/9/03
to

Craig,

I very much appreciate your help with this matter and your responses to my troubles.
One question below.

"Craig" <c...@thefrogpad.net> wrote:
>
>"Mark " <Mark.L...@cbc-companies.com> wrote:
>>when the beans were both running in wls 6.1, they were not in the same
>>domain.
>>they were each in their own domain, under their own admin server.
>the
>>link you
>>mention for enabling a trust seems only for 8.1 -> 8.1 trust. at least
>>i can't
>>find a place in my 6.1 console to put the trust password that is mentioned
>>in
>
>Since the WLS 6.1 servers had the same "system" user and password they
>where in
>fact in the same security domain. WLS 8.1 now makes this trust explicit.
>For the
>WLS 8.1 domain, make the credential the WLS 6.1 system user passoword
>and there
>is nothing to do in WLS 6.1 domain. If this was not clear in the documentation
>please file a problem report with BEA support.


Where in the documentation would I find this type of information? I was reading
the 6.1 -> 8.1 upgrade guide, and focused on the ejb sections and some of the
security stuff in those docs after noticing the login failed in my remote server
(6.1 server). It does seem to be rather confusing that a security violation would
produce these non security related messages on my remote (8.1) server.

Mark

unread,
Dec 9, 2003, 9:20:13 AM12/9/03
to

>>Since the WLS 6.1 servers had the same "system" user and password they
>>where in
>>fact in the same security domain. WLS 8.1 now makes this trust explicit.
>>For the
>>WLS 8.1 domain, make the credential the WLS 6.1 system user passoword
>>and there
>>is nothing to do in WLS 6.1 domain. If this was not clear in the documentation
>>please file a problem report with BEA support.
>
>

in my 8.1 console, i've unchedked the box that says use generated password, and
i put my weblogic 6.1 password in the two input boxes. then i clicked the apply
button. i tried again, and again to access my ejb on a separate server. i tried
shuttind down and restarting both domains (6.1 and 8.1). i'm still not getting
through. any help on this would be most appreciated!!.

####<Dec 9, 2003 9:54:17 AM EST> <Warning> <RMI> <mlybarger> <myserver> <ExecuteThread:
'2' for queue: 'weblogic.admin.RMI'> <<WLS Kernel>> <> <BEA-080003> <RuntimeException
thrown by rmi server: weblogic.management.internal.RemoteMBeanServerImpl.invoke(Ljavax.management.ObjectName;Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String;)
weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
principals=[system], on ResourceType: ServerConfig Action: execute, Target: lookupServerRuntime.
weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
principals=[system], on ResourceType: ServerConfig Action: execute, Target: lookupServerRuntime
at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.wlsRun(SecurityHelper.java:557)
at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.run(SecurityHelper.java:453)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
at weblogic.management.internal.SecurityHelper.isAccessAllowed(SecurityHelper.java:347)
at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:764)
at weblogic.management.internal.RemoteMBeanServerImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:466)
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:409)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:353)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:144)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:404)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:30)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)

Craig

unread,
Dec 9, 2003, 11:05:37 PM12/9/03
to

"Mark" <Mark.L...@cbc-companies.com> wrote:
>Where in the documentation would I find this type of information? I
>was reading
>the 6.1 -> 8.1 upgrade guide, and focused on the ejb sections and some
>of the
>security stuff in those docs after noticing the login failed in my remote
>server
>(6.1 server). It does seem to be rather confusing that a security violation
>would
>produce these non security related messages on my remote (8.1) server.

The authentication and authorization process in WLS 8.1 should be described in
the introduction to security manual and more details should appear in the managing
security guide.

http://edocs.bea.com/wls/docs81/secintro/concepts.html
http://edocs.bea.com/wls/docs81/secmanage/index.html

Craig

unread,
Dec 9, 2003, 11:18:25 PM12/9/03
to

"Mark" <Mark.L...@cbc-companies.com> wrote:
>in my 8.1 console, i've unchedked the box that says use generated password,
>and
>i put my weblogic 6.1 password in the two input boxes. then i clicked
>the apply
>button. i tried again, and again to access my ejb on a separate server.
> i tried
>shuttind down and restarting both domains (6.1 and 8.1). i'm still not
>getting
>through. any help on this would be most appreciated!!.
>
>####<Dec 9, 2003 9:54:17 AM EST> <Warning> <RMI> <mlybarger> <myserver>
><ExecuteThread:
>'2' for queue: 'weblogic.admin.RMI'> <<WLS Kernel>> <> <BEA-080003> <RuntimeException
>thrown by rmi server: weblogic.management.internal.RemoteMBeanServerImpl.invoke(Ljavax.management.ObjectName;Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String;)
> weblogic.management.NoAccessRuntimeException: Access not allowed for
>subject:
>principals=[system], on ResourceType: ServerConfig Action: execute, Target:
>lookupServerRuntime.

You have moved past the domain trust issue and have run into an MBean access exception.
In order to execute an MBean operation the user normally requires administrative
privileges. Does the EJB on WLS 6.1 call back to the EJB on WLS8.1 or somehow
attempt to access the WLS 8.1 server?

At this point you should consider opening a problem report with BEA Support and
supply more information about your WLS versions and application structure.

Mark

unread,
Dec 10, 2003, 10:42:45 AM12/10/03
to


I have opened a problem report with BEA. just thought I'd post here what i'm seeing.
The 8.1-6.1 interaction works fine when there's no transactions involved. when
the 8.1 begins a transaction on a method call, and that call invokes a call in
a 6.1 ejb, the errors begin).

My 6.1 application does not call back to the 8.1 application except for the response
object from the method call. I am not using MBeans at all in my application,
only stateless session beans. Maybe this is an internal weblogic bean access for
starting the transaction?

0 new messages