JpsRuntimeException: JPS-06514: Opening of file based keystore failed. | Weblogic

Oracle Weblogic Server

While starting weblogic server you might see error like “The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause.” and the server will FAIL to start.

Usually this kind of errors can cause due to many reasons and sometimes it results in finally recreating the whole domain but still there are chances to pin point and solve the issue.

Below is a summery of things to do/try while receiving this kind of errors:

 

35357875466> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-06514: Opening of file based keystore failed.
weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-06514: Opening of file based keystore failed.
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1402)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1022)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:141)

Caused By: oracle.security.jps.JpsRuntimeException: JPS-06514: Opening of file based keystore failed.
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:167)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:369)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1343)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1024)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:879)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused By: oracle.security.jps.JpsException: JPS-06514: Opening of file based keystore failed.
at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPDPService(PolicyUtil.java:2866)


Usually the issue could be caused by a permissions problem with the cwallet.sso file
<WLS_DOMAIN>\config\fmwconfig\bootstrap\cwallet.sso, go to properties of it and then security.
Enable full control,modify,Read and execute,read and write permissions for the current user.

on UNIX:

chmod 0777 cwallet.sso

On Windows:

Right click on C:\Oracle (parent\root directory of the installation
Go to Properties
choice security tab
click advanced
click on the entry for Administrators Group
click change permissions
click on the entry Administrators Group
check box "Replace all child object permissions with inheritable permissions from this object"
click "OK"

If the above option does not work, then try the following:

Rename the file cwallet.sso under the domain directory and restart the server. The cwallet.sso file should get re-created.

If all above does not work, try restoring cwallet.sso file from backup and restart the server. In most cases it solves the issue.

After all above you can try to pin point the issue by using below flag in JAVA_OPTS and start the server.

Enable debug by setting the following JAVA_OPTION or JAVA_OPTS in weblogic startup script:

-Djava.security.debug=jpspolicy

Ex: set JAVA_OPTS="-Djava.security.debug=jpspolicy;%JAVA_OPTS%" -- Windows
JAVA_OPTS="-Djava.security.debug=jpspolicy:$JAVA_OPTS" -- Linux/Unix
export JAVA_OPTS

Once the above property is enabled you will see logs like below and can check what is causing the issue and you can solve it accordingly.

Like in below logs its the issue with null KeyStore name.

[JavaPolicyProvider]: System Property [java.specification.version => 1.6]
[JavaPolicyProvider]: System Property [javax.net.ssl.trustStore => /opt/bea/Middleware/wlserver_12.1/server/lib/DemoTrust.jks]
policy: reading file:/opt/bea/Middleware/wlserver_12.1/server/lib/weblogic.policy
java.lang.IllegalArgumentException: null KeyStore name
at sun.security.util.PolicyUtil.getKeyStore(PolicyUtil.java:65)
at sun.security.provider.PolicyFile.init(PolicyFile.java:635)
at sun.security.provider.PolicyFile.access$400(PolicyFile.java:266)
at sun.security.provider.PolicyFile$3.run(PolicyFile.java:546)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:519)
at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:505)
at sun.security.provider.PolicyFile.init(PolicyFile.java:464)
at sun.security.provider.PolicyFile.<init>(PolicyFile.java:309)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at java.security.Policy.getPolicyNoCheck(Policy.java:167)
at java.security.ProtectionDomain.implies(ProtectionDomain.java:224)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:352)
at java.security.AccessController.checkPermission(AccessController.java:546)
at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:458)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:518)
at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:544)
at oracle.security.jps.internal.credstore.util.CsfUtil.checkPermission(CsfUtil.java:643)
at oracle.security.jps.internal.credstore.ssp.SspCredentialStore.containsCredential(SspCredentialStore.java:320)
at oracle.security.jps.internal.keystore.file.FileKeyStoreIntegrityChecker$3.run(FileKeyStoreIntegrityChecker.java:176)
at oracle.security.jps.internal.keystore.file.FileKeyStoreIntegrityChecker$3.run(FileKeyStoreIntegrityChecker.java:174)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.internal.keystore.file.FileKeyStoreIntegrityChecker.CsContainsHash(FileKeyStoreIntegrityChecker.java:174)
at oracle.security.jps.internal.keystore.file.FileKeyStoreIntegrityChecker.<init>(FileKeyStoreIntegrityChecker.java:81)
at oracle.security.jps.internal.keystore.file.FileKeyStoreManager.<init>(FileKeyStoreManager.java:165)
at oracle.security.jps.internal.keystore.file.FileKeyStoreManager.getInstance(FileKeyStoreManager.java:146)
at oracle.security.jps.internal.keystore.file.FileKeyStoreServiceImpl.doInit(FileKeyStoreServiceImpl.java:95)
at oracle.security.jps.internal.keystore.file.FileKeyStoreServiceImpl.<init>(FileKeyStoreServiceImpl.java:76)
at oracle.security.jps.internal.keystore.file.FileKeyStoreServiceImpl.<init>(FileKeyStoreServiceImpl.java:66)
at oracle.security.jps.internal.keystore.KeyStoreProvider.getInstance(KeyStoreProvider.java:157)
at oracle.security.jps.internal.keystore.KeyStoreProvider.getInstance(KeyStoreProvider.java:64)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:170)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:191)
at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:132)
at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:127)
at oracle.security.jps.internal.policystore.PolicyUtil$2.run(PolicyUtil.java:2827)
at oracle.security.jps.internal.policystore.PolicyUtil$2.run(PolicyUtil.java:2821)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPDPService(PolicyUtil.java:2821)
at oracle.security.jps.internal.policystore.PolicyUtil.getPDPService(PolicyUtil.java:3097)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:164)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:369)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1343)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1022)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:148)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

 

In case of any ┬ęCopyright or missing credits issue please check CopyRights page for faster resolutions.

8 Responses

  1. olumide says:

    I have the exact same problem mentioned above with my Weblogic 12c server. When i attempt to start admin server, i get the error; <The loading of OPSS java security policy provider failed due to exception…… Error message: JPS 06514: Opening of file based keystore failed.

    I have checked the permissions on cwallet.sso, it belongs to oracle:oinstall and this is the account i used for the installation of weblogic. I have also run chmod -R 777 /tmp
    Additionally i ran the orapki wallet display command and it completed successfully. However none of these solutions has helped in my attempt to start admin server. i still get the same error. Please HELP.

    After running "./startWebLogic.sh -Djava.security.debug=jpspolicy" I got the following result

    Policy CodeSource: (file:/u02/oracle/middleware/wlserver_12.1/server/lib/-
    Active CodeSource: (file:/u02/oracle/middleware/oracle_common/modules/oracle.jps_11.1.1/jps-api.jar
    Policy: evaluation (codesource) failed

    Policy CodeSource: (file:/usr/java/packages/lib/ext/*
    Active CodeSource: (file:/u02/oracle/middleware/oracle_common/modules/oracle.jps_11.1.1/jps-internal.jar
    Policy: evaluation (codesource) failed

    oracle.seurity.jps.internal.keystore.file.FileKeyStoreManager openKeyStore
    Warning: Opening of filebased keystore failed.
    The loading of OPSS java security policy provider failed due to exception ……

  2. someone says:

    It seems that it is a Weblogic bug : https://kr.forums.oracle.com/forums/thread.jspa?threadID=2380035&start=15&tstart=0

    I have that problem too. Maybe some combination of older Weblogic and Webcenter conent might work…

  3. someone says:

    It says here http://www.oracle.com/technetwork/middleware/webcenter/content/downloads/index.html under required additional software to use Oracle WebLogic Server 10.3.5 or 10.3.6.

  4. Nazeeh says:

    I try to set the JAVA_OPTS by add the JAVA_OPTS to the first line of startWebLogic.bat but it’s not worked, can you tell me where I shall add the JAVA_OPTS from the file.

  5. Nazeeh says:

    also directly from the command line set JAVA_OPTS=”-Djava.security.debug=jpspolicy;%JAVA_OPTS%” but no debug

Leave a Reply