1) boot.properties: the key file for starting the Node Manager / WebLogic
weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
	at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:959)
	at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
	at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
	at weblogic.security.SecurityService.start(SecurityService.java:141)
	at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User weblogic123 javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User weblogic123 denied
	at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
	at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Truncated. see log file for complete stacktrace
If you read the error message closely (the part about the boot identity file), the problem and its solution are clearly explained. When you start the BI Services, the credentials you enter are stored in the boot.properties file located at
\middleware\user_projects\domains\bifoundation_domain\servers\AdminServer\security
If those credentials are wrong, the server throws the error above. The next time it will not ask for the password again, because the wrong values are already stored in boot.properties. The solution is to delete the file and start the BI Services again; this time enter the right credentials without fail, and the console should display the message below:
<Storing boot identity in the file: \middleware\user_projects\domains\bifoundation_domain\servers\AdminServer\security\boot.properties>
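The message above says the values are encrypted on the first start, which means a hand-written boot.properties holds the password in plaintext until then. The following script, added here as an example and not part of the original post, audits such a file: it reports which of the username/password keys are still plaintext and whether the file is readable by other users. It assumes that values WebLogic has already encrypted begin with {AES}, {AES256} or {3DES}, that the file follows java.util.Properties key=value syntax, and the sample file it writes is constructed.

```python
"""Audit a WebLogic boot.properties file: report credential keys that are still
in plaintext (not yet encrypted by a first server start) and whether the file
is readable by other users.

Added example, not from the original post. Assumptions: values WebLogic has
encrypted start with {AES}, {AES256} or {3DES}; the file follows
java.util.Properties key=value syntax; the sample file in demo() is constructed."""
import os
import stat
import tempfile

ENCRYPTED_PREFIXES = ("{AES}", "{AES256}", "{3DES}")
CREDENTIAL_KEYS = ("username", "password")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#' / '!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep_pos = min((line.find(c) for c in "=:" if c in line), default=-1)
        if sep_pos == -1:
            props[line] = ""          # bare key, as java.util.Properties does
            continue
        props[line[:sep_pos].strip()] = line[sep_pos + 1:].strip()
    return props


def classify_credentials(props):
    """Return (plaintext_keys, missing_keys) for the boot identity keys."""
    plaintext, missing = [], []
    for key in CREDENTIAL_KEYS:
        value = props.get(key)
        if value is None:
            missing.append(key)
        elif not value.startswith(ENCRYPTED_PREFIXES):
            plaintext.append(key)
    return plaintext, missing


def audit_boot_properties(path):
    """Combine the content check and the permission check for the file at *path*."""
    findings = {"exists": os.path.isfile(path), "plaintext": [], "missing": [],
                "world_readable": False}
    if not findings["exists"]:
        return findings
    with open(path, encoding="utf-8") as fh:
        findings["plaintext"], findings["missing"] = classify_credentials(
            parse_properties(fh.read()))
    findings["world_readable"] = bool(os.stat(path).st_mode & stat.S_IROTH)
    return findings


def demo():
    """Constructed sample: a boot.properties written by hand, before the first
    server start has encrypted it."""
    fd, path = tempfile.mkstemp(suffix=".properties")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample\nusername=weblogic\npassword=ChangeMe1\n")
    os.chmod(path, 0o644)
    try:
        return audit_boot_properties(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Run it against the real file under the security directory after the first successful start: both keys should then be reported as encrypted and the file should not be world-readable, since anyone who can read a plaintext copy has the admin password.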
2) Embedded LDAP Data: the default LDAP server
WebLogic Server's default security providers use an embedded LDAP server to persist all security-related data. Each server stores this data locally, including all of the user, group, role, access control policy, and credential information. For each domain, the admin server acts as the master LDAP server and replicates new information to the embedded LDAP server running on each of the managed servers.
All the data of the embedded LDAP server is stored in the directory
\middleware\user_projects\domains\bifoundation_domain\servers\AdminServer\data
Whenever a WebLogic Server is started, it places all of its internal files in a server instance-specific directory. By default, the server's directory is located in the directory it was started from and has the same name as the server instance (for example, user_projects/bifoundation_domain/AdminServer/data).
Inside this server directory is an ldap sub-directory where you will find the LDAP server's files. The list below describes the contents of the embedded LDAP server directory.
The ldap folder contains the following sub-directories:
backup - Zipped backup files created once a day from the ldapfiles directory
conf - Configuration files that are generated on the first server start
ldapfiles - LDAP server data files
log - LDAP server log files
replicadata - Managed server replicated data
The backup time can be managed from the console.
If you ever encounter a problem where a managed server won't start and you suspect that its LDAP data may be corrupt, you can either use one of the backup zip files from the backup directory to revert the contents of the ldapfiles directory, or simply remove (or rename) the entire ldap directory and let it be recreated when the managed server starts up and connects to the admin server.
In my case, ldap_bkp is the renamed copy of the old folder and ldap is the one newly created when I ran 'Start BI Services' for WebLogic.
\middleware\user_projects\domains\bifoundation_domain\servers\AdminServer\data\ldap\ldapfiles contains several files, but the key ones to know are:
EmbeddedLDAP.data - the main data file where all the users, groups, roles, and policies are stored
EmbeddedLDAP.delete - contains information about deleted entries
EmbeddedLDAP.lok - ensures consistent access to the LDAP information. In some cases, a WebLogic Server might shut down without allowing the embedded LDAP server to unlock the data. If this happens, the server goes into a loop, waiting for the file to be removed and printing out a warning message:
<Could not obtain an exclusive lock for directory: \middleware\user_projects\domains\bifoundation_domain\servers\AdminServer\data\ldap\ldapfiles Waiting for 10 seconds and then retrying in case existing Weblogic Server is still shutting down.>
Typically, deleting the EmbeddedLDAP.lok file resolves this issue, once you have confirmed that the previous server process has really exited.
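To make the two recovery steps above (restore from a backup zip, clear a stale lock) less error-prone, here is a small helper script. It is an added example, not code from the original post or from Oracle: it lists only those backup zips that actually contain EmbeddedLDAP.data, flags an EmbeddedLDAP.lok that is present while no server is running, and stages a restore by renaming the current ldapfiles directory aside instead of deleting it. The directory and file names are the ones described above; the assumption that a backup zip holds the ldapfiles contents at its top level, and the sample tree built in demo(), are constructed.

```python
"""Inspect an embedded LDAP directory of a WebLogic server: list backup zips
that actually contain EmbeddedLDAP.data, flag a leftover EmbeddedLDAP.lok, and
stage a restore that sets the old ldapfiles aside instead of deleting it.

Added example, not from the original post. The directory and file names
(backup, ldapfiles, EmbeddedLDAP.data, EmbeddedLDAP.lok) are the ones the post
describes; the assumption that a backup zip holds the ldapfiles contents at its
top level and the sample tree built in demo() are constructed."""
import os
import shutil
import tempfile
import time
import zipfile

DATA_FILE = "EmbeddedLDAP.data"
LOCK_FILE = "EmbeddedLDAP.lok"


def usable_backups(ldap_dir):
    """Backup zips under ldap/backup that contain the main data file, newest first."""
    backup_dir = os.path.join(ldap_dir, "backup")
    if not os.path.isdir(backup_dir):
        return []
    found = []
    for name in os.listdir(backup_dir):
        path = os.path.join(backup_dir, name)
        if not zipfile.is_zipfile(path):
            continue
        with zipfile.ZipFile(path) as zf:
            names = {os.path.basename(m) for m in zf.namelist()}
        if DATA_FILE in names:
            found.append(path)
    found.sort(key=os.path.getmtime, reverse=True)
    return found


def lock_is_stale(ldap_dir, server_running):
    """The lock only means something while a server process holds it; a lock
    left behind by a crashed or killed server is what causes the retry loop."""
    lock = os.path.join(ldap_dir, "ldapfiles", LOCK_FILE)
    return os.path.exists(lock) and not server_running


def stage_restore(ldap_dir, backup_zip):
    """Rename ldapfiles to ldapfiles.corrupt-<timestamp> and unpack the backup
    in its place. Nothing is deleted, so the step can be undone. Returns the
    path of the set-aside directory."""
    live = os.path.join(ldap_dir, "ldapfiles")
    aside = "%s.corrupt-%s" % (live, time.strftime("%Y%m%d%H%M%S"))
    os.rename(live, aside)
    os.makedirs(live)
    with zipfile.ZipFile(backup_zip) as zf:
        for member in zf.namelist():
            # only plain entries: refuse absolute or parent-relative names
            if os.path.isabs(member) or ".." in member.replace("\\", "/").split("/"):
                continue
            zf.extract(member, live)
    return aside


def demo():
    """Build a constructed ldap tree with one complete and one partial backup
    and a leftover lock file, then run the three checks against it."""
    root = tempfile.mkdtemp()
    ldap_dir = os.path.join(root, "ldap")
    os.makedirs(os.path.join(ldap_dir, "backup"))
    os.makedirs(os.path.join(ldap_dir, "ldapfiles"))
    with zipfile.ZipFile(os.path.join(ldap_dir, "backup", "ldap_complete.zip"), "w") as zf:
        zf.writestr(DATA_FILE, "constructed backup data")
    with zipfile.ZipFile(os.path.join(ldap_dir, "backup", "ldap_partial.zip"), "w") as zf:
        zf.writestr("EmbeddedLDAP.delete", "no data file in this one")
    with open(os.path.join(ldap_dir, "ldapfiles", DATA_FILE), "w") as fh:
        fh.write("corrupt")
    open(os.path.join(ldap_dir, "ldapfiles", LOCK_FILE), "w").close()

    backups = usable_backups(ldap_dir)
    stale = lock_is_stale(ldap_dir, server_running=False)
    aside = stage_restore(ldap_dir, backups[0])
    with open(os.path.join(ldap_dir, "ldapfiles", DATA_FILE)) as fh:
        restored = fh.read()
    result = {"backups": [os.path.basename(b) for b in backups],
              "stale_lock": stale,
              "old_copy_kept": os.path.isfile(os.path.join(aside, DATA_FILE)),
              "restored": restored}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Because the old ldapfiles directory (lock file included) is moved aside rather than removed, the restored directory starts without a stale EmbeddedLDAP.lok and the corrupt data stays available for a post-mortem.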
3) Authentication Provider: the Control Flag that won't let you log in to Analytics
Authentication Providers derive login credentials from a username and password, a certificate, or custom headers and validate them against some form of LDAP or another identity store.
A typical case is a user who has configured a custom provider and changed the control flag to REQUIRED for both providers (the custom one and the Default Authenticator). The Control Flag governs whether authentication from a provider is required. If multiple providers are present, then at least one of them must be set to REQUIRED (but not both). You can mess up your domain so badly that you can no longer start your server (if you use two Authentication Providers, define the weblogic user in both of them and set one to REQUIRED, you end up unable to access the domain anymore). In fact, you should always set the Default Authenticator to REQUIRED.
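The lock-out described above is easiest to understand by running the flag logic on paper. The script below is an added example, not code from the original post or from WebLogic: it combines provider outcomes the way a JAAS login configuration (whose control-flag semantics WebLogic's providers follow) does, and it goes beyond the post by covering all four flags, not only REQUIRED. The provider names and the two identity stores are constructed.

```python
"""Evaluate authentication control flags over an ordered chain of providers,
the way a JAAS login configuration (which WebLogic's providers follow)
combines them: REQUIRED and REQUISITE must succeed (REQUISITE also stops the
chain on failure), a successful SUFFICIENT ends the chain at once unless an
earlier required provider failed, and OPTIONAL only decides the outcome when
no REQUIRED or REQUISITE provider is configured.

Added example, not from the original post; it covers all four flags, not only
REQUIRED. Provider names and identity stores are constructed."""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

# constructed identity stores: which provider knows which user
STORES = {
    "CustomLDAP": {"analyst": "an4lyst-pw"},
    "DefaultAuthenticator": {"weblogic": "welcome1"},
}


def evaluate(chain, outcomes):
    """chain: [(provider, flag)] in configured order; outcomes: {provider: bool}."""
    required_seen = False
    required_ok = True
    optional_ok = False
    for provider, flag in chain:
        ok = outcomes.get(provider, False)
        if flag in (REQUIRED, REQUISITE):
            required_seen = True
            if not ok:
                required_ok = False
                if flag == REQUISITE:
                    break
        elif flag == SUFFICIENT:
            if ok:
                return required_ok      # stop here; earlier required failures still count
        elif flag == OPTIONAL:
            optional_ok = optional_ok or ok
        else:
            raise ValueError("unknown control flag: %r" % (flag,))
    return required_ok if required_seen else optional_ok


def authenticate(chain, stores, user, password):
    """Ask every provider in the chain and combine the answers."""
    outcomes = {p: stores.get(p, {}).get(user) == password for p, _ in chain}
    return evaluate(chain, outcomes)


def scenarios():
    """The lock-out from the post (both REQUIRED, user known to one provider)
    next to configurations that let the same users in."""
    both_required = [("CustomLDAP", REQUIRED), ("DefaultAuthenticator", REQUIRED)]
    both_sufficient = [("CustomLDAP", SUFFICIENT), ("DefaultAuthenticator", SUFFICIENT)]
    stores_with_weblogic_in_both = {
        "CustomLDAP": dict(STORES["CustomLDAP"], weblogic="welcome1"),
        "DefaultAuthenticator": STORES["DefaultAuthenticator"],
    }
    return {
        # weblogic exists only in the Default Authenticator, CustomLDAP is REQUIRED: locked out
        "both_required_weblogic": authenticate(both_required, STORES, "weblogic", "welcome1"),
        # same flags, but the user is defined in both stores: allowed
        "both_required_weblogic_in_both": authenticate(
            both_required, stores_with_weblogic_in_both, "weblogic", "welcome1"),
        # SUFFICIENT on both: either store alone is enough
        "both_sufficient_weblogic": authenticate(both_sufficient, STORES, "weblogic", "welcome1"),
        "both_sufficient_analyst": authenticate(both_sufficient, STORES, "analyst", "an4lyst-pw"),
        # a wrong password is still refused everywhere
        "both_sufficient_bad_password": authenticate(both_sufficient, STORES, "analyst", "nope"),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print("%-32s %s" % (name, "allowed" if allowed else "denied"))
```

The first scenario is exactly the failure in the post: with both providers REQUIRED, the weblogic account is refused by the custom LDAP it does not exist in, and that single refusal overrides the Default Authenticator's success, so the account that is needed to start the server is locked out.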