Support Article
AES unable to access monitored application
SA-2232
Summary
In a newly installed AES 7.1 environment on a WebLogic application server, the user observed frequent RemoteApplicationException errors in the PegaRULES log.
Error Messages
In the WebLogic log:
<BEA-090078><User aesremoteuser in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
In the PegaRULES log:
2014-09-21 00:01:03,530 [fault (self-tuning)'] [ STANDARD] [ AES:07.10] ( internal.mgmt.Executable) ERROR Rule-Connect-SOAP.PegaAES-Data-RSSnapshot.GetRuleSetSnapshot - Exception
com.pega.pegarules.pub.services.RemoteApplicationException: SOAP service failed
at com.pegarules.generated.activity.ra_action_invokeaxis_3da0d7301b5c63bb26382db9d78337c3.step9_circum0(ra_action_invokeaxis_3da0d7301b5c63bb26382db9d78337c3.java:1385)
at com.pegarules.generated.activity.ra_action_invokeaxis_3da0d7301b5c63bb26382db9d78337c3.perform(ra_action_invokeaxis_3da0d7301b5c63bb26382db9d78337c3.java:205)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3265)
...
Caused by: (401)Unauthorized
at com.pega.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
at com.pega.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
at com.pega.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at com.pega.apache.axis.SimpleChain.doVisiting(SimpleChain.java:119)
at com.pega.apache.axis.SimpleChain.invoke(SimpleChain.java:84)
at com.pega.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at com.pega.apache.axis.client.Call.invokeEngine(Call.java:2809)
at com.pega.apache.axis.client.Call.invoke(Call.java:2792)
Steps to Reproduce
Install PRPC 7.1.5 and AES 7.1 on a WebLogic application server and access AES.
Root Cause
WebLogic intercepts any request to the application (PRPC) that carries an "Authorization" header and attempts to authenticate the request itself, using the credentials in that header, instead of passing it straight through to the application.
For WebLogic Server versions 9.2 and later, client requests that use HTTP BASIC authentication must pass WebLogic Server authentication, even if access control is not enabled on the target resource.
This behaviour is controlled by the enforce-valid-basic-auth-credentials flag of the Security Configuration MBean, which specifies whether the server allows requests with invalid HTTP BASIC authentication credentials to reach unsecured resources. The flag is true by default, so WebLogic Server authentication is performed; if that authentication fails, the request is rejected, which is what was observed in this case. WebLogic Server must therefore know the user and password.
To change the default behaviour, the user may rely on an alternate authentication mechanism. For example, a backend web service might authenticate the client itself, so that WebLogic Server does not need to know about the user. With the default enforcement enabled, the web service can still do its own authentication, but only after WebLogic Server authentication has first succeeded.
Note: The Security Configuration MBean provides domain-wide security configuration information. The enforce-valid-basic-auth-credentials flag affects the entire domain.
Resolution
If the user explicitly sets the enforce-valid-basic-auth-credentials flag to false, WebLogic Server does not perform authentication for HTTP BASIC credentials on client requests to resources for which access control is not enabled. In the backend web service example above, the web service can then perform its own authentication without WebLogic Server having any knowledge of the user.
Follow these steps to set the enforce-valid-basic-auth-credentials flag to false in the security configuration:
1. Add the <enforce-valid-basic-auth-credentials> element to config.xml inside the <security-configuration> element:
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
2. Start or restart all of the servers in the domain.
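The following script is an added example, not Pega or Oracle code, that checks a WebLogic domain config.xml for the flag described above and writes it explicitly when it is missing. It assumes the config.xml layout used by the WebLogic domain schema (a <security-configuration> element directly under <domain>); element names are matched by local name so the namespace prefix does not matter. The embedded config.xml is a constructed sample: "myrealm" is the realm from the log line above, while "mydomain" and "AdminServer" are made-up names.

```python
import xml.etree.ElementTree as ET

# Element the article tells you to add under <security-configuration>.
FLAG = "enforce-valid-basic-auth-credentials"

# Constructed sample config.xml (not taken from a real domain): the flag is
# absent, so WebLogic applies its default of true and validates every HTTP
# BASIC Authorization header itself before the application sees the request.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>mydomain</name>
  <security-configuration>
    <name>mydomain</name>
    <realm>
      <name>myrealm</name>
    </realm>
    <default-realm>myrealm</default-realm>
  </security-configuration>
  <server>
    <name>AdminServer</name>
  </server>
</domain>
"""


def _local_name(tag):
    """Strip the {namespace} prefix that ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def _child(parent, name):
    """Return the first direct child whose local name is `name`, else None."""
    for element in parent:
        if _local_name(element.tag) == name:
            return element
    return None


def basic_auth_enforced(config_xml):
    """Report whether this config.xml leaves WebLogic validating BASIC credentials.

    True means the default is in effect (element missing, or any value other
    than "false"): requests whose credentials WebLogic cannot validate get a
    401 and repeated failures lock the account, as seen in the article.
    False means the flag is explicitly false and the application behind
    WebLogic is expected to authenticate the client itself.
    """
    root = ET.fromstring(config_xml)
    security = _child(root, "security-configuration")
    if security is None:
        return True
    flag = _child(security, FLAG)
    if flag is None or flag.text is None:
        return True
    return flag.text.strip().lower() != "false"


def set_basic_auth_enforcement(config_xml, enforce):
    """Return config_xml with the flag written explicitly as true or false.

    Creates <security-configuration> and the flag element when they are
    missing, reusing the root element's namespace so the output stays in
    the same schema as the input.
    """
    root = ET.fromstring(config_xml)
    namespace = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if namespace:
        # Serialise with the default (unprefixed) namespace, as WebLogic writes it.
        ET.register_namespace("", namespace)

    def qualify(name):
        return "{%s}%s" % (namespace, name) if namespace else name

    security = _child(root, "security-configuration")
    if security is None:
        security = ET.SubElement(root, qualify("security-configuration"))
    flag = _child(security, FLAG)
    if flag is None:
        flag = ET.SubElement(security, qualify(FLAG))
    flag.text = "true" if enforce else "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("sample config enforces BASIC auth:", basic_auth_enforced(SAMPLE_CONFIG))
    patched = set_basic_auth_enforcement(SAMPLE_CONFIG, enforce=False)
    print("patched config enforces BASIC auth:", basic_auth_enforced(patched))
    print(patched)
```

Use basic_auth_enforced() to confirm the flag is really false after editing and restarting, since a value placed outside <security-configuration> or spelled "False " with stray whitespace is still accepted here but is worth catching. The ElementTree round-trip drops XML comments and the declaration, so on a live domain edit config.xml by hand as the steps above describe and use the script as the check. Because the flag is domain-wide, setting it to false removes WebLogic's own credential validation for every unsecured resource in the domain, so the applications behind it (PRPC here) must authenticate the Authorization header themselves.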
Published January 31, 2016 - Updated December 2, 2021