
Support Article

AES unable to access monitored application

SA-2232

Summary



In a newly installed AES 7.1 environment on a WebLogic application server, the user observed frequent RemoteApplicationException entries in the PegaRULES log.

Error Messages



In the WebLogic log:
<BEA-090078> <User aesremoteuser in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>


In the PegaRULES log:
2014-09-21 00:01:03,530 [fault (self-tuning)'] [ STANDARD] [ AES:07.10] ( internal.mgmt.Executable) ERROR Rule-Connect-SOAP.PegaAES-Data-RSSnapshot.GetRuleSetSnapshot - Exception
com.pega.pegarules.pub.services.RemoteApplicationException: SOAP service failed
at com.pegarules.generated.activity.ra_action_invokeaxis_3da0d7301b5c63bb26382db9d78337c3.step9_circum0(ra_action_invokeaxis_3da0d7301b5c63bb26382db9d78337c3.java:1385)
at com.pegarules.generated.activity.ra_action_invokeaxis_3da0d7301b5c63bb26382db9d78337c3.perform(ra_action_invokeaxis_3da0d7301b5c63bb26382db9d78337c3.java:205)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3265)
...
Caused by: (401)Unauthorized
at com.pega.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
at com.pega.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
at com.pega.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at com.pega.apache.axis.SimpleChain.doVisiting(SimpleChain.java:119)
at com.pega.apache.axis.SimpleChain.invoke(SimpleChain.java:84)
at com.pega.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at com.pega.apache.axis.client.Call.invokeEngine(Call.java:2809)
at com.pega.apache.axis.client.Call.invoke(Call.java:2792)


Steps to Reproduce



Install PRPC 7.1.5 and AES 7.1 on a WebLogic application server and access AES.

Root Cause



Any request to the application (PRPC) that carries an "Authorization" header is intercepted by WebLogic itself and is not passed to the application until WebLogic has processed authentication using the information in that header.

For WebLogic Server versions 9.2 and later, client requests that use HTTP BASIC authentication must pass WebLogic Server authentication, even if access control is not enabled on the target resource.

This behaviour is controlled by the enforce-valid-basic-auth-credentials flag of the Security Configuration MBean, which specifies whether requests carrying invalid HTTP BASIC authentication credentials may access unsecured resources. The flag is true by default, so WebLogic Server authentication is performed; if it fails, the request is rejected, which is what happened in this case. WebLogic Server must therefore know the user and password.


To change the default behaviour, you can rely on an alternate authentication mechanism. For example, a backend web service might authenticate the client, so that WebLogic Server does not need to know about the user. With the default enforcement enabled, however, the web service can perform its own authentication only if WebLogic Server authentication first succeeds.


Note: The Security Configuration MBean provides domain-wide security configuration information. The enforce-valid-basic-auth-credentials flag affects the entire domain.

Resolution



If you explicitly set the enforce-valid-basic-auth-credentials flag to false, WebLogic Server does not perform authentication for HTTP BASIC credentials on client requests to resources for which access control is not enabled. In the previous example of a backend web service that authenticates the client, the web service can then perform its own authentication without WebLogic Server having knowledge of the user.

Follow these instructions to set the <enforce-valid-basic-auth-credentials> flag to false in the security configuration:

1. Add the <enforce-valid-basic-auth-credentials> element to config.xml within the <security-configuration> element:
   <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
2. Start or restart all of the servers in the domain.
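As an added example (not from the support article or from Pega's or Oracle's code), two defender-side checks in Python tied to this article: reading the effective value of enforce-valid-basic-auth-credentials from a config.xml, and extracting BEA-090078 lockout entries like the one above from WebLogic log lines. The config.xml excerpt and the log lines are constructed samples, not a real domain.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of a WebLogic config.xml (hypothetical domain, not the
# article's); the flag is a child of <security-configuration>.
CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>aes_domain</name>
  <security-configuration>
    <name>aes_domain</name>
    <default-realm>myrealm</default-realm>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
  </security-configuration>
</domain>"""

# Constructed WebLogic server-log lines; the BEA-090078 text is the lockout
# message quoted in the article, the second line is unrelated filler.
LOG_LINES = [
    "####<Sep 21, 2014 12:01:03 AM> <Notice> <Security> <host1> <AdminServer> <BEA-090078> "
    "<User aesremoteuser in security realm myrealm has had 5 invalid login attempts, "
    "locking account for 30 minutes.>",
    "####<Sep 21, 2014 12:01:04 AM> <Info> <Security> <host1> <AdminServer> <BEA-090082> "
    "<Security initializing using security realm myrealm.>",
]

LOCKOUT_RE = re.compile(
    r"<BEA-090078>\s*<User (?P<user>\S+) in security realm (?P<realm>\S+) has had "
    r"(?P<attempts>\d+) invalid login attempts, locking account for (?P<minutes>\d+) minutes\.>"
)

def _local(tag):
    """Strip the XML namespace so matching does not depend on the domain version."""
    return tag.rsplit("}", 1)[-1]

def enforce_valid_basic_auth(config_xml):
    """Effective value of enforce-valid-basic-auth-credentials: WebLogic treats an
    absent element as true, so only an explicit 'false' disables enforcement."""
    root = ET.fromstring(config_xml)
    for sec in root:
        if _local(sec.tag) == "security-configuration":
            for child in sec:
                if _local(child.tag) == "enforce-valid-basic-auth-credentials":
                    return (child.text or "").strip().lower() != "false"
    return True

def find_lockouts(lines):
    """Return (user, realm, attempts, minutes) for every BEA-090078 lockout entry."""
    return [(m["user"], m["realm"], int(m["attempts"]), int(m["minutes"]))
            for m in map(LOCKOUT_RE.search, lines) if m]
```

Run the lockout extraction over the WebLogic server log to see which account is being locked, and the config check over every domain's config.xml to confirm which domains have enforcement switched off, since the flag is domain-wide.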


Published January 31, 2016 - Updated December 2, 2021
