000011945 - Weblogic will not start 'User weblogic is not permitted to boot the server'

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000011945
Applies To: BEA Weblogic Server 9.2
RSA Access Manager Agent 3.6 for BEA WebLogic 9.2
Microsoft Windows 2003
Issue: Weblogic will not start "User weblogic is not permitted to boot the server"
Weblogic log shows:
< CT authroization result = ACCESS_DENIED>

Weblogic log shows

<Mar 26, 2008 11:41:18 AM CDT> <Critical> <Security> <default_server> <AdminServer> <[STANDBY] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1111111> <BEA-090404> <User weblogic is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.>
####<Mar 26, 2008 11:41:18 AM CDT> <Critical> <WebLogicServer> <default_server> <AdminServer> <main> <<WLS Kernel>> <> <> <1206549678303> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: User weblogic is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.

Cause: The Weblogic server will not restart if the "Weblogic" user does not have permission. This can be because the "Weblogic" user used to boot the server is not a ClearTrust user, or is not a member of the <Server>_Administrators and Administrators groups in the Access Manager datastore. It can also occur if the user does not have permission to access resources on the application server, for example if the aserver is in passive mode.
Resolution: Ensure that there is no entitlement defined in the ClearTrust entitlements manager that would prevent the user "Weblogic" from starting the server.
If the aserver setting cleartrust.aserver.authorization_mode= is set to passive, all resources will be protected by default. Change the mode to active or create entitlements for the "Weblogic" user.
Workaround: Installing the Weblogic agent. After deploying the agent, the Weblogic Server will not boot.
Legacy Article ID: a39289
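
The checks described under Cause and Resolution can be scripted for triage. The following is an added example, not RSA or BEA code: it scans a WebLogic log for the BEA-090404 / BEA-000386 boot denial, reads the authorization mode from aserver configuration text, and lists the follow-up steps from this article. The sample log and configuration text are constructed, and the key=value layout of the configuration is an assumption based on how the setting is written above.

```python
import re

# Constructed sample log, modelled on the records in this article (messages shortened).
SAMPLE_LOG = """\
<Mar 26, 2008 11:41:18 AM CDT> <Critical> <Security> <default_server> <AdminServer> <[STANDBY] ExecuteThread: '1'> <<WLS Kernel>> <> <> <1111111> <BEA-090404> <User weblogic is not permitted to boot the server; The server policy may have changed.>
####<Mar 26, 2008 11:41:18 AM CDT> <Critical> <WebLogicServer> <default_server> <AdminServer> <main> <<WLS Kernel>> <> <> <1206549678303> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: User weblogic is not permitted to boot the server
####<Mar 26, 2008 11:41:20 AM CDT> <Info> <Security> <default_server> <AdminServer> <main> <<WLS Kernel>> <> <> <1206549680000> <BEA-000000> <Constructed unrelated record>
"""
# Constructed configuration text; only the key name is taken from the article.
SAMPLE_CONF = "# constructed sample\ncleartrust.aserver.authorization_mode=passive\n"

MODE_KEY = "cleartrust.aserver.authorization_mode"
BOOT_IDS = {"BEA-090404", "BEA-000386"}
RECORD = re.compile(r"^(?:####)?<(?P<ts>[^>]+)> <(?P<severity>[^>]+)> .*<(?P<msg_id>BEA-\d{6})> <(?P<text>.*)$")
DENIED = re.compile(r"User (\S+) is not permitted to boot the server")

def boot_denials(log_text):
    """Return (timestamp, message id, user) for each record reporting a denied boot user."""
    hits = []
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if rec and rec["msg_id"] in BOOT_IDS:
            user = DENIED.search(rec["text"])
            if user:
                hits.append((rec["ts"], rec["msg_id"], user.group(1)))
    return hits

def authorization_mode(conf_text):
    """Return the last uncommented value of the authorization mode key, or None if unset."""
    mode = None
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == MODE_KEY:
            mode = value.strip().lower() or None
    return mode

def triage(log_text, conf_text):
    """Combine both checks into the follow-up steps listed under Cause and Resolution."""
    users = sorted({user for _, _, user in boot_denials(log_text)})
    mode = authorization_mode(conf_text)
    steps = []
    if users:
        steps.append("confirm the boot user is a ClearTrust user in the <Server>_Administrators and Administrators groups")
        steps.append("confirm no entitlement prevents the boot user from starting the server")
        if mode == "passive":
            steps.append("authorization_mode is passive: change it to active or create entitlements for the boot user")
    return {"denied_users": users, "authorization_mode": mode, "steps": steps}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_CONF))
```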
