Tuesday, 18 December 2018

Weblogic server takes long time to start. Performance tuning of Weblogic server startup.


Weblogic server takes long time to start. Performance tuning of Weblogic server startup.

Cause:

It is observed on some Linux boxes that WebLogic server startup takes several minutes and hangs for a while. Similar behavior happens during the domain creation, when the security information gets populated.

It has also been observed WLS Admin Console slowness due to low entropy.
Linux has two devices to provide random data at any time: /dev/random and /dev/urandom. Both ways should be secure enough to use them in generating PGP keys, ssh challenges, and other applications where secure random numbers are required. Starting on kernel 2.6, default entropy is 4096 bits and problem arises when the entropy available on the system is minimum (around 100 bits or less).
The main difference between those two devices is that /dev/random runs out of random bits and makes you wait for more to be accumulated. Note that on some systems, it can block for a long time waiting for new user-generated entropy to be entered into the system.

In terms of the outcome, /dev/random is categorized as a high quality entropy device if we compare it with /dev/urandom. The latter uses the entropy pool as long as it is available, but falls back on pseudo random numeric algorithms when depleted.

Why a system could be running out of entropy?
You have to consider that an Operating System performs cryptographic operations frequently (on ssh challenges, https connections, etc.) so the /dev/random pool gets consumed quite quickly. OS also expects to feed that pool with I/O operations coming from disk, network, mouse or keyboard but that situation does not happen as quickly. This is a common pattern on virtualized environments or headless boxes.
Is important to mention that Java uses /dev/random by default as entropy generator device.
How to verify if you are encountering this issue?
  1. Check the default system entropy.
$ cat /proc/sys/kernel/random/poolsize
4096
  1. Check the available entropy.
$ cat /proc/sys/kernel/random/entropy_avail
125
On previous example, entropy is too low.
  1. Monitor the current entropy of the system by using the following command:
$ for i in $(seq 500); do cat /proc/sys/kernel/random/entropy_avail ; sleep 5; done
  1. Start a WebLogic server instance. You should see that entropy decreases or stalls.


Solution:
a) WebLogic Server Scope
i.   Edit the Weblogic startup script ($DOMAIN_HOME/bin/startWebLogic.sh)
ii.  Add the following to the JAVA_OPTIONS variable: -Djava.security.egd=file:/dev/./urandom
iii. Save the file.
iv. Set the domain environment. ($DOMAIN_HOME/bin/setDomainEnv.sh)
v.  Start WebLogic instances.
b) JDK Scope

i.   Edit the Java Security Properties file ($JAVA_HOME/jre/lib/security/java.security)
ii.  The securerandom.source property specifies the source of seed data for secure random. If that property points to /dev/random, set it as one of the options listed below.
securerandom.source=file:/dev/./urandom
securerandom.source=file:/dev/urandom
iii.  Save changes and start the WebLogic Server instances.

Temporary solution :
i. Override the JAVA_OPTIONS environment variable before starting WebLogic Server via shell scripts.
$ export JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.egd=file:/dev/./urandom"
ii. Start WebLogic instances.




Happy Learning!

Weblogic Not Starting with Error: JPS-06514: Opening of file based keystore failed

Recently, I encountered an issue where the Weblogic Admin server did not start due to an error  JPS-06514: Opening of file based keystore failed

Error Message:
<Error> <Security> <BEA-090892> <The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-06514: Opening of file based keystore failed.>
 <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-06514: Opening of file based keystore failed.
weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-06514: Opening of file based keystore failed.
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1402)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1022)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:888)
        at weblogic.security.SecurityService.start(SecurityService.java:141)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.JpsRuntimeException: JPS-06514: Opening of file based keystore failed.
        at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:190)
        at oracle.security.jps.internal.policystore.TenantJavaPolicyProvider.<init>(TenantJavaPolicyProvider.java:161)
        at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:306)
        at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:279)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.JpsException: JPS-06514: Opening of file based keystore failed.
        at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPDPService(PolicyUtil.java:3180)
        at oracle.security.jps.internal.policystore.PolicyUtil.getPDPService(PolicyUtil.java:3480)
        at oracle.security.jps.internal.policystore.PolicyUtil.getPDPService(PolicyUtil.java:3466)
        at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:188)
        at oracle.security.jps.internal.policystore.TenantJavaPolicyProvider.<init>(TenantJavaPolicyProvider.java:161)
        Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.service.keystore.KeyStoreServiceException: JPS-06514: Opening of file based keystore failed.
        at oracle.security.jps.internal.keystore.file.FileKeyStoreManager.openKeyStore(FileKeyStoreManager.java:458)
        at oracle.security.jps.internal.keystore.file.FileKeyStoreManager.openKeyStore(FileKeyStoreManager.java:392)
        at oracle.security.jps.internal.keystore.file.FileKeyStoreServiceImpl.doInit(FileKeyStoreServiceImpl.java:128)
        at oracle.security.jps.internal.keystore.file.FileKeyStoreServiceImpl.start(FileKeyStoreServiceImpl.java:901)
        at oracle.security.jps.internal.keystore.FarmKeyStoreServiceImpl.initialize(FarmKeyStoreServiceImpl.java:148)
        Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.service.keystore.KeyStoreServiceException: JPS-06519: Failed to get/set credential with map fks and key null in bootstrap credstore. Reason oracle.security.jps.service.keystore.KeyStoreServiceException: JPS-06519: Failed to get/set credential with map fks and key current.key in bootstrap credstore. Reason null
        at oracle.security.jps.internal.keystore.util.KeyStoreServiceUtil.getMasterKey(KeyStoreServiceUtil.java:453)
        at oracle.security.jps.internal.keystore.file.FileKeyStoreManager$3.run(FileKeyStoreManager.java:412)
        at oracle.security.jps.internal.keystore.file.FileKeyStoreManager$3.run(FileKeyStoreManager.java:410)
        at java.security.AccessController.doPrivileged(Native Method)
        at oracle.security.jps.internal.keystore.file.FileKeyStoreManager.openKeyStore(FileKeyStoreManager.java:410)
        Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.service.keystore.KeyStoreServiceException: JPS-06519: Failed to get/set credential with map fks and key current.key in bootstrap credstore. Reason null
        at oracle.security.jps.internal.keystore.util.KeyStoreServiceUtil.getCurrentMasterKeyAlias(KeyStoreServiceUtil.java:303)
        at oracle.security.jps.internal.keystore.util.KeyStoreServiceUtil$3.run(KeyStoreServiceUtil.java:446)
        at oracle.security.jps.internal.keystore.util.KeyStoreServiceUtil$3.run(KeyStoreServiceUtil.java:444)
        at java.security.AccessController.doPrivileged(Native Method)
        at oracle.security.jps.internal.keystore.util.KeyStoreServiceUtil.getMasterKey(KeyStoreServiceUtil.java:444)
        Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.service.credstore.CredStoreException: JPS-01061: Access to bootstrap credential store denied to application code.

Solution:


1.Delete all pki files under /tmp and rename keystores.xml(domain/config) and cwallet.sso(domain/config/fmwconfig/bootstrap).
2. Delete the tmp directory under the $DOMAIN_HOME/servers/AdminServer
3.Start the weblogic server


Happy Learning!