
Problem:

  • Product Name: Borland Enterprise Server
  • Product Version: 5.x.x
  • Product Component: Partition
  • JDK Version: 1.3.1/1.4.1
  • Platform/OS Version: All

What are the reasons for the NO_PERMISSION error when the partition starts or restarts?

Resolution:

The gist of the thing is that all servers in a management domain (defined by the management port) must use the same identity for the admin user: the same password, certificates, whatever is being used for authentication. If any server in the domain strays from this rule, all servers that discover the rogue server will suffer from this problem.

The symptoms can be very confusing because the situation is not necessarily caused by the poor soul who's experiencing the failures. One possible situation is changing the admin password for one server in the same management domain.

The problem here is that after the admin password has been changed, communications from that changed server to other servers in its management domain (e.g. to do license checking) will all fail due to having an invalid password for the admin user.

The security code, when it receives this failure, destroys the authenticators (credentials) it had stored for the management ORB. Once this has happened, all subsequent communications using the management ORB will fail with a NO_PERMISSION: no identity error, since the credentials establishing its identity have been thrown away. When the partition is started up and the server attempts to ping it, it receives this error, which is why the partition won't start.

This behavior is too restrictive, and the security code should be modified so that the authenticators are not removed even when they are found to be invalid for a particular connection. This way, the server whose admin password was changed would fail only when trying to talk to another server (fair enough, bad password) but would continue to work when talking to its own partitions.
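The cascade described above, and the effect of the proposed change, can be reproduced with a small model. This is an added example, not Borland or VisiBroker code: the `Server` class, its methods, the `keep_on_failure` switch and the passwords are all assumptions made for illustration.

```python
class NoPermission(Exception):
    """Stands in for the CORBA NO_PERMISSION system exception."""

class Server:
    def __init__(self, name, admin_password, keep_on_failure=False):
        self.name = name
        self.admin_password = admin_password    # what this server accepts
        self.keep_on_failure = keep_on_failure  # False = behaviour in the article
        # Authenticators the management ORB presents on outgoing calls.
        self.authenticators = {"admin": admin_password}

    def accept(self, password):
        if password != self.admin_password:
            raise NoPermission("bad admin password")

    def _call(self, target_accept):
        creds = self.authenticators.get("admin")
        if creds is None:
            raise NoPermission("no identity")
        try:
            target_accept(creds)
        except NoPermission:
            if not self.keep_on_failure:
                self.authenticators.clear()     # one rejection wipes the identity
            raise

    def check_license(self, peer):
        self._call(peer.accept)

    def ping_partition(self):
        # Assumption: a server's own partitions accept its current admin identity.
        self._call(self.accept)
        return "partition up"

def scenario(keep_on_failure):
    a = Server("A", "old-pw", keep_on_failure)
    b = Server("B", "old-pw", keep_on_failure)
    b.admin_password = b.authenticators["admin"] = "new-pw"  # changed on B only
    calls = {"B->A license": lambda: b.check_license(a),
             "A->B license": lambda: a.check_license(b),
             "A partition": a.ping_partition,
             "B partition": b.ping_partition}
    results = {}
    for label, call in calls.items():
        try:
            results[label] = call() or "ok"
        except NoPermission as exc:
            results[label] = f"NO_PERMISSION: {exc}"
    return results

if __name__ == "__main__":
    for keep in (False, True):
        print(keep, scenario(keep))
```

With `keep_on_failure=False`, server A loses its partitions as well, even though its own password never changed; this is the confusing symptom where the failure shows up on a server other than the one that was modified.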

To sum up: with the current behavior, all servers in a management domain must have the same admin user; if you change the password on one server, they all must change. Once the security patch making the change described above is in place, this restriction will go away.

