Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management
11g Release 2 (11.1.2)

Part Number E27239-03

36 Troubleshooting Security Token Service

This chapter provides troubleshooting tips for Security Token Service:

36.1 Authorization Issues

Problem: Authorization Failure during Token Issuance operation

During a WS-Trust request issuance operation, the Security Token Service returns an error.

Error Message

The following are sample error messages that can be seen in the logs:

<Error> <> <STS-12064> <Exception: {0} Authorization Failure for Relying Party=%RELYING_PARTY_ID%, Requester=%REQUESTER_ID% and User=%USER_ID%



The Token Issuance Policy evaluation failed due to one of the following reasons:

36.2 Endpoint Issues

Problem: Endpoint not found

When a client accesses a Security Token Service endpoint that has been added through the Oracle Access Management Console, the server returns an error indicating that the page does not exist when retrieving the WSDL policy, or that the endpoint does not exist.

Error Message

The following are possible error messages:


Security Token Service is deployed but not enabled. To enable Security Token Service, perform the following operations:

  1. Go to the Oracle Access Management Console.

  2. Navigate to System Configuration, select Common Configuration, then select Available Services.

  3. Enable Security Token Service.

Security Token Service detects the change and publishes the endpoints. No restart is required.

36.3 Mapping Operation Issues

Problem: Failure to map the AppliesTo element to a Relying Party Partner

When Security Token Service processes a WS-Trust request with an AppliesTo element referencing the Web Service Provider, the server attempts to map the location contained in the AppliesTo element to a Security Token Service Relying Party Partner using the Resource URL defined in the Partner entry. If the mapping fails, the server logs an Info message stating that the operation failed and which AppliesTo address was used.

Error Message

The following is a sample of an error message:

[2011-04-22T15:08:12.632-07:00] [oam_server1] [NOTIFICATION] [STS-15542] 
[] [tid: [ACTIVE].ExecuteThread: '0' for 
queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 
f00aacae2d3f3ded:125005ed:12f7f412274:-8000-0000000000000016,0] [ wssuser-port] [APP: 
oam_server] [ sts] [ wssuser-serviceSoap12] [ oam_server] The mapping 
of the AppliesTo element from the WS-Trust Request to a Relying Party Partner failed: could not map
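
To pick these entries out of a server log, the following added example (not part of the Oracle guide or product) re-joins wrapped lines, splits the bracketed fields while respecting the nested brackets in the tid field, and filters on message ID STS-15542. The function names, the positional field names, the STS-00000 ID and the ecid values are assumptions made for the example; the sample log is constructed.

```python
import re

ENTRY_START = re.compile(r"^\[\d{4}-\d{2}-\d{2}T")  # an entry opens with [ISO timestamp

# Constructed sample (not captured output), wrapped the way the page's entry is.
# STS-00000 and the ecid values are made-up placeholders.
SAMPLE_LOG = """\
[2011-04-22T15:08:12.632-07:00] [oam_server1] [NOTIFICATION] [STS-15542] []
[tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: <anonymous>] [ecid: example-0001,0] [APP: oam_server]
The mapping of the AppliesTo element from the WS-Trust Request to a Relying
Party Partner failed: could not map
[2011-04-22T15:08:13.001-07:00] [oam_server1] [NOTIFICATION] [STS-00000] []
[userId: <anonymous>] [ecid: example-0002,0] Constructed unrelated entry
"""

def split_entries(text):
    """Re-join wrapped lines into one string per log entry."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse_entry(entry):
    """Split leading [bracketed] fields from the message, honouring nested brackets."""
    fields, rest = [], entry.strip()
    while rest.startswith("["):
        depth = 0
        for j, ch in enumerate(rest):
            depth += {"[": 1, "]": -1}.get(ch, 0)
            if depth == 0:
                break
        else:  # unbalanced bracket: leave the rest as message text
            break
        fields.append(rest[1:j].strip())
        rest = rest[j + 1:].lstrip()
    time, server, level, msg_id = (fields + [""] * 4)[:4]
    attrs = dict(f.split(": ", 1) for f in fields[4:] if ": " in f)
    return {"time": time, "server": server, "level": level, "msg_id": msg_id,
            "attrs": attrs, "message": rest}

def mapping_failures(text, msg_id="STS-15542"):
    """Entries whose message ID is the AppliesTo mapping failure shown on the page."""
    return [e for e in map(parse_entry, split_entries(text)) if e["msg_id"] == msg_id]
```

The ecid attribute of each hit can be used to correlate the mapping failure with other entries logged for the same request.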


If the AppliesTo location should have been mapped to a Relying Party Partner, then the Partner settings should be verified to ensure that the Resource URLs are correctly defined to:

In certain cases, failure to correctly map the AppliesTo address to a Relying Party Partner will result in errors due to: