The following topics are discussed:
Some procedures in this section reference content in the Oracle Fusion Middleware guides. Those guides describe the steps using Fusion Middleware Control, but the procedures therein also apply to Fusion Applications Control.
This section contains the following background topics:
WebCenter Portal provides collaborative and social features to Oracle Fusion applications. For example, through WebCenter Portal features, users can participate in discussions about opportunities, customers, and projects, and create wikis.
Figure 16-1 shows the WebCenter Services tab, which lists all the spaces available within Oracle Fusion Applications. A space is a work area, supporting a group of people of any size, which is organized around an area of interest or a common goal. Several Oracle Fusion applications use spaces to provide collaborative features, such as discussion forums and document sharing.
Oracle Fusion Applications leverages WebCenter Portal's Composer to enable users to customize the appearance of pages. Figure 16-2 shows the Oracle Fusion Applications Welcome page in Composer.
Figure 16-2 Customizing the Oracle Fusion Applications Welcome Page in Composer
Table 16-1 lists the ways in which WebCenter Portal is used within Oracle Fusion Applications.
Table 16-1 Usage of WebCenter Portal in Oracle Fusion Applications
Feature | Description | Example Usage |
---|---|---|
Oracle JSF Portlet Bridge | Enables Oracle Fusion applications to make their task flows available as portlets to other Oracle Fusion applications. | Oracle Fusion applications use this technology in the UI to schedule tasks. |
Composer | Enables page customization. | Users can customize the Oracle Fusion Applications Welcome page to add or hide components (see Figure 16-2). |
Search | Searches WebCenter Portal objects. | Collaboration source group crawls the Jive database (discussions and announcements), Spaces schema, and content server. |
Discussions | Provides text-based discussions between users. | Within the Sales application in Oracle Fusion CRM, users can follow an opportunity, sales competitor, or sales reference and participate in discussions about those objects. |
Documents | Enables content management and document sharing and collaboration. | In Oracle Fusion Project, documents associated with a project are listed on the project page. |
Spaces | Provides a work area, supporting a group of people of any size, that is organized around an area of interest or a common goal. | A space is automatically created for each project in Oracle Fusion Project, enabling discussions, announcements, documents, and links to be added to the project page. |
Wikis and Blogs | Enables publication of wikis and blogs. | Within the Sales application in Oracle Fusion CRM, users can follow an opportunity, sales competitor, or sales reference and create wikis about those objects. |
The components required for WebCenter Portal are automatically installed in the Oracle Fusion Applications common domain by Oracle Fusion Applications Provisioning. In addition, any WebCenter Portal Framework services required by applications are obtained through shared libraries introduced by domain extension templates used in the various product family specific domains. There are no additional steps required during installation to ensure that WebCenter Portal is correctly installed.
The WebCenter Portal server is preseeded with the necessary portal templates required for use by Oracle Fusion applications, such as Oracle Fusion CRM and Oracle Fusion Project.
Administration tasks required for WebCenter Portal might include the following:
Starting and stopping the WebCenter Portal or Discussions servers. For more information, see Start Administration Servers and Managed Servers and Stop Administration Servers and Managed Servers.
Monitoring performance of the WebCenter Portal server. For more information, see Monitor Mid-Tier Elements.
Backup and recovery. For more information, see Back Up and Recover Oracle Fusion Applications.
WebCenter Content provides a unified application for several different kinds of content management. It provides a unified repository to house unstructured content, and deliver it to business users in the proper format, and within the context of familiar applications to fit the way they work. Within Oracle Fusion Applications, WebCenter Content provides a way of including attachments for business objects, such as projects and procurement requisitions. Oracle Fusion Applications also uses WebCenter Content as the content repository for WebCenter Portal content.
./default-keystore.jks. The base directory in this case is <Domain Home>config/fmwconfig. For example:
(UNIX) DOMAIN_HOME/config/fmwconfig/default-keystore.jks
If the domain is using Keystore Services (KSS), the Keystore Type is set as KSS.
keytool -importkeystore -srckeystore test.jks -srcstorepass password -destkeystore keystore.p12 -deststorepass password -deststoretype PKCS12 -srcalias orakey
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Enter Import Password:
MAC verified OK
cat key.pem
Bag Attributes
    friendlyName: orakey
    localKeyID: 54 69 6D 65 20 31 34 32 34 38 34 30 39 35 34 30 31 30
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAOX5wELBJdi/fSmM
…
YOhzIYRsbzI+FA==
-----END PRIVATE KEY-----
keytool -list -v -keystore default-keystore.jks -storepass admin123
openssl rsa -in key.pem -out key.rsa
writing RSA key
cat key.rsa
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDl+cBCwSXYv30pjEc0O1GQJTFr9lyxxDDc6kX8MEHO9ju6rxuy
…
jJhixwjA2mpvkPHijpOTj6cIQOe9nGDocyGEbG8yPhQ=
-----END RSA PRIVATE KEY-----
When running Oracle Fusion Applications, it may not be readily apparent which portions of the user interface are implemented as portlets. The only time this may actually be evident is when there is a problem.
Useful Terminology
The following list defines some common terms for WebCenter Portal portlets:
Portlet
A portlet is a region of the screen that is displayed from a remote source. In Oracle Fusion Applications, portlets conform to the Web Services for Remote Portlets (WSRP) standard, and implement the JSR 286 portlet specification.
Oracle JSF Portlet Bridge
The Oracle JSF Portlet Bridge is a component that enables an ADF application to be exposed as a WSRP portlet producer application. Oracle Fusion applications are all implemented as ADF applications.
Producer Application
A producer application is an ADF application with pages or task flows that have been enabled to run as portlets. This type of application can run in dual modes: as a servlet (like a regular web application), or as a portlet (when consumed by a consumer application through the Oracle JSF Portlet Bridge).
Consumer Application
A consumer application is an application that consumes the portlets exposed by a producer application. Before consuming a portlet (by dropping it onto a page), application developers must first register the portlet producer application with the consumer application.
Useful Resources
The following list provides some useful resources to use when diagnosing problems with WebCenter Portal portlets:
Portlet Consumer Test Page
A page that provides diagnostic information about the consumer application. Access the Portlet Consumer Test Page using the following URL:
http://host:port/context-root/faces/oracle/portlet/client/adf/diagnostic/pages/ConsumerTestPage.jspx
where:
host is the server to which the consumer application is deployed
port is the port to which the server is listening for HTTP requests
context-root is the consumer web application's context root
For example:
http://mymanagedserver.example.com:8888/myapp/faces/oracle/portlet/client/adf/diagnostic/pages/ConsumerTestPage.jspx
For more information, see Examine the Portlet Consumer Test Page.
Producer Test Page
A page that provides diagnostic information about the portlet producer application. You can access the Producer Test Page using the following URL:
http://host:port/context-root/info
where:
host is the server to which the portlet producer is deployed
port is the port to which the server is listening for HTTP requests
context-root is the producer web application's context root
For example:
http://portlets.example.com:9999/sample/info
The Producer Test Page includes a link to the Web Service Definition Language (WSDL) document to use for registration, for example:
http://portlets.example.com:9999/sample/portlets/wsrp2?WSDL
For more information, see Examine the Producer Test Page.
Running a Producer as a Servlet Application Through Faces
This is also known as running the application as a servlet. Before an application can act as a portlet provider, it must be able to run correctly through standard HTTP requests.
To run an application as a servlet, use the following URL:
http://host:port/context-root/faces/path-to-page/page.jspx
where:
host is the server to which the portlet producer is deployed
port is the port to which the server is listening for HTTP requests
context-root is the producer web application's context root
path-to-page is the path to the page you want to run
page is the name of the page you want to run
For example:
http://portlets.example:9999/sample/faces/index.jspx
The Producer Test Page provides links to run such pages or task flows as servlets. For more information, see Run the JSF Portlet as a Servlet.
Logging Configuration File
The logging configuration file, logging.xml, is located in:
DOMAIN_HOME/config/fmwconfig/servers/server/logging.xml
Diagnostic Log File
The default location of the diagnostic log file is:
DOMAIN_HOME/servers/server/logs/server-diagnostic.log
Problems and Solutions for WebCenter Portal Portlets lists specific error codes and remedial hints for WebCenter Portal portlet issues. There are also specific tools and processes that are used for portlet diagnostics, described in this section. Topics include the following:
There is a set of tools available for both the consumer and producer to help identify and resolve issues when running Oracle JSF Portlet Bridge portlets.
If a portlet error message is encountered when a portlet is rendered, or if the portlet displays but it is not possible to interact correctly with it, there are some general steps using these tools that should be followed to diagnose the issue. These include the following:
The first step when a portlet error is encountered is to identify which portlet producer and portlet instance are being invoked. Execute the portletDebugShow() JavaScript from your browser to display this information over the top of the main portlet content.
To identify the portlet instance, perform the following steps:
The next step in diagnosing a portlet error is to access the Portlet Consumer Test Page (shown in the following figure) to locate the portlet producer and, if necessary, test the portlet in isolation.
Figure 16-4 The Portlet Consumer Test Page
The Portlet Consumer Test Page contains the following three tabs:
Producers
This tab lists all the producers registered with the consumer application. Selecting a producer provides specific information about that producer.
Sanity Checks
This tab may contain a predefined set of portlet instances and required parameters that can be run in the consumer application, as configured by the consumer application developer. Any failures within these portlets indicate a problem with the corresponding producer and/or portlet.
Configuration
This tab enables you to identify the consumer configuration entries for portlet consumption. It is not possible to change these values as they are stored within the application; they are displayed for reference information only.
After accessing the Portlet Consumer Test Page, it is possible to perform further diagnostic steps such as the following:
To access the Portlet Consumer Test page, perform the following steps:
The Producers tab of the Portlet Consumer Test Page lists all the producers that have been registered with the consumer application. If a portlet instance in your application displays an error message, view information about the producer that owns the portlet by selecting it on this tab.
To locate the portlet producer, perform the following steps:
If the cause of the portlet error has not yet been identified, the issue may lie with the portlet instance itself.
To locate and run the portlet instance, perform the following steps:
The Sanity Checks tab of the Portlet Consumer Test Page provides a quick overview of the state of portlet communication in your application across all products.
The Sanity Checks tab references portlet instances used within the consumer application. This list is configured by the application developer who chose the portlets to include and the parameters to pass to these portlets. The checks on this page do not render the output in the UI, but simply create a runnable instance of the portlet under the covers and report any failures if any exception is returned by the portlet.
To perform sanity checks, perform the following steps:
The Configuration tab of the Portlet Consumer Test Page (shown in the following figure) enables you to identify the consumer configuration entries for portlet consumption. This tab displays settings defined in the adf-config.xml file, for example, the minimum and maximum timeout values and the consumer version number. It is not possible to change these values as they are stored within the application; they are displayed for reference information only.
If it is not possible to identify the cause of the error in the consumer application, the next step is to use the Producer Test Page to identify potential issues with the portlet producer application.
Access to the main Producer Test Page is public, but links to the test pages for each portlet are accessible only to users granted permission on the underlying pages and task flows.
The Producer Test Page contains the following five sections:
Portlets
A list of all the portlets within the producer. For Oracle JSF Portlet Bridge portlets, each portlet also provides a separate link to run the portlet as a servlet (this is a prerequisite to running them as portlets: if a portlet does not run as a servlet, it cannot run as a portlet).
Container Configuration
Information on where the consumer preference information is stored.
Container Version
The version number of the Portlet Producer Container.
WSDL URLs
Links to the Web Service Definition Language (WSDL) documents to use for registration.
SOAP Monitor
A link to the WSRP SOAP monitor where users with the Monitors or Administrators role can track the SOAP messages between the consumer and producer.
After accessing the Producer Test Page, it is possible to perform further diagnostic steps such as the following:
The Producer Test Page provides diagnostic information about the portlet producer.
To access the Producer Test Page:
To verify that an Oracle JSF Portlet Bridge portlet producer is running correctly, you must first verify that the producer application runs correctly through standard HTTP requests. If the artifacts the producer exposes as portlets do not run as servlets, they will not run as portlets.
To run a JSF portlet as a servlet:
Oracle Fusion Applications has adopted a standard to use a consumer persistence store as the persistent store. Therefore, for Oracle Fusion applications producers, the Persistent Store Type displayed on the Producer Test Page should always be set to Consumer.
Although other configurations are acceptable for applications that are built to assume such a configuration, having a non-consumer setting in Oracle Fusion applications indicates an issue in the producer. For Oracle Fusion applications to work correctly, they require a consumer persistence store.
To troubleshoot portlet issues, it is useful to add portlet log-handlers and loggers to the logging configuration file, logging.xml.
The following example shows how to add the portlet log-handlers and loggers. The example assumes that you are running the consumer and producer applications on the same WebLogic Server instance. If you are running the consumer and producer applications on different instances, you must split them up appropriately, with the Portlet Servers and Portlet Bridge log handlers and loggers on the instance running the producer application and the Portlet Consumer log handler and logger on the instance running the consumer application.
MANDATORY: Add the log entries at the end of the file to ensure that they override any seeded settings.
The logging configuration file is located in the following location:
DOMAIN_HOME/config/fmwconfig/servers/server/logging.xml
The log file name is also defined in logging.xml. By default the log file name is:
DOMAIN_HOME/servers/server/logs/server-diagnostic.log
Example 16-1 Configuring Log Files for Troubleshooting Portlet Issues
<!-- NOTE: You need to change the path where the logfile is located -->
<log_handlers>
  ...
  <!-- Portlet Consumer -->
  <log_handler name="portlet-consumer-handler" class="oracle.core.ojdl.logging.ODLHandlerFactory">
    <property name="format" value="ODL-Text"/>
    <property name="path" value="/scratch/logs/portlet-consumer.log"/>
  </log_handler>
  <!-- Portlet Producer -->
  <log_handler name="portlet-producer-handler" class="oracle.core.ojdl.logging.ODLHandlerFactory">
    <property name="format" value="ODL-Text"/>
    <property name="path" value="/scratch/logs/portlet-producer.log"/>
  </log_handler>
  <!-- Portlet Bridge -->
  <log_handler name="portlet-bridge-handler" class="oracle.core.ojdl.logging.ODLHandlerFactory">
    <property name="format" value="ODL-Text"/>
    <property name="path" value="/scratch/logs/portlet-bridge.log"/>
  </log_handler>
  ...
</log_handlers>
<loggers>
  ...
  <!-- Portlet Consumer -->
  <logger name="oracle.portlet.client" level="FINEST" useParentHandlers="false">
    <handler name="portlet-consumer-handler"/>
  </logger>
  <!-- Portlet Servers -->
  <logger name="com.bea.portlets" level="FINEST" useParentHandlers="false">
    <handler name="portlet-producer-handler"/>
  </logger>
  <logger name="com.bea.netuix" level="FINEST" useParentHandlers="false">
    <handler name="portlet-producer-handler"/>
  </logger>
  <logger name="com.bea.wsrp" level="FINEST" useParentHandlers="false">
    <handler name="portlet-producer-handler"/>
  </logger>
  <logger name="oracle.portlet.producer" level="FINEST" useParentHandlers="false">
    <handler name="portlet-producer-handler"/>
  </logger>
  <!-- Portlet Bridge -->
  <logger name="oracle.portlet.bridge" level="FINEST" useParentHandlers="false">
    <handler name="portlet-bridge-handler"/>
  </logger>
  <logger name="oracle.portlet.server.bridge" level="FINEST" useParentHandlers="false">
    <handler name="portlet-bridge-handler"/>
  </logger>
  ...
</loggers>
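The following check is an added example, not part of the original guide or of any Oracle tool. It verifies that a logging.xml carries the loggers and handlers from Example 16-1 for the role of the server instance (consumer, producer, or both), and that no later definition of the same logger overrides them. The function name, the sample file, and treating the last definition in the file as the effective one (following the MANDATORY note above) are assumptions.

```python
import xml.etree.ElementTree as ET

# Logger -> handler pairs from Example 16-1, grouped by the server instance
# that must carry them when consumer and producer run on different servers.
REQUIRED = {
    "consumer": {"oracle.portlet.client": "portlet-consumer-handler"},
    "producer": {
        "com.bea.portlets": "portlet-producer-handler",
        "com.bea.netuix": "portlet-producer-handler",
        "com.bea.wsrp": "portlet-producer-handler",
        "oracle.portlet.producer": "portlet-producer-handler",
        "oracle.portlet.bridge": "portlet-bridge-handler",
        "oracle.portlet.server.bridge": "portlet-bridge-handler",
    },
}


def check_portlet_logging(xml_text, role="both"):
    """Return a list of problems; an empty list means the file matches Example 16-1."""
    roles = ("consumer", "producer") if role == "both" else (role,)
    root = ET.fromstring(xml_text)

    # Declared handlers and their properties (format, path, ...).
    handlers = {
        h.get("name"): {p.get("name"): p.get("value") for p in h.findall("property")}
        for h in root.iter("log_handler")
    }
    # Every definition of each logger, in document order.
    definitions = {}
    for logger in root.iter("logger"):
        definitions.setdefault(logger.get("name"), []).append(logger)

    problems = []
    for r in roles:
        for name, handler in REQUIRED[r].items():
            defs = definitions.get(name)
            if not defs:
                problems.append(f"{name}: logger not defined")
                continue
            last = defs[-1]  # assumption: the last definition is the effective one
            level = last.get("level")
            if level != "FINEST":
                overridden = any(d.get("level") == "FINEST" for d in defs[:-1])
                hint = " (a later definition overrides the FINEST entry)" if overridden else ""
                problems.append(f"{name}: effective level is {level}, expected FINEST{hint}")
            if last.get("useParentHandlers") != "false":
                problems.append(f"{name}: useParentHandlers is not false")
            attached = [h.get("name") for h in last.findall("handler")]
            if handler not in attached:
                problems.append(f"{name}: handler {handler} not attached")
            elif handler not in handlers:
                problems.append(f"{name}: handler {handler} is not declared in log_handlers")
            elif not handlers[handler].get("path"):
                problems.append(f"{handler}: no path property")
    return problems


# Constructed sample: the troubleshooting entry for oracle.portlet.client is
# followed by a seeded definition, and the bridge handler was never declared.
SAMPLE_LOGGING_XML = """<logging_configuration>
  <log_handlers>
    <log_handler name="odl-handler" class="oracle.core.ojdl.logging.ODLHandlerFactory">
      <property name="path" value="/scratch/logs/server-diagnostic.log"/>
    </log_handler>
    <log_handler name="portlet-consumer-handler" class="oracle.core.ojdl.logging.ODLHandlerFactory">
      <property name="format" value="ODL-Text"/>
      <property name="path" value="/scratch/logs/portlet-consumer.log"/>
    </log_handler>
  </log_handlers>
  <loggers>
    <logger name="oracle.portlet.client" level="FINEST" useParentHandlers="false">
      <handler name="portlet-consumer-handler"/>
    </logger>
    <logger name="oracle.portlet.bridge" level="FINEST" useParentHandlers="false">
      <handler name="portlet-bridge-handler"/>
    </logger>
    <logger name="oracle.portlet.client" level="NOTIFICATION:1">
      <handler name="odl-handler"/>
    </logger>
  </loggers>
</logging_configuration>"""

if __name__ == "__main__":
    for problem in check_portlet_logging(SAMPLE_LOGGING_XML, role="both"):
        print(problem)
```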
Oracle Fusion Applications utilizes portlet technology in various places, typically to remotely invoke a business view that is implemented as an Oracle Application Development Framework (ADF) task flow. This enables functionality that is implemented on one Oracle Fusion application, for example, Human Capital Management (HCM), to be incorporated into another Oracle Fusion application, for example, Customer Relationship Management (CRM), as if it was embedded in the same application. The CRM application is in fact embedding a portlet that obtains its markup from the remote HCM application, which is running on another server. The task flow that is implemented on the HCM server is made available as a portlet through a component called the Oracle JSF Portlet Bridge. This wrapper makes the task flow available as a portlet producer that can be consumed by another application.
Review Diagnostic Tools and Processes for WebCenter Portal Portlet Problems, for instructions on how to diagnose the problems detailed in this section beyond their error codes.
This section includes the following topics:
The message Portlet Consumer Error (shown in the following figure) typically indicates that an error occurred within the operation of the portlet parts of the portlet consumer application (as opposed to the remote portlet producer application).
Figure 16-9 Portlet Displaying a Portlet Consumer Error
Consult the diagnostic log file to determine the cause of the exception. For information about portlet logging, see Configure the Portlet Logging File.
The exception that caused the error message to be displayed is logged. Wherever possible, a message is included in the log at the start of the exception stack to indicate for which portlet binding the exception occurred; see the example below.
The cause is likely to be an internal error and the appropriate course of action is to contact Oracle Support with the log files of the consumer application.
Example 16-2 Example Message Logged for a Portlet Error
<PortletRenderer> <setErrorState> An error has occured for Portlet Binding portlet1.
oracle.portlet.client.container.PortletContentTypeException: Unexpected content type "null" in WSRPGetMarkup response.
...
If a Portlet Timeout message is displayed in the area of the page that is expected to contain a portlet (as shown in the following figure), this means that the consumer waited for a configured period of time for the producer to respond and did not get a response during that time, or the response did not complete during that time.
Figure 16-10 Portlet Displaying a Portlet Timeout Error
There are a number of possible causes/remedies, including the following:
If the load is high, check whether a particular process is causing this high load, and whether such a process could be run on another machine, or at a less busy time.
If no single process is causing the high load, or if the Oracle WebLogic Server is causing the high load, and if the load is consistently high, consider whether the producer hardware is adequate, or whether it is necessary to upgrade it (or add further nodes to the cluster). Also consider adjusting the Oracle WebLogic Server configuration to increase the size of the request thread pool.
Sometimes the network is overloaded, or there are problems with the network affecting communication between the consumer and producer.
Check that you can ping the producer machine from the consumer machine. Check that you can access the producer's WSRP Producer Test Page in your local browser (for information, see section Useful Resources in Introduction to WebCenter Portal Portlets). If this works, check that you can access this same page from a browser running on the consumer machine. If any of these steps cause problems, and the machine is not overloaded, this could be a network problem, which should be investigated by a system administrator.
Sometimes the log or trace files indicate that there is a deadlock (or a stuck thread) on the producer machine causing the request thread to hang.
This should not happen during normal operation. If it does occur, there will generally be an error in the producer's log files indicating the point at which the deadlock occurred. This may help diagnose the problem. In some cases, it may be possible to alleviate this by modifying the configuration of Oracle WebLogic Server.
Sometimes the producer application is running slowly (for example, due to processing large quantities of data).
In this case, the producer application may be processing large quantities of data, causing it to spend too long building the response. If the application will regularly deal with large quantities of information, it may be necessary to either add or improve producer hardware. If this is not possible you can increase the portlet timeout duration.
For information about how to configure the portlet timeout, see Portlet Timeout Limit is Too Short: Change Limits.
Sometimes the portlet timeout values have been misconfigured such that the timeout period is too short. Typically, the timeout for a portlet is set on the registration of the portlet. This may have been set to a value that does not give time for the portlet to respond. The "Related Links" documents below give the specific instructions for changing the timeouts. It is possible to configure the portlet timeout on the producer connection in the consumer application using the following:
Fusion Applications Control.
The procedures referenced in the guide describe using Fusion Middleware Control. These procedures also apply to Fusion Applications Control.
The setWSRPProducer WLST command.
Also, the portlet section of the adf-config.xml file allows minimum, maximum, and default values for portlet timeouts to be configured across the whole application. The maximum timeout imposes an upper limit on timeouts specified by portlet producers, so if the maximum timeout is too short, this could cause unwanted portlet timeout errors even if the timeout specified on the producer connection is longer.
After editing the adf-config.xml file, you must redeploy the application.
For information about tuning WebLogic Server, see Tuning Performance of Oracle WebLogic Server, in the Oracle Fusion Middleware Online Documentation Library.
For information about configuring the portlet timeout on the producer connection, see section Editing Producer Registration Details Using Fusion Middleware Control in the Administering Oracle WebCenter Portal, in the Oracle Fusion Middleware Online Documentation Library.
For information about WLST commands, see the WLST Command Reference for WebLogic Server.
For information about the adf-config.xml file, see Developing WebCenter Portal Assets and Custom Components with Oracle JDeveloper.
When a section of the screen shows the Remote Portlet Communication Error message (as shown in the following figure), and there is an otherwise blank region surrounding it, this area is expected to be filled with a portlet, which the application is not able to contact.
Figure 16-11 Portlet Displaying a Remote Portlet Communication Error
The causes/solutions discussed include the following:
The first thing to check is whether the producer is down. It could be that the producer application is not running, or the Managed Server on which it is deployed is not started. In this case, it will need to be started. Identify the application that needs to be started based on the task being attempted at the time of the portlet failure. For more information, see Identify the Portlet Instance.
Sometimes the producer log files indicate that the web services security is incorrectly configured.
In Oracle Fusion Applications deployments, web services security (WS-Security) is managed with global web services security policies.
Troubleshooting steps for web services security depend on the type of security profile being used, for example AuthN, SSL, or Message Security.
For more information about troubleshooting web service security, see:
The Diagnosing Problems section in the Oracle Fusion Middleware Administering Web Services.
Problems and Solutions for Managing Keystores and Certificates
The security policies set on the portlet producer's WSRP_v2_Service web service ports are as follows:
WSRP_v2_ServiceDescription_Service port: oracle/no_authentication_service_policy
WSRP_v2_PortletManagement_Service port: oracle/no_authentication_service_policy
WSRP_v2_Markup_Service port: no policy specified, so that it picks up the globally attached policy
WSRP_v2_Registration_Service port: oracle/no_authentication_service_policy
If the producer ports are configured in any other way, then it may be the cause of the problem. In particular, if a local policy is applied to the WSRP_v2_Markup_Service port, and the policy does not match the corresponding policy on the producer connection, then the port or the connection will need to be updated to specify matching policies, or be removed, so that the globally attached policies can take effect.
Sometimes the producer Managed Server cannot be reached. This may be the result of the producer being in a location that cannot be reached by the consumer application, due to intervening firewalls or incorrect routing rules. In an environment that is installed by Oracle's provisioning software, this should not be the case, but it is worth checking that you are able to access the WSDL endpoint for the producer from the machine hosting the consumer, by going to the following location:
http://host:port/context-root/portlets/wsrp2?WSDL
Where:
host is the server to which the portlet producer is deployed
port is the port to which the server is listening for HTTP requests
context-root is the producer web application's context root
For example:
http://portlets.example.com:9999/sample/portlets/wsrp2?WSDL
If you cannot reach the WSDL endpoint, contact your network administrator.
If the portlet displays a Remote Portlet Error message (as shown in the following figure), this indicates that the producer responded with an error message. The error message is returned in the form of a SOAP fault message inside the response document. There are a number of reasons the producer might return an error. The best strategy to diagnose these errors is to first find the corresponding exception stack trace in the consumer diagnostic logs (see Configure the Portlet Logging File). This stack trace shows what kind of fault was returned by the producer, plus any further information required in the response.
Figure 16-12 Portlet Displaying a Remote Portlet Error
The following document provides additional information related to subjects discussed in this section:
For more information about persistence stores, see the Setting Up a Persistence Store for a WSRP Producer section in the Developing WebCenter Portal Assets and Custom Components with Oracle JDeveloper.
The errors/solutions discussed include the following:
Problem:
The error OperationFailedException is the most common type of Remote Portlet Error and it is a catch-all for most unhandled exceptions raised in the producer application.
Solution:
To resolve an OperationFailedException, examine the exception in the consumer diagnostic logs. This generally shows any exception that was raised in the producer application to trigger the fault response as the final Caused by exception.
If required, examine the diagnostic logs on the producer application for more detail, or for any related exceptions that occurred prior to the fault being triggered. In some cases, the exception in the producer log indicates a problem that can be simply resolved, such as a database connection failure or configuration problem. In other cases, the exception might indicate a product bug.
The error InvalidRegistrationException indicates that the producer has not been properly registered with the consumer before the consumer attempted to communicate with it. This could also occur if the producer's persistence store has been moved or deleted since the consumer registered it.
If this error is observed, the most likely cause is a problem during provisioning. It is also worth checking that the producer application is using a consumer persistence store. The following example shows how this is indicated in the producer application's web.xml file.
Example 16-3 Persistence Store Setting in web.xml
<env-entry>
  <env-entry-name>oracle/portal/wsrp/server/persistentStore</env-entry-name>
  <env-entry-type>java.lang.String</env-entry-type>
  <env-entry-value>Consumer</env-entry-value>
</env-entry>
If the persistence store setting is not the problem, contact Oracle Support with the consumer log file.
The error InvalidHandleException indicates that the consumer has asked the producer to render, or otherwise interact with, a portlet instance that the producer does not know about. This could occur if the producer's persistence store has been corrupted in some way since the portlet was added to the page.
If this error is observed, the most likely cause is a problem during provisioning, or a missing persistentStore setting in the web.xml file, as described in "InvalidRegistrationException": Check the Persistence Store Settings.
The error AccessDeniedException indicates that the producer application decided that the current user did not have access to the portlet or task flow in question.
If this error is observed, it could either be a legitimate error message or an indication of a configuration problem. In most cases, Oracle Fusion Applications should deal with authorization errors gracefully, without a Portlet Remote Error being displayed. If this error is caused by a configuration error, contact Oracle Support with the consumer log file.
This section describes problems and solutions related to WebCenter Portal's Composer. It includes the following topics:
User Unable to Edit a Component in Composer's Edit Mode: Check Various Causes/Solutions
Wrong Users Able to Edit a Component in Composer's Edit Mode: Check Various Causes/Solutions
Implicit Personalizations Do Not Stick: Check Various Causes/Solutions
Cannot Rearrange Components on Child Components Pane: Check ID Specifications
While in Composer's Edit mode, the user is unable to edit the properties of components on the page. It is also not possible to add content or delete some components. The icons that allow these operations on Composer's toolbar are grayed out.
For more information about MDS customization restrictions, see the Applying Component-Level Restrictions by Defining Customization Policies section in the Developing WebCenter Portal Assets and Custom Components with Oracle JDeveloper.
Causes and/or solutions include the following:
Problem
If users cannot edit a component, the first thing to check is whether they have adequate page or task flow privileges.
Solution
Ensure that the user is allowed to edit the page. Typically, only administrators are allowed to edit the page and end users are allowed to personalize the page. If the user is allowed to edit the page, edit or customize privileges must be provisioned for the page or the task flow if the component is inside a task flow (region).
Problem
An MDS customization restriction may be in place to prevent edits to the page. MDS customization restrictions can be specified to restrict editing of a page, or in the case of a task flow, a page fragment. This is typically specified using an RDF file.
Solution
Ensure that customizationAllowed is set to true in the cases where the user should be allowed to edit the artifact.
Problem
The id is not specified on the component that is required to be edited. Only components that have id specified can be edited. Note that it is highly recommended that all components on a page have an id specified.
Solution
Ensure that the component in question has id specified.
Problem
Some components do not show icons to collapse, expand, delete, edit properties, or add content while in Composer's Edit mode.
Solution
For possible problems and solutions, see User Unable to Edit a Component in Composer's Edit Mode: Check Various Causes/Solutions.
The end user can customize components on the page or task flow that are not intended to be edited.
For more information about MDS customization restrictions, see the Applying Component-Level Restrictions by Defining Customization Policies section in the Developing WebCenter Portal Assets and Custom Components with Oracle JDeveloper.
Possible causes and/or solutions include the following:
Problem
The Edit Current Page link appears in the Personalization menu for users who should not be able to edit the page.
Solution
In the appropriate .jspx page, set the isPersonalizableInComposer attribute to false:
<f:attribute name="isPersonalizableInComposer" value="false"/>
Setting this option to false prevents the Edit Current Page link from displaying for non-administrator users.
Problem
The user has the wrong permissions.
Solution
Check user permissions and ensure that they do not allow the user to edit the page.
Problem
An MDS customization restriction may be required to prevent edits to the page. MDS customization restrictions can be specified to restrict editing of a page, or in the case of a task flow, a page fragment. This is typically specified using an RDF file.
Solution
Ensure that customizationAllowed is set to false in the cases where the user should not be allowed to edit the artifact.
When the end user collapses (or expands) a task flow, the personalization does not persist and the task flow continues to show as expanded (or collapsed) on revisiting the page even after logging out and back in.
The causes and/or solutions discussed include the following:
Problem
An MDS customization restriction is in effect for the task flow container component. This prevents the implicit personalization from being persisted into the underlying MDS store.
Solution
In the Customization section of the Property Inspector for the component, set customizationAllowed to true.
For more information about MDS customization restrictions, see the Applying Component-Level Restrictions by Defining Customization Policies section in the Developing WebCenter Portal Assets and Custom Components with Oracle JDeveloper.
Problem
Settings under the adf-faces-config section in adf-config.xml may prevent personalizations from being persisted.
Solution
Edit adf-config.xml to change the settings in the adf-faces-config section.
For more information about personalization persistence settings in adf-config.xml, see the Allowing User Customization on JSF Pages section in the Developing Web User Interfaces with Oracle ADF Faces.
Problem
When editing a page and bringing up the Property Inspector of a container component (such as PanelFormLayout, PanelGroupLayout, PanelCustomizable, and so on), the Child Components tab does not allow the listed child component to be rearranged. The Up and Down buttons are disabled. This problem indicates that the id is not specified on the child component that is required to be edited. Only components that have id specified can be edited.
Solution
It is highly recommended that all components on a page have an id specified. Ensure that all the child components have id specified.
This section describes problems and solutions related to WebCenter Portal. Topics include:
Problem
The Document service in WebCenter Portal relies on Oracle WebCenter Content Server. If Content Server is not running when WebCenter Portal is started up, WebCenter Portal will consider the Document service as unavailable. In such cases, you may see the following message on Document pages:
Documents service is not available.
Solution
To resolve this problem, perform the following steps:
For information about stopping and starting WebCenter Portal, see section Starting and Stopping the Spaces Application in Administering Oracle WebCenter Portal, in the Oracle Fusion Middleware Online Documentation Library.
For information about starting the Content Server, see section Managing System Processes in Administering Oracle WebCenter Content, in the Oracle Fusion Middleware Online Documentation Library.
Problem
Sometimes the "accept invitation" functionality does not work. For workflows to work, WS Security and Global Policy Attachment (GPA) should be configured on the client and server side. Local Policy Attachment (LPA) should be removed on the client side.
Solution:
To resolve this problem, perform the following steps:
Ensure that JVM is started with the following parameter in the setDomainEnv.sh file:
-Dwebcenter.owsm.gpa.enabled=true
Remove LPA on the client side.
GPA should be configured on the client and server side. If GPA is configured correctly, the following policies are expected:
Policy on server side: oracle/wss_saml_or_username_token_service_policy
Policy on client side: oracle/wss10_saml_token_client_policy
The causes and solutions for no spaces showing are as follows:
The first thing to check if no spaces show in the list of spaces is whether the WebCenter Portal instance is down. To check whether the WebCenter Portal instance is up and running, go to the following location:
protocol://webcenter-host:webcenter-port/webcenter
Also, check that the instance allows users to log in.
If the user has not created any spaces and is not a member of any spaces, the list is empty.
If the user creates a space or is assigned membership to a space, the list of spaces will no longer be empty.
If the WebCenter Portal instance is up and running and the user is a member of one or more spaces, the problem could be that GPA is not enabled or LPA has not been removed on the client side.
See the solution for Workflows Do Not Work: Check Policy Attachments.
Possible causes and solutions for errors when creating a space include the following:
Problem
The WebCenter Portal instance may be down.
Solution
Check whether the WebCenter Portal instance is up and running by going to the following location:
protocol://webcenter-host:webcenter-port/webcenter
Also, check that the instance allows users to log in.
Problem
The user does not have the appropriate permission to create a space.
Solution
Log in to WebCenter Portal as an administrator and verify that the user has the appropriate permission (Spaces-Create) to create spaces.
Problem
One or more services are not provisioned. This can happen because the service's back-end server, such as Oracle WebCenter Content or WebCenter Portal's Discussion Server, is slow. If this is the case, you will find an InterruptedException in the logs or a timeout from the concurrency service.
Solution
The adf-config.xml file in webcenter.ear has a timeout duration for each service in WebCenter Portal. This can be increased.
For example, out of the box the timeout is set as follows:
<resource service="oracle.webcenter.collab.forum" resource="oracle.webcenter.collab.forum" timeoutMinPeriod="2s" timeoutMaxPeriod="10s" timeoutDefaultPeriod="5s"/>
Change this to the following:
<resource service="oracle.webcenter.collab.forum" resource="oracle.webcenter.collab.forum" timeoutMinPeriod="25s" timeoutMaxPeriod="30s" timeoutDefaultPeriod="30s"/>
There is no WLST command to set this value; update it manually.
After making changes to the adf-config.xml file, redeploy the webcenter.ear file.
Problem
If a socket connection to Oracle WebCenter Content is being used, the IP address for the WC_Spaces server must be authorized to connect to Oracle WebCenter Content. If this is not the case, the logs contain a ConnectionRefused exception.
Solution
Authorize the IP address for the WC_Spaces server to connect to Oracle WebCenter Content.
For information about configuring the IP address for the WC_Spaces server, see section Configuring System Properties in Administering Oracle WebCenter Content, in the Oracle Fusion Middleware Online Documentation Library.
Problem
Sometimes the feature versions in Oracle WebCenter Content are not those expected by WebCenter Portal: Spaces.
Solution
Check for the following feature versions in Oracle WebCenter Content:
ExtendedUserAttributes: 1.1.1.30
JpsUserProvider: 1.0.0.7
WebCenterWorkflows: 11.1.1.4.0
To check these versions in Oracle WebCenter Content, go to Administration, then to Configuration for instanceName, and then to Feature Details.
If the versions are not correct, there may have been a problem during installation or configuration. Refer to the installation and administration guides.
This section describes problems and solutions related to search in WebCenter Portal. It includes the following topics:
Search Results Do Not Include Secured Resources: Check Various Causes and Solutions
Search Results Do Not Include Documents: Check Credentials and Update Configuration
Search Results Do Not Include Discussions and Announcements: Check Various Causes and Solutions
Search Results Do Not Include Recently Added Resources: Check Crawl Schedule
Search Results Do Not Reflect Authorization Changes: Adjust the Security Filter Lifespan Setting
Search Results Do Not Include Resources Available to Wide Audience: Grant Access to Non-Members
Problem
The Oracle Secure Enterprise Search (SES) connection is not created correctly. The search query is not submitted to Oracle SES.
Solution
Confirm the Oracle SES connection by entering the following URL for Oracle SES Web Services operations in a browser:
http://host:port/search/query/
If the URL address does not render in the browser, then either the host or port for the Oracle SES server is incorrect, or Oracle SES has not been started.
If the Oracle SES connection is correct, review the remaining topics in this section for other possible causes.
Various issues can cause search results not to include secured resources. The possibilities covered here include the following:
For information about configuring Oracle SES with an identity management system, see:
Section Configuring the Identity Store of the Administering Oracle WebCenter Portal, in the Oracle Fusion Middleware Online Documentation Library.
Section Oracle SES - Configuration of the Administering Oracle WebCenter Portal.
For information about configuring authorization endpoints, see the following sections in the Administering Oracle WebCenter Portal, in the Oracle Fusion Middleware Online Documentation Library:
Configuring Oracle SES to Search Framework Applications
Configuring Oracle SES to Search Spaces Applications
Problem
One possible cause is that the proxy login of WebCenter Portal users failed in Oracle SES.
An Oracle SES proxy login error in the WebCenter Portal diagnostic log looks similar to the following:
Received status "failed" during proxy login with application entity "weblogic" to Oracle SES at http://host:port/search/query/OracleSearch, as search user "vicki". Defaulting to public.
Solution
Confirm that Oracle SES is configured with an identity management system to validate and authenticate users.
Also confirm that WebCenter Portal and Oracle SES use the same identity management system, such as Oracle Internet Directory. All repositories (such as WebCenter Portal, WebCenter Portal Content: Content Server, and Oracle WebCenter Portal Discussions Server) must share the same user base as Oracle SES.
Additionally, each Oracle SES instance must have a trusted entity for allowing WebCenter Portal end users to be securely propagated at search time.
Problem
Another possible cause is that authorization endpoints are not configured correctly.
Locate the search log file on the Oracle SES instance. Look for phrases including the URL value. For example:
EQP-80309: Exception while opening a stream to the URI: http://host:port/sesUserAuth?userId=end-user-name
QueryFilterPlugin returned null or empty array value for security attribute "WCSECATTR". Values required for all security attributes.
Solution
To resolve this problem, perform the following steps:
In the Oracle SES administration tool, go to the Home - Sources tab.
Click the Edit icon for the source to see source configuration tabs.
Click the Authorization tab to confirm the authorization connection string, user name, password, and authorization user ID format.
Problem
A third possible cause is that authorization endpoints are not returning authorization data.
Locate the search log file on the Oracle SES instance. Look for phrases including the URL value. For example:
A security filter authorization timeout for dsid = # occurred after 10000 milliseconds.
Solution
Each WebCenter Portal instance has up to four crawl sources. If an Oracle SES instance is used for more than one WebCenter Portal instance, then the number of crawl sources could potentially get quite high and cause timeout issues. This problem can also occur if the Oracle SES instance has other crawl sources for other uses. The solution is to reduce the number of crawl sources.
Problem
Crawling of WebCenter Portal Content Server documents fails.
Solution
To resolve this problem, perform the following steps:
In the Oracle SES administration tool, go to the Home - Schedules tab.
Click the Log File icon to display the log file for the source. To obtain the location of the full log, click the Status link.
The Crawler Progress Summary and Log Files by Source section displays the full path to the log file. If Oracle SES fails to log in to the Content Server crawl endpoint due to an authentication error, then the following errors are logged:
EQP-60303: Exiting saxthread due to errors
EQP-80330: Unrecognized QName <http://schemas.xmlsoap.org/soap/envelope/>:Envelope
oracle.search.sdk.crawler.PluginException
Update the configuration parameters of the Content Server crawl source with the correct credentials.
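The log messages quoted above for the secured-resource causes and for the failed Content Server crawl can be matched mechanically. The following triage script is an added example, not part of the original page or of any Oracle tool; the rule names, the helper names, and the timestamped sample lines are constructed for illustration, while the message patterns and next steps come from this section.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line_no rule fields action")

# Each rule: (hypothetical rule name, pattern built from a message quoted on
# this page, next step this page gives for that message).
RULES = [
    ("proxy_login_failed",
     re.compile(r'Received status "failed" during proxy login with application entity '
                r'"(?P<entity>[^"]+)" to Oracle SES at (?P<url>\S+), as search user '
                r'"(?P<user>[^"]+)"\. Defaulting to public'),
     "Confirm Oracle SES and WebCenter Portal use the same identity management "
     "system and that the Oracle SES instance has a trusted entity."),
    ("authz_endpoint_error",
     re.compile(r'EQP-80309: Exception while opening a stream to the URI: (?P<url>\S+)'),
     "Check the authorization connection string, user name, password, and user ID "
     "format on the source's Authorization tab."),
    ("authz_attribute_empty",
     re.compile(r'QueryFilterPlugin returned null or empty array value for security '
                r'attribute "(?P<attribute>[^"]+)"'),
     "Check the authorization settings on the source's Authorization tab."),
    ("authz_timeout",
     re.compile(r'security filter authorization timeout for dsid = (?P<dsid>\S+) '
                r'occurred after (?P<ms>\d+) milliseconds'),
     "Reduce the number of crawl sources on the Oracle SES instance."),
    ("content_crawl_auth_error",
     re.compile(r'EQP-80330: Unrecognized QName'),
     "Update the Content Server crawl source with the correct credentials."),
]

# Constructed sample: the timestamps and bracketed prefixes are invented; the
# message bodies follow the examples quoted in this section.
SAMPLE_LOG = """\
[2024-01-01T10:00:00] [WC_Spaces] Received status "failed" during proxy login with application entity "weblogic" to Oracle SES at http://host:port/search/query/OracleSearch, as search user "vicki". Defaulting to public.
[2024-01-01T10:00:05] [search] EQP-80309: Exception while opening a stream to the URI: http://host:port/sesUserAuth?userId=vicki
[2024-01-01T10:00:05] [search] QueryFilterPlugin returned null or empty array value for security attribute "WCSECATTR". Values required for all security attributes.
[2024-01-01T10:01:00] [search] A security filter authorization timeout for dsid = 12 occurred after 10000 milliseconds.
[2024-01-01T10:02:00] [crawler] EQP-80330: Unrecognized QName <http://schemas.xmlsoap.org/soap/envelope/>:Envelope
[2024-01-01T10:03:00] [WC_Spaces] Search completed for user "monty".
"""


def triage(lines):
    """Return one Finding per (line, rule) match, in log order."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for name, pattern, action in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(line_no, name, match.groupdict(), action))
    return findings


def users_defaulted_to_public(findings):
    """Users whose searches ran as public because the proxy login failed."""
    return sorted({f.fields["user"] for f in findings
                   if f.rule == "proxy_login_failed"})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print("line %d: %s %s -> %s" % (f.line_no, f.rule, f.fields, f.action))
    print("searched as public:", users_defaulted_to_public(results))
```

The list returned by users_defaulted_to_public identifies the users whose results silently omit secured resources, which is the symptom this section troubleshoots.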
The two following possibilities are discussed in this section:
Problem
In some cases, the Single Record Query parameter in the crawl source is set to true on the Authorization tab.
Solution
Set the Single Record Query parameter to false.
Problem
The identity management system uses a mixed case user name, but the Oracle WebCenter Portal Discussions Server database uses an all lowercase user name.
Solution
The authorization query for the crawl source must apply the LOWER() function to user name parameters. Using the Oracle SES administration tool, confirm that the Authorization Query for the crawl source definition looks like the following:
SELECT forumID as WCSECATTR FROM AUTHCRAWLER_FORUM_VW WHERE LOWER(username) = LOWER(?) UNION SELECT DISTINCT -1 as WCSECATTR FROM AUTHCRAWLER_FORUM_VW
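Why the LOWER() calls matter, as an added example that is not part of the original page: it runs the query above and a variant without LOWER() against an in-memory SQLite database standing in for the Oracle WebCenter Portal Discussions Server database. The base table, its rows, and the helper names are constructed for illustration; only the view name, column names, and query text come from this page.

```python
import sqlite3

# Query as given on this page.
QUERY_WITH_LOWER = (
    "SELECT forumID AS WCSECATTR FROM AUTHCRAWLER_FORUM_VW "
    "WHERE LOWER(username) = LOWER(?) "
    "UNION SELECT DISTINCT -1 AS WCSECATTR FROM AUTHCRAWLER_FORUM_VW"
)

# Hypothetical variant without LOWER(), shown only to reproduce the problem.
QUERY_WITHOUT_LOWER = (
    "SELECT forumID AS WCSECATTR FROM AUTHCRAWLER_FORUM_VW "
    "WHERE username = ? "
    "UNION SELECT DISTINCT -1 AS WCSECATTR FROM AUTHCRAWLER_FORUM_VW"
)

# Constructed rows: the discussions database stores all-lowercase user names.
SAMPLE_ROWS = [("vicki", 101), ("vicki", 205), ("monty", 101), ("monty", 310)]


def build_db():
    """Create an in-memory stand-in exposing the AUTHCRAWLER_FORUM_VW view."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forum_access (username TEXT, forumID INTEGER)")
    conn.executemany("INSERT INTO forum_access VALUES (?, ?)", SAMPLE_ROWS)
    conn.execute(
        "CREATE VIEW AUTHCRAWLER_FORUM_VW AS "
        "SELECT username, forumID FROM forum_access"
    )
    return conn


def security_attributes(conn, query, user):
    """Return the sorted WCSECATTR values the query yields for one user."""
    rows = conn.execute(query, (user,)).fetchall()
    return sorted(row[0] for row in rows)


def compare(user):
    """Run both query variants for the user name the identity store supplies."""
    conn = build_db()
    try:
        return {
            "with_lower": security_attributes(conn, QUERY_WITH_LOWER, user),
            "without_lower": security_attributes(conn, QUERY_WITHOUT_LOWER, user),
        }
    finally:
        conn.close()


def missing_forums(user):
    """Forum IDs the user loses when the query omits LOWER()."""
    result = compare(user)
    return sorted(set(result["with_lower"]) - set(result["without_lower"]))


if __name__ == "__main__":
    # "Vicki" is the mixed-case form an identity management system might supply.
    print(compare("Vicki"))
    print("forums missing without LOWER():", missing_forums("Vicki"))
```

For the mixed-case name Vicki, the variant without LOWER() returns only the -1 row contributed by the second SELECT, so forum IDs 101 and 205 never reach the security filter.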
Problem
A new resource was created recently, but search results do not include the new resource.
Solution
New resources must be crawled and indexed before they can be returned in search results. Crawl schedules are run periodically to index new content. If new resources are created often, then increase the frequency of the crawl schedule. If new resources need to be crawled immediately, then start the crawl schedule manually.
Problem
Some resources are accessible to more users due to authorization changes in WebCenter Portal. For example, resources in a space are now accessible to all authenticated users. The affected users cannot search for those resources.
Solution
Authorization data is cached in Oracle SES. The cache is invalidated according to the Security Filter Lifespan global setting in Oracle SES. The default value is 1 day or 1440 minutes. Adjust the value according to the general frequency of changes to authorization data.
Problem
A space is publicly accessible, but unauthenticated users cannot see space resources in search results.
Solution
By default, view access of resources is granted to space members only, even if the space is accessible to the public. View access of resources must be granted to non-members explicitly.
In WebCenter Portal: Spaces, go to Spaces Administration, click the Security then Roles tabs, and for the affected role, check the view access to the different resources.
This section describes the following problems and solutions related to the Discussions service:
User Is Not Authorized / Service Not Configured: Troubleshoot Discussions Server Configuration
Unable to Log In to the Discussions Administration Console: Check Administration Access
SOAP Fault Exceptions Seen in Announcements Region: Check GPA and wsm-pm Application
"Discussions Not Provisioned" Warning During Space Creation: Check Configurations
Problem
Navigating to a page containing the forums or announcements regions shows User xxxx is not authorized or Service not configured.
Solution
Ensure that the environment is configured properly by performing the following steps:
Check whether the discussions server is up and running by accessing the following URL:
protocol://host:port/owc_discussions
Verify that the user is able to log in to the discussions server directly. If the user is unable to log in, then execute the WLST commands shown in the following table (adding server and node information as per your environment) to ensure that the environment is properly configured by comparing them with the expected values.
Table 16-2 WLST Commands for Discussions Server Configuration
WLST Command | Expected Value |
---|---|
getDiscussionsServerProperty(appName='owc_discussions', key='AuthFactory.className') | oracle.jive.security.JpsAuthFactory |
getDiscussionsServerProperty(appName='owc_discussions', key='UserManager.className') | oracle.jive.security.JpsUserManager |
getDiscussionsServerProperty(appName='owc_discussions', key='GroupManager.className') | oracle.jive.security.JpsGroupManager |
getDiscussionsServerProperty(appName='owc_discussions', key='owc_discussions.setup.complete_11.1.1.2.0') | true |
getDiscussionsServerProperty(appName='owc_discussions', key='owc_discussions.sso.mode') | true |
Verify that the discussions connection has been configured to use GPA. Execute the following WLST command to find out details about the connection and look for the highlighted entries.
wlst:/> listDiscussionForumConnections(appName='webcenter', verbose=1)
...
Policy URI For Authenticated Access: GPA
Policy URI For Public Access: GPA
Problem
User has been added to a group which has access to a particular forum, yet in WebCenter Portal the user is unable to view the content. This normally happens because of a mismatch of the user groups on the discussions server. The user-group cache on the discussions server is refreshed once every 6 hours.
Solution
To resolve this issue consider the following options:
Clear the cache by performing the following steps:
Log in to the discussions server administration console.
Navigate to Cache Settings.
Click Clear Cache.
Change the cache size. When the cache reaches the cache size limit, the least recently used objects are pushed out of it.
To change the cache size, perform the following steps:
Log in to the discussions server administration console.
Navigate to Cache Settings.
Click Edit Caches.
Change the Group Membership cache size to the desired value, in MB, for example, 0.01. If you set this value too low, then the server may end up accessing the back-end identity management system on every request, which may result in performance issues.
Save the new setting.
Change the frequency of the cache refresh. This requires a restart of the application server.
To change the frequency of the cache refresh, perform the following steps:
Edit the jive_startup.xml file to change the maxLifeTime value for GroupMembership to the desired value (in milliseconds).
Save the changes and restart the server.
Problem:
A previously working user ID is no longer able to log in to the discussions server administration console. This can happen if the administrator accidentally deletes the group that has administration access.
Solution:
To regain access, execute the following WLST command:
addDiscussionsServerAdmin
Related Documentation:
For more information about WLST commands, see the WLST Command Reference for WebLogic Server.
Problem:
The announcement region displays a SOAP fault exception instead of the announcements.
Solution:
To resolve this problem, consider the following possibilities:
Verify that the discussions connection has been configured to use GPA. Execute the following WLST command to find out details about the connection and look for the highlighted entries:
wlst:/> listDiscussionForumConnections(appName='webcenter', verbose=1)
...
Policy URI For Authenticated Access: GPA
Policy URI For Public Access: GPA
Check that your wsm-pm application's configuration is correct and that there are no errors being reported in your log files. To validate the wsm-pm application, log in to the wsm-pm application's validation page as a user with administrative rights. Use the following format for validation:
http://host:port/wsm-pm/validator
If there are no issues with this application, then accessible policies display. If policies do not display, then investigate the related logged information on the server whose wsm-pm application is failing.
Problem:
Clicking login or accessing the discussions server administration console displays a form-based login instead of the configured SSO login screen.
Solution:
Verify that your discussion server settings are as described in Table 16-2, specifically that the owc_discussions.sso.mode property is set to true.
Problem:
Creating a space returns the following warning:
Announcement, Discussions not provisioned
Solution:
To resolve this problem, perform the following steps:
Check the WC_Spaces-diagnostic.log files to see if there are any timeouts during space creation. Timeouts indicate that there is a bottleneck in the network. It could be that the server is unreachable or overloaded and taking more time to respond. Ensure that you are not routing the calls unnecessarily over the network when a direct access would be better.
Alternatively, go to Space administration settings and provision the services manually.
Related Links:
The following document provides additional information related to subjects discussed in this section:
For more information about how to manually provision services, see section Enabling and Disabling Services Available to a Space in the Using Oracle WebCenter Portal, in the Oracle Fusion Middleware Online Documentation Library.
This section describes the following problems and solutions related to Documents Service:
Problem:
After configuring WebCenter Portal to have an active connection to a Content Repository connection (Oracle WebCenter Content: Content Server) and bouncing WebCenter Portal, the Documents service does not appear to be available in Spaces. For example, in the Home space or a space there are no documents available. The cause of the issue is likely to be in the Content Repository connection settings or that the WebCenter Portal data was not successfully seeded into the Content Server.
Solution:
To resolve this problem, perform the following steps:
Check that the Content Server is up and running. Ensure the server has the Server Port (intradoc) configured and the Server IP Filter allows connection from WebCenter Portal:
Log in to the Content Server.
Click Administration.
Click Configuration for instance name.
Click the Server Configurations link under System Configuration.
Ensure that Server Port is listed and that Server IP Filter allows access from WebCenter Portal.
Check the Content Repository Connection settings are correct for the Content Server being used for the Document store:
Using either WLST or Fusion Applications Control display the Content Repository Connection settings.
Ensure that the connection for the Content Server is marked as the Active Connection or Primary Connection.
Ensure that the settings for the Content Server are correct.
Ensure that the Content Administrator, Root Folder and Application Name have been specified:
The Content Administrator must have administration rights in the Content Server. This user will be used to create and maintain folders for spaces content, security groups and roles, and manage content access rights.
The Root Folder and Application Name must be unique and not used by any other WebCenter Portal application using the same Content Server. If you change these values, ensure that both values are changed and not just one of them.
It is recommended the Application Name is less than 14 characters as it is used as a prefix for items created in Content Server, such as workflows, which have a limit on the length of the item name.
Check the log at the time of the WebCenter Portal start-up for any errors connecting to the Content Server or seeding the data in the Content Server:
When WebCenter Portal has an active or primary Content Repository connection and the Content Administrator, Root Folder and Application Name have been specified, then when the WebCenter Portal server starts up, data is seeded in the Content Server for that application (if it does not already exist).
If both 1 and 2 are correct, check the WebCenter Portal log for any errors when WebCenter Portal starts up. There may be errors when seeding the data in the Content Server.
If the log does not show any useful log information, turn up the logging for the Documents server and bounce WebCenter Portal to see the log messages regarding seeding the WebCenter Portal seed data:
Either use Fusion Applications Control or edit the logging.xml file to increase the logging for oracle.webcenter.doclib.internal.model and oracle.webcenter.doclib.internal.spaces.
Restart WebCenter Portal.
View the log for any messages regarding the seeding of the WebCenter Portal data.
If the data is seeded correctly there should be a message logged at TRACE level similar to the following:
Content Server already contains the Space container, therefore no need to seed any data
If the seed data does not already exist, there should be a message logged at TRACE level similar to the following:
Creating WebCenter Seeded Data
Problem:
On creating a space based on a template with the Documents service, the space creation fails with an error such as the following:
Granting permissions for Documents failed
Solution:
View the WebCenter Portal log to see if there are any log messages indicating the source of the error.
If it is not clear what the cause of the error is, try resetting all the Document permissions for all the roles to see if the role mapping completes successfully. Any failures should be logged in the WebCenter Portal log.
For information about how to reset the permissions, see User Appears to Not Have the Correct Capabilities in the Documents Page for His Role: Resolve for Single or Multiple Users.
When a user does not have the expected capabilities in the Documents page for his or her role (for example, the user is a Participant who has Write and Delete yet he or she cannot create content), it is possible that the permissions displayed in WebCenter Portal do not match those permissions actually stored in the Content Server.
If the problem affects a single user, reset the user's role by performing the following steps:
If the problem affects multiple users, resynchronize the permissions from WebCenter Portal to WebCenter Portal Content by performing the following steps:
Log in to WebCenter Portal.
Navigate to the Space administration settings.
Click the Roles tab.
For each role, do the following:
Select the role and click Edit Permissions.
Deselect all the permissions and click Save.
Click Edit Permissions again and select the desired permissions.
Click Save.
For the seeded roles the recommended permissions are as follows:
Moderator: Read, Write, Delete, Admin
Participant: Read, Write, Delete
Viewer: Read
Problem:
A Documents connection that was used with Local Policies fails to behave correctly when repurposed for GPA use.
Solution:
To resolve this problem, perform the following steps:
Related Links:
For more information about examining the Documents connection properties, see section Modifying Content Repository Connection Details in the Administering Oracle WebCenter Portal, in the Oracle Fusion Middleware Online Documentation Library.
WebCenter Content can store attachments associated with a content item. Within the Oracle Fusion Applications environment, attachments are secured by their corresponding content items. If a content item can be accessed, then its attachments can be accessed.
Problem:
When the user attempts to add an attachment, the file selection field clears and they receive the following message:
Warning: The file upload failed. The file could not be uploaded because it is too large.
Solution:
The maximum size of a file that can be uploaded is managed by the Apache MyFaces Trinidad settings. The UPLOAD_MAX_MEMORY context parameter in the web.xml file can be added or modified to change this size from the default of 2 MB. The profile option File Upload Maximum Size (code name FND_FILE_UPLOAD_MAX_SIZE) has been provided as a way for centrally managing the maximum file size. Where the entry in the web.xml has been set to #{applCorePrefs.maxUploadSize}, the profile option value should be checked.
For more information, see section Changing the Maximum File Upload Size in the Administering Oracle WebCenter Portal.
Problem:
The Attachment component appears in the end-user UI. The end-user expects to be able to view files that have been previously attached.
Solution:
The Document Category can be used to manage which Attachments an end-user is able to see. Attachments provide a mapping table between the Document Categories and the Document Entities. A Document Entity is a logical reference to the business object that the end-user is attaching their files to. A UI is provided for managing this mapping. Use the Manage Attachment Entities in the Functional Setup Manager.
To resolve this problem, perform the following steps:
Using the management UI, search for the Document Entity used on the problem page. This may be intuitive, or may require contacting Oracle support to obtain the name. Select the entity in the Search Results. This will update the Attachment Categories table at the bottom of the page with the list of categories that have been mapped to the Document Entity. All Document Entities will be seeded with at least one Document Category. If no document categories appear it will be necessary to contact Oracle Support to determine which Categories should be re-added.
Check the Enable Security column at the end of the Search Results table. A checked checkbox indicates that data security has been enabled on the category values for the document entity. It will be necessary to track down the Object Instance Sets and functions that have been granted to a role that the end-user is a member of, to determine how the data security is filtering the list of document categories mapped to the document entity. See Implement Oracle Fusion Data Security in Oracle Fusion Applications Developer's Guide.
The Attachment form functions that provide the permissions are FND_READ_APPLICATION_ATTACHMENT_DATA, FND_UPDATE_APPLICATION_ATTACHMENT_DATA, FND_DELETE_APPLICATION_ATTACHMENT_DATA.
In this instance assigning the Read permission may have been overlooked when granting the end-user permissions.
Follow up with the developer of the page that the end-user is using Attachments on. Developers have design and run time options that allow them to introduce additional filters on the final list of document categories.
Problem:
When the Attachment component is shown in the UI the end-user observes that one or more of their existing attachments have no category value.
Solution:
The Document Category can be used to manage the Attachments that an end-user is able to see. Attachments provide a mapping table between the Document Categories and the Document Entities. A Document Entity is a logical reference to the business object that the end-user is attaching their files to. A UI is provided for managing this mapping. Use the Manage Attachment Entities in the Functional Setup Manager.
To resolve this problem, perform the following steps:
Using the management UI, search for the Document Entity used on the problem page. This may be intuitive, or may require contacting Oracle support to obtain the name. Select the entity in the Search Results. This will update the Attachment Categories table at the bottom of the page with the list of categories that have been mapped to the Document Entity. All Document Entities will be seeded with at least one Document Category. If no document categories appear it will be necessary to contact Oracle Support to determine which Categories should be re-added.
Check the Enable Security column at the end of the Search Results table. A checked checkbox indicates that data security has been enabled on the category values for the document entity. It will be necessary to track down the Object Instance Sets and functions that have been granted to a role that the end-user is a member of, to determine how the data security is filtering the list of document categories mapped to the document entity. See the Implement Oracle Fusion Data Security section in the Oracle Fusion Applications Developer's Guide.
The Attachment form functions that provide the permissions are FND_READ_APPLICATION_ATTACHMENT_DATA, FND_UPDATE_APPLICATION_ATTACHMENT_DATA, FND_DELETE_APPLICATION_ATTACHMENT_DATA.
In this instance assigning the Read permission may have been overlooked when granting the end-user permissions.
Follow up with the developer of the page that the end-user is using Attachments on. Developers have design and run time options that allow them to introduce additional filters on the final list of document categories.
Problem:
The end-user navigates to their page that displays their Attachments. They want to add a new Attachment, so click on the add button (+ icon). Instead of adding a new row at the top of the Attachment table the error message is displayed.
Solution:
This error message appears if the Attachments component cannot find any Document Category values.
The Document Category can be used to manage which Attachments an end-user is able to see. Attachments provide a mapping table between the Document Categories and the Document Entities. A Document Entity is a logical reference to the business object that the end-user is attaching their files to. A UI is provided for managing this mapping. Use the Manage Attachment Entities in the Functional Setup Manager.
To resolve this problem, perform the following steps:
Using the management UI, search for the Document Entity used on the problem page. This may be intuitive, or may require contacting Oracle support to obtain the name. Select the entity in the Search Results. This will update the Attachment Categories table at the bottom of the page with the list of categories that have been mapped to the Document Entity. All Document Entities will be seeded with at least one Document Category. If no document categories appear it will be necessary to contact Oracle Support to determine which Categories should be re-added.
Check the Enable Security column at the end of the Search Results table. A checked checkbox indicates that data security has been enabled on the category values for the document entity. It will be necessary to track down the Object Instance Sets and functions that have been granted to a role that the end-user is a member of, to determine how the data security is filtering the list of document categories mapped to the document entity. See the Implement Oracle Fusion Data Security section in the Oracle Fusion Applications Developer's Guide.
The Attachment form functions that provide the permissions are FND_READ_APPLICATION_ATTACHMENT_DATA, FND_UPDATE_APPLICATION_ATTACHMENT_DATA, FND_DELETE_APPLICATION_ATTACHMENT_DATA.
In this instance the user may not have been granted the UPDATE permission for any categories.
Follow up with the developer of the page that the end-user is using Attachments on. Developers have design and run time options that allow them to introduce additional filters on the final list of document categories.
Problem:
When the Content Server is down, it is not possible for any user to create, update or retrieve Content Server content. For example, the following error:
Error: Fails to access WSDL at <protocol://host:port/idcnativews/IdcWebRequestPort?WSDL>
Fails with the following response:
'503: Service Unavailable' for url 'protocol://host:port/idcnativews/IdcWebRequestPort?WSDL'
Solution:
To resolve this problem, perform the following steps:
Check that the connection end point is correct. To view connection details, use Oracle Enterprise Manager Fusion Applications Control (Fusion Applications Control) or the Oracle WebLogic Scripting Tool (WLST). Verbose listing also shows that this is the primary connection.
To view the connection details using the System MBean Browser, perform the following steps:
Choose Fusion Applications from the Targets menu.
In the table on the Fusion Applications target home page, click the appropriate Product Family target.
From the navigation pane, expand the product family, and then expand Fusion Applications.
Expand the cluster application you want to monitor to show each instance of the application.
Click one of the application deployment instances, for example, PayablesApp (PayablesServer_1).
The Fusion J2EE Application page appears.
From the Fusion J2EE Application menu, choose System MBean Browser.
In the System MBean Browser page, expand Application Defined MBeans.
Expand oracle.adf.share.connections, server name, application name, ADFConnections, JCR.
Click FusionAppsContentRepository.
In the Application Defined MBeans: JCR:FusionAppsContentRepository page, verify the connection properties.
To view the connection details using the Oracle WebLogic Scripting Tool (WLST), perform the following substeps:
From the fusionapps Middleware subdirectory, start the scripting tool:
(UNIX) FA_MW_HOME/oracle_common/common/bin/wlst.sh
Where DOMAIN_HOME is located in the following locations:
(UNIX) APPLICATIONS_CONFIG/instance/domains/host/domain_name
Connect to Oracle WebLogic Server.
Use Oracle WebLogic Scripting Tool (WLST) commands. For example:
listJCRContentServerConnections(appName='LedgerApp',verbose=1)
FusionAppsContentRepository
Connection Name: FusionAppsContentRepository
Connection Type: JCR
External Appliction ID:
Timeout: (not set)
CIS Socket Type: jaxws
CIS Server Hostname:
CIS Server Port:
CIS Keystore Location:
CIS Private Key Alias:
CIS Web URL: ${adfDomainConfig.oraclefusionapps.ucmAppInternalProtocol}://${adfDomainConfig.oraclefusionapps.ucmAppInternalHost}:${adfDomainConfig.oraclefusionapps.ucmAppInternalPort}/idcnativews
Web Server Context Root:
Client Security Policy:
Admin User Name: FUSION_APPS_FIN_ADF_APPID
Cache Invalidation Interval: (not set)
Binary Cache Maximum Entry Size: (not set)
The Documents primary connection is "FusionAppsContentRepository"
Note that the URL in the output is tokenized using Expression Language expressions. These expressions are resolved from the adf-domain-config.xml document from MDS. Make the following selections to resolve the expressions and return the actual destination:
System MBean Browser > Application Defined MBeans > oracle.adf.share.connections > Server: YYY > Application: ZZZApp > ADFConnections > ADFConnections > Operations Tab > exportWithResolvedExpressions > Invoke
The document picker used to select folders or documents from Content Server is provided by WebCenter.
If the connection point is incorrect, update the CIS Web URL of the FusionAppsContentRepository Java Content Repository (JCR) connection to the correct value.
Restart Content Server if it is not available. See the Managing System Processes section in Administering Oracle WebCenter Content.
Problem:
When a connection failure occurs, it is not possible for any user to create, update or retrieve Content Server content. This occurs at the point where the application is attempting to connect and authorize the connection, such as when adding or accessing an attachment. The following are indications of a connection problem:
Clicking on the link to an attachment displays a warning message instead of the attachment. For example:
Warning: The attachment information cannot be retrieved. (FND-2403)
The same text is shown for errors FND-2403 through to FND-2405. These errors are all indicative of problems connecting to Content Server when trying to retrieve content.
Attempting to save an attachment results in an error message. For example:
Error: Your attachments changes cannot be saved. (FND-2408)
The same text is shown for errors FND-2407 through FND-2410. These errors are all indicative of problems connecting to Content Server when trying to save content.
No connection, folder or document is available to the document picker.
Message popup beginning with the following:
oracle.stellent.ridc.protocol.ProtocolException
Solution:
To resolve this problem, perform the following steps:
Look for the error message number in the application log, for example, FND-2403. If there is no FND message then it is likely that the message is being bubbled up from Content Server or Oracle WebCenter Portal. Search for the text of the message in the application log. The exception message provides additional context to help determine the root cause of the problem.
Check that the Content Server is running. Restart Content Server if it is not available. See the Managing System Processes section in Administering Oracle WebCenter Content.
Determine if the JCR Connection is set correctly in this environment:
Check that the Content Server Connection has been defined. The connection name must be FusionAppsContentRepository, and it must be defined as the primary Content Server connection.
The connection must be of socket type jaxws, with the Web URL configured to point to the Content Server native web services endpoint (the idcnativews endpoint). The Client Security Policy must be null, indicating that GPA (Global Policy Attachments) should be leveraged. A valid administrative user must also be specified as part of the definition. This connection definition is persisted in Oracle Metadata Services Repository, which happens automatically as a part of the setup. Hence, MDS Repository issues may result in issues for Attachments. For example, the connection specified in a connections.xml file is overridden by the MDS Repository configuration.
It is possible to use Oracle Enterprise Manager Fusion Applications Control (Fusion Applications Control) or the Oracle WebLogic Scripting Tool (WLST) to view connection details. Verbose listing also shows that this is the primary connection.
To view the connection details using the System MBean Browser, refer to the steps in Content Server Web Service Is Unavailable: Check Endpoints and Restart.
To view the connection details using the Oracle WebLogic Scripting Tool (WLST), refer to the steps in Content Server Web Service Is Unavailable: Check Endpoints and Restart.
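The connection requirements listed above can be checked mechanically against the verbose listing. The following is an added example, not Oracle code: the function names are hypothetical, the first sample is a shortened copy of the listing shown earlier on this page, and the second sample (including its host name and the socket value) is constructed.

```python
import re

REQUIRED_NAME = "FusionAppsContentRepository"
PRIMARY_RE = re.compile(r'^The Documents primary connection is "(.*)"$')

# Shortened copy of the verbose listing shown on this page, one field per line.
GOOD_LISTING = """\
FusionAppsContentRepository
Connection Name: FusionAppsContentRepository
Connection Type: JCR
Timeout: (not set)
CIS Socket Type: jaxws
CIS Web URL: ${adfDomainConfig.oraclefusionapps.ucmAppInternalProtocol}://${adfDomainConfig.oraclefusionapps.ucmAppInternalHost}:${adfDomainConfig.oraclefusionapps.ucmAppInternalPort}/idcnativews
Client Security Policy:
Admin User Name: FUSION_APPS_FIN_ADF_APPID
The Documents primary connection is "FusionAppsContentRepository"
"""

# Constructed sample: a connection still carrying a locally attached policy.
BAD_LISTING = """\
FusionAppsContentRepository
Connection Name: FusionAppsContentRepository
Connection Type: JCR
CIS Socket Type: socket
CIS Web URL: http://ucm.example.invalid:16200/cs/idcplg
Client Security Policy: oracle/wss10_saml_token_client_policy
Admin User Name:
"""


def parse_listing(text):
    """Return (fields, primary_connection_name) from a verbose listing."""
    fields, primary = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = PRIMARY_RE.match(line)
        if match:
            primary = match.group(1)
            continue
        # Split on the first colon only: the Web URL value contains colons.
        key, sep, value = line.partition(":")
        if not sep:
            continue  # bare connection-name header line
        value = value.strip()
        fields[key.strip()] = "" if value == "(not set)" else value
    return fields, primary


def audit_connection(text):
    """List every requirement from this section that the listing violates."""
    fields, primary = parse_listing(text)
    findings = []
    if fields.get("Connection Name") != REQUIRED_NAME:
        findings.append("connection is not named " + REQUIRED_NAME)
    if primary != REQUIRED_NAME:
        findings.append(REQUIRED_NAME + " is not the primary connection")
    if fields.get("CIS Socket Type") != "jaxws":
        findings.append("socket type is %r, expected 'jaxws'"
                        % fields.get("CIS Socket Type"))
    if not fields.get("CIS Web URL", "").rstrip("/").endswith("/idcnativews"):
        findings.append("Web URL does not point to the idcnativews endpoint")
    if fields.get("Client Security Policy"):
        findings.append("Client Security Policy is set (%s), so GPA is not used"
                        % fields["Client Security Policy"])
    if not fields.get("Admin User Name"):
        findings.append("no administrative user is specified")
    return findings


if __name__ == "__main__":
    for label, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(label, audit_connection(listing) or "OK")
```

The check accepts the tokenized Web URL as long as it ends in idcnativews; resolving the tokens still requires exportWithResolvedExpressions.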
Problem:
Clicking on the link of an attachment results in a 404 (page not found) error. This occurs for all users of an application.
Solution:
If the attachment type is a file or text, then it is likely to be a problem with the GetHandler servlet.
The condition occurs when the GetHandler servlet is not running or the application has not been defined correctly.
If the attachment type is a URL, then the value must be corrected. This can be done by verifying and re-entering the correct URL attachment.
Problem:
When the user attempts to create a new attachment or view an existing attachment, they receive an insufficient privileges message. The following are some sample error messages that either originate from the Content Server or are found in the logs:
Content item '(null)' was not successfully checked in. User 'USERNAME' does not have sufficient privileges.
Unable to download 'DOCUMENTID'. User 'USERNAME' does not have sufficient privileges.
Content item '(null)' was not successfully checked in. Unable to execute service method 'checkSecurity'. The error was caused by an internally generated issue. The error has been logged.
'USERNAME' does not have sufficient privileges
Invalid Security: error in processing the WS-Security header
MustUnderstand headers:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security are not understood
internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName
com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName
com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName
Solution:
The sufficient privileges message originates from Content Server. It means that the user for the Content Server connection does not have sufficient privileges to complete the requested steps. There are many possible configuration errors that produce this message, but it indicates a problem with the configuration of the underlying technology stack.
To resolve this issue, first check the Oracle Fusion Applications client for the following possible errors and their resolutions:
If that does not fix the issue, then check the Oracle Content Servers setup for the following possible errors and their resolutions:
Check the application log for errors and then follow the steps that match the reported error.
The following errors indicate the web service end point on Content Server may be missing the web service policy; this can be verified in several ways.
MustUnderstand headers:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security are not understood
com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName
From the Fusion Applications Control, perform the following steps:
From the navigation pane, expand the domain and Application Deployments, then click Oracle UCM Native Web Services (UCM_server1).
From the Application Deployment menu, choose Web Services.
In the Web Services home page, click the Web Service tab.
Click the IdcWebLoginPort endpoint to view the configuration in the IdcWebLoginPort (Web Service Endpoint) page.
On the IdcWebLoginPort (Web Service Endpoint) page, click the OWSM Policies tab and verify the Globally Attached Policy. For example:
oracle/wss_saml_or_username_token_service_policy
From the Web Services Description Language (WSDL) URL, perform the following steps:
The following exception occurs if the client GPA (Global Policy Attachments) is not set up correctly:
Invalid Security: error in processing the WS-Security header
Both the Web Service Client (Fusion Application) and Service (Content Server native web services login endpoint) leverage Globally Attached Policies (GPA) in most cases. With GPA, the domain administrator configures default policies for Web Service Client and Service resources for each domain. Clients and services which do not directly attach policies (Locally Attached Policies) use the corresponding policies configured for GPA. Issues arise when client and service policies are not compatible. For example, a message protection policy is set on the client, but not on the service. Always check that the client and service leverage GPA and that the policies are compatible. For example:
If the service policy on the Content Server login service is set to the following:
oracle/wss_saml_or_username_token_service_policy
Then the client policy should be set to the following:
oracle/wss10_saml_token_client_policy
If the service policy on the Content Server login service is set to the following:
oracle/wss11_saml_or_username_token_with_message_protection_service_policy
Then the client policy should be set to the following:
oracle/wss11_saml_token_with_message_protection_client_policy
Note that the GPA is set at the global domain level and affects all domains. This is done as part of provisioning, and there is no explicit action to be done for Content Server Attachments in provisioned environments.
From the Oracle WebLogic Scripting Tool (WLST), perform the following steps:
From the fusionapps Middleware subdirectory, start the scripting tool:
(UNIX) FA_MW_HOME/oracle_common/common/bin/wlst.sh
Connect to Oracle WebLogic Server.
Run a listPolicySets() command and then an appropriate displayPolicySet('xxxx') command from the client domain to obtain details on the GPA defined for the web service client (ws-client).
...> listPolicySets()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
Global Policy Sets in Repository:
...
ws-client
...
...> displayPolicySet('ws-client')
Policy Set Details:
-------------------
Name: ws-client
Type of Resources: Web Service Client
Scope of Resources: Domain("*")
Description: Global policy attachments for Web Service Client resources.
Enabled: true
Policy Reference: security : oracle/wss10_saml_token_client_policy, enabled=true
Similarly, from the CommonDomain where UCM is deployed, run WLST with appropriate listPolicySets() and displayPolicySet('xxxx') commands to obtain details on the GPA defined for the service (ws-service).
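Once both displayPolicySet listings have been captured, the client and service policies can be compared against the pairs given above. The following is an added example, not Oracle code: the function names are hypothetical, the ws-client listing is copied from this page, and the ws-service listing is constructed in the same layout.

```python
import re

# Service policy -> matching client policy, exactly the two pairs listed on this page.
COMPATIBLE = {
    "oracle/wss_saml_or_username_token_service_policy":
        "oracle/wss10_saml_token_client_policy",
    "oracle/wss11_saml_or_username_token_with_message_protection_service_policy":
        "oracle/wss11_saml_token_with_message_protection_client_policy",
}

# displayPolicySet('ws-client') output as shown on this page.
CLIENT_SET = """\
Policy Set Details:
-------------------
Name: ws-client
Type of Resources: Web Service Client
Scope of Resources: Domain("*")
Description: Global policy attachments for Web Service Client resources.
Enabled: true
Policy Reference: security : oracle/wss10_saml_token_client_policy, enabled=true
"""

# Constructed ws-service listing in the same layout (not taken from the page).
SERVICE_SET = """\
Policy Set Details:
-------------------
Name: ws-service
Type of Resources: Web Service Endpoint
Scope of Resources: Domain("*")
Enabled: true
Policy Reference: security : oracle/wss_saml_or_username_token_service_policy, enabled=true
"""

FIELD_RE = re.compile(r"^(Name|Enabled):\s*(.*)$", re.M)
REF_RE = re.compile(
    r"^Policy Reference:\s*(\w+)\s*:\s*(\S+?),\s*enabled=(true|false)\s*$", re.M)


def parse_policy_set(text):
    """Extract the set name, its enabled flag and its enabled security policies."""
    fields = {key: value.strip() for key, value in FIELD_RE.findall(text)}
    security = [uri for category, uri, flag in REF_RE.findall(text)
                if category == "security" and flag == "true"]
    return {"name": fields.get("Name", "?"),
            "enabled": fields.get("Enabled") == "true",
            "security": security}


def check_gpa(client_text, service_text):
    """Return findings; an empty list means the pair matches one listed on the page."""
    client = parse_policy_set(client_text)
    service = parse_policy_set(service_text)
    findings = []
    for side in (client, service):
        if not side["enabled"]:
            findings.append("policy set %s is disabled" % side["name"])
        if len(side["security"]) != 1:
            findings.append("policy set %s has %d enabled security policies"
                            % (side["name"], len(side["security"])))
    if findings:
        return findings
    service_policy, client_policy = service["security"][0], client["security"][0]
    expected = COMPATIBLE.get(service_policy)
    if expected is None:
        findings.append("service policy %s is not in the listed pairs; compare manually"
                        % service_policy)
    elif client_policy != expected:
        findings.append("client policy %s does not match service policy %s; expected %s"
                        % (client_policy, service_policy, expected))
    return findings


if __name__ == "__main__":
    print(check_gpa(CLIENT_SET, SERVICE_SET) or "client and service GPA match")
```

A service policy outside the two listed pairs is reported for manual comparison rather than declared incompatible, because this page does not describe any other pairing.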
The following message indicates that there is a problem on the Oracle Fusion Applications side when attempting to generate a digital signature.
Unable to generate digital signature
If there is no such error, then skip to Task 2: Check Oracle Content Server Setup.
Problem:
In some cases, the application log may contain the following message:
Keystore has been tampered with, or password is wrong
Solution:
To resolve this issue, perform the following steps:
Determine the keystore location from Fusion Applications Control:
From the navigation pane, expand the farm and then WebLogic Domain.
Select the domain, for example, FinancialDomain.
In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security, Security Provider Configuration.
In the Security Provider Configuration page, under Web Services Manager Authentication Providers, expand Keystore to see the location. The location is typically:
(UNIX) DOMAIN_HOME/config/fmwconfig/default-keystore.jks
Validate the keystore password using the keytool tool, located in ORACLE_HOME/jdk/bin. For example:
keytool -list -v -keystore default-keystore.jks -storepass admin123
Where admin123 is the keystore password. If -storepass is omitted, keytool prompts for the password instead of taking it from the command line.
The following error occurs if the password is incorrect:
java.security.UnrecoverableKeyException
Validate the private key alias and password using keytool. For example:
keytool -keypasswd -alias orakey -keypass password -new password -keystore default-keystore.jks -storepass admin123
Where admin123 is the verified keystore password from Step 2, and password is the alias entry password.
The following error occurs if the password is incorrect:
java.security.UnrecoverableKeyException
The following error occurs if there is no key pair under the alias orakey:
java.lang.Exception
Validate that the correct passwords and entries exist in the credential store.
The credential store must contain valid password credentials for the oracle.wsm.security map providing the keystore access password, signing key alias and password, and encryption key alias and password.
View and edit credential store contents from EM (passwords are not rendered) as follows:
From the navigation pane, expand the farm and then WebLogic Domain.
Select the domain, for example, FinancialDomain.
In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security, Credentials.
Alternatively, run the WLST listCred script with the appropriate map and key to retrieve passwords associated with credentials as follows:
listCred(map="oracle.wsm.security", key="keystore-csf-key")
listCred(map="oracle.wsm.security", key="sign-csf-key")
listCred(map="oracle.wsm.security", key="enc-csf-key")
To resolve this issue, perform the following steps:
Switch on logging for the FusionAppsAttachments component:
Log in to UCM as an administrator.
Choose Administration, then System Audit Information.
In the Tracing Sections Information area, add fusionappsattachments to Active Sections.
Enable Save and Full Verbose Tracing.
Click Update.
View the logs by performing the following substeps:
Log in to UCM as an administrator.
Choose Administration, then System Audit Information.
Select View Server Output.
After re-running an attempt to retrieve or create an attachment, search for the string Signature Verification Failed.
Determine the keystore location from Fusion Applications Control:
From the navigation pane, expand the farm and then WebLogic Domain.
Select the domain.
In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security, then Security Provider Configuration.
In the Security Provider Configuration page, under Web Services Manager Authentication Providers, expand Keystore to see the location. The location is typically the following:
(UNIX) DOMAIN_HOME/config/fmwconfig/default-keystore.jks
Validate the keystore password using the keytool tool, located in ORACLE_HOME/jdk/bin. For example:
keytool -list -v -keystore default-keystore.jks -storepass admin123
Where admin123 is the supposed keystore password.
The following error occurs if the password is incorrect:
java.security.UnrecoverableKeyException
Validate the private key alias and password using keytool. For example:
keytool -keypasswd -alias orakey -keypass welcome1 -new welcome1 -keystore default-keystore.jks -storepass admin123
Where admin123 is the verified keystore password from Step 2, and welcome1 is the alias entry password.
The following error occurs if the password is incorrect:
java.security.UnrecoverableKeyException
The following error occurs if there is no key pair under the alias orakey:
java.lang.Exception
Validate that the correct passwords and entries exist in the credential store.
The credential store must contain valid password credentials for the oracle.wsm.security map providing the keystore access password, signing key alias and password, and encryption key alias and password.
Run the WLST listCred script with the appropriate map and key.
Correct the keystore or credential store if required, as described in the following sections.
Problem:
The following error indicates that the public certificate associated with the private key used by the Attachments client was not found in the Content Server domain's keystore.
Public Certificate Map did not contain fingerprint: XXXX Public Certificate is null; Unable to verify signature
In security-hardened environments where each domain could use unique key pairs, the client's public certificate must be loaded into the Content Server domain's keystore. In non-security-hardened environments, each domain uses identical key pairs (and possibly cloned keystores), and hence the public certificate should already be present in the Content Server domain's keystore.
Solution:
Check that the Oracle Fusion Applications client and the Content Server each have the correct keystore. In a non-security hardened environment, the keystore can be copied from one domain to another and Oracle WebLogic Server restarted.
Restart the Content Server when the keystore changes, as this public certificate is cached at startup. The Attachments component caches the value upon first access, so the Oracle Fusion application may also need to be restarted, although this is unlikely.
Use keytool to check the certificate. For example:
keytool -list -v -keystore default-keystore.jks
Problem:
The following message indicates that the Attachment client provided a null or empty public certificate fingerprint value (XFND_CERT_FP), which is likely due to some keystore access issue on the client.
Legacy signing request; Certificate FingerPrint missing
If this value is missing from the databinder, the signature value itself is also likely missing. If this is the case, you would also likely see the following message:
Signature Scheme Properties missing from DataBinder
This message indicates that one of the following values is null or empty in the databinder supplied by the Attachments client:
XFND_SIGNATURE
XFND_RANDOM
XFND_EXPIRES
This problem is reported when the Oracle Fusion application making the request is incorrectly configured.
Solution:
To resolve this issue, refer to Task 1: Check Oracle Fusion Applications Client. There are likely to be many clients. Therefore, you may have to check each one. The FusionAppsAttachments logging may provide enough information to determine which client is causing the error.
Problem:
The following error indicates that the XFND_EXPIRES (milliseconds since epoch) date value provided in the request databinder has already passed according to the Content Server's clock:
Request expiry time reached
Solution:
Check to make sure that there are no time and time zone differences between the client and Content Server. The request timeout should typically be 10 minutes.
Problem:
The following message indicates that the client-supplied, URL-safe, base64 signature could not be successfully decoded back to binary data:
Unable to base64 decode received signature
Solution:
To resolve, check the application logs for any errors when encoding the signature.
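The four request-level messages above (missing fingerprint, missing signature scheme properties, expiry reached, and base64 decode failure) can be told apart from the databinder values alone. The following is an added example that models those checks; it is not Content Server code. The XFND_* field names and message texts come from this page, while the dictionary representation, the order of the checks, the function names, and all sample values are assumptions.

```python
import base64
import re

REQUEST_LIFETIME_MS = 10 * 60 * 1000  # this page gives 10 minutes as the typical timeout
SERVER_NOW_MS = 1_700_000_000_000     # constructed Content Server clock reading

MSG_FP = "Legacy signing request; Certificate FingerPrint missing"
MSG_PROPS = "Signature Scheme Properties missing from DataBinder"
MSG_EXPIRED = "Request expiry time reached"
MSG_B64 = "Unable to base64 decode received signature"
SCHEME_FIELDS = ("XFND_SIGNATURE", "XFND_RANDOM", "XFND_EXPIRES")

# Constructed request values; only the field names come from the page.
SAMPLE_BINDER = {
    "XFND_CERT_FP": "0A1B2C3D",
    "XFND_SIGNATURE": "-_8=",  # URL-safe base64 of the two bytes FB FF
    "XFND_RANDOM": "731",
    "XFND_EXPIRES": str(SERVER_NOW_MS + REQUEST_LIFETIME_MS),
}

_B64URL = re.compile(r"[A-Za-z0-9_-]+={0,2}")


def decode_signature(value):
    """Strictly decode URL-safe base64; raise ValueError for anything else."""
    # The standard library decoder silently drops foreign characters such as
    # '+' and '/', so the alphabet is checked explicitly first.
    if not _B64URL.fullmatch(value):
        raise ValueError("not URL-safe base64")
    body = value.rstrip("=")
    if len(body) % 4 == 1:
        raise ValueError("impossible base64 length")
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))


def triage(binder, server_now_ms):
    """Return the messages from this page that the binder state would explain."""
    messages = []
    if not binder.get("XFND_CERT_FP"):
        messages.append(MSG_FP)
    if any(not binder.get(name) for name in SCHEME_FIELDS):
        messages.append(MSG_PROPS)
    expires = binder.get("XFND_EXPIRES")
    if expires:
        try:
            # Assumption: a request expiring exactly "now" counts as expired.
            if int(expires) <= server_now_ms:
                messages.append(MSG_EXPIRED)
        except ValueError:
            messages.append("XFND_EXPIRES is not an integer (note added by this example)")
    signature = binder.get("XFND_SIGNATURE")
    if signature:
        try:
            decode_signature(signature)
        except ValueError:
            messages.append(MSG_B64)
    return messages


def expired_on_arrival(client_clock_ms, server_clock_ms):
    """True when clock skew alone makes a freshly built request look expired."""
    return client_clock_ms + REQUEST_LIFETIME_MS <= server_clock_ms


if __name__ == "__main__":
    print(triage(SAMPLE_BINDER, SERVER_NOW_MS) or "no request-level problem found")
    standard_alphabet = dict(SAMPLE_BINDER, XFND_SIGNATURE="+/8=")
    print(triage(standard_alphabet, SERVER_NOW_MS))
```

The last call shows a signature encoded with the standard base64 alphabet instead of the URL-safe one, which is one way the decode failure can arise on the client side.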
Problem:
The following errors in the application log files indicate an issue obtaining the keystore and/or the public certificate.
java.lang.NullPointerException at SigningUtils.verify !syNullPointerException java.lang.NullPointerException. at AttachmentsConfig.getPublicCertificate
Solution:
To resolve, check what exceptions are present at the Content Server start time that are associated with keystore and credential store access.
When the end-user attempts to create a new attachment, or view an existing attachment they receive an access denied message. For example:
oracle.fabric.common.PolicyEnforcementException: access denied (oracle.wsm.security.WSIdentityPermission resouce=appName assert)
This indicates a problem with configuration or provisioning of the application. Contact the Oracle Fusion Applications product team to get them to resolve the issue.
The following exception is reported:
access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=enc-csf-key read)
This issue indicates a problem with configuration or provisioning of the application.
Contact the Oracle Fusion Applications product team to get them to resolve the issue.
If applcore attachments fail during checkin, the likely causes vary depending on whether the failure occurs across all domains or in a single domain. First, determine if attachment uploads to the central UCM instance are successful for any other domain in the installation. Then, see the following topics:
If attachments fail on all domains, possible causes are (in order of likelihood) as follows:
There is a mismatch between the "ws-service" policy of the Common Domain Web Services Manager (WSM) Global Policy Attachment (GPA) and the associated domain's corresponding "ws-client" policy.
The UCM login webservice is not using a Global Policy Attachment (GPA), but rather an incorrect Local Policy Attachment (LPA).
The WSM Policy Manager application has failed in the Common Domain.
Credential store entries are incorrect for Common Domain preventing the keystore from opening.
If using message protection policy, the keystores for the domains are not synchronized.
Clients are unable to generate digital signatures due to policy permission security issues or invalid oracle.wsm.security credential store values for the underlying keystore.
The public certificate fingerprint of the client is not in UCM server keystore.
The JCR connections are not using GPA, but rather an incorrect LPA.
The tokenized Web URL JCR connection value is incorrect.
If attachments fail on a single domain and other domains function properly, possible causes are (in order of likelihood) as follows:
There is a mismatch between the "ws-service" policy of the Common Domain Web Services Manager (WSM) Global Policy Attachment (GPA) and the associated domain's corresponding "ws-client" policy.
The client keystore is not synchronized with the UCM common domain server keystore.
Clients are unable to generate digital signatures due to policy permission security issues or invalid oracle.wsm.security credential store values for the underlying keystore.
The public certificate fingerprint of the client is not in the UCM server keystore.
The JCR connection for FusionAppsAttachments is not using GPA client policy and may be somehow leveraging an LPA.
The tokenized Web URL JCR connection value is incorrect.
From the UCM domain, check the wsp:PolicyReference in the IdcWebLoginPort WSDL:
http://ucmhost:ucmport/idcnativews/IdcWebLoginPort?WSDL
Look for something similar to the following:
<wsp:PolicyReference URI="#wss_saml_or_username_token_service_policy" wsdl:required="false"/>
If the service policy is either empty or not what you expected, check to make sure that the GPA policy for ws-service has been correctly set:
From the navigation pane, expand the domain and Application Deployments, then click Oracle UCM Native Web Services (UCM_server1).
From the Application Deployment menu, choose Web Services.
In the Web Services home page, click the Web Service tab.
Click the IdcWebLoginPort endpoint to view the configuration in the IdcWebLoginPort (Web Service Endpoint) page.
On the IdcWebLoginPort (Web Service Endpoint) page, click the OWSM Policy tab and verify the correct policy is listed under Globally Attached Policy and that no policy is listed under Directly Attached Policies.
Make sure that the policy associated with GPA Web Service Endpoint resource is correct:
From the Enterprise Manager, click WebLogic Domain.
Click the domain name, for example, CommonDomain.
From the WebLogic Domain menu, choose Web Services and then Policy Sets.
Specify or change the policy as necessary.
From the client domain, check the GPA policy set for Web Service Client resources by performing the following steps:
Check the "FusionAppsContentRepository" JCR connection to make sure that the client policy is empty, meaning GPA should get used, and that the web URL is correct by performing the following steps:
The following mBean operation provides the resolved output for the web service URL:
System MBeans > Application Defined MBeans > oracle.adf.share.connections > Server: [your server name] > Application: [your application name] > ADFConnections > ADFConnections > Operations Tab > exportWithResolvedExpressions > Invoke