16 Troubleshoot Oracle WebCenter Portal and Oracle WebCenter Content

This section describes common problems that might be encountered when using Oracle WebCenter Portal and Oracle WebCenter Content, and it includes information on how to resolve them.

The following topics are discussed:

Some procedures in this section reference content in the Oracle Fusion Middleware guides. Those guides describe the steps using Fusion Middleware Control, but the procedures therein also apply to Fusion Applications Control.

16.1 Introduction to WebCenter Components and Concepts

This section contains the following background topics:

16.1.1 Introduction to WebCenter Portal

WebCenter Portal provides collaborative and social features to Oracle Fusion applications. For example through WebCenter Portal features, users can participate in discussions about opportunities, customers, and projects; and create wikis.

Figure 16-1 shows the WebCenter Services tab, which lists all the spaces available within Oracle Fusion Applications. A space is a work area, supporting a group of people of any size, which is organized around an area of interest or a common goal. Several Oracle Fusion applications use spaces to provide collaborative features, such as discussion forums and document sharing.

Figure 16-1 The WebCenter Services Tab

Description of "Figure 16-1 The WebCenter Services Tab"

Oracle Fusion Applications leverages WebCenter Portal's Composer to enable users to customize the appearance of pages. Figure 16-2 shows the Oracle Fusion Applications Welcome page in Composer.

Figure 16-2 Customizing the Oracle Fusion Applications Welcome Page in Composer

Description of "Figure 16-2 Customizing the Oracle Fusion Applications Welcome Page in Composer"

Table 16-1 lists the ways in which WebCenter Portal is used within Oracle Fusion Applications.

Table 16-1 Usage of WebCenter Portal in Oracle Fusion Applications

Feature	Description	Example Usage
Oracle JSF Portlet Bridge	Enables Oracle Fusion applications to make their task flows available as portlets to other Oracle Fusion applications.	Oracle Fusion applications uses this technology in the UI to schedule tasks
Composer	Enables page customization.	Users can customize the Oracle Fusion Applications Welcome page to add or hide components (see Figure 16-2).
Search	Searches WebCenter Portal object.	Collaboration source group crawls the Jive database (discussions and announcements), Spaces schema, and content server.
Discussions	Provides text-based discussions between users.	Within the Sales application in Oracle Fusion CRM, users can follow an opportunity, sales competitor, or sales reference and participate in discussions about those objects.
Documents	Enables content management and document sharing and collaboration.	In Oracle Fusion Project, documents associated with a project are listed on the project page.
Spaces	Provides a work area, supporting a group of people of any size, that is organized around an area of interest or a common goal	A space is automatically created for each project in Oracle Fusion Project enabling discussions, announcements, documents, links to be added to the project page.
Wikis and Blogs	Enables publication of wikis and blogs.	Within the Sales application in Oracle Fusion CRM, users can follow an opportunity, sales competitor, or sales reference and create wikis about those objects.

The components required for WebCenter Portal are automatically installed in the Oracle Fusion Applications common domain by Oracle Fusion Applications Provisioning. In addition, any WebCenter Portal Framework services required by applications are obtained through shared libraries introduced by domain extension templates used in the various product family specific domains. There are no additional steps required during installation to ensure that WebCenter Portal is correctly installed.

The WebCenter Portal server is preseeded with the necessary portal templates required for use by Oracle Fusion applications, such as Oracle Fusion CRM and Oracle Fusion Project.

Administration tasks required for WebCenter Portal might include the following:

Starting and stopping the WebCenter Portal or Discussions servers. For more information, see Start Administration Servers and Managed Servers and Stop Administration Servers and Managed Servers.
Monitoring performance of the WebCenter Portal server. For more information, see Monitor Mid-Tier Elements.
Backup and recovery. For more information, see Back Up and Recover Oracle Fusion Applications.

16.1.2 Introduction to WebCenter Content

WebCenter Content provides a unified application for several different kinds of content management. It provides a unified repository to house unstructured content, and deliver it to business users in the proper format, and within the context of familiar applications to fit the way they work. Within Oracle Fusion Applications, WebCenter Content provides a way of including attachments for business objects, such as projects and procurement requisitions. Oracle Fusion Applications also uses WebCenter Content as the content repository for WebCenter Portal content.

The following procedures might be needed when troubleshooting attachments in WebCenter Content:

16.1.2.1 Determine Keystore Type

To determine if your domain is using Keystore Service (KSS) or a JKS (file) based keystore, perform the following steps from Enterprise Manager:

From the navigation pane, expand the farm, then expand WebLogic Domain.
Select the domain, for example, FinancialDomain.
In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security, Security Provider Configuration.

If the domain is using a JKS based keystore, the Keystore Type is set as JKS and the Path value is most likely relative, for example, ./default-keystore.jks. The base directory in this case is <Domain Home>config/fmwconfig. For example:
```
(UNIX) DOMAIN_HOME/config/fmwconfig/default-keystore.jks
```
If the domain is using Keystore Services (KSS), the Keystore Type is set as KSS.

16.1.2.2 Extract a JKS (File-based) Keystore from a KSS Based Keystore

To extract the JKS keystore file from a KSS based keystore, perform the following steps:

Extract the KSS keystore to file from WLST connection, as shown in the following example:

from jpsWlstCmd import *
appStripe = 'owsm'
keyStoreName = 'keystore'
svc = getOpssService(name='KeyStoreService')
svc.exportKeyStore(appStripe=appStripe, name=keyStoreName, password='password', aliases='orakey', keypasswords='password', type='JKS', filepath='/tmp/test.jks')

If a NameError: FileOutputStream from jpsWlstCmd.py error is seen when invoking the exportKeyStore, edit the $MW_HOME/oracle_common/common/wlst/jpsWlstCmd.py, and ensure that exportKeyStore and exportKeyStoreImpl have the line "from java.io import FileOutputStream", as shown in the following example:

def exportKeyStoreImpl(self, m):
 from java.io import FileOutputStream
 from  oracle.security.jps.mas.mgmt.jmx.util import JpsJmxConstants

Check if the private key was exported, as shown in the following example:

(/tmp)% keytool -list -keystore test.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

orakey, Feb 24, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 9E:C1:66:3F:6B:7E:CF:87:EB:FE:2A:0C:6F:78:09:3A:08:42:AA:1F

If required, extract the raw private key by performing the following steps:

Import from JKS keystore the orakey entry to a new keystore of type PKCS12 format. For example:

keytool -importkeystore -srckeystore test.jks -srcstorepass password -destkeystore keystore.p12 -deststorepass password -deststoretype PKCS12 -srcalias orakey

Export the private key as shown in the following example:

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Enter Import Password:
MAC verified OK

cat key.pem
Bag Attributes 
 friendlyName: orakey
 localKeyID: 54 69 6D 65 20 31 34 32 34 38 34 30 39 35 34 30 31 30
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAOX5wELBJdi/fSmM
…
YOhzIYRsbzI+FA==
-----END PRIVATE KEY-----

Convert the private key to RSA format as shown in the following example:

keytool -list -v -keystore default-keystore.jks -storepass admin123
openssl rsa -in key.pem -out key.rsa
writing RSA key

cat key.rsa
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDl+cBCwSXYv30pjEc0O1GQJTFr9lyxxDDc6kX8MEHO9ju6rxuy
…
jJhixwjA2mpvkPHijpOTj6cIQOe9nGDocyGEbG8yPhQ=
-----END RSA PRIVATE KEY-----

16.1.3 Introduction to WebCenter Portal Portlets

When running Oracle Fusion Applications, it may not be readily apparent which portions of the user interface are implemented as portlets. The only time this may actually be evident is when there is a problem.

Useful Terminology

The following list defines some common terms for WebCenter Portal portlets:

Portlet

A portlet is a region of the screen that is displayed from a remote source. In Oracle Fusion Applications, portlets conform to the Web Services for Remote Portlets (WSRP) standard, and implement the JSR 286 portlet specification.
Oracle JSF Portlet Bridge

The Oracle JSF Portlet Bridge is a component that enables an ADF application to be exposed as a WSRP portlet producer application. Oracle Fusion applications are all implemented as ADF applications.
Producer Application

A producer application is an ADF application with pages or task flows that have been enabled to run as portlets. This type of application can run in dual modes: as a servlet (like a regular web application), or as a portlet (when consumed by a consumer application through the Oracle JSF Portlet Bridge).
Consumer Application

A consumer application is an application that consumes the portlets exposed by a producer application. Before consuming a portlet (by dropping it onto a page), application developers must first register the portlet producer application with the consumer application.

Useful Resources

The following list provides some useful resources to use when diagnosing problems with WebCenter Portal portlets:

Portlet Consumer Test Page

A page that provides diagnostic information about the consumer application. Access the Portlet Consumer Test Page using the following URL:
```
http://host:port/context-root/faces/oracle/portlet/client/adf/diagnostic/pages/ConsumerTestPage.jspx
```
where:
- host is the server to which the consumer application is deployed
- port is the port to which the server is listening for HTTP requests
- context-root is the consumer web application's context root
For example:
```
http://mymanagedserver.example.com:8888/myapp/faces/oracle/portlet/client/adf/diagnostic/pages/ConsumerTestPage.jspx
```
For more information, see Examine the Portlet Consumer Test Page.
Producer Test Page

A page that provides diagnostic information about the portlet producer application. You can access the Producer Test Page using the following URL:
```
http://host:port/context-root/info
```
where:
- host is the server to which the portlet producer is deployed
- port is the port to which the server is listening for HTTP requests
- context-root is the producer web application's context root
For example:
```
http://portlets.example.com:9999/sample/info
```
The Producer Test Page includes a link to the Web Service Definition Language (WSDL) document to use for registration, for example:
```
http://portlets.example.com:9999/sample/portlets/wsrp2?WSDL
```
For more information, see Examine the Producer Test Page.
Running a Producer as a Servlet Application Through Faces

This is also known as running the application as a servlet. Before an application can act as a portlet provider, it must be able to run correctly through standard HTTP requests.

To run an application as a servlet, use the following URL:
```
http://host:port/context-root/faces/path-to-page/page.jspx
```
where:
- host is the server to which the portlet producer is deployed
- port is the port to which the server is listening for HTTP requests
- context-root is the producer web application's context root
- path-to-page is the path to the page you want to run
- page is the name of the page you want to run
For example:
```
http://portlets.example:9999/sample/faces/index.jspx
```
The Producer Test Page provides links to run such pages or task flows as servlets. For more information, see Run the JSF Portlet as a Servlet.
Logging Configuration File

The logging configuration file, logging.xml, is located in:
```
DOMAIN_HOME/config/fmwconfig/servers/server/logging.xml
```
Diagnostic Log File

The default location of the diagnostic log file is:
```
DOMAIN_HOME/servers/server/logs/server-diagnostic.log
```

16.2 Diagnostic Tools and Processes for WebCenter Portal Portlet Problems

Problems and Solutions for WebCenter Portal Portlets lists specific errors codes and remedial hints WebCenter Portal Portlet issues. There are also specific tools and processes that are used for portlet diagnostics, described in this section. Topics include the following:

16.2.1 Use Diagnostic Tools

There is a set of tools available for both the consumer and producer to help identify and resolve issues when running Oracle JSF Portlet Bridge portlets.

If a portlet error message is encountered when a portlet is rendered, or if the portlet displays but it is not possible to interact correctly with it, there are some general steps using these tools that should be followed to diagnose the issue. These include the following:

16.2.1.1 Identify the Portlet Instance

The first step when a portlet error is encountered, is to identify which portlet producer and portlet instance is being invoked. Execute the portletDebugShow() JavaScript from your browser to display this information over the top of the main portlet content.

To identify the portlet instance, perform the following steps:

Enter the following command in the Location field of your browser:
```
javascript:portletDebugShow()
```
In Internet Explorer and Google Chrome, type this command in the Location field. If the command is pasted into the field, the javascript piece is removed.

In Firefox 6 and above, do not enter JavaScript in the Location field, enter the command in the JavaScript Console.
After running the script, every portlet now displays the following information:
- Producer name
- Portlet name
- Portlet instance ID
- Execution Context IDs (ECIDs)
  
  The ECIDs are unique IDs used to identify a portlet request. Use the ECIDs to correlate the messages across different consumer and producer log files using Fusion Applications Control. The same ECID is propagated from the consumer to the producer.
  
  Broken portlets show two ECIDs: one for the request in which the error occurred and one for request in which the error was reported.
  
  For IFRAME portlets, for example Oracle JSF Portlet Bridge portlets, the ECIDs are different. This is because the error is reported in a later request than the one in which the original exception occurred. When checking the logs, look for both ECIDs, as either may contain relevant information.
Figure 16-3 Portlets Debugging Enabled

Description of "Figure 16-3 Portlets Debugging Enabled"

If all of the information cannot be seen due to the size of the portlet, click anywhere within the diagnostic information to display it in a separate panel that is not confined to the portlet dimensions.

Use this information in the subsequent diagnostic steps to help locate the issue.

The ECIDs shown in the portlet diagnostic information do not reflect partial page rendering requests that have been made to the portlet producer (using the portlet consumer resource proxy). These requests may update the portlet, but the ECIDs are not recorded in the portlet diagnostic information. Errors that occur during these requests are logged on the producer and by the portlet resource proxy on the consumer but you cannot use the ECID information reported in the portlet diagnostic information to help you determine the ECIDs for the relevant log entries.
When debugging the portlets is finished, enter the following command to hide the portlet debugging information:
```
javascript:portletDebugHide()
```
MANDATORY: In Internet Explorer and Google Chrome, type this command in the Location field. If the command is pasted into the field, the javascript piece is removed.

In Firefox 6 and above, do not enter JavaScript in the Location field, enter the command in the JavaScript Console.

16.2.1.2 Examine the Portlet Consumer Test Page

The next step in diagnosing a portlet error is to access the Portlet Consumer Test Page (shown in the following figure) to locate the portlet producer and, if necessary, test the portlet in isolation.

Figure 16-4 The Portlet Consumer Test Page

Description of "Figure 16-4 The Portlet Consumer Test Page"

The Portlet Consumer Test Page contains the following three tabs:

Producers

This tab lists all the producers registered with the consumer application. Selecting a producer provides specific information about that producer.
Sanity Checks

This tab may contain a predefined set of portlet instances and required parameters that can be run in the consumer application, as configured by the consumer application developer. Any failures within these portlets indicate a problem with the corresponding producer and/or portlet.
Configuration

This tab enables you to identify the consumer configuration entries for portlet consumption. It is not possible to change these values as they are stored within the application; they are displayed for reference information only.

After accessing the Portlet Consumer Test Page, it is possible to perform further diagnostic steps such as the following:

16.2.1.2.1 Access the Portlet Consumer Test Page

To access the Portlet Consumer Test page, perform the following steps:

In your browser, enter the following URL for the Portlet Consumer Test Page:
```
http://host:port/context-root/faces/oracle/portlet/client/adf/diagnostic/pages/ConsumerTestPage.jspx
```
If the consumer application is secured, the Portlet Consumer Test Page can be accessed only by users granted permission to view those pages.
In the Portlet Consumer Test Page, it is possible to perform further diagnostic steps as described in the following sections.

16.2.1.2.2 Locate the Portlet Producer

The Producers tab of the Portlet Consumer Test Page lists all the producers that have been registered with the consumer application. If a portlet instance in your application displays an error message, view information about the producer that owns the portlet by selecting it on this tab.

To locate the portlet producer, perform the following steps:

In the Portlet Consumer Test Page, select the portlet producer that owns the portlet instance that is reporting the error.

This information was noted in Identify the Portlet Instance.
The following information is provided for the selected producer:
- Producer Test Page: A link to the Producer Test Page.
- Configuration: Details of potential issues surrounding skins, security, and timeouts associated with the using producer.
- Offered Portlets: A list of all portlets offered by the producer. If there are no offered portlets listed, this indicates that there is a problem with the registration metadata for the producer.
- Portlet Instances: A list of all portlet instances for the selected producer in the consumer application. This list may be empty.
Use this information to identify potential issues with the producer.

16.2.1.2.3 Locate and Run the Portlet Instance

If the cause of the portlet error has not yet been identified, the issue may lie with the portlet instance itself.

To locate and run the portlet instance, perform the following steps:

In the Portlet Consumer Test Page, select the portlet producer that owns the portlet instance that is reporting the error.

This information was noted in Identify the Portlet Instance.
Under Portlet Instances, select the portlet instance to display the Consumer Test Page: Portlet page.

This information was noted in Identify the Portlet Instance.

Figure 16-5 Sample Renderer Portlet in the Consumer Test Page: Portlet Page

Description of "Figure 16-5 Sample Renderer Portlet in the Consumer Test Page: Portlet Page"
The Portlet Consumer Test Page: Portlet page renders the portlet in a standalone page. If the portlet runs correctly on this page, the problem is most likely caused by other components on the page containing the broken portlet.
The Parameters section enables you to experiment with how the portlet looks using a stretch or flow layout.
If the portlet accepts parameters, the Parameters section also lists all the public parameters for the portlet. Enter values for any parameters to test that the portlet is receiving parameters correctly.
To navigate back to the Portlet Consumer Test Page, click the producer name link at the top of the page.

16.2.1.2.4 Perform Sanity Checks

The Sanity Checks tab of the Portlet Consumer Test Page provides a quick overview of the state of portlet communication in your application across all products.

Figure 16-6 The Sanity Checks Tab

Description of "Figure 16-6 The Sanity Checks Tab"

The Sanity Checks tab references portlet instances used within the consumer application. This list is configured by the application developer who chose the portlets to include and the parameters to pass to these portlets. The checks on this page do not render the output in the UI, but simply create a runnable instance of the portlet under the covers and report any failures if any exception is returned by the portlet.

To perform sanity checks, perform the following steps:

In the Portlet Consumer Test Page, click the Sanity Checks tab.
Click the check link next to the portlet that needs to be tested.

The results of the sanity tests are displayed in the Status column.

If any sanity tests have failed, run the corresponding portlet to troubleshoot the issue.
To run sanity checks on all listed portlets, click the Run all Sanity Checks link.

16.2.1.2.5 Check Consumer Configuration Entries

The Configuration tab of the Portlet Consumer Test Page (shown in the following figure) enables you to identify the consumer configuration entries for portlet consumption. This tab displays settings defined in the adf-config.xml file, for example, the minimum and maximum timeout values and the consumer version number. It is not possible to change these values as they are stored within the application; they are displayed for reference information only.

Figure 16-7 The Configuration Tab

Description of "Figure 16-7 The Configuration Tab"

16.2.1.3 Examine the Producer Test Page

If it is not possible to identify the cause of the error in the consumer application, the next step is to use the Producer Test Page to identify potential issues with the portlet producer application.

Access to the main Producer Test Page is public, but links to the test pages for each portlet are accessible only to users granted permission on the underlying pages and task flows.

The Producer Test Page contains the following five sections:

Portlets

A list of all the portlets within the producer. For Oracle JSF Portlet Bridge portlets, each portlet also provides a separate link to run the portlet as a servlet (this is a prerequisite to running them as portlets: if a portlet does not run as a servlet, it cannot run as a portlet).
Container Configuration

Information on where the consumer preference information is stored.
Container Version

The version number of the Portlet Producer Container.
WSDL URLs

Links to the Web Service Definition Language (WSDL) documents to use for registration.
SOAP Monitor

A link to the WSRP SOAP monitor where users with the Monitors or Administrators role can track the SOAP messages between the consumer and producer.

After accessing the Producer Test Page, it is possible to perform further diagnostic steps such as the following:

16.2.1.3.1 Access the Producer Test Page

The Producer Test Page provides diagnostic information about the portlet producer.

To access the Producer Test Page:

In your browser, enter the URL for the Producer Test Page:
```
http://host:port/context-root/info
```
In the Producer Test Page, you can perform further diagnostic steps as described in the following sections.

16.2.1.3.2 Run the JSF Portlet as a Servlet

To verify that an Oracle JSF Portlet Bridge portlet producer is running correctly, you must first verify that the producer application runs correctly through standard HTTP requests. If the artifacts the producer exposes as portlets do not run as servlets, they will not run as portlets.

To run a JSF portlet as a servlet:

In the Producer Test Page, click the run as servlet link next to the portlet.
The portlet is called using standard HTTP to request the underlying page or task flow. The results of the request are displayed in a new browser window.

If the resulting page or task flow does not render correctly, then there is a problem with the producer application that must be resolved before you can run the page or task flow as a portlet.
If the portlet accepts parameters, click show parameters to list them and provide values. When you click run as servlet, the portlet call includes the parameter values.

16.2.1.3.3 Check the Persistent Store Type

Oracle Fusion Applications has adopted a standard to use a consumer persistence store as the persistent store. Therefore, for Oracle Fusion applications producers, the Persistent Store Type displayed on the Producer Test Page should always be set to Consumer.

Although other configurations are acceptable for applications that are built to assume such a configuration, having a non-consumer setting in Oracle Fusion applications indicates an issue in the producer. For Oracle Fusion applications to work correctly, they require a consumer persistence store.

16.2.1.3.4 Examine the SOAP Monitor

The SOAP monitor provides access to the SOAP requests between the consumer and producer when rendering a portlet. This is very useful in diagnosing problems at the communication level.

To examine the SOAP monitor, perform the following steps:

In the Producer Test Page, click the SOAP Monitor link at the bottom of the page.
When prompted, enter your user name and password.

To access the SOAP monitor you must be a member of the Monitors or Administrators role in the Identity Management System.
By default, the SOAP monitor is disabled, so the page is empty. You must first enable the monitor by clicking the Enable link at the top of the page.
The page does not automatically refresh, so to display SOAP messages, you must click the Refresh link.
To force a request to the failing portlet, go to the Portlet Consumer Test Page: Portlet page for the portlet and select Refresh Portlet.
When the portlet has rendered, or failed, click the Refresh link in the SOAP monitor to display the captured request.

Figure 16-8 SOAP Monitor

Description of "Figure 16-8 SOAP Monitor"
Investigate the SOAP messages that were sent and the responses to try to narrow down the cause of the problem.

If after rerunning the portlet and refreshing the SOAP monitor, there are no messages displayed, this indicates that there may be a security issue between the producer and the consumer. Verify that the correct WS-Security settings are set up for the producer and consumer to communicate.

16.2.2 Configure the Portlet Logging File

To troubleshoot portlet issues, it is useful to add portlet log-handlers and loggers to the logging configuration file, logging.xml.

The following example shows how to add the portlet log-handlers and loggers. The example assumes that you are running the consumer and producer applications on the same WebLogic Server instance. If you are running the consumer and producer applications on different instances, you must split them up appropriately, with the Portlet Servers and Portlet Bridge log handlers and loggers on the instance running the producer application and the Portlet Consumer log handler and logger on the instance running the consumer application.

MANDATORY: Add the log entries at the end of the file to ensure that they override any seeded settings.

The logging configuration file is located in the following location:

DOMAIN_HOME/config/fmwconfig/servers/server/logging.xml

The log file name is also defined in logging.xml. By default the log file name is:

DOMAIN_HOME/servers/server/logs/server-diagnostic.log

Example 16-1 Configuring Log Files for Troubleshooting Portlet Issues

<!-- NOTE: You need to change the path where the logfile is located -->
<log_handlers>
...
   <!-- Portlet Consumer -->
   <log_handler name="portlet-consumer-handler" class="oracle.core.ojdl.logging.ODLHandlerFactory">
      <property name="format" value="ODL-Text"/>
      <property name="path" value="/scratch/logs/portlet-consumer.log"/>
   </log_handler>

   <!-- Portlet Producer -->
   <log_handler name="portlet-producer-handler" class="oracle.core.ojdl.logging.ODLHandlerFactory">
      <property name="format" value="ODL-Text"/>
      <property name="path" value="/scratch/logs/portlet-producer.log"/>
   </log_handler>

   <!-- Portlet Bridge -->
   <log_handler name="portlet-bridge-handler" class="oracle.core.ojdl.logging.ODLHandlerFactory">
      <property name="format" value="ODL-Text"/>
      <property name="path" value="/scratch/logs/portlet-bridge.log"/>
   </log_handler>
...
</log_handlers>

<loggers>
...
   <!-- Portlet Consumer -->
   <logger name="oracle.portlet.client" level="FINEST" useParentHandlers="false">
      <handler name="portlet-consumer-handler"/>
   </logger>

   <!-- Portlet Servers -->
   <logger name="com.bea.portlets" level="FINEST" useParentHandlers="false">
      <handler name="portlet-producer-handler"/>
   </logger>
   <logger name="com.bea.netuix" level="FINEST" useParentHandlers="false">
      <handler name="portlet-producer-handler"/>
   </logger>
   <logger name="com.bea.wsrp" level="FINEST" useParentHandlers="false">
      <handler name="portlet-producer-handler"/>
   </logger>
   <logger name="oracle.portlet.producer" level="FINEST" useParentHandlers="false">
      <handler name="portlet-producer-handler"/>
   </logger>

   <!-- Portlet Bridge -->
   <logger name="oracle.portlet.bridge" level="FINEST" useParentHandlers="false">
      <handler name="portlet-bridge-handler"/>
   </logger>
   <logger name="oracle.portlet.server.bridge" level="FINEST" useParentHandlers="false">
      <handler name="portlet-bridge-handler"/>
   </logger>
...
</loggers>

16.3 Problems and Solutions for WebCenter Portal Portlets

Oracle Fusion Applications utilizes portlet technology in various places, typically to remotely invoke a business view that is implemented as an Oracle Application Development Framework (ADF) task flow. This enables functionality that is implemented on one Oracle Fusion application, for example, Human Capital Management (HCM), to be incorporated into another Oracle Fusion application, for example, Customer Relationship Management (CRM), as if it was embedded in the same application. The CRM application is in fact embedding a portlet that obtains its markup from the remote HCM application, which is running on another server. The task flow that is implemented on the HCM server is made available as a portlet through a component called the Oracle JSF Portlet Bridge. This wrapper makes the task flow available as a portlet producer that can be consumed by another application.

Review Diagnostic Tools and Processes for WebCenter Portal Portlet Problems, for instructions on how to diagnose the problems detailed in this section beyond their error codes.

This section includes the following topics:

16.3.1 "Portlet Consumer Error": Check Logs for Hints about Portlet Binding

The message Portlet Consumer Error (shown in the following figure) typically indicates that an error occurred within the operation of the portlet parts of the portlet consumer application (as opposed to the remote portlet producer application).

Figure 16-9 Portlet Displaying a Portlet Consumer Error

Description of "Figure 16-9 Portlet Displaying a Portlet Consumer Error"

Consult the diagnostic log file to determine the cause of the exception. For information about portlet logging, see Configure the Portlet Logging File.

The exception that caused the error message to be displayed is logged. Wherever possible, a message is included in the log at the start of the exception stack to indicate for which portlet binding the exception occurred, see example below.

The cause is likely to be an internal error and the appropriate course of action is to contact Oracle Support with the log files of the consumer application.

Example 16-2 Example Message Logged for a Portlet Error

<PortletRenderer> <setErrorState> An error has occured for Portlet Binding
portlet1.
oracle.portlet.client.container.PortletContentTypeException: Unexpected content
type "null" in WSRPGetMarkup response.
...

16.3.2 "Portlet Timeout" Error: Check Various Causes/Solutions

If a Portlet Timeout message is displayed in the area of the page that is expected to contain a portlet (as shown in the following figure), this means that the consumer waited for a configured period of time for the producer to respond and did not get a response during that time, or the response did not complete during that time.

Figure 16-10 Portlet Displaying a Portlet Timeout Error

Description of "Figure 16-10 Portlet Displaying a Portlet Timeout Error"

There are a number of possible causes/remedies, including the following:

16.3.2.1 Producer Machine is Overloaded: Check Tuning and Hardware Needs

With Portlet Timeout errors, the first thing to check is whether the producer machine is overloaded. Check the load on the producer Managed Server. The tools used to do this vary depending on the operating system that is running on the producer.

If the load is high, check whether a particular process is causing this high load, and whether such a process could be run on another machine, or at a less busy time.
If no single process is causing the high load, or if the Oracle WebLogic Server is causing the high load, and if the load is consistently high, consider whether the producer hardware is adequate, or whether it is necessary to upgrade it (or add further nodes to the cluster). Also consider adjusting the Oracle WebLogic Server configuration to increase the size of the request thread pool.

16.3.2.2 Network is Overloaded: Ping Machines and Check Test Page in Browser to Verify

Sometimes the network is overloaded, or there are problems with the network affecting communication between the consumer and producer.

Check that you can ping the producer machine from the consumer machine. Check that you can access the producer's WSRP Producer Test Page in your local browser (for information, see section Useful Resources in Introduction to WebCenter Portal Portlets). If this works, check that you can access this same page from a browser running on the consumer machine. If any of these steps cause problems, and the machine is not overloaded, this could be a network problem, which should be investigated by a system administrator.

16.3.2.3 Stuck Thread on Producer Machine: Check Logs to Diagnose

Sometimes the log or trace files indicate that there is a deadlock (or a stuck thread) on the producer machine causing the request thread to hang.

This should not happen during normal operation. If it does occur, there will generally be an error in the producer's log files indicating the point at which the deadlock occurred. This may help diagnose the problem. In some cases, it may be possible to alleviate this by modifying the configuration of Oracle WebLogic Server.

16.3.2.4 Application Delay from Too Much Data: Analyze Hardware and Timeout Limits

Sometimes the producer application is running slowly (for example, due to processing large quantities of data).

In this case, the producer application may be processing large quantities of data, causing it to spend too long building the response. If the application will regularly deal with large quantities of information, it may be necessary to either add or improve producer hardware. If this is not possible you can increase the portlet timeout duration.

For information about how to configure the portlet timeout, see Portlet Timeout Limit is Too Short: Change Limits.

16.3.2.5 Portlet Timeout Limit is Too Short: Change Limits

Sometimes the portlet timeout values have been misconfigured such that the timeout period is too short. Typically, the timeout for a portlet is set on the registration of the portlet. This may have been set to a value that does not give time for the portlet to respond. The "Related Links" documents below give the specific instructions for changing the timeouts. It is possible to configure the portlet timeout on the producer connection in the consumer application using the following:

Fusion Applications Control.

The procedures referenced in the guide describe using Fusion Middleware Control. These procedures also apply to Fusion Applications Control.
The setWSRPProducer WLST command.

Also, the portlet section of the adf-config.xml file allows minimum, maximum, and default values for portlet timeouts to be configured across the whole application. The maximum timeout imposes an upper limit on timeouts specified by portlet producers, so if the maximum timeout is too short, this could cause unwanted portlet timeout errors even if the timeout specified on the producer connection is longer.

After editing the adf-config.xml file, you must redeploy the application.

For information about tuning WebLogic Server, see Tuning Performance of Oracle WebLogic Server, in the Oracle Fusion Middleware Online Documentation Library.

For information about configuring the portlet timeout on the producer connection, see section Editing Producer Registration Details Using Fusion Middleware Control in the Administering Oracle WebCenter Portal, in the Oracle Fusion Middleware Online Documentation Library.

For information about WLST commands, see the WLST Command Reference for WebLogic Server.

For information about the adf-config.xml file, see Developing WebCenter Portal Assets and Custom Components with Oracle JDeveloper.

16.3.3 "Remote Portlet Communication Error": Check Various Causes/Solutions

When a section of the screen shows the Remote Portlet Communication Error message (as shown in the following figure), and there is an otherwise blank region surrounding it, this area is expected to be filled with a portlet, which the application is not able to contact.

Figure 16-11 Portlet Displaying a Remote Portlet Communication Error

Description of "Figure 16-11 Portlet Displaying a Remote Portlet Communication Error"

The causes/solutions discussed include the following:

16.3.3.1 The Producer is Down: Restart the Application or Managed Server

The first thing to check is whether the producer is down. It could be that the producer application is not running, or the Managed Server on which it is deployed is not started. In this case, it will need to be started. Identify the application that needs to be started based on the task being attempted at the time of the portlet failure. For more information, see Identify the Portlet Instance.

16.3.3.2 Web Services Security Configuration is Wrong: Troubleshoot Security Settings

Sometimes the producer log files indicate that the web services security is incorrectly configured.

In Oracle Fusion Applications deployments, web services security (WS-Security) is managed with global web services security policies.

Troubleshooting steps for web services security depend on the type of security profile being used, for example AuthN, SSL, or Message Security.

For more information about troubleshooting web service security, see:

The Diagnosing Problems section in the Oracle Fusion Middleware Administering Web Services.
Problems and Solutions for Managing Keystores and Certificates
Problems and Solutions for Identity Propagation Using SAML

The security policies set on the portlet producer's WSRP_v2_Service web service ports are as follows:

WSRP_v2_ServiceDescription_Service port: oracle/no_authentication_service_policy
WSRP_v2_PortletManagement_Service port: oracle/no_authentication_service_policy
WSRP_v2_Markup_Service port: no policy specified, so that it picks up the globally attached policy
WSRP_v2_Registration_Service port: oracle/no_authentication_service_policy

If the producer ports are configured in any other way, then it may be the cause of the problem. In particular, if a local policy is applied to the WSRP_v2_Markup_Service port, and the policy does not match the corresponding policy on the producer connection, then the port or the connection will need to be updated to specify matching policies, or be removed, so that the globally attached policies can take effect.

16.3.3.3 The Producer Managed Server Can't be Reached: Check the WSDL Endpoints to Confirm Routing

Sometimes the producer Managed Server cannot be reached. This may be the result of the producer being in a location that cannot be reached by the consumer application, due to intervening firewalls or incorrect routing rules. In an environment that is installed by Oracle's provisioning software, this should not be the case, but it is worth checking that you are able to access the WSDL endpoint for the producer from the machine hosting the consumer, by going to the following location:

http://host:port/context-root/portlets/wsrp2?WSDL

Where:

host is the server to which the portlet producer is deployed
port is the port to which the server is listening for HTTP requests
context-root is the producer web application's context root

For example:

http://portlets.example.com:9999/sample/portlets/wsrp2?WSDL

If you cannot reach the WSDL endpoint, contact your network administrator.

16.3.4 "Remote Portlet Error": Check Various Causes/Solutions

If the portlet displays a Remote Portlet Error message (as shown in the following figure), this indicates that the producer responded with an error message. The error message is returned in the form of a SOAP fault message inside the response document. There are a number of reasons the producer might return an error. The best strategy to diagnose these errors is to first find the corresponding exception stack trace in the consumer diagnostic logs (see Configure the Portlet Logging File). This stack trace shows what kind of fault was returned by the producer, plus any further information required in the response.

Figure 16-12 Portlet Displaying a Remote Portlet Error

Description of "Figure 16-12 Portlet Displaying a Remote Portlet Error"

The following document provides additional information related to subjects discussed in this section:

For more information about persistence stores, see the Setting Up a Persistence Store for a WSRP Producer section in the Developing WebCenter Portal Assets and Custom Components with Oracle JDeveloper.

The errors/solutions discussed include the following:

16.3.4.1 "OperationFailedException": Check Logs for Hints

Problem:

The error OperationFailedException is the most common type of Remote Portlet Error and it is a catch-all for most unhandled exceptions raised in the producer application.

Solution:

To resolve an OperationFailedException, examine the exception in the consumer diagnostic logs. This generally shows any exception that was raised in the producer application to trigger the fault response as the final Caused by exception.

If required, examine the diagnostic logs on the producer application for more detail, or for any related exceptions that occurred prior to the fault being triggered. In some cases, the exception in the producer log indicates a problem that can be simply resolved, such as a database connection failure or configuration problem. In other cases, the exception might indicate a product bug.

16.3.4.2 "InvalidRegistrationException": Check the Persistence Store Settings

The error InvalidRegistrationException indicates that the producer has not been properly registered with the consumer before the consumer attempted to communicate with it. This could also occur if the producer's persistence store has been moved or deleted since the consumer registered it.

If this error is observed, the most likely cause is a problem during provisioning. It is also worth checking that the producer application is using a consumer persistence store. The following example shows how this is indicated in the producer application's web.xml file.

Example 16-3 Persistence Store Setting in web.xml

<env-entry>
  <env-entry-name>oracle/portal/wsrp/server/persistentStore</env-entry-name>
  <env-entry-type>java.lang.String</env-entry-type>
  <env-entry-value>Consumer</env-entry-value>
</env-entry>

If the persistence store setting is not the problem, contact Oracle Support with the consumer log file.

16.3.4.3 "InvalidHandleException": Check Persistence Store Settings

The error InvalidHandleException indicates that the consumer has asked the producer to render, or otherwise interact with, a portlet instance that the producer does not know about. This could occur if the producer's persistence store has been corrupted in some way since the portlet was added to the page.

If this error is observed, the most likely cause is a problem during provisioning, or a missing persistentStore setting in the web.xml file, as described in "InvalidRegistrationException": Check the Persistence Store Settings.

16.3.4.4 "AccessDeniedException": Check Configurations

The error AccessDeniedException indicates that the producer application decided that the current user did not have access to the portlet or task flow in question.

If this error is observed, it could either be a legitimate error message or an indication of a configuration problem. In most cases, Oracle Fusion Applications should deal with authorization errors gracefully, without a Portlet Remote Error being displayed. If this error is caused by a configuration error, contact Oracle Support with the consumer log file.

16.4 Problems and Solutions for WebCenter Portal's Composer

This section describes problems and solutions related to WebCenter Portal's Composer. It includes the following topics:

16.4.1 User Unable to Edit a Component in Composer's Edit Mode: Check Various Causes/Solutions

While in Composer's Edit mode, the user is unable to edit the properties of components on the page. It is also not possible to add content or delete some components. The icons that allow these operations on Composer's toolbar are grayed out.

For more information about MDS customization restrictions, see the Applying Component-Level Restrictions by Defining Customization Policies section in the Developing WebCenter Portal Assets and Custom Components with Oracle JDeveloper.

Causes and/or solutions include the following:

16.4.1.1 User Has Inadequate Privileges: Check Privilege Settings

Problem

If users cannot edit a component, the first thing to check is whether they have adequate page or task flow privileges.

Solution

Ensure that the user is allowed to edit the page. Typically, only administrators are allowed to edit the page and end users are allowed to personalize the page. If the user is allowed to edit the page, edit or customize privileges must be provisioned for the page or the task flow if the component is inside a task flow (region).

16.4.1.2 MDS Customization Restriction: Remove if Needed

Problem

An MDS customization restriction may be in place to prevent edits to the page. MDS customization restrictions can be specified to restrict editing of a page, or in the case of a task flow, a page fragment. This is typically specified using an RDF file.

Solution

Ensure that customizationAllowed is set to true in the cases where the user should be allowed to edit the artifact.

16.4.1.3 Component ID is Not Found: Ensure that an ID is Specified

Problem

The id is not specified on the component that is required to be edited. Only components that have id specified can be edited. Note that it is highly recommended that all components on a page have an id specified.

Solution

Ensure that the component in question has id specified.

16.4.2 Unable to Personalize Some Components

Problem

Some components do not show icons to collapse, expand, delete, edit properties, or add content while in Composer's Edit mode.

Solution

For possible problems and solutions, see User Unable to Edit a Component in Composer's Edit Mode: Check Various Causes/Solutions.

16.4.3 Wrong Users Able to Edit a Component in Composer's Edit Mode: Check Various Causes/Solutions

The end user can customize components on the page or task flow that are not intended to be edited.

Possible causes and/or solutions include the following:

16.4.3.1 "Edit Current Page" Link Displayed for Users Who Should Not See It: Set Appropriate Attribute

Problem

The Edit Current Page link appears in the Personalization menu for users who should not be able to edit the page.

Solution

In the appropriate .jspx page, set the isPersonalizableInComposer attribute to false:

<f:attribute name="isPersonalizableInComposer" value="false">

Setting this option to false prevents the Edit Current Page link displaying for non-administrator users.

16.4.3.2 User Has Wrong Permissions

Problem

The user has wrong permissions.

Solution

Check user permissions and ensure that they do not allow the user to edit the page.

16.4.3.3 MDS Customization Restriction Needed: Specify Using an RDF File

Problem

An MDS customization restriction may be required to prevent edits to the page. MDS customization restrictions can be specified to restrict editing of a page, or in the case of a task flow, a page fragment. This is typically specified using an RDF file.

Solution

Ensure that customizationAllowed is set to false in the cases where the user should not be allowed to edit the artifact.

16.4.4 Implicit Personalizations Do Not Stick: Check Various Causes/Solutions

When the end user collapses (or expands) a task flow, the personalization does not persist and the task flow continues to show as expanded (or collapsed) on revisiting the page even after logging out and back in.

The causes and/or solutions discussed include the following:

16.4.4.1 MDS Customization Restriction: Remove or Relax the Restriction

Problem

An MDS customization restriction is in effect for the task flow container component. This prevents the implicit personalization from being persisted into the underlying MDS store.

Solution

Ensure that the MDS customization restriction is removed or relaxed for the required component.

In the Customization section of the Property Inspector for the component, set customizationAllowed to true.

16.4.4.2 The adf-faces-config Settings are Wrong

Problem

Settings under the adf-faces-config section in adf-config.xml may prevent personalizations from being persisted.

Solution

Edit adf-config,xml to change the settings in the adf-faces-config section.

For more information about personalization persistence settings in adf-config.xml, see the Allowing User Customization on JSF Pages section in the Developing Web User Interfaces with Oracle ADF Faces.

16.4.5 Cannot Rearrange Components on Child Components Pane: Check ID Specifications

Problem

When editing a page and bringing up the Property Inspector of a container component (such as PanelFormLayout, PanelGroupLayout, PanelCustomizable, and so on), the Child Components tab does not allow the listed child component to be rearranged. The Up and Down buttons are disabled. This problem indicates that the id is not specified on the child component that is required to be edited. Only components that have id specified can be edited.

Solution

It is highly recommended that all components on a page have an id specified. Ensure that all the child components have id specified.

16.5 Problems and Solutions for Oracle WebCenter Portal

This section describes problems and solutions related to WebCenter Portal. Topics include:

16.5.1 Documents Service Is Not Available When Content Server Is Not Running: Restart Components

Problem

The Document service in WebCenter Portal relies on Oracle WebCenter Content Server. If Content Server is not running when WebCenter Portal is started up WebCenter Portal will consider the Document service as unavailable. In such cases you may see the following message on Document pages:

Documents service is not available.

Solution

To resolve this problem, perform the following steps:

Shut down WebCenter Portal.
Start the Content Server.
Start WebCenter Portal: Space, so it can recheck if the Document service is configured.

For information about stopping and starting WebCenter Portal, see section Starting and Stopping the Spaces Application in Administering Oracle WebCenter Portal, in the Oracle Fusion Middleware Online Documentation Library.

For information about starting the Content Server, see section Managing System Processes in Administering Oracle WebCenter Content, in the Oracle Fusion Middleware Online Documentation Library.

16.5.2 Workflows Do Not Work: Check Policy Attachments

Problem

Sometimes the "accept invitation" functionality does not work. For workflows to work, WS Security and Global Policy Attachment (GPA) should be configured on the client and server side. Local Policy Attachment (LPA) should be removed on the client side.

Solution:

To resolve this problem, perform the following steps:

Ensure that JVM is started with the following parameter in the setDomainEnv.sh file:
```
-Dwebcenter.owsm.gpa.enabled=true
```
Remove LPA on the client side.
GPA should be configured on the client and server side. If GPA is configured correctly, the following policies are expected:
- Policy on server side: oracle/wss_saml_or_username_token_service_policy
- Policy on client side: oracle/wss10_saml_token_client_policy

16.5.3 List of Spaces Does Not Show Any Spaces: Check Various Causes/Solutions

The causes and solutions for no spaces showing are as follows:

16.5.3.1 WebCenter Portal Spaces Instance Down: Check Status

The first thing to check if no spaces show in the list of spaces is whether WebCenter Portal instance may be down. To check whether the WebCenter Portal instance is up and running, go to the following location:

protocol://webcenter-host:webcenter-port/webcenter

Also, check that the instance allows users to login.

16.5.3.2 User Has Not Created Spaces: Create or Assign Membership to a Space

The list of spaces displays only those spaces that the currently logged in user has created or to which the user has membership.

If the user has not created any spaces and is not a member of any spaces the list is empty.
If the user creates a space or is assigned membership to a space, the list of spaces will no longer be empty.

16.5.3.3 Possible Problems with GPA or LPA

If the WebCenter Portal instance is up and running and the user is a member of one or more spaces, the problem could be that GPA is not enabled or LPA has not been removed on the client side.

See the solution for Workflows Do Not Work: Check Policy Attachments.

16.5.4 Creating a Space Throws an Error or Warning: Check Various Causes/Solutions

Possible causes and solutions for creating a space errors include the following:

16.5.4.1 WebCenter Portal Spaces Instance Down: Check Status

Problem

The WebCenter Portal instance may be down.

Solution

Check whether the WebCenter Portal instance is up and running by going to the following location:

protocol://webcenter-host:webcenter-port/webcenter

Also, check that the instance allows users to login.

16.5.4.2 User Does Not Have Permissions to Create a Space: Check Permissions

Problem

The user does not have the appropriate permission to create a space.

Solution

Login to WebCenter Portal as an administrator and verify that user has the appropriate permission (Spaces-Create) to create spaces.

16.5.4.3 "InterruptedException" Because Services are not Provisioned: Change Timeout Settings

Problem

One or more services are not provisioned. This can happen because the service's back-end server, such as Oracle WebCenter Content or WebCenter Portal's Discussion Server, are slow. If this is the case you will find an InterruptedException in the logs or a timeout from the concurrency service.

Solution

The adf-config.xml file in webcenter.ear has a timeout duration for each service in WebCenter Portal. This can be increased.

For example, out of the box the timeout is set as follows:

<resource service="oracle.webcenter.collab.forum" resource="oracle.webcenter.collab.forum" timeoutMinPeriod="2s" timeoutMaxPeriod="10s" timeoutDefaultPeriod="5s"/>

Change this to the following:

<resource service="oracle.webcenter.collab.forum" resource="oracle.webcenter.collab.forum" timeoutMinPeriod="25s" timeoutMaxPeriod="30s" timeoutDefaultPeriod="30s"/>

There is no WLST command to set this value, update it manually.

After making changes to the adf-config.xml file, redeploy the webcenter.ear file.

16.5.4.4 "ConnectionRefused" Error: Authorize WC_Spaces IP Address

Problem

If a socket connection to Oracle WebCenter Content is being used, the IP address for the WC_Spaces server must be authorized to connect to Oracle WebCenter Content. If this is not the case, the logs contain a ConnectionRefused exception.

Solution

Authorize the IP address for the WC_Spaces server to connect to Oracle WebCenter Content.

For information about configuring the IP address for the WC_Spaces server, see section Configuring System Properties in Administering Oracle WebCenter Content, in the Oracle Fusion Middleware Online Documentation Library.

16.5.4.5 Features Not Available in WebCenter Content Version: Check Version

Problem

Sometimes the feature versions in Oracle WebCenter Content are not those expected by WebCenter Portal: Spaces.

Solution

Check for the following feature versions in Oracle WebCenter Content:

ExtendedUserAttributes: 1.1.1.30
JpsUserProvider: 1.0.0.7
WebCenterWorkflows: 11.1.1.4.0

To check these versions in Oracle WebCenter Content, go to Administration, then to Configuration for instanceName, and then to Feature Details.

If the versions are not correct, there may have been a problem during installation or configuration. Refer to the installation and administration guides.

16.6 Problems and Solutions for Search in WebCenter Portal

This section describes problems and solutions related to search in WebCenter Portal. It includes the following topics:

16.6.1 No Search Results Found: Check Oracle SES Server Status

Problem

The Oracle Secure Enterprise Search (SES) connection is not created correctly. The search query is not submitted to Oracle SES.

Solution

Confirm the Oracle SES connection by entering the following URL for Oracle SES Web Services operations in a browser:

http://host:port/search/query/

If the URL address does not render in the browser, then either the host or port for the Oracle SES server is incorrect, or Oracle SES has not been started.

If the Oracle SES connection is correct, review the remaining topics in this section for other possible causes.

16.6.2 Search Results Do Not Include Secured Resources: Check Various Causes and Solutions

Various issues can cause search results not to include secured resources. the possibilities covered here include the following:

For information about configuring Oracle SES with an identity management system, see:

Section Configuring the Identity Store of the Administering Oracle WebCenter Portal, in the Oracle Fusion Middleware Online Documentation Library.
Section Oracle SES - Configuration of the Administering Oracle WebCenter Portal.

For information about configuring authorization endpoints, see the following sections in the Administering Oracle WebCenter Portal, in the Oracle Fusion Middleware Online Documentation Library:

Configuring Oracle SES to Search Framework Applications
Configuring Oracle SES to Search Spaces Applications

16.6.2.1 No Secured Resources: Check the for Proxy Login Errors

Problem

One possible cause is that the proxy login of WebCenter Portal users failed in Oracle SES.

An Oracle SES proxy login error in the WebCenter Portal diagnostic log looks similar to the following:

Received status "failed" during proxy login with application entity "weblogic" to
Oracle SES at http://host:port/search/query/OracleSearch, as search user
"vicki". Defaulting to public.

Solution

Confirm that Oracle SES is configured with an identity management system to validate and authenticate users.

Also confirm that WebCenter Portal and Oracle SES use the same identity management system, such as Oracle Internet Directory. All repositories (such as WebCenter Portal, WebCenter Portal Content: Content Server, and Oracle WebCenter Portal Discussions Server) must share the same user base as Oracle SES.

Additionally, each Oracle SES instance must have a trusted entity for allowing WebCenter Portal end users to be securely propagated at search time.

16.6.2.2 No Secured Resources: Check Authorization Endpoints

Problem

Another possible cause is that authorization endpoints are not configured correctly.

Locate the search log file on the Oracle SES instance. Look for phrases including the URL value. For example:

EQP-80309: Exception while opening a stream to the URI: http://host:port/sesUserAuth?userId=end-user-name

QueryFilterPlugin returned null or empty array value for security attribute "WCSECATTR". Values required for all security attributes.

Solution

To resolve this problem, perform the following steps:

In the Oracle SES administration tool, go to the Home - Sources tab.
Click the Edit icon for the source to see source configuration tabs.
Click the Authorization tab to confirm the authorization connection string, user name, password, and authorization user ID format.

16.6.2.3 No Secured Resources: Consider Number of Crawl Sources

Problem

A third possible cause is that authorization endpoints are not returning authorization data.

Locate the search log file on the Oracle SES instance. Look for phrases including the URL value. For example:

A security filter authorization timeout for dsid = # occurred after 10000 milliseconds.

Solution

Each WebCenter Portal instance has up to four crawl sources. If an Oracle SES instance is used for more than one WebCenter Portal instance, then the number of crawl sources could potentially get quite high and cause timeout issues. This problem can also occur if the Oracle SES instance has other crawl sources for other uses. The solution is to reduce the number of crawl sources.

16.6.3 Search Results Do Not Include Documents: Check Credentials and Update Configuration

Problem

Crawling of WebCenter Portal Content Server documents fails.

Solution

To resolve this problem, perform the following steps:

In the Oracle SES administration tool, go to the Home - Schedules tab.
Click the Log File icon to display the log file for the source. To obtain the location of the full log, click the Status link.
The Crawler Progress Summary and Log Files by Source section displays the full path to the log file. If Oracle SES fails to log in to the Content Server crawl endpoint due to an authentication error, then the following errors are logged:
```
EQP-60303: Exiting saxthread due to errors

EQP-80330: Unrecognized QName <http://schemas.xmlsoap.org/soap/envelope/>:Envelope oracle.search.sdk.crawler.PluginException
```
Update the configuration parameters of the Content Server crawl source with the correct credentials.

16.6.4 Search Results Do Not Include Discussions and Announcements: Check Various Causes and Solutions

The two following possibilities are discussed in this section:

16.6.4.1 No Discussions and Announcements: Check Single Record Query

Problem

In some cases, the Single Record Query parameter in the crawl sourceis set to true on the Authorization tab.

Solution

Set the Single Record Query parameter to false.

16.6.4.2 No Discussions and Announcements: Check for Lowercase User Names

Problem

The identity management system uses a mixed case user name, but the Oracle WebCenter Portal Discussions Server database uses an all lowercase user name.

Solution

The authorization query for the crawl source must apply the LOWER() function to user name parameters. Using the Oracle SES administration tool, confirm that the Authorization Query for the crawl source definition looks like the following:

SELECT forumID as WCSECATTR FROM AUTHCRAWLER_FORUM_VW WHERE LOWER(username) = LOWER(?) UNION SELECT DISTINCT -1 as WCSECATTR FROM AUTHCRAWLER_FORUM_VW

16.6.5 Search Results Do Not Include Recently Added Resources: Check Crawl Schedule

Problem

A new resource was created recently, but search results do not include the new resource.

Solution

New resources must be crawled and indexed before they can be returned in search results. Crawl schedules are run periodically to index new content. If new resources are created often, then increase the frequency of the crawl schedule. If new resources need to be crawled immediately, then start the crawl schedule manually.

16.6.6 Search Results Do Not Reflect Authorization Changes: Adjust the Security Filter Lifespan Setting

Problem

Some resources are accessible to more users due to authorization changes in WebCenter Portal. For example, resources in a space are now accessible to all authenticated users. The affected users cannot search for those resources.

Solution

Authorization data is cached in Oracle SES. The cache is invalidated according to the Security Filter Lifespan global setting in Oracle SES. The default value is 1 day or 1440 minutes. Adjust the value according to the general frequency of changes to authorization data.

16.6.7 Search Results Do Not Include Resources Available to Wide Audience: Grant Access to Non-Members

Problem

A space is publicly accessible, but unauthenticated users cannot see space resources in search results.

Solution

By default, view access of resources is granted to space members only, even if the space is accessible to the public. View access of resources must be granted to non-members explicitly.

In WebCenter Portal: Spaces, go to Spaces Administration, click the Security then Roles tabs, and for the affected role, check the view access to the different resources.

16.7 Problems and Solutions for the Discussions Service

This section describes the following problems and solutions related to the Discussions service:

16.7.1 User Is Not Authorized / Service Not Configured: Troubleshoot Discussions Server Configuration

Problem

Navigating to a page containing the forums or announcements regions shows User xxxx is not authorized or Service not configured.

Solution

Ensure that the environment is configured properly by performing the following steps:

Check whether the discussions server is up and running by accessing the following URL:
```
protocol://host:port/owc_discussions
```

Verify that the user is able to log in to the discussions server directly. If the user is unable to log in, then execute the WLST commands shown in the following table (adding server and node information as per your environment) to ensure that the environment is properly configured by comparing them with the expected values.

Table 16-2 WLST Commands for Discussions Server Configuration

WLST Command	Expected Value
getDiscussionsServerProperty(appName='owc_discussions', key='AuthFactory.className')	oracle.jive.security.JpsAuthFactory
getDiscussionsServerProperty(appName='owc_discussions', key='UserManager.className')	oracle.jive.security.JpsUserManager
getDiscussionsServerProperty(appName='owc_discussions', key='GroupManager.className')	oracle.jive.security.JpsGroupManager
getDiscussionsServerProperty(appName='owc_discussions', key='owc_discussions.setup.complete_11.1.1.2.0')	true
getDiscussionsServerProperty(appName='owc_discussions', key='owc_discussions.sso.mode')	true

Verify that the discussions connection has been configured to use GPA. Execute the following WLST command to find out details about the connection and look for the highlighted entries.
```
wlst:/> listDiscussionForumConnections(appName='webcenter', verbose=1)
...
Policy URI For Authenticated Access: GPA
Policy URI For Public Access: GPA
```

16.7.2 "User Is Not Authorized" Message for Member of a Group that Has Access: Troubleshoot User Group Cache

Problem

User has been added to a group which has access to a particular forum, yet in WebCenter Portal the user is unable to view the content. This normally happens because of a mismatch of the user groups on the discussions server. The user-group cache on the discussions server is refreshed once every 6 hours.

Solution

To resolve this issue consider the following options:

Clear the cache by performing the following steps:
1. Log in to the discussions server administration console.
2. Navigate to Cache Settings.
3. Click Clear Cache.
Change the cache size. When the cache reaches the cache size limit, the least recently used objects are pushed out of it.

To change the cache size, perform the following steps:
1. Log in to the discussions server administration console.
2. Navigate to Cache Settings.
3. Click Edit Caches.
4. Change the Group Membership cache size to the desired value, in MB, for example, 0.01. If you set this value too low, then the server may end up accessing the back-end identity management system on every request, which may result in performance issues.
5. Save the new setting.
Change the frequency of the cache refresh. This requires a restart of the application server.

To change the frequency of the cache refresh, perform the following steps:
1. Edit the jive_startup.xml file to change the maxLifeTime value for GroupMembership to the desired value (in milliseconds).
2. Save the changes and restart the server.

16.7.3 Unable to Log In to the Discussions Administration Console: Check Administration Access

Problem:

A previously working user ID is no longer able to log in to the discussions server administration console. This can happen if the administrator accidentally deletes the group that has administration access.

Solution:

To regain access, execute the following WLST command:

addDiscussionsServerAdmin

16.7.4 SOAP Fault Exceptions Seen in Announcements Region: Check GPA and wsm-pm Application

Problem:

The announcement region displays a SOAP fault exception instead of the announcements.

Solution:

To resolve this problem, consider the following possibilities:

Verify that the discussions connection has been configured to use GPA. Execute the following WLST command to find out details about the connection and look for the highlighted entries:
```
wlst:/> listDiscussionForumConnections(appName='webcenter', verbose=1)
...
Policy URI For Authenticated Access: GPA
Policy URI For Public Access: GPA
```
Check that your wsm-pm application's configuration is correct and that there are no errors being reported in your log files. To validate the wsm-pm application, log in to the wsm-pm application's validation page as a user with administrative rights. Use the following format for validation:
```
http://host:port/wsm-pm/validator
```
If there are no issues with this application, then accessible policies display. If policies do not display, then investigate the related logged information on the server whose wsm-pm application is failing.

16.7.5 Discussions Server Displays a Form-Based Login Instead of SSO Login Screen: Verify Correct Server Settings

Problem:

Clicking login or accessing the discussions server administration console displays a form-based login instead of the configured SSO login screen.

Solution:

Verify that your discussion server settings are as described in Table 16-2, specifically that the owc_discussions.sso.mode property is set to true.

16.7.6 "Discussions Not Provisioned" Warning During Space Creation: Check Configurations

Problem:

Creating a space returns the following warning:

Announcement, Discussions not provisioned

Solution:

To resolve this problem, perform the following steps:

Verify that the discussions server is configured properly as described in User Is Not Authorized / Service Not Configured: Troubleshoot Discussions Server Configuration.
Verify that your discussions server connection is correctly configured. You can check on the connection information using Fusion Applications Control.
Check the WC_Spaces-diagnostic.log files to see if there are any timeouts during space creation. Timeouts indicate that there is a bottleneck in the network. It could be that the server is unreachable or overloaded and taking more time to respond. Ensure that you are not routing the calls unnecessarily over the network when a direct access would be better.

Alternatively, go to Space administration settings and provision the services manually.

16.8 Problems and Solutions for the Documents Service

This section describes the following problems and solutions related to Documents Service:

16.8.1 Documents Service Unavailable: Check Content Repository and Content Server

Problem:

After configuring WebCenter Portal to have a active connection to a Content Repository connection (Oracle WebCenter Content: Content Server) and bouncing WebCenter Portal, the Documents service does not appear to be available in Spaces. For example, in the Home space or a space there are no documents available. The cause of the issue is likely to be in the Content Repository connection settings or that the WebCenter Portal data was not successfully seeded into the Content Server.

Solution:

To resolve this problem, perform the following steps:

Check that the Content Server is up and running. Ensure the server has the Server Port (intradoc) configured and the Server IP Filter allows connection from WebCenter Portal:
1. Log in to the Content Server.
2. Click Administration.
3. Click Configuration for instance name.
4. Click the Server Configurations link under System Configuration.
5. Ensure that Server Port is listed and that Server IP Filter allows access from WebCenter Portal.
Check the Content Repository Connection settings are correct for the Content Server being used for the Document store:
1. Using either WLST or Fusion Applications Control display the Content Repository Connection settings.
2. Ensure that the connection for the Content Server is marked as the Active Connection or Primary Connection.
3. Ensure that the settings for the Content Server are correct.
4. Ensure that the Content Administrator, Root Folder and Application Name have been specified:
  - The Content Administrator must have administration rights in the Content Server. This user will be used to create and maintain folders for spaces content, security groups and roles, and manage content access rights.
  - The Root Folder and Application Name must be unique and not used by any other WebCenter Portal application using the same Content Server. If you change these values, ensure that both values are changed and not just one of them.
  - It is recommended the Application Name is less than 14 characters as it is used as a prefix for items created in Content Server, such as workflows, which have a limit on the length of the item name.
Check the log at the time of the WebCenter Portal start-up for any errors connecting to the Content Server or seeding the data in the Content Server:
1. When WebCenter Portal has an active or primary Content Repository connection and the Content Administrator, Root Folder and Application Name have been specified, then when the WebCenter Portal server starts up, data is seeded in the Content Server for that application (if it does not already exist).
2. If both 1 and 2 are correct, check the WebCenter Portal log for any errors when WebCenter Portal starts up. There may be errors when seeding the data in the Content Server.
3. If the log does not show any useful log information, turn up the logging for the Documents server and bounce WebCenter Portal to see the log messages regarding seeding the WebCenter Portal seed data:
  1. Either use Fusion Applications Control or edit the logging.xml file to increase the logging for oracle.webcenter.doclib.internal.model and oracle.webcenter.doclib.internal.spaces.
  2. Restart WebCenter Portal.
  3. View the log for any messages regarding the seeding of the WebCenter Portal data.
  4. If the data is seeded correctly there should be a message logged at TRACE level similar to the following:
```
Content Server already contains the Space container, therefore no need to seed any data
```
  5. If the seed data does not already exist, there should be a message logged at TRACE level similar to the following:
```
Creating WebCenter Seeded Data
```

16.8.2 Granting Permissions Errors in Documents When Creating a Space: Check Logs and Permissions

Problem:

On creating a space based on a template with the Documents service, the space creation fails with an error such as the following:

Granting permissions for Documents failed

Solution:

View the WebCenter Portal log to see if there are any log messages indicating the source of the error.

If it is not clear what the cause of the error is, try resetting all the Document permissions for all the roles to see if the role mapping completes successfully. Any failures should be logged in the WebCenter Portal log.

For information about how to reset the permissions, see User Appears to Not Have the Correct Capabilities in the Documents Page for His Role: Resolve for Single or Mulitple Users.

16.8.3 User Appears to Not Have the Correct Capabilities in the Documents Page for His Role: Resolve for Single or Mulitple Users

When a user does not have the expected capabilities in the Documents page for his or her role, (for example the user is a Participant who has Write and Delete yet he or she cannot create content) it is possible that the permissions displayed in WebCenter Portal do not match those permissions actually stored in the Content Server.

16.8.3.1 Resolve for a Single User

If the problem affects a single user, reset the user's role by performing the following steps:

Log in to WebCenter Portal.
Navigate to the space.
Navigate to the Space administration settings.
Click the Members tab.
Select the affected user.
Click Change Role.
Select a different role and click OK.
Click Change Role again.
Select the original role and click OK.

16.8.3.2 Resolve for Multiple Users

If the problem affects multiple users, resynchronize the permissions from WebCenter Portal to WebCenter Portal Content by performing the following steps:

Log in to WebCenter Portal.
Navigate to the Space administration settings.
Click the Roles tab.
For each role, do the following:
1. Select the role and click Edit Permissions.
2. Deselect all the permissions and click Save.
3. Click Edit Permissions again and select the desired permissions.
4. Click Save.
For the seeded roles the recommended permissions are as follows:
- Moderator: Read, Write, Delete, Admin
- Participant: Read, Write, Delete
- Viewer: Read

16.8.4 Documents Connection Not Working after Switching to Global Policy Attachment: Check Connection Properties and Security Policy

Problem:

A Documents connection that was used with Local Policies fails to behave correctly when repurposed for GPA use.

Solution:

To resolve this problem, perform the following steps:

Examine the Documents connection properties using Fusion Applications Control or WLST.
Verify that the client security policy is not set.

If it is set, clear the value. For example, using WLST:

setJCRContentServerConnection(
  [application name],
  [connection name],
  clientSecurityPolicy=null);

16.9 Problems and Solutions for Attachments in WebCenter Content

WebCenter Content can store attachments associated with a content item. Within the Oracle Fusion Applications environment, attachments are secured by their corresponding content items. If a content item can be accessed, then its attachments can be accessed.

16.9.1 Attachment File Is Too Large: Change the Maximum Size Parameter

Problem:

When the user attempts to add an attachment, the file selection field clears and they receive the following message:

Warning: The file upload failed.
The file could not be uploaded because it is too large.

Solution:

The maximum size of a file that can be uploaded is managed by the Apache MyFaces Trinidad settings. The UPLOAD_MAX_MEMORY context parameter in the web.xml file can be added or modified to change this size from the default of 2 MB. The profile option File Upload Maximum Size (code name FND_FILE_UPLOAD_MAX_SIZE) has been provided as a way for centrally managing the maximum file size. Where the entry in the web.xml has been set to #{applCorePrefs.maxUploadSize}, the profile option value should be checked.

For more information, see section Changing the Maximum File Upload Size in the Administering Oracle WebCenter Portal.

16.9.2 No Attachments Appear in the Attachment Component

Problem:

The Attachment component appears in the end-user UI. The end-user expects to be able to view files that have been previously attached.

Solution:

The Document Category can be used to manage which Attachments an end-user is able to see. Attachments provide a mapping table between the Document Categories and the Document Entities. A Document Entity is a logical reference to the business object that the end-user is attaching their files to. A UI is provided for managing this mapping. Use the Manage Attachment Entities in the Functional Setup Manager.

To resolve this problem, perform the following steps:

Using the management UI, search for the Document Entity used on the problem page. This may be intuitive, or may require contacting Oracle support to obtain the name. Select the entity in the Search Results. This will update the Attachment Categories table at the bottom of the page with the list of categories that have been mapped to the Document Entity. All Document Entities will be seeded with at least one Document Category. If no document categories appear it will be necessary to contact Oracle Support to determine which Categories should be re-added.
Check the Enable Security column at the end of the Search Results table. A checked checkbox indicates that data security has been enabled on the category values for the document entity. It will be necessary to track down the Object Instance Sets and functions that have been granted to a role that the end-user is a member to determine how the data security is filtering the list of document categories mapped to the document entity. See Implement Oracle Fusion Data Security in Oracle Fusion Applications Developer's Guide.

The Attachment form functions that provide the permissions are FND_READ_APPLICATION_ATTACHMENT_DATA, FND_UPDATE_APPLICATION_ATTACHMENT_DATA, FND_DELETE_APPLICATION_ATTACHMENT_DATA.

In this instance assigning the Read permission may have been overlooked when granting the end-user permissions.
Follow up with the developer of the page that the end-user is using Attachments on. Developers have design and run time options that allow them to introduce additional filters the final list of document categories.

16.9.3 No Category Value Appears for an Attachment

Problem:

When the Attachment component is shown in the UI the end-user observes that one or more of their existing attachments have no category value.

Solution:

The Document Category can be used to manage the Attachments that an end-user is able to see. Attachments provide a mapping table between the Document Categories and the Document Entities. A Document Entity is a logical reference to the business object that the end-user is attaching their files to. A UI is provided for managing this mapping. Use the Manage Attachment Entities in the Functional Setup Manager.

To resolve this problem, perform the following steps:

Using the management UI, search for the Document Entity used on the problem page. This may be intuitive, or may require contacting Oracle support to obtain the name. Select the entity in the Search Results. This will update the Attachment Categories table at the bottom of the page with the list of categories that have been mapped to the Document Entity. All Document Entities will be seeded with at least one Document Category. If no document categories appear it will be necessary to contact Oracle Support to determine which Categories should be re-added.
Check the Enable Security column at the end of the Search Results table. A checked checkbox indicates that data security has been enabled on the category values for the document entity. It will be necessary to track down the Object Instance Sets and functions that have been granted to a role that the end-user is a member to determine how the data security is filtering the list of document categories mapped to the document entity. See the Implement Oracle Fusion Data Security section in the Oracle Fusion Applications Developer's Guide.

The Attachment form functions that provide the permissions are FND_READ_APPLICATION_ATTACHMENT_DATA, FND_UPDATE_APPLICATION_ATTACHMENT_DATA, FND_DELETE_APPLICATION_ATTACHMENT_DATA.

In this instance assigning the Read permission may have been overlooked when granting the end-user permissions.
Follow up with the developer of the page that the end-user is using Attachments on. Developers have design and run time options that allow them to introduce additional filters the final list of document categories.

16.9.4 Add an Attachment Returns the error message "You do not have permission to add a new attachment"

Problem:

The end-user navigates to their page that displays their Attachments. They want to add a new Attachment, so click on the add button (+ icon). Instead of adding a new row at the top of the Attachment table the error message is displayed.

Solution:

This error message appears if the Attachments component cannot find any Document Category values.

To resolve this problem, perform the following steps:

Using the management UI, search for the Document Entity used on the problem page. This may be intuitive, or may require contacting Oracle support to obtain the name. Select the entity in the Search Results. This will update the Attachment Categories table at the bottom of the page with the list of categories that have been mapped to the Document Entity. All Document Entities will be seeded with at least one Document Category. If no document categories appear it will be necessary to contact Oracle Support to determine which Categories should be re-added.
Check the Enable Security column at the end of the Search Results table. A checked checkbox indicates that data security has been enabled on the category values for the document entity. It will be necessary to track down the Object Instance Sets and functions that have been granted to a role that the end-user is a member to determine how the data security is filtering the list of document categories mapped to the document entity. See the Implement Oracle Fusion Data Security section in the Oracle Fusion Applications Developer's Guide.

The Attachment form functions that provide the permissions are FND_READ_APPLICATION_ATTACHMENT_DATA, FND_UPDATE_APPLICATION_ATTACHMENT_DATA, FND_DELETE_APPLICATION_ATTACHMENT_DATA.

In this instance the user may not have been granted the UPDATE permission for any categories.
Follow up with the developer of the page that the end-user is using Attachments on. Developers have design and run time options that allow them to introduce additional filters the final list of document categories.

16.9.5 Content Server Web Service Is Unavailable: Check Endpoints and Restart

Problem:

When the Content Server is down, it is not possible for any user to create, update or retrieve Content Server content. For example, the following error:

Error: Fails to access WSDL at <protocol://host:port/idcnativews/IdcWebRequestPort?WSDL>

Fails with the following response:

'503: Service Unavailable' for url 'protocol://host:port/idcnativews/IdcWebRequestPort?WSDL'

Solution:

To resolve this problem, perform the following steps:

Check that the connection end point is correct. To view connection details, use Oracle Enterprise Manager Fusion Applications Control (Fusion Applications Control) or the Oracle WebLogic Scripting Tool (WLST). Verbose listing also shows that this is the primary connection.
- To view the connection details using the System MBean Browser, perform the following steps:
  1. Choose Fusion Applications from the Targets menu.
  2. In the table on the Fusion Applications target home page, click the appropriate Product Family target.
  3. From the navigation pane, expand the product family, and then expand Fusion Applications.
  4. Expand the cluster application you want to monitor to show each instance of the application.
  5. Click one of the application deployment instances, for example, PayablesApp (PayablesSever_1).
    
    The Fusion J2EE Application page appears.
  6. From the Fusion J2EE Application menu, choose System MBean Browser.
  7. In the System MBean Browser page, expand Application Defined MBeans.
  8. Expand oracle.adf.share.connections, server name, application name, ADFConnections, JCR.
  9. Click FusionAppsContentRepository.
  10. In the Application Defined MBeans: JCR:FusionAppsContentRepository page, verify the connection properties.
- To view the connection details using the Oracle WebLogic Scripting Tool (WLST), perform the following substeps:
  1. From the fusionapps Middleware subdirectory, start the scripting tool:
```
(UNIX) FA_MW_HOME/oracle_common/common/bin/wlst.sh
```
    Where DOMAIN_HOME is located in the following locations:
```
(UNIX) APPLICATIONS_CONFIG/instance/domains/host/domain_name
```
  2. Connect to Oracle WebLogic Server.
  3. Use Oracle WebLogic Scripting Tool (WLST) commands. For example:
```
listJCRContentServerConnections(appName='LedgerApp',verbose=1)
FusionAppsContentRepository
Connection Name: FusionAppsContentRepository
Connection Type: JCR
External Appliction ID:
Timeout: (not set)
CIS Socket Type: jaxws
CIS Server Hostname:
CIS Server Port:
CIS Keystore Location:
CIS Private Key Alias:
CIS Web URL: ${adfDomainConfig.oraclefusionapps.ucmAppInternalProtocol}://${adfDomainConfig.oraclefusionapps.ucmAppInternalHost}:${adfDomainConfig.oraclefusionapps.ucmAppInternalPort}/idcnativews
Web Server Context Root:
Client Security Policy:
Admin User Name: FUSION_APPS_FIN_ADF_APPID
Cache Invalidation Interval: (not set)
Binary Cache Maximum Entry Size: (not set)
The Documents primary connection is "FusionAppsContentRepository"
```
    Note that the URL in the output is tokenized using Expression Language expressions. These expressions are resolved from the adf-domain-config.xml document from MDS. Make the following selections to resolve the expressions and return the actual destination:
```
System MBean Browser > Application Defined MBeans > oracle.adf.share.connections > Server: YYY > Application: ZZZApp > ADFConnections > ADFConnections > Operations Tab > exportWithResolvedExpressions > Invoke
```
    The document picker used to select folders or documents from Content Server is provided by WebCenter.
If the connection point is incorrect, update the CIS Web URL of the FusionAppsContentRepository Java Content Repository (JCR) connection to the correct value.
Restart Content Server if it is not available. See the Managing System Processes section in Administering Oracle WebCenter Content.

16.9.6 Content Server Connection Failure: Troubleshoot Connections

Problem:

When a connection failure occurs, it is not possible for any user to create, update or retrieve Content Server content. This occurs at the point where the application is attempting to connect and authorize the connection, such as when adding or accessing an attachment. The following are indications of a connection problem:

Clicking on the link to an attachment displays a warning message instead of the attachment. For example:
```
Warning: The attachment information cannot be retrieved. (FND-2403)
```
The same text is shown for errors FND-2403 through to FND-2405. These errors are all indicative of problems connecting to Content Server when trying to retrieve content.
Attempting to save an attachment results in an error message. For example:
```
Error: Your attachments changes cannot be saved. (FND-2408)
```
The same text is shown for errors FND-2407 through FND-2410. These errors are all indicative of problems connecting to Content Server when trying to save content.
No connection, folder or document is available to the document picker.

Message popup beginning with the following:

oracle.stellent.ridc.protocol.ProtocolException

Solution:

To resolve this problem, perform the following steps:

Look for the error message number in the application log, for example, FND-2403. If there is no FND message then it is likely that the message is being bubbled up from Content Server or Oracle WebCenter Portal. Search for the text of the message in the application log. The exception message provides additional context to help determine the root cause of the problem.
Check that the Content Server is running. Restart Content Server if it is not available. See the Managing System Processes section in Administering Oracle WebCenter Content.
Determine if the JCR Connection is set correctly in this environment:
- Check that the Content Server Connection has been defined. The connection name must be FusionAppsContentRepository, and must be defined as the primary Content Server connection.
- The connection must of socket type jaxws, with the Web URL configured to point to the Content Server native web services endpoint (the idcnativews endpoint). The Client Security Policy must be null, indicating that GPA (Global Policy Attachments) should be leveraged. A valid administrative user must also be specified as part of the definition. This connection definition is persisted in Oracle Metadata Services Repository, which happens automatically as a part of the setup. Hence, MDS Repository issues may result in issues for Attachments. For example, the connection specified in a connections.xml is overridden by the MDS Repository configuration.
It is possible to use Oracle Enterprise Manager Fusion Applications Control (Fusion Applications Control) or the Oracle WebLogic Scripting Tool (WLST) to view connection details. Verbose listing also shows that this is the primary connection.

To view the connection details using the System MBean Browser, refer to the steps in Content Server Web Service Is Unavailable: Check Endpoints and Restart.

To view the connection details using the Oracle WebLogic Scripting Tool (WLST), refer to the steps in Content Server Web Service Is Unavailable: Check Endpoints and Restart.

16.9.7 Clicking Attachments Link Results in a 404 Error: Check GetHandler Servlet

Problem:

Clicking on the link of an attachment results in a 404 (page not found) error. This occurs for all users of an application.

Solution:

If the attachment type is a file or text, then it is likely to be a problem with the GetHandler servlet.

The condition occurs when the GetHandler servlet is not running or the application has not been defined correctly.

To resolve this problem, perform the following steps:

One way to confirm that the servlet is available is to go to the console:

Deployments, Application, then Application Root, Monitoring, and then Servlets
Restart the GetHandler servlet if it is not running.
If the servlet is running then the issue is likely to be with the configuration of the application. Contact the Oracle Fusion Applications product team to resolve the issue with the configuration of the application.

If the attachment type is a URL, then the value must be corrected. This can be done by verifying and re-entering the correct URL attachment.

16.9.8 Authorization Failure/"Insufficient Privileges" Error:

Problem:

When the user attempts to create a new attachment or view an existing attachment, they receive an insufficient privileges message. The following are some sample error messages that either originate from the Content Server or are found in the logs:

Content item '(null)' was not successfully checked in. User 'USERNAME' does not have sufficient privileges.

Unable to download 'DOCUMENTID'. User 'USERNAME' does not have sufficient privileges.

Content item '(null)' was not successfully checked in. Unable to execute service method 'checkSecurity'. The error was caused by an internally generated issue. The error has been logged.

'USERNAME' does not have sufficient privileges

Invalid Security: error in processing the WS-Security header

MustUnderstand headers:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\}Security are not understood

internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName
com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName

com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName

Solution:

The sufficient privileges message originates from Content Server. It means that the user for the Content Server connection does not have sufficient privileges to complete the requested steps. There are many possible configuration errors that produce this message, but it indicates a problem with the configuration of the underlying technology stack.

To resolve this issue, first check the Oracle Fusion Applications client for the following possible errors and their resolutions:

If that does not fix the issue, then check the Oracle Content Servers setup for the following possible errors and their resolutions:

16.9.8.1 Task 1: Check Oracle Fusion Applications Client

Check the application log for errors and then follow the steps that match the reported error.

16.9.8.1.1 Misunderstood Headers or No Namespace URL Error

The following errors indicate the web service end point on Content Server may be missing the web service policy; this can be verified in several ways.

MustUnderstand headers:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\}Security are not understood

com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName

From the Fusion Applications Control, perform the following steps:

From the navigation pane, expand the domain and Application Deployments, then click Oracle UCM Native Web Services (UCM_server1).
From the Application Deployment menu, choose Web Services.
In the Web Services home page, click the Web Service tab.
Click the IdcWebLoginPort endpoint to view the configuration in the IdcWebLoginPort (Web Service Endpoint) page.
On the IdcWebLoginPort (Web Service Endpoint) page, click the OWSM Policies tab and verify the Globally Attached Policy. For example:
```
oracle/wss_saml_or_username_token_service_policy
```

From the Web Services Description Language (WSDL) URL, perform the following steps:

Point your browser to the following URL:

http://contentserver_host:contentserver_port/idcnativews/IdcWebLoginPort?WSDL

Check that the WSDL contains a binding reference to the appropriate service policy. For example:
```
<wsp:PolicyReference URI="#wss_saml_or_username_token_service_policy" ...
```

16.9.8.1.2 Invalid Security Error

The following exception occurs if the client GPA (Global Policy Attachments) is not set up correctly:

Invalid Security: error in processing the WS-Security header

Both the Web Service Client (Fusion Application) and Service (Content Server native web services login endpoint) leverage Globally Attached Policies (GPA) in most cases. With GPA, the domain administrator configures default policies for Web Service Client and Service resources for each domain. Clients and services which do not directly attach policies (Locally Attached Policies) use the corresponding policies configured for GPA. Issues arise when client and service policies are not compatible. For example, a message protection policy is set on the client, but not on the service. Always check that the client and service leverage GPA and that the policies are compatible. For example:

If the service policy on the Content Server login service is set to the following:
```
oracle/wss_saml_or_username_token_service_policy
```
Then the client policy should be set to the following:
```
oracle/wss10_saml_token_client_policy
```

If the service policy on the Content Server login service is set to the following:

oracle/wss11_saml_or_username_token_with_message_protection_service_policy

Then the client policy should be set to the following:

oracle/wss11_saml_token_with_message_protection_client_policy.

Note that the GPA is set at the global domain level and affects all domains. This is done as part of provisioning, and there is no explicit action to be done for Content Server Attachments in provisioned environments.

From the Oracle WebLogic Scripting Tool (WLST), perform the following steps:

From the fusionapps Middleware subdirectory, start the scripting tool:
```
(UNIX) FA_MW_HOME/oracle_common/common/bin/wlst.sh
```
Connect to Oracle WebLogic Server.

Run a listPolicySets() command and then an appropriate displayPolicySet('xxxx') command from the client domain to obtain details on the GPA defined for the web service client (ws-client).

    ...> listPolicySets()
    Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
    For more help, use help(domainRuntime)
    Global Policy Sets in Repository:
...
  ws-client 
...
...> displayPolicySet('ws-client')

    Policy Set Details:
    -------------------
    Name: ws-client
    Type of Resources: Web Service Client
    Scope of Resources: Domain("*")
    Description: Global policy attachments for Web Service Client resources.
    Enabled: true
    Policy Reference: security : oracle/wss10_saml_token_client_policy, enabled=true

Similarly, from the CommonDomain where UCM is deployed, run WLST with appropriate listPolicySets() and displayPolicySet('xxxx') commands to obtain details on the GPA defined for the service (ws-service).

16.9.8.1.3 Unable to Generate Digital Signature Error

The following message indicates that there is a problem on the Oracle Fusion Applications side when attempting to generate a digital signature.

Unable to generate digital signature

If there is no such error, then skip to the Task 2: Check Oracle Content Server Setup.

16.9.8.1.3.1 Keystore or Password Error

This procedure applies only to JKS (file-based) keystore. For more information about keystore type, see the Determine Keystore Type and the Extract a JKS (File-based) Keystore from a KSS Based Keystore sections.

Problem

In some cases, the application log may contain the following message:

Keystore has been tampered with, or password is wrong

Solution

To resolve this issue, perform the following steps:

Determine the keystore location from Fusion Applications Control:
1. From the navigation pane, expand the farm and then WebLogic Domain.
2. Select the domain, for example, FinancialDomain.
3. In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security, Security Provider Configuration.
4. In the Security Provider Configuration page, under Web Services Manager Authentication Providers, expand Keystore to see the location. The location is typically
```
(UNIX) DOMAIN_HOME/config/fmwconfig/default-keystore.jks
```
Validate the keystore password using the keytool tool, located in located in ORACLE_HOME/jdk/bin. For example:
```
keytool -list -v -keystore default-keystore.jks -storepass admin123
```
Where admin123 is the keystore password.

The following error occurs if the password is incorrect:
```
java.security.UnrecoverableKeyException
```
Validate the private key alias and password using keytool. For example:
```
keytool -keypasswd -alias orakey -keypass password -new password -keystore default-keystore.jks -storepass admin123
```
Where admin123 is the verified keystore password from Step 2, and password is the alias entry password.

The following error occurs if the password is incorrect:
```
java.security.UnrecoverableKeyException
```
The following error occurs if there is no key pair under the alias orakey:
```
java.lang.Exception
```
Validate that the correct passwords and entries exist in the credential store.

The credential store must contain valid password credentials for the oracle.wsm.security map providing the keystore access password, signing key alias and password, and encryption key alias and password.

View and edit credential store contents from EM (passwords are not rendered) as follows:
1. From the navigation pane, expand the farm and then WebLogic Domain.
2. Select the domain, for example, FinancialDomain.
3. In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security, Credentials.
Alternatively, run the WLST listCred script with the appropriate map and key to retrieve passwords associated with credentials as follows:
```
listCred(map="oracle.wsm.security", key="keystore-csf-key")
listCred(map="oracle.wsm.security", key="sign-csf-key")
listCred(map="oracle.wsm.security", key="enc-csf-key")
```

16.9.8.2 Task 2: Check Oracle Content Server Setup

To resolve this issue, perform the following steps:

Switch on logging for the FusionAppsAttachments component:
1. Log in to UCM as an administrator.
2. Choose Administration, then System Audit Information.
3. In the Tracing sections Information area, add fusionappsattachments to Active Sections.
4. Enable Save and Full Verbose Tracing.
5. Click Update.
View the logs by performing the following substeps:
1. Log in to UCM as an administrator.
2. Choose Administration, then System Audit Information.
3. Select View Server Output.
After re-running an attempt to retrieve or create an attachment, search for the string Signature Verification Failed. Determine the keystore location from Fusion Applications Control:
1. From the navigation pane, expand the farm and then WebLogic Domain.
2. Select the domain.
3. In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security, then Security Provider Configuration.
4. In the Security Provider Configuration page, under Web Services Manager Authentication Providers, expand Keystore to see the location. The location is typically the following:
```
(UNIX) DOMAIN_HOME/config/fmwconfig/default-keystore.jks
```
Validate the keystore password using the keytool tool, located in ORACLE_HOME/jdk/bin. For example:
```
keytool -list -v -keystore default-keystore.jks -storepass admin123
```
Where admin123 is the supposed keystore password.

The following error occurs if the password is incorrect:
```
java.security.UnrecoverableKeyException
```
Validate the private key alias and password using keytool. For example:
```
keytool -keypasswd -alias orakey -keypass welcome1 -new welcome1 -keystore default-keystore.jks -storepass admin123
```
Where admin123 is the verified keystore password from Step 2, and welcome1 is the alias entry password.

The following error occurs if the password is incorrect.
```
java.security.UnrecoverableKeyException
```
The following error occurs if there is no key pair under the alias orakey.
```
java.lang.Exception
```
Validate that the correct passwords and entries exist in the credential store.

The credential store must contain valid password credentials for the oracle.wsm.security map providing the keystore access password, signing key alias and password, and encryption key alias and password.

Run the WLST listCred script with the appropriate map and key.
Correct the keystore or credential store if required, as described in the following sections.

16.9.8.2.1 Public Certificate Map Error

Problem:

The following error indicates that the public certificate associated with the private key used by the Attachments client was not found in the Content Server domain's keystore.

Public Certificate Map did not contain fingerprint: XXXX Public Certificate is null; Unable to verify signature

In security-hardened environments where each domain could use unique key pairs, the client's public certificate must be loaded into the Content Server domain's keystore. In non-security-hardened environments, each domain uses identical key pairs (and possibly cloned keystores), and hence the public certificate should already be present in the Content Server domain's keystore.

Solution:

Check that the keystore on the Oracle Fusion Applications client and the Content Server contain the correct keystore. In a non-security hardened environment, the keystore can be copied from one domain to another and Oracle WebLogic Server restarted.

Restart the Content Server when the keystore changes, as this public certificate is cached at startup. The Attachments caches the value upon the first access so the Oracle Fusion application may also require bouncing, although this is unlikely.

Use the keytool to check the certificate. For example:

keytool -list -v -keystore default-keystore.jks

16.9.8.2.2 Legacy Signing Request Error

Problem:

The following message indicates that the Attachment client provided a null or empty public certificate fingerprint value (XFND_CERT_FP), which is likely due to some keystore access issue on the client.

Legacy signing request; Certificate FingerPrint missing

If this value is missing from the databinder, the signature value itself is also likely missing. If this is the case, you would also likely see the following message:

Signature Scheme Properties missing from DataBinder

This message indicates that one of the following values is null or empty in the databinder supplied by the Attachments client:

XFND_SIGNATURE
XFND_RANDOM
XFND_EXPIRES

This problem is reported when the Oracle Fusion application making the request is incorrectly configured.

Solution:

To resolve this issue, refer to Task 1: Check Oracle Fusion Applications Client. There are likely to be many clients. Therefore, you may have to check each one. The FusionAppsAttachments logging may provide enough information to determine which client is causing the error.

16.9.8.2.3 Request Expiry Time Reached Error

Problem:

The following error indicates that the XFND_EXPIRES (milliseconds since epoch) date value provided in the request databinder has already passed according to the Content Server's clock:

Request expiry time reached

Solution:

Check to make sure that there are no time and time zone differences between the client and Content Server. The request timeout should typically be 10 minutes.

16.9.8.2.4 Unable to Base64 Decode Received Signature Error

Problem:

The following message indicates that the client-supplied, URL-safe, base64 signature could not be successfully decoded back to binary data:

Unable to base64 decode received signature

Solution:

To resolve, check the application logs for any errors when encoding the signature.

16.9.8.2.5 Unable to Verify Signature Error

Problem:

The following errors in the application log files indicate an issue obtaining the keystore and/or the public certificate.

java.lang.NullPointerException at SigningUtils.verify !syNullPointerException java.lang.NullPointerException. at AttachmentsConfig.getPublicCertificate

Solution:

To resolve, check what exceptions are present at the Content Server start time that are associated with keystore and credential store access.

16.9.9 Application Access Denied

When the end-user attempts to create a new attachment, or view an existing attachment they receive an access denied message. For example:

oracle.fabric.common.PolicyEnforcementException: access denied (oracle.wsm.security.WSIdentityPermission resouce=appName assert)

This indicates a problem with configuration or provisioning of the application. Contact the Oracle Fusion Applications product team to get them to resolve the issue.

16.9.10 CredentialAccessPermission Denied

The following exception is reported:

access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=enc-csf-key read)

This issue indicates a problem with configuration or provisioning of the application.

Contact the Oracle Fusion Applications product team to get them to resolve the issue.

16.9.11 Applcore Attachment Checkin Failure: Check Various Causes and Solutions

If applcore attachments fail during checkin, the likely causes can vary if the failure occurs across all domains or in a single domain. First, determine if attachment uploads to the central UCM instance are successful for any other domain in the installation. Then, see the following topics:

16.9.11.1 Checkin Failure Causes for All Domains

If attachments fail on all domains, possible causes are (in order of likelihood) as follows:

There is a mismatch between the "ws-service" policy of the Common Domain Web Services Manager (WSM) Global Policy Attachment (GPA) and the associated domain's corresponding "ws-client" policy.
The UCM login webservice is not using a Global Policy Attachment (GPA), but rather an incorrect Local Policy Attachment (LPA).
The WSM Policy Manager application has failed in the Common Domain.
Credential store entries are incorrect for Common Domain preventing the keystore from opening.
If using message protection policy, the keystores for the domains are not synchronized.
Clients are unable to generate digital signatures due to policy permission security issues or invalid oracle.wsm.security credential store values for the underlying keystore.
The public certificate fingerprint of the client is not in UCM server keystore.
The JCR connections are not using GPA, but rather an incorrect LPA.
The tokenized Web URL JCR connection value is incorrect.

16.9.11.2 Checkin Failure Causes for Single Domain

If attachments fail on a single domain and other domains function properly, possible causes are (in order of likelihood) as follows:

There is a mismatch between the "ws-service" policy of the Common Domain Web Services Manager (WSM) Global Policy Attachment (GPA) and the associated domain's corresponding "ws-client" policy
The client keystore is not synchronized with the UCM common domain server keystore.
Clients are unable to generate digital signatures due to policy permission security issues or invalid oracle.wsm.security credential store values for the underlying keystore.
The public certificate fingerprint of the client is not in the UCM server keystore.
The JCR connection for FusionAppsAttachments is not using GPA client policy and may be somehow leveraging an LPA.
The tokenized Web URL JCR connection value is incorrect.

16.9.11.3 Checkin Failure Solution 1: Policy Manager Active

From the UCM domain, check if the Web Services Manager policy manager is active:
```
http://ucmhost:adminport/wsm-pm/validator 
```
It should prompt for credentials, and then return a status such as Policy Manager Status: Operational, along with a table of policies.
If the application does not appear to be responding, open the UCM Domain Weblogic Server Administration Console the following, to see if it is active:

Deployments, Summary of Deployments, and then wsm-pm deployment

16.9.11.4 Checkin Failure Solution 2: Correct Service Policy

From the UCM domain, check the wsp:PolicyReference in the IdcWebLoginPort WSDL:
```
http://ucmhost:ucmport/idcnativews/IdcWebLoginPort?WSDL 
```

Look for something similar to the following:

<wsp:PolicyReference URI="#wss_saml_or_username_token_service_policy" wsdl:required="false"/>

If the service policy is either empty or not what you expected, check to make sure that the GPA policy for ws-service has been correctly set:
1. From the navigation pane, expand the domain and Application Deployments, then click Oracle UCM Native Web Services (UCM_server1).
2. From the Application Deployment menu, choose Web Services.
3. In the Web Services home page, click the Web Service tab.
4. Click the IdcWebLoginPort endpoint to view the configuration in the IdcWebLoginPort (Web Service Endpoint) page.
5. On the IdcWebLoginPort (Web Service Endpoint) page, click the OWSM Policy tab and verify the correct policy is listed under Globally Attached Policy and that no policy is listed under Directly Attached Policies.
Make sure that the policy associated with GPA Web Service Endpoint resource is correct:
1. From the Enterprise Manager, click Weblogic Domain.
2. Click the domain name, for example, CommonDomain.
3. From the Weblogic Domain menu, choose Web Services and then Policy Sets.
4. Specify or change the policy as necessary.

16.9.11.5 Checkin Failure Solution 3: Correct Client Policy

From the client domain, check the GPA policy set for Web Service Client resources by performing the following steps:

From the Enterprise Manager, click Weblogic Domain.
Click the domain name, for example, CRMDomain.
From the Weblogic Domain menu, choose Web Services and then Policy Sets.
Make sure that the policy set associated with GPA Web Service Client resources is correct.

16.9.11.6 Checkin Failure Solution 4: Correct JCR Connection

Check the "FusionAppsContentRepository" JCR connection to make sure that the client policy is empty, meaning GPA should get used, and that the web URL is correct by performing the following steps:

The System MBean browser within EM shows the details of the connection:

System MBean Browser > oracle.adf.share.connections > Server: YYY > Application: ZZZApp > ADFConnections > ADFConnections > JCR > FusionAppsContentRepository

Make sure the Client Security Policy is empty.

The Web URL will likely point to properties such as the following:

${adfDomainConfig.oraclefusionapps.ucmAppInternalProtocol}://
${adfDomainConfig.oraclefusionapps.ucmAppInternalHost}:
${adfDomainConfig.oraclefusionapps.ucmAppInternalPort}/idcnativews

The following mBean operation provides the resolved output for the web service URL:

System MBeans > Application Defined MBeans > oracle.adf.share.connections > Server: [your server name] > Application: [your application name] > ADFConnections > ADFConnections > Operations Tab > exportWithResolvedExpressions > Invoke