| Oracle® Application Server Web Services Security Guide 10g (10.1.3.5.0) Part Number E13983-01 |
|
|
View PDF |
| Oracle® Application Server Web Services Security Guide 10g (10.1.3.5.0) Part Number E13983-01 |
|
|
View PDF |
This chapter describes solutions to some of the errors you might encounter when working with Oracle Application Server Web Services Security. The errors are divided into these categories.
When you are troubleshooting errors that occur on the client side, the important file to look at is the <generated_name>_Stub.xml deployment descriptor file. For errors that occur on the server side, the important files to check are the oracle-webservices.xml deployment descriptor and the wsmgtm.xml management configuration file.
Logging Errors
Errors are logged in the log.xml file (ORACLE_HOME/j2ee/home/log/oc4j/log.xml). To log the errors described in this appendix, set the logging level to TRACE:32 in the j2ee-logging.xml logging configuration file, then restart the Web service for the new value to take effect.
The value of the logging level cannot be reset with Application Server Control.
Error Numbers
Error numbers for the current release (10.1.3.1.0) of Web Services Security have the format OWS-20nnn where n represents an integer. In previous releases, they have the format J2EE-WSEnnnnn.
Where appropriate, error numbers are listed for the errors described in this appendix.
See Also:
The appendix "Error Message Prefixes" in the Oracle Application Server Web Services Developer's Guide describes all of the prefixes for OracleAS Web Services error messages.
Missing <wsse:Security> in SOAP header
This error message is thrown when the incoming message is missing the security header. Check that the client outbound policy is present in <generated_name>_Stub.xml client-side deployment descriptor and the server outbound policy is present in the oracle-webservices.xml server-side deployment descriptor or the wsmgmt.xml file.
If the outbound policy (security configuration) does not exist, then check the Web service description and the port name. If you configured security only on the operation level, then make sure that the <runtime enabled="security"/> element is set at the port level.
SOAP must understand error
The enabled="security" attribute may be missing. Check whether the enabled="security" attribute is present in the oracle-webservices.xml file and in the client side management file. If it is present in oracle-webservices.xml then check it in the wsmgmt.xml file.
Unable to fetch realm
The realm name may be incorrect or missing. Check the default realm name in ORACLE_HOME/j2ee/home/config/jazn.xml file. If you have included your own orion-application.xml file, then check the realm name in the <jazn> element. The realm name must be a valid realm and must exist in the XML/LDAP repository base on the JAZN provider.
OWS-20098: Could not resolve subject key identifier
Make sure that the keystore contains the signer's public key certificate. For example, if the client side keystore has a signature key with the alias xyz, then the server side keystore must have the public key certificate corresponding to the alias xyz.
See "Using Keystores" for information on importing certificates into the keytool or Oracle Wallet.
Exception when validating the signer certificate path to the trusted root
Import the signer's certificate which contains the matching public key (which corresponds to signer's private key) and trusted CA certificates into the keystore. If the certificates are chained, you must import all of the certificates in the chain.
See "Using Keystores" for information on importing certificates into the keytool or Oracle Wallet.
OWS-20014: Certificate for encryption not found
The <recipient-key> element may be missing or may contain an incorrect value. Check the <recipient-key> element is present in the outbound <encrypt> element. It must point to a valid key; the key must be specified in the <key-store> element's path attribute. If you are using the <use-request-cert> element for encrypting the response back to the client using the client's public key, make sure that the outbound policy for the client is configured with <x509-token/>.
For information on the <recipient-key> element, see "Encryption Elements for Outbound Messages". For information on the <use-request-cert> element, see "Encrypting a Message with a Signature Key".
OWS-20060, OWS-20061: No key/certificate exists for alias <some_alias>
Check that a private key or certificate with the specified alias is present in the keystore.
See "Using Keystores" for information on adding keys and certificates to the keystore or Oracle Wallet.
OWS-20063: Invalid recipient key alias
Check that you have included a public key with the correct recipient key alias in the keystore.
See "Using Keystores" for information on adding keys and certificates to the keystore or Oracle Wallet.
OWS-20074: Invalid keystore path
Check the value of the <key-store> element's path attribute is correct.
For the client side, the keystore path must be absolute. If the client application is deployed in the OC4J container, then it can be relative to ORACLE_HOME/j2ee/home.
For the server side port-level keystore, the path must be relative to the application's root directory. For example, if you have deployed an application test-application, the path to the keystore must be relative to the ORACLE_HOME/j2ee/instance/applications/test-application/ directory.
For the server side global-level keystore, the path must be relative to the ORACLE_HOME/j2ee/home/config directory.
If you are using the oracle.security.jazn.config system property to point to the config directory, then the server side global keystore path must be relative to the directory specified in this property. Note that this property is valid only for the server side global-level keystore path.
See "Keystore Elements" for more information on the <key-store> element.
Error reading keystore data
Check the value of the <key-store> element's password attribute. Either the password is incorrect or some one has tampered with the keystore.
See "Keystore Elements" for more information on the password attribute.
Error getting certificate chain with alias <some_alias>
Check that the certificate chain is present in the keystore. Use the keytool -list command to view your keystore.
See "Using Keystores" for more information on keytool commands.
Error getting trusted certificates
Check that you have added all the trusted CA certificates to the keystore. Use the keytool -list command to view your keystore.
See "Using Keystores" for more information on keytool commands.
Element with specific namespace and local part must be signed
In the outbound <signature> element, make sure that the values for the name-space and local-part attributes of <tbs-elements> are correct. These values must match the name-space and the local-part values for the element expected to be signed in the inbound <verify-signature> element.
For more information on these elements, see "Signature Verification Elements for Inbound Messages" and "Signature Elements for Outbound Messages".
Element with specific namespace and local part not found
In the outbound <signature> element, make sure that the values for the name-space and local-part attributes of <tbs-elements> are present and correct.
For more information on these elements and attributes, see"Signature Elements for Outbound Messages".
Missing created or Missing timestamp
The outbound <signature> element must contain an <add-timestamp> element with its created attribute set to true. For example:
<signature>
<add-timestamp created="true" expiry="28800"/>
</signature>
See "Signature Elements for Outbound Messages" for more information about the <add-timestamp> element.
Timestamp expired
This indicates that there may be a mis-match between the clock times on the machines on which the client and Web service application run. Set the clock-skew property in the inbound <verify-signature> element to adjust the time difference between the machines. The value is in milliseconds. For example:
<verify-signature>
<property name="clock-skew" value="5000"/>
</ verify-signature>
For more information on using clock skew, see "Adjusting the Clock Skew Between a Client and a Web Service Application".
Invalid timestamp
This indicates that there may be a mis-match between the clock times on the machines on which the client and Web service application run. Check the value of the timestamp set in the request, and adjust the setting of the clock-skew property in the inbound <verify-signature> element.
The value of the timestamp in the request message must be earlier than the value (message arrival time – clock skew).
For more information on using clock skew, see "Adjusting the Clock Skew Between a Client and a Web Service Application".
Policy requires integrity
Check that the outbound <signature> element contains a valid configuration. It must also match the inbound <verify-signature> configuration (if it is present).
For more information on these elements, see "Signature Verification Elements for Inbound Messages" and "Signature Elements for Outbound Messages".
OWS-20005: Element not found for signing
In the outbound policy <signature> element, check that the values of the name-space and local-part attributes of <tbs-elements> are valid.
For more information on these elements, see "Signature Elements for Outbound Messages".
OWS-20096: Signature certificate missing Subject Key Identifier
Check the signature key that you have configured for signing. The public key certificate must have a Subject Key Identifier extension.
OWS-20015: Cannot use certificate for KEY_ENCIPHERMENT
Check that the recipient-key (or client signature key in the case of use-request-cert) has a key usage extension with value key encipherment.
OWS-20018, OWS-20019: Signature key/certificate not found
Check that the <signature-key> element has been configured with a valid alias and password. The private key or certificate must be present in the keystore configured in the <key-store> tag.
For more information on these elements, see "Keystore Elements" and "Signature and Encryption Key Elements".
Invalid <signature-methods/> configured must have at least one signature algorithm
The <signature-methods> element in the inbound <verify-signature> element is optional. It should be omitted if no signature algorithms are being specified. If the <signature-methods> element is present, then it must have at least one valid signature algorithm. Acceptable signature algorithms are RSA-SHA1 (default), RSA-MD5, and DSA-SHA1.
For more information on the <signature-methods> element, see "Signature Verification Elements for Inbound Messages".
No errors are returned if a Web service that requires signed messages receives unsigned messages
If a client sends unsigned messages to a Web service that is configured to accept only signed messages, no errors or exceptions are returned.
Incorrect error returned by Web services configured for signature verification
If a client sends an encrypted message to a Web service configured for signature verification, a null pointer exception is returned. This is an incorrect exception for this problem. The correct exception should be oracle.j2ee.ws.common.soap.fault.SOAP11FaultException with an appropriate string message.
OWS-20002: Encryption key not found at Port/Global Level
You will see this error message if the inbound policy is configured to <decrypt> and the encryption key is missing at port/global level. Check the <encryption-key> element and the <key-store> element. Make sure that the values for the alias and password attributes are correct.
For more information on these elements, see "Keystore Elements" and "Signature and Encryption Key Elements".
URI content must be encrypted
In the outbound <encrypt> element, check that the <tbe-element> subelement in the <tbe-elements> element has the correct name-space and local-part attribute values.
For more information on the <tbe-element> subelement, see "Encryption Elements for Outbound Messages".
Policy requires confidentiality
Check that the outbound <encrypt> element has a valid configuration and matches the configuration of the inbound <decrypt> element.
For more information about these elements, see "Decryption Elements for Inbound Messages" and "Encryption Elements for Outbound Messages".
Invalid <keytransport-methods/> configured. Must have at least one algorithm
The <keytransport-methods> element in the inbound <decrypt> element is optional and should be omitted if no key transport methods are being specified. If the <keytransport-methods> element is present, then it must have at least one valid key transport algorithm. Acceptable key transport algorithms are RSA-1_5 (default) or RSA-OAEP-MGF1P.
For more information on the <keytransport-methods> element, see "Decryption Elements for Inbound Messages".
Invalid <encryption-methods/> configured. Must have at least one algorithm.
The <encryption-methods> element in the inbound <decrypt> element is optional and should be omitted if no encryption methods are being specified. If the <encryption-methods> element is present, then it must have at least one valid encryption algorithm. Acceptable encryption algorithms are 3DES, AES-128 (default), and AES-192.
For more information on the <encryption-methods> element, see "Decryption Elements for Inbound Messages".
Invalid security token specified
An Invalid security token specified or similar error message is returned when attempting to invoke the Web service.
There could be several reasons for this error:
For a user name token with plain text password authentication:
An incorrect user name was entered.
An incorrect password was entered.
An incorrect realm <realm name>/<user name> was entered. Check whether the realm name and user name are correct. Check whether the format is correct. For example, the format requires a forward slash (/), not a double slash (//) or backslash (\).
An incorrect value for the password-type attribute was entered. The value should be PLAINTEXT (one word). Check that it was not entered as two words or misspelled.
For a user name token with digest password authentication:
Check all of the reasons listed under user name token with plain text password authentication (described earlier).
An incorrect value for the password-type attribute was entered. The value should be DIGEST.
Check the values for the add-nonce and add-created attributes. For digest password authentication, these attributes should always be set to true.
For X.509 token authentication:
By default, the service expects RSA-SHA1 as the certificate's key encryption algorithm. If DSA was used as the certificate's key encryption algorithm instead, then check that it was correctly configured. The server and client side configuration should explicitly specify DSA as the signature method.
For SAML token authentication:
An incorrect user name was entered.
Policy requires authentication token
The outbound policy must have one of the authentication tokens expected by the server. For example, if your inbound policy contains <verify-x509-token> and <verify-username-token> then your outbound policy must have either <username-token> or <x509-token>.
Note:
Only one authentication token can be included in the outbound policy. The inbound policy can have more than one authentication token.Encryption element not found
In the outbound <encrypt> element, check that the <tbe-element> subelement in the <tbe-elements> element has valid name-space and local-part attribute values.
For more information on these attributes, see "Encryption Elements for Outbound Messages".
Invalid subject-confirmation method
Check that the subject <confirmation-method> subelement in the <saml-token> element contains a valid value. The acceptable confirmation methods are SENDER-VOUCHES (default), SENDER-VOUCHES-UNSIGNED, and HOLDER-OF-KEY.
For more information on the <confirmation-method> subelement, see "SAML Token Elements for Outbound Messages".
Cannot find X.509 token
Check that the configuration for the <signature-key> element contains valid values for the alias and password attributes.
The private key with the alias value must exist in the keystore.
For more information on checking the keystore contents, see"Using Keystores". For more information on the <signature-key> element, see "Signature and Encryption Key Elements".
OWS-20012: No username found
Check that the <username-token> element in the outbound policy has a valid name attribute. If you are setting the user name with Stub.USERNAME_PROPERTY, then check that the value that is set by this property is correct. If you are using a callback handler, then check the value set in the Namecallback.
For more information about the <username-token> element, see "Username Token Elements for Outbound Messages". For more information about using Stub properties and callback handlers, see "How to Configure the Username Token for the Client Side".
OWS-20022: Invalid assertion, missing public key
Check the definition of the holder-of-key assertion. The assertion must contain the user's public key in the subject.
Cannot authenticate user or invalid token
The primary reason for this error is that the user cannot be found in the repository. Depending on your provider, different attributes are used to map the user. Check that the mapping attribute and the realm name is correct in the jazn.xml file. Also, if the provider is XML, then check the location of the jazn-data.xml file specified in orion-application.xml. By default, this will be system-jazn-data.xml and the user must be present in this repository. If there is a local jazn-data.xml file, then the user must be present in this file. By default, for an XML provider, the mapping attribute is CN.
|
 Copyright © 2006, 2009, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|