Oracle® Application Server Web Services Security Guide 10g (10.1.3.5.0) Part Number E13983-01 |
|
|
View PDF |
This chapter describes solutions to some of the errors you might encounter when working with Oracle Application Server Web Services Security. The errors are divided into these categories.
When you are troubleshooting errors that occur on the client side, the important file to look at is the <
generated_name
>_Stub.xml
deployment descriptor file. For errors that occur on the server side, the important files to check are the oracle-webservices.xml
deployment descriptor and the wsmgtm.xml
management configuration file.
Logging Errors
Errors are logged in the log.xml
file (ORACLE_HOME
/j2ee/home/log/oc4j/log.xml
). To log the errors described in this appendix, set the logging level to TRACE:32
in the j2ee-logging.xml
logging configuration file, then restart the Web service for the new value to take effect.
The value of the logging level cannot be reset with Application Server Control.
Error Numbers
Error numbers for the current release (10.1.3.1.0) of Web Services Security have the format OWS-20
nnn where n represents an integer. In previous releases, they have the format J2EE-WSE
nnnnn.
Where appropriate, error numbers are listed for the errors described in this appendix.
See Also:
The appendix "Error Message Prefixes" in the Oracle Application Server Web Services Developer's Guide describes all of the prefixes for OracleAS Web Services error messages.
Missing <wsse:Security> in SOAP header
This error message is thrown when the incoming message is missing the security header. Check that the client outbound policy is present in <
generated_name
>_Stub.xml
client-side deployment descriptor and the server outbound policy is present in the oracle-webservices.xml
server-side deployment descriptor or the wsmgmt.xml
file.
If the outbound policy (security configuration) does not exist, then check the Web service description and the port name. If you configured security only on the operation level, then make sure that the <runtime enabled="security"/>
element is set at the port level.
SOAP must understand error
The enabled="security"
attribute may be missing. Check whether the enabled="security"
attribute is present in the oracle-webservices.xml
file and in the client side management file. If it is present in oracle-webservices.xml
then check it in the wsmgmt.xml
file.
Unable to fetch realm
The realm name may be incorrect or missing. Check the default realm name in ORACLE_HOME
/j2ee/home/config/jazn.xml
file. If you have included your own orion-application.xml
file, then check the realm name in the <jazn>
element. The realm name must be a valid realm and must exist in the XML/LDAP repository base on the JAZN provider.
OWS-20098: Could not resolve subject key identifier
Make sure that the keystore contains the signer's public key certificate. For example, if the client side keystore has a signature key with the alias xyz
, then the server side keystore must have the public key certificate corresponding to the alias xyz
.
See "Using Keystores" for information on importing certificates into the keytool or Oracle Wallet.
Exception when validating the signer certificate path to the trusted root
Import the signer's certificate which contains the matching public key (which corresponds to signer's private key) and trusted CA certificates into the keystore. If the certificates are chained, you must import all of the certificates in the chain.
See "Using Keystores" for information on importing certificates into the keytool or Oracle Wallet.
OWS-20014: Certificate for encryption not found
The <recipient-key>
element may be missing or may contain an incorrect value. Check the <recipient-key>
element is present in the outbound <encrypt>
element. It must point to a valid key; the key must be specified in the <key-store>
element's path
attribute. If you are using the <use-request-cert>
element for encrypting the response back to the client using the client's public key, make sure that the outbound policy for the client is configured with <x509-token/>
.
For information on the <recipient-key>
element, see "Encryption Elements for Outbound Messages". For information on the <use-request-cert>
element, see "Encrypting a Message with a Signature Key".
OWS-20060, OWS-20061: No key/certificate exists for alias <some_alias>
Check that a private key or certificate with the specified alias is present in the keystore.
See "Using Keystores" for information on adding keys and certificates to the keystore or Oracle Wallet.
OWS-20063: Invalid recipient key alias
Check that you have included a public key with the correct recipient key alias in the keystore.
See "Using Keystores" for information on adding keys and certificates to the keystore or Oracle Wallet.
OWS-20074: Invalid keystore path
Check the value of the <key-store>
element's path
attribute is correct.
For the client side, the keystore path must be absolute. If the client application is deployed in the OC4J container, then it can be relative to ORACLE_HOME
/j2ee/home
.
For the server side port-level keystore, the path must be relative to the application's root directory. For example, if you have deployed an application test-application
, the path to the keystore must be relative to the ORACLE_HOME
/j2ee/instance/applications/test-application/
directory.
For the server side global-level keystore, the path must be relative to the ORACLE_HOME
/j2ee/home/config
directory.
If you are using the oracle.security.jazn.config
system property to point to the config
directory, then the server side global keystore path must be relative to the directory specified in this property. Note that this property is valid only for the server side global-level keystore path.
See "Keystore Elements" for more information on the <key-store>
element.
Error reading keystore data
Check the value of the <key-store>
element's password
attribute. Either the password is incorrect or some one has tampered with the keystore.
See "Keystore Elements" for more information on the password
attribute.
Error getting certificate chain with alias <some_alias>
Check that the certificate chain is present in the keystore. Use the keytool -list
command to view your keystore.
See "Using Keystores" for more information on keytool commands.
Error getting trusted certificates
Check that you have added all the trusted CA certificates to the keystore. Use the keytool -list
command to view your keystore.
See "Using Keystores" for more information on keytool commands.
Element with specific namespace and local part must be signed
In the outbound <signature>
element, make sure that the values for the name-space
and local-part
attributes of <tbs-elements>
are correct. These values must match the name-space
and the local-part
values for the element expected to be signed in the inbound <verify-signature>
element.
For more information on these elements, see "Signature Verification Elements for Inbound Messages" and "Signature Elements for Outbound Messages".
Element with specific namespace and local part not found
In the outbound <signature>
element, make sure that the values for the name-space
and local-part
attributes of <tbs-elements>
are present and correct.
For more information on these elements and attributes, see"Signature Elements for Outbound Messages".
Missing created or Missing timestamp
The outbound <signature>
element must contain an <add-timestamp>
element with its created
attribute set to true
. For example:
<signature>
<add-timestamp created="true" expiry="28800"/>
</signature>
See "Signature Elements for Outbound Messages" for more information about the <add-timestamp>
element.
Timestamp expired
This indicates that there may be a mis-match between the clock times on the machines on which the client and Web service application run. Set the clock-skew
property in the inbound <verify-signature>
element to adjust the time difference between the machines. The value is in milliseconds. For example:
<verify-signature>
<property name="clock-skew" value="5000"/>
</ verify-signature>
For more information on using clock skew, see "Adjusting the Clock Skew Between a Client and a Web Service Application".
Invalid timestamp
This indicates that there may be a mis-match between the clock times on the machines on which the client and Web service application run. Check the value of the timestamp set in the request, and adjust the setting of the clock-skew
property in the inbound <verify-signature>
element.
The value of the timestamp in the request message must be earlier than the value (message arrival time – clock skew).
For more information on using clock skew, see "Adjusting the Clock Skew Between a Client and a Web Service Application".
Policy requires integrity
Check that the outbound <signature>
element contains a valid configuration. It must also match the inbound <verify-signature>
configuration (if it is present).
For more information on these elements, see "Signature Verification Elements for Inbound Messages" and "Signature Elements for Outbound Messages".
OWS-20005: Element not found for signing
In the outbound policy <signature>
element, check that the values of the name-space
and local-part
attributes of <tbs-elements>
are valid.
For more information on these elements, see "Signature Elements for Outbound Messages".
OWS-20096: Signature certificate missing Subject Key Identifier
Check the signature key that you have configured for signing. The public key certificate must have a Subject Key Identifier extension.
OWS-20015: Cannot use certificate for KEY_ENCIPHERMENT
Check that the recipient-key (or client signature key in the case of use-request-cert
) has a key usage extension with value key encipherment.
OWS-20018, OWS-20019: Signature key/certificate not found
Check that the <signature-key>
element has been configured with a valid alias and password. The private key or certificate must be present in the keystore configured in the <key-store>
tag.
For more information on these elements, see "Keystore Elements" and "Signature and Encryption Key Elements".
Invalid <signature-methods/> configured must have at least one signature algorithm
The <signature-methods>
element in the inbound <verify-signature>
element is optional. It should be omitted if no signature algorithms are being specified. If the <signature-methods>
element is present, then it must have at least one valid signature algorithm. Acceptable signature algorithms are RSA-SHA1
(default), RSA-MD5
, and DSA-SHA1
.
For more information on the <signature-methods>
element, see "Signature Verification Elements for Inbound Messages".
No errors are returned if a Web service that requires signed messages receives unsigned messages
If a client sends unsigned messages to a Web service that is configured to accept only signed messages, no errors or exceptions are returned.
Incorrect error returned by Web services configured for signature verification
If a client sends an encrypted message to a Web service configured for signature verification, a null pointer exception is returned. This is an incorrect exception for this problem. The correct exception should be oracle.j2ee.ws.common.soap.fault.SOAP11FaultException
with an appropriate string message.
OWS-20002: Encryption key not found at Port/Global Level
You will see this error message if the inbound policy is configured to <decrypt>
and the encryption key is missing at port/global level. Check the <encryption-key>
element and the <key-store>
element. Make sure that the values for the alias
and password
attributes are correct.
For more information on these elements, see "Keystore Elements" and "Signature and Encryption Key Elements".
URI content must be encrypted
In the outbound <encrypt>
element, check that the <tbe-element>
subelement in the <tbe-elements>
element has the correct name-space
and local-part
attribute values.
For more information on the <tbe-element>
subelement, see "Encryption Elements for Outbound Messages".
Policy requires confidentiality
Check that the outbound <encrypt>
element has a valid configuration and matches the configuration of the inbound <decrypt>
element.
For more information about these elements, see "Decryption Elements for Inbound Messages" and "Encryption Elements for Outbound Messages".
Invalid <keytransport-methods/> configured. Must have at least one algorithm
The <keytransport-methods>
element in the inbound <decrypt>
element is optional and should be omitted if no key transport methods are being specified. If the <keytransport-methods>
element is present, then it must have at least one valid key transport algorithm. Acceptable key transport algorithms are RSA-1_5
(default) or RSA-OAEP-MGF1P
.
For more information on the <keytransport-methods>
element, see "Decryption Elements for Inbound Messages".
Invalid <encryption-methods/> configured. Must have at least one algorithm.
The <encryption-methods>
element in the inbound <decrypt>
element is optional and should be omitted if no encryption methods are being specified. If the <encryption-methods>
element is present, then it must have at least one valid encryption algorithm. Acceptable encryption algorithms are 3DES
, AES-128
(default), and AES-192
.
For more information on the <encryption-methods>
element, see "Decryption Elements for Inbound Messages".
Invalid security token specified
An Invalid security token specified
or similar error message is returned when attempting to invoke the Web service.
There could be several reasons for this error:
For a user name token with plain text password authentication:
An incorrect user name was entered.
An incorrect password was entered.
An incorrect realm <realm name>/
<user name> was entered. Check whether the realm name and user name are correct. Check whether the format is correct. For example, the format requires a forward slash (/
), not a double slash (//
) or backslash (\
).
An incorrect value for the password-type
attribute was entered. The value should be PLAINTEXT
(one word). Check that it was not entered as two words or misspelled.
For a user name token with digest password authentication:
Check all of the reasons listed under user name token with plain text password authentication (described earlier).
An incorrect value for the password-type attribute was entered. The value should be DIGEST
.
Check the values for the add-nonce
and add-created
attributes. For digest password authentication, these attributes should always be set to true
.
For X.509 token authentication:
By default, the service expects RSA-SHA1
as the certificate's key encryption algorithm. If DSA was used as the certificate's key encryption algorithm instead, then check that it was correctly configured. The server and client side configuration should explicitly specify DSA as the signature method.
For SAML token authentication:
An incorrect user name was entered.
Policy requires authentication token
The outbound policy must have one of the authentication tokens expected by the server. For example, if your inbound policy contains <verify-x509-token>
and <verify-username-token>
then your outbound policy must have either <username-token>
or <x509-token>
.
Note:
Only one authentication token can be included in the outbound policy. The inbound policy can have more than one authentication token.Encryption element not found
In the outbound <encrypt>
element, check that the <tbe-element>
subelement in the <tbe-elements>
element has valid name-space
and local-part
attribute values.
For more information on these attributes, see "Encryption Elements for Outbound Messages".
Invalid subject-confirmation method
Check that the subject <confirmation-method>
subelement in the <saml-token>
element contains a valid value. The acceptable confirmation methods are SENDER-VOUCHES
(default), SENDER-VOUCHES-UNSIGNED
, and HOLDER-OF-KEY
.
For more information on the <confirmation-method>
subelement, see "SAML Token Elements for Outbound Messages".
Cannot find X.509 token
Check that the configuration for the <signature-key>
element contains valid values for the alias
and password
attributes.
The private key with the alias
value must exist in the keystore.
For more information on checking the keystore contents, see"Using Keystores". For more information on the <signature-key>
element, see "Signature and Encryption Key Elements".
OWS-20012: No username found
Check that the <username-token>
element in the outbound policy has a valid name
attribute. If you are setting the user name with Stub.USERNAME_PROPERTY
, then check that the value that is set by this property is correct. If you are using a callback handler, then check the value set in the Namecallback
.
For more information about the <username-token>
element, see "Username Token Elements for Outbound Messages". For more information about using Stub properties and callback handlers, see "How to Configure the Username Token for the Client Side".
OWS-20022: Invalid assertion, missing public key
Check the definition of the holder-of-key assertion. The assertion must contain the user's public key in the subject.
Cannot authenticate user or invalid token
The primary reason for this error is that the user cannot be found in the repository. Depending on your provider, different attributes are used to map the user. Check that the mapping attribute and the realm name is correct in the jazn.xml
file. Also, if the provider is XML, then check the location of the jazn-data.xml
file specified in orion-application.xml
. By default, this will be system-jazn-data.xml
and the user must be present in this repository. If there is a local jazn-data.xml
file, then the user must be present in this file. By default, for an XML provider, the mapping attribute is CN
.