36 Troubleshooting Security Token Service

This chapter provides troubleshooting tips for Security Token Service:

36.1 Authorization Issues

Problem: Authorization Failure during Token Issuance operation

During a WS-Trust request issuance operation, the Security Token Service returns an error.

Error Message

The following are sample error messages that can be seen in the logs:

<Error> <oracle.security.fed.controller.ApplicationController> <STS-12064> <Exception: {0}
oracle.security.fed.event.EventException: oracle.security.fed.event.EventException: Authorization Failure for Relying Party=%RELYING_PARTY_ID%, Requester=%REQUESTER_ID% and User=%USER_ID%

When:

  • %RELYING_PARTY_ID% indicates the Relying Party Partner ID.

    • If the WS-Trust request did not contain an AppliesTo element, then %RELYING_PARTY_ID% is set to MissingRP.

    • If the WS-Trust request contained an AppliesTo element but it could not be mapped to a Relying Party Partner, then %RELYING_PARTY_ID% is set to UnknownRP.

    • If the WS-Trust request contained an AppliesTo element and it was mapped to a Relying Party Partner, then %RELYING_PARTY_ID% is set to the Relying Party Partner ID.

  • %REQUESTER_ID% is set to the Requester Partner ID if the incoming request was mapped to a Requester Partner. If %REQUESTER_ID% is not null, it is the identity used when evaluating the Token Issuance Policy against any Identity Condition present.

  • %USER_ID% is set to the User ID if the incoming request was mapped to a user record. If %USER_ID% is not null and %REQUESTER_ID% is null, %USER_ID% is the identity used when evaluating the Token Issuance Policy against any Identity Condition present.

Issue

The Token Issuance Policy evaluation failed due to one of the following reasons:

  • No TokenServiceRP resource referencing the %RELYING_PARTY_ID% is defined and assigned to a Token Issuance Policy. In this case, create a TokenServiceRP resource referencing the %RELYING_PARTY_ID% and assign it to a Token Issuance Policy.

  • A TokenServiceRP resource referencing the %RELYING_PARTY_ID% exists and is assigned to a Token Issuance Policy, but the policy contains conditions that are not met. In this case, review the policy rules: if the policies are correct, then the client is not allowed to request a token; otherwise, update the policies/conditions to include the client's identity.

36.2 Endpoint Issues

Problem: Endpoint not found

When accessing a Security Token Service endpoint that has been added via the Oracle Access Management Console, the server returns an error indicating that the page does not exist (when retrieving the WSDL policy) or that the endpoint does not exist.

Error Message

The following are possible error messages:

  • When retrieving the WSDL policy, a 404 HTTP error code is returned.

  • When sending a WS-Trust request, an error is reported:

    <Error> <oracle.webservices.service> <OWS-04115> <An error occurred for port: PortableProvider: oracle.j2ee.ws.server.EndpointNotFoundException: /PATH.>

Solution

Security Token Service is deployed but not enabled. To enable Security Token Service, perform the following operations:

  1. Go to the Oracle Access Management Console.

  2. Navigate to System Configuration, select Common Configuration, then select Available Services.

  3. Enable Security Token Service.

Security Token Service detects the change and publishes the endpoints. No restart is required.

36.3 Mapping Operation Issues

Problem: Failure to map the AppliesTo element to a Relying Party Partner

When Security Token Service processes a WS-Trust request with an AppliesTo element referencing the Web Service Provider, the server attempts to map the location contained in the AppliesTo element to a Security Token Service Relying Party Partner using the Resource URL defined in the Partner entry. If this mapping fails, the server logs an Info message indicating that the operation failed and which AppliesTo address was used.

Error Message

The following is a sample of an error message:

[2011-04-22T15:08:12.632-07:00] [oam_server1] [NOTIFICATION] [STS-15542] [oracle.security.fed.eventhandler.sts.creation.v13.CreateV13TokenEventHandler] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: f00aacae2d3f3ded:125005ed:12f7f412274:-8000-0000000000000016,0] [WEBSERVICE_PORT.name: wssuser-port] [APP: oam_server] [J2EE_MODULE.name: sts] [WEBSERVICE.name: wssuser-serviceSoap12] [J2EE_APP.name: oam_server] The mapping of the AppliesTo element from the WS-Trust Request to a Relying Party Partner failed: could not map http://relying.party.test.com/testing/service

Solution

If the AppliesTo location should have been mapped to a Relying Party Partner, verify the Partner settings to ensure that the Resource URLs are correctly defined to either:

  • be an exact match of the AppliesTo address, or

  • be a parent of the AppliesTo address.

    For example, if the AppliesTo address is http://relying.party.test.com/testing/service, a parent could be http://relying.party.test.com/testing/ or http://relying.party.test.com/. In both cases, the AppliesTo location would be mapped to a Relying Party Partner that has any of those Resource URLs defined.

Note: This message is recorded at Notification level, so for Security Token Service to record it, the logging level must be set to include the Notification:1 level.
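The following Python is an added illustration, not Oracle's code and not the product's actual matching implementation. It models the two Resource URL rules above (exact match or parent location) and derives the %RELYING_PARTY_ID% and identity values described in Section 36.1; the partner IDs and URLs are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample Relying Party Partners: partner ID -> configured Resource URLs.
PARTNERS = {
    "TestRP": ["http://relying.party.test.com/testing/"],
    "OtherRP": ["https://other.example.com/svc"],
}

def _norm(url):
    """Split a URL into (scheme, host:port, path segments) for comparison.
    Default ports are filled in so http://h/ and http://h:80/ compare equal."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    port = u.port or {"http": 80, "https": 443}.get(u.scheme.lower())
    segs = [s for s in u.path.split("/") if s]
    return u.scheme.lower(), f"{host}:{port}", segs

def is_exact_or_parent(resource_url, applies_to):
    """True if resource_url equals applies_to or is a parent location of it.
    Matching is done on whole path segments, so /test is NOT a parent of
    /testing/service (a plain string-prefix check would wrongly accept it)."""
    r_scheme, r_host, r_segs = _norm(resource_url)
    a_scheme, a_host, a_segs = _norm(applies_to)
    return r_scheme == a_scheme and r_host == a_host and a_segs[:len(r_segs)] == r_segs

def map_applies_to(applies_to, partners=PARTNERS):
    """Return the %RELYING_PARTY_ID% value: the Partner ID, UnknownRP, or MissingRP."""
    if not applies_to:
        return "MissingRP"          # request carried no AppliesTo element
    best, best_depth = None, -1
    for partner_id, urls in partners.items():
        for url in urls:
            if is_exact_or_parent(url, applies_to):
                depth = len(_norm(url)[2])
                if depth > best_depth:  # prefer the most specific Resource URL
                    best, best_depth = partner_id, depth
    return best or "UnknownRP"      # AppliesTo present but no partner matched

def identity_for_policy(requester_id, user_id):
    """Identity evaluated against an Identity Condition: %REQUESTER_ID% when
    the request mapped to a Requester Partner, otherwise %USER_ID%."""
    return requester_id if requester_id is not None else user_id
```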

In certain cases, failure to correctly map the AppliesTo address to a Relying Party Partner will result in errors due to:

  • Authorization evaluation failures

  • Security Token Service not being able to retrieve the certificate belonging to the Relying Party Partner.