| Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service 11g Release 1 (11.1.1) Part Number E15478-06 |
|
|
PDF · Mobi · ePub |
| Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service 11g Release 1 (11.1.1) Part Number E15478-06 |
|
|
PDF · Mobi · ePub |
This chapter provides troubleshooting tips for Oracle Security Token Service:
Problem: Authorization Failure during Token Issuance operation
During a WS-Trust request issuance operation, the Oracle Security Token Service returns an error.
Error Message
The following are sample error messages that can be seen in the logs:
<Error> <oracle.security.fed.controller.ApplicationController> <STS-12064> <Exception: {0}
oracle.security.fed.event.EventException: oracle.security.fed.event.EventException: Authorization Failure for Relying Party=%RELYING_PARTY_ID%, Requester=%REQUESTER_ID% and User=%USER_ID%
When:
%RELYING_PARTY_ID% indicates the Relying Party Partner ID.
If the WS-Trust request did not contain an AppliesTo element, then the %RELYING_PARTY_ID% is set to MissingRP
if the WS-Trust request contained an AppliesTo element but it could not be mapped to a Relying Party Partner, then the %RELYING_PARTY_ID% is set to UnknownRP
if the WS-Trust request contained an AppliesTo element and it was mapped to a Relying Party Partner, then the %RELYING_PARTY_ID% is set to Relying Party Partner ID.
%REQUESTER_ID% is set to the Requester Partner ID, if the incoming request was mapped to a Requester Partner. If %REQUESTER_ID% is not null, it will be used when evaluating the Token Issuance Policy, against any present Identity Constraint.
%USER_ID% is set to the User ID, if the incoming request was mapped to a user record. If %USER_ID% is not null and if %REQUESTER_ID% is null, it will be used when evaluating the Token Issuance Policy, against any present Identity Constraint.
Issue
The Token Issuance Policy evaluation failed due to one of the following reasons:
No TokenServiceRP resource referencing the %RELYING_PARTY_ID% is defined and assigned to a Token Issuance Policy. In this case, create TokenServiceRP resource referencing the %RELYING_PARTY_ID% and assign it to a Token Issuance Policy.
A TokenServiceRP resource referencing the %RELYING_PARTY_ID% exists and is assigned to a Token Issuance Policy, but the policy contains constraints that are not met. In this case, review the policy rules: if the policies are correct, then the client is not allowed to request a token; otherwise, update the policies/constraints to include the client's identity.
Problem: Endpoint not found
When accessing an Oracle Security Token Service endpoint that has been added via the OAM/OSTS console, the server returns an error indicating that the page does not exist when retrieving the WSDL policy or that the endpoint does not exist.
Error Message
The following are possible error messages:
When retrieving the WSDL policy, a 404 HTTP error code is returned.
When sending a WS-Trust request, an error is reported:
<Error> <oracle.webservices.service> <OWS-04115> <An error occurred for port: PortableProvider: oracle.j2ee.ws.server.EndpointNotFoundException: /PATH.>
Solution
The Oracle Security Token Service application is deployed but not enabled. To enable Oracle Security Token Service, perform the following operations:
Go to the OAM Admin console.
Navigate to System Configuration, select Common Configuration, then select Available Services.
Enable Oracle Security Token Service.
Oracle Security Token Service will detect the change and will publish the endpoints. No restart is required.
Problem: Failure to map the AppliesTo element to a Relying Party Partner
When Oracle Security Token Service processes a WS-Trust request with an AppliesTo element referencing the Web Service Provider, the server will attempt to map the location contained in the AppliesTo element to an Oracle Security Token Service Relying Party Partner using the Resource URL defined in the Partner entry. If such a mapping fails, the server will log an Info message in the logs indicating that the operation failed and indicating what was the AppliesTo address used.
Error Message
The following is a sample of an error message:
[2011-04-22T15:08:12.632-07:00] [oam_server1] [NOTIFICATION] [STS-15542] [oracle.security.fed.eventhandler.sts.creation.v13.CreateV13TokenEventHandler] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: f00aacae2d3f3ded:125005ed:12f7f412274:-8000-0000000000000016,0] [WEBSERVICE_PORT.name: wssuser-port] [APP: oam_server] [J2EE_MODULE.name: sts] [WEBSERVICE.name: wssuser-serviceSoap12] [J2EE_APP.name: oam_server] The mapping of the AppliesTo element from the WS-Trust Request to a Relying Party Partner failed: could not map http://relying.party.test.com/testing/service
Solution
If the AppliesTo location should have been mapped to a Relying Party Partner, then the Partner settings should be verified to ensure that the Resource URLs are correctly defined to:
be the exact match of the AppliesTo address
be a parent of the AppliesTo address.
For example, if the AppliesTo address is http://relying.party.test.com/testing/service, a parent could be http://relying.party.test.com/testing/ or http://relying.party.test.com/. In both cases, the AppliesTo location would be mapped to a Relying Party Partner with any of those Resource URLs defined.
Note:
this message is recorded at Notification level, thus in order for OSTS to record it, the appropriate logging level must be set to include the Notification:1 level.In certain cases, failure to correctly map the AppliesTo address to a Relying Party Partner will result in errors due to:
Authorization evaluation failures
Oracle Security Token Service not being able to retrieve certificate belonging to the Relying Party Partner.
|
 Copyright © 2000, 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|