Oracle® Fusion Applications Administrator's Troubleshooting Guide 11g Release 6 (11.1.6) Part Number E25450-05
This chapter describes common problems that you might encounter when using Oracle WebCenter Content and explains how to solve them. This chapter contains the following topics:
Some procedures in this chapter reference content in the Oracle Fusion Middleware guides. These guides describe using Fusion Middleware Control. These procedures also apply to Fusion Applications Control.
This section provides guidelines and a process for using the information in this chapter. Using the following guidelines and process will focus and minimize the time you spend resolving problems.
Guidelines
When using the information in this chapter, Oracle recommends:
After performing any of the solution procedures in this chapter, immediately retrying the failed task that led you to this troubleshooting information. If the task still fails when you retry it, perform a different solution procedure in this chapter and then try the failed task again. Repeat this process until you resolve the problem.
Making notes about the solution procedures you perform, symptoms you see, and data you collect while troubleshooting. If you cannot resolve the problem using the information in this chapter and you must log a service request, the notes you make will expedite the process of solving the problem.
Process
Follow the process outlined in Table 11-1 when using the information in this chapter. If the information in a particular section does not resolve your problem, proceed to the next step in this process.
Table 11-1 Process for Using the Information in this Chapter
Step | Section to Use | Purpose |
---|---|---|
2 | Section 11.2 through Section 11.3 | Perform problem-specific troubleshooting procedures. These sections describe: |
3 | | Use My Oracle Support to get additional troubleshooting information about Oracle Fusion Applications or Oracle SOA Suite. My Oracle Support provides access to several useful troubleshooting resources, including Knowledge Base articles and Community Forums and Discussions. |
4 | | Log a service request if the information in this chapter and My Oracle Support does not resolve your problem. You can log a service request using My Oracle Support at |
Oracle WebCenter Content stores attachments. Within the Oracle Fusion Applications environment, attachments are secured by their corresponding content items. If you can access a content item, then you can access its attachment.
Problem
When the end-user attempts to add an attachment they receive the following message in a popup:
Warning: The file upload failed. The file could not be uploaded because it is too large.
The file selection field will also have been cleared.
Solution
The maximum size of a file that can be uploaded is managed by the Apache MyFaces Trinidad settings. The UPLOAD_MAX_MEMORY context parameter in the web.xml file can be added or modified to change this size from the default of 2 MB.
For more information, see the "Changing the Maximum File Upload Size" section in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal.
This section covers the following topics:
Problem
When the Content Server is down, it is not possible for any user to create, update or retrieve Content Server content. For example, the following error:
Error: Fails to access WSDL at <protocol://host:port/idcnativews/IdcWebRequestPort?WSDL>
Fails with the following response:
'503: Service Unavailable' for url 'protocol://host:port/idcnativews/IdcWebRequestPort?WSDL'
Solution
To resolve this issue:
Check that the connection end point is correct. If it is incorrect, update the CIS Web URL of the FusionAppsContentRepository Java Content Repository (JCR) connection to the correct value.
Restart Content Server if it is not available. See the "Starting and Stopping Content Server" section in the Oracle WebCenter Content System Administrator's Guide for Content Server.
Problem
The application using attachments is unable to connect to Content Server. When a connection failure occurs, it is not possible for any user to create, update or retrieve Content Server content. This occurs at the point where the application is attempting to connect and authorize the connection. The following are indications of a connection problem:
Clicking on the link of a file or text attachment displays a warning message instead of the attachment. For example:
Warning: The attachment information cannot be retrieved. (FND-2403)
The same text is shown for errors FND-2403 through FND-2405. These errors are all indicative of problems connecting to Content Server when trying to retrieve content.
Attempting to save an attachment results in an error message. For example:
Error: Your attachments changes cannot be saved. (FND-2408)
The same text is shown for errors FND-2407 through FND-2410. These errors are all indicative of problems connecting to Content Server when trying to save content.
No connection, folder or document is available to the document picker.
Message popup beginning with the following:
oracle.stellent.ridc.protocol.ProtocolException
Solution
To solve this problem:
Look for the error message number in the application log, for example, FND-2403. If there is no FND message then it is likely that the message is being bubbled up from Content Server or Oracle WebCenter Portal. Search for the text of the message in the application log. The exception message will provide additional context to help determine the root cause of the problem.
Check that the Content Server is running. Restart Content Server if it is not available. See the "Starting and Stopping Content Server" section in the Oracle WebCenter Content System Administrator's Guide for Content Server.
Determine if the JCR Connection is set correctly in this environment:
Check that the Content Server Connection has been defined. The connection name must be FusionAppsContentRepository, and must be defined as the primary Content Server connection.
The connection must be of socket type jaxws, with the Web URL configured to point to the Content Server native web services endpoint (the idcnativews endpoint). The Client Security Policy must be null, indicating that GPA (Global Policy Attachments) should be leveraged. A valid administrative user must also be specified as part of the definition. This connection definition is persisted in Oracle Metadata Repository, which happens automatically as a part of the setup. Hence, MDS Repository issues may result in issues for Attachments. For example, the connection specified in a connections.xml is overridden by the MDS Repository configuration.
You can use Oracle Enterprise Manager Fusion Applications Control (Fusion Applications Control) or WLST to view connection details. Verbose listing will also show that this is the primary connection.
To use the System MBean Browser in Fusion Applications Control to view the connection details
Navigate to a product family home page:
From the Targets menu, choose Fusion Applications.
The Fusion Applications target home page displays.
In the table on the Fusion Applications target home page, click the appropriate Product Family target.
From the navigation pane, expand the product family, then Fusion Applications.
Expand the cluster application you want to monitor to show each instance of the application.
Click one of the application deployment instances, for example, PayablesApp (PayablesSever_1).
The Fusion J2EE Application page displays.
From the Fusion J2EE Application menu, choose System MBean Browser.
In the System MBean Browser page, expand Application Defined MBeans.
Expand oracle.adf.share.connections, server name, application name, ADFConnections, JCR.
Click FusionAppsContentRepository.
In the Application Defined MBeans: JCR:FusionAppsContentRepository page, view the attribute value for RequestFileDirectory.
To use WLST:
From the fusionapps Middleware subdirectory, start the WLST:
(UNIX) FA_MW_HOME/oracle_common/common/bin/wlst.sh
(Windows) FA_MW_HOME\oracle_common\common/bin\wlst.cmd
where DOMAIN_HOME is located in the following locations:
(UNIX) APPLICATIONS_CONFIG/instance/domains/host/domain_name
(Windows) APPLICATIONS_CONFIG\instance\domains\host\domain_name
Connect to Oracle WebLogic Server.
Use WLST commands. For example:
listJCRContentServerConnections(appName='app_name',verbose=1)
FusionAppsContentRepository
Connection Name: FusionAppsContentRepository
Connection Type: JCR
External Appliction ID:
Timeout: (not set)
CIS Socket Type: jaxws
CIS Server Hostname:
CIS Server Port:
CIS Keystore Location:
CIS Private Key Alias:
CIS Web URL: http://abcd.example.com:15012/idcnativews
Web Server Context Root:
Client Security Policy:
Admin User Name: FUSION_APPS_SETUP_ADF_APPID
Cache Invalidation Interval: (not set)
Binary Cache Maximum Entry Size: (not set)
The Documents primary connection is "FusionAppsContentRepository"
The document picker used to select folders or documents from Content Server is provided by Web Center.
Problem
Clicking on the link of an Attachment results in a 404 (page not found) error. This occurs for all users of an application.
Solution
If the Attachment type is a file or text, then it is likely to be a problem with the GetHandler servlet.
The condition occurs when the GetHandler servlet is not running or the application has not been defined correctly.
One way to confirm that the servlet is available is to go to the console:
Deployments > Application > Application Root > Monitoring > Servlets
Restart the GetHandler servlet if it is not running.
If the servlet is running then the issue is likely to be with the configuration of the application. Contact the Oracle Fusion Applications product team to resolve the issue with the configuration of the application.
If the Attachment type is a URL, then the value needs to be corrected. This can be done by deleting and re-entering the URL attachment.
Problem
When the end-user attempts to create a new attachment, or view an existing attachment, they receive an insufficient privileges message. Here are some sample error messages which are either bubbled up to the user from Content Server or found in the logs:
Content item '(null)' was not successfully checked in. User '<USERNAME>' does not have sufficient privileges.
Unable to download 'DOCUMENTID'. User 'USERNAME' does not have sufficient privileges.
Content item '(null)' was not successfully checked in. Unable to execute service method 'checkSecurity'. The error was caused by an internally generated issue. The error has been logged.
user does not have sufficient privileges
Invalid Security: error in processing the WS-Security header
MustUnderstand headers:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security are not understood
internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName
com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName
dom.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName
Solution
The sufficient privileges message originates from Content Server. It means that the user for the Content Server connection does not have sufficient privileges to complete the requested steps. There are many possible misconfigurations that result in this error. It is indicative of a problem with the configuration of the underlying technology stack.
To resolve this issue, follow the procedures in the following tasks:
Check the application log for errors that occurred at this time and then follow the steps that match the reported error:
Section 11.3.4.1.1, "Misunderstood Headers or No Namespace URL Error"
Section 11.3.4.1.3, "Unable to Generate Digital Signature Error"
The following errors indicate the web service end point on Content Server may be missing the web service policy; this can be verified in a number of ways.
MustUnderstand headers:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security are not understood
com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName
From Fusion Applications Control:
From the navigation pane, expand the farm, Application Deployments, Internal Applications, Oracle UCM Native Web Services (UCMCluster).
Choose Oracle UCM Native Web Services (UCM_server1).
From the Application Deployment menu, choose Web Services.
In the Web Services home page, click the Web Service Endpoints tab.
Click the IdcWebLoginPort endpoint to view the configuration in the IdcWebLoginPort (Web Service Endpoint) page.
In the IdcWebLoginPort (Web Service Endpoint) page, click the WebLogic Policy Violations tab.
From Oracle WebLogic Server Administration Console:
From the left pane, from Domain Structure, select Deployments.
From the Summary of Deployments page, expand Oracle UCM Native Web Services and click IdcWebLoginService.
Click the Configuration tab, and then click the WS-Policy sub-tab.
Click IdcWebLoginPort to ensure the oracle/wss_saml_or_username_token_service_policy is associated.
From the WSDL URL
Point your browser to the following URL:
http://contentserver_host:contentserver_port/idcnativews/IdcWebLoginPort?WSDL
Check that the WSDL contains a binding reference to the appropriate service policy:
<wsp:PolicyReference URI="#wss_saml_or_username_token_service_policy" ...
The following exception occurs if the client GPA (Global Policy Attachments) is not set up correctly.
Invalid Security: error in processing the WS-Security header
GPA must be configured for Web Service Client (ws-client) on the client, and the policy must match and correspond to the service policy defined for the Content Server native web services endpoint. For example:
- If the service policy on Content Server login service is set to oracle/wss_saml_or_username_token_service_policy, then the client policy should be set to oracle/wss10_saml_token_client_policy
- If the service policy on Content Server login service is set to oracle/wss11_saml_or_username_token_with_message_protection_service_policy, then the client policy should be set to oracle/wss11_saml_token_with_message_protection_client_policy
Note that the GPA is set at the global domain level and impacts all domains. This is done as part of provisioning, and there is no explicit action to be done for Content Server Attachments in provisioning environments.
From WLST:
From the fusionapps Middleware subdirectory, start the WLST:
(UNIX) FA_MW_HOME/oracle_common/common/bin/wlst.sh
(Windows) FA_MW_HOME\oracle_common\common/bin\wlst.cmd
where DOMAIN_HOME is located in the following locations:
(UNIX) APPLICATIONS_CONFIG/instance/domains/host/domain_name
(Windows) APPLICATIONS_CONFIG\instance\domains\host\domain_name
Connect to Oracle WebLogic Server.
Run a listPolicySets() command and then an appropriate displayPolicySet('xxxx') command from the client domain to obtain details on the GPA defined.
...> listPolicySets()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
Global Policy Sets in Repository:
base-domain-ws-client
...> displayPolicySet('base-domain-ws-client')
Policy Set Details:
-------------------
Name: base-domain-ws-client
Type of Resources: Web Service Client
Scope of Resources: Domain("base_domain")
Description: Global policy attachments for Web Service Client resources.
Enabled: true
Policy Reference: security : oracle/wss10_saml_token_client_policy, enabled=true
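The service policy referenced in the IdcWebLoginPort WSDL and the client policy reported by displayPolicySet() can be compared mechanically against the two pairings listed above. The following is an added example, not Oracle code: the WSDL fragment is constructed, and treating a "#name" policy reference as "oracle/name" is an assumption drawn from the single example in this section.

```python
import re
import xml.etree.ElementTree as ET

# Service policy -> matching client policy: the two pairings listed in this section.
POLICY_PAIRS = {
    "oracle/wss_saml_or_username_token_service_policy":
        "oracle/wss10_saml_token_client_policy",
    "oracle/wss11_saml_or_username_token_with_message_protection_service_policy":
        "oracle/wss11_saml_token_with_message_protection_client_policy",
}

# Constructed, trimmed WSDL fragment for the IdcWebLoginPort binding.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <binding name="IdcWebLoginPortBinding">
    <wsp:PolicyReference URI="#wss_saml_or_username_token_service_policy"/>
  </binding>
</definitions>"""

# displayPolicySet() output as shown above.
SAMPLE_POLICY_SET = """Policy Set Details:
-------------------
Name: base-domain-ws-client
Type of Resources: Web Service Client
Scope of Resources: Domain("base_domain")
Enabled: true
Policy Reference: security : oracle/wss10_saml_token_client_policy, enabled=true
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def service_policies(wsdl_text):
    """Return the policy names referenced from <binding> elements of a WSDL."""
    names = []
    for binding in ET.fromstring(wsdl_text).iter():
        if _local(binding.tag) != "binding":
            continue
        for node in binding.iter():
            uri = node.get("URI", "")
            if _local(node.tag) == "PolicyReference" and uri.startswith("#"):
                name = "oracle/" + uri[1:]  # assumption: '#x' refers to 'oracle/x'
                if name not in names:
                    names.append(name)
    return names


def client_policies(policy_set_text):
    """Return the enabled security policies from displayPolicySet() output."""
    pattern = re.compile(r"security\s*:\s*(\S+?),\s*enabled=(true|false)")
    return [name for name, enabled in pattern.findall(policy_set_text)
            if enabled == "true"]


def check_pairing(wsdl_text, policy_set_text):
    """Return a list of findings; an empty list means the policies pair up."""
    findings = []
    services = service_policies(wsdl_text)
    clients = client_policies(policy_set_text)
    if not services:
        findings.append("binding has no PolicyReference: service policy is missing")
    for svc in services:
        expected = POLICY_PAIRS.get(svc)
        if expected is None:
            findings.append("%s is not one of the listed service policies" % svc)
        elif expected not in clients:
            findings.append("%s expects client policy %s, GPA has %s"
                            % (svc, expected, clients or "none"))
    return findings


if __name__ == "__main__":
    print(check_pairing(SAMPLE_WSDL, SAMPLE_POLICY_SET) or "policies match")
```
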
The following message indicates that there is a problem on the Oracle Fusion Applications side when attempting to generate a digital signature.
Unable to generate digital signature
If there is no such error, then skip to Section 11.3.4.2.
Keystore or Password Error
In some cases, the application log may contain the following message:
Keystore has been tampered with, or password is wrong
To resolve this error:
Determine the keystore location from Fusion Applications Control:
From the navigation pane, expand the farm and then WebLogic Domain.
Select the domain.
In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security > Security Provider Configuration.
In the Security Provider Configuration page, under Web Services Manager Authentication Providers, expand Keystore to see the location. The location is typically
(UNIX) DOMAIN_HOME/config/fmwconfig/default-keystore.jks
(Windows) DOMAIN_HOME\config\fmwconfig\default-keystore.jks
Validate the keystore password using the keytool tool, located in ORACLE_HOME/jdk/bin on UNIX and ORACLE_HOME\jdk\bin on Windows. For example:
keytool -list -v -keystore default-keystore.jks -storepass admin123
where admin123 is the keystore password.
The following error will occur if the password is incorrect:
java.security.UnrecoverableKeyException
Validate the private key alias and password using keytool. For example:
keytool -keypasswd -alias orakey -keypass welcome1 -new welcome1 -keystore default-keystore.jks -storepass admin123
where admin123 is the verified keystore password from Step 2, and welcome1 is the alias entry password.
The following error will occur if the password is incorrect.
java.security.UnrecoverableKeyException
The following error will occur if there is no key pair under the alias orakey.
java.lang.Exception
Validate that the correct passwords and entries exist in the credential store.
The credential store must contain valid password credentials for the oracle.wsm.security map providing the keystore access password, signing key alias and password, and encryption key alias and password.
Run the WLST listCred script with the appropriate map and key. See the section "listCred" in the Oracle Fusion Middleware Application Security Guide.
In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security > Security Provider Configuration.
Access Denied Error
The following error is indicative of a problem with configuration or provisioning of the application.
Access Denied
Contact the Oracle Fusion Applications product team to get the issue resolved.
To resolve this error:
Switch on logging for the FusionAppsAttachments component:
Log in to the UCM UI with administration privilege.
Go to Administration node > System Audit Information.
In the Tracing sections Information area, add fusionappsattachments to Active Sections.
Enable Save and Full Verbose Tracing.
Click Update.
View the logs:
Log in to the UCM UI with administration privilege.
Go to Administration node > System Audit Information.
Select View Server Output.
After re-running an attempt to retrieve or create an attachment, search for the string Signature Verification Failed.
Determine the keystore location from Fusion Applications Control:
From the navigation pane, expand the farm and then WebLogic Domain.
Select the domain.
In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security > Security Provider Configuration.
In the Security Provider Configuration page, under Web Services Manager Authentication Providers, expand Keystore to see the location. The location is typically
(UNIX) DOMAIN_HOME/config/fmwconfig/default-keystore.jks
(Windows) DOMAIN_HOME\config\fmwconfig\default-keystore.jks
Validate the keystore password using the keytool tool, located in ORACLE_HOME/jdk/bin on UNIX and ORACLE_HOME\jdk\bin on Windows. For example:
keytool -list -v -keystore default-keystore.jks -storepass admin123
where admin123 is the supposed keystore password.
The following error will occur if the password is incorrect:
java.security.UnrecoverableKeyException
Validate the private key alias and password using keytool. For example:
keytool -keypasswd -alias orakey -keypass welcome1 -new welcome1 -keystore default-keystore.jks -storepass admin123
where admin123 is the verified keystore password from Step 2, and welcome1 is the alias entry password.
The following error will occur if the password is incorrect.
java.security.UnrecoverableKeyException
The following error will occur if there is no key pair under the alias orakey.
java.lang.Exception
Validate that the correct passwords and entries exist in the credential store.
The credential store must contain valid password credentials for the oracle.wsm.security map providing the keystore access password, signing key alias and password, and encryption key alias and password.
Run the WLST listCred script with the appropriate map and key. See the section "listCred" in the Oracle Fusion Middleware Application Security Guide.
Correct the keystore or credential store if required:
Problem
The following error indicates that the public certificate associated with the private key used by the Attachments client was not found in the Content Server domain's keystore.
Public Certificate Map did not contain fingerprint: XXXX
Public Certificate is null; Unable to verify signature
In security-hardened environments whereby each domain is potentially using unique keypairs, the client's public certificate must be loaded into the Content Server domain's keystore. In non-security-hardened environments, each domain would be using identical keypairs (and possibly cloned keystores), and hence the public certificate should already be present in the Content Server domain's keystore.
Solution
Check that the Oracle Fusion Applications client and the Content Server contain the correct keystore. In a non-security-hardened environment, the keystore can be copied from one domain to another and Oracle WebLogic Server restarted. The Content Server will need to be bounced when the keystore changes, as this public certificate is cached at startup. The Attachments client caches the value upon the first access, so the Oracle Fusion application may also require bouncing, although this is unlikely.
Use keytool to check the certificate. For example:
keytool -list -v -keystore default-keystore.jks
See the Oracle Fusion Applications Security Guide for the correct configuration of the keystore.
Problem
The following message indicates that the Attachment client provided a null or empty public certificate fingerprint value (XFND_CERT_FP), which is likely due to some keystore access issue on the client.
Legacy signing request; Certificate FingerPrint missing
If this value is missing from the databinder, the signature value itself is also likely missing. If this is the case, one would also likely see the following message:
Signature Scheme Properties missing from DataBinder
This message indicates that one of the following values was null or empty in the databinder supplied by the Attachments client:
XFND_SIGNATURE, XFND_RANDOM, XFND_EXPIRES
This problem is reported when the Oracle Fusion application making the request is incorrectly configured.
Solution
Once the Oracle Fusion application is configured correctly, then there will no longer be a problem.
To resolve this issue, see Section 11.3.4.1. There are likely to be many clients. Therefore, you may need to check each one. The FusionAppsAttachments logging may provide enough information to determine which client is provoking the error.
Problem
The following error indicates that the XFND_EXPIRES (milliseconds since epoch) date value provided in the request databinder has already passed according to the Content Server's clock.
Request expiry time reached
Solution
Check to ensure there are no time and timezone differences between the client and Content Server. The request timeout should typically be 10 minutes.
Problem
The following message indicates that the client-supplied, URL-safe, base64 signature could not be successfully decoded back to binary data.
Unable to base64 decode received signature
Solution
Check the application logs for any errors when encoding the signature.
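The four signed-request messages described in the preceding sections can be reproduced offline from a captured databinder to see which field is at fault, including the case where a clock difference larger than the 10-minute timeout makes every request arrive expired. The following is an added example, not Oracle code: the checks model the descriptions on this page, the sample values are constructed, and the strict URL-safe alphabet with optional padding is an assumption.

```python
import base64
import binascii
import re

MSG_NO_FP = "Legacy signing request; Certificate FingerPrint missing"
MSG_MISSING = "Signature Scheme Properties missing from DataBinder"
MSG_EXPIRED = "Request expiry time reached"
MSG_B64 = "Unable to base64 decode received signature"

REQUIRED = ("XFND_SIGNATURE", "XFND_RANDOM", "XFND_EXPIRES")
TEN_MINUTES_MS = 10 * 60 * 1000          # typical request timeout per this page
URLSAFE_B64 = re.compile(r"[A-Za-z0-9_-]*={0,2}")


def decode_signature(sig):
    """Decode a URL-safe base64 signature; return None if it cannot be decoded."""
    if not URLSAFE_B64.fullmatch(sig):
        return None
    body = sig.rstrip("=")
    body += "=" * (-len(body) % 4)       # restore padding if it was stripped
    try:
        return base64.urlsafe_b64decode(body)
    except (binascii.Error, ValueError):
        return None


def preflight(binder, server_now_ms):
    """Return the messages a databinder would be expected to trigger.

    binder is a dict of databinder fields; server_now_ms is the Content
    Server's clock in milliseconds since epoch. Raises ValueError if
    XFND_EXPIRES is present but not an integer.
    """
    messages = []
    if not binder.get("XFND_CERT_FP"):
        messages.append(MSG_NO_FP)
    if any(not binder.get(key) for key in REQUIRED):
        messages.append(MSG_MISSING)
    expires = binder.get("XFND_EXPIRES")
    if expires and int(expires) <= server_now_ms:
        messages.append(MSG_EXPIRED)
    sig = binder.get("XFND_SIGNATURE")
    if sig and decode_signature(sig) is None:
        messages.append(MSG_B64)
    return messages


def sample_binder(client_now_ms):
    """Constructed databinder as a client with the given clock would build it."""
    return {
        "XFND_CERT_FP": "CONSTRUCTED-FINGERPRINT",
        "XFND_RANDOM": "12345",
        "XFND_SIGNATURE": "-_8",          # URL-safe base64 of bytes fb ff, unpadded
        "XFND_EXPIRES": str(client_now_ms + TEN_MINUTES_MS),
    }


if __name__ == "__main__":
    client_now = 1700000000000            # constructed timestamp
    binder = sample_binder(client_now)
    print("clocks in sync:", preflight(binder, client_now))
    print("server 11 min ahead:", preflight(binder, client_now + 11 * 60 * 1000))
```
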
Problem
The following errors in the application log files indicate an issue obtaining the keystore and/or the public certificate.
java.lang.NullPointerException at SigningUtils.verify
!syNullPointerException java.lang.NullPointerException. at AttachmentsConfig.getPublicCertificate
Solution
Check what exceptions are present at the Content Server start time associated with keystore and credential store access.
Problem
When the end-user attempts to create a new attachment, or view an existing attachment they receive an access denied message. For example:
oracle.fabric.common.PolicyEnforcementException: access denied (oracle.wsm.security.WSIdentityPermission resouce=appName assert)
Solution
This is indicative of a problem with configuration or provisioning of the application. Contact the Oracle Fusion Applications product team to get them to resolve the issue.
Problem
The following exception is reported:
access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=enc-csf-key read)
This issue is indicative of a problem with configuration or provisioning of the application.
Solution
Contact the Oracle Fusion Applications product team to get them to resolve the issue.