Oracle® Fusion Applications Administrator's Troubleshooting Guide 11g Release 7 Refresh 2 (11.1.7) Part Number E25450-08 |
|
|
PDF · Mobi · ePub |
This chapter describes common problems that you might encounter when using Oracle WebCenter Content and explains how to solve them. This chapter contains the following topics:
Some procedures in this chapter reference content in the Oracle Fusion Middleware guides. These guides describe using Fusion Middleware Control. These procedures also apply to Fusion Applications Control.
This section provides guidelines and a process for using the information in this chapter that will minimize the time you spend resolving problems.
Guidelines
When using the information in this chapter, Oracle recommends:
After performing any of the solution procedures in this chapter, immediately retrying the failed task that led you to this troubleshooting information. If the task still fails when you retry it, perform a different solution procedure in this chapter and then try the failed task again. Repeat this process until you resolve the problem.
Making notes about the solution procedures you perform, symptoms you see, and data you collect while troubleshooting. If you cannot resolve the problem using the information in this chapter and you must log a service request, the notes you make will expedite the process of solving the problem.
Process
Follow the process outlined in Table 12-1 when using the information in this chapter. If the information in a particular section does not resolve your problem, proceed to the next step in this process.
Table 12-1 Process for Using the Information in this Chapter
Step | Section to Use | Purpose |
---|---|---|
1 |
Section 12.2 through Section 12.3 |
Perform problem-specific troubleshooting procedures. These sections describe:
|
2 |
Use My Oracle Support to get additional troubleshooting information about Oracle Fusion Applications or Oracle SOA Suite. My Oracle Support provides access to several useful troubleshooting resources, including Knowledge Base articles and Community Forums and Discussions. |
|
3 |
Log a service request if the information in this chapter and My Oracle Support does not resolve your problem. You can log a service request using My Oracle Support at |
Oracle WebCenter Content can store attachments associated with a content item. Within the Oracle Fusion Applications environment, attachments are secured by their corresponding content items. If you can access a content item, then you can access its attachments.
Problem
When the user attempts to add an attachment, the file selection field clears and they receive the following message:
Warning: The file upload failed. The file could not be uploaded because it is too large.
Solution
The maximum size of a file that can be uploaded is managed by the Apache MyFaces Trinidad settings. The UPLOAD_MAX_MEMORY
context parameter in the web.xml
file can be added or modified to change this size from the default of 2 MB.
For more information, see the "Changing the Maximum File Upload Size" section in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal.
This section covers the following topics:
Problem
When the Content Server is down, it is not possible for any user to create, update or retrieve Content Server content. For example, the following error:
Error: Fails to access WSDL at <protocol://host:port/idcnativews/IdcWebRequestPort?WSDL>
Fails with the following response:
'503: Service Unavailable' for url 'protocol://host:port/idcnativews/IdcWebRequestPort?WSDL'
Solution
To resolve this issue:
Check that the connection end point is correct. If it is incorrect, update the CIS Web URL
of the FusionAppsContentRepository
Java Content Repository (JCR) connection to the correct value.
Restart Content Server if it is not available. See "Managing System Processes" in Oracle Fusion Middleware Administering Oracle WebCenter Content.
Problem
When a connection failure occurs, it is not possible for any user to create, update or retrieve Content Server content. This occurs at the point where the application is attempting to connect and authorize the connection, such as when adding or accessing an attachment. The following are indications of a connection problem:
Clicking on the link to an attachment displays a warning message instead of the attachment. For example:
Warning: The attachment information cannot be retrieved. (FND-2403)
The same text is shown for errors FND-2403
through to FND-2405
. These errors are all indicative of problems connecting to Content Server when trying to retrieve content.
Attempting to save an attachment results in an error message. For example:
Error: Your attachments changes cannot be saved. (FND-2408)
The same text is shown for errors FND-2407
through FND-2410
. These errors are all indicative of problems connecting to Content Server when trying to save content.
No connection, folder or document is available to the document picker.
Message popup beginning with the following:
oracle.stellent.ridc.protocol.ProtocolException
Solution
To resolve this issue:
Look for the error message number in the application log, for example, FND-2403
. If there is no FND
message then it is likely that the message is being bubbled up from Content Server or Oracle WebCenter Portal. Search for the text of the message in the application log. The exception message provides additional context to help determine the root cause of the problem.
Check that the Content Server is running. Restart Content Server if it is not available. See "Managing System Processes" in Oracle Fusion Middleware Administering Oracle WebCenter Content.
Determine if the JCR Connection is set correctly in this environment:
Check that the Content Server Connection has been defined. The connection name must be FusionAppsContentRepository
, and must be defined as the primary Content Server connection.
The connection must of socket type jaxws
, with the Web URL configured to point to the Content Server native web services endpoint (the idcnativews
endpoint). The Client Security Policy must be null, indicating that GPA (Global Policy Attachments) should be leveraged. A valid administrative user must also be specified as part of the definition. This connection definition is persisted in Oracle Metadata Repository, which happens automatically as a part of the setup. Hence, MDS Repository issues may result in issues for Attachments. For example, the connection specified in a connections.xml
is overridden by the MDS Repository configuration.
You can use Oracle Enterprise Manager Fusion Applications Control (Fusion Applications Control) or the Oracle WebLogic Scripting Tool (WLST) to view connection details. Verbose listing also shows that this is the primary connection.
Use the System MBean Browser to view the connection details:
Choose Fusion Applications from the Targets menu.
In the table on the Fusion Applications target home page, click the appropriate Product Family target.
From the navigation pane, expand the product family, then expand Fusion Applications.
Expand the cluster application you want to monitor to show each instance of the application.
Click one of the application deployment instances, for example, PayablesApp (PayablesSever_1).
The Fusion J2EE Application page displays.
From the Fusion J2EE Application menu, choose System MBean Browser.
In the System MBean Browser page, expand Application Defined MBeans.
Expand oracle.adf.share.connections, server name, application name, ADFConnections, JCR.
Click FusionAppsContentRepository.
In the Application Defined MBeans: JCR:FusionAppsContentRepository page, verify the connection properties.
To use the Oracle WebLogic Scripting Tool (WLST):
From the fusionapps
Middleware subdirectory, start the scripting tool:
(UNIX) FA_MW_HOME/oracle_common/common/bin/wlst.sh (Windows) FA_MW_HOME\oracle_common\common/bin\wlst.cmd
Where DOMAIN_HOME
is located in the following locations:
(UNIX) APPLICATIONS_CONFIG/instance/domains/host/domain_name (Windows) APPLICATIONS_CONFIG\instance\domains\host\domain_name
Connect to Oracle WebLogic Server.
Use Oracle WebLogic Scripting Tool (WLST) commands. For example:
listJCRContentServerConnections(appName='LedgerApp',verbose=1) FusionAppsContentRepository Connection Name: FusionAppsContentRepository Connection Type: JCR External Appliction ID: Timeout: (not set) CIS Socket Type: jaxws CIS Server Hostname: CIS Server Port: CIS Keystore Location: CIS Private Key Alias: CIS Web URL: ${adfDomainConfig.oraclefusionapps.ucmAppInternalProtocol}://${adfDomainConfig.oraclefusionapps.ucmAppInternalHost}:${adfDomainConfig.oraclefusionapps.ucmAppInternalPort}/idcnativews Web Server Context Root: Client Security Policy: Admin User Name: FUSION_APPS_FIN_ADF_APPID Cache Invalidation Interval: (not set) Binary Cache Maximum Entry Size: (not set) The Documents primary connection is "FusionAppsContentRepository"
Note that the URL in the output is tokenized using Expression Language expressions. These expressions are resolved from the adf-domain-config.xml document from MDS. Make the following selections to resolve the expressions and return the actual destination:
System MBean Browser > Application Defined MBeans > oracle.adf.share.connections > Server: YYY > Application: ZZZApp > ADFConnections > ADFConnections > Operations Tab > exportWithResolvedExpressions > Invoke
The document picker used to select folders or documents from Content Server is provided by WebCenter.
Problem
Clicking on the link of an attachment results in a 404 (page not found) error. This occurs for all users of an application.
Solution
If the attachment type is a file or text, then it is likely to be a problem with the GetHandler
servlet.
The condition occurs when the GetHandler
servlet is not running or the application has not been defined correctly.
One way to confirm that the servlet is available is to go to the console:
Deployments > Application > Application Root > Monitoring > Servlets
Restart the GetHandler
servlet if it is not running.
If the servlet is running then the issue is likely to be with the configuration of the application. Contact the Oracle Fusion Applications product team to resolve the issue with the configuration of the application.
If the attachment type is a URL, then the value must be corrected. This can be done by verifying and re-entering the correct URL attachment.
Problem
When the user attempts to create a new attachment or view an existing attachment, they receive an insufficient privileges
message. Here are some sample error messages that either originate from the Content Server or are found in the logs:
Content item '(null)' was not successfully checked in. User 'USERNAME' does not have sufficient privileges. Unable to download 'DOCUMENTID'. User 'USERNAME' does not have sufficient privileges. Content item '(null)' was not successfully checked in. Unable to execute service method 'checkSecurity'. The error was caused by an internally generated issue. The error has been logged. 'USERNAME' does not have sufficient privileges Invalid Security: error in processing the WS-Security header MustUnderstand headers:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\}Security are not understood internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName
Solution
The sufficient privileges
message originates from Content Server. It means that the user for the Content Server connection does not have sufficient privileges to complete the requested steps. There are many possible configuration errors that produce this message, but it indicates a problem with the configuration of the underlying technology stack.
To resolve this issue, follow the procedures in the following tasks:
Check the application log for errors and then follow the steps that match the reported error:
Section 12.3.4.1.1, "Misunderstood Headers or No Namespace URL Error"
Section 12.3.4.1.3, "Unable to Generate Digital Signature Error"
The following errors indicate the web service end point on Content Server may be missing the web service policy; this can be verified in several ways.
MustUnderstand headers:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\}Security are not understood com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: No NamespaceURI, SOAP requires faultcode content to be a QName
From the Fusion Applications Control:
From the navigation pane, expand the domain and Application Deployments, then click Oracle UCM Native Web Services (UCM_server1).
From the Application Deployment menu, choose Web Services.
In the Web Services home page, click the Web Service tab.
Click the IdcWebLoginPort endpoint to view the configuration in the IdcWebLoginPort (Web Service Endpoint) page.
On the IdcWebLoginPort (Web Service Endpoint) page, click the OWSM Policy tab and verify the Globally Attached Policy. For example:
oracle/wss_saml_or_username_token_service_policy
From the Web Services Description Language (WSDL) URL:
Point your browser to the following URL:
http://contentserver_host:contentserver_port/idcnativews/IdcWebLoginPort?WSDL
Check that the WSDL contains a binding reference to the appropriate service policy. For example:
<wsp:PolicyReference URI="#wss_saml_or_username_token_service_policy" ...
The following exception occurs if the client GPA (Global Policy Attachments) is not set up correctly.
Invalid Security: error in processing the WS-Security header
Both the Web Service Client (Fusion Application) and Service (Content Server native web services login endpoint) leverage Globally Attached Policies (GPA) in most cases. With GPA, the domain administrator configures default policies for Web Service Client and Service resources for each domain. Clients and services which do not directly attach policies (Locally Attached Policies) use the corresponding policies configured for GPA. Issues arise when client and service policies are not compatible. For example, a message protection policy is set on the client, but not on the service. Always check that the client and service leverage GPA and that the policies are compatible. For example:
If the service policy on Content Server login service is set to:
oracle/wss_saml_or_username_token_service_policy
Then the client policy should be set to:
oracle/wss10_saml_token_client_policy
If the service policy on Content Server login service is set to:
oracle/wss11_saml_or_username_token_with_message_protection_service_policy
Then the client policy should be set to:
oracle/wss11_saml_token_with_message_protection_client_policy.
Note that the GPA is set at the global domain level and impacts all domains. This is done as part of provisioning, and there is no explicit action to be done for Content Server Attachments in provisioned environments.
From the Oracle WebLogic Scripting Tool (WLST):
From the fusionapps
Middleware subdirectory, start the scripting tool:
(UNIX) FA_MW_HOME/oracle_common/common/bin/wlst.sh (Windows) FA_MW_HOME\oracle_common\common/bin\wlst.cmd
Connect to Oracle WebLogic Server.
Run a listPolicySets()
command and then an appropriate displayPolicySet('xxxx')
command from the client domain to obtain details on the GPA defined for the web service client (ws-client).
...> listPolicySets() Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help(domainRuntime) Global Policy Sets in Repository: ... ws-client ... ...> displayPolicySet('ws-client') Policy Set Details: ------------------- Name: ws-client Type of Resources: Web Service Client Scope of Resources: Domain("*") Description: Global policy attachments for Web Service Client resources. Enabled: true Policy Reference: security : oracle/wss10_saml_token_client_policy, enabled=true
Similarly, from the CommonDomain where UCM is deployed, run WLST with appropriate listPolicySets() and displayPolicySet('xxxx') commands to obtain details on the GPA defined for the service (ws-service).
The following message indicates that there is a problem on the Oracle Fusion Applications side when attempting to generate a digital signature.
Unable to generate digital signature
If there is no such error, then skip to the Section 12.3.4.2.
Keystore or Password Error
In some cases, the application log may contain the following message:
Keystore has been tampered with, or password is wrong
To resolve this issue:
Determine the keystore location from Fusion Applications Control:
From the navigation pane, expand the farm and then WebLogic Domain.
Select the domain, for example, FinancialDomain.
In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security > Security Provider Configuration.
In the Security Provider Configuration page, under Web Services Manager Authentication Providers, expand Keystore to see the location. The location is typically
(UNIX) DOMAIN_HOME/config/fmwconfig/default-keystore.jks (Windows) DOMAIN_HOME\config\fmwconfig\default-keystore.jks
Validate the keystore password using the keytool
tool, located in located in ORACLE_HOME
/jdk/bin
on UNIX and ORACLE_HOME
\jdk\bin
on Windows. For example:
keytool -list -v -keystore default-keystore.jks -storepass admin123
Where admin123
is the keystore password.
The following error occurs if the password is incorrect:
java.security.UnrecoverableKeyException
Validate the private key alias and password using keytool
. For example:
keytool -keypasswd -alias orakey -keypass welcome1 -new welcome1 -keystore default-keystore.jks -storepass admin123
Where admin123
is the verified keystore password from Step 2, and welcome1
is the alias entry password.
The following error occurs if the password is incorrect.
java.security.UnrecoverableKeyException
The following error occurs if there is no key pair under the alias orakey
.
java.lang.Exception
Validate that the correct passwords and entries exist in the credential store.
The credential store must contain valid password credentials for the oracle.wsm.security map providing the keystore access password, signing key alias and password, and encryption key alias and password.
You can view and edit credential store contents from EM (passwords are not rendered):
From the navigation pane, expand the farm and then WebLogic Domain.
Select the domain, for example, FinancialDomain.
In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security > Credentials.
Alternatively, run the WLST listCred
script with the appropriate map and key to retrieve passwords associated with credentials:
listCred(map="oracle.wsm.security", key="keystore-csf-key") listCred(map="oracle.wsm.security", key="sign-csf-key") listCred(map="oracle.wsm.security", key="enc-csf-key")
For more information, see the section "listCred" in the Oracle Fusion Middleware Application Security Guide.
Access Denied Error
The following error indicates a problem with configuration or provisioning of the application.
Access Denied
Contact the Oracle Fusion Applications product team to resolve the issue.
To resolve this issue:
Switch on logging for the FusionAppsAttachments
component:
Log in to UCM as an administrator.
Choose Administration > System Audit Information.
In the Tracing sections Information area, add fusionappsattachments to Active Sections.
Enable Save and Full Verbose Tracing.
Click Update.
View the logs:
Log in to UCM as an administrator.
Choose Administration > System Audit Information.
Select View Server Output.
After re-running an attempt to retrieve or create an attachment, search for the string Signature Verification Failed
. Determine the keystore location from Fusion Applications Control:
From the navigation pane, expand the farm and then WebLogic Domain.
Select the domain.
In the Oracle WebLogic Server Domain home page, from the WebLogic Domain menu, choose Security > Security Provider Configuration.
In the Security Provider Configuration page, under Web Services Manager Authentication Providers, expand Keystore to see the location. The location is typically
(UNIX) DOMAIN_HOME/config/fmwconfig/default-keystore.jks (Windows) DOMAIN_HOME\config\fmwconfig\default-keystore.jks
Validate the keystore password using the keytool
tool, located in ORACLE_HOME
/jdk/bin
on UNIX and ORACLE_HOME
\jdk\bin
on Windows. For example:
keytool -list -v -keystore default-keystore.jks -storepass admin123
Where admin123
is the supposed keystore password.
The following error occurs if the password is incorrect:
java.security.UnrecoverableKeyException
Validate the private key alias and password using keytool
. For example:
keytool -keypasswd -alias orakey -keypass welcome1 -new welcome1 -keystore default-keystore.jks -storepass admin123
Where admin123
is the verified keystore password from Step 2, and welcome1
is the alias entry password.
The following error occurs if the password is incorrect.
java.security.UnrecoverableKeyException
The following error occurs if there is no key pair under the alias orakey
.
java.lang.Exception
Validate that the correct passwords and entries exist in the credential store.
The credential store must contain valid password credentials for the oracle.wsm.security map providing the keystore access password, signing key alias and password, and encryption key alias and password.
Run the WLST listCred
script with the appropriate map and key. See the section "listCred" in the Oracle Fusion Middleware Application Security Guide.
Correct the keystore or credential store if required. See the following sections:
Problem
This following error indicates that the public certificate associated with the private key used by the Attachments client was not found in the Content Server domain's keystore.
Public Certificate Map did not contain fingerprint: XXXX Public Certificate is null; Unable to verify signature
In security-hardened environments where each domain could use unique key pairs, the client's public certificate must be loaded into the Content Server domain's keystore. In non-security-hardened environments, each domain uses identical key pairs (and possibly cloned keystores), and hence the public certificate should already be present in the Content Server domain's keystore.
Solution
Check that the keystore on the Oracle Fusion Applications client and the Content Server contain the correct keystore. In a non-security hardened environment, the keystore can be copied from one domain to another and Oracle WebLogic Server restarted. You must restart the Content Server when the keystore changes, as this public certificate is cached at startup. The Attachments caches the value upon the first access so the Oracle Fusion application may also require bouncing, although this is unlikely.
Use the keytool
to check the certificate. For example:
keytool -list -v -keystore default-keystore.jks
See the Oracle Fusion Applications Security Guide for the correct configuration of the keystore.
Problem
The following message indicates that the Attachment client provided a null or empty public certificate fingerprint value (XFND_CERT_FP
), which is likely due to some keystore access issue on the client.
Legacy signing request; Certificate FingerPrint missing
If this value is missing from the databinder, the signature value itself is also likely missing. If this is the case, you would also likely see the following message:
Signature Scheme Properties missing from DataBinder
This message indicates that one of the following values is null or empty in the databinder supplied by the Attachments client:
XFND_SIGNATURE
XFND_RANDOM
XFND_EXPIRES
This problem is reported when the Oracle Fusion application making the request is incorrectly configured.
Solution
To resolve this issue, refer to Section 12.3.4.1. There are likely to be many clients. Therefore, you may have to check each one. The FusionAppsAttachments
logging may provide enough information to determine which client is causing the error.
Problem
The following error indicates that the XFND_EXPIRES
(milliseconds since epoch) date value provided in the request databinder has already passed according to the Content Server's clock.
Request expiry time reached
Solution
Check to make sure that there are no time and time zone differences between the client and Content Server. The request timeout should typically be 10 minutes.
Problem
The following message indicates that the client-supplied, URL-safe, base64 signature could not be successfully decoded back to binary data.
Unable to base64 decode received signature
Solution
Check the application logs for any errors when encoding the signature.
Solution
The following errors in the application log files indicate an issue obtaining the keystore and/or the public certificate.
java.lang.NullPointerException at SigningUtils.verify !syNullPointerException java.lang.NullPointerException. at AttachmentsConfig.getPublicCertificate
Solution
Check what exceptions are present at the Content Server start time that are associated with keystore and credential store access.
Problem
When the end-user attempts to create a new attachment, or view an existing attachment they receive an access denied message. For example:
oracle.fabric.common.PolicyEnforcementException: access denied (oracle.wsm.security.WSIdentityPermission resouce=appName assert)
Solution
This indicates a problem with configuration or provisioning of the application. Contact the Oracle Fusion Applications product team to get them to resolve the issue.
Problem
The following exception is reported:
access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=enc-csf-key read)
This issue indicates a problem with configuration or provisioning of the application.
Solution
Contact the Oracle Fusion Applications product team to get them to resolve the issue.
If applcore attachments fail during checkin, the likely causes can vary if the failure occurs across all domains or in a single domain.
First, determine if attachment uploads to the central UCM instance are successful for any other domain in the installation.
Failure Across Domains
If attachments fail on all domains, possible causes are (in order of likelihood):
There is a mismatch between the "ws-service" policy of the Common Domain Web Services Manager (WSM) Global Policy Attachment (GPA) and the associated domain's corresponding "ws-client" policy.
The UCM login webservice is not using a Global Policy Attachment (GPA), but rather an incorrect Local Policy Attachment (LPA).
The WSM Policy Manager application has failed in the Common Domain.
Credential store entries are incorrect for Common Domain preventing the keystore from opening.
If using message protection policy, the keystores for the domains are not synchronized.
Clients are unable to generate digital signatures due to policy permission security issues or invalid oracle.wsm.security credential store values for the underlying keystore.
The public certificate fingerprint of the client is not in UCM server keystore.
The JCR connections are not using GPA, but rather an incorrect LPA.
The tokenized Web URL JCR connection value is incorrect.
Failure in a Single Domain
If attachments fail on a single domain and other domains function properly, possible causes are (in order of likelihood):
There is a mismatch between the "ws-service" policy of the Common Domain Web Services Manager (WSM) Global Policy Attachment (GPA) and the associated domain's corresponding "ws-client" policy
The client keystore is not synchronized with the UCM common domain server keystore.
Clients are unable to generate digital signatures due to policy permission security issues or invalid oracle.wsm.security credential store values for the underlying keystore.
The public certificate fingerprint of the client is not in the UCM server keystore.
The JCR connection for FusionAppsAttachments is not using GPA client policy and may be somehow leveraging an LPA.
The tokenized Web URL JCR connection value is incorrect.
Investigate the following to find possible solutions.
Policy Manager Active
From the UCM domain, check if the Web Services Manager policy manager is active:
http://ucmhost:adminport/wsm-pm/validator
It should prompt for credentials, and then return a status such as Policy Manager Status: Operational
, along with a table of policies.
If the application does not appear to be responding, open the UCM Domain Weblogic Server Administration Console the following to see if it is active:
Deployments > Summary of Deployments > wsm-pm deployment
Correct Service Policy
From the UCM domain, check the wsp:PolicyReference in the IdcWebLoginPort WSDL:
http://ucmhost:ucmport/idcnativews/IdcWebLoginPort?WSDL
Look for something similar to the following:
<wsp:PolicyReference URI="#wss_saml_or_username_token_service_policy" wsdl:required="false"/>
If the service policy is either empty or not what you expected, check to make sure that the GPA policy for ws-service has been correctly set:
From the navigation pane, expand the domain and Application Deployments, then click Oracle UCM Native Web Services (UCM_server1).
From the Application Deployment menu, choose Web Services.
In the Web Services home page, click the Web Service tab.
Click the IdcWebLoginPort endpoint to view the configuration in the IdcWebLoginPort (Web Service Endpoint) page.
On the IdcWebLoginPort (Web Service Endpoint) page, click the OWSM Policy tab and verify the correct policy is listed under Globally Attached Policy and that no policy is listed under Directly Attached Policies.
Make sure that the policy associated with GPA Web Service Endpoint resource is correct:
From the Enterprise Manager, click Weblogic Domain.
Click the domain name, for example, CommonDomain.
From the Weblogic Domain menu, choose Web Services and then Policy Sets.
Specify or change the policy as necessary.
Correct Client Policy
From the client domain, check the GPA policy set for Web Service Client resources.
From the Enterprise Manager, click Weblogic Domain.
Click the domain name, for example, CRMDomain.
From the Weblogic Domain menu, choose Web Services and then Policy Sets.
Make sure that the policy set associated with GPA Web Service Client resources is correct.
Correct JCR Connection
Check the "FusionAppsContentRepository" JCR connection to make sure that the client policy is empty, meaning GPA should get used, and that the web URL is correct.
The System MBean browser within EM can show the details of the connection. System MBean Browser > oracle.adf.share.connections > Server: YYY > Application: ZZZApp > ADFConnections > ADFConnections > JCR > FusionAppsContentRepository
Make sure the Client Security Policy is empty.
The Web URL will likely point to properties such as:
${adfDomainConfig.oraclefusionapps.ucmAppInternalProtocol}:// ${adfDomainConfig.oraclefusionapps.ucmAppInternalHost}: ${adfDomainConfig.oraclefusionapps.ucmAppInternalPort}/idcnativews
The following mBean operation provides the resolved output for the web service URL:
System MBeans > Application Defined MBeans > oracle.adf.share.connections > Server: [your server name] > Application: [your application name] > ADFConnections > ADFConnections > Operations Tab > exportWithResolvedExpressions > Invoke