4 Troubleshooting

This chapter discusses common errors that can occur while implementing security and the corresponding resolution.

Error Getting Response; java.net.SocketException: Connection Reset

Description

The client application does not receive a response from the Web service. The error above is shown in SOAP User Interface (UI).

Solution

Check that the service is up and running, and that your client is pointing to the correct URL and using the correct protocol (HTTP or HTTPS).

SOAP Response is ”Unknown Exception, Internal System Processing Error”

SOAP Response

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Body>
        <env:Fault>
         <faultcode>env:Server</faultcode>
        <faultstring>Unknown exception, internal system processing error.</faultstring>
        </env:Fault>
   </env:Body>
</env:Envelope>

Solution

There are one or more problems with your security settings. With policy A:

• Make sure the credentials are correct

• Make sure the WSS-Password Type = PasswordText and WSS Time To Live = 5000

• Make sure the time on your PC or client machine matches the time on the server machine

SOAP Response is ”Error on Verifying Message Against Security Policy Error Code: 1025"

SOAP Response

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Body>
        <env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <faultcode>wsse:InvalidSecurity</faultcode>
        <faultstring>Error on verifying message against security policy Error code:1025</faultstring>
      </env:Fault>
   </env:Body>
</env:Envelope>

Solution

Make sure that the policy configured in WLS matches the tokens that the client (SOAPUI, Java application, WebInspect etc) is sending. For Policy A, you need to configure credentials, WSS Password Type = PasswordText and WSS Time to Live = 5000.

Null Pointer Exception

If the following exception is seen in server logs, it is generally because the server is not able to access the keystore. Either the keystore is corrupt or the password provided in domain's Web service security configuration does not match with the actual password of the keystore.

java.lang.NullPointerException
at weblogic.wsee.security.bst.ServerBSTCredentialProvider.getX509Credential(ServerBSTCredentialProvider.java:180)at weblogic.wsee.security.bst.ServerBSTCredentialProvider.initCredentialFromContext(ServerBSTCredentialProvider.java:161)at weblogic.wsee.security.bst.ServerBSTCredentialProvider.initCredentials(ServerBSTCredentialProvider.java:111)at weblogic.wsee.security.configuration.WssConfiguration.initDefaultConfiguration(WssConfiguration.java:416)at weblogic.wsee.security.configuration.WssConfiguration.init(WssConfiguration.java:134)at ....

Solution

Run the following script to configure WebLogic server.

app-service-security-config.sh –config-wls-cert-keystore

This script asks for the keystore and alias passwords. Enter the correct values. After the script is run, bounce the Weblogic server.

Useful Commands for Troubleshooting Security Issues

JVM Parameters for SSL Debug

-Dssl.debug=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off -Dweblogic.StdoutDebugEnabled=true

Location Identity and Trust Stores for WebLogic

/wlserver_12.2.1.3.0/server/lib/DemoIdentity.jks
/wlserver_12.2.1.3.0/server/lib/DemoTrust.jks

Generate a Certificate for Development Purposes

. <domain-home>/bin/setDomainEnv.sh
java utils.CertGen -certfile ServerCert -keyfile ServerKey -keyfilepass DemoIdentityPassPhrase -cn rsbhost.example.com

Import the Certificate to DemoIdentity Keystore

java utils.ImportPrivateKey -certfile ServerCert.der -keyfile ServerKey.der -keyfilepass DemoIdentityPassPhrase -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -alias DemoIdentity -keypass DemoIdentityPassPhrase

Keytool Commands

keytool -list -v -keystore DemoIdentity.jks
keytool -delete -alias demoidentity -keystore DemoIdentity.jks
keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>
keytool -exportcert -storetype JKS -alias <AliasName>  -keystore <KeystoreFile> -storepass <Password> -rfc -file <Certificate File Name>

Location of Java Keystore

%JAVA_HOME%\lib\security\cacerts