16 Diagnosing Problems with OWSM

16.2.1 Unable to Connect to the Policy Manager

The following errors appear when you attempt to connect the Policy Manager:

• WSM-06157: The repository database is not configured correctly or not running.

• WSM-06160: The policy manager application has not been deployed or is not running.

• WSM-06161: The policy manager application has not been deployed.

• WSM-06162: The policy manager application is not running or is not configured correctly.

• WSM-06159: Cannot connect to the policy manager due to credential issue.

• WSM-02120: Unable to connect to the policy access service.

Problem

The problem may be:

• The Policy Manager is down. You can determine if the Policy Manager is down as follows:

  • The state of the Policy Manager in the General area of the OWSM Policy Manager home page, as described in "Diagnosing Problems with OWSM Policy Manager" is shown as Shutdown.

  • The status of the wsm-pm internal application on the Domain home page in Fusion Middleware Control is Down, as shown in Figure 16-2. To access the Domain home page, select Home from the WebLogic Domain menu in the top left-hand corner of the page.

    Figure 16-2 OWSM Policy Manager Shutdown (Farm Page)

    
    Description of "Figure 16-2 OWSM Policy Manager Shutdown (Farm Page)"
    
    

  • An error dialog box displays when you attempt to access the OWSM policy management pages in Fusion Middleware Control. This error information is also written to the diagnostic log file, as described in "Reviewing Sample Logs" in Administering Web Services.

• The domain is configured to use auto-discovery with SSL.

  OWSM supports an auto-discovery feature that it uses to locate and connect to the OWSM Policy Manager. If the domain is configured to use auto-discovery with SSL, then the auto-discovery logic will always try to connect to an SSL-enabled server. To ensure that the secure connection is maintained, the auto-discovery logic will not attempt to connect to a Policy Manager on a non-SSL server, even if the SSL-enabled server goes down. Therefore, even though there is a Policy Manager running, because it is running on a non-SSL enabled server, it is ignored and an error message is displayed.

• The credential required to access the Policy Manager is invalid or is not authorized.

• The repository may not be configured correctly.

• The cross-component wiring for the Policy Manager and Agent may not be current.

Solution

If the Policy Manager is down:

Restart the wsm-pm application as described in "Starting and Stopping Applications" in Administering Oracle Fusion Middleware.

If the domain is configured to use auto-discovery with SSL:

• Verify that the wsm-pm Policy Manager application is targeted to an SSL server. You can do so using the WebLogic Server Administration Console as described in "Target an Enterprise application to a server" in the Oracle WebLogic Server Administration Console Online Help.

• Verify that SSL has been configured correctly and that there are no SSL certificate issues. For additional information, see "Configuring Keystores for SSL".

• If the SSL-enabled server is down, restart it, and the Policy Manager application, as described in "Starting and Stopping Oracle Fusion Middleware" in Administering Oracle Fusion Middleware.

• Verify that the service table and component configuration is correctly configured for SSL. For more information, see "Using Cross-Component Wiring for Auto-Discovery of Policy Manager".

• If you want to use the Policy Manager on a non-SSL enabled server, modify the auto-discovery configuration. For more information, see the following topics:

  • "Configuring the Policy Manager Connection Using Fusion Middleware Control"

  • "Configuring the Policy Manager Connection Using WLST"

If there is a credential issue when attempting to access the Policy Manager:

By default, the OWSM run time uses the OracleSystemUser account. If you are not using the default user accounts, you need to modify the configuration as described in "Modifying the Default User".

If there is a problem with the repository configuration:

• Verify that the database and MDS schema are setup correctly. This configuration is performed as part of the installation process. For more information, see "Creating the Database Schemas" in Installing and Configuring the Oracle Fusion Middleware Infrastructure.

• Verify that the JDBC configuration is correct. The JDBC configuration is defined when you create the domain using the Fusion Middleware Configuration Wizard. For more information, see "Configuring Your WebLogic Domain" in Installing and Configuring the Oracle Fusion Middleware Infrastructure.

If there is a problem with the cross-component wiring:

• Verify that the service table entry corresponding to the OWSM Policy Manager contains the correct URL.

• Verify that the wiring between the OWSM Agent Hook and the OWSM Policy Manager is in the wired state.

For more information, see the following topics:

• "Verifying Service Table Entries and Components Using Fusion Middleware Control"

• "Verifying Agent Bindings Using Fusion Middleware Control"

16.2.2 Key or Credential Store Error After an Application Invokes Web Service

After an application invokes a web service, a key store or credential store error such as the following appears:

• WSM-00056: The key <alias_name> is not retrieved

• WSM-00256: The property "Keystore Sign Alias" is not set

• WSM-0024: Unable to read key from KSS keystore

• WSM-00340: Key does not exist in the KSS keystore

Problem

The problem may be:

• For the JKS keystore:

  • The alias for the signature key or encryption key in the OWSM keystore configuration does not exist in the OWSM keystore.

  • The signature key, encryption key, or OWSM keystore password is not synchronized between the keystore file and the keystore configuration for OWSM. That is, at least one of the passwords does not have identical values in both locations.

  • The signature key is not set.

  • There is a missing key in the credential store.

• For the KSS keystore:

  • The keystore may have not been initialized or the necessary permissions are not granted.

  • The key does not exist in the keystore. The key you entered on the domain configuration Message Security screen cannot be found in the keystore.

Solution

To verify the alias for the signature key and encryption key in the OWSM keystore configuration exists in the OWSM keystore file:

1. Use Fusion Middleware Control to identify the alias for the signature key and encryption key in the OWSM keystore configuration by performing the procedure in "Configuring the OWSM Keystore".

2. For a JKS keystore, verify that the aliases identified in step 1 exist in the OWSM keystore file.

   Use the keytool -list command on the OWSM keystore file, as described in step 4 of "Generating Private Keys and Creating the Java Keystore". For detailed information about using the keytool utility, see the keytool - Key and Certificate Management Tool document at the following URL:

   http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

   Note:

   If you are unable to locate the document at the above URL, you can access it by searching for it on the Search Java SE Technical Documentation web page at:

   http://download.oracle.com/javase/search.html

   • Ensure each alias is synchronized in both the keystore file and the OWSM keystore configuration in the credential store. If they are not, you can edit the alias in the OWSM keystore configuration by performing the procedure described in "Configuring the OWSM Keystore". You can edit the alias in the OWSM keystore file using the keytool -changealias command.

     Note:

     Before you edit an alias, be sure that doing so will not affect any other web service.

   • If the alias for the signature key or encryption key does not exist in the OWSM keystore file, add it as described in "Generating Private Keys and Creating the Java Keystore".

3. For a KSS keystore, verify that the aliases identified in step 1 exist in the OWSM keystore file.

   Use Fusion Middleware Control to manage the contents of the keystore and ensure that the alias matches. For more information, see "Managing Keys and Certificates with the Keystore Service" in Securing Applications with Oracle Platform Security Services.

For a JKS keystore, ensure that the signature key, encryption key, and OWSM keystore file passwords are each synchronized in the keystore file and the keystore configuration for OWSM:

1. Use keytool to reset the passwords in the OWSM keystore file. Because the passwords are not visible, resetting them is the only method to ensure that they have identical respective values in both locations.

   • Use the keytool -storepasswd command to reset the OWSM keystore file password.

   • Use the keytool -keypasswd command to reset the signature key password and encryption key password.

2. Use Fusion Middleware Control to reset the passwords in the OWSM keystore configuration to the same respective values you set in step 1, as described in "Configuring the OWSM Keystore".

16.2.3 Trust Certificate Error After Application Invokes Web Service

After an application invokes a web service, a trust certificate error such as the following appears:

WSM-00138: The path to the certificate is invalid due to exception

Problem

The problem may be, if the web service is advertising its certificate in the Web Services Description Language (WSDL), the client may not be configured correctly to trust that certificate or its issuer.

Solution

To verify the client is configured to trust the web service's certificate advertised in the WSDL or its issuer:

1. Verify the client keystore has either the certificate of the web service or the certificate of its issuer.

   For a KSS keystore, use Fusion Middleware Control to identify the certificates in the client keystore. For more information, see "Managing Keys and Certificates with the Keystore Service" in Securing Applications with Oracle Platform Security Services.

   For the JKS keystore, use the keytool –list command to identify the certificates in the client keystore. If either of the certificates is missing from the client keystore, use the keytool –importcert command to add them. Refer to the keytool - Key and Certificate Management Tool document on the Java SE Technical Documentation web site for more information about using keytool. You can access this document at the following URL:

   http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

2. If the certificate is not published in the service's WSDL, verify that the value for the keystore.recipient.alias override property of the client policy is identical to the alias of the certificate in the OWSM keystore file.

   For more information, see "Overview of Policy Configuration Overrides".

16.2.4 SAML Assertion Error Appears During Identity Propagation

After an application attempts to propagate a user's identity by calling a different application, InvalidSecurityToken, FailedAuthentication, and SAML assertion issuer related errors appear.

Problem

The problem may be:

• The SAML issuer name for the SAML token is not configured or is configured incorrectly.

• The subject.precedence configuration override is set incorrectly.

Solution

To troubleshoot the SAML issuer name configuration:

Verify that the SAML Issuer Name that the client is using is among the issuers configured in the Oracle WebLogic Server domain. To do so, perform the steps described in "Configuring SAML Trusted Issuers and DN Lists Using Fusion Middleware Control".

If the SAML Issuer Name that the client is using is not configured as an issuer in the Oracle WebLogic Server domain, Oracle recommends changing the issuer name on the client by updating its saml.issuer.name override to one of the issuers configured in the domain.

If you cannot change the issuer name on the client, you can add its issuer name to the Oracle WebLogic Server domain by performing the steps in the "Configuring SAML Trusted Issuers and DN Lists Using Fusion Middleware Control".

To troubleshoot the subject.precedence configuration override:

1. Set the subject.precedence override value in your current client policy to false to change the identity to a different user. By default, the subject.precedence override is set to true.

2. Set the appropriate Credential Store Framework key override on the client policy that contains the user name and password of the user you want to send to the service. If an entry for this user does not exist in the Credential Store Framework, you must add it. For more information, see "Configuring the Credential Store"

3. Ensure the appropriate Web Services Identity Permission is set for the client application by performing the steps in "Configuring SAML Web Service Clients for Identity Switching".

16.2.5 Policy Access Error After an Application Invokes Web Service

After an application attempts to invoke a web service, a policy access error such as the following appears:

• WSM-06156: The policy URI is missing, empty or contains invalid characters.

• WSM-06158: The referenced policy does not exist in the repository.

• WSM-02017: The document was not found in the repository.

Problem

The problem may be:

• The policy URI is missing or the policy name is misspelled.

• The Policy Manager is down

• The policy does not exist in the repository

• The policy attachment is not in effect due to a cache delay.

Solution

To diagnose and solve policy access issues:

1. Verify that the Policy Manager is running as described in "Diagnosing Problems with OWSM Policy Manager" and "Unable to Connect to the Policy Manager".

2. Verify that the mds-owsm datasource connection is reachable and available. For more information, see "Understanding and Managing Data Sources" in Administering Oracle Fusion Middleware.

3. Verify that the policy exists in the OWSM repository by viewing the contents of the repository using the Policy Manager Validator page. For details about accessing the Validator page and viewing the contents of the repository, see "Diagnosing Problems with OWSM Policy Manager".

4. If the policy exists in the repository, verify that the policy URI is consistent with the policy URI in the repository.

5. If the policy does not exist in the OWSM repository, do one of the following:

   • For predefined policies:

     • Verify that the repository has been upgraded with all of the latest predefined policies using the upgradeWSMRepository() command. For more information, see "upgradeWSMRepository" in WLST Command Reference for Infrastructure Components.

     • Reset the contents of the repository using the resetWSMRepository command as described in "Rebuilding the OWSM Repository".

   • For a custom policy:

     • Import it into the repository as described in "Importing Web Service Policies". For information on creating a custom policy, see "Creating a New Web Service Policy".

6. Check if the user is in a role that has the right permission granted. To modify any roles or permissions, refer to "Modifying the User's Group or Role".

7. Verify the policy accessor and cache delay.

   The amount of time it takes for a policy attachment to take effect is determined by the OWSM policy accessor and policy cache property settings. By default, this delay can be up to a maximum of 11 minutes. To reduce the amount of the delay, if necessary, you can tune the following cache property settings:

   • Initial Cache Refresh, default 600000 milliseconds (10 minutes)

   • Cache Refresh Time, default 600000 milliseconds (10 minutes)

   For details about tuning these properties, see the following sections:

   • "Configuring High Availability and Cache Management Using Fusion Middleware Control".

   • "Configuring High Availability and Cache Management Using WLST"

16.2.6 Unable to Access User in Credential Store

When OWSM attempts to access a user in the credential store, an error such as the following occurs:

WSM-00015: The user name is missing

Problem

OWSM cannot locate the user name in the credential store. This can be caused by any of the following:

• The credential map oracle.wsm.security does not exist in the credential store.

• The user is not listed in the map used by OWSM.

• The CSF key for the entry does not exist in the credential store.

Solution

Verify that the credential map oracle.wsm.security exists in the credential store. OWSM only reads from this credential store map.

To determine if the oracle.wsm.security credential map exists in the credential store, refer to the procedure in "Configuring the Credential Store".

If your application uses a credential map other than oracle.wsm.security, ensure that any users that OWSM needs to access are duplicated in the oracle.wsm.security credential map.

16.2.7 Authorization Error After an Application Invokes Web Service

After an application attempts to invoke a web service, an error such as the following appears:

java.security.AccessControlException: access denied (oracle.wsm.security.WSFunctionPermission

Problem

Generally this is not really a problem but rather intended behavior; that is, the system was unable to authorize the user for the action that the user is attempting. To debug check the calling server diagnostic log for the authorization error. The error may look similar to the following:

2011-01-06T22:15:43.691-08:00] [SalesServer_2] [ERROR] [] [oracle.jbo.server.svc.ServicePermissionCheckInterceptor_w2f8f5_Impl] 
[tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] 
[userId: FMW_APPS_CRM_SELFSERVICE_ADF_APPID] 
[ecid: 004aIPwzJDGE8TQRyaI7T00001WJ00EJ8f,0:1:3:1:11:0x5f5e189:6:1] 
[WEBSERVICE_PORT.name: PartnerServiceSoapHttpPort] [APP: SalesApp#V2.0] 
[J2EE_MODULE.name: partnerCenterCorePublicModel]
[WEBSERVICE.name: PartnerService] [J2EE_APP.name: SalesApp_V2.0] 
[URI: /partnerCenterCorePublicModel/PartnerService] [[
java.security.AccessControlException: access denied (oracle.wsm.security.WSFunctionPermission 
http://xmlns.oracle.com/apps/partnerMgmt/partnerCenter/PartnerService#updatePartner invoke)
                at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
                at java.security.AccessController.checkPermission(AccessController.java:546)
                at oracle.jbo.server.svc.ServicePermissionCheckInterceptor.checkPermission(ServicePermissionCheckInterceptor.java:103)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Solution

Pay careful attention to the following information in the log, which is shown in bold text in the example above.

1. The application stripe name – which is SalesApp#V2.0 in the above log. Make sure it matches what you configured for your application. For information about how to configure the stripe name, see "Configuring the Servlet Filter and the EJB Interceptor" in Securing Applications with Oracle Platform Security Services.

2. The permission grant, which is comprised of the following:

   1. Resource name, which is http://xmlns.oracle.com/apps/partnerMgmt/partnerCenter/PartnerService#updatePartner in the above log.

   2. Action, which is invoke in the above log.

   Both of these pieces of information must be specified correctly in your permission grant. For more information, see "Determining Authorization Permissions".

If your application uses an LDAP-based authenticator and stores all roles in the LDAP, ensure that OWSM can access the users and roles as described in "Modifying the Default User".

16.2.8 Timestamp Error After an Application Invokes Web Service

After an application invokes a web service, a timestamp or clockSkew error such as the following occurs:

WSM-00060: Error validating timestamp

Problem

The problem will either manifest itself as a timestamp validation or clockSkew error as shown below:

Caused By: FAULT CODE: InvalidSecurityToken FAULT MESSAGE: Found invalid condition "on or after" in SAML assertion.
Current Time:Fri Feb 11 22:16:42 IST 2011, clockSkew:300000 milli seconds, NotOnOrAfter Time:Fri Feb 11 14:21:42 IST 2011.

This problem usually happens if your server and client clocks are more than five minutes apart after they are converted to the same time zone.

Solution

Change your client or server clock in one of the following ways so that they are within five minutes, both set to the correct time:

• Adjust the Clock Skew as described in "Configuring Security Policy Enforcement Using Fusion Middleware Control".

• Set the system clock

• Use an ntp server to maintain the time

16.2.9 Multiple Authentication Security Policy Error After an Application Invokes a Web Service

After an application invokes a web service, a multiple policy error (WSM-01823) appears in the log. This error appears, for example, if multiple authentication policies are attached to a subject.

Problem

More than one authentication policy was attached to a subject. This can happen if you have two policy sets that each attach an authentication policy to the same resource type, such as a web service. For example, if you have two policy sets defined in the OWSM repository for your domain and one defines the policy scope as Domain("domain_name") and the other as Domain ("*"). The following listing illustrates an example of this scenario.

wls:/base_domain/serverConfig> displayWSMPolicySet('default-domain-ws-domain_gpa')

   Policy Set Details:
   -------------------
   Display Name:                default-domain-ws-domain_gpa
   Type of Resources:   SOAP Web Service
   Scope of Resources:  DOMAIN("base_domain")
   Description:         Global policy attachments for Web Service Endpoint resources.
   Enabled:             true
   Policy Reference:    URI=oracle/wss11_saml_or_username_token_with_message_protection_service_policy, category=security, enabled=true

wls:/base_domain/serverConfig> displayWSMPolicySet('default-domain-ws-domain')

   Policy Set Details:
   -------------------
   Display Name:                default-domain-ws-domain
   Type of Resources:   SOAP Web Service
   Scope of Resources:  DOMAIN("*")
   Description:         Global policy attachments for Web Service Endpoint resources.
   Enabled:             true
   Policy Reference:    URI=oracle/wss_saml_or_username_token_service_policy, category=security, enabled=true

In this example, there are two policy sets with different names and different authentication policies pointing to the same resource type on the domain.

Solution

To verify if you have multiple policy sets attempting to attach authentication policies:

1. Use the listWSMPolicySets() command to display a list of the policy sets in the domain. For more information about this command, see "Viewing a List of Policy Sets".

2. Use the listWSMPolicySubjects command, with the detail argument set to true, to view the endpoint (port) and policy details for all applications and composites in the domain, the secure status of the endpoints, any configuration overrides and constraints, and if the endpoints have a valid configuration.

   Using the policy sets defined in the example scenario, the output from the listWSMPolicySubjects(detail=true) command is displayed as follows. Note that the two policies in conflict and the policy sets with which they are associated are shown in bold text.

   wls:/base_domain/serverConfig> listWSMPolicySubjects(detail=true)
    
   Application: /WLS/base_domain/jaxwsejb30ws
    
     Assembly: #jaxwsejb
    
       Subject: WS-Service({http://www.oracle.com/jaxws/tests/concrete}WsdlConcreteService#WsdlConcretePort)
    
           URI=/"oracle/mex_request_processing_service_policy", category=wsconfig, policy-status=enabled; source=local policy set; reference-status=enabled; effective=true
                   Property name="local.policy.reference.source", value="IMPLIED_FEATURE"
           URI="oracle/mtom_encode_fault_service_policy", category=wsconfig, policy-status=enabled; source=local policy set; reference-status=enabled; effective=true
                   Property name="local.policy.reference.source", value="IMPLIED_FEATURE"
           URI="oracle/max_request_size_policy", category=wsconfig, policy-status=enabled; source=local policy set; reference-status=enabled; effective=true
                   Property name="local.policy.reference.source", value="IMPLIED_FEATURE"
                   Property name="max.request.size", value="-1"
           URI="oracle/request_processing_service_policy", category=wsconfig, policy-status=enabled; source=local policy set; reference-status=enabled; effective=true
                   Property name="local.policy.reference.source", value="IMPLIED_FEATURE"
           URI="oracle/soap_request_processing_service_policy", category=wsconfig, policy-status=enabled; source=local policy set; reference-status=enabled; effective=true
                   Property name="local.policy.reference.source", value="IMPLIED_FEATURE"
           URI="oracle/ws_logging_level_policy", category=wsconfig, policy-status=enabled; source=local policy set; reference-status=enabled; effective=true
                   Property name="local.policy.reference.source", value="IMPLIED_FEATURE"
                   Property name="logging.level", value=""
           URI="oracle/test_page_processing_service_policy", category=wsconfig, policy-status=enabled; source=local policy set; reference-status=enabled; effective=true
                   Property name="local.policy.reference.source", value="IMPLIED_FEATURE"
           URI="oracle/wsdl_request_processing_service_policy", category=wsconfig, policy-status=enabled; source=local policy set; reference-status=enabled; effective=true
                   Property name="local.policy.reference.source", value="IMPLIED_FEATURE"
           URI="oracle/wss11_saml_or_username_token_with_message_protection_service_policy", 
   category=security, policy-status=enabled; source=global policy set "default-domain-ws-domain_gpa", scope="DOMAIN('base_domain')"; reference-status=enabled; effective=true
           URI="oracle/wss_saml_or_username_token_service_policy",
    category=security, policy-status=enabled; source=global policy set "default-domain-ws-domain", scope="DOMAIN('*')";
   reference-status=enabled; effective=true
    
           The policy subject is invalid in this context because of the following error:
                   WSM-01827 : Attaching multiple policies of category "security/authentication" is not supported. 
   Policies in list [ "oracle/wss11_saml_or_username_token_with_message_protection_service_policy" ]
    already have the category, current policy "oracle/wss_saml_or_username_token_service_policy" also has that category.
   

3. If a conflict is found, do one of the following:

   • Delete one of the policy sets as described in "Deleting Policy Sets Using WLST".

   • Disable one of the policy sets as described in "Enabling and Disabling a Policy Set".

For more information, see "Determining the Secure Status of an Endpoint".