16 Diagnosing Problems

This chapter contains the following sections:

Diagnosing Problems with Oracle WSM Policy Manager

The Oracle WSM Policy Manager manages all Oracle WSM policies and needs to be running to use the Oracle WSM policy framework. You can check the current state of the Policy Manager and review its response time, load, and other data from the Oracle WSM Policy Manager page in Oracle Enterprise Manager Fusion Middleware Control.

To view the Oracle WSM Policy Manager page:

  1. In the Navigator pane, expand Application Deployments.

  2. Under Application Deployments, expand Internal Applications.

  3. Select wsm-pm.

    The Oracle WSM Policy Manager home page is displayed.

    Figure 16-1 Oracle WSM Policy Manager Page

    Description of Figure 16-1 follows
    Description of "Figure 16-1 Oracle WSM Policy Manager Page"

  4. From the Policy Manager page, you can perform one or more of the following tasks:

    • In the General area of the page, you can check the current state of the Policy Manager and identify the server to which it is deployed.

    • In the Response and Load section of the page, you can view the response time and current load. To view this information in tabular form, click Table View.

    • In the Entry Points section of the page, you can validate the connection to the Policy Manager. To do so, in the Web Modules table, click the Test Point URL for wsm-pm. On the Validate Policy Manager page, click the Validate Policy Manager link, as shown in Figure 16-2.

      Figure 16-2 Validate Policy Manager Page

      Description of Figure 16-2 follows
      Description of "Figure 16-2 Validate Policy Manager Page"

    You can also access the Validator page in a Web browser using the following URL:

    http://host:port/wsm-pm/validator

    In this URL, host and port represent the host and port number on which the Policy Manager is running.

    If the connection to the Policy Manager fails, an error message is displayed. If the connection to the Policy Manager is successful, the Policy Manager Validator page displays the following information:

    • The status of the Policy Manager.

    • The total number of Oracle WSM policies in the Oracle WSM Repository

    • The name, latest version, and description of all the Oracle WSM policies in the Oracle WSM Repository.

    • The total number of Oracle WSM assertion templates in the repository

    • The name, latest version, and description of all the Oracle WSM assertion templates in the Oracle WSM Repository.

    • The creation date and build label of the repository.

    A sample Policy Manager Validator page is shown in Figure 16-3.

    Figure 16-3 Policy Manager Validator Page

    Description of Figure 16-3 follows
    Description of "Figure 16-3 Policy Manager Validator Page"

    For details about the Oracle WSM Repository, see Chapter 17, "Maintaining the Oracle WSM Repository."

Diagnosing Common Problems with Oracle WSM

The following sections describe some common problems you may encounter while using Oracle WSM, as well as possible solutions:

Unable to Connect to the Policy Manager

The following errors appear when you attempt to connect the Policy Manager:

  • WSM-06157: The repository database is not configured correctly or not running.

  • WSM-06160: The policy manager application has not been deployed or is not running.

  • WSM-06161: The policy manager application has not been deployed.

  • WSM-06162: The policy manager application is not running or is not configured correctly.

  • WSM-06159: Cannot connect to the policy manager due to credential issue.

Problem

The problem may be:

  • The Policy Manager is down. You can determine if the Policy Manager is down as follows:

  • The Policy Manager is targeted to an SSL server.

    Oracle Web Services Manager (WSM) supports an auto-discovery feature that it uses to locate and connect to an Oracle WSM Policy Manager within the same WebLogic domain. If the domain includes an SSL-configured server that has a Policy Manager deployed, the auto-discovery logic will connect to that Policy Manager and will not try to connect to any Policy Managers deployed on non-SSL servers. To ensure that the secure connection is maintained, the auto-discovery logic will not attempt to connect to a Policy Manager on a non-SSL server, even if the SSL-enabled server goes down. Therefore, even though there is a Policy Manager running, because it is running on a non-SSL enabled server, it is ignored and an error message is displayed.

  • The credential required to access the Policy Manager is invalid or is not authorized.

  • The repository may not be configured correctly.

Solution

If the Policy Manager is down:

Restart the wsm-pm application as described in "Starting and Stopping Applications" in Oracle Fusion Middleware Administrator's Guide.

If the Policy Manager is targeted to an SSL Server:

  • Verify that the wsm-pm Policy Manager application is targeted to an SSL server. You can do so using the WebLogic Server Administration Console as described in "Target an Enterprise application to a server" in the Oracle WebLogic Server Administration Console Help.

  • Verify that SSL has been configured correctly and that there are no SSL certificate issues. For additional information, see "Configuring Keystores for SSL".

  • If the SSL-enabled server is down, restart it, and the Policy Manager application, as described in "Starting and Stopping Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide.

  • If you want to use the Policy Manager on the non-SSL enabled server, untarget the Policy Manager application from the SSL-enabled server. For information about targeting applications to a server, see Managing Deployed Applications in Deploying Applications to Oracle WebLogic Server. To change the target server using the WebLogic Server Administration Console, see "Change target servers" in Oracle WebLogic Server Administration Console Help.

If there is a credential issue when attempting to access the Policy Manager:

By default, the Oracle WSM run time uses the OracleSystemUser account. If you are not using the default user accounts, you need to modify the configuration as described in "Modifying the Default User".

If there is a problem with the repository configuration:

Key or Credential Store Error After an Application Invokes Web Service

After an application invokes a Web service, a key store or credential store error such as the following appears:

  • WSM-00056: The key <alias_name> is not retrieved

  • WSM-00256: The property "Keystore Sign Alias" is not set

Problem

The problem may be:

  • The alias for the signature key or encryption key in the Oracle WSM keystore configuration does not exist in the Oracle WSM keystore.

  • The signature key, encryption key, or Oracle WSM keystore password is not synchronized between the keystore file and the keystore configuration for Oracle WSM. That is, at least one of the passwords does not have identical values in both locations.

Solution

To verify the alias for the signature key and encryption key in the Oracle WSM keystore configuration exist in the Oracle WSM keystore file:

  1. Use Fusion Middleware Control to identify the alias for the signature key and encryption key in the Oracle WSM keystore configuration by performing the procedure in "Configuring the Oracle WSM Keystore".

  2. Verify the aliases identified in step 1 exist in the Oracle WSM keystore file. To do so, use the keytool -list command on the Oracle WSM keystore file, as described in step 4 of "Generating Private Keys and Creating the Java Keystore". For detailed information about using the keytool utility, see the keytool - Key and Certificate Management Tool document at the following URL:

    http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

    Note:

    If you are unable to locate the document at the above URL, you can access it by searching for it on the Search Java SE Technical Documentation Web page at:

    http://download.oracle.com/javase/search.html

    • Ensure each alias is synchronized in both the keystore file and the Oracle WSM keystore configuration in the credential store. If they are not, you can edit the alias in the Oracle WSM keystore configuration by performing the procedure described in "Configuring the Oracle WSM Keystore". You can edit the alias in the Oracle WSM keystore file using the keytool -changealias command.

      Note:

      Before you edit an alias, be sure that doing so will not affect any other Web service.

    • If the alias for the signature key or encryption key does not exist in the Oracle WSM keystore file, add it as described in "Generating Private Keys and Creating the Java Keystore".

To ensure that the signature key, encryption key, and Oracle WSM keystore file passwords are each synchronized in the keystore file and the keystore configuration for Oracle WSM:

  1. Use keytool to reset the passwords in the Oracle WSM keystore file. Because the passwords are not visible, resetting them is the only method to ensure that they have identical respective values in both locations.

    • Use the keytool -storepasswd command to reset the Oracle WSM keystore file password.

    • Use the keytool -keypasswd command to reset the signature key password and encryption key password.

  2. Use Fusion Middleware Control to reset the passwords in the Oracle WSM keystore configuration to the same respective values you set in step 1, as described in "Configuring the Oracle WSM Keystore".

Trust Certificate Error After Application Invokes Web Service

After an application invokes a Web service, a trust certificate error such as the following appears:

WSM-00138: The path to the certificate is invalid due to exception

Problem

The problem may be, if the Web service is advertising its certificate in the Web Services Description Language (WSDL), the client may not be configured correctly to trust that certificate or its issuer.

Solution

To verify the client is configured to trust the Web service's certificate advertised in the WSDL or its issuer:

  1. Verify the client keystore has either the certificate of the Web service or the certificate of its issuer.

    Use the keytool –list command to identify the certificates in the client keystore. If either of the certificates is missing from the client keystore, use the keytool –importcert command to add them.

    Refer to the keytool - Key and Certificate Management Tool document on the Java SE Technical Documentation Web site for more information about using keytool. You can access this document at the following URL:

    http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

  2. If the certificate is not published in the service's WSDL, verify that the value for the keystore.recipient.alias override property of the client policy is identical to the alias of the certificate in the Oracle WSM keystore file.

    For more information, see "Attaching Client Policies Permitting Overrides".

SAML Assertion Error Appears During Identity Propagation

After an application attempts to propagate a user's identity by calling a different application using Oracle SOA, InvalidSecurityToken, FailedAuthentication, and SAML assertion issuer related errors appear.

Problem

The problem may be:

  • The SAML issuer name for the SAML token is not configured or is configured incorrectly.

  • The subject.precedence configuration override is set incorrectly.

Solution

To troubleshoot the SAML issuer name configuration:

Verify that the SAML Issuer Name that the client is using is among the issuers configured in the Oracle WebLogic Server domain. To do so, perform the steps described in "Adding an Additional SAML Assertion Issuer Name".

If the SAML Issuer Name that the client is using is not configured as an issuer in the Oracle WebLogic Server domain, Oracle recommends changing the issuer name on the client by updating its saml.issuer.name override to one of the issuers configured in the domain.

If you cannot change the issuer name on the client, you can add its issuer name to the Oracle WebLogic Server domain by performing the steps in the "Adding an Additional SAML Assertion Issuer Name".

Note:

If you make any changes to the issuers configured in the Oracle WebLogic Server domain, you must restart the Managed Server where Oracle WSM is deployed.

To troubleshoot the subject.precedence configuration override:

  1. Set the subject.precedence override value in your current client policy to false to change the identity to a different user. By default, the subject.precedence override is set to true.

  2. Set the appropriate Credential Store Framework key override on the client policy that contains the user name and password of the user you want to send to the service. If an entry for this user does not exist in the Credential Store Framework, you must add it. For more information, see "Configuring the Credential Store"

  3. Ensure the appropriate Web Services Identity Permission is set for the client application by performing the steps in "Configuring SAML Web Service Clients for Identity Switching".

Policy Access Error After an Application Invokes Web Service

After an application attempts to invoke a Web service, a policy access error such as the following appears:

  • WSM-06156: The policy URI is missing, empty or contains invalid characters.

  • WSM-06158: The referenced policy does not exist in the repository.

  • WSM-02017: The document was not found in the repository.

Problem

The problem may be:

  • The policy URI is missing or the policy name is misspelled.

  • The Policy Manager is down

  • The policy does not exist in the repository

  • The policy attachment is not in effect due to a cache delay.

Solution

To diagnose and solve policy access issues:

  1. Verify that the Policy Manager is running as described in "Diagnosing Problems with Oracle WSM Policy Manager" and "Unable to Connect to the Policy Manager".

  2. Verify that the mds-owsm datasource connection is reachable and available. For more information, see "Understanding and Managing Data Sources" in Oracle Fusion Middleware Administrator's Guide.

  3. Verify that the policy exists in the Oracle WSM Repository by viewing the contents of the repository using the Policy Manager Validator page. For details about accessing the Validator page and viewing the contents of the repository, see "Diagnosing Problems with Oracle WSM Policy Manager".

  4. If the policy exists in the repository, verify that the policy URI is consistent with the policy URI in the repository.

  5. If the policy does not exist in the Oracle WSM Repository, do one of the following:

  6. Check if the user is in a role that has the right permission granted. To modify any roles or permissions, refer to "Modify the User's Group or Role".

  7. Verify the policy accessor and cache delay.

    The amount of time it takes for a policy attachment to take effect is determined by the Oracle WSM policy accessor and policy cache property settings. By default, this delay can be up to a maximum of 11 minutes. To reduce the amount of the delay, if necessary, you can tune the following cache property settings:

    • Policy Accessor

      cache.refresh.initial, default 600000 milliseconds (10 minutes)

      cache.refresh.repeat, default 600000 milliseconds (10 minutes)

    • Policy Cache

      cache.tolerance, default is 60000 milliseconds (1 minute)

    For details about tuning these properties, see "Configuring Platform Policy Properties".

Unable to Access User in Credential Store

When Oracle WSM attempts to access a user in the credential store, an error such as the following occurs:

WSM-00015: The user name is missing

Problem

Oracle WSM cannot locate the user name in the credential store. This can be caused by any of the following:

  • The credential map oracle.wsm.security does not exist in the credential store.

  • The user is not listed in the map used by Oracle WSM.

  • The csf key for the entry does not exist in the credential store.

Solution

Verify that the credential map oracle.wsm.security exists in the credential store. Oracle WSM only reads from this credential store map.

To determine if the oracle.wsm.security credential map exists in the credential store, refer to the procedure in "Configuring the Credential Store".

If your application uses a credential map other than oracle.wsm.security, ensure that any users that Oracle WSM needs to access are duplicated in the oracle.wsm.security credential map.

Authorization Error After an Application Invokes Web Service

After an application attempts to invoke a Web service, an error such as the following appears:

java.security.AccessControlException: access denied (oracle.wsm.security.WSFunctionPermission

Problem

Generally this is not really a problem rather intended behavior; that is, the system was unable to authorize the user for the action that the user is attempting. To debug check the calling server diagnostic log for the authorization error. The error may look similar to the following:

2011-01-06T22:15:43.691-08:00] [SalesServer_2] [ERROR] [] [oracle.jbo.server.svc.ServicePermissionCheckInterceptor_w2f8f5_Impl] 
[tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] 
[userId: FMW_APPS_CRM_SELFSERVICE_ADF_APPID] 
[ecid: 004aIPwzJDGE8TQRyaI7T00001WJ00EJ8f,0:1:3:1:11:0x5f5e189:6:1] 
[WEBSERVICE_PORT.name: PartnerServiceSoapHttpPort] [APP: SalesApp#V2.0] 
[J2EE_MODULE.name: partnerCenterCorePublicModel]
[WEBSERVICE.name: PartnerService] [J2EE_APP.name: SalesApp_V2.0] 
[URI: /partnerCenterCorePublicModel/PartnerService] [[
java.security.AccessControlException: access denied (oracle.wsm.security.WSFunctionPermission 
http://xmlns.oracle.com/apps/partnerMgmt/partnerCenter/PartnerService#updatePartner invoke)
                at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
                at java.security.AccessController.checkPermission(AccessController.java:546)
                at oracle.jbo.server.svc.ServicePermissionCheckInterceptor.checkPermission(ServicePermissionCheckInterceptor.java:103)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Solution

Pay careful attention to the following information in the log, which is shown in bold text in the example above.

  1. The application stripe name – which is SalesApp#V2.0 in the above log. Make sure it matches what you configured for your application. For information about how to configure the stripe name, see "Configuring the Servlet Filter and the EJB Interceptor" in Oracle Fusion Middleware Application Security Guide.

  2. The permission grant, which is comprised of the following:

    1. Resource name, which is http://xmlns.oracle.com/apps/partnerMgmt/partnerCenter/PartnerService#updatePartner in the above log.

    2. Action, which is invoke in the above log.

    Both of these pieces of information must be specified correctly in your permission grant. For more information, see "How Authorization Permissions Are Determined".

If your application uses an LDAP-based authenticator and stores all roles in the LDAP, ensure that Oracle WSM can access the users and roles as described in "Modifying the Default User".

Timestamp Error After an Application Invokes Web Service

After an application invokes a Web service, a timestamp or clockSkew error such as the following occurs:

WSM-00060: Error validating timestamp

Problem

The problem will either manifest itself as a timestamp validation or clockSkew error as shown below:

Caused By: FAULT CODE: InvalidSecurityToken FAULT MESSAGE: Found invalid condition "on or after" in SAML assertion.
Current Time:Fri Feb 11 22:16:42 IST 2011, clockSkew:300000 milli seconds, NotOnOrAfter Time:Fri Feb 11 14:21:42 IST 2011.

This problem usually happens if your server and client clocks are more than five minutes apart after they are converted to the same time zone.

Solution

Change your client or server clock in one of the following ways so that they are within five minutes, both set to the correct time:

Multiple Authentication Security Policy Error After an Application Invokes a Web Service

After an application invokes a Web service, a multiple policy error (WSM-01823) appears in the log. This error appears, for example, if multiple authentication policies are attached to a subject.

Problem

More than one authentication policy was attached to a subject. This can happen if you have two policy sets that each attach an authentication policy to the same resource type, such as a Web service. For example, if you have two policy sets defined in the Oracle WSM Repository for your domain and one defines the policy scope as Domain("domain_name") and the other as Domain ("*"). The following listing illustrates an example of this scenario.

wls:/soa_domain/serverConfig> displayPolicySet('default-domain-ws-domain_gpa')

   Policy Set Details:
   -------------------
   Name:                default-domain-ws-domain_gpa
   Type of Resources:   Web Service Endpoint
   Scope of Resources:  Domain("soa_domain")
   Description:         Global policy attachments for Web Service Endpoint resources.
   Enabled:             true
   Policy Reference:    security : oracle/wss11_saml_or_username_token_with_message_protection_service_policy, enabled=true

wls:/soa_domain/serverConfig> displayPolicySet('default-domain-ws-domain')

   Policy Set Details:
   -------------------
   Name:                default-domain-ws-domain
   Type of Resources:   Web Service Endpoint
   Scope of Resources:  Domain("*")
   Description:         Global policy attachments for Web Service Endpoint resources.
   Enabled:             true
   Policy Reference:    security : oracle/wss_saml_or_username_token_service_policy, enabled=true

In this example, there are two policy sets with different names and different authentication policies pointing to the same resource type on the domain.

Note:

If the authentication policies attached to the subject are exact duplicates of each other, including any configuration overrides, the policy attachment is viewed as a duplicate and the configuration is valid.

Solution

To verify if you have multiple policy sets attempting to attach authentication policies:

  1. Use the listPolicySets() command to display a list of the policy sets in the domain. For more information about this command, see "Displaying a List of Policy Sets Using WLST".

  2. Use the listWebServices or listWebServiceClients command, with the detail argument set to true, to view the endpoint (port) and policy details for all applications and composites in the domain, the secure status of the endpoints, any configuration overrides and constraints, and if the endpoints have a valid configuration.

    Using the policy sets defined in the example scenario, the output from the listWebServices(detail=true) command is displayed as follows. Note that the two policies in conflict and the policy sets with which they are associated are shown in bold text.

    wls:/soa_domain/serverConfig> listWebServices(detail=true)
     
    /soa_domain/jrfServer_admin/jaxws-sut-no-policy :
            moduleName=jaxws-service, moduleType=web, serviceName={http://namespace/}TestService
            enableTestPage: true
            enableWSDL: true
     
                    TestPort        http://host.example.com:8344/jaxws-service/TestService
                    enable: true
                    enableREST: false
                    enableSOAP: true
                    maxRequestSize: -1
                    loggingLevel: NULL
                    Constraint: No Constraint
                            (global) security : oracle/wss11_saml_or_username_token_with_message_protection_service_policy, enabled=true
                                    /policysets/global/default-domain-ws-domain_gpa : Domain("*")
                            (global) security : oracle/wss_saml_or_username_token_service_policy, enabled=true
                                    /policysets/global/default-domain-ws-domain : Domain("*")
                    Attached policy or policies are not valid.
                    One or more attached policies are not compatible with endpoint or other attached policy.
    
  3. If a conflict is found, do one of the following:

For more information, see "Determining the Secure Status of an Endpoint".

Diagnosing Policy Attachment Issues Using WLST

To ensure that there are no conflicts between directly-attached policies and policies attached globally using policy sets, use the following WLST commands:

  • listWebServices (detail="true") — Displays a list of the Web services in a domain including endpoint configuration, the effective set of policies attached to each endpoint, the secure status of the endpoint, any configuration overrides and constraints, and if the endpoint has a valid configuration. For information about using this command, see "Viewing the Web Services in a Domain Using WLST".

  • listWebServiceClients (detail="true") — Displays a list of the Web service clients in a domain including endpoint configuration, the effective set of policies attached to each endpoint, the secure status of the endpoint, any configuration overrides and constraints, and if the endpoint has a valid configuration. For information about using this command, see "Viewing Web Service Clients", "Using WLST"

    Note:

    An endpoint is considered secure if the policies attached to it (either directly, or externally using a policy set) enforce authentication, authorization, or message protection behaviors.

If your configuration includes policies attached globally using policy sets, you can view information about the policy sets using the following commands:

To view the effective policies for an endpoint using Fusion Middleware Control, see "Viewing the Policies That are Attached to a Web Service".

For more information about determining if the endpoint is secure and has a valid configuration, see "Determining the Secure Status of an Endpoint".

Sample Valid Configuration Output with Globally and Directly Attached Policies

The following example shows sample output from the listWebServices(detail=true) command for a valid configuration. Because you can specify the priority of a global or directly attached policy (using the reference.priority configuration override), the effective field indicates if directly attached policies are in effect for the endpoint.

Note:

To simplify endpoint management, all directly attached policies are shown in the output regardless of whether they are in effect for the endpoint. In contrast, only globally attached policies that are in effect for the endpoint are displayed.

/jrfServer_domain/jrfServer_admin/jaxws-sut :
        moduleName=jaxws-sut-service, moduleType=web, serviceName={http://namespace/}TestService
        enableTestPage: true
        enableWSDL: true
 
                TestPort        http://host.example.com:9315/jaxws-sut-service/TestService
                enable: true
                enableREST: false
                enableSOAP: true
                maxRequestSize: -1
                loggingLevel: NULL
                management : oracle/log_policy, enabled=true
                security : oracle/wss_username_token_service_policy , enabled=true , effective=false
                Constraint: No Constraint
                        (global) security : oracle/wss_saml_or_username_token_service_policy, enabled=true
                                /policysets/global/all-domains-default-web-service-policies : Domain("*")
                                        reference.priority=1
                Constraint: HTTPHeader('VIRTUAL_HOST_TYPE','external')
                        (global) security : oracle/wss10_message_protection_service_policy, enabled=true
                                /policysets/global/domainExternal : Domain("*")
                Attached policy or policies are valid; endpoint is secure.

Sample Valid Configuration Output with Directly Attached Policies Only

The following example shows sample output from the listWebServices(detail=true) command for a valid configuration. The directly attached policy is shown in bold text.

/jrfServer_domain/jrfServer_admin/jaxws-sut-no-policy :
        moduleName=jaxws-service, moduleType=web, serviceName={http://namespace/}TestService
        enableTestPage: true
        enableWSDL: true
 
                TestPort        http://host.example.com:8344/jaxws-service/TestService
                enable: true
                enableREST: false
                enableSOAP: true
                maxRequestSize: -1
                loggingLevel: NULL
                security : oracle/wss_saml_or_username_token_service_policy, enabled=true
                Attached policy or policies are valid; endpoint is secure.

Diagnosing Problems With a Domain Configuration using WLST

To ensure that there are no problems with the configuration of your domain, use the checkWSMStatus WLST command. The checkWSMStatus command returns the status of the policy manager (wsm-pm), the agent (agent), and the credential store and keystore configuration (credstore). The status of the components can be checked together or individually.

This command can be run after the provisioning of your WSM-protected Web service; there is no need to wait until after the first invocation.

Note:

The Policy Manager (wsm-pm) application must be deployed and running for the checkWSMStatus command function correctly.

For more information on this command, see checkWSMStatus in WebLogic Scripting Tool Command Reference.

In the following example, the checkWSMStatus command returns a failure for the credential store because it is missing the key keystore-csf-key.

wls:/base_domain/serverConfig> checkWSMStatus('credstore')
 
Credential Store Configuration:
 
 
FAILED.
        Message(s):
             keystore.pass.csf.key : Property is configured and its value is "keystore-csf-key".
                 Description: The "keystore.pass.csf.key" property points to the CSF alias that is mapped to the username and password of the keystore. 
Only the password is used; username is redundant in the case of the keystore.
             keystore-csf-key : Credentials not configured.
 
Credential Store Diagnostic Messages:
        Message(s):
                 The csf-key keystore-csf-key is not present in the credential store. 
 
 Perform the following steps to update the credential store (using WLST commands):-
 1. connect()
 2. createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore-csf-key", password="<keystore-password>", desc="Keystore Password CSF Key")
 NOTE:- All the above commands are based on the Domain level configurations. 
The actual csf key may be overridden at runtime due to config override. 
See Documentation for more details.
false

In the following example, the checkWSMStatus command returns the status of the credential store and keys, the policy manager, and the enforcement agent for the domain base_domain.

wls:/base_domain/serverConfig> checkWSMStatus()
 
Credential Store Configuration:
 
PASSED.
        Message(s):
             keystore.pass.csf.key : Property is configured and its value is "keystore-csf-key".
                 Description: The "keystore.pass.csf.key" property points to the
 CSF alias that is mapped to the username and password of the keystore. 
Only the password is used; username is redundant in the case of the keystore.
             keystore-csf-key : Credentials configured.
             keystore.sig.csf.key : Property is configured and its value is "sign-csf-key".
                 Description: The "keystore.sig.csf.key" property points to the
 CSF alias that is mapped to the username and password of the private key that is used for signing.
             sign-csf-key : Credentials configured.
             Sign Key : Key configured.
                 Alias - orakey
             Sign Certificate : Certificate configured.
                 Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
                 Expiry - June 28, 2020 11:17:12 AM PDT
             keystore.enc.csf.key : Property is configured and its value is "enc-csf-key".
                 Description: The "keystore.enc.csf.key" property points to the
 CSF alias that is mapped to the username and password of the private key that is used for decryption.
             enc-csf-key : Credentials configured.
             Encrypt Key : Key configured.
                 Alias - orakey
             Encrypt Certificate : Certificate configured.
                 Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
                 Expiry - June 28, 2020 11:17:12 AM PDT
 
Policy Manager:
 
PASSED.
        Message(s):
             OWSM Policy Manager connection state is OK.
             OWSM Policy Manager connection URL is "t3://host:7001".
 
Enforcement Agent:
 
PASSED.
        Message(s):
             Enforcement is successful.
             Service URL: http://host:7001/Diagnostic/DiagnosticService?wsdl

Diagnosing Common Oracle WSM Exceptions for WS-Trust Use Cases

Table 16-1lists the common Oracle WSM exceptions and errors that can occur during an end-to-end WS-Trust use case scenario. The probable cause and recommended solutions are also provided. For details about how to configure the supported WS-Trust use cases, see the following topics:

Table 16-1 Common Oracle WSM Exceptions and Errors for WS-Trust Use Cases

Exception/Error Possible Cause Solution

WSM-00015: The user name is missing.

  1. The sts.auth.user.csf.key configuration property may not be overridden in the STS issued token client policy.

  2. If the property has been overridden, the CSF key may not be available in the credential store or the override may not be specifying the correct value.

Override the sts.auth.user.csf.key property in the STS issued token client policy with the correct value from the credential store.

javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

When communicating with any service over an SSL channel, a valid SSL certificate for the service must be available in the trusted keystore for the JRE distribution being used in the environment. In most cases, the SSL certificate is found in the following directory:

JAVA_HOME/jre/lib/security/cacerts

This exception can occur due to either of the following:

  • The SSL certificate for the service could not be found in the trusted keystore.

  • The SSL certificate present in the trusted keystore may have expired.

Ensure that a valid SSL certificate for the service has been imported into the trusted keystore at JAVA_HOME/jre/lib/security/cacerts.For more information, see "Configuring Keystores for SSL".

WSM-00323 : STS ISSUER_ADDRESS obtained from WSDL is null. Local STS configuration is also not available.

This exception occurs because both the client and the service do not have an STS trust config policy attached. For a simple WS-Trust use case, the STS trust config policy must be attached to either the client or the service application. Because there are no policies attached, the client does not know which STS to communicate with to get the SAML token.

Attach an STS trust config policy to the client or service application as required for your configuration. For more information, see "WS-Trust Policies and Configuration Steps".

FailedAuthentication: Security Token cannot be authenticated: Error in receiving the request: oracle.wsm.security.SecurityException: WSM-00062 : The path to the certificate used for the signature is invalid.

The web service provider or Relying Party is not able to validate the Issuer's signature on the incoming SAML token.

Make sure that you have imported the issuer's public key/certificate into the JKS/KSS keystore that the service is using.

For detailed procedures, see "Configuring Keystores for Message Protection".

InvalidSecurityToken : The security token is not valid. SAML assertion issuer name is invalid.

WSM-00376 : SAML token authentication failed for issuer "<issuer name>".

The SAML assertion issuer name is not configured in the trusted issuers list in the domain in which the Relying Party service is deployed.

Add the issuer to the list of trusted issuers in the domain in which the service is running.

For detailed procedures, see "Defining Trusted Issuers and a Trusted DN List for Signing Certificates".

WSM-00231: Cannot find client compatible policy for STS <STS WSDL URI>, port name <STS port name>"

This exception can be thrown when a third party STS server is protected using a policy that does not have a compatible client policy in Oracle WSM.

Any STS endpoint that the client is trying to communicate with is protected with a security policy. Oracle STS uses Oracle WSM which provides compatible client and service policies. In this case, the client should not have any trouble finding the corresponding client policy.

The Oracle WSM trust client has been tested with most common STS servers so it is unlikely that this exception will occur.

In the event that this exception is thrown, a possible workaround is to attach a new or cloned version of the oracle/sts_trust_config_client_policy on the client side and configure it with the client policy to be used to communicate with the STS. For details, see "Manually Configuring the STS Config Policy From the Web Service Client: Main Steps".


Diagnosing Problems Using Logs

Oracle Fusion Middleware components, including Web services, generate log files containing messages that record all types of events, including startup and shutdown information, errors, warning messages, access information on HTTP requests, and so on. Each log message includes specific information such as time, component ID, and user to assist you in pinpointing and diagnosing problems that arise.

You can review log messages to diagnose problems with specific components, such as Web services. There are two categories of log files that you can reference to assist in diagnosing problems with Web services:

For more information about logging in Oracle Fusion Middleware, see "Managing Log Files and Diagnostic Data" in Oracle Fusion Middleware Administrator's Guide.

The following sections describe how to use diagnostic and message logs to diagnose problems. A set of sample logs is provided at the end of this section.

Using Diagnostic Logs for Web Services

Diagnostic logs enable you to access diagnostic data about specific feature components in Oracle Fusion Middleware.

The following sections describe how to view and manage diagnostic log files:

Setting the Log Level for Diagnostic Logs

You set the logging level for Web service and Oracle WSM components at the WebLogic Server level, using the Log Configuration page.

In addition, you can override the log levels set at the server level for a specific Web service endpoint from the Web Service Endpoint page. The logging level set at the Web service endpoint level must be "finer grained" than the level set at the WebLogic Server level. Otherwise, the logging level set at the WebLogic Server level will be used.

The following procedures describe how to set the log level for diagnostic logs at the WebLogic Server and Web service endpoint levels. For more information, see "Setting the Level of Information Written to Log Files" in Oracle Fusion Middleware Administrator's Guide.

To set the log level for diagnostics logs at the WebLogic Server level:

  1. Navigate to the WebLogic Server for which you want to configure a logger.

    1. In the navigator pane, expand WebLogic Domain.

    2. Expand the domain.

    3. Select the desired server from the list.

      The WebLogic Server home page is displayed.

  2. From the WebLogic Sever menu, select Logs > Log Configuration.

    The Log Configuration page is displayed.

  3. Select the Log Levels tab.

    The list of loggers is displayed, as shown in Figure 16-6.

    The Log Levels page shows the name of the logger, the current logging level, which you can edit, and the associated log file (for example, olh-handler). For information about configuring the log files, see "Configuring Log Files for a Web Service".

    Figure 16-6 Log Levels Page

    Description of Figure 16-6 follows
    Description of "Figure 16-6 Log Levels Page"

  4. Expand Root Logger.

  5. Expand oracle.

  6. Set the logging level for one or more of the following components:

    • oracle.webservices—Web service components.

    • oracle.wsm—Oracle WSM components.

    You can fine tune the logging level by expanding either of the above components and specifying the logging level at the subcomponent level.

    To change the logging level for a logger, navigate to the logger in the Logger Name column and select the desired logging level from the Oracle Diagnostic Logging Level (Java Level) drop-down menu.

    For example, select TRACE:32 from the drop-down menu associated with the oracle.wsm logger.

    By default, the logging levels are inherited from the parent and set to NOTIFICATION: 1 (INFO) for the Web service and Oracle WSM components and subcomponents.

  7. Click Apply to store the new logging level.

To set the log level for diagnostic logs at the Web service endpoint level:

  1. Navigate to the Web Service Endpoint page, as described in "Viewing the Details for a Web Service Endpoint".

  2. Click the Configuration tab.

  3. Set the Logging Level field to one of the following settings: Severe, Warning, Information, Configuration, Fine, Finer, Finest or NULL.

    Note:

    You can also set the log level at the Web service endpoint using the setWebServiceConfiguration WLST command. Set the loggingLevel property of the itemProperties argument to one of the following settings: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, or NULL. For details about using this command, see "setWebServiceConfiguration" in WebLogic Scripting Tool Command Reference.

Viewing Diagnostic Logs

You can view the diagnostic log files for an ADF and WebCenter Web service endpoint from the Log Messages page.

To view diagnostic logs for a Web service endpoint:

Navigate to the Web Service Endpoint page, as described in "Viewing the Details for a Web Service Endpoint", and in the Quick Links section of the Web Services Endpoint page (top right), click Diagnostic Logs.

Note:

You can view a summary of all faults incurred by the Web services in your application. For more information, see "Monitoring the Performance of Web Services".

The Log Messages page is displayed, as shown in the following figure.

Figure 16-7 Log Messages Page

Description of Figure 16-7 follows
Description of "Figure 16-7 Log Messages Page"

Click on a message in the message area to view more details at the bottom of the page. If desired, you can export a message to a text, XML, or CSV file by selecting the messages on the list and clicking Export Messages to File.

You can control the message content displayed using the following controls:

  • Search—Modify the search criteria. For more information, see "Filtering Diagnostic Logs".

  • View menu—Select the columns to display in the table. Click on a particular column to sort contents up or down.

  • Show menu—Group messages by type or ID, or view them in chronological order.

  • View Related Messages—View messages related to those selected on the list.

  • Broaden Target Scope—Broaden the scope of messages displayed. You can broaden the scope to include all messages for the domain, WebLogic Server, or Farm.

  • Refresh menu—Specify an automatic or manual refresh rate.

To view the contents of a generated log file:

  • Click the log file icon associated with a message to view the contents of that log file.

  • Click Target Log Files... to display the Log Files page and view or download the contents of all generated log files.

For more information, see "Viewing and Searching Log Files" in Oracle Fusion Middleware Administrator's Guide.

Filtering Diagnostic Logs

By default, the Log Messages page displays a summary of diagnostic messages logged over the last hour.

To filter diagnostic logs:

  1. Filter the messages that are displayed by updating the search criteria using the following fields:

    • Date Range—Set the date range to one of the following:

      • Most Recent—Set the amount of time to define the duration.

      • Time Interval—Set the start and end dates to define the interval.

    • Message Types—Select the message types that you want to display.

    • Add Fields—Add other message fields to your search criteria, such as Message ID, Component, and so on.

  2. Click Search once you have set the fields, as desired.

    The messages area is updated with the filtered results.

For more information, see "Viewing and Searching Log Files" in Oracle Fusion Middleware Administrator's Guide.

Logging Oracle WSM Debug Messages

To debug Oracle WSM, pass one of the following properties when starting WebLogic Server, as required. For more information, see "Starting and Stopping Servers" in Managing Server Startup and Shutdown for Oracle WebLogic Server.

Note:

Enabling one or more of these properties may negatively impact performance for very large messages. When enabled, Oracle WSM creates temporary buffers which will result in additional load on the Java garbage collector.

Table 16-2 Startup Properties for Logging Oracle WSM Debug Messages

Startup Property Description

-Dxml.debug.verify=true

Logs the sequence of bytes produced during a signature verification failure. Verification errors are output to stderr and the diagnostic log file when the log level is set to at least ERROR.

-Dxml.debug.digest=true

Verifies that the sequence of bytes produced during signature generation canonicalization and signature verification match. Verification errors are output to stderr and the diagnostic log file when the log level is set to at least FINE.

-Dxml.debug.decrypt

Logs the sequence of bytes produced following a decryption failure before XML parsing. Verification errors are output to stderr and the diagnostic log file.


Using Message Logs for Web Services

Message logs enable you to access the contents of the SOAP message requests and responses for ADF and WebCenter Web services and clients. Messages logs are stored in a log file separate from the diagnostic messages, by default.

The following sections describe how to view and manage message log files:

Configuring Message Logs

You configure message logs for a Web service or client in one of the following ways:

  • Attach a policy that contains a logging assertion to the Web service or client.

    There is one predefined logging assertion template: oracle/security_log_template, described in "oracle/security_log_template". This template is configured to log the entire SOAP message for the Web service request and response. By default, all predefined Web service security policies use this logging assertion to capture the entire SOAP message before and after the primary security assertion is executed. By default, the log assertion is not enforced. You must enable it in order for the SOAP message to be logged in message logs, as described in "Enabling or Disabling Assertions Within a Policy". It is recommended that the logging assertion be enabled for debugging and auditing purposes only.

  • Attach the oracle/log_policy policy to the Web service or client. For more information, see "oracle/log_policy".

  • Create your own logging policy or assertion template to further refine the elements of the SOAP message that are logged for the Web service request and response.

    For example, you may wish to view only the SOAP body of the request message. To create a new policy, following the procedure described in "Creating Web Service Policies". You may wish to create a copy of the oracle/security_log_template assertion template and configure it for use in the new policy. For more information about creating a new assertion template, see "Creating an Assertion Template".

Viewing Message Logs

You can view the message log files for an ADF and WebCenter Web service endpoint from the Log Messages page.

To view message logs for a Web service endpoint:

Navigate to the Web Service Endpoint page, as described in "Viewing the Details for a Web Service Endpoint", and in the Quick Links section of the Web Services Endpoint page (top right), click Message Logs.

The Log Messages page is displayed, similar to Figure 16-7. For more details about the contents of the Log Messages page, see "Viewing Diagnostic Logs".

Filtering Message Logs

By default, the Log Messages page displays a summary of SOAP messages logged over the last hour. You can filter the messages that are displayed by updating the search criteria. The process is the same as for diagnostic logs; for more information, see "Filtering Diagnostic Logs".

By default, the Component and Module message fields are included as part of the Search criteria for message logs. The Component field is set to the WebLogic Server name; the Module field is set to oracle.wsm.msg.logging, which is the name of the message logging component.

Reviewing Sample Logs

The following sections provide excerpts from sample logs, demonstrating how to diagnose specific problems using the log entries.

Sample Log: Oracle WSM Policy Manager Not Available

The following sample log excerpt indicates that the Oracle WSM Policy Manager is down. To resolve this issue, restart the wsm-pm application, as described in "Starting and Stopping Applications Using" in Oracle Fusion Middleware Administrator's Guide.

2009-02-16 16:21:28,029 [[ACTIVE] ExecuteThread: '4' for queue:
 'weblogic.kernel.Default (self-tuning)'] 
 ERROR policymgr.PolicyManagerModelBean logp.251 - 
 Service lookup failed with URL:t3://host.example.com:7001/wsm-pm
 oracle.wsm.policymanager.PolicyManagerException: WSM-02118 : 
 The query service cannot be created.
...

Sample Log: Security Keystore Not Configured

The following sample log excerpt indicates that an Oracle WSM security policy with message protection was applied, but the keystore was not configured. To resolve this security fault, configure the keystore, as described in "Configuring Keystores for Message Protection".

Feb 16, 2009 5:29:56 PM oracle.wsm.common.logging.WsmMessageLogger logSevere 
 SEVERE: The specified Keystore file /scratch/sbollapa/stage131/user_projects/domains/sai131_domain/config/fmwconfig/default-keystore.jks 
 cannot be found; it either does not exist or its path is not included in the 
 application classpath.
 Feb 16, 2009 5:29:56 PM oracle.wsm.common.logging.WsmMessageLogger logSevere
 SEVERE: Keystore is not properly configured in jps config.
 Feb 16, 2009 5:29:56 PM oracle.wsm.common.logging.WsmLogUtil log
 SEVERE: failure in OWSM Agent processRequest, category=security,
 function=agent.function.client, application=default, composite=pe3test3,
 modelObj=Service1, + policy=null, policyVersion=null, assertionName=null
 oracle.wsm.common.sdk.WSMException: WSM-00101 : The specified Keystore file 
 /scratch/sbollapa/stage131/user_projects/domains/sai131_domain/config/fmwconfig/default-keystore.jks cannot be found; 
 it either does not exist or its path is not included in the application classpath.
...

Sample Log: Certificate Not Available

The following sample log excerpt indicates that an Oracle WSM security policy with message protection was applied that required a security certificate that was not available in the keystore. To resolve this security fault, configure the keystore with a certificate, as described in "Obtaining a Trusted Certificate and Importing it into the Keystore".

[2009-04-15T04:07:02.821-07:00] [jrfServer] [ERROR] [WSM-000062]
 [oracle.wsm.resources.security] [tid: [ACTIVE].ExecuteThread: '0' for 
queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] 
 [ecid: 0000I2dTFG7DScT6uBe9UH19tRyv000000,0:1] [WEBSERVICE_PORT.name:
 NonCAAsCAMessageProtectionPolicyPort] [APP: jaxwsservices] 
 [J2EE_MODULE.name: NonCAAsCAMessageProtectionPolicy] [WEBSERVICE.name:
 NonCAAsCAMessageProtectionPolicyService] [J2EE_APP.name: jaxwsservices] 
 [arg: oracle.wsm.security.SecurityException: WSM-00062 : 
 The path to the certificate used for the signature is invalid.] 

[2009-04-15T04:07:02.810-07:00] [jrfServer] [NOTIFICATION] []
 [oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor] 
 [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default
 (self-tuning)'] [userId: <anonymous>] 
[ecid: 0000I2dTFG7DScT6uBe9UH19tRyv000000,0:1] 
[WEBSERVICE_PORT.name: NonCAAsCAMessageProtectionPolicyPort] 
[APP: jaxwsservices] [J2EE_MODULE.name: NonCAAsCAMessageProtectionPolicy]
 [WEBSERVICE.name: NonCAAsCAMessageProtectionPolicyService] [J2EE_APP.name:
 jaxwsservices] Certificate path validation failed for signing certificate

[2009-04-15T04:07:02.821-07:00] [jrfServer] [ERROR] [WSM-00006]
 [oracle.wsm.resources.security] [tid: [ACTIVE].ExecuteThread: '0' for queue:
 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] 
[ecid: 0000I2dTFG7DScT6uBe9UH19tRyv000000,0:1] [WEBSERVICE_PORT.name:
 NonCAAsCAMessageProtectionPolicyPort] [APP: jaxwsservices] 
[J2EE_MODULE.name: NonCAAsCAMessageProtectionPolicy] [WEBSERVICE.name:
 NonCAAsCAMessageProtectionPolicyService] [J2EE_APP.name: jaxwsservices] 
[arg: oracle.wsm.security.SecurityException: WSM-00062 : The path to the
 certificate used for the signature is invalid.] Error in receiving the request:
 oracle.wsm.security.SecurityException: WSM-00062 : The path to the certificate
 used for the signature is invalid.

Configuring Log Files for a Web Service

To further organize your logging data, you can configure the log files for a Web service. You can configure log files for SOA, ADF, and Web Center services.

The following table defines the default log files that are relevant to Oracle WSM.

Table 16-3 Default Log Files for Oracle WSM

Default Log File Description

odl-handler

Logs general diagnostic data for the Java EE components in the server.

owsm-message-handler

Logs SOAP messages as per Oracle WSM logging policies.


The following procedure describes how to set the log level for diagnostic logs at the WebLogic Server and Web service endpoint levels.

For more information about using Fusion Middleware Control or WLST to set the log levels, see "Setting the Level of Information Written to Log Files" in Oracle Fusion Middleware Administrator's Guide.

To configure the log files for a Web service:

  1. Navigate to the WebLogic Server for which you want to configure a logger.

    1. In the navigator pane, expand WebLogic Domain.

    2. Expand the domain.

    3. Select the desired server from the list.

      The WebLogic Server home page is displayed.

  2. From the WebLogic Sever menu, select Logs > Log Configuration.

    The Log Configuration page is displayed.

  3. Select the Log Files tab.

    The current list of log files is displayed, as shown in Figure 16-8. The Log Configuration page shows the currently configured log path, file format, and rotation policy.

    Figure 16-8 Current Log Files

    Description of Figure 16-8 follows
    Description of "Figure 16-8 Current Log Files"

  4. If you wish to edit the log policy configuration, select the log file in the list and click Edit Configuration . . ..

    The Edit Log File page is displayed.

    Figure 16-9 Edit Log File Page

    Description of Figure 16-9 follows
    Description of "Figure 16-9 Edit Log File Page"

  5. Edit the log file information, as required.

    Table 16-4 Fields in Edit Log File Page

    Field Description

    Log Path

    Path to the log file. This field is required.

    Log File Format

    Format of the log file. Valid values are text or XML.

    Log Level

    Default log level for the logger. Select a log level from the list. Valid values include:

    • INCIDENT_ERROR:1 (SEVERE+100)

    • ERROR:1 (SEVERE)

    • WARNING:1 (WARNING)

    • NOTIFICATION:1 (INFO)

    • NOTIFICATION:16 (CONFIG)

    • TRACE:1 (FINE)

    • TRACE:16 (FINER)

    • TRACE:32 (FINEST)

    Use Default Attributes

    Flag that specifies whether to use default attributes for the logger.

    Supplemental Attributes

    Supplemental attributes required.

    Loggers to Associate

    Components to associate with the logger.

    Rotation Policy

    Specify whether you wish to rotate log files based on file size of length of time. For more information, see "Configuring Log File Rotation" in Oracle Fusion Middleware Administrator's Guide.

    If Size Based is selected as the rotational policy, Maximum Log Files Size is a required field. If Time Based is selected as the rotational policy, Frequency is a required field.


  6. Click OK to edit the log file configuration.