adf-config.xml Refers to a Non-Existent BPEL Connection

    [oracle.webcenter.worklist.config] [tid: pool-1-daemon-thread-15] [userId: Luke] [ecid: 0000I0n7GBZFk3FLN2o2ye19lrBX00000L,0:1:6] [APP: WorklistV2.0] TaskServiceSOAPClient: soapFault:[[
    <env:Fault xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <faultcode>ns0:FailedAuthentication</faultcode>
      <faultstring>FailedAuthentication : The security token cannot be authenticated or authorized.</faultstring>
      <faultactor/>
    </env:Fault>
    ]]

In the diagnostic logs of the Oracle SOA Suite's managed server:

    [2009-03-23T04:52:07.909-07:00] [soa_server1] [ERROR] [WSM-00008] [oracle.wsm.resources.security] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000I0nB64fFk3FLN2o2ye19lrBX00000O,0:1:3:1] [WEBSERVICE_PORT.name: TaskQueryServicePortSAML] [APP: soa-infra] [J2EE_MODULE.name: /integration/services/TaskQueryService] [WEBSERVICE.name: TaskQueryService] [J2EE_APP.name: soa-infra] Web service authentication failed.

Solution
The same users must exist in the identity stores of both managed servers. For information, see the section "Setting Security for the Worklist Service" in the Oracle Fusion Middleware Developer's Guide for Oracle WebCenter. This can be easily accomplished with a common LDAP identity store.

A useful check is to validate that you can log in to the Oracle SOA Suite's BPEL Worklist application with the user ID for which the Worklist service is unavailable. That is, try accessing the integration Worklist application at:

    http://host:port/integration/worklistapp

where the host and port are the same as those used in the Worklist connection for the task flow application.

22.5.2.2 Shared User Directory Does Not Include the weblogic User

Problem
BPEL Web services cannot respond to requests received from the Worklist service because the shared user directory does not include the weblogic user.

Solution
Ensure that you have tried the solution provided in "Users Mismatch in Identity Stores". If that solution did not resolve the issue, then try the solution described in this section.

If Oracle SOA Suite is connected to a shared user directory (LDAP), and the user weblogic does not exist in the identity store, then the following step assigns the BPMWorkflowAdmin role to a valid user in the identity store. Use WLST to revoke an application role from SOAAdmin and grant it to a member of the external identity store. This can be done by running the following WLST commands from the SOA_ORACLE_HOME. For example:

    cd SOA_ORACLE_HOME/common/bin
    wlst.sh
    connect('weblogic', 'weblogic', 'soa host : soa administration port')
    revokeAppRole(appStripe="soa-infra", appRoleName="BPMWorkflowAdmin", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="SOAAdmin")
    grantAppRole(appStripe="soa-infra", appRoleName="BPMWorkflowAdmin", principalClass="weblogic.security.principal.WLSUserImpl", principalName="user")

In this example, the LDAP identity store has a user named user. If the user to which you want to grant the BPMWorkflowAdmin role does not exist in the LDAP identity store, then you must restart the Oracle SOA Suite's managed server to make this change effective.

22.5.2.3 Issues with the wsm-pm Application

Problem
There is an issue with the wsm-pm application on the Worklist service's managed server, on the Oracle SOA Suite's managed server, or on both.

Solution
The wsm-pm application manages the Web service security policies that control the SAML authentication in the Worklist service. To validate the wsm-pm application, log in to the wsm-pm application's validation page as a user with administrative rights. Use this URL format for validation:

    http://host:port/wsm-pm/validator

If there are no issues with this application, then the accessible policies are displayed. If policies do not display, then investigate the related logged information on the server whose wsm-pm application is failing.

22.5.2.4 Clocks are Out of Sync for More Than Five Minutes

For security reasons, the Web service security interaction between the Worklist service's managed server and that of the Oracle SOA Suite BPEL must take place with a time difference of less than five minutes. That is, the clocks on both host machines must have a time difference of less than five minutes; otherwise authentication fails. The SAML assertion uses the NotBefore condition to verify this.

Problem
The clocks of the Worklist service's managed server and the Oracle SOA Suite BPEL's managed server are out of sync by more than five minutes.

Solution
Ensure that the current time is not set to earlier than the SAML assertion's clock skew, which is 300 seconds by default. Either match the time on the client and service machines, or configure the agent.clock.skew property (in seconds) in the policy-accessor-config.xml file. This file is located in the DOMAIN_HOME/config/fmwconfig directory.
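The following is an added example, not Oracle's code: it checks a SAML assertion's Conditions window (NotBefore and NotOnOrAfter) against the receiving host's clock with a configurable skew tolerance that defaults to the same 300 seconds as agent.clock.skew, so you can see how a five-minute clock difference turns into an authentication failure. The assertion XML and timestamps are constructed for the example.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DEFAULT_CLOCK_SKEW_SECONDS = 300  # same tolerance as the agent.clock.skew default

# Constructed sample assertion (not captured from a real server). The Conditions
# element carries the validity window the service side checks before trusting it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2009-03-23T11:52:07Z" NotOnOrAfter="2009-03-23T12:22:07Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a UTC SAML timestamp such as 2009-03-23T11:52:07Z (assumed 'Z' suffix)."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_conditions(assertion_xml, now, clock_skew=DEFAULT_CLOCK_SKEW_SECONDS):
    """Return (ok, reason) for the assertion's Conditions element.

    'now' is the receiving host's clock; 'clock_skew' (seconds) widens the
    validity window on both sides to absorb small clock differences.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "assertion has no Conditions element"
    skew = dt.timedelta(seconds=clock_skew)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # NotBefore fails when the service clock lags the client by more than the skew.
    if not_before is not None and now + skew < parse_saml_time(not_before):
        return False, "NotBefore condition failed: receiver clock is behind the issuer by more than the clock skew"
    # NotOnOrAfter fails when the assertion has expired (beyond the skew).
    if not_on_or_after is not None and now - skew >= parse_saml_time(not_on_or_after):
        return False, "NotOnOrAfter condition failed: assertion has expired"
    return True, "assertion is within its validity window"
```

A receiver whose clock is two minutes behind the issuer passes; one that is six minutes behind fails on NotBefore unless agent.clock.skew is raised above 360 seconds.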

22.5.2.5 Worklist Service Timed Out or is Disabled

Problem
The Worklist service cannot obtain a query result from the Oracle SOA Suite BPEL server within a defined period.