16-4 Oracle Fusion Middleware Security and Administrators Guide for Web Services ■ Key or Credential Store Error After an Application Invokes Web Service ■ Trust Certificate Error After Application Invokes Web Service ■ SAML Assertion Error Appears During Identity Propagation ■ Policy Access Error After an Application Invokes Web Service ■ Unable to Access User in Credential Store ■ Authorization Error After an Application Invokes Web Service ■ Timestamp Error After an Application Invokes Web Service ■ Multiple Authentication Security Policy Error After an Application Invokes Web Service Unable to Connect to the Policy Manager The following errors appear when you attempt to connect the Policy Manager: ■ WSM-06157: The repository database is not configured correctly or not running. ■ WSM-06160: The policy manager application has not been deployed or is not running. ■ WSM-06161: The policy manager application has not been deployed. ■ WSM-06162: The policy manager application is not running or is not configured correctly. ■ WSM-06159: Cannot connect to the policy manager due to credential issue. Problem The problem may be: ■ The Policy Manager is down. You can determine if the Policy Manager is down as follows: ■ The state of the Policy Manager in the General area of the Oracle WSM Policy Manager home page, as described in Diagnosing Problems with Oracle WSM Policy Manager on page 16-1 is shown as shutdown. ■ The status of the wsm-pm internal application on the Farm home page in Enterprise Manager is Down, as shown in Figure 16–4 . To access the Farm home page, select Farm_em_domain in the Navigator pane, or select Home from the Farm menu in the left-hand corner of the page. Diagnosing Problems 16-5 Figure 16–4 Oracle WSM Policy Manager Shutdown Farm Page ■ An error dialog box similar to the following displays when you attempt to access the Oracle WSM policy management pages in Enterprise Manager. This error information is also written to the diagnostic log file, as described in Reviewing Sample Logs on page 16-21. Figure 16–5 Error Message—Oracle WSM Policy Manager Unavailable ■ The Policy Manager is targeted to an SSL server. Oracle Web Services Manager WSM supports an auto-discovery feature that it uses to locate and connect to an Oracle WSM Policy Manager within the same WebLogic domain. If the domain includes an SSL-configured server that has a Policy Manager deployed, the auto-discovery logic will connect to that Policy Manager and will not try to connect to any Policy Managers deployed on non-SSL servers. To ensure that the secure connection is maintained, the auto-discovery logic will not attempt to connect to a Policy Manager on a non-SSL server, even if the SSL-enabled server goes down. Therefore, even though there is a Policy Manager running, because it is running on a non-SSL enabled server, it is ignored and an error message is displayed. ■ The credential required to access the Policy Manager is invalid or is not authorized. ■ The repository may not be configured correctly. Solution If the Policy Manager is down: Restart the wsm-pm application as described in Starting and Stopping Applications in Oracle Fusion Middleware Administrators Guide. If the Policy Manager is targeted to an SSL Server: 16-6 Oracle Fusion Middleware Security and Administrators Guide for Web Services ■ Verify that the wsm-pm Policy Manager application is targeted to an SSL server. You can do so using the WebLogic Server Administration Console as described in Target an Enterprise application to a server in the Oracle WebLogic Server Administration Console Help. ■ Verify that SSL has been configured correctly and that there are no SSL certificate issues. For additional information, see Configuring Keystores for SSL on page 10-22. ■ If the SSL-enabled server is down, restart it, and the Policy Manager application, as described in Starting and Stopping Oracle Fusion Middleware in Oracle Fusion Middleware Administrators Guide. ■ If you want to use the Policy Manager on the non-SSL enabled server, untarget the Policy Manager application from the SSL-enabled server. For information about targeting applications to a server, see Managing Deployed Applications in Deploying Applications to Oracle WebLogic Server. To change the target server using the WebLogic Server Administration Console, see Change target servers in Oracle WebLogic Server Administration Console Help. If there is a credential issue when attempting to access the Policy Manager: By default, the Oracle WSM run time uses the OracleSystemUser account. If you are not using the default user accounts, you need to modify the configuration as described in Modifying the Default User on page 14-23. If there is a problem with the repository configuration: ■ Verify that the database and MDS schema are setup correctly. This configuration is performed as part of the installation process. For more information, see Oracle Fusion Middleware Repository Creation Utility Users Guide. ■ Verify that the JDBC configuration is correct. The JDBC configuration is defined when you create the domain using the Oracle Fusion Middleware Configuration Wizard. For more information, see Creating Domains Using the Configuration Wizard. Key or Credential Store Error After an Application Invokes Web Service After an application invokes a Web service, a key store or credential store error such as the following appears: ■ WSM-00056: The key alias_name is not retrieved ■ WSM-00256: The property Keystore Sign Alias is not set Problem The problem may be: ■ The alias for the signature key or encryption key in the Oracle WSM keystore configuration does not exist in the Oracle WSM keystore. ■ The signature key, encryption key, or Oracle WSM keystore password is not synchronized between the keystore file and the keystore configuration for Oracle WSM. That is, at least one of the passwords does not have identical values in both locations. Solution To verify the alias for the signature key and encryption key in the Oracle WSM keystore configuration exist in the Oracle WSM keystore file: Diagnosing Problems 16-7 1. Use Fusion Middleware Control to identify the alias for the signature key and encryption key in the Oracle WSM keystore configuration by performing the procedure in Configuring the Oracle WSM Keystore on page 10-10. 2. Verify the aliases identified in step 1 exist in the Oracle WSM keystore file. To do so, use the keytool -list command on the Oracle WSM keystore file, as described in step 4 of Generating Private Keys and Creating the Java Keystore on page 10-9. For detailed information about using the keytool utility, see the keytool - Key and Certificate Management Tool document at the following URL: http:download.oracle.comjavase6docstechnotestoolswind owskeytool.html ■ Ensure each alias is synchronized in both the keystore file and the Oracle WSM keystore configuration in the credential store. If they are not, you can edit the alias in the Oracle WSM keystore configuration by performing the procedure described in Configuring the Oracle WSM Keystore on page 10-10. You can edit the alias in the Oracle WSM keystore file using the keytool -changealias command. ■ If the alias for the signature key or encryption key does not exist in the Oracle WSM keystore file, add it as described in Generating Private Keys and Creating the Java Keystore on page 10-9. To ensure that the signature key, encryption key, and Oracle WSM keystore file passwords are each synchronized in the keystore file and the keystore configuration for Oracle WSM:

1. Use keytool to reset the passwords in the Oracle WSM keystore file. Because the

passwords are not visible, resetting them is the only method to ensure that they have identical respective values in both locations. ■ Use the keytool -storepasswd command to reset the Oracle WSM keystore file password. ■ Use the keytool -keypasswd command to reset the signature key password and encryption key password. Note: If you are unable to locate the document at the above URL, you can access it by searching for it on the Search Java SE Technical Documentation Web page at: http:download.oracle.comjavasesearch.html Note: Before you edit an alias, be sure that doing so will not affect any other Web service. Note: If you make any changes to the Oracle WSM keystore file using keytool, you must restart all Managed Servers in the domain. Note: After resetting passwords in the Oracle WSM keystore file using keytool, you must restart all Managed Servers in the domain. 16-8 Oracle Fusion Middleware Security and Administrators Guide for Web Services 2. Use Fusion Middleware Control to reset the passwords in the Oracle WSM keystore configuration to the same respective values you set in step 1, as described in Configuring the Oracle WSM Keystore on page 10-10. Trust Certificate Error After Application Invokes Web Service After an application invokes a Web service, a trust certificate error such as the following appears: WSM-00138: The path to the certificate is invalid due to exception Problem The problem may be, if the Web service is advertising its certificate in the Web Services Description Language WSDL, the client may not be configured correctly to trust that certificate or its issuer. Solution To verify the client is configured to trust the Web services certificate advertised in the WSDL or its issuer: 1. Verify the client keystore has either the certificate of the Web service or the certificate of its issuer. Use the keytool –list command to identify the certificates in the client keystore. If either of the certificates is missing from the client keystore, use the keytool –importcert command to add them. Refer to the keytool - Key and Certificate Management Tool document on the Java SE Technical Documentation Web site for more information about using keytool. You can access this document at the following URL: http:download.oracle.comjavase6docstechnotestoolswind owskeytool.html 2. If the certificate is not published in the service’s WSDL, verify that the value for the keystore.recipient.alias override property of the client policy is identical to the alias of the certificate in the Oracle WSM keystore file. For more information, see Attaching Client Policies Permitting Overrides on page 8-21. SAML Assertion Error Appears During Identity Propagation After an application attempts to propagate a user’s identity by calling a different application using Oracle SOA, InvalidSecurityToken, FailedAuthentication, and SAML assertion issuer related errors appear. Problem The problem may be: ■ The SAML issuer name for the SAML token is not configured or is configured incorrectly. ■ The subject.precedence configuration override is set incorrectly. ■ A user is not logged in on the client. The following error is a symptom of this problem: Diagnosing Problems 16-9 WSM-00263: Failed to create SAML token as anonymous user principal found in Subject Solution To troubleshoot the SAML issuer name configuration: Verify that the SAML Issuer Name that the client is using is among the issuers configured in the Oracle WebLogic Server domain. To do so, perform the steps described in Adding an Additional SAML Assertion Issuer Name on page 10-47. If the SAML Issuer Name that the client is using is not configured as an issuer in the Oracle WebLogic Server domain, Oracle recommends changing the issuer name on the client by updating its saml.issuer.name override to one of the issuers configured in the domain. If you cannot change the issuer name on the client, you can add its issuer name to the Oracle WebLogic Server domain by performing the steps in the Adding an Additional SAML Assertion Issuer Name on page 10-47. To troubleshoot the subject.precedence configuration override: 1. Set the subject.precedence override value in your current client policy to false to change the identity to a different user. By default, the subject.precedence override is set to true. 2. Set the appropriate Credential Store Framework key override on the client policy that contains the user name and password of the user you want to send to the service. If an entry for this user does not exist in the Credential Store Framework, you must add it. For more information, see Configuring the Credential Store on page 10-16 3. Ensure the appropriate Web Services Identity Permission is set for the client application by performing the steps in Configuring SAML Web Service Clients for Identity Switching on page 10-47. If you encountered the WSM-00263: Failed to create SAML token as anonymous user principal found in Subject error: Ensure the client has been authenticated before invoking the Web service. If the Web service is invoked from a Web application, ensure that you have logged into the Web application as an authenticated user, not as a guest user. Policy Access Error After an Application Invokes Web Service After an application attempts to invoke a Web service, a policy access error such as the following appears: ■ WSM-06156: The policy URI is missing, empty or contains invalid characters. ■ WSM-06158: The referenced policy does not exist in the repository. ■ WSM-02017: The document was not found in the repository. Note: If you make any changes to the issuers configured in the Oracle WebLogic Server domain, you must restart the Managed Server where Oracle WSM is deployed. 16-10 Oracle Fusion Middleware Security and Administrators Guide for Web Services Problem The problem may be: ■ The policy URI is missing or the policy name is misspelled. ■ The Policy Manager is down ■ The policy does not exist in the repository ■ The policy attachment is not in effect due to a cache delay. Solution To diagnose and solve policy access issues: 1. Verify that the Policy Manager is running as described in Diagnosing Problems with Oracle WSM Policy Manager on page 16-1 and Unable to Connect to the Policy Manager on page 16-4. 2. Verify that the mds-owsm datasource connection is reachable and available. For more information, see Understanding and Managing Data Sources in Oracle Fusion Middleware Administrators Guide. 3. Verify that the policy exists in the Oracle WSM repository by viewing the contents of the repository using the Policy Manager Validator page. For details about accessing the Validator page and viewing the contents of the repository, see Diagnosing Problems with Oracle WSM Policy Manager on page 16-1. 4. If the policy exists in the repository, verify that the policy URI is consistent with the policy URI in the repository. 5. If the policy does not exist in the Oracle WSM repository, do one of the following: ■ For predefined policies: – Verify that the repository has been upgraded with all of the latest predefined policies using the upgradeWSMPolicyRepository command as described in Upgrading the Oracle WSM Policies in the Repository on page 17-6. – Reset the contents of the repository using the resetWSMPolicyRepository command as described in Rebuilding the Oracle WSM Repository on page 17-8. ■ For a custom policy: – Import it into the repository as described in Importing Web Service Policies on page 7-7. For information on creating a custom policy, see Creating Web Service Policies on page 7-4. 6. Check if the user is in a role that has the right permission granted. To modify any roles or permissions, refer to Modify the User’s Group or Role on page 14-25. 7. Verify the policy accessor and cache delay. The amount of time it takes for a policy attachment to take effect is determined by the Oracle WSM policy accessor and policy cache property settings. By default, this delay can be up to a maximum of 11 minutes. To reduce the amount of the delay, if necessary, you can tune the following cache property settings: ■ Policy Accessor cache.refresh.initial, default 600000 milliseconds 10 minutes cache.refresh.repeat, default 600000 milliseconds 10 minutes