16-10 Oracle Fusion Middleware Security and Administrators Guide for Web Services Problem The problem may be: ■ The policy URI is missing or the policy name is misspelled. ■ The Policy Manager is down ■ The policy does not exist in the repository ■ The policy attachment is not in effect due to a cache delay. Solution To diagnose and solve policy access issues: 1. Verify that the Policy Manager is running as described in Diagnosing Problems with Oracle WSM Policy Manager on page 16-1 and Unable to Connect to the Policy Manager on page 16-4. 2. Verify that the mds-owsm datasource connection is reachable and available. For more information, see Understanding and Managing Data Sources in Oracle Fusion Middleware Administrators Guide. 3. Verify that the policy exists in the Oracle WSM repository by viewing the contents of the repository using the Policy Manager Validator page. For details about accessing the Validator page and viewing the contents of the repository, see Diagnosing Problems with Oracle WSM Policy Manager on page 16-1. 4. If the policy exists in the repository, verify that the policy URI is consistent with the policy URI in the repository. 5. If the policy does not exist in the Oracle WSM repository, do one of the following: ■ For predefined policies: – Verify that the repository has been upgraded with all of the latest predefined policies using the upgradeWSMPolicyRepository command as described in Upgrading the Oracle WSM Policies in the Repository on page 17-6. – Reset the contents of the repository using the resetWSMPolicyRepository command as described in Rebuilding the Oracle WSM Repository on page 17-8. ■ For a custom policy: – Import it into the repository as described in Importing Web Service Policies on page 7-7. For information on creating a custom policy, see Creating Web Service Policies on page 7-4. 6. Check if the user is in a role that has the right permission granted. To modify any roles or permissions, refer to Modify the User’s Group or Role on page 14-25. 7. Verify the policy accessor and cache delay. The amount of time it takes for a policy attachment to take effect is determined by the Oracle WSM policy accessor and policy cache property settings. By default, this delay can be up to a maximum of 11 minutes. To reduce the amount of the delay, if necessary, you can tune the following cache property settings: ■ Policy Accessor cache.refresh.initial, default 600000 milliseconds 10 minutes cache.refresh.repeat, default 600000 milliseconds 10 minutes Diagnosing Problems 16-11 ■ Policy Cache cache.tolerance, default is 60000 milliseconds 1 minute For details about tuning these properties, see Configuring Platform Policy Properties on page 14-15. Unable to Access User in Credential Store When Oracle WSM attempts to access a user in the credential store, an error such as the following occurs: WSM-00015: The user name is missing Problem Oracle WSM cannot locate the user name in the credential store. This can be caused by any of the following: ■ The credential map oracle.wsm.security does not exist in the credential store. ■ The user is not listed in the map used by Oracle WSM. ■ The csf key for the entry does not exist in the credential store. Solution Verify that the credential map oracle.wsm.security exists in the credential store. Oracle WSM only reads from this credential store map. To determine if the oracle.wsm.security credential map exists in the credential store, refer to the procedure in Configuring the Credential Store on page 10-16. If your application uses a credential map other than oracle.wsm.security, ensure that any users that Oracle OWSM needs to access are duplicated in the oracle.wsm.security credential map. Authorization Error After an Application Invokes Web Service After an application attempts to invoke a Web service, an error such as the following appears: java.security.AccessControlException: access denied oracle.wsm.security.WSFunctionPermission Problem Generally this is not really a problem rather intended behavior; that is, the system was unable to authorize the user for the action that the user is attempting. To debug check the calling server diagnostic log for the authorization error. The error may look similar to the following: 2011-01-06T22:15:43.691-08:00] [SalesServer_2] [ERROR] [] [oracle.jbo.server.svc.ServicePermissionCheckInterceptor_w2f8f5_Impl] [tid: [ACTIVE].ExecuteThread: 7 for queue: weblogic.kernel.Default self-tuning] [userId: FMW_APPS_CRM_SELFSERVICE_ADF_APPID] [ecid: 004aIPwzJDGE8TQRyaI7T00001WJ00EJ8f,0:1:3:1:11:0x5f5e189:6:1] [WEBSERVICE_PORT.name: PartnerServiceSoapHttpPort] [APP: SalesAppV2.0] [J2EE_MODULE.name: partnerCenterCorePublicModel] [WEBSERVICE.name: PartnerService] [J2EE_APP.name: SalesApp_V2.0] [URI: partnerCenterCorePublicModelPartnerService] [[ java.security.AccessControlException: access denied oracle.wsm.security.WSFunctionPermission 16-12 Oracle Fusion Middleware Security and Administrators Guide for Web Services http:xmlns.oracle.comappspartnerMgmtpartnerCenterPartnerServiceupdatePartne r invoke at java.security.AccessControlContext.checkPermissionAccessControlContext.java:323 at java.security.AccessController.checkPermissionAccessController.java:546 at oracle.jbo.server.svc.ServicePermissionCheckInterceptor.checkPermissionServicePer missionCheckInterceptor.java:103 at sun.reflect.NativeMethodAccessorImpl.invoke0Native Method Solution Pay careful attention to the following information in the log, which is shown in bold text in the example above. 1. The application stripe name – which is SalesAppV2.0 in the above log. Make sure it matches what you configured for your application. For information about how to configure the stripe name, see Configuring the Servlet Filter and the EJB Interceptor in Oracle Fusion Middleware Application Security Guide. 2. The permission grant, which is comprised of the following: a. Resource name , which is http:xmlns.oracle.comappspartnerMgmtpartnerCenterPar tnerServiceupdatePartner in the above log. b. Action, which is invoke in the above log. Both of these pieces of information must be specified correctly in your permission grant. For more information, see How Authorization Permissions Are Determined on page 11-61. If your application uses an LDAP-based authenticator and stores all roles in the LDAP, ensure that Oracle WSM can access the users and roles as described in Modifying the Default User on page 14-23. Timestamp Error After an Application Invokes Web Service After an application invokes a Web service, a timestamp or clockSkew error such as the following occurs: WSM-00060: Error validating timestamp Problem The problem will either manifest itself as a timestamp validation or clockSkew error as shown below: Caused By: FAULT CODE: InvalidSecurityToken FAULT MESSAGE: Found invalid condition on or after in SAML assertion. Current Time:Fri Feb 11 22:16:42 IST 2011, clockSkew:300000 milli seconds, NotOnOrAfter Time:Fri Feb 11 14:21:42 IST 2011. This problem usually happens if your server and client clocks are more than five minutes apart after they are converted to the same time zone. Solution Change your client or server clock in one of the following ways so that they are within five minutes, both set to the correct time: Diagnosing Problems 16-13 ■ Adjust the clockSkew as described in Tuning Web Service Security Policy Enforcement on page 14-20. ■ Set the system clock ■ Use an ntp server to maintain the time Multiple Authentication Security Policy Error After an Application Invokes Web Service After an application invokes a Web service, a multiple authentication policy error such as the following appears: WSM-01778: Attaching multiple authentication security policies is not supported. Only one authentication security policy can be attached to a policy subject. Problem More than one authentication policy was attached to a subject. This can happen if you have two policy sets that each attach an authentication policy to the same resource type, such as a Web service. For example, if you have two policy sets defined in the Oracle WSM repository for your domain and one defines the policy scope as Domaindomain_name and the other as Domain . The following listing illustrates an example of this scenario. wls:soa_domainserverConfig displayPolicySetdefault-domain-ws-domain_gpa Policy Set Details: Name: default-domain-ws-domain_gpa Type of Resources: Web Service Endpoint Scope of Resources: Domainfusion_domain_gpa Description: Global policy attachments for Web Service Endpoint resources. Enabled: true Policy Reference: security : oraclewss_saml_or_username_token_service_policy, enabled=true wls:soa_domainserverConfig displayPolicySetdefault-domain-ws-domain Policy Set Details: Name: default-domain-ws-domain Type of Resources: Web Service Endpoint Scope of Resources: Domain Description: Global policy attachments for Web Service Endpoint resources. Enabled: true Policy Reference: security : oraclewss_saml_or_username_token_service_policy, enabled=true. In this example, there are two policy sets with different names pointing to same resource type on the domain. Solution To verify if you have multiple policy sets attempting to attach authentication policies: 1. Use the listPolicySets command to display a list of the policy sets in the domain. For more information about this command, see Displaying a List of Policy Sets Using WLST on page 9-2. 2. Use the displayPolicySet command to view the contents of each of the policy sets and view the attached policies and the type and scope of resources. For 16-14 Oracle Fusion Middleware Security and Administrators Guide for Web Services information about using this command, see Viewing the Configuration of a Policy Set , Using WLST on page 9-3. 3. If a conflict is found, do one of the following: ■ Delete one of the policy sets as described in Deleting a Policy Set on page 9-17. ■ Disable one of the policy sets as described in Enabling and Disabling a Policy Set on page 9-15. Diagnosing Policy Attachment Issues Using WLST To ensure that there are no conflicts between directly-attached policies and policies attached globally using policy sets, use the following WLST commands: ■ listWebServices detail=true — Displays a list of the Web services in a domain including endpoint configuration, the effective set of policies attached to each endpoint, the secure status of the endpoint, and if the endpoint has a valid configuration. For information about using this command, see Viewing the Web Services in a Domain Using WLST on page 6-2. ■ listWebServiceClients detail=true — Displays a list of the Web service clients in a domain including endpoint configuration, the effective set of policies attached to each endpoint, the secure status of the endpoint, and if the endpoint has a valid configuration. For information about using this command, see Viewing Web Service Clients , Using WLST on page 6-10 If your configuration includes policies attached globally using policy sets, you can view information about the policy sets using the following commands: ■ listPolicySets — Displays a list of the policy sets in the repository. For information about using this command, see Displaying a List of Policy Sets Using WLST on page 9-2. ■ displayPolicySet — Displays the configuration of a specific policy set. For information about using this command, see Viewing the Configuration of a Policy Set , Using WLST on page 9-3. To view the effective policies for an endpoint using Fusion Middleware Control, see Viewing the Policies That are Attached to a Web Service on page 8-1. Sample Valid Configuration Output with Globally Attached Policies The following example shows sample output from the listWebServicesdetail=true command for a valid configuration. The globally attached policy is shown in bold text. jrfServer_domainjrfServerjaxws-sut-no-policy: moduleName=jaxws-service, moduleType=web, serviceName=TestService enableTestPage: true enableWSDL: true TestPort http:host.oracle.com:1234jaxws-serviceTestService enable: true enableREST: false Note: An endpoint is considered secure if the policies attached to it either directly, or externally using a policy set enforce authentication, authorization, or message protection behaviors. Diagnosing Problems 16-15 enableSOAP: true maxRequestSize: -1 loggingLevel: NULL global security: oraclewss11_message_protection_service_policy, enabled=true policysetsglobalall-domains-default-web-service-policies: Domain Attached policy or policies are valid; endpoint is secure. Sample Valid Configuration Output with Directly Attached Policies Only The following example shows sample output from the listWebServicesdetail=true command for a valid configuration. The directly attached policy is shown in bold text. jrfServer_domainjrfServerjaxws-sut: moduleName=jaxws-sut-service, moduleType=web, serviceName=TestService enableTestPage: true enableWSDL: true TestPort http:host.oracle.com:1234jaxws-sut-serviceTestService enable: true enableREST: false enableSOAP: true maxRequestSize: -1 loggingLevel: NULL management: oraclelog_policy, enabled=true security: oraclewss_username_token_service_policy, enabled=true Attached policy or policies are valid; endpoint is secure. Diagnosing Problems Using Logs Oracle Fusion Middleware components, including Web services, generate log files containing messages that record all types of events, including startup and shutdown information, errors, warning messages, access information on HTTP requests, and so on. Each log message includes specific information such as time, component ID, and user to assist you in pinpointing and diagnosing problems that arise. You can review log messages to diagnose problems with specific components, such as Web services. There are two categories of log files that you can reference to assist in diagnosing problems with Web services: ■ Diagnostic logs —Enable you to access diagnostic data about specific feature components in Oracle Fusion Middleware. For more information, see Using Diagnostic Logs for Web Services on page 16-16. There is a set of predefined diagnostic loggers. You can configure your own diagnostic logger, as described in Configuring Log Files for a Web Service on page 16-23. ■ Message logs —Enable you to view elements of the SOAP message request. You control message log creation using policies. For more information, see Using Message Logs for Web Services on page 16-20. For more information about logging in Oracle Fusion Middleware, see Managing Log Files and Diagnostic Data in Oracle Fusion Middleware Administrators Guide. The following sections describe how to use diagnostic and message logs to diagnose problems. A set of sample logs is provided at the end of this section. 16-16 Oracle Fusion Middleware Security and Administrators Guide for Web Services ■ Using Diagnostic Logs for Web Services ■ Using Message Logs for Web Services ■ Reviewing Sample Logs Using Diagnostic Logs for Web Services Diagnostic logs enable you to access diagnostic data about specific feature components in Oracle Fusion Middleware. The following sections describe how to view and manage diagnostic log files: ■ Setting the Log Level for Diagnostic Logs ■ Viewing Diagnostic Logs ■ Filtering Diagnostic Logs ■ Logging Oracle WSM Debug Messages Setting the Log Level for Diagnostic Logs You set the logging level for Web service and Oracle WSM components at the WebLogic Server level, using the Log Configuration page. In addition, you can override the log levels set at the server level for a specific Web service endpoint from the Web Service Endpoint page. The logging level set at the Web service endpoint level must be finer grained than the level set at the WebLogic Server level. Otherwise, the logging level set at the WebLogic Server level will be used. The following procedures describe how to set the log level for diagnostic logs at the WebLogic Server and Web service endpoint levels. For more information, see Setting the Level of Information Written to Log Files in Oracle Fusion Middleware Administrators Guide. To set the log level for diagnostics logs at the WebLogic Server level: 1. Navigate to the WebLogic Server for which you want to configure a logger.

a. In the navigator pane, expand WebLogic Domain.

b. Expand the domain. c. Select the desired server from the list. The WebLogic Server home page is displayed.

2. From the WebLogic Sever menu, select Logs Log Configuration.

The Log Configuration page is displayed.

3. Select the Log Levels tab.

The list of loggers is displayed, as shown in Figure 16–6 . The Log Levels page shows the name of the logger, the current logging level, which you can edit, and the associated log file for example, olh-handler. For information about configuring the log files, see Configuring Log Files for a Web Service on page 16-23. Diagnosing Problems 16-17 Figure 16–6 Log Levels Page

4. Expand Root Logger.

5. Expand oracle.

6. Set the logging level for one or more of the following components:

■ oracle.webservices—Web service components. ■ oracle.wsm—Oracle WSM components. You can fine tune the logging level by expanding either of the above components and specifying the logging level at the subcomponent level. To change the logging level for a logger, navigate to the logger in the Logger Name column and select the desired logging level from the Oracle Diagnostic Logging Level Java Level dropdown menu. For example, select TRACE:32 from the dropdown menu associated with the oracle.wsm logger. By default, the logging levels are inherited from the parent and set to NOTIFICATION: 1 INFO for the Web service and Oracle WSM components and subcomponents.

7. Click Apply to store the new logging level.

To set the log level for diagnostic logs at the Web service endpoint level: 1. Navigate to the Web Service Endpoint page, as described in Viewing the Details for a Web Service Endpoint on page 6-7.

2. Click the Configuration tab.

16-18 Oracle Fusion Middleware Security and Administrators Guide for Web Services

3. Set the Logging Level field to one of the following settings: Severe, Warning,

Information, Configuration, Fine, Finer, Finest or NULL. Viewing Diagnostic Logs You can view the diagnostic log files for an ADF and WebCenter Web service endpoint from the Log Messages page. To view diagnostic logs for a Web service endpoint: Navigate to the Web Service Endpoint page, as described in Viewing the Details for a Web Service Endpoint on page 6-7, and in the Quick Links section of the Web Services Endpoint page top right, click Diagnostic Logs. The Log Messages page is displayed, as shown in the following figure. Figure 16–7 Log Messages Page Click on a message in the message area to view more details at the bottom of the page. If desired, you can export a message to a text, XML, or CSV file by selecting the messages on the list and clicking Export Messages to File. You can control the message content displayed using the following controls: ■ Search —Modify the search criteria. For more information, see Filtering Diagnostic Logs on page 16-19. Note: You can also set the log level at the Web service endpoint using the setWebServiceConfiguration WLST command. Set the loggingLevel property of the itemProperties argument to one of the following settings: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, or NULL. For details about using this command, see Using WLST in Configuring the Web Service Endpoint on page 6-12. Note: You can view a summary of all faults incurred by the Web services in your application. For more information, see Monitoring the Performance of Web Services on page 13-1. Diagnosing Problems 16-19 ■ View menu —Select the columns to display in the table. Click on a particular column to sort contents up or down. ■ Show menu —Group messages by type or ID, or view them in chronological order. ■ View Related Messages —View messages related to those selected on the list. ■ Broaden Target Scope —Broaden the scope of messages displayed. You can broaden the scope to include all messages for the domain, WebLogic Server, or Farm. ■ Refresh menu —Specify an automatic or manual refresh rate. To view the contents of a generated log file: ■ Click the log file icon associated with a message to view the contents of that log file. ■ Click Target Log Files... to display the Log Files page and view or download the contents of all generated log files. For more information, see Viewing and Searching Log Files in Oracle Fusion Middleware Administrators Guide. Filtering Diagnostic Logs By default, the Log Messages page displays a summary of diagnostic messages logged over the last hour. To filter diagnostic logs: 1. Filter the messages that are displayed by updating the search criteria using the following fields: ■ Date Range —Set the date range to one of the following: – Most Recent—Set the amount of time to define the duration. – Time Interval—Set the start and end dates to define the interval. ■ Message Types —Select the message types that you want to display. ■ Add Fields —Add other message fields to your search criteria, such as Message ID, Component, and so on.

2. Click Search once you have set the fields, as desired.

The messages area is updated with the filtered results. For more information, see Viewing and Searching Log Files in Oracle Fusion Middleware Administrators Guide. Logging Oracle WSM Debug Messages To debug Oracle WSM, pass one of the following properties when starting WebLogic Server, as required. For more information, see Starting and Stopping Servers in Managing Server Startup and Shutdown for Oracle WebLogic Server. Note: Enabling one or more of these properties may negatively impact performance for very large messages. When enabled, Oracle WSM creates temporary buffers which will result in additional load on the Java garbage collector.