Monday, August 27, 2012

OWSM Security Errors

Problem
You have just started using OWSM 11g and you are testing out a policy, but you start to get a whole bunch of errors.
Like this one:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header/>
   <env:Body>
      <env:Fault xmlns:ns0="http://schemas.oracle.com/owsm/policy-enforcement-2007-06">
         <faultcode>ns0:GenericFault</faultcode>
         <faultstring>GenericFault : generic error</faultstring>
         <faultactor/>
      </env:Fault>
   </env:Body>
</env:Envelope>
Or this one:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header/>
   <env:Body>
      <env:Fault xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <faultcode>ns0:FailedCheck</faultcode>
         <faultstring>FailedCheck : failure in security check</faultstring>
         <faultactor/>
      </env:Fault>
   </env:Body>
</env:Envelope>


Analysis
These errors have two main sources. The former (GenericFault) is typically a configuration issue with your overall OWSM system. The latter (FailedCheck) means that either something is missing from the payload or that a specific policy has been configured differently than the client expects.

The first place to look for all of these errors is the diagnostic log, located at:
<middleware_home>\user_projects\domains\<domain>\servers\<server>\logs\soa_server1-diagnostic.log

In the log, the underlying cause looks like this:

Caused by: java.io.FileNotFoundException: D:\Oracle\Middleware\user_projects\domains\local_domain\config\fmwconfig\default-keystore.jks

...
Caused by: oracle.wsm.common.sdk.WSMException: GenericFault : generic error
    at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.initialize(SecurityScenarioExecutor.java:489)
    at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.init(SecurityScenarioExecutor.java:312)
    at oracle.wsm.security.policy.scenario.executor.Wss11UsernameWithCertsScenarioExecutor.init(Wss11UsernameWithCertsScenarioExecutor.java:113)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:256)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:279)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.init(WSPolicyRuntimeExecutor.java:162)
    at oracle.wsm.policyengine.impl.PolicyExecutionEngine.getPolicyExecutor(PolicyExecutionEngine.java:137)
    at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:101)
    at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:975)
    at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:460)
    at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:94)
    ... 34 more
Or this:
Caused by: oracle.wsm.security.policy.scenario.policycompliance.PolicyComplianceException: WSM-00092 : The <EncryptedKey> element is missing in the request.
    at oracle.wsm.security.policy.scenario.policycompliance.impl.ComplianceEngine.preDecryptionCompliance(ComplianceEngine.java:223)
    at oracle.wsm.security.policy.scenario.policycompliance.impl.ComplianceEngine.checkCompliance(ComplianceEngine.java:385)
    at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verifyRequest(Wss11X509TokenProcessor.java:877)
    at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:839)

This particular error is common with oracle/wss11_username_token_with_message_protection_service_policy, because that policy uses symmetric signing and encryption. If that is what you intend, verify that the client is actually encrypting the message to the endpoint. If you want asymmetric signing and encryption instead, model your policy on oracle/wss10_username_token_with_message_protection_service_policy.
UPDATE: For more information, take a look at 1478750.1.
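As an added example (not code from the original post or from Oracle), here is a small Python helper that applies the post's rule of thumb to a diagnostic log: each "Caused by:" line is sorted into the configuration bucket (FileNotFoundException, GenericFault) or the payload/policy bucket (WSM-000xx missing-element messages, FailedCheck). The regular expressions and the sample log text are assumptions built from the traces quoted above.

```python
import re

# Rules are assumptions modelled on the two traces quoted in the post:
# configuration problems surface as GenericFault, payload/policy mismatches as FailedCheck.
CONFIG_RULES = [
    (re.compile(r"java\.io\.FileNotFoundException: (\S+)"), "missing file: {0}"),
    (re.compile(r"WSMException: GenericFault"), "GenericFault from policy executor init"),
]
PAYLOAD_RULES = [
    (re.compile(r"(WSM-\d+) : The <(\w+)> element is missing"), "{0}: request lacks <{1}>"),
    (re.compile(r"FailedCheck"), "FailedCheck: request does not satisfy the attached policy"),
]

def classify(line):
    """Classify one 'Caused by:' line as ('configuration'|'payload'|'unknown', detail).

    Returns None for any other line, so stack frames ('at ...') are skipped.
    """
    if not line.lstrip().startswith("Caused by:"):
        return None
    for rules, category in ((CONFIG_RULES, "configuration"), (PAYLOAD_RULES, "payload")):
        for pattern, template in rules:
            m = pattern.search(line)
            if m:
                return category, template.format(*m.groups())
    return "unknown", line.split("Caused by:", 1)[1].strip()

def triage(log_text):
    """Return the findings for a whole log, in log order, one per 'Caused by:' line."""
    return [c for c in (classify(l) for l in log_text.splitlines()) if c]

# Constructed sample log, reusing the messages shown in the post.
SAMPLE_LOG = """\
Caused by: java.io.FileNotFoundException: D:\\Oracle\\Middleware\\user_projects\\domains\\local_domain\\config\\fmwconfig\\default-keystore.jks
Caused by: oracle.wsm.common.sdk.WSMException: GenericFault : generic error
    at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.initialize(SecurityScenarioExecutor.java:489)
Caused by: oracle.wsm.security.policy.scenario.policycompliance.PolicyComplianceException: WSM-00092 : The <EncryptedKey> element is missing in the request.
    at oracle.wsm.security.policy.scenario.policycompliance.impl.ComplianceEngine.preDecryptionCompliance(ComplianceEngine.java:223)
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:14s} {detail}")
```

Run it against the real soa_server1-diagnostic.log (or any file you read into a string) to get a first pass at which of the two buckets each failure falls into.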

Comments and questions are welcome.