You can troubleshoot common problems when deploying the
patterns in the IBM® SOA
Policy Gateway Pattern.
Failure to connect to DataPower during deployment
Try
the following solutions:
- Check with the DataPower® Administrator
that the user and password are valid:
- In DataPower, validate
the user exists by going to .
- Check that the account exists.
- Check that user is privileged to use the XML Management Interface;
for example, the system admin.
- The DataPower Administrator
might need to check if the user account is enabled in the user agent
settings; for example, the Basic Authentication Settings.
- Check that the DataPower Host
Name is correct
- Check that the DataPower XML
Management Interface is enabled.
- Review the SSL Connection Failure steps below to validate that
the Certificates are correctly installed both in the DomainZipFile.zip and
on the DataPower appliance.
Troubleshooting failure of Mutual Authentication client
authentication
Try the following solutions:
- Check that the correct certificates were in the DomainZipFile.zip.
- Check that the Crytpo Profile on the XML Management Interface
Port has Validation Credentials with all the certificates in the Chain.
- Check that the passwords for the Client Public Key and Client
Public Certificate are correct.
Troubleshooting failure of server authentication
Try
the following solutions:
- Check that all of the certificates in the chain are present in
the yourDataPowerHostName directory
of the DominZipFile.zip file you are using.
- Check that the SSL Proxy Profile has a reverse crypto profile
that contains the Identification Credentials with the Certificate
Chain.
Troubleshooting an error for the domain already existing
Try
the following solution:
- On the DataPower Control
Panel, open the Application Domains. Check if the Domain already exists.
Troubleshooting a port overlap error for the sample
application
If one of the sample services is unavailable, check
if the ports in your domain conflict with other domains.
Try the
following solutions:
- Sign into DataPower and
switch to the sample domain. Then, open the Control Panel and click
the XML Firewall icon. Check that the XML Firewalls are all in Up
state.
- Search for HTTP Front Side Handler. Check that the single HTTP
Front Side handler is in Up state.
Troubleshooting the failure to connect to an SCP
Try
the following solutions:
- Check that the SCP Host name is correct.
- Check that the SCP user is correct.
- Check that the SCP password is correct.
- Manually test the SCP from a Node in the IBM Workload
Deployer or IBM PureApplication
System environment
with the supplied information.
Troubleshooting the failure to retrieve the DomainZipFile.zip file
from SCP or debug missing artifacts
Try the following solutions:
- Check that the DomainZipFile.zip exists in
the URI.
- Check that the file mentioned in the log failure exists in the
correct location in the DomainZipFile.zip file.
In particular, ensure that the certificates required are located in
the correct directory.
Troubleshooting promotion failure
There are
many problems that can arise in a promotion including failure to connect
to Governance Master during deployment.
Try the following solutions:
- Check the parameters:
- Check the user of the Governance Master WSRRCELL.
- Check the password for the user of the Governance Master WSRR
Cell.
- Check the host name of the WSRR Governance Master Cell.
- Check the CELL name of the WSRR Governance Master Cell.
- Check the signer certificate exchange:
- Go to the Cell Default Trust Store of the Governance Master cell
and make sure that there is a certificate entry for the Dmgr or the
Standalone server of the runtime environment, SOA Policy Gateway Basic Runtime or SOA Policy Gateway Advanced Runtime,
exist.
- Go to each Runtime Environment, SOA Policy Gateway Basic Runtime or SOA Policy Gateway Advanced Runtime,
and check the CellDefaultTrust store (for the ND environment case)
or the NodeDefaultTrustStore (for WSRR Standalone servers) to make
sure that there is a certificate for the Dmgr of the Governance Master.
- Export the LTPA keys from both cells using the same password,
and check that they are the same (for example, the bytes).
- Make sure that the promotion properties file contains server sections
with the appropriate host and port, and user and password information.
This Information can be found in the ServiceRegistry console for the
Governance Master:
- Go to the GovernanceMasterDMgrHost or ServiceRegistry and switch
to the Configurations perspective. In the Actions section, find Promotion and
open the promotion properties file. For each environment there should
be XML elements for each server in the staging WSRR node or cluster.
If a production cluster or node exists, there should be server:port
entries for each, and in addition there should be user and password
information.
- Check that the Service Version and SOAP Endpoint both have Classification
for staging and Production.
- In the Service Registry Console, select the SOA Governance perspective.
Open the Service Version, and select the Classifications tab. Staging
and Production must be enabled.
Troubleshooting customized CLI failures
Try
the following solutions:
- Check the defaultLog for error messages in the DataPower Domain.
- Enable the CLI debugging and check those logs prior to any additional
runs of the CLI.
Troubleshooting SSL failures due to missing DataPower certificates
If
the correct hostname for your DataPower Certificates
directory was not provided in the DomainZipFile.zip file,
the script packages will fail to connect to the WSRR Server if Mutual
or Server Authentication is enabled on the DataPower host.
Troubleshooting WSRR/DataPower connection issues
If
you see that the status of the WSDL in a Web Service Proxy is in Down
or Synchronizing state that never changes to Okay, check the following:
- Check that the Crypto Certificate is valid for the WSRR Server
(WSRRSVR).
- Check that DataPower has
the correct DNS set up to recognize the Hostname of the WSRR Server
or Dmgr.
- If the DNS is incorrect, a temporary work around is to change
the URL in the WSRR Server definition to point directly to the IP
by substituting the IP for the HostName in the URL.
- Go to the WSRR Subscription and do a manual synchronize:
- Check the default.log for errors related
to the connectivity of the WSRR Server.
- Make sure that the certificates required match those in the Identification
Credentials for the Crypto Profile of the DataPower Appliances XMLManagement Interface
SSL Proxy Profile.