Troubleshooting Web services security is best done by reviewing the configurations with assembly tools so that you can match up the client and server request and response configurations. These configurations must match. A client request sender configuration must match a server request receiver configuration. For encryption to succeed, the public key of the receiver must be exported to the sender and this key must be configured properly in the encryption information. For authentication, you must specify the method used by the client in the login mapping of the server. Also, you must specify the actor URI at each point in the configuration with the same URI string. The following is a list of generic troubleshooting steps that you can perform.
Steps for this task
Type the previous three lines as one continuous line.
Errors when securing Web services
"CWWSI5061E: The SOAP Body is not signed" error message displays
Solution:
This error usually occurs when the SOAP security handler does not load properly and therefore does not sign the SOAP body. The SOAP security handler is typically the first validation that occurs on the server side, so a multitude of problems can cause this message to display. The error might be caused by invalid actor URI configurations. You can configure the actor Uniform Resource Identifier (URI) at the following locations within the assembly tool:
The actor information on both the client and the server must refer to the same string. When the actor fields on the client and the server match, the request or response is acted upon instead of being forwarded downstream. The actor fields might be different when you have Web services acting as a gateway to other Web services. However, in all other cases, verify that the actor information matches on the client and server. When the Web services implementation is acting as a gateway and it does not have the same actor configured as the request passing through the gateway, this Web services implementation does not process the message from the client. Instead, it sends the request downstream. The downstream process that contains the correct actor string processes the request. The same situation occurs for the response. Therefore, it is important that you verify that the appropriate client and server actor fields are synchronized.
Additionally, the error can appear when you do not specify that the body is signed in the client configuration. To sign the body part of the message using the Web service client editor in the assembly tool, click Security Extensions > Request Sender Configuration > Integrity and select the message parts to sign.
"CWWSI5075E: No security token found that satisfies any one of the authentication methods" error message displays
Verify that the client and server login configuration information matches in the security extensions. Also, verify that the client has a valid login binding and that the server has a valid login mapping in the security bindings. You can check this information by looking at the following locations in the assembly tool:
Also, make sure that the actor URI specified on the client and server matches. You can configure the actor URI at the following locations within the assembly tool:
"CWWSI5094E: No UsernameToken of trusted user was found or the login failed for the user while the TrustMode is BasicAuth" error message displays
Solution:
"CWSCJ0053E: Authorization failed for /UNAUTHENTICATED..." error message displays
The following authorization error occurs with UNAUTHENTICATED as the security name: CWSCJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Home)com/ibm/wssvt/tc/pli/ejb/Beneficiary findBeneficiaryBySsNo(java.lang.String):2 securityName: /UNAUTHENTICATED;accessID: null is not granted any of the required roles: AgentRole
This situation occurs when no login configuration is specified, or when Web services security is not configured between the client and the server. When the request arrives at the server and no authentication information is received, the UNAUTHENTICATED user is set on the thread. Authorization returns this error if any roles are assigned to the resource other than the special "Everyone" role, which grants access to anyone.
"WSWS3243I: Info: Mapping Exception to WebServicesFault." error message is displayed when you specify the value type local name and the URI for a token consumer or the token generator
"Invalid URI: The format of the URI could not be determined" error message might display when you use a Microsoft .NET client that accesses a Web service for WebSphere Application Server
Invalid URI: The format of the URI could not be determined.
System.UriFormatException at System.Uri.Parse() at System.Uri..ctor(String uriString, Boolean dontEscape) at System.Uri..ctor(String uriString) at Microsoft.Web.Services2.SoapInputFilter.CanProcessHeader(XmlElement header, SoapContext context) at Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope envelope) at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope envelope) at Microsoft.Web.Services2.InputStream.GetRawContent() at Microsoft.Web.Services2.InputStream.get_Length() at System.Xml.XmlScanner..ctor(TextReader reader, XmlNameTable ntable) at System.Xml.XmlTextReader..ctor(String url, TextReader input, XmlNameTable nt) at System.Xml.XmlTextReader..ctor(TextReader input) at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
Solution: This error occurs because Microsoft .NET Web Services Enhancements (WSE) Version 2.0 Service Pack 3 does not support a relative URI value for the ActorURI attribute. WSE Version 2.0 Service Pack 3 supports an absolute Uniform Resource Identifier (URI) for this attribute only. To interoperate with a Microsoft .NET client, you must configure this attribute as an absolute URI. An example of an absolute URI is: abc://myWebService. An example of a relative URI is: myWebService.
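The actor and body-signing conditions behind CWWSI5061E, and the absolute-URI requirement for .NET interoperability just described, can be checked directly on a captured request before you open the assembly tool. The following Python script is an added example and is not part of this IBM documentation or of WebSphere Application Server. It constructs a sample request inline (the namespace URIs are the standard SOAP 1.1, OASIS WSS 1.0 and XML Signature ones; the server actor abc://myWebService is the page's own example value), then reports which of the mismatches discussed above are present. The function names and finding codes are the example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard namespaces for SOAP 1.1, OASIS WSS 1.0 and XML Signature.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def qn(prefix, local):
    """Clark-notation name ({namespace}local) for ElementTree attribute lookups."""
    return "{%s}%s" % (NS[prefix], local)


def build_request(actor, signed_ids):
    """Constructed sample request (not a captured WebSphere message). The Body carries
    wsu:Id="body" and a Timestamp carries wsu:Id="ts"; signed_ids lists which of those
    the ds:Signature references. actor=None omits the soapenv:actor attribute."""
    refs = "".join(
        f'<ds:Reference URI="#{i}"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>'
        for i in signed_ids
    )
    actor_attr = f' soapenv:actor="{actor}"' if actor is not None else ""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}" xmlns:wsse="{NS["wsse"]}"'
        f' xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}">'
        "<soapenv:Header>"
        f'<wsse:Security{actor_attr} soapenv:mustUnderstand="1">'
        '<wsu:Timestamp wsu:Id="ts"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>'
        f"<ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo>"
        "<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
        "</wsse:Security></soapenv:Header>"
        '<soapenv:Body wsu:Id="body"><findBeneficiaryBySsNo xmlns="urn:example"/></soapenv:Body>'
        "</soapenv:Envelope>"
    )


def check_request(xml_text, expected_actor):
    """Return a list of (code, message) findings. An empty list means the request is
    consistent with a server whose actor is expected_actor and that requires a signed Body."""
    findings = []
    root = ET.fromstring(xml_text)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return [("NO_SECURITY_HEADER", "request carries no wsse:Security header")]

    # Actor checks: the server only processes a header whose actor string equals its own;
    # anything else is forwarded downstream, and a relative actor breaks WSE 2.0 SP3 clients.
    actor = sec.get(qn("soapenv", "actor"))
    if actor is None:
        findings.append(("ACTOR_MISSING", "wsse:Security header has no soapenv:actor attribute"))
    else:
        if not urlparse(actor).scheme:
            findings.append(("ACTOR_RELATIVE",
                             f"actor '{actor}' is a relative URI; WSE 2.0 SP3 requires an absolute one"))
        if actor != expected_actor:
            findings.append(("ACTOR_MISMATCH",
                             f"actor '{actor}' != server actor '{expected_actor}'; the header is forwarded unprocessed"))

    # Integrity check: the Body is signed only if some ds:Reference points at its wsu:Id.
    body = root.find("soapenv:Body", NS)
    body_id = body.get(qn("wsu", "Id")) if body is not None else None
    signed_uris = {ref.get("URI")
                   for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    if body_id is None or f"#{body_id}" not in signed_uris:
        findings.append(("BODY_UNSIGNED",
                         "no ds:Reference covers the SOAP Body; expect CWWSI5061E on the server"))
    return findings


if __name__ == "__main__":
    bad = build_request("myWebService", ["ts"])          # relative actor, Body not in the signature
    good = build_request("abc://myWebService", ["ts", "body"])
    for label, req in (("bad", bad), ("good", good)):
        print(label, check_request(req, "abc://myWebService") or "no findings")
```

To run it against a real request, replace the constructed envelope with the captured XML and pass the actor string configured in the server request receiver; each finding names the assembly tool setting (actor field or Integrity message parts) that needs to be corrected.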
"WSEC6664E: Null is not allowed to PKIXBuilderParameters. The configuration of TrustAnchor and CertStoreList are not correct" exception displays
Possible cause:
The certificate path setting is not configured properly.
Possible solution:
If you select the Dedicated signing information option, select both a trust anchor and a certificate store from the configurations that are provided in the drop-down lists.
"WSE567: The incoming Username token must contain both a nonce and a creation time for the replay detection feature" Microsoft .NET error displays
Scenario:
WSE567: The incoming Username token must contain both a nonce and a creation time for the replay detection feature.
Cause:
By default, the Microsoft .NET Web service validates the nonce and the timestamp for the username token. However, it is optional for you to configure the nonce and timestamp properties for a Web service client that is using WebSphere Application Server.
Solution:
For more information about configuring token generators, see Configuring token generators with an assembly tool.
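The WSE567 rule above, seen from the receiving side: a username token without both a nonce and a creation time cannot be checked for replay, so a strict receiver rejects it. The following Python script is an added example, not IBM's code and not the WebSphere token consumer; it constructs a wsse:Security header inline, rejects tokens missing either element, and then uses the creation time and a seen-nonce set for replay detection. The five-minute freshness window, the fixed clock FIXED_NOW and the function names are the example's own assumptions.

```python
import base64
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Standard OASIS WSS 1.0 namespaces.
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Fixed reference clock so the example is deterministic; a real receiver uses the current time.
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def make_nonce():
    """Fresh random nonce in the base64 form the token profile expects."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def build_security_header(username, nonce_b64=None, created=None):
    """Constructed wsse:Security header (not a captured message). Nonce and Created are
    omitted when None, which is what a client sends when those token generator
    properties are left unset."""
    parts = [f"<wsse:Username>{username}</wsse:Username>",
             f'<wsse:Password Type="{PASSWORD_TEXT}">placeholder</wsse:Password>']
    if nonce_b64 is not None:
        parts.append(f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{nonce_b64}</wsse:Nonce>')
    if created is not None:
        parts.append(f"<wsu:Created>{created}</wsu:Created>")
    return (f'<wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
            f'<wsse:UsernameToken wsu:Id="utok">{"".join(parts)}</wsse:UsernameToken>'
            "</wsse:Security>")


def parse_created(text):
    """Parse wsu:Created, with or without fractional seconds; None if unparseable."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def validate_username_token(header_xml, seen_nonces, now=None,
                            max_age=timedelta(minutes=5), max_skew=timedelta(minutes=1)):
    """Return (accepted, reason). seen_nonces is the receiver's replay cache and is
    updated only when a token is accepted."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(header_xml)
    tok = root.find(".//wsse:UsernameToken", NS)
    if tok is None:
        return False, "no UsernameToken in header"
    nonce = tok.findtext("wsse:Nonce", default="", namespaces=NS).strip()
    created = tok.findtext("wsu:Created", default="", namespaces=NS).strip()
    if not nonce or not created:
        # Same condition that .NET WSE reports as WSE567.
        return False, "token must carry both a nonce and a creation time"
    created_at = parse_created(created)
    if created_at is None:
        return False, f"unparseable wsu:Created {created!r}"
    if created_at > now + max_skew:
        return False, "wsu:Created is in the future"
    if created_at < now - max_age:
        return False, "wsu:Created is older than the accepted window"
    if nonce in seen_nonces:
        return False, "nonce already seen: replay"
    seen_nonces.add(nonce)
    return True, "accepted"


if __name__ == "__main__":
    cache = set()
    ok_hdr = build_security_header("alice", make_nonce(), "2024-01-01T11:59:30Z")
    print(validate_username_token(ok_hdr, cache, FIXED_NOW))   # accepted
    print(validate_username_token(ok_hdr, cache, FIXED_NOW))   # replay of the same token
    print(validate_username_token(build_security_header("alice"), cache, FIXED_NOW))
```

Setting the nonce and timestamp properties on the WebSphere token generator produces the first header shape; a real receiver also needs to expire entries in the nonce cache after max_age so it does not grow without bound.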
Related tasks
Configuring the client for identity assertion: specifying the method
Configuring the client for identity assertion: collecting the authentication method
Configuring the server to handle identity assertion authentication
Configuring the server to validate identity assertion authentication information
Configuring the client security bindings using an assembly tool
Configuring the security bindings on a server acting as a client using the administrative console
Configuring the server security bindings using an assembly tool
Configuring the server security bindings using the administrative console
Configuring token generators with an assembly tool
Troubleshooting by task
Troubleshooting by component
Related reference
Installation problems