SOA Request Fails with WSM-00279 and "Unable to dispatch request to http://YOUROIMHOST:14000/reqsvc/reqsvc due to oracle.j2ee.ws.client.jaxws.JRFSOAPFaultException" with "The security token cannot be authenticated" (Doc ID 1598492.1)

Last updated on NOVEMBER 03, 2016

Applies to:

Identity Manager - Version 11.1.2.0.0 and later
Oracle SOA Suite - Version 11.1.1.6.0 and later
Information in this document applies to any platform.

Symptoms

OIM requests fail and show the status "Request Failed", while the corresponding SOA composite instances show the RequestWSPartnerLink as Faulted, with remoteFaults showing FailedAuthentication : The security token cannot be authenticated.

 

When viewing the request from the Track Requests page in OIM, if you select the "Request Failed" link shown in the task's Status, you see an IAM-2050126 error containing FailedAuthentication : The security token cannot be authenticated.:

IAM-2050126 : Invalid outcome com.oracle.bpel.client.BPELFault: faultName: {{http://schemas.oracle.com/bpel/extension}selectionFailure} remoteFault}messageType: {{http://schemas.oracle.com/bpel/extension}RuntimeFaultMessage} parts: {{ summary=<summary>FailedAuthentication : The security token cannot be authenticated.</summary> ,detail=<detail>oracle.j2ee.ws.client.jaxws.JRFSOAPFaultException: Client received SOAP Fault from server : FailedAuthentication : The security token cannot be authenticated.</detail> , code=<code>{http://docs.oasis-open.org/wss/2004/01/oasis-200401-ws-wssecurity-secext-1.0.xsd}FailedAuthentication</code>} received from SOA for the request id xxx.

 

The soa_server1-diagnostic log ($DOMAIN_HOME/servers/<serverName>/logs/<serverName>-diagnostic.log) shows a WSM-00279 error for the RequestWSPartnerLink component, which also shows FailedAuthentication : The security token cannot be authenticated.:

[2015-02-06T10:53:42.450-05:00] [soa_server1] [ERROR] [WSM-00279] [oracle.wsm.resources.security] [tid: orabpel.invoke.pool-4.thread-1] [userId: weblogic_idm] [ecid: xxx] [APP: soa-infra] [composite_instance_id: 1] [composite_name: DefaultRequestApproval!3.0] [component_name: RequestWSPartnerLink] [WSM_POLICY_NAME: oracle/wss_username_token_client_policy] The following Fault Message is received at the client side from the service:- [[
FailedAuthentication : The security token cannot be authenticated..

The client side policy is:-
oracle/wss_username_token_client_policy.

The service endpoint url is:-
http://YOUROIMHOST:YOUROIMPORT/reqsvc/reqsvc.

Keystore properties:-
 {}.

Properties found in the message context (Partial list):-
{csf-key=OIMAdmin}.    <=== The csf-key used to call the request service is specified here (OIMAdmin in this case)

 PolicyReference OverrideProperty:
[]

Policy configuration properties (some of these may be overridden by the properties passed in the PolicyReference or message context, for details about the order of precedence of properties consult documentation):-
{csf-key=basic.credentials, role=ultimateReceiver}.

Other related information:-
{oracle.integration.platform.common.subject=Subject:
Principal: WLSAdmins
Principal: OIMAdministrators
Principal: weblogic_idm
Principal: authenticated-role
Principal: ApplicationRolesoa-infra/BPMWorkflowCustomize,uname:cn=BPMWorkflowCustomize,cn=Roles,cn=soa-infra,cn=IAM,cn=JPSContext,cn=jpsroot,guid:E83217D0ED8011E2BF50C1B102FFCE96
Principal: ApplicationRolesoa-infra/SOAOperator,uname:cn=SOAOperator,cn=Roles,cn=soa-infra,cn=IAM,cn=JPSContext,cn=jpsroot,guid:E7EBE710ED8011E2BF50C1B102FFCE96
Principal: ApplicationRolesoa-infra/BPMOrganizationAdmin,uname:cn=BPMOrganizationAdmin,cn=Roles,cn=soa-infra,cn=IAM,cn=JPSContext,cn=jpsroot,guid:E84578C0ED8011E2BF50C1B102FFCE96
Principal: ApplicationRolesoa-infra/SOADesigner,uname:cn=SOADesigner,cn=Roles,cn=soa-infra,cn=IAM,cn=JPSContext,cn=jpsroot,guid:E850C360ED80

 

Note that the csf-key used to call the RequestWSPartnerLink is specified in the error message in the SOA diagnostic log. In this case, the csf-key was OIMAdmin, but depending upon the version of OIM, the requestwskey csf-key might also be used.
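The following triage script is an added example, not Oracle's code: it scans a diagnostic log for WSM-00279 FailedAuthentication entries and reports the csf-key, client policy and endpoint for each, so you know which credential store entry to check. The sample log is constructed and abridged from the excerpt above, and all function names are illustrative.

```python
import re

# Constructed sample, abridged from the WSM-00279 entry shown above.
SAMPLE_LOG = """\
[2015-02-06T10:53:42.450-05:00] [soa_server1] [ERROR] [WSM-00279] [oracle.wsm.resources.security] [userId: weblogic_idm] [composite_name: DefaultRequestApproval!3.0] [component_name: RequestWSPartnerLink] [WSM_POLICY_NAME: oracle/wss_username_token_client_policy] The following Fault Message is received at the client side from the service:- [[
FailedAuthentication : The security token cannot be authenticated..
The service endpoint url is:-
http://YOUROIMHOST:YOUROIMPORT/reqsvc/reqsvc.
Properties found in the message context (Partial list):-
{csf-key=OIMAdmin}.
Policy configuration properties (abridged):-
{csf-key=basic.credentials, role=ultimateReceiver}.
[2015-02-06T10:53:43.000-05:00] [soa_server1] [NOTIFICATION] [] [oracle.soa] unrelated constructed entry
"""

ENTRY_START = re.compile(r"^\[\d{4}-\d{2}-\d{2}T", re.M)  # each entry begins with [timestamp]

def split_entries(text):
    starts = [m.start() for m in ENTRY_START.finditer(text)]
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]

def header_field(entry, name):
    m = re.search(r"\[" + re.escape(name) + r": ([^\]]*)\]", entry)
    return m.group(1) if m else None

def section_value(entry, heading):
    """Return the line that follows a 'heading ...:-' line, minus the trailing dot."""
    m = re.search(re.escape(heading) + r"[^\n]*:-[ \t]*\n[ \t]*([^\n]*)", entry)
    return m.group(1).rstrip().rstrip(".") if m else None

def csf_key(value):
    m = re.search(r"csf-key=([^,}\s]+)", value or "")
    return m.group(1) if m else None

def triage(text):
    """Summarize each WSM-00279 authentication fault found in the log text."""
    findings = []
    for e in split_entries(text):
        if "[WSM-00279]" in e and "FailedAuthentication" in e:
            ctx = csf_key(section_value(e, "Properties found in the message context"))
            default = csf_key(section_value(e, "Policy configuration properties"))
            findings.append({
                "time": e[1:e.index("]")], "component": header_field(e, "component_name"),
                "policy": header_field(e, "WSM_POLICY_NAME"),
                "endpoint": section_value(e, "The service endpoint url is"),
                "csf_key_in_use": ctx or default,  # message context overrides the policy value, per the log's own note
                "policy_default_csf_key": default,
            })
    return findings
```

To run it against a real log, pass the contents of the `<serverName>-diagnostic.log` file to `triage()` instead of `SAMPLE_LOG`.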

Similar (less detailed) errors can be seen in the SOA server's *.out log file:

 

Changes

A change to the Oracle Identity Manager System Administrator password or the password as entered in the CSF key can cause this issue.

Cause
