Unexpected OWSM Exception In Fault Handling With Kerberos Message Protection Policy
(Doc ID 2200862.1)
Last updated on FEBRUARY 06, 2024
Applies to:
Oracle Web Services Manager - Version 12.2.1.0.0 and later
Information in this document applies to any platform.
Symptoms
An OWSM exception occurs in fault handling when using a Kerberos Message Protection policy.
When using any of the Kerberos policies such as oracle/wss11_kerberos_token_with_message_protection_basic128_client/server_policy or oracle/wss11_kerberos_token_with_message_protection_basic128_client/server_policy, the problem can occur.
If the server returns a fault, the following exception occurs:
[oracle.osb.security.api.security] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: <ECID>] [APP: Service Bus Framework Starter Application] [partition-name: DOMAIN] [tenant-name: GLOBAL] [FlowId: <FLOWID>] An error occurred during web service security inbound request processing [error-code:SecurityHeaderUnmarshallingError, message-id: <MESSAGE-ID>, proxy: Project4/ProxyService2, operation: execute][[
--- Error message:
java.lang.IllegalArgumentException: oracle.security.xmlsec.keys.KeyInfoData required
at oracle.security.xmlsec.dsig.XSKeyInfo.addKeyInfoData(XSKeyInfo.java:385)
at oracle.wsm.security.policy.scenario.processor.KerberosTokenProcessor.build(KerberosTokenProcessor.java:352)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor$2.run(KerberosSecurityScenarioExecutor.java:236)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor.send(KerberosSecurityScenarioExecutor.java:233)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor.sendFault(KerberosSecurityScenarioExecutor.java:367)
at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:662)
at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:44)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:526)
The policy is not processing the fault correctly, as it is looking for it to be signed, which it is not, nor should it be.
A request and response in a non-fault case work, so the Kerberos configuration itself should be fine.
This used to work for OSB 11.1.1.7.0 and it still works fine for valid responses. There seems to be a different handling for faults.
Setup:
============================
[JSE-Client] --Usernametoken--> [WLS] --Kerberos--> [OSB]
Test case:
1. A JSE-Client calls WLS with username token -> that works fine
2. WLS calls OSB with Kerberos -> that works fine
3. OSB generates a fault ("Received fatal alert: protocol_version" because of a stopped application) -> that works with default Oracle policies but not the Kerberos policies
STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Attach the oracle/wss11_kerberos_token_with_message_protection_basic128_server_policy to a service.
2. Attach a copy of the OWSM policy oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy to an OSB service.
3. Notice when OSB generates a fault, the error occurs.
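A triage check for the log signature described in this note, as an added example (not Oracle's code): it flags only entries where SecurityHeaderUnmarshallingError coincides with the KeyInfoData exception on the KerberosSecurityScenarioExecutor.sendFault path, separating this fault-handling symptom from other security header errors. The sample log is constructed from the entry shown above; the function names and the rule that a new entry begins at a line starting with "[" are assumptions.

```python
import re

# Constructed sample modelled on the entry above; <ECID> and <MESSAGE-ID> are
# the page's own placeholders. The second entry is a constructed non-match.
SAMPLE_LOG = """\
[oracle.osb.security.api.security] [ecid: <ECID>] An error occurred during web service security inbound request processing [error-code:SecurityHeaderUnmarshallingError, message-id: <MESSAGE-ID>, proxy: Project4/ProxyService2, operation: execute][[
java.lang.IllegalArgumentException: oracle.security.xmlsec.keys.KeyInfoData required
at oracle.security.xmlsec.dsig.XSKeyInfo.addKeyInfoData(XSKeyInfo.java:385)
at oracle.wsm.security.policy.scenario.processor.KerberosTokenProcessor.build(KerberosTokenProcessor.java:352)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor.sendFault(KerberosSecurityScenarioExecutor.java:367)
[oracle.osb.security.api.security] [ecid: <ECID>] An error occurred during web service security inbound request processing [error-code:SecurityHeaderUnmarshallingError, message-id: <MESSAGE-ID>, proxy: Project4/ProxyService3, operation: execute][[
java.lang.IllegalArgumentException: constructed unrelated failure
at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:662)
"""

HEADER = re.compile(
    r"error-code:\s*(?P<code>\w+).*?proxy:\s*(?P<proxy>[^,\]]+),"
    r"\s*operation:\s*(?P<op>[^\]]+)\]")
# All three markers come from the stack trace in this note and must co-occur.
SIGNATURE = ("oracle.security.xmlsec.keys.KeyInfoData required",
             "KerberosTokenProcessor.build",
             "KerberosSecurityScenarioExecutor.sendFault")

def split_entries(text):
    """Split log text into entries; assumes a new entry starts at a '[' line."""
    entries, current = [], []
    for line in text.splitlines():
        if line.startswith("[") and current:
            entries.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        entries.append("\n".join(current))
    return entries

def find_fault_path_failures(text):
    """Return (proxy, operation) for entries matching the full symptom signature."""
    hits = []
    for entry in split_entries(text):
        m = HEADER.search(entry)
        if not m or m.group("code") != "SecurityHeaderUnmarshallingError":
            continue
        if all(marker in entry for marker in SIGNATURE):
            hits.append((m.group("proxy").strip(), m.group("op").strip()))
    return hits

if __name__ == "__main__":
    for proxy, op in find_fault_path_failures(SAMPLE_LOG):
        print(f"fault-path Kerberos failure: proxy={proxy} operation={op}")
```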
Changes
Cause