Unexpected OWSM Exception In Fault Handling With Kerberos Message Protection Policy

(Doc ID 2200862.1)

Last updated on NOVEMBER 16, 2016

Applies to:

Oracle Web Services Manager - Version and later
Information in this document applies to any platform.


An OWSM Exception in fault handling when using a Kerberos Message Protection policy.

When using any of the Kerberos policies such as oracle/wss11_kerberos_token_with_message_protection_basic128_client/server_policy or oracle/wss11_kerberos_token_with_message_protection_basic128_client/server_policy, the problem can occur.

If the server returns a fault, the following exception occurs:

[osb_server1] [ERROR] [OSB-387022]
[oracle.osb.security.api.security] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid:
29bb1255-83ba-4e05-a07f-560211e9171a-00001569,0:1] [APP: Service Bus Framework Starter Application] [partition-name: DOMAIN] [tenant-name: GLOBAL]
[FlowId: 0000LOldvDH7u1f_TXl3ic1NaFcV00000A] An error occurred during web service security inbound request processing [error-code:SecurityHeaderUnmarshallingError, message-id: a8da846.4e9df282.0.1562d910be0.N7ff9, proxy: Project4/ProxyService2, operation: execute][[
--- Error message:
java.lang.IllegalArgumentException: oracle.security.xmlsec.keys.KeyInfoData required
at oracle.security.xmlsec.dsig.XSKeyInfo.addKeyInfoData(XSKeyInfo.java:385)
at oracle.wsm.security.policy.scenario.processor.KerberosTokenProcessor.build(KerberosTokenProcessor.java:352)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor$2.run(KerberosSecurityScenarioExecutor.java:236)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor.send(KerberosSecurityScenarioExecutor.java:233)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor.sendFault(KerberosSecurityScenarioExecutor.java:367)
at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:662)
at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:44)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:526)

The policy is not processing the fault correctly, as it is looking for it to be signed, which is is not, nor should it be.

A Request and response with a non-fault case work, so the Kerberos configuration itself should be fine.

This used to work for OSB and it still works fine for valid responses. There seems to be a different handling for faults.

[JSE-Client] --Usernametoken--> [WLS] --Kerberos--> [OSB]

Test case:
1. A JSE-Client calls WLS with username token -> that works fine
2. WLS calls OSB with Kerberos -> that works fine
3. OSB generates a fault ("Received fatal alert: protocol_version" because of a stopped application)-> that works with default Oracle policies but not the Kerberos policies

The issue can be reproduced at will with the following steps:

1. Attach the oracle/wss11_kerberos_token_with_message_protection_basic128_server_policy to a service.
2. Attach copy of the OWSM policy oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy to an OSB service.
3. Notice when OSB generates a fault, the error occurs.


Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms