
After Updating the JDK and/or Applying a WebLogic Patch, Approved Requests Do Not Complete; OIM Logs Show Errors WSM-07618, WSM-07602, WSM-07501 and OWS-04086 with "Algorithm constraints check failed on disabled signature algorithm: MD5withRSA" (Doc ID 2448737.1)

Last updated on OCTOBER 21, 2019

Applies to:

Identity Manager - Version 11.1.2.1.0 to 11.1.2.3.0 [Release 11g]
Information in this document applies to any platform.

Symptoms

Approved requests do not complete.

The OIM diagnostic logs show errors like:

[[ERROR] [WSM-07618] [oracle.wsm.resources.enforcement] [tid: x] [userId: <UID>] [ecid: ..] [APP: oim#11.1.2.0.0] [J2EE_APP.name: oim_11.1.2.0.0] [J2EE_MODULE.name: workflowservice] [WEBSERVICE.name: CallbackService] [WEBSERVICE_PORT.name: CallbackServicePort] [WSM_POLICY_NAME: oracle/wss11_saml_or_username_token_with_message_protection_service_policy] Failed to execute the assertion "WS-Security 1.1 Saml with certificates" in the conditional policy. FailedAuthentication : The security token cannot be authenticated.[[
oracle.wsm.common.sdk.WSMException: FailedAuthentication : The security token cannot be authenticated.
at oracle.wsm.security.policy.scenario.executor.Wss11SamlWithCertsScenarioExecutor.receiveRequest(Wss11SamlWithCertsScenarioExecutor.java:138)
at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:832)
at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:425)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.executeAssertion(XORPolicyExecutor.java:1465)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.executePossibleMatchingAssertionsList(XORPolicyExecutor.java:239)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.processRequest(XORPolicyExecutor.java:182)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.execute(XORPolicyExecutor.java:152)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeXorAssertion(WSPolicyRuntimeExecutor.java:386)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:338)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:291)
at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:102)
at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1059)
...
Caused by: oracle.wsm.security.SecurityException: WSM-00062 : The path to the certificate used for the signature is invalid.
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verifyRequest(Wss11X509TokenProcessor.java:1174)
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:990)
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:945)
at oracle.wsm.security.policy.scenario.executor.Wss11SamlWithCertsScenarioExecutor.receiveRequest(Wss11SamlWithCertsScenarioExecutor.java:102)
... 50 more
Caused by: oracle.wsm.security.SecurityException: WSM-00138 : The path to the certificate is invalid.
..........
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled signature algorithm: MD5withRSA
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:355)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
at oracle.wsm.security.jps.WsmKeyStore.validateCertificatePath(WsmKeyStore.java:611)
... 54 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled signature algorithm: MD5withRSA
at sun.security.util.DisabledAlgorithmConstraints.checkConstraints(DisabledAlgorithmConstraints.java:200)
at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:140)
at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:261)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
... 58 more

]]

... [ERROR] [WSM-07602] [oracle.wsm.resources.enforcement] [tid: x] [userId: <UID>] [ecid: ....] [APP: oim#11.1.2.0.0] [J2EE_APP.name: oim_11.1.2.0.0] [J2EE_MODULE.name: workflowservice] [WEBSERVICE.name: CallbackService] [WEBSERVICE_PORT.name: CallbackServicePort] [WSM_POLICY_NAME: oracle/wss11_saml_or_username_token_with_message_protection_service_policy] Failure in WS-Policy Execution due to exception.

[
....[ERROR] [WSM-07501] [oracle.wsm.resources.enforcement] [tid: x] [userId: <UID>] [ecid: ...] [APP: oim#11.1.2.0.0] [J2EE_APP.name: oim_11.1.2.0.0] [J2EE_MODULE.name: workflowservice] [WEBSERVICE.name: CallbackService] [WEBSERVICE_PORT.name: CallbackServicePort] [WSM_POLICY_NAME: oracle/wss11_saml_or_username_token_with_message_protection_service_policy] Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.service, application=oim_11.1.2.0.0, composite=null, modelObj=CallbackService, policy=oracle/wss11_saml_or_username_token_with_message_protection_service_policy, policyVersion=null, assertionName={http://schemas.oracle.com/ws/2006/01/securitypolicy}wss11-saml-with-certificates.

[

... [ERROR] [OWS-04086] [oracle.webservices.service] [tid: x] [userId: <UID>] [ecid: ...] [APP: oim#11.1.2.0.0] oracle.fabric.common.PolicyEnforcementException: FailedAuthentication : The security token cannot be authenticated.[[
at oracle.fabric.common.AbstractSecurityInterceptor.processResult(AbstractSecurityInterceptor.java:180)
at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:95)
at oracle.integration.platform.common.InterceptorChainImpl.processRequest(InterceptorChainImpl.java:129)
at oracle.integration.platform.common.mgmt.InterceptorChainManager.processRequest(InterceptorChainManager.java:276)
at oracle.j2ee.ws.server.mgmt.runtime.SuperServerInterceptorPipeline.handleRequest(SuperServerInterceptorPipeline.java:165)
at oracle.j2ee.ws.server.provider.management.AbstractProviderInterceptorPipeline.executeRequestInterceptorChain(AbstractProviderInterceptorPipeline.java:576)
at oracle.j2ee.ws.server.provider.ProviderProcessor.executeInterceptorRequestChain(ProviderProcessor.java:921)
at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:233)
at oracle.j2ee.ws.server.WebServiceProcessor.doService(WebServiceProcessor.java:195)
at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:487)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
...
Caused by: oracle.wsm.common.sdk.WSMException: FailedAuthentication : The security token cannot be authenticated.
at oracle.wsm.security.policy.scenario.executor.Wss11SamlWithCertsScenarioExecutor.receiveRequest(Wss11SamlWithCertsScenarioExecutor.java:138)
at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:832)
at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:425)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.executeAssertion(XORPolicyExecutor.java:1465)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.executePossibleMatchingAssertionsList(XORPolicyExecutor.java:239)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.processRequest(XORPolicyExecutor.java:182)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.execute(XORPolicyExecutor.java:152)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeXorAssertion(WSPolicyRuntimeExecutor.java:386)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:338)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:291)
at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:102)
at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1059)
...
Caused by: oracle.wsm.security.SecurityException: WSM-00062 : The path to the certificate used for the signature is invalid.
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verifyRequest(Wss11X509TokenProcessor.java:1174)
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:990)
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:945)
at oracle.wsm.security.policy.scenario.executor.Wss11SamlWithCertsScenarioExecutor.receiveRequest(Wss11SamlWithCertsScenarioExecutor.java:102)
... 50 more
Caused by: oracle.wsm.security.SecurityException: WSM-00138 : The path to the certificate is invalid.
.....


Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled signature algorithm: MD5withRSA
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:355)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
at oracle.wsm.security.jps.WsmKeyStore.validateCertificatePath(WsmKeyStore.java:611)
... 54 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled signature algorithm: MD5withRSA
at sun.security.util.DisabledAlgorithmConstraints.checkConstraints(DisabledAlgorithmConstraints.java:200)
at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:140)
at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:261)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
... 58 more

]]
[ERROR] [OWS-04115] [oracle.webservices.service] [tid: x] [userId: <UID>] [ecid: ...] [APP: oim#11.1.2.0.0] An error occurred for port: {http://wls.ws.workflowservice.platform.iam.oracle/}CallbackServicePort: oracle.fabric.common.PolicyEnforcementException: FailedAuthentication : The security token cannot be authenticated..
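
In the entries above, the outer WSM/OWS codes only report a failed authentication; the innermost `Caused by` line is what names the rejected signature algorithm. The following is an added example (not Oracle's code) that walks such entries and extracts that root cause. The sample text is constructed from the excerpt above with stack frames trimmed, and the function names are illustrative.

```python
import re

# Constructed sample: lines taken from the excerpt above, stack frames trimmed.
SAMPLE = """\
[ERROR] [WSM-07618] [oracle.wsm.resources.enforcement] [APP: oim#11.1.2.0.0] [WEBSERVICE.name: CallbackService] Failed to execute the assertion "WS-Security 1.1 Saml with certificates" in the conditional policy. FailedAuthentication : The security token cannot be authenticated.[[
oracle.wsm.common.sdk.WSMException: FailedAuthentication : The security token cannot be authenticated.
at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1059)
Caused by: oracle.wsm.security.SecurityException: WSM-00062 : The path to the certificate used for the signature is invalid.
... 50 more
Caused by: oracle.wsm.security.SecurityException: WSM-00138 : The path to the certificate is invalid.
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled signature algorithm: MD5withRSA
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
... 54 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled signature algorithm: MD5withRSA
]]
[ERROR] [OWS-04115] [oracle.webservices.service] [APP: oim#11.1.2.0.0] An error occurred for port: CallbackServicePort
"""

HEADER = re.compile(r"\[ERROR\] \[([A-Z]+-\d+)\]")        # entry start + message code
SERVICE = re.compile(r"\[WEBSERVICE\.name: ([^\]]+)\]")    # affected web service
CAUSE = re.compile(r"^Caused by: ([\w.$]+): (.*)$")        # one link of the cause chain
DISABLED = re.compile(r"disabled signature algorithm: (\S+)")

def triage(log_text):
    """Group lines into entries and record each entry's distinct cause chain."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        head = HEADER.search(line)
        if head:
            svc = SERVICE.search(line)
            current = {"code": head.group(1),
                       "service": svc.group(1) if svc else None,
                       "causes": [], "disabled_algorithm": None}
            entries.append(current)
            continue
        link = CAUSE.match(line)
        if link and current is not None:
            cause = (link.group(1), link.group(2))
            if cause not in current["causes"]:   # the trace repeats the innermost cause
                current["causes"].append(cause)
            algo = DISABLED.search(link.group(2))
            if algo:
                current["disabled_algorithm"] = algo.group(1)
    return entries

def crypto_policy_failures(entries):
    """Entries whose cause chain ends in a JDK algorithm-constraint rejection."""
    return [e for e in entries if e["disabled_algorithm"]]
```
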

 

Changes

The JDK was updated (commonly performed as part of the WebLogic Server patching process).

Cause
