My Oracle Support Banner

When Using An OSB Business Service With an OWSM Client Policy, Attempting to Override the csf-key Results in OSB-387254 Error (Doc ID 2589728.1)

Last updated on FEBRUARY 16, 2021

Applies to:

Oracle Web Services Manager - Version 12.2.1.3.0 and later
Oracle Service Bus - Version 12.2.1.3.0 and later
Information in this document applies to any platform.

Symptoms

When attempting to invoke an OSB business service with an OWSM client policy attached, the following error occurs:

ERROR
-----------

[OSB-387254]Failed to validate the Override Value "csf-key" due to the following error: Failed to load the Keystore due to the following exception: java.security.PrivilegedActionException: com.bea.wli.sb.security.CredentialManagementException: Failed to load the Keystore due to the following exception: oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to load the keystore.. Please refer OWSM documentation on Setting up the Keystore for Message Protection.
oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to load the keystore.
at oracle.security.jps.internal.keystore.ldap.KeyStoreDataManager.getKeyStore(KeyStoreDataManager.java:1052)
at oracle.security.jps.internal.keystore.ldap.LdapKeyStoreServiceImpl.getKeyStore(LdapKeyStoreServiceImpl.java:285)
at oracle.security.jps.internal.keystore.ldap.LdapKeyStoreServiceImpl.getKeyStore(LdapKeyStoreServiceImpl.java:306)
at com.bea.alsb.security.owsm.sdkadapter.WsmKeyStore$2.run(WsmKeyStore.java:97)
at com.bea.alsb.security.owsm.sdkadapter.WsmKeyStore$2.run(WsmKeyStore.java:94)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.alsb.security.owsm.sdkadapter.WsmKeyStore.getKSSKeyStore(WsmKeyStore.java:94)
at com.bea.alsb.security.owsm.sdkadapter.WsmKeyStore.(WsmKeyStore.java:52)
at com.bea.alsb.security.owsm.sdkadapter.OWSMCredentialsManager.initKeyStore(OWSMCredentialsManager.java:163)
at com.bea.alsb.security.owsm.sdkadapter.OWSMCredentialsManager.validateKeystoreAlias(OWSMCredentialsManager.java:112)
at com.bea.wli.sb.security.wss.wsm.OWSMPolicyManager.validatePolicyOverrides(OWSMPolicyManager.java:801)
at com.bea.wli.sb.security.wss.wsm.OWSMPolicyManager.validatePolicyAttachment(OWSMPolicyManager.java:872)
at com.bea.wli.sb.test.services.service.wss.WssHandler.validate(WssHandler.java:292)
at com.bea.wli.sb.test.services.service.wss.WssHandler.validate(WssHandler.java:129)

As well, a runtime error can appear in the logs of the server after invoking the business service:

oracle.wsm.common.sdk.WSMException: WSM-00015 : The user name is missing.
at oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.sendRequest(WssUsernameTokenScenarioExecutor.java:248)
at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:708)
at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:44)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:526)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:438)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:385)
at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:175)
at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1334)
at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:583)
at oracle.j2ee.ws.common.wsm.SecurityAgentTube.processRequest(SecurityAgentTube.java:215)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:813)
at com.sun.xml.ws.api.server.ThreadLocalContainerResolver$2$1.run(ThreadLocalContainerResolver.java:112)
at com.oracle.webservices.impl.disi.client.DISIServiceDelegate$1.execute(DISIServiceDelegate.java:47)
at com.sun.xml.ws.api.server.ThreadLocalContainerResolver$2.execute(ThreadLocalContainerResolver.java:107)
at com.sun.xml.ws.api.pipe.Engine.addRunnable(Engine.java:96)
at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:424)
at com.sun.xml.ws.client.Stub.processAsync(Stub.java:573)
at com.sun.xml.ws.client.dispatch.DispatchImpl.access$1000(DispatchImpl.java:107)
at com.sun.xml.ws.client.dispatch.DispatchImpl$DispatchAsyncInvoker.do_run(DispatchImpl.java:648)
at com.sun.xml.ws.client.AsyncInvoker.run(AsyncInvoker.java:86)
at com.sun.xml.ws.client.AsyncResponseImpl.run(AsyncResponseImpl.java:90)
at com.sun.xml.ws.client.dispatch.DispatchImpl.invokeAsync(DispatchImpl.java:242)
at com.oracle.webservices.impl.disi.client.DispatcherRequestImpl.request(DispatcherRequestImpl.java:62)
at com.bea.wli.sb.service.disi.handlerchain.handlers.OutboundDISIHandler$1.run(OutboundDISIHandler.java:174)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAs(JpsSubject.java:208)
...

If the default key is used (basic.credentials) for holding the credentials, the process works correctly.
The error occurs when a custom csf-key is set up in the environment for the credentials to be used and an attempt is made to use that key as a policy override.

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.