When Using An OSB Business Service With an OWSM Client Policy, Attempting to Override the csf-key Results in OSB-387254 Error
(Doc ID 2589728.1)
Last updated on FEBRUARY 06, 2024
Applies to:
Oracle Web Services Manager - Version 12.2.1.3.0 and later
Oracle Service Bus - Version 12.2.1.3.0 and later
Information in this document applies to any platform.
Symptoms
When attempting to invoke an OSB business service with an OWSM client policy attached, the following error occurs:
ERROR
-----------
[OSB-387254]Failed to validate the Override Value "csf-key" due to the following error: Failed to load the Keystore due to the following exception: java.security.PrivilegedActionException: com.bea.wli.sb.security.CredentialManagementException: Failed to load the Keystore due to the following exception: oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to load the keystore.. Please refer OWSM documentation on Setting up the Keystore for Message Protection.
oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to load the keystore.
at oracle.security.jps.internal.keystore.ldap.KeyStoreDataManager.getKeyStore(KeyStoreDataManager.java:1052)
at oracle.security.jps.internal.keystore.ldap.LdapKeyStoreServiceImpl.getKeyStore(LdapKeyStoreServiceImpl.java:285)
at oracle.security.jps.internal.keystore.ldap.LdapKeyStoreServiceImpl.getKeyStore(LdapKeyStoreServiceImpl.java:306)
at com.bea.alsb.security.owsm.sdkadapter.WsmKeyStore$2.run(WsmKeyStore.java:97)
at com.bea.alsb.security.owsm.sdkadapter.WsmKeyStore$2.run(WsmKeyStore.java:94)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.alsb.security.owsm.sdkadapter.WsmKeyStore.getKSSKeyStore(WsmKeyStore.java:94)
at com.bea.alsb.security.owsm.sdkadapter.WsmKeyStore.<init>(WsmKeyStore.java:52)
at com.bea.alsb.security.owsm.sdkadapter.OWSMCredentialsManager.initKeyStore(OWSMCredentialsManager.java:163)
at com.bea.alsb.security.owsm.sdkadapter.OWSMCredentialsManager.validateKeystoreAlias(OWSMCredentialsManager.java:112)
at com.bea.wli.sb.security.wss.wsm.OWSMPolicyManager.validatePolicyOverrides(OWSMPolicyManager.java:801)
at com.bea.wli.sb.security.wss.wsm.OWSMPolicyManager.validatePolicyAttachment(OWSMPolicyManager.java:872)
at com.bea.wli.sb.test.services.service.wss.WssHandler.validate(WssHandler.java:292)
at com.bea.wli.sb.test.services.service.wss.WssHandler.validate(WssHandler.java:129)
In addition, a runtime error can appear in the server logs after the business service is invoked:
oracle.wsm.common.sdk.WSMException: WSM-00015 : The user name is missing.
at oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.sendRequest(WssUsernameTokenScenarioExecutor.java:248)
at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:708)
at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:44)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:526)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:438)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:385)
at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:175)
at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1334)
at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:583)
at oracle.j2ee.ws.common.wsm.SecurityAgentTube.processRequest(SecurityAgentTube.java:215)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:813)
at com.sun.xml.ws.api.server.ThreadLocalContainerResolver$2$1.run(ThreadLocalContainerResolver.java:112)
at com.oracle.webservices.impl.disi.client.DISIServiceDelegate$1.execute(DISIServiceDelegate.java:47)
at com.sun.xml.ws.api.server.ThreadLocalContainerResolver$2.execute(ThreadLocalContainerResolver.java:107)
at com.sun.xml.ws.api.pipe.Engine.addRunnable(Engine.java:96)
at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:424)
at com.sun.xml.ws.client.Stub.processAsync(Stub.java:573)
at com.sun.xml.ws.client.dispatch.DispatchImpl.access$1000(DispatchImpl.java:107)
at com.sun.xml.ws.client.dispatch.DispatchImpl$DispatchAsyncInvoker.do_run(DispatchImpl.java:648)
at com.sun.xml.ws.client.AsyncInvoker.run(AsyncInvoker.java:86)
at com.sun.xml.ws.client.AsyncResponseImpl.run(AsyncResponseImpl.java:90)
at com.sun.xml.ws.client.dispatch.DispatchImpl.invokeAsync(DispatchImpl.java:242)
at com.oracle.webservices.impl.disi.client.DispatcherRequestImpl.request(DispatcherRequestImpl.java:62)
at com.bea.wli.sb.service.disi.handlerchain.handlers.OutboundDISIHandler$1.run(OutboundDISIHandler.java:174)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAs(JpsSubject.java:208)
...
If the default key (basic.credentials) is used to hold the credentials, the process works correctly.
The error occurs when a custom csf-key is set up in the environment to hold the credentials and an attempt is made to use that key as a policy override.
Cause