Recently, I integrated a secured web service with Oracle SOA and faced the following error when I tried to test the web service call. I used the OWSM policy 'oracle/wss10_message_protection_client_policy' to sign the request message.
Error:
<Feb 03, 2016 10:30:56 AM CST> <Error> <oracle.webservices.service> <OWS-04086> <javax.xml.rpc.soap.SOAPFaultException: oracle.fabric.common.FabricInvocationException: Unable to invoke endpoint URI "https://abc.xyz.com/WebService" successfully due to: oracle.fabric.common.PolicyEnforcementException: WSM-00276 : Validation failed for the identity published in the WSDL endpoint "https://abc.xyz.com/WebService".
Caused By: oracle.wsm.security.SecurityException: WSM-00138 : The path to the certificate is invalid.
Validation failed for the certificate "Subject DN:- CN=dummy_key, OU=abc, O=XYZ, C=US, Serial Number:- 1430987244, Issuer DN:- CN=dummy_key, OU=abc, O=XYZ, C=US"
Certificates in cert path used for validation are:-
"Subject DN:- CN=dummy_key, OU=abc, O=XYZ, C=US, Issuer DN:- CN=dummy_key, OU=abc, O=XYZ, C=US"
at oracle.integration.platform.blocks.soap.WebServiceEntryBindingComponent.generateSoapFaultException(WebServiceEntryBindingComponent.java:1279)
Fix:
Imported additional (intermediate/identity) certificates (X509) associated with the secured web service into SOA's keystore as trusted certificates and rebooted the server(s).
Notes:
I enabled WSSE debug flags in WebLogic Server's setDomainEnv.sh to find out the exact cause. Don't forget to disable the flags afterwards, otherwise you will face an excessive logging issue.
EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Dweblogic.wsee.verbose=* -Dssl.debug=true"
export EXTRA_JAVA_PROPERTIES
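The log above already names the certificate that failed: its Subject DN and Issuer DN are identical, so it is self-signed and can only validate if it is itself in the keystore as a trusted certificate. As an added example (not code from the original post), the Python script below parses a WSM-00138 message and follows the issuer links through the reported path to name the DN that has to be imported. The message layout is assumed from the single log on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: the WSM-00138 lines copied from the log on this page.
SAMPLE = (
    'Caused By: oracle.wsm.security.SecurityException: WSM-00138 : '
    'The path to the certificate is invalid.\n'
    'Validation failed for the certificate "Subject DN:- CN=dummy_key, OU=abc, O=XYZ, C=US, '
    'Serial Number:- 1430987244, Issuer DN:- CN=dummy_key, OU=abc, O=XYZ, C=US"\n'
    'Certificates in cert path used for validation are:-\n'
    '"Subject DN:- CN=dummy_key, OU=abc, O=XYZ, C=US, '
    'Issuer DN:- CN=dummy_key, OU=abc, O=XYZ, C=US"\n'
)

# One quoted certificate description; path entries carry no serial number.
CERT_RE = re.compile(
    r'"Subject DN:- (?P<subject>[^"]+?)(?:, Serial Number:- (?P<serial>\d+))?'
    r', Issuer DN:- (?P<issuer>[^"]+)"'
)

def norm(dn):
    # Simplified DN comparison: ignores case and spacing; escaped commas are not handled.
    return tuple(part.strip().lower() for part in dn.split(","))

def parse_fault(text):
    """Return (failed_cert, cert_path) as dicts parsed from a WSM-00138 message."""
    certs = [m.groupdict() for m in CERT_RE.finditer(text)]
    if "WSM-00138" not in text or not certs:
        raise ValueError("no WSM-00138 certificate details found")
    return certs[0], certs[1:]

def missing_trust(text):
    """Follow issuer links through the reported path; name the DN to import as trusted."""
    failed, path = parse_fault(text)
    by_subject = {norm(c["subject"]): c for c in path}
    current, seen = failed, set()
    while True:
        subject, issuer = norm(current["subject"]), norm(current["issuer"])
        if subject == issuer:
            # Chain ends in a self-signed cert that validation rejected.
            return {"import_dn": current["subject"], "reason": "self-signed, not trusted"}
        if issuer not in by_subject or issuer in seen:
            return {"import_dn": current["issuer"], "reason": "issuer not in path"}
        seen.add(issuer)
        current = by_subject[issuer]

if __name__ == "__main__":
    print(missing_trust(SAMPLE))
```

The returned DN is the one to look for among the trusted entries of the keystore configured for the domain.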
Great post!! Can you please elaborate on "importing intermediate cert to SOA key store"? Is it to the OWSM default-keystore.jks file?
Pls share more details on "importing intermediate cert to SOA keystore". Is it the OWSM config/fmwconfig/default-keystore.jks keystore?
It could be default-keystore.jks or any custom keystore located in the fmwconfig folder.
Follow the steps below to find out which keystore is configured for a specific domain.
Go to EM Console --> WebLogic Domain --> Right click on Domain --> Security --> Security Provider Configuration.