ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/webserv/wssectrb.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">

<title>Troubleshoot: Web services security</title>
</head>

<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>

<h4><a name="wssectrb"></a>Troubleshoot: Web services security</h4>

<p>These Web services are developed and implemented based on the Web Services for Java 2 platform, Enterprise Edition (J2EE) specification. This topic discusses problems that you might encounter when you are securing Web services:</p>

<ul>
<li><a href="#failure">Authentication challenge or authorization failure is displayed</a></li> 
<li><a href="#wss">Web services security enabled application fails to start</a></li> 
<li><a href="#interoperate">Applications with Web services security enabled cannot interoperate between WebSphere Application Server - Express Version 5.1 and Version 5.0.2</a></li>
</ul>

<p><a name="failure"></a><strong>Authentication challenge or authorization failure is displayed</strong></p>

<p>You might encounter an authentication challenge or an authorization failure if a thread switch occurs. For example, an application might create a new thread or a raw socket connection to a servlet might open. A thread switch is not recommended by the Java 2 Platform, Enterprise Edition (J2EE) specification because the security context information is stored in thread local. When a thread switch occurs, the authenticated identity is not passed from thread local to the new thread. As a result, WebSphere Application Server considers the identity to be unauthenticated. If you must create a new thread, you must propagate the security context to the new thread. However, this process is not supported by WebSphere Application Server.</p>

<p><a name="wss"></a><strong>Web services security enabled application fails to start</strong></p>

<p>When a Web services security-enabled application fails to start, you might receive an error message similar to the following: </p>

<pre>
[6/19/03 11:13:02:976 EDT] 421fdaa2 KeyStoreKeyLo E WSEC5156E: An exception
while retrieving the key from KeyStore object: 
java.security.UnrecoverableKeyException: Given final block not properly padded
</pre>

<p>The cause of the problem is that the keypass value or password provided for a particular key in the key store is invalid. The key store values are specified in the <tt>KeyLocators</tt> elements of one of following binding files: <tt>ws-security.xml, ibm-webservices-bnd.xmi</tt> or <tt>ibm-webservicesclient-bnd.xmi</tt>. Verify that the keypass values for keys specified in the <tt>KeyLocators</tt> elements are correct.</p>

<p><a name="interoperate"></a><strong>Applications with Web services security enabled cannot interoperate between WebSphere Application Server - Express Version 5.1 and Version 5.0.2</strong></p>

<p>Applications with Web services security enabled cannot interoperate between WebSphere Application Server Version 5.1 and Version 5.0.2. When applications attempt to interoperate, a &quot;digest mismatch&quot; error is displayed. An error exists in the cannonicalization algorithm for XML digital signature, which is fixed in Version 5.1. For Web services security to interoperate between WebSphere Application Server Version 5.1 and Version 5.0.2, you must update your Version 5.0.2 application server. To update your Version 5.0.2 server, access the <a href="http://www-306.ibm.com/software/webservers/appserv/was/support/" target="_blank">WebSphere Application Server Support Web site</a> <img src="www.gif" width="19" height="15" alt="Link outside Information Center" border="0"> and download the latest cumulative fix for WebSphere Application Server, Version 5.0.2.</p>

<p>For more information, see <a href="wssectrbtips.htm">Troubleshooting tips: Web services security</a>.</p>

</body>
</html>