Troubleshooting tips: Web services security

Troubleshoot Web services security by reviewing the configurations in WebSphere Studio Development Client for iSeries so that you can compare the client and server request and response configurations. These configurations must match. For example, a client request sender configuration must match a server request receiver configuration.

For encryption to succeed, the public key of the receiver must be exported to the sender, and this key must be configured properly in the encryption information. For authentication, you must specify the method used by the client in the login mapping of the server. Also, you must specify the actor URI with the same URI string at each point in the configuration. The following list contains generic troubleshooting steps that you can perform. A listing of specific symptoms and solutions is provided after these steps.

  1. Verify that the client security extensions and server security extensions match on each downstream call for the following senders and receivers:

  2. Verify that when the Add Created Time Stamp option is enabled on the client side, the server has the Add Received Time Stamp option configured. You must configure the security extensions in the WebSphere Studio Development Client for iSeries.

  3. Verify that the client security bindings and the server security bindings are correctly configured. When the client authentication method is signature, make sure that the server has a login mapping. For example, when the client uses the public key cn=Bob,o=IBM,c=US to encrypt the body, verify that this Subject is a personal certificate in the server key store so that it can decrypt the body with the private key. You can configure the security bindings using either WebSphere Studio Development Client for iSeries or the WebSphere administrative console.

  4. For messages that might provide information about the problem, check the /QIBM/UserData/WebASE51/ASE/instance/logs/instance/SystemOut.log file, where instance is the name of your instance.

  5. Enable trace for Web services security by using the following trace specification:

    com.ibm.xml.soapsec.*=all=enabled:com.ibm.ws.webservices.*=all=enabled:
    com.ibm.wsspi.wssecurity.*=all=enabled:com.ibm.ws.security.*=all=enabled:
    SASRas=all=enabled

    Note: Type the previous three lines as one continuous line.
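The trace specification in step 5 is silently ineffective if it is pasted with its line breaks or cut off after a trailing colon. The following check is an added example, not part of the original documentation; it assumes the WebSphere 5.x `component=type=state` entry convention with colon separators, and the function names are hypothetical.

```python
import re

# The three lines exactly as printed in step 5 (wrapped only for page width).
PRINTED_LINES = [
    "com.ibm.xml.soapsec.*=all=enabled:com.ibm.ws.webservices.*=all=enabled:",
    "com.ibm.wsspi.wssecurity.*=all=enabled:com.ibm.ws.security.*=all=enabled:",
    "SASRas=all=enabled",
]

# Assumed grammar for one entry: component=type=state
TYPES = {"all", "entryExit", "debug", "event"}
STATES = {"enabled", "disabled"}
COMPONENT = re.compile(r"^[A-Za-z_][\w.]*(\.\*)?$|^\*$")


def join_spec(lines):
    """Join wrapped lines into the one continuous string the server expects."""
    return "".join(line.strip() for line in lines)


def check_spec(spec):
    """Return a list of problems found in a trace specification string."""
    problems = []
    if re.search(r"\s", spec):
        problems.append("whitespace or line break inside the specification")
    for entry in spec.split(":"):
        parts = entry.split("=")
        if len(parts) != 3:
            # An empty entry means a leading, trailing or doubled colon.
            problems.append(f"malformed entry: {entry!r}")
            continue
        component, trace_type, state = parts
        if not COMPONENT.match(component):
            problems.append(f"bad component name: {component!r}")
        if trace_type not in TYPES:
            problems.append(f"unknown trace type: {trace_type!r}")
        if state not in STATES:
            problems.append(f"unknown state: {state!r}")
    return problems


if __name__ == "__main__":
    spec = join_spec(PRINTED_LINES)
    print(spec)
    print(check_spec(spec) or "specification is well formed")
```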

Specific symptoms: