<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Troubleshooting tips: Web services security</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="wssectrbtips">Troubleshooting tips: Web services security</a></h5>
<p>Troubleshoot Web services security by reviewing the configurations in WebSphere Studio Development Client for iSeries so that you can match up the client and server request and the response configurations. These configurations must match. A client request sender configuration must match a server request receiver configuration.</p>
<p>For encryption to successfully occur, the public key of the receiver must be exported to the sender and this key must be configured properly in the encryption information. For authentication, you must specify the method used by the client in the login mapping of the server. Also, you must correctly specify the actor URI at each point in the configuration with the same URI string. The following includes a list of generic troubleshooting steps that you can perform. A listing of specific symptoms and solutions is provided after these steps.</p>
<ol>
<li>Verify that the client security extensions and server security extensions match on each downstream call for the following senders and receivers:
<ul>
<li>Request sender and request receiver</li>
<li>Response sender and response receiver</li>
</ul></li>
<li><p>Verify that, when the <strong>Add Created Time Stamp</strong> option is enabled on the client side, the server has the <strong>Add Received Time Stamp</strong> option configured. You must configure the security extensions in WebSphere Studio Development Client for iSeries.</p></li>
<li><p>Verify that the client security bindings and the server security bindings are correctly configured. When the client authentication method is signature, make sure that the server has a login mapping. For example, when the client uses the public key <tt>cn=Bob,o=IBM,c=US</tt> to encrypt the body, verify that this Subject is a personal certificate in the server key store so that it can decrypt the body with the private key. You can configure the security bindings using either WebSphere Studio Development Client for iSeries or the WebSphere administrative console.</p></li>
<li><p>For messages that might provide information about the problem, check the /QIBM/UserData/WebASE51/ASE/<em>instance</em>/logs/<em>instance</em>/SystemOut.log file, where <em>instance</em> is the name of your instance.</p></li>
<li><p>Enable trace for Web services security by using the following trace specification:</p>
<pre>com.ibm.xml.soapsec.*=all=enabled:com.ibm.ws.webservices.*=all=enabled:
com.ibm.wsspi.wssecurity.*=all=enabled:com.ibm.ws.security.*=all=enabled:
SASRas=all=enabled</pre>
<p><strong>Note:</strong> Type the previous three lines as one continuous line.</p></li>
</ol>
<p>Specific symptoms:</p>
<ul>
<li><p><strong>Symptom:</strong> <tt>WSEC5061E: The SOAP Body is not signed.</tt></p>
<p><strong>Solution:</strong> This error usually occurs when the SOAP security handler does not load properly, and the SOAP body is consequently not signed. The SOAP security handler is typically the first validation that occurs on the server side, so a multitude of problems can cause this message to display. The error might also be caused by invalid actor URI configurations. You can configure the actor Uniform Resource Identifier (URI) at the following locations within WebSphere Studio Development Client for iSeries:</p>
<ul>
<li>In the Web Services Client Editor (for client configurations):
<ul>
<li>Click <strong>Security Extensions</strong> --> <strong>Client Service Configuration Details</strong> and indicate the actor information in the <strong>ActorURI</strong> field.</li>
<li>Click <strong>Security Extensions</strong> --> <strong>Request Sender Configuration</strong> --> <strong>Details</strong> and indicate the actor information in the <strong>Actor</strong> field.</li>
</ul></li>
<li>In the Web Services Editor (for server configurations):
<ul>
<li>Click <strong>Security Extensions</strong> --> <strong>Server Service Configuration</strong>. Verify that the actor URI has the same actor string as the client side.</li>
<li>Click <strong>Security Extensions</strong> --> <strong>Response Sender Service Configuration Details</strong> --> <strong>Details</strong> and indicate the actor information in the <strong>Actor</strong> field.</li>
</ul></li>
</ul>
<p>The actor information on both the client and the server must refer to the same string. When the actor fields on the client and the server match, the request or response is acted upon instead of being forwarded downstream. The actor fields might be different when you have Web services acting as a gateway to other Web services. However, in all other cases, verify that the actor information matches on the client and server. When the Web services implementation is acting as a gateway and it does not have the same actor configured as the request passing through the gateway, this Web services implementation does not process the message from the client. Instead, it sends the request downstream. The downstream process that contains the correct actor string processes the request. The same situation occurs for the response. Therefore, it is important that you verify that the appropriate client and server actor fields are synchronized.</p>
<p>Additionally, the error can appear when you do not specify that the body is signed in the client configuration. To sign the body part of the message using the Web Service Client Editor, click <strong>Security Extensions</strong> --> <strong>Request Sender Configuration</strong> --> <strong>Integrity</strong> and select the message parts to sign.</p></li>
<li><p><strong>Symptom:</strong> <tt>WSEC5075E: No security token found that satisfies any one of the authentication methods.</tt></p>
<p><strong>Solution:</strong> Verify that the client and server login configuration information matches in the security extensions. Also, verify that the client has a valid login binding and that the server has a valid login mapping in the security bindings. You can check this information by looking at the following locations in the WebSphere Studio Development Client for iSeries:</p>
<ul>
<li>In the Web Services Client Editor (for client configurations):
<ul>
<li>Click <strong>Security Extensions</strong> --> <strong>Request Sender Configuration</strong> --> <strong>Login Configuration</strong>. Verify the authentication method.</li>
<li>Click <strong>Port Binding</strong> --> <strong>Security Request Sender Binding Configuration</strong> --> <strong>Login Binding</strong>. Verify the authentication method and other parameters.</li>
</ul></li>
<li>In the Web Services Editor (for server configurations):
<ul>
<li>Click <strong>Security Extensions</strong> --> <strong>Request Receiver Service Configuration Details</strong> --> <strong>Login Configuration</strong>. Verify the authentication method.</li>
<li>Click <strong>Binding Configurations</strong> --> <strong>Request Receiver Binding Configuration Details</strong> --> <strong>Login Mapping</strong>. Verify the authentication method and other parameters.</li>
</ul></li>
</ul>
<p>Also, make sure that the actor URI specified on the client and server matches. You can configure the actor URI at the following locations in WebSphere Studio Development Client for iSeries:</p>
<ul>
<li>In the Web Services Client Editor (for client configurations):
<ul>
<li>Click <strong>Security Extensions</strong> --> <strong>Client Service Configuration Details</strong>, and indicate the actor information in the <strong>ActorURI</strong> field.</li>
<li>Click <strong>Security Extensions</strong> --> <strong>Request Sender Configuration</strong> --> <strong>Details</strong>, and indicate the actor information in the <strong>Actor</strong> field.</li>
</ul></li>
<li>In the Web Services Editor (for server configurations):
<ul>
<li>Click <strong>Security Extensions</strong> --> <strong>Server Service Configuration</strong> section. Make sure that the <strong>Actor URI</strong> field has the same actor string as the client side.</li>
<li>Click <strong>Security Extensions</strong> --> <strong>Response Sender Service Configuration Details</strong> --> <strong>Details</strong> and indicate the actor information in the <strong>Actor</strong> field.</li>
</ul></li>
</ul></li>
<li><p><strong>Symptom:</strong> <tt>WSEC5094E: No UsernameToken of trusted user was found or the login failed for the user while the TrustMode is BasicAuth.</tt></p>
<p><strong>Solution:</strong> This situation occurs when you have IDAssertion configured in the login configuration as the authentication method. On the sending Web service, configure a trusted basic authentication entry in the login binding. Then, on the server side, verify that the trusted ID evaluator has a property set that contains the user name of this basic authentication entry. To configure the client for identity assertion, see <a href="wsseccfidautcl.htm">Configure identity assertion authentication for a Web services client</a>. To configure the server for identity assertion, see <a href="wsseccfidautsv.htm">Configure the server for Web services identity assertion authentication</a>.</p></li>
</ul>
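<p>The actor-matching rule and the <tt>WSEC5061E</tt> symptom described above, modelled as a small offline check: a node only examines a <tt>wsse:Security</tt> header whose actor equals its own configured actor; a gateway passes a non-matching request downstream, an endpoint has nothing to verify and reports the body as unsigned. This is an added example, not code from this page or from WebSphere; the namespace URIs, the <tt>wsu:Id</tt> value and the actor URIs are assumptions, and the request is constructed rather than captured.</p>

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions for this example (WS-Security 1.0 / SOAP 1.1).
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSEC5061E = "WSEC5061E: The SOAP Body is not signed."

def make_request(actor: str, sign_body: bool) -> str:
    """Constructed sample request (not captured traffic). A real message carries a
    full ds:Signature; only the ds:Reference to the Body's wsu:Id matters here."""
    sig = ""
    if sign_body:
        sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
               '<ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>')
    return (f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}" xmlns:wsu="{NS["wsu"]}">'
            f'<soapenv:Header><wsse:Security xmlns:wsse="{NS["wsse"]}" '
            f'soapenv:actor="{actor}">{sig}</wsse:Security></soapenv:Header>'
            '<soapenv:Body wsu:Id="body"><ns:ping xmlns:ns="urn:example"/></soapenv:Body>'
            '</soapenv:Envelope>')

def check_request(soap_xml: str, server_actor: str, gateway: bool = False) -> str:
    """Model of the server-side actor check from the troubleshooting text.

    A wsse:Security header is examined only when its soapenv:actor equals the
    actor configured for this node. With no matching header, a gateway passes
    the request downstream untouched, while an endpoint has nothing to verify
    and reports WSEC5061E. A matching header must reference the Body's wsu:Id."""
    root = ET.fromstring(soap_xml)
    body = root.find("soapenv:Body", NS)
    body_id = body.get(f"{{{NS['wsu']}}}Id") if body is not None else None
    for sec in root.findall("soapenv:Header/wsse:Security", NS):
        if sec.get(f"{{{NS['soapenv']}}}actor") != server_actor:
            continue  # addressed to another actor; not this node's header
        refs = {r.get("URI") for r in sec.iterfind(".//ds:Reference", NS)}
        return "ok" if body_id and f"#{body_id}" in refs else WSEC5061E
    return "forwarded downstream" if gateway else WSEC5061E

if __name__ == "__main__":
    srv = "urn:example:service"  # assumed actor URI configured on the server
    print(check_request(make_request(srv, True), srv))                  # ok
    print(check_request(make_request(srv, False), srv))                 # WSEC5061E
    print(check_request(make_request("urn:example:other", True), srv))  # WSEC5061E
    print(check_request(make_request("urn:example:other", True), srv, gateway=True))
```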
</body>
</html>