Web services gateway troubleshooting tips

What kind of error are you encountering?

 

Error: Invalid AuthMethod Signature

If you select 'Digital Signature' for 'Identification' when you specify the security settings that apply between the service requester (the client) and the gateway, you may see the following error when you click 'Apply Changes':

WSGW0009E: Failed to deploy service. Exception: Error change service properties...
 com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC0105E: LoginConfig: AuthMethod  Signature is not valid.
This problem only occurs when you set 'Identification' to 'Digital Signature'. The problem is caused by a mismatch between the request bindings and the response bindings. For example, you may have set 'Request Sender' Signing Info on the Request bindings instead of 'Request Receiver', or 'Response Receiver' on the Response bindings instead of 'Response Sender'. To fix the problem, in the Security bindings section, set matching Request and Response bindings. For instructions on setting these parameters, see

 

Error: Unable to build a valid CertPath: java.security.cert.CertPathBuilder

An error similar to the following appears when you run secured Web services through the gateway using the LTPA authentication method with a certificate store defined:

[10/23/03 12:31:40:393 CDT] 78a54799 enterprise    I  
com.ibm.ws.webservices.engine.enterprise  
TRAS0014I: The following exception was  logged WebServicesFault  
faultCode: {http://schemas.xmlsoap.org/ws/2003/06/secext}InvalidSecurityToken  
faultString: WSEC5085E: Unable to build a valid CertPath:  
java.security.cert.CertPathBuilderException: 
PKIXCertPathBuilderImpl could not  build a valid CertPath.; 
internal cause is: java.security.cert.CertPathValidatorException: 
The certificate issued by CN=Int  CA2, OU=TRL, O=IBM, ST=Kanagawa, C=JP is not trusted; 
internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error

This problem occurs when one of the defined certificate stores on the Web services gateway administrative client is missing the certificate path.

To correct this problem:

  1. Add the certificate path to the certificate store configuration. For example, if you are using the sample certificate store from WAS, the path is:

    X509 Certificate Path: /usr/WebSphere/AppServer/etc/ws-security/samples/intca2.cer
    

  2. Run the client again.

 

Error: Failed authentication

An error similar to the following appears when you run secured Web services applications through the gateway:

[10/3/03 21:35:48:597 CDT]   33c558 enterprise    I 
com.ibm.ws.webservices.engine.enterprise  TRAS0014I: The following exception was 
logged WebServicesFault
 faultCode: {http://schemas.xmlsoap.org/ws/2003/06/secext}FailedAuthentication
 faultString: WSEC5078E: Login failed: javax.security.auth.login.LoginException: 
java.lang.NullPointerException
       at com.ibm.wsspi.wssecurity.auth.module.WSSecurityMappingModule._login(WSSecurityMappingModule.java:152)

The problem occurs when global security is not enabled on the Web services gateway and there is no LDAP user registry information with which to authenticate the incoming user login.

To correct this problem, enable global security on the Web services gateway application server using the same LDAP user registry that the deployment manager uses.

Note that before you enable security on the Web services gateway, you need to uninstall the Web services gateway channels and applications (for example, wsgw.ear, wsgwsoaphttp1.ear), and then reinstall them after security is enabled.

 

Error: WSEC5078E: Login failed: com.ibm.websphere.security.auth.WSLoginFailedException... AuthenLoginModule: Authentication failed reason = 2

An error similar to the following appears when you run secured Web services applications through the gateway:

WSEC5078E: Login failed: com.ibm.websphere.security.auth.WSLoginFailedException: 
AuthenLoginModule: Authentication failed reason = 2

This problem occurs when single sign on is enabled and the same password is used on both the deployment manager and the Web services gateway server. The login fails even though the deployment manager and the Web services gateway server are both enabled with security, with the same LDAP user registry and with the same LTPA password. The problem occurs because the key that is generated and passed between the services is randomly generated, and is therefore different for each server even though the same password is used.

To correct this problem, export the key from one cell and import it into the other.
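
The two WSEC5078E faults above share a message ID but have different causes, and the WSEC5085E fault names the untrusted issuer inside a wrapped log line. The following Python is an added example, not IBM code: it splits a trace log on its timestamps, rejoins wrapped lines, and classifies each fault by the causes this page gives. The function names, the cause strings and the sample log (fault text from this page, third timestamp constructed) are assumptions.

```python
import re

# Constructed sample: fault text as shown on this page, wrapped as in the trace
# log. The third entry's timestamp is invented for the example.
SAMPLE_LOG = """\
[10/23/03 12:31:40:393 CDT] 78a54799 enterprise    I
faultCode: {http://schemas.xmlsoap.org/ws/2003/06/secext}InvalidSecurityToken
faultString: WSEC5085E: Unable to build a valid CertPath:
internal cause is: java.security.cert.CertPathValidatorException:
The certificate issued by CN=Int  CA2, OU=TRL, O=IBM, ST=Kanagawa, C=JP is not trusted;
[10/3/03 21:35:48:597 CDT]   33c558 enterprise    I
faultCode: {http://schemas.xmlsoap.org/ws/2003/06/secext}FailedAuthentication
faultString: WSEC5078E: Login failed: javax.security.auth.login.LoginException:
java.lang.NullPointerException
       at com.ibm.wsspi.wssecurity.auth.module.WSSecurityMappingModule._login(WSSecur
ityMappingModule.java:152)
[10/3/03 21:40:02:101 CDT]   33c558 enterprise    I
WSEC5078E: Login failed: com.ibm.websphere.security.auth.WSLoginFailedException:
AuthenLoginModule: Authentication failed reason = 2
"""

ENTRY_START = re.compile(r"^\[\d+/\d+/\d+ [\d:]+ \w+\]", re.M)

def split_entries(log):
    """Split on trace timestamps and rejoin each entry's wrapped lines."""
    starts = [m.start() for m in ENTRY_START.finditer(log)] + [len(log)]
    return [re.sub(r"\s+", " ", log[a:b]).strip() for a, b in zip(starts, starts[1:])]

def triage(entry):
    """Return (message id, cause per this page, untrusted issuer DN or None)."""
    m = re.search(r"\bWSEC\d{4}E\b", entry)
    code = m.group(0) if m else None
    if code == "WSEC5085E":
        issuer = re.search(r"issued by (.+?) is not trusted", entry)
        return code, "certificate path missing from certificate store", issuer and issuer.group(1)
    if code == "WSEC5078E":
        # Same message id, two causes on this page: the nested exception decides.
        if "Authentication failed reason = 2" in entry:
            return code, "LTPA key differs between servers", None
        if "NullPointerException" in entry and "WSSecurityMappingModule" in entry:
            return code, "global security not enabled on gateway", None
    return code, "unclassified", None

if __name__ == "__main__":
    for e in split_entries(SAMPLE_LOG):
        print(triage(e))
```

The issuer DN returned for WSEC5085E identifies which CA certificate to add to the certificate store's X509 certificate path.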

For current information available from IBM Support on known problems and their resolution, see the IBM Support page.

IBM Support has documents that can save you time gathering the information needed to resolve this problem. Before opening a PMR, see the IBM Support page.

 

See Also

Request receiver binding collection
Response sender binding collection
Request sender binding collection
Response receiver binding collection