Web services security troubleshooting tips


Review configurations in the Assembly Toolkit.

A client request sender configuration must match a server request receiver configuration. The public key of the receiver must be exported to the sender and this key must be configured properly in the encryption information.

For authentication, specify the method used by the client in the login mapping of the server. Also, correctly specify the actor URI at each point in the configuration with the same URI string.

Troubleshooting steps include...

  1. Verify that the client security extensions and server security extensions match on each downstream call for the following senders and receivers:

  2. Verify that when the Add Created Time Stamp option is enabled on the client-side that the server has the Add Received Time Stamp option configured. You must configure the security extensions in the Assembly Toolkit

  3. Verify that the client security bindings and the server security bindings are correctly configured. When the client authentication method is signature, make sure that the server has a login mapping. When the client uses the public key cn=Bob,o=IBM,c=US to encrypt the body, verify that this Subject is a personal certificate in the server key store so that it can decrypt the body with the private key. You can configure the security bindings using either the Assembly Toolkit or the WAS administrative console.

  4. Check $WAS_HOME/logs/server/SystemOut.log

  5. Enable trace for Web services security by using the following trace specification... com.ibm.xml.soapsec.*=all=enabled:com.ibm.ws.webservices.*=all=enabled... com.ibm.wsspi.wssecurity.*=all=enabled:com.ibm.ws.security.*=all=enabled... SASRas=all=enabled

    Type the previous three lines as one continuous line.


See Also

Troubleshooting by component: What is not working?
Configuring the client for identity assertion: specifying the method
Configuring the client for identity assertion: Collecting the authentication method
Configuring the server to handle identity assertion authentication
Configuring the server to validate identity assertion authentication information
Configuring the client security bindings using the Assembly Toolkit
Configuring the security bindings on a server acting as a client using the administrative console
Configuring the server security bindings using the Assembly Toolkit
Configuring the server security bindings using the administrative console
Troubleshooting installation problems