IBM Support

TroubleShoot: JAX-WS PolicySet and Bindings problems with WebSphere traditional

Troubleshooting


Problem

This document contains troubleshooting information for the Policy Manager component in WebSphere® Application Server traditional. The Policy Manager processes JAX-WS PolicySets and Bindings.

Resolving The Problem


This document contains troubleshooting information for Policy Manager problems in WebSphere® Application Server traditional. The Policy Manager processes JAX-WS PolicySets and Bindings. Working through it can help you address common issues with this component before calling IBM support, and save you time.



Runtime:


    If you used the administrative console to attach policy and bindings to your application, at runtime, the application server reads files on the file system to determine the policy attachment. You can read these same files to determine the policy and binding attachment for your application. If you read through the 'Package JAX-WS Policy and Binding Data for Analysis' section on the Collect data tab, you'll see that one of the directories that you zip is:

    (cellRoot)/applications/(earName)/deployments/(appName)/META-INF
      If a policy and bindings are attached to an application, there will be a policy attachments file in this directory. If application specific bindings are attached to the application, the directory containing the application specific binding will also be in this directory.

      One or both of the following files will exist in this directory if a policy is attached to the application:

          • policyAttachments.xml
          • clientPolicyAttachments.xml
      policyAttachments.xml will be in the directory if there is an attachment for a provider application. clientPolicyAttachments.xml will be in the directory if there is an attachment for a client application.

      Here is an example of a clientPolicyAttachments.xml that shows a client that is attached to the ATwoWayUnt policy and is using the default bindings:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <psa:PolicySetAttachment xmlns:psa="http://www.ibm.com/xmlns/prod/websphere/200605/policysetattachment" xmlns:ps="http://www.ibm.com/xmlns/prod/websphere/200605/policyset">
      <psa:PolicySetReference name="ATwoWayUnt" id="1806">
      <psa:Resource pattern="WebService:/HelloSvcClient.war:{http://hsamples}HelloService"/>
      </psa:PolicySetReference>
      </psa:PolicySetAttachment>

      Here is an example of a clientPolicyAttachments.xml that shows a client that is attached to the "WSSecurity default" policy and is using the myClientBinding application specific binding:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <psa:PolicySetAttachment xmlns:psa="http://www.ibm.com/xmlns/prod/websphere/200605/policysetattachment" xmlns:ps="http://www.ibm.com/xmlns/prod/websphere/200605/policyset">
      <psa:PolicySetReference name="WSSecurity default" id="com.ibm.ast.ws.local.qos.policyset.id1">
      <psa:PolicySetBinding name="myClientBinding"/>
      <psa:Resource pattern="WebService:/echoSvc.war{http://esamples}EchoService"/>
      </psa:PolicySetReference>
      </psa:PolicySetAttachment>

      Here is an example of a clientPolicyAttachments.xml that shows a client that is attached to the ATwoWayUnt policy and is using the "Client sample" general bindings:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <psa:PolicySetAttachment xmlns:psa="http://www.ibm.com/xmlns/prod/websphere/200605/policysetattachment" xmlns:ps="http://www.ibm.com/xmlns/prod/websphere/200605/policyset">
      <psa:PolicySetReference name="ATwoWayUnt" id="1806">
      <psa:PolicySetBinding scope="domain" name="Client sample"/>
      <psa:Resource pattern="WebService:/HelloSvcClient.war:{http://hsamples}HelloService"/>
      </psa:PolicySetReference>
      </psa:PolicySetAttachment>
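
The check described above can be scripted. The Python below is an added example, not IBM code: it reads policyAttachments.xml and clientPolicyAttachments.xml from a META-INF directory and reports, for each attached resource, the policy set and the kind of binding in use. The binding classification is an assumption drawn from the three examples above (no PolicySetBinding element means default bindings, scope="domain" means a general binding, otherwise an application specific binding); the sample XML, its id values 1807 and 1808, and the function names are constructed.

```python
import os
import xml.etree.ElementTree as ET

PSA = "{http://www.ibm.com/xmlns/prod/websphere/200605/policysetattachment}"
FILES = {"provider": "policyAttachments.xml", "client": "clientPolicyAttachments.xml"}

# Constructed sample, modelled on the clientPolicyAttachments.xml examples above.
SAMPLE = b"""\
<psa:PolicySetAttachment xmlns:psa="http://www.ibm.com/xmlns/prod/websphere/200605/policysetattachment">
<psa:PolicySetReference name="ATwoWayUnt" id="1806">
<psa:Resource pattern="WebService:/HelloSvcClient.war:{http://hsamples}HelloService"/>
</psa:PolicySetReference>
<psa:PolicySetReference name="WSSecurity default" id="1807">
<psa:PolicySetBinding name="myClientBinding"/>
<psa:Resource pattern="WebService:/echoSvc.war:{http://esamples}EchoService"/>
</psa:PolicySetReference>
<psa:PolicySetReference name="ATwoWayUnt" id="1808">
<psa:PolicySetBinding scope="domain" name="Client sample"/>
<psa:Resource pattern="WebService:/OtherClient.war:{http://osamples}OtherService"/>
</psa:PolicySetReference>
</psa:PolicySetAttachment>"""

def parse_attachments(xml_bytes):
    """Return one (resource pattern, policy set, binding) tuple per attached resource."""
    rows = []
    for ref in ET.fromstring(xml_bytes).iter(PSA + "PolicySetReference"):
        binding = ref.find(PSA + "PolicySetBinding")
        if binding is None:
            desc = "default bindings"  # no PolicySetBinding element present
        elif binding.get("scope") == "domain":
            desc = "general binding: " + binding.get("name", "")
        else:
            desc = "application specific binding: " + binding.get("name", "")
        for res in ref.iter(PSA + "Resource"):
            rows.append((res.get("pattern"), ref.get("name"), desc))
    return rows

def attachments_in(meta_inf_dir):
    """Map 'provider' and 'client' to parsed rows; a missing file means no attachment."""
    found = {role: [] for role in FILES}
    for role, name in FILES.items():
        path = os.path.join(meta_inf_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                found[role] = parse_attachments(fh.read())
    return found

if __name__ == "__main__":
    for row in parse_attachments(SAMPLE):
        print(row)
```

An empty list for a role means the corresponding attachment file is absent, which is the condition in which no Security header is added for that role.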


    I attached WS-Security policy and bindings to my client application, but no Security headers are in my SOAP message

    When no policy is in effect for a client application, no Security header will appear in the SOAP message. If the partner provider is secured, you will get a SOAPFault in response.
        If you think that a policy and bindings should be attached to your client application, but there appears to be no policy in effect at runtime, see "The policy or bindings that is in effect does not appear to be what is configured" later in this document. If you think that a policy and bindings should be attached to your provider application, but there appears to be no policy in effect at runtime, see "The policy or bindings that is in effect does not appear to be what is configured" later in this document. Do the following:

        • If your application was deployed with an assembly tool, such as IBM® Rational® Application Developer for WebSphere® Software (RAD), the first thing that you should do is check whether the publishing settings in your application server definition in RAD are set to 'Run server with resources on Server'. Do the following in your assembly tool:
          • Window > Show view > Servers
          • In the Servers pane, right click on the server > Open
          • On the right, expand 'Publishing settings for WebSphere Application Server'
          • If it is currently set to 'Run server with resources within the workspace', do the following:
            1. Change the setting to 'Run server with resources on Server'
            2. Click File > Save
            3. After changing to 'Run server with resources on Server', you must uninstall, then re-install the application. Just doing a redeploy will not fix the issue. Do the following:
              1. In the Servers pane, right click on the server > Add and Remove...
              2. In the Configured section on the right, select your application
              3. Click Remove
              4. Click Finish
              5. In the Servers pane, right click on the server > Add and Remove...
              6. In the Available section on the left, select your application
              7. Click Add
              8. Click Finish
            4. You can now go back and reattach your policy and bindings to your application in the administrative console.
          • If you already have 'Run server with resources on Server' set and you know that you installed the application after choosing this setting, proceed to the next section.
        • If your application was not deployed with an assembly tool, or you completed the assembly tool section above without relief, do the following:
          1. In the administrative console, view the policy and bindings attachment for your application:
            • For a provider navigate to Services > Service providers > (appName)
            • For a client, navigate to Services > Service clients > (appName)
          2. Look at your attachment checkmarks on the panel and ensure that the attachments conform to this rule obtained from the Attaching a policy set to a service artifact topic in the Knowledge Center:
            • Avoid trouble: Do not select all of the entries on the panel. The artifacts are Service, Endpoint and Operation. Only select the top-level parent of all artifacts that have the same attachment. For example, if all endpoints and operations are attached to the same endpoint, only select the Service entry. If you have more than one endpoint in your service, and the endpoints have different policies and all operations within each endpoint have the same policy, only select the parent endpoint for each set of operations that have the same policy attachment.
          3. If your attachments do not conform to the rules shown above, fix them, save the updates, restart your application and retest.
          4. If your attachments appear to conform, go back and view your attachments through the Applications path to see if you notice anything amiss there:
            1. Navigate to Applications > Application Types > WebSphere enterprise applications > (appName)
            2. Navigate the client or provider page:
              • For a provider click Service provider policy sets and bindings
              • For a client, click Service client policy sets and bindings
        • If your issue is with a WS-Security policy, check the trace for a policy/binding load failure. From a trace that was gathered using the WebSphere traditional WS-Security trace specification from MustGather: Web Services Security (WS-Security) problems with WebSphere Application Server, do the following:
          1. Search for the string Exception caught in loadCustom()
          2. If you find that string in the trace, note the exception, for instance:
             [1/30/17 20:33:43:891 UTC] 00000070 WSSecurityBin 3 Exception caught in loadCustom(). Error while loading PolicySet Bindings. Exception is: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS7328E: Did not find a token generator for the supporting token of type [http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-prof…].
          3. Fix the error that is causing loadCustom to fail, then retest.
          4. There is additional debug information about the loadCustom error in the "I created a general binding by copying my app specific binding on the file system and now my app won't run" topic later in this document.
        • If none of the items above solve your problem, see the section titled How can I see what policy and bindings are attached to my application without the admin console? earlier in this document.
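
The trace search in the WS-Security step above can be automated when the trace is large. The Python below is an added example, not IBM code: it finds every entry containing Exception caught in loadCustom(), extracts the timestamp, thread, exception class and message ID, and counts repeats so that one root cause is not mistaken for many. The entry layout is assumed from the single trace line quoted above; the other sample lines and the function names are constructed.

```python
import re
from collections import Counter

MARKER = "Exception caught in loadCustom()"
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]{8})\s+(?P<component>\S+)\s+\S\s+"
    + re.escape(MARKER) + r"\..*?Exception is:\s*(?P<exc>[\w.$]+):\s*(?P<detail>.*)$")
MSG_ID = re.compile(r"\b[A-Z]{4,5}\d{4}[EWI]\b")

# Line 1 is the entry quoted above (its URL is truncated there); lines 2 and 3 are constructed.
SAMPLE_TRACE = """\
[1/30/17 20:33:43:891 UTC] 00000070 WSSecurityBin 3 Exception caught in loadCustom(). Error while loading PolicySet Bindings. Exception is: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS7328E: Did not find a token generator for the supporting token of type [http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-prof…].
[1/30/17 20:33:43:895 UTC] 00000070 WSSecurityBin 3 constructed entry that does not mention the load failure
[1/30/17 20:35:02:114 UTC] 00000071 WSSecurityBin 3 Exception caught in loadCustom(). Error while loading PolicySet Bindings. Exception is: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS7328E: Did not find a token generator for the supporting token of type [http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-prof…].
"""

def find_load_failures(trace_text):
    """Return one dict per trace line that reports a loadCustom() failure."""
    failures = []
    for lineno, line in enumerate(trace_text.splitlines(), 1):
        if MARKER not in line:
            continue
        m = ENTRY.match(line.strip())
        if m is None:
            # Layout differs from the assumed one: keep the hit visible, unparsed.
            failures.append({"line": lineno, "raw": line.strip()})
            continue
        ids = MSG_ID.findall(m["detail"])
        failures.append({"line": lineno, "ts": m["ts"], "thread": m["thread"],
                         "exception": m["exc"], "msg_id": ids[0] if ids else None,
                         "detail": m["detail"]})
    return failures

def summarize(failures):
    """Count failures per (exception class, message ID)."""
    return Counter((f.get("exception"), f.get("msg_id")) for f in failures)

if __name__ == "__main__":
    for key, count in summarize(find_load_failures(SAMPLE_TRACE)).items():
        print(count, key)
```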


      Note:

      This document uses the term WebSphere traditional to refer to WebSphere Application Server v9.0 traditional, WebSphere Application Server v8.5 full profile, WebSphere Application Server v8.0 and earlier, WebSphere classic, traditional WebSphere, traditional WAS and tWAS.


      Document Information

      Modified date:
      15 June 2018

      UID

      swg22008834