Troubleshooting
Problem
This document contains troubleshooting information for the Policy Manager component in the WebSphere® Application Server traditional. The Policy Manager processes JAX-WS PolicySets and Bindings.
Resolving The Problem
< /div>
This document contains troubleshooting information for Policy Manager problems in the WebSphere® Application Server traditional. The Policy Manager processes JAX-WS PolicySets and Bindings. This can help address common issues with this component before calling IBM support and save you time.
Tab navigation
- Troubleshoot- selected tab,
- Collect data
Tab navigation
- WebSphere traditional- selected tab,
- policyAttachments.xml
- clientPolicyAttachments.xml
How can I see what policy and bindings are attached to my application without the admin console?
Avoid Trouble: The information in this section is intended to show you how to see the policy and bindings that are currently attached to an application. Altering the files referenced in this section with anything but the administrative console or the wsadmin tool is not supported.(cellRoot)/applications/(earName)/deployments/(appName)/META-INF |
One or both of the following files will exist in this directory if a policy is attached to the application:
Here is an example of a clientPolicyAttachments.xml that shows a client attached to the ATwoWayUnt policy and is using the default bindings:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <psa:PolicySetAttachment xmlns:psa="http://www.ibm.com/xmlns/prod/websphere/200605/policysetattachment" xmlns:ps="http://www.ibm.com/xmlns/prod/websphere/200605/policyset"> <psa:PolicySetReference name="ATwoWayUnt" id="1806"> <psa:Resource pattern="WebService:/HelloSvcClient.war:{http://hsamples}HelloService"/> </psa:PolicySetReference> </psa:PolicySetAttachment> |
Here is an example of a clientPolicyAttachments.xml that shows a client that is attached to the "WSSecurity default" policy and is using a the myClientBinding application specific binding:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <psa:PolicySetAttachment xmlns:psa="http://www.ibm.com/xmlns/prod/websphere/200605/policysetattachment" xmlns:ps="http://www.ibm.com/xmlns/prod/websphere/200605/policyset"> <psa:PolicySetReference name="WSSecurity default" id="com.ibm.ast.ws.local.qos.policyset.id1"> <psa:PolicySetBinding name="myClientBinding"/> <psa:Resource pattern="WebService:/echoSvc.war{http://esamples}EchoService"/> </psa:PolicySetReference> </psa:PolicySetAttachment> |
Here is an example of a clientPolicyAttachments.xml that shows a client attached to the ATwoWayUnt policy and is using the "Client sample" general bindings:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <psa:PolicySetAttachment xmlns:psa="http://www.ibm.com/xmlns/prod/websphere/200605/policysetattachment" xmlns:ps="http://www.ibm.com/xmlns/prod/websphere/200605/policyset"> <psa:PolicySetReference name="ATwoWayUnt" id="1806"> <psa:PolicySetBinding scope="domain" name="Client sample"/> <psa:Resource pattern="WebService:/HelloSvcClient.war:{http://hsamples}HelloService"/> </psa:PolicySetReference> </psa:PolicySetAttachment> |
I attached WS-Security policy and bindings to my client application, but no Security headers are in my SOAP message
When no policy is in effect for a client application, no Security header will appear in the SOAP message. If the partner provider is secured, you will get a SOAPFault in response.- You think policy A should be attached, but it appears that policy B is in effect at runtime.
- You think that a policy is attached, but no policy appears to be in effect at runtime.
- If your application was deployed with an assembly tool, such as IBM® Rational® Application Developer for WebSphere® Software (RAD):
- Window > Show view > Servers
- In the Servers pane, right click on the server > Open
- On the right, expand 'Publishing settings for WebSphere Application Server'
- If it is currently set to 'Run server with resources within the workspace', do the following:
- Change the setting to 'Run server with resources on Server'
- Click File > Save
- After changing to 'Run server with resources on Server', you must uninstall, then re-install the application. Just doing a redeploy will not fix the issue. Do the following:
- In the Servers pane, right click on the server > Add and Remove...
- In the Configured section on the right, select your application
- Click Remove
- Click Finish
- In the Servers pane, right click on the server > Add and Remove...
- In the Available section on the left, select your applicaiton
- Click Add
- Click Finish
- You can now go back and reattach your policy and bindings to your application in the administrative console.
- If you already have 'Run server with resources on Server' set and you know that you installed the application after choosing this setting, proceed to the next section.
- If your application was not deployed with an assembly tool:
- In the administrative console, view the policy and bindings attachment for your application:
- For a provider navigate to Services > Service providers > (appName)
- For a client, navigate to Services > Service clients > (appName)
- Look at your attachment checkmarks on the panel and ensure that the attachments conform to this rule obtained from the Attaching a policy set to a service artifact topic in the Knowledge Center:
- Avoid trouble: Do not select all of the entries on the panel. The artifacts are Service, Endpoint and Operation. Only select the top-level parent of all artifacts that have the same attachment. For example, if all endpoints and operations are attached to the same endpoint, only select the Service entry. If you have more than one endpoint in your service, and the endpoints have different policies and all operations within each endpoint have the same policy, only select the parent endpoint for each set of operations that have the same policy attachment.
- If your attachments do not conform to the rules shown above, fix them, save the updates, restart your application and retest.
- If your attachments appear to conform, go back and view your attachments through the Applications path to see if you notice anything amiss there:
- Navigate to Applications > Application Types > WebSphere enterprise applications > (appName)
- Navigate the client or provider page:
- For a provider click Service provider policy sets and bindings
- For a client, click Service client policy sets and bindings
- If your issue is with a WS-Security policy, check the trace for a policy/binding load failure:
- Search for the string Exception caught in loadCustom()
- If you find that string in the trace, note the exception, for instance:
- Fix the error that is causing loadCustom to fail then retest.
- If none of the items above solve your problem, see the section titled How can I see what policy and bindings are attached to my application without the admin console? earlier in this document.
I attached WS-Security policy and bindings to my provider application, but the provider is acting as if there is no policy attached
When no WS-Security policy is in effect for a provider application, unsecured messages will pass without error and secured messages will result in a MustUnderstand failure:Must Understand check failed for headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security |
The policy or bindings that is in effect does not appear to be what is configured
You can use this troubleshooting procedure to troubleshoot the following problems:If you run into this condition and you have deployed your application with an an assembly tool, such as IBM® Rational® Application Developer for WebSphere® Software (RAD), the first thing that you should do is check to see if the publishing settings in your application server definition in RAD is set to 'Run server with resources on Server'. Do the following in your assembly tool: |
If your application was not deployed with an assembly tool, or you completed the assembly tool section above without relief, do the following: |
From a trace that was gathered using the WebSphere traditional WS-Security trace specification from MustGather: Web Services Security (WS-Security) problems with WebSphere Application Server, do the following:
|
Note:
This document uses the term WebSphere traditional to refer to WebSphere Application Server v9.0 traditional, WebSphere Application Server v8.5 full profile, WebSphere Application Server v8.0 and earlier, WebSphere classic, traditional WebSphere, traditional WAS and tWAS.
[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Web Services (for example: SOAP or UDDI or WSGW or WSIF)","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF013","label":"Inspur K-UX"}],"Version":"9.0;8.5;8.0","Edition":"Base;Network Deployment;Single Server","Line of Business":{"code":"LOB45","label":"Automation"}}]
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg22008834