Troubleshooting
Resolving The Problem
Overview
This topic contains errors related to keystores, keys and certificates that are used in your WS-Security configuration. You may see these messages in SOAP response messages, SystemOut.log, SystemErr.log, FFDC or trace.log.
Some of the issues in this topic require a WS-Security trace to determine the root cause of the problem. The instructions to obtain a WS-Security trace are in the 'Collecting data manually' section of the Collect data tab. If a trace string different from the one on the Collect data tab is required for a specific problem, that trace string is noted in the steps to diagnose the problem. In most cases, it is best to obtain a WS-Security trace from application server startup.
CWWSS5003E: The c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks key store cannot be read because an IOException error occurred.: java.net.MalformedURLException: unknown protocol: c ocurred while running action
The keystore does not exist at the configured path. Because the path could not be opened as a file, the runtime parsed it as a URL, which is why the drive letter 'c' appears as an unknown protocol. Check the path as it is seen by the server that reports the error, including the expansion of any WebSphere variables (such as ${USER_INSTALL_ROOT}) used in it.
CWWSS5003E: The c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks key store cannot be read because an IOException error occurred.: java.io.IOException: Keystore was tampered with, or password was incorrect
The keystore password configured in the binding is incorrect, or the keystore file is corrupted or truncated. Verify the store password against the same file with keytool -list before changing the binding.
CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' keystore. The following exception occurred: java.security.UnrecoverableKeyException ocurred while running action:
The password may be incorrect for a private key. If it is, you will also see entries like the following in a WS-Security trace:
KeyStoreManag 3 UnrecoverableKeyException encountered. Key password is probably incorrect.
KeyStoreManag E CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' keystore. The following exception occurred: java.security.UnrecoverableKeyException: Cannot recover key
CWWSS5312E: The Application Server cannot retrieve the 'gateway-public' key from the '/apps/ki01/e8-was85-pt02/AppServer/etc/ShowcaseKeyStore-tpt.jks' keystore. The following exception occurred: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
[1/27/17 13:05:40:213 EDT] 000000d0 KeyStoreManag 3 There is no cached key information with the keystore [/opt/keys/keystore.jks] and the alias [my-public]. So a new key information is created.
[1/27/17 13:05:40:213 EDT] 000000d0 KeyStoreManag > createKeyInformation(KeyStore keyStore, String alias[my-public], char[] keyPassword[not null], String keyName[my-public])boolean isHWKeyStoreRef[false]) Entry
[1/27/17 13:05:40:261 EDT] 000000d0 KeyStoreManag E CWWSS5312E: The Application Server cannot retrieve the 'my-public' key from the '/opt/keys/keystore.jks' keystore. The following exception occurred: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
    at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:478)
    at java.security.KeyStore.getEntry(KeyStore.java:1314)
    at com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager.createKeyInformation(KeyStoreManager.java:568)
By far the most likely cause of this error is that you configured a public key where a private key is required. The alias you configured points at a trusted certificate entry (a certificate with no private key and therefore no key password), but the runtime asked for a password-protected key entry:
Private keys are required for Signature Generators and Encryption Consumers. For those, the configured alias must be a private key entry and its key password must be supplied in the callback handler.
CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' keystore. The following exception occurred: java.security.UnrecoverableEntryException: requested entry requires a password (JAX-WS)
KeyStoreManag E CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' keystore. The following exception occurred: java.security.UnrecoverableEntryException: requested entry requires a password
    at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:443)
    at java.security.KeyStore.getEntry(KeyStore.java:1241)
    at com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager.createKeyInformation(KeyStoreManager.java:459)
    at com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager.getKeyInformation(KeyStoreManager.java:384)
    at com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager.getKeyInformation(KeyStoreManager.java:326)
    at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.resolveKeyInfo(X509ConsumeLoginModule.java:479)
    at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.login(X509ConsumeLoginModule.java:234)
    at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:265)
    at com.ibm.ws.wssecurity.wssapi.CommonContentConsumer.invokeTokenConsumer(CommonContentConsumer.java:567)
    at com.ibm.ws.wssecurity.wssapi.CommonContentConsumer.getKey(CommonContentConsumer.java:270)
    at com.ibm.ws.wssecurity.keyinfo.KeyInfoConsumer.getKey(KeyInfoConsumer.java:190)
    at com.ibm.ws.wssecurity.dsig.SignatureConsumer.callKeyInfoConsumer(SignatureConsumer.java:1042)
    at com.ibm.ws.wssecurity.dsig.SignatureConsumer.invoke(SignatureConsumer.java:254)
For more information on where you must configure private keys vs public keys in the WS-Security bindings, see the Callback handler settings for JAX-WS topic in the Knowledge Center.
CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' keystore. The following exception occurred: java.lang.IllegalArgumentException: password can't be null (JAX-WS)
Same reason as the error above. Different JDK levels can produce different exception types with different text, but the meaning is the same: a trusted certificate entry was configured where a private key entry (with its key password) is required.
WSEC5184E: The key with alias "myKey" of keystore "c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks" cannot be recovered (the password could be wrong): java.security.UnrecoverableEntryException: requested entry requires a password (JAX-RPC)
Same reason as the error above, except that the stack will differ because it is the JAX-RPC runtime.
CWWSS6800E: The entry with alias 'anyKey' of keystore 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' cannot be found: entry=null
An alias is configured that does not exist in the keystore. Compare the configured alias with the aliases actually present in the file (for example with keytool -list), and check that the alias is configured on the intended keystore, since generator and consumer bindings may reference different keystores.
CWWSS7073E: The key is not retrieved.
A public key is configured where a private key is required. You may see something like this in a trace:
[1/25/16 15:34:36:976 CST] 00000068 WSSObjectComm 3 Signing key or encrypting key is null.
[1/25/16 15:34:36:976 CST] 00000068 WSSecurityGen E CWWSS5514E: An exception while processing WS-Security message: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS7073E: The key is not retrieved. The exception is:
    at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:59)
    at com.ibm.ws.wssecurity.wssapi.WSSObjectCommonContentGenerator.getKey(WSSObjectCommonContentGenerator.java:240)
    at com.ibm.ws.wssecurity.keyinfo.WSSObjectKeyInfoGenerator.getKey(WSSObjectKeyInfoGenerator.java:151)
CWWSS5003E: The c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks key store cannot be read because an IOException error occurred.: java.io.IOException: Invalid keystore format
The configured keystore type does not match the file, for example type JKS configured for a PKCS12 file or the reverse. Correct the type in the binding rather than converting the file unless the conversion is intended.
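The keystore errors above (missing file, wrong store password or type, missing alias, certificate entry where a private key is required, wrong key password) can all be reproduced outside the server with the plain JDK KeyStore API. The following pre-flight check is an added example, not code from the technote or from WebSphere; it takes the same values that go into the binding (path, type, store password, alias, key password) and reports which documented condition would fail. It assumes any WebSphere variables in the path have already been expanded, and it uses the rule stated above that Signature Generators and Encryption Consumers need a private key while the other two roles need only a certificate.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Offline pre-flight check for one WS-Security keystore/alias binding (added example).
 * Reproduces, with the JDK KeyStore API, the conditions behind CWWSS5003E,
 * CWWSS6800E, CWWSS5312E and CWWSS7073E.
 */
public class WsSecKeystoreCheck {

    public static void main(String[] args) {
        if (args.length < 5) {
            System.err.println("usage: WsSecKeystoreCheck <path> <JKS|PKCS12> <storePass> <alias> <keyPass> [private|public]");
            System.exit(2);
        }
        // Signature Generators and Encryption Consumers need a private key;
        // Signature Consumers and Encryption Generators need only a certificate.
        boolean needPrivate = args.length < 6 || "private".equals(args[5]);
        System.exit(check(args[0], args[1], args[2], args[3], args[4], needPrivate) ? 0 : 1);
    }

    static boolean check(String path, String type, String storePass, String alias,
                         String keyPass, boolean needPrivate) {
        // CWWSS5003E / MalformedURLException "unknown protocol: c": no file at the path.
        // Variables such as ${USER_INSTALL_ROOT} must already be expanded here (assumption).
        File file = new File(path);
        if (!file.isFile()) {
            System.out.println("FAIL keystore file not found: " + file.getAbsolutePath());
            return false;
        }
        KeyStore ks;
        try (InputStream in = new FileInputStream(file)) {
            ks = KeyStore.getInstance(type);
            ks.load(in, storePass.toCharArray());
        } catch (IOException e) {
            // "Keystore was tampered with, or password was incorrect": wrong store password.
            // "Invalid keystore format": the configured type does not match the file.
            System.out.println("FAIL cannot load keystore as " + type + ": " + e.getMessage());
            return false;
        } catch (GeneralSecurityException e) {
            System.out.println("FAIL cannot load keystore: " + e);
            return false;
        }
        try {
            // CWWSS6800E "entry=null": the alias is not in this keystore.
            if (!ks.containsAlias(alias)) {
                System.out.println("FAIL alias '" + alias + "' not found; aliases present: "
                        + Collections.list(ks.aliases()));
                return false;
            }
            if (needPrivate && !ks.isKeyEntry(alias)) {
                // CWWSS5312E "trusted certificate entries are not password-protected" and
                // CWWSS7073E: a certificate-only entry where a private key is required.
                System.out.println("FAIL alias '" + alias + "' is a trusted certificate entry; "
                        + "a private key entry is required for this role");
                return false;
            }
            if (needPrivate) {
                // CWWSS5312E / UnrecoverableKeyException: the key password is wrong.
                ks.getKey(alias, keyPass.toCharArray());
                System.out.println("OK private key '" + alias + "' recovered");
            }
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                x.checkValidity();   // reject expired or not-yet-valid certificates up front
                System.out.println("OK certificate subject: " + x.getSubjectX500Principal());
            }
            return true;
        } catch (UnrecoverableKeyException e) {
            System.out.println("FAIL key password for '" + alias + "' is incorrect: " + e.getMessage());
            return false;
        } catch (GeneralSecurityException e) {
            System.out.println("FAIL " + e);
            return false;
        }
    }
}
```

Run it with the exact strings from the binding (for example `java WsSecKeystoreCheck /opt/keys/keystore.jks JKS storepass my-public keypass private`); a FAIL line names the same condition the CWWSS message would report, so the binding can be corrected before the server is restarted.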
CWWSS6809E: The X509 certificate owned by CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP, which is created from the binary in the message is different from the X509 certificate owned by EMAILADDRESS=myx509root@us.ibm.com, CN=myx509root, OU=AIM, O=IBM, ST=TX, C=US, which is acquired from the keystore Path: g:\w\wl3wse\wssec\keys\myx509.ks.
The certificate configured in the X.509 token consumer differs from the one that was used to sign the message. Most likely you configured a certificate on the X.509 token consumer when you should not have. Configure a certificate on an X.509 token consumer only when you want to restrict that consumer to accepting a single certificate; otherwise leave it unset so that the certificate carried in the message is used and validated against the trust store.
CWWSS6811E: The key identifier QZOb+ZiiTuY= retrieved from the message is different from the key identifier iC3nl51GBjj0DnIxHQWiYhC3Xvw= acquired from the keystore Path: g:\w\wl3wse\wssec\keys\myx509.ks.
The message does not carry a copy of the certificate needed to verify the signature (for example as a BinarySecurityToken). When the certificate is not in the message, it is taken from the X.509 token consumer, and the message instead carries a KeyIdentifier that names the certificate used to sign. This error means the KeyIdentifier computed from the certificate configured on the X.509 token consumer does not match the one received in the message; they must match before the signature is verified. Confirm that the consumer's keystore alias points at the same certificate as the sender's signing certificate, not at an older or re-issued one.
CWWSS7315E: Caught an exception attempting to create default configuration objects. The following exception occurred: java.security.AccessControlException: Access denied (java.io.FilePermission c:\WebSphere\AppServer\profiles\fvtTest\etc\ws-security\samples\intca2.cer read)].
If you get an error like this, but you know that the file named in the message exists and is readable by the server process, the server's Java 2 security policy is denying the read. Either grant the application the java.io.FilePermission it needs in its was.policy (or in the profile's app.policy), or disable Java 2 security. Granting the specific permission is preferable: disabling Java 2 security removes the restriction for every application on the server, not just this one.
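As an added example (not from the technote), the following was.policy fragment grants only the read permission the message asks for, so Java 2 security can stay enabled. The codeBase and path are assumptions for illustration: ${application} and ${user.install.root} are WebSphere policy-file symbols, and ${/} is the Java policy-file path separator.

```text
// META-INF/was.policy inside the application EAR (assumed location)
grant codeBase "file:${application}" {
    permission java.io.FilePermission
        "${user.install.root}${/}etc${/}ws-security${/}samples${/}-", "read";
};
```

The trailing "-" grants read access to everything under the samples directory; narrow it to the single file (for example intca2.cer) if that is all the application needs.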
SAMLResponse could not be verified.com.ibm.wsspi.wssecurity.core.SoapSecurityException: Fail to decrypt EncryptedKey
The WS-Security runtime is used to validate SAML Assertions for the SAML Web Single Sign-on TAI component. When you get this error, check a WS-Security trace for this entry:
EncryptedData 3 Fail to decrypt EncryptedKey:null
If you find this, the sso_<id>.sp.keyName property for the decrypting key is not specified in the SAML TAI properties.
If you get a com.ibm.wsspi.wssecurity.core.SoapSecurityException: Fail to decrypt EncryptedKey error for a web service rather than for SAML Web SSO, also check the trace for EncryptedKey:null. If you find it, the key name in the callback handler of the token consumer associated with decryption (your inbound encryption part) has no value.
CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler
The certificate being validated is self-signed and is not in the configured trust store; add that certificate to the trust store. See the Trace analysis tab for information on how to debug this issue.
CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by EMAILADDRESS=test_it@us.ibm.com, CN=test_it, OU=AIM, O=IBM, ST=TX, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
The certificate being validated is not self-signed, and its issuer, or one of its subsequent issuers (the one shown in the message), is not in the configured trust store. Add the missing issuer certificates, up to and including the root, to the trust store. See the Trace analysis tab for information on how to debug this issue.
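Both the KeyIdentifier mismatch (CWWSS6811E) and the two CWWSS6521E trust failures above can be checked offline against the certificate and trust store in question. The following is an added example, not code from the technote or from WebSphere: it prints the two KeyIdentifier values defined by the WS-Security X.509 Token Profile (the SubjectKeyIdentifier extension value and the SHA-1 thumbprint, both base64) so they can be compared with the value in the message, and it builds a PKIX path from the certificate to the trust store with the JDK's CertPathBuilder, which is an approximation of the runtime's check. Which ValueType a given message uses, and whether revocation checking is configured, are not stated in the technote and are treated as assumptions here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;

/** Added example: KeyIdentifier values and trust-path check for one X.509 certificate. */
public class WsSecCertCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: WsSecCertCheck <cert.cer> <truststore> <JKS|PKCS12> <storePass>");
            System.exit(2);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trust = KeyStore.getInstance(args[2]);
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[3].toCharArray());
        }
        System.out.println("subject:                  " + cert.getSubjectX500Principal());
        System.out.println("X509SubjectKeyIdentifier: " + subjectKeyIdentifier(cert));
        System.out.println("ThumbprintSHA1:           " + thumbprintSha1(cert));
        System.out.println("trust path:               " + buildPath(cert, trust));
    }

    /** Value carried by a wsse:KeyIdentifier of ValueType ...#X509SubjectKeyIdentifier:
     *  the certificate's SubjectKeyIdentifier extension (OID 2.5.29.14), base64-encoded. */
    static String subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.14");
        if (ext == null) {
            return "(no SubjectKeyIdentifier extension)";
        }
        // getExtensionValue returns the extension's DER OCTET STRING; the SKI value is
        // itself an OCTET STRING inside it, so two headers are stripped.
        return Base64.getEncoder().encodeToString(stripOctetString(stripOctetString(ext)));
    }

    static byte[] stripOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("expected DER OCTET STRING");
        }
        int len = der[1] & 0xff;
        int off = 2;
        if (len > 0x7f) {                 // long-form length: 0x80|n, then n length bytes
            int n = len & 0x7f;
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (der[off + i] & 0xff);
            }
            off += n;
        }
        return Arrays.copyOfRange(der, off, off + len);
    }

    /** Value carried by a wsse:KeyIdentifier of ValueType ...#ThumbprintSHA1. */
    static String thumbprintSha1(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    /** PKIX path build against the trust store: the check behind CWWSS6521E. */
    static String buildPath(X509Certificate cert, KeyStore trustStore) {
        try {
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(cert);
            PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
            params.setRevocationEnabled(false);      // assumption: CRL/OCSP checking out of scope here
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Collections.singletonList(cert))));
            PKIXCertPathBuilderResult result =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            return "OK, anchored at " + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathBuilderException e) {
            // self-signed and absent from the trust store: "unable to find valid certification path"
            // issuer chain incomplete in the trust store:  "Certificate chaining error"
            return "FAIL " + e.getMessage();
        } catch (GeneralSecurityException e) {
            return "FAIL " + e;
        }
    }
}
```

For CWWSS6811E, compare the printed identifier with the one quoted in the message; if the consumer's configured certificate prints a different value, the wrong certificate (or the wrong generation of it) is in the consumer's keystore. For CWWSS6521E, a FAIL from buildPath names the first issuer that could not be found, which is the certificate to add to the trust store.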
Document Information
Modified date: 25 October 2019
UID: swg21972079