Securing Web Services
Troubleshooting Security Problems
This chapter provides information to help you identify causes of SOAP security problems in InterSystems IRIS. It discusses the following topics:
Information Needed for Troubleshooting
To troubleshoot SOAP problems, you typically need the following information:
This section discusses possible security-related errors in InterSystems IRIS web services and web clients:
If you have just generated the InterSystems IRIS web service or client, it might not yet be configured to recognize WS-Security headers. In this case, you receive a generic error like the following when you try to execute a web method:
Add the following to the web service or client and recompile it:
This generic error can also be caused by calling the web method incorrectly (for example, referring to a return value when the web method does not have one).
This item does not apply if you are using WS-Policy.
In other cases, you might receive the following security error when you try to execute a web method:
ERROR #6454: No supported policy alternative in configuration
The inbound message might have failed validation. If so, the SOAP log indicates this. For example:
08/05/2011 14:40:11 *********************
Input to Web client with SOAP action = http://www.myapp.org/XMLEncr.DivideWS.Divide
<?xml version='1.0' encoding='UTF-8' standalone='no' ?>
<faultstring>The security token could not be authenticated or authorized</faultstring>
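To find such entries in a larger SOAP log, the following added example (not InterSystems code) splits a log into entries at each timestamp line and reports every faultstring together with its SOAP action. The sample log is constructed in the layout of the excerpt above, and the function names are hypothetical.

```python
import html
import re
from collections import Counter

# Constructed sample in the layout of the excerpt above (not real server output).
SAMPLE_LOG = """\
08/05/2011 14:40:11 *********************
Input to Web client with SOAP action = http://www.myapp.org/XMLEncr.DivideWS.Divide
<?xml version='1.0' encoding='UTF-8' standalone='no' ?>
<SOAP-ENV:Envelope><SOAP-ENV:Body><SOAP-ENV:Fault>
<faultstring>The security token could not be authenticated or authorized</faultstring>
</SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
08/05/2011 14:41:02 *********************
Input to Web client with SOAP action = http://www.myapp.org/XMLEncr.DivideWS.Divide
<?xml version='1.0' encoding='UTF-8' standalone='no' ?>
<SOAP-ENV:Envelope><SOAP-ENV:Body><DivideResult>2</DivideResult></SOAP-ENV:Body></SOAP-ENV:Envelope>
"""

# An entry starts with "MM/DD/YYYY HH:MM:SS" followed by a run of asterisks.
ENTRY_START = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*+[ \t]*$", re.M)
ACTION = re.compile(r"^(.*?) with SOAP action = (\S+)", re.M)
FAULT = re.compile(r"<(?:\w+:)?faultstring[^>]*>(.*?)</(?:\w+:)?faultstring>", re.S)

def parse_entries(text):
    """Split the log into entries; extract timestamp, direction, action, fault."""
    marks = list(ENTRY_START.finditer(text))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        body = text[m.end():end]
        action = ACTION.search(body)
        fault = FAULT.search(body)
        entries.append({
            "timestamp": m.group(1),
            "direction": action.group(1).strip() if action else None,
            "action": action.group(2) if action else None,
            "fault": html.unescape(fault.group(1).strip()) if fault else None,
        })
    return entries

def fault_summary(entries):
    """Count faults per (SOAP action, faultstring) so repeated failures stand out."""
    return Counter((e["action"], e["fault"]) for e in entries if e["fault"])

if __name__ == "__main__":
    for (action, fault), n in fault_summary(parse_entries(SAMPLE_LOG)).items():
        print(f"{n}x {action}: {fault}")
```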
Items to Check in the Event of Security Errors
When you retrieve a stored InterSystems IRIS credential set, make sure that you type its name correctly.
Make sure that you are using the appropriate certificate.
If you are using it for encryption, you use the certificate of the entity to whom you are sending the message. Encryption uses the public key of this certificate.
If you are using it for signing, you use your own certificate, and you sign with the associated private key. In this case, make sure that you have loaded the private key and that you have correctly specified the password for the private key file.
Make sure that the certificates are signed by a certificate authority that is trusted by InterSystems IRIS.
In the case of an authentication failure, identify the user in the <UsernameToken>, and examine the roles to which that user belongs.