How To Fix WSS021 - Message expired (&1 &2 &3 )

Certainly! Here's a detailed explanation for the SAP error message WSS021: Message expired (&1 &2 &3):

Error Message
WSS021: Message expired (&1 &2 &3)

Cause
This error occurs in the SAP Web Services Security (WS-Security) context. It indicates that a security token or message timestamp has expired. Specifically, the SOAP message or security token contains a timestamp that is outside the allowed validity period defined by the system's security policy.
Common causes include:

The client system's clock is not synchronized with the server's clock, causing the timestamp to appear expired.
The message was delayed in transit and arrived after the allowed validity period.
The validity period configured for the security token or message timestamp is too short.
Replay protection settings reject the message because the timestamp is considered old.


Explanation
In WS-Security, messages often include a timestamp to prevent replay attacks and ensure message freshness. SAP checks the timestamp against the current system time and a configured validity window. If the timestamp is older than the allowed window, SAP rejects the message with this error.

Solution


Check and synchronize system clocks:

Ensure that the client and server system clocks are synchronized, preferably using NTP (Network Time Protocol).
Time differences between client and server should be minimal (usually within a few minutes).



Adjust validity period settings:

Increase the allowed time window for message validity in the WS-Security configuration.
This can be done in the SAP system profile parameters or in the WS-Security policy settings.
Parameters to check include:

wssec:Timestamp/Expires element in the SOAP header.
SAP profile parameters like icm/keep_alive_timeout or specific WS-Security token validity settings.





Check message transmission delays:

Investigate network delays or middleware that might delay message delivery.
Ensure that messages are sent and received promptly.



Review replay protection settings:

If replay protection is enabled, verify that it is configured correctly.
Sometimes, disabling or relaxing replay protection temporarily can help identify the issue.



Check SAP Notes and documentation:

Look for SAP Notes related to WS-Security timestamp issues.
For example, SAP Note 1684840 or others related to WS-Security timestamp validation.




Related Information


WS-Security Timestamp:

The <wsu:Timestamp> element in the SOAP header contains <wsu:Created> and <wsu:Expires> timestamps. SAP validates these against the current time.


SAP Web Service Security Configuration:

The security policy defines how long a message is valid. Adjusting these policies can help.


SAP Notes and KBAs:

Search for SAP Notes with keywords like "WSS021", "Message expired", "WS-Security timestamp".


Transaction / Tools:  

Use transaction STRUST to manage certificates and security policies.
Use SOAMANAGER to configure web service security policies.




Summary



Aspect
Details




Cause
WS-Security message timestamp expired due to clock skew, short validity period, or delay


Solution
Synchronize clocks, increase validity period, check network delays, adjust replay protection


Related Info
WS-Security timestamp, SAP Notes, SOAMANAGER, STRUST, NTP synchronization




If you provide more context (e.g., which scenario or interface you are using), I can help tailor the solution further.