Making WSS4J work with WSE 2.0 and X509 tokens was quite easy, but after upgrading to WSE 3.0, things suddenly went bad. I kept getting error messages like "Illegal key size" and similar on the Java side. In this blog entry you will find a working configuration for WSE 3.0 and WSS4J.

Update 2007-10-18: Configuration for WSS4J client to WSE3.0 service available here.
Update 2008-04-19: I've added a new post on how to create your own certificates for use with WSE3.0 and WSS4J here: WSE and WSS4J: Issuing working certificates using Windows Certification Authority

Versions
The software I used was:
  • Wss4j 1.5.0 with Axis 1.4 running on jakarta-tomcat-4.1.27
  • VS2005.NET with WSE 3.0

Setup
I ran the web service on axis and the client on .NET. I used the alice and bob certificates supplied in the interop folder in the wss4j zip file. These are from a Gartner WSS interoperability show(?).

WSS4J configuration
Below are the important parts of the deployment .wsdd file for the web service. The test.PWCallback class is a simple class returning the password of the private key in the keystore. I used the same crypto.properties as the one supplied as wsstest.properties in the interop folder. As you can see, I have specified which algorithms to use for the session key and the encrypted session key (RSA15 and AES128).
<requestFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
<parameter name="passwordCallbackClass" value="test.PWCallback"/>
<parameter name="action" value="Signature Encrypt Timestamp"/>
<parameter name="signaturePropFile" value="crypto.properties" />
<parameter name="decryptionPropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="decryptionUser" value="alice" />
<parameter name="encryptionUser" value="alice" />
<parameter name="user" value="bob"/>
<parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="decryptionKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="signatureKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
</handler>
</requestFlow>

<responseFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
<parameter name="action" value="Signature Timestamp Encrypt"/>
<parameter name="passwordCallbackClass" value="test.PWCallback"/>
<parameter name="signaturePropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="signatureKeyIdentifier" value="DirectReference" />
<parameter name="encryptionKeyIdentifier" value="DirectReference" />
<parameter name="decryptionKeyIdentifier" value="DirectReference" />
<parameter name="encryptionUser" value="alice" />
<parameter name="decryptionUser" value="alice" />
<parameter name="user" value="bob"/>
<parameter name="signatureUser" value="alice" />
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<parameter name="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
</handler>
</responseFlow>

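The handlers above only name test.PWCallback, so here is an example of such a password callback written for this entry (it is not the class from the original setup). The alias-to-password map, the placeholder passwords and the usage check are my assumptions; WSS4J 1.5 calls the handler with a WSPasswordCallback whose identifier is the keystore alias it needs.

```java
package test;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback for the WSDoAllSender/WSDoAllReceiver handlers.
 * WSS4J hands over a WSPasswordCallback whose identifier is the keystore
 * alias it is about to use (signatureUser/user for signing, decryptionUser
 * for decryption) and expects the private key password in return.
 */
public class PWCallback implements CallbackHandler {

    // Alias -> private key password. The values are placeholders (assumed);
    // a real deployment reads them from protected configuration instead of
    // hard-coding them in the class.
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();
    static {
        KEY_PASSWORDS.put("alice", "ALICE_KEY_PASSWORD_PLACEHOLDER");
        KEY_PASSWORDS.put("bob", "BOB_KEY_PASSWORD_PLACEHOLDER");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

            // Only hand out a private key password for the two usages these
            // handlers need (Signature and Encrypt/decrypt). A UsernameToken
            // lookup is a different secret and is refused here on purpose.
            switch (pc.getUsage()) {
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    break;
                default:
                    throw new UnsupportedCallbackException(pc,
                            "Unexpected password usage " + pc.getUsage());
            }

            // getIdentifer() is the (misspelled) accessor in the WSS4J 1.5 API.
            String alias = pc.getIdentifer();
            String password = KEY_PASSWORDS.get(alias);
            if (password == null) {
                // Unknown alias: fail the handler instead of guessing a password.
                throw new UnsupportedCallbackException(pc, "No key password for alias " + alias);
            }
            pc.setPassword(password);
        }
    }
}
```

The same class serves both flows, since the receiver asks for the decryptionUser alias and the sender asks for the signatureUser alias.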

.NET configuration
You have to specify which key algorithms WSE should use in the app.config/web.config. The excerpt below is from the microsoft.web.services3 xml element in the app.config/web.config.
<tokenIssuer>
<statefulSecurityContextToken enabled="false" />
</tokenIssuer>
<security>
<binarySecurityTokenManager>
<add valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
<sessionKeyAlgorithm name="AES128" />
<keyAlgorithm name="RSA15" />
</add>
</binarySecurityTokenManager>
<x509 skiMode="ThumbprintSHA1" verifyTrust="false" />
<securityTokenManager>
<add localName="EncryptedKey" type="Microsoft.Web.Services3.Security.Tokens.EncryptedKeyTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="http://www.w3.org/2001/04/xmlenc#">
<keyAlgorithm name="AES128"/>
</add>
<add localName="DerivedKeyToken" type="Microsoft.Web.Services3.Security.Tokens.DerivedKeyTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="http://schemas.xmlsoap.org/ws/2005/02/sc">
<keyAlgorithm name="AES128"/>
</add>
<add localName="SecurityContextToken" type="Microsoft.Web.Services3.Security.Tokens.SecurityContextTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="http://schemas.xmlsoap.org/ws/2005/02/sc">
<keyAlgorithm name="AES128"/>
</add>

</securityTokenManager>
</security>

My policy file looked like this:
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
<extensions>
<extension name="mutualCertificate10Security" type="Microsoft.Web.Services3.Design.MutualCertificate10Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="x509">
<mutualCertificate10Security establishSecurityContext="false" renewExpiredSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
<clientToken>
<x509 storeLocation="LocalMachine" storeName="My" findValue="CN=Alice, OU=OASIS Interop Test Cert, O=OASIS" findType="FindBySubjectDistinguishedName" />
</clientToken>
<serviceToken>
<x509 storeLocation="LocalMachine" storeName="My" findValue="CN=Bob, OU=OASIS Interop Test Cert, O=OASIS" findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="" encryptBody="false" />
</protection>
</mutualCertificate10Security>
<requireActionHeader />
</policy>
</policies>

As you can see, I have used mutualCertificate10Security, and not the mutualCertificate11Security that the WSE 3.0 policy configurator suggests automatically. I had to do this to make it work.
Matt

How to generate cert?

I know we can use makecert.exe to create a test cert, but what to use in production?
Do you generate a request for an authority somewhere (Verisign? Windows Certificate Manager?)
What kind of cert is to be used?

Thanks,
Matt Meyer
Erlend

Re: How to generate cert?

For this test I used the certificates bundled with WSS4J. I guess you can use Windows Certificate Manager as long as you manage to use the certificates with java keystores. OpenSSL would be another alternative.
Vijay Pandey

Help to use wss4j for userNameforCertificate policy

hello
I have a user name for certificate policy in web service and I need to build a java client using wss4j.

My .Net policy looks like
<policy name="STEPPolicySignBeforeEncryptAndEncryptSignature">
<compressionAssertion compressionMode="GZip" threshold="0"/>
<usernameForCertificateSecurity establishSecurityContext="false" renewExpiredSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature" requireDerivedKeys="true" ttlInSeconds="300">
<serviceToken>
<x509 storeLocation="CurrentUser" storeName="My" findValue="CN=STepCertficate" findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
</protection>
</usernameForCertificateSecurity>
<requireActionHeader />
</policy>

Can you please tell me how to generate corresponding policy with wss4j and steps that I should follow to talk to wse 3.0 client using wss4j
Erlend

Re: Help to use wss4j for userNameforCertificate policy

I don't know if there is any way to generate such a policy. You will probably have to write one yourself. I would start off with my policies, get that up and running, and then try to migrate that policy into yours one step at a time, while keeping it working. The first thing you need to do is to find a way to create a certificate that can be used with both WSS4J and WSE 3.0. If you find a good solution, please let me know.
Vijay Pandey

Can you

Hello Erlend

Can you send your example of the PWCallback class with some comments, like which key you need to insert into the SOAP header? I have been able to export certificates from the Windows keystore used by WSE 3.0 to a Java keystore using keyTool.exe, available in the bin folder of the Java SDK. So basically I have been able to set up the certificates, but if you can send me the PWCallback class you used for your Java client and the client policy file (*.wssdd file) of your client, it would be very helpful to me.

You can send me at vijaypandeyait@gmail.com I will surely update you about procedure if I am able to do it.

Thanks Erlend
José Ferreiro

WSS4J work with WSE

Hello Erlend,

You wrote in your message "Making WSS4J work with WSE 2.0 and X509 tokens were quite easy".

I will now start to write a .NET client which has to connect to a secure web service written in Java (Axis 1.4 and WSS4J 1.5, Tomcat 5.0.28). The secure Java client is working (signing and encrypting the SOAP body message). I generated the keys and certificates using the keytool from Java (jks format). I also set up my own CA with OpenSSL.

Well I have a fully secured web service working in Java using the signature and encryption (client side and server side).

I would like now to develop a secure .net client using the same mechanism, that is to say signing the messages and encrypting them to access the secure service in Java.

May I ask you the following questions? ("Making WSS4J work with WSE 2.0 and X509 tokens were quite easy")

Is this possible to do using .NET 1.1 and WSE 2.0?
If yes, where do you advise starting to read and looking for first examples?
Or do you recommend another configuration?

Which solution would you choose if you were in my place, developing a secure .NET client accessing the secure web service written in Java Axis as explained before?

I would appreciate your answer very much.

Kind regards from Switzerland.
Thank you Erlend.


Doug

Errors in WSS4J configuration?

There are a bunch of things that look wrong in the WSS4J configuration.


<requestFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
Shouldn't this be WSDoAllSender?
<parameter name="passwordCallbackClass" value="test.PWCallback"/>
<parameter name="action" value="Signature Encrypt Timestamp"/>
<parameter name="signaturePropFile" value="crypto.properties" />
<parameter name="decryptionPropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="decryptionUser" value="alice" />
Shouldn't the encrypt user and decrypt user be different for public key operations?
<parameter name="encryptionUser" value="alice" />
<parameter name="user" value="bob"/>
<parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="decryptionKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="signatureKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
</handler>
</requestFlow>
<responseFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
Shouldn't this be WSDoAllReceiver?
<parameter name="action" value="Signature Timestamp Encrypt"/>
<parameter name="passwordCallbackClass" value="test.PWCallback"/>
<parameter name="signaturePropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
Did you mean to make one of these the decryptionPropFile?
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="signatureKeyIdentifier" value="DirectReference" />
<parameter name="encryptionKeyIdentifier" value="DirectReference" />
<parameter name="decryptionKeyIdentifier" value="DirectReference" />
<parameter name="encryptionUser" value="alice" />
Again, shouldn't encrypt and decrypt be different?
<parameter name="decryptionUser" value="alice" />
<parameter name="user" value="bob"/>
<parameter name="signatureUser" value="alice" />
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<parameter name="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
</handler>
</responseFlow>

I haven't tested this, but if bob is your client and alice is your server I would think it should be:
request:
bob - signatureUser
alice - encryptUser

response:
alice - signatureUser
bob- encryptUser
Erlend

RE: WSS4J work with WSE

I think you should just start by installing WSE 2.0 in Visual Studio and opening up the WSE properties for your project. The wizard there is quite easy to follow.
Erlend

RE: Errors in WSS4J configuration?

Yes, I guess there are some things that are wrong. However they don't matter much as these settings are probably not used. I did not have time to filter the configuration for unneeded entries when writing this blog entry. The main thing is that this configuration works.
Thank you for the comment though.
Doug

WSE2.0?

Interesting so it works with those config files.

You mentioned that you had WSE 2.0 and wss4j working.
I'm having trouble with that scenario. I can get a signed and encrypted request from an Axis 1.4/wss4j client to be accepted by an ASP.NET/WSE2.0 SP3 service. However, if I try to sign and/or encrypt the response it fails.

Encrypting the response fails in the WSE policy with a "Could not find a security token.". It should be trying to use the certificate that was sent in the request, but it seems to be failing to find it even though it successfully used it to verify the signature.

Signing the response fails in the validation on the Axis/wss4j side:
- Verification successful for URI "#Timestamp..."
- Verification successful for URI "#Id..."
Exception in thread "main" org.apache.ws.security.WSSecurityException: WSHandler: Check Signature confirmation: stored SV vector not empty
at org.apache.handler.WSHandler.checkSignatureConfirmation
(WSHandler.java:318)

Did you sign/encrypt the request and response with WSE2.0? If so did you have any such problems or have any idea how to fix them?

Thanks!
LukasJ

example files

I'm trying to run this configuration
axis1 client
wse3 server
Signing is running, but encryption doesn't work due to
WSE590: Failed to resolve the following Key Info on the wse3 side
When I run wse3 client all is fine, the xml is almost similar.

wse3
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=Server1</X509IssuerName>
<X509SerialNumber>1160551545</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</wsse:SecurityTokenReference>
</KeyInfo>
wss4j
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=Server1</ds:X509IssuerName>
<ds:X509SerialNumber>1160551545</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>

I found
http://support.microsoft.com/kb/922779
but it didn't help me.
Any suggestion? Thanks in advance.
Erlend

Re: example files

I had a similar issue once. Maybe it does not find your certificates when doing the decryption. Try installing all certificates in the Local_machine certificate store, and in your web.config under <Microsoft.web.services3> <Security> try setting the x509 element to <x509 storeLocation="LocalMachine" skiMode="ThumbprintSHA1" />
Erlend

Re: WSE2.0?

It's hard to say, as I don't have my WSE2.0 environment any more. But I can give you a few pointers:
Check that the same elements are included, signed and encrypted for response and request (timestamps etc.). Check that you are using the same certificate identifier. Check that you are signing and encrypting in the same order as in Axis.
LukasJ

example files

I did it in the end with the following configuration. I used certs generated by keytool; I didn't notice that these have version 1.
Config snippets follows:

WSE3 config

<security>
<binarySecurityTokenManager>
<add valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
<sessionKeyAlgorithm name="AES128" />
<keyAlgorithm name="RSA15" />
</add>
</binarySecurityTokenManager>
<x509 skiMode="ThumbprintSHA1" allowTestRoot="true" verifyTrust="false" />
<!--<x509 allowTestRoot="true" verifyTrust="false" />-->
<securityTokenManager>
<add type="Microsoft.Web.Services3.Security.Tokens.EncryptedKeyTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="http://www.w3.org/2001/04/xmlenc#" localName="EncryptedKey">
<keyAlgorithm name="AES128" />
</add>
<add type="Microsoft.Web.Services3.Security.Tokens.DerivedKeyTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="http://schemas.xmlsoap.org/ws/2005/02/sc" localName="DerivedKeyToken">
<keyAlgorithm name="AES128" />
</add>
<add type="Microsoft.Web.Services3.Security.Tokens.SecurityContextTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="http://schemas.xmlsoap.org/ws/2005/02/sc" localName="SecurityContextToken">
<keyAlgorithm name="AES128" />
</add>
</securityTokenManager>
</security>


<mutualCertificate10Security establishSecurityContext="false" renewExpiredSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
<serviceToken>
<x509 storeLocation="LocalMachine" storeName="My" findValue="CN=Bob, OU=OASIS Interop Test Cert, O=OASIS" findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="" encryptBody="false" />
</protection>
</mutualCertificate10Security>
<requireActionHeader />


wss4j

<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
<globalConfiguration>
<parameter name="adminPassword" value="admin"/>
<parameter name="enableNamespacePrefixOptimization" value="false"/>
<parameter name="disablePrettyXML" value="true"/>
<parameter name="sendMultiRefs" value="true"/>
<parameter name="sendXsiTypes" value="true"/>
<parameter name="attachments.implementation" value="org.apache.axis.attachments.AttachmentsImpl"/>
<parameter name="sendXMLDeclaration" value="true"/>

<requestFlow>

<handler type="java:org.apache.axis.message.addressing.handler.AddressingHandler"/>
<!-- <handler type="java:org.apache.axis.message.addressing.handler.AddressingHandler">
<parameter name="referencePropertyNames" value="{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}ReplyTo;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}MessageID"/>
</handler>-->


<handler type="java:org.apache.ws.axis.security.WSDoAllSender" >

<parameter name="passwordCallbackClass" value="cz.monetplus.test_interoperability.PWCallback"/>

<parameter name="action" value="Timestamp Signature Encrypt"/>

<parameter name="signaturePropFile" value="sec.properties" />
<parameter name="user" value="myclient1"/>
<parameter name="signatureUser" value="myclient1"/>
<parameter name="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
<!-- <parameter name="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}MessageID;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}Action;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}From" />-->
<parameter name="signatureKeyIdentifier" value="DirectReference" />

<parameter name="precisionInMilliseconds" value="false" />

<parameter name="encryptionPropFile" value="sec.properties" />
<parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier"/>
<parameter name="encryptionUser" value="myserver1" />
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<parameter name="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<parameter name="enableSignatureConfirmation" value="false" />
</handler>

</requestFlow>

<responseFlow>

<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
<parameter name="action" value="Signature Encrypt Timestamp"/>
<parameter name="passwordCallbackClass" value="cz.monetplus.test_interoperability.PWCallback"/>
<parameter name="enableSignatureConfirmation" value="false" />
<parameter name="signaturePropFile" value="sec.properties" />
</handler>

<handler type="java:org.apache.axis.message.addressing.handler.AddressingHandler"/>
<!-- <parameter name="referencePropertyNames" value="{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}MessageID;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}Action;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}RelatesTo"/>
</handler>-->

</responseFlow>
</globalConfiguration >
</deployment>
LukasJ

Axis2 WSE3

Has anybody tried interoperability between Axis2 and WSE3? I tried it before trying wse3-axis cooperation, but I ended up not knowing how to set enableNamespacePrefixOptimization in Axis2. Can anybody help?
MPollmeier
Hi there,

thanks for this article and other comments, but I had to try very hard to finally get things working. My question is: why do I have to use <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier> ?
If I use DirectReference, as mentioned everywhere, WSE complains. Here is the exception; sorry for the German info texts, it's the Microsoft style :(

------------------------------------

Unhandled Exception: Microsoft.Web.Services3.ResponseProcessingException: WSE910: An error happened during the processing of a response message, and you can find the error in the inner exception. You can also find the response message in the Response property. ---> System.Security.Cryptography.CryptographicException: WSE600: Unable to unwrap a symmetric key using the private key of an X.509 certificate. Please check if the account 'MP\Michael' has permissions to read the private key of certificate with subject name 'CN=Alice, OU=OASIS Interop Test Cert, O=OASIS' and thumbprint '6E0E88F36EBB8744D470F62F604D03EA4EBE5094'. ---> System.Security.Cryptography.CryptographicException: WSE593: Unable to decrypt the key. Please check if the process has the right permission to access the private key. ---> System.Security.Cryptography.CryptographicException: Ungültiger Schlüssel

----------------------------------

If someone else has the same problems, here are the important parts of my Axis2 services.xml:

<parameter name="InflowSecurity">
<action>
<items>Signature Encrypt Timestamp</items>
<passwordCallbackClass>test.PWCallback</passwordCallbackClass>
<signaturePropFile>reverseTest1ServerSecurity.properties</signaturePropFile>
<decryptionPropFile>reverseTest1ServerSecurity.properties</decryptionPropFile>
<enableSignatureConfirmation>false</enableSignatureConfirmation>
<!--
<encryptionSymAlgorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</encryptionSymAlgorithm>
-->
</action>
</parameter>

<parameter name="OutflowSecurity">
<action>
<items>Signature Encrypt Timestamp</items>
<!-- <user>81b07c40-6c12-434a-bc76-d26b03b2a746</user>
<encryptionUser>MP Client dotNet</encryptionUser>-->
<user>bob</user>
<encryptionUser>alice</encryptionUser>
<passwordCallbackClass>test.PWCallback</passwordCallbackClass>
<signaturePropFile>reverseTest1ServerSecurity.properties</signaturePropFile>
<encryptionPropFile>reverseTest1ServerSecurity.properties</encryptionPropFile>
<enableSignatureConfirmation>false</enableSignatureConfirmation>
<signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
<encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
<!--
<encryptionSymAlgorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</encryptionSymAlgorithm>
<encryptionKeyTransportAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-1_5</encryptionKeyTransportAlgorithm>
-->
</action>
</parameter>


----------------------------------

And the used WSE 3.0 policy:

<policy name="x509">
<mutualCertificate10Security establishSecurityContext="false" renewExpiredSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
<clientToken>
<x509 storeLocation="CurrentUser" storeName="My" findValue="CN=Alice, OU=OASIS Interop Test Cert, O=OASIS" findType="FindBySubjectDistinguishedName" />
</clientToken>
<serviceToken>
<x509 storeLocation="CurrentUser" storeName="My" findValue="CN=Bob, OU=OASIS Interop Test Cert, O=OASIS" findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="" encryptBody="false" />
</protection>
</mutualCertificate10Security>
<requireActionHeader />
</policy>
Erlend

RE: MPollmeier

You can try to set the permissions for the private key. Use winhttpcertcfg.exe which is included with WSE:
winhttpcertcfg -g -c LOCAL_MACHINE\My -s Alice -a MP\Michael

Please, let me know if that works for you.
MPollmeier

RE: RE: MPollmeier

Thanks for your reply, but winhttpcertcfg complains:
Error: Unable to find or obtain a context for requested certificate

However, I don't think that this is the problem. I used WseCertificate3 to ensure that I have all permissions for the certificate's file.
The fact of the matter is that the WSE client SIGNED and encrypted the request, and wss4j verified all of it. The error says that WSE cannot DECRYPT the response. For both cases it needs its private key, of course. So as the client can sign the request, I am quite sure that the user has all the permissions it needs...

As mentioned, I solved the problem by using SKIKeyIdentifier for the response's encryptionKeyIdentifier. I am just interested in why WSE acts like this...
Ferreiro

c# client

Hello,

I successfully developed the .NET client accessing the Java web service.
I am now trying to implement WSE 3.0, but I am finding difficulties.

I successfully generated the proxy using the wsdl.exe tool,
but I don't know how to add the policy and all the other things in the client code.

I also successfully have my X509 certificate installed in Windows.

Erlend could you give me some guidelines to continue?
Thank you in advance

Erlend

Re: C# client

Enable WSE 3.0 for your project by right clicking and checking "Enable this project for Web Services enhancements" and "Enable microsoft web services enhancement soap factory protocol", and then clicking OK.
Add a web reference to your web service by right clicking your project, selecting "Add web reference...", entering your wsdl Url, and entering a sensible name in the "Web reference name"-box (as an example consider Erlend.Services). This will create the soap client, and it will be accessible as [i]ProjectNamespace[/i].Erlend.Services.[i]ServiceName[/i] (italic parts are placeholders).
If WSE was enabled the service will also be available as [i]ProjectNamespace[/i].Erlend.Services.[i]ServiceName[/i]Wse, and this decorated serviceclient contains a method called SetPolicy(String) which you can use to set the policy the client should use.
anonymous
Hello Erlend,
Thank you so much.
I succeeded in generating the proxy class using
Everything works fine without WSE 3.0. (This is for your information.)

When I enable WSE 3.0 and add the policy file to be handled, the C# client finds the policy as expected.

But it fails to load the X509 certificate. Basically this line causes the problem, in relation to the storeLocation and findValue.

<serviceToken> <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=Bob, OU=OASIS Interop Test Cert, O=OASIS" findType="FindBySubjectDistinguishedName" /> </serviceToken>


Well I generate my own certificates and export them to PKCS12 (portable format - file extension is [i].pfx[/i])

I successfully import them in the windows store.
I am also able to see them (a certificate for the client with private and public key, public key for the server certificate) with the WSE 3.0 Certificate TOOL.
There everything seems fine.

They are stored under the store Current User / Personal.

The problem is that the C# client cannot find the certificate.

I have some thing like this:


<serviceToken> <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=TIR Secretariat" findType="FindBySubjectDistinguishedName" /> </serviceToken>

and it fails here.
I also gave read rights to the current user logged in windows and ASPNET user for the folder where the RSA keys are stored.

Well, I would like to ask you if you may tell me more about your store. Where do you see your certificates in the store?

I don't know why I cannot load the certificates...

I would appreciate your help very much!

Kind regards.
José
Erlend

Re:

As I understand from your description of your generated certificate, you know how to change storeLocation and storeName to address the certificate. You can use mmc.exe with the "certificates" snap-in to verify the location of your certificates. To actually set permissions on the private key of the certificate, I suggest you use the winhttpcertcfg.exe tool available in the samples folder of WSE. It's pretty easy to understand if you look at the command line options. You can also try to set storeLocation on the <x509> element under <microsoft.web.services3> in your web.config.
Ferreiro

Java Keystore

Hello Erlend,
I completed all the steps to have a .net client using wse 3.0 to access a axis 1.4 + wss4j server.

Without security everything is working fine.
I added the security in the .net and java side.

Actually I am able to send a soap message from .net to Java server.
The trace of the corresponding .NET SOAP message shows that the .NET client used the same algorithms for encoding, etc., etc...

But the java server when it receives a request it cannot process it and displays the following error.


<ns2:stackTrace xmlns:ns2="http://xml.apache.org/axis/">Server Error at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:474) at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281) at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699) at javax.servlet.http.HttpServlet.service(HttpServlet.java:709) at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327) at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684) at java.lang.Thread.run(Thread.java:595)</ns2:stackTrace>


I am thinking that the server cannot assimilate the keys.

Currently, I generated the keys on the java side with keytool.
I exported the key of the client to the pfx format and stored it successfully in Windows. I am also able to sign the message, as I am able to send a soap message from the client.

Then my java store is in jks format and the windows key store is pfx. I am doubting if this is the source of the error.

May I ask you what your java keystore configuration is?
Is it in pfx or in jks format?

Thank you for your answer.
I am nearly at the end!!!


Erlend

Re: Java Keystore

You may be right. It may have to do with the keys and identification. Try looking at what type of key identification (skiMode) and which hashing algorithm is used to generate the identifier of the keys in the keystore.
Ferreiro

MustUnderstand

Hello Erlend,

Well,

I checked your hint and I think I have no problem there. Keys are SHA1RSA, so I think it is ok.

I found some exception in the handlers (WSS4J).

Now I have this exception.

Although I tried all the handlers in this blog, I couldn't find a configuration that works. I am wondering where the problem may come from.

I don't think it is related to the keys, and I don't think it is related to the message built in .net.

I guess the server doesn't like the packet from the server for some reason, but I don't know why.

Here is the trace of the mistake:

<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><soapenv:Fault><faultcode>soapenv:MustUnderstand</faultcode><faultstring>Did not understand &quot;MustUnderstand&quot; header(s):{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring><detail><ns1:stackTrace xmlns:ns1="http://xml.apache.org/axis/">
at org.apache.axis.handlers.soap.MustUnderstandChecker.invoke(MustUnderstandChecker.java:96)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:454)
at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
</ns1:stackTrace><ns2:hostname xmlns:ns2="http://xml.apache.org/axis/">JF-trewd</ns2:hostname></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>


and the key part is this:

<faultcode>soapenv:MustUnderstand</faultcode>

I strongly think it is related with the signature part in the soap or similar...

Do you have an idea Erlend?
Erlend

Re: MustUnderstand

Well, it's hard to tell and I can't access my solution right now. What kind of style are you using in your wsdd? The service should use the following when communicating with .NET:
provider="java:RPC" style="wrapped" use="literal"
tom
I had a very tough time solving the same problem, the solution was to select the correct store location in the security tab in the WSE3 settings dialog.
Ferreiro

MustUnderstand

Hello Tom,

I am also spending a lot of time on this and I am so near... :-(
I mean with the MustUnderstand fault. It is still not working.
Could you send me your configuration settings in the Axis server side deploy.wsdd?
And also the policy and web.config.

Although I understand the configurations very well, I would like to see which
one you used. This will help me.

My e-mail is jose.ferreiro[AT]gmail.com

Thank you in advance.

ERLEND
------

provider="java:RPC" style="wrapped" use="literal"
I don't think the mistake comes from here, as the .net client is properly communicating
with the java server when no security is applied to the soap envelope.
Thank you for your suggestion.
Erlend

Re: MustUnderstand

Have you tried to use the .NET policy exactly as described in my original post (compared the XML)? Check the <protection>-element and all attributes. I just tried it here, and it works fine on my setup.
Are you using the same versions of Axis and WSS4J as I was using or are you using newer versions?
Ferreiro

Re: MustUnderstand

I am a bit busy now writing documents.
I will try again and let you know (because I really want the interop between .net and java) and give you the feedback.

I think I will try to do with the keys of Bob and ALICE.
Like your example exactly the same.

Thank you for all your support.

Ferreiro

MustUnderstand

hello erlend.

Would you agree to send me your projects (.net client and java (with wss4j+axis jars) + the certificates you used), so that everything is strictly the same as your test?
I could also download them from an ftp server.

My e-mail is jose.ferreiro[AT]gmail.com

This would be great.
Thank you and kind regards
Rasmus

wss4j version problem

I'm trying to call WSE 3.0 from AXIS2, and have the following problem:

AXIS2 (or WSS4J-1.5.1) uses this namespace value to identify Thumbprint:
http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.0#ThumbprintSHA1

WSE 3.0 expects this namespace value:
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1

The result is that I get the following error (sorry for the long line):
Microsoft.Web.Services3.Security.SecurityFault: Referenced security token could not be retrieved ---> System.Exception: WSE590: Failed to resolve the following Key Info <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.0#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Dr4NgDubJCiGQhVauoDNPa/Vx7A=</wsse:KeyIdentifier></wsse:SecurityTokenReference></KeyInfo>.


Does anyone have the same problem and perhaps a solution to it?
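Both failure modes in this thread can be checked on a captured envelope before changing any handler configuration: Axis raising soapenv:MustUnderstand because a mustUnderstand="1" wsse:Security header reached a service with no security handler, and WSE 3.0 raising WSE590 because the KeyIdentifier ValueType carries the 2004/xx draft ThumbprintSHA1 URI instead of the WS-Security 1.1 one. The script below is an added example, not code from this blog, WSS4J or WSE; the envelope and the certificate bytes are constructed, and the URIs are the ones quoted above.

```python
"""Inspect the WS-Security header of a SOAP 1.1 envelope: list the header
blocks the receiver must understand and classify wsse:KeyIdentifier
references against the certificate the receiver actually holds."""
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"

# ThumbprintSHA1 ValueType URIs as quoted in the thread: the first is what
# WSS4J 1.5.1 emits, the second is what WSE 3.0 expects (WS-Security 1.1).
THUMBPRINT_WSS4J_151 = ("http://docs.oasis-open.org/wss/2004/xx/"
                        "oasis-2004xx-wss-soap-message-security-1.0#ThumbprintSHA1")
THUMBPRINT_WSS11 = ("http://docs.oasis-open.org/wss/"
                    "oasis-wss-soap-message-security-1.1#ThumbprintSHA1")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def _split_tag(tag):
    """'{ns}local' -> (ns, local); a tag without a namespace gives ('', local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def must_understand_headers(envelope_xml):
    """Return (namespace, localname) of every header block flagged
    mustUnderstand. If {WSSE}Security is in the list and no WSS4J handler is
    deployed for the service, Axis answers with the MustUnderstand fault."""
    root = ET.fromstring(envelope_xml)
    header = root.find("{%s}Header" % SOAP11)
    if header is None:
        return []
    return [_split_tag(h.tag) for h in header
            if h.get("{%s}mustUnderstand" % SOAP11) in ("1", "true")]


def key_identifiers(envelope_xml):
    """Collect every wsse:KeyIdentifier that sits under a ds:KeyInfo."""
    root = ET.fromstring(envelope_xml)
    found = []
    for keyinfo in root.iter("{%s}KeyInfo" % DS):
        for kid in keyinfo.iter("{%s}KeyIdentifier" % WSSE):
            found.append({
                "value_type": kid.get("ValueType", ""),
                "encoding_type": kid.get("EncodingType", ""),
                "value": (kid.text or "").strip(),
            })
    return found


def sha1_thumbprint_b64(cert_der):
    """ThumbprintSHA1 is the SHA-1 of the certificate's DER bytes, base64."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def check_thumbprint_reference(key_id, cert_der):
    """Classify one KeyIdentifier against the certificate the receiver holds."""
    vt = key_id["value_type"]
    if vt == THUMBPRINT_WSS4J_151:
        return "draft-namespace"      # WSE 3.0 cannot resolve this (WSE590)
    if vt != THUMBPRINT_WSS11:
        return "not-a-thumbprint"     # e.g. an X509v3 or SKI reference
    if key_id["encoding_type"] != BASE64_BINARY:
        return "unexpected-encoding"
    expected = sha1_thumbprint_b64(cert_der)
    return "match" if key_id["value"] == expected else "mismatch"


# Constructed sample data (not from a real exchange): a stand-in DER blob and
# an envelope shaped like the KeyInfo quoted in the WSE590 error above.
FAKE_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def sample_envelope(value_type, thumbprint):
    return (
        '<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header>'
        '<wsse:Security xmlns:wsse="%s" soapenv:mustUnderstand="1">'
        '<KeyInfo xmlns="%s"><wsse:SecurityTokenReference>'
        '<wsse:KeyIdentifier ValueType="%s" EncodingType="%s">%s'
        '</wsse:KeyIdentifier></wsse:SecurityTokenReference></KeyInfo>'
        '</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
        % (SOAP11, WSSE, DS, value_type, BASE64_BINARY, thumbprint)
    )


if __name__ == "__main__":
    env = sample_envelope(THUMBPRINT_WSS4J_151, sha1_thumbprint_b64(FAKE_CERT_DER))
    print("mustUnderstand headers:", must_understand_headers(env))
    for kid in key_identifiers(env):
        print(kid["value_type"], "->", check_thumbprint_reference(kid, FAKE_CERT_DER))
```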
David

WSS4J Client and .NET 2.0 Service

Hi all.

I'm trying to develop a service using .NET 2.0 and WSE 3.0 with Certificates and connect to that service using a Java client enabled with WSS4J 1.5.1 and Axis 1.4. Unfortunately, whenever I run my client I receive an AxisFault: "WSDoAllReceiver: Request does not contain required Security header." What follows is my entire process to get to where I am. If anyone has any more suggestions for me I would [i]really[/i] appreciate them.

Here's my situation with the certificates. I have generated two certs using makecert.exe and they are viewable with certmgr.msc (storeLocation=LocalMachine, storeName=My). One is the client certificate, and the other is the server certificate (aliased as "client" and "server," respectively).

I needed to register these certs in a Java keystore. I chose to use the wss4j.keystore. I exported the client and server certificates to .cer (Base-64 Encoded) files and ran keytool.exe with the following parameters for each of them:


"%JAVA_HOME%\bin\keytool" -import -alias server -file WSE2QuickStartServer.cer -keystore "D:\Program Files\Apache Software Foundation\wss4j\keys\wss4j.keystore" -storepass security

"%JAVA_HOME%\bin\keytool" -import -alias client -file WSE2QuickStartClient.cer -keystore "D:\Program Files\Apache Software Foundation\wss4j\keys\wss4j.keystore" -storepass security


This successfully registered them in the wss4j.keystore as "trustedCertEntry" entries. Next I wrote the wsdd file and the properties file along with it.

CURRENT WSDD FILE
==================================================
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<transport name="http"
pivot="java:org.apache.axis.transport.http.HTTPSender"/>
<globalConfiguration>
<requestFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
<parameter name="passwordCallbackClass" value="TEST.Test"/>
<parameter name="action" value="Signature Encrypt Timestamp"/>
<parameter name="signaturePropFile" value="crypto.properties" />
<parameter name="decryptionPropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="decryptionUser" value="server" />
<parameter name="encryptionUser" value="client" />
<parameter name="user" value="server"/>
<parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="decryptionKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="signatureKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
</handler>
</requestFlow>
<responseFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
<parameter name="action" value="Signature Timestamp Encrypt"/>
<parameter name="passwordCallbackClass" value="TEST.Test"/>
<parameter name="signaturePropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="signatureKeyIdentifier" value="SKIKeyIdentifier" />
<parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier" />
<parameter name="decryptionKeyIdentifier" value="SKIKeyIdentifier" />
<parameter name="encryptionUser" value="server" />
<parameter name="decryptionUser" value="client" />
<parameter name="user" value="server"/>
<parameter name="signatureUser" value="client" />
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<parameter name="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
</handler>
</responseFlow>
</globalConfiguration >
</deployment>


crypto.properties FILE
====================================
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=security
org.apache.ws.security.crypto.merlin.file=D:\\Program Files\\Apache Software Foundation\\wss4j\\keys\\wss4j.keystore


Java File TEST.Test:
====================================

package TEST;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.axis.EngineConfiguration;
import org.apache.axis.configuration.FileProvider;
import org.apache.axis.message.MessageElement;
import org.apache.ws.security.WSPasswordCallback;
// Generated Axis stub; assumed to live in the same package as SecureInvoiceServiceSoap
import org.example.invoices.SecureInvoiceServiceLocator;

public class Test implements CallbackHandler {
    public static void main(String[] args) {
        try {
            // Load the client-side WSDD so the WSS4J handlers run on this call
            EngineConfiguration configuration = new FileProvider("deployment.wsdd");
            SecureInvoiceServiceLocator locator = new SecureInvoiceServiceLocator(configuration);
            org.example.invoices.SecureInvoiceServiceSoap soap = locator.getSecureInvoiceServiceSoap();
            MessageElement[] results = soap.viewInvoices().get_any(); // Exception always thrown on call to viewInvoices().
            for (int i = 0; i < results.length; i++) {
                System.out.println(results[i].getElementName());
            }
        } catch (Exception e) {
            System.err.println(e.toString());
            e.printStackTrace();
        }
    }

    // Password callback: WSS4J calls this to obtain the keystore entry password
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                pc.setPassword("security");
            } else {
                throw new UnsupportedCallbackException(
                        callbacks[i],
                        "Unrecognized Callback");
            }
        }
    }
}


Here are my Web Service configuration files...

Web.config FILE - Microsoft.Web.Services3 element
===================================
<microsoft.web.services3>
<diagnostics>
<trace enabled="true" input="InputTrace.webinfo" output="OutputTrace.webinfo" />
</diagnostics>
<tokenIssuer>
<statefulSecurityContextToken enabled="false" />
</tokenIssuer>
<policy fileName="wse3policyCache.config" />
<security>
<binarySecurityTokenManager>
<add valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
<sessionKeyAlgorithm name="AES128" />
<keyAlgorithm name="RSA15" />
</add>
</binarySecurityTokenManager>
<x509 skiMode="ThumbprintSHA1" verifyTrust="false" />
<securityTokenManager>
<add localName="EncryptedKey" type="Microsoft.Web.Services3.Security.Tokens.EncryptedKeyTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="http://www.w3.org/2001/04/xmlenc#">
<keyAlgorithm name="AES128"/>
</add>
<add localName="DerivedKeyToken" type="Microsoft.Web.Services3.Security.Tokens.DerivedKeyTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="http://schemas.xmlsoap.org/ws/2005/02/sc">
<keyAlgorithm name="AES128"/>
</add>
<add localName="SecurityContextToken" type="Microsoft.Web.Services3.Security.Tokens.SecurityContextTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="http://schemas.xmlsoap.org/ws/2005/02/sc">
<keyAlgorithm name="AES128"/>
</add>
</securityTokenManager>
</security>
</microsoft.web.services3>



ws3policyCache.config FILE
======================================
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
<extensions>
<extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<extension name="mutualCertificate11Security" type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="CertPolicy">
<mutualCertificate11Security establishSecurityContext="true" renewExpiredSecurityContext="true" requireSignatureConfirmation="true" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
<serviceToken>
<x509 storeLocation="LocalMachine" storeName="My" findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
</protection>
</mutualCertificate11Security>
<requireActionHeader />
</policy>
</policies>


If anyone can see something I'm doing wrong or needs more information, let me know. Remember I'm doing a Java client to a .NET Service, not the other way around. My contact information is triskelia[AT]gmail[DOT]com if you want to get in contact with me directly.

Thanks!

David
David

Major Mistakes

After messing with it yesterday, I found I made some major mistakes. I changed my WSDD file significantly to make sure the request was actually sending things, not receiving things. Also I exported the certificates as .pfx files so they would be their own keystores with the private key.

So far I have got the client actually talking to the web service, but the WS is still throwing faults:

Microsoft.Web.Services3.Security.SecurityFault: Header http://schemas.xmlsoap.org/ws/2004/08/addressing:Action for ultimate recipient is required but not present in the message.

I know this means it was expecting a wsa:Action tag in the SOAP but I don't know how to configure this. Any ideas? Do I absolutely need this information or is there a way I can turn off this requirement in WSE 3.0?

Here are the relevant files:

WSDD
=====================
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<transport name="http"
pivot="java:org.apache.axis.transport.http.HTTPSender"/>
<globalConfiguration>
<requestFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllSender">
<parameter name="passwordCallbackClass" value="TEST.Test"/>
<parameter name="action" value="Signature Encrypt Timestamp"/>
<parameter name="signaturePropFile" value="crypto.properties" />
<parameter name="decryptionPropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="encryptionUser" value="0219023d-ae5a-407a-bac9-7338371dd996" />
<parameter name="user" value="0219023d-ae5a-407a-bac9-7338371dd996"/>
<parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="decryptionKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="signatureKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
</handler>
</requestFlow>
</globalConfiguration >
</deployment>


If you need to know anything else, let me know. My contact information is triskelia[AT]gmail[DOT]com if you want to get in contact with me directly.

Thanks,

David
Erlend

Re: Major Mistakes

Hi David. Good to hear you are getting closer. There is usually an assertion in the wse3policyCache.config file called "<requireActionHeader/>". Try removing it and see if that helps.
Re: Major Mistakes
Hi Erlend. Thanks for the advice; I am not able to access my project right now but I will try that tomorrow. I was able to put something in the Java client's WSDD to make that error subside for now though...so I may get the same new error if I try removing the <requireActionHeader /> element.

Here's the new exception I'm getting on the Java client side: "Security Token could not be retrieved. Failed to resolve the following KeyInfo."

I'm not sure where to go from here. Any ideas on common causes for this? Tomorrow is the earliest I can post any file content you may need to solve this problem and/or if you need more info.

Thanks!
David

Re: Major Mistakes

One thing I should also mention is that the certificates I'm using are the ones that were generated by the Setup.bat file in the \Program Files\Microsoft WSE\v3.0\Samples directory. Will this be a problem for interoperability?
Erlend

Re: Re: Major Mistakes

I don't think that should be a problem, but I would suggest you start out using the same keys that I did, and the see if you can get that up and running. When you have it running, you can then start using different keys and see if it still works.
posthumecaver

Did anybody try vice versa

Hello everybody,

I think this whole configuration is for a wss4j service (server side) with .Net as the client side?

Did anybody try .Net as the service side and wss4j as the client side (or what are you using to call .Net other than wss4j)?

I am trying this scenario and I am stuck at the following problem.

I am actually trying with Rampart but it is already using wss4j under it.

Here is the java side configuration.

<axisconfig name="AxisJava2.0">

<!--Signature and Encryption : Using the request's certificate-->
<module ref="addressing" />
<module ref="rampart" />

<parameter name="OutflowSecurity">
<action>
<items>Timestamp Signature Encrypt</items>
<user>client</user>
<encryptionUser>server</encryptionUser>
<passwordCallbackClass>de.mgi.networking.ws.callback.PWCBHandler</passwordCallbackClass>
<signaturePropFile>client.properties</signaturePropFile>
<signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
<encryptionKeyIdentifier>X509KeyIdentifier</encryptionKeyIdentifier>
<encryptionSymAlgorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</encryptionSymAlgorithm>
<encryptionKeyTransportAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-1_5</encryptionKeyTransportAlgorithm>
<timeToLive>360</timeToLive>
</action>
</parameter>

<parameter name="InflowSecurity">
<action>
<items>Timestamp Signature Encrypt</items>
<passwordCallbackClass>de.mgi.networking.ws.callback.PWCBHandler</passwordCallbackClass>
<signaturePropFile>client.properties</signaturePropFile>
</action>
</parameter>

org.apache.axis2.AxisFault: System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE841: An error occured processing an outgoing fault response. ---> System.Web.Services.Protocols.SoapException: Microsoft.Web.Services3.Security.SecurityFault: Referenced security token could not be retrieved ---> System.Exception: WSE590: Failed to resolve the following Key Info <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...</wsse:KeyIdentifier></wsse:SecurityTokenReference></KeyInfo>.
--- Ende der internen Ausnahmestapelüberwachung ---
bei Microsoft.Web.Services3.Security.EncryptedKey.LoadXml(XmlElement element)
bei Microsoft.Web.Services3.Security.EncryptedKey..ctor(XmlElement element)
bei Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element)
bei Microsoft.Web.Services3.Security.Security.CreateFrom(SoapEnvelope envelope, String localActor, String serviceActor)
bei Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
bei Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
bei Microsoft.Web.Services3.WseProtocol.FilterRequest(SoapEnvelope requestEnvelope)
bei Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
bei System.Web.Services.Protocols.SoapServerProtocol.Initialize()
bei System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)
--- Ende der internen Ausnahmestapelüberwachung ---
--- Ende der internen Ausnahmestapelüberwachung ---
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:271)
at org.apache.axis2.description.OutInAxisOperationClient.execute(OutInAxisOperation.java:202)
at de.mgi.networking.axis2.clientwse.SecureTestStub.SetMDWMapping(SecureTestStub.java:144)
at de.mgi.networking.ws.test.MetroJavaTest.CallWithWse(MetroJavaTest.java:66)
at de.mgi.networking.ws.test.MetroJavaTest.main(MetroJavaTest.java:47)

Peter

CryptographicException

Hello,
After I followed your suggestion and ran the .NET client, it threw the following exception:

Unhandled Exception: System.Security.Cryptography.CryptographicException: Object
contains only the public half of a key pair. A private key must also be provide

I use 'bob' for the server side and alice for the client side.
WSS4J:
<code>
<requestFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
<parameter name="passwordCallbackClass" value="com.vtcmobile.PasswordProvider"/>
<parameter name="action" value="Signature Encrypt Timestamp"/>
<parameter name="signaturePropFile" value="crypto.properties" />
<parameter name="decryptionPropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="decryptionUser" value="alice" />
<parameter name="encryptionUser" value="alice" />
<parameter name="user" value="bob"/>
<parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="decryptionKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="signatureKeyIdentifier" value="X509KeyIdentifier" />
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
</handler>
</requestFlow>
<responseFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
<parameter name="action" value="Signature Encrypt Timestamp"/>
<parameter name="passwordCallbackClass" value="com.vtcmobile.PasswordProvider"/>
<parameter name="signaturePropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="encryptionPropFile" value="crypto.properties" />
<parameter name="signatureKeyIdentifier" value="DirectReference" />
<parameter name="encryptionKeyIdentifier" value="DirectReference" />
<parameter name="decryptionKeyIdentifier" value="DirectReference" />
<parameter name="encryptionUser" value="alice" />
<parameter name="decryptionUser" value="alice" />
<parameter name="user" value="bob"/>
<parameter name="signatureUser" value="alice" />
<parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<parameter name="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
</handler>
</responseFlow>
</code>
.NET config:
<code>
<policy name="x509">
<mutualCertificate10Security establishSecurityContext="false" renewExpiredSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
<clientToken>
<x509 storeLocation="CurrentUser" storeName="My" findValue="CN=Alice, OU=OASIS Interop Test Cert, O=OASIS" findType="FindBySubjectDistinguishedName" />
</clientToken>
<serviceToken>
<x509 storeLocation="CurrentUser" storeName="AddressBook" findValue="CN=Bob, OU=OASIS Interop Test Cert, O=OASIS" findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="" encryptBody="false" />
</protection>
</mutualCertificate10Security>

</policy>
</code>
Erlend

Re: CryptographicException

Sounds to me like you either:
- Only installed the certificate, not the private key. You have to install the .pfx files, not the .cer files
- You have not yet granted the user running your application access to the keys using the winhttpcertcfg.exe tool
Wonchana

Non-English Character Problem

Hi Erlend, I tried to configure my application following your example. My application works well with English character data input and output, but when I tried to input non-English characters (I used Thai characters) I got an exception from the axis server like this:

HTTP/1.1 100 Continue

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/xml;charset=utf-8
Transfer-Encoding: chunked
Date: Thu, 04 Oct 2007 08:56:34 GMT
Connection: close

267
<?xml version=\"1.0\" encoding=\"utf-8\"?><soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"><soapenv:Body><soapenv:Fault><faultcode>soapenv:Server.generalException</faultcode><faultstring>WSDoAllReceiver: security processing failed; nested exception is:
org.apache.ws.security.WSSecurityException: The signature verification failed</faultstring><detail><ns1:hostname xmlns:ns1=\"http://xml.apache.org/axis/\">HIMENO_FUMI</ns1:hostname></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>
0

And when the output data contains non-English characters I get this exception from the C#.net client:

[XmlException: '', hexadecimal value 0x14, is an invalid character. Line 1, position 385.]
System.Xml.XmlTextReaderImpl.Throw(Exception e) +87
System.Xml.XmlTextReaderImpl.Throw(String res, String[] args) +77
System.Xml.XmlTextReaderImpl.ThrowInvalidChar(Int32 pos, Char invChar) +185
System.Xml.XmlTextReaderImpl.ParseText(Int32& startPos, Int32& endPos, Int32& outOrChars) +1900537
System.Xml.XmlTextReaderImpl.ParseText() +130
System.Xml.XmlTextReaderImpl.ParseElementContent() +511
System.Xml.XmlTextReaderImpl.Read() +26
System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace) +435
System.Xml.XmlLoader.ParsePartialContent(XmlNode parentNode, String innerxmltext, XmlNodeType nt) +200
System.Xml.XmlElement.set_InnerXml(String value) +37
Microsoft.Web.Services3.Security.EncryptedData.Decrypt(XmlElement encryptedElement) +549
Microsoft.Web.Services3.Security.EncryptedData.Decrypt() +122
Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element) +1277
Microsoft.Web.Services3.Security.Security.CreateFrom(SoapEnvelope envelope, String localActor, String serviceActor) +666
Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope) +300
Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope) +1928
Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType) +2231

[ResponseProcessingException: WSE910: An error happened during the processing of a response message, and you can find the error in the inner exception. You can also find the response message in the Response property.]
Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType) +2336
Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage(SoapClientMessage message, Int32 bufferSize) +49
System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) +446
System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) +204
ThaiLocalTestService.ThaiLocalTestServiceWse.thaiGreeting() +31
_Default.Button1_Click(Object sender, EventArgs e) +15
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +105
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +107
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +5102


I am trying to look around the internet but I found nothing.
I need your advice. Thanks.

Oh, the software I used was
Wss4j 1.5.0 with Axis 1.4 running on jakarta-tomcat-5.5 and VS2005.NET with WSE 3.0.
Lavi

Completely lost.

First of all, thank your for all your comments, after reading all your post, I began to get an image of all the stuff involved in this problem.

I have several problems..
I'm trying to connect to a webservice (I think wss4j) at

http://www.meteocatserveis.com/axis/services/TempsPresent?wsdl

This service requires a login & psw. I tried to connect using the regular procedure but with no success at all; all I got was the
WSDoAllReceiver: Request does not contain required Security header error.

I copy-pasted (sorry, I really have no idea where to begin) and generated a username policy (including the usr and psw in the policy text), but now I get this error:

WSDoAllReceiver: security processing failed (actions number mismatch)

I have to point out that I have no access to the server so, unless I can get some info from the wsdl or similar, I can help you help me no more.

Please, I'm really in a hurry... can anybody help me?
What do I have to do?
please drop a mail to pere.morata@gmail.com if you can...

th
Erlend

Re:Completely lost

Have you tried to remove the <requireActionHeader /> element from your WSE policy config? Are you using the same certificates? Also try changing the signatureOptions and encryptBody attributes.
Erlend

New post with java client and wse 3.0 service

http://erlend.oftedal.no/blog/?id=61
ahurtado
NOTE: This configuration does not support 'establishSecurityContext="true"' because axis-1 does not support this at this time. I will try rampart + axis2 to interoperate with wse3.
Ferreiro

Java Version

Hi Erlend,
Which [b]Java version[/b] did you use?

Thank you.
Erlend

Re: Java Version

Unfortunately I don't have the environment anymore. I would guess some flavour of 1.4, but I don't really remember.
Ferreiro

WSDL file

Hello Erlend,

You said above:

I ran the web service on axis and the client on .NET. I used the alice and bob certificates supplied in the interop folder in the wss4j zip file. These are from a Gartner WSS interoperability show(?).

But, by chance, do you still remember which web service did you test?

To be more specific, did you test the web service using the wsdl file that is also in the interop folder (it is labelled [i]PING.WSDL[/i])?
Maybe you remember which wsdl file you used?

Thank you for your answer!


Erlend

Re: WSDL file

I don't have it anymore, but it was some sort of stock service. The wsdl file was generated on the fly by axis on tomcat.
Ferreiro

Soap Body from .net client not encrypted

Hello Erlend,

I tried the configuration you proposed.
It works well for the java client but the dotnet client is not working.
I analyzed the soap message and I noticed that the Soap body is sent without being encrypted.

Do you have any idea?

Thank you.
Erlend

Re: Soap Body from .net client not encrypted

Hi Ferreiro. How did you set up your .NET client? You have to apply the policy to the client. You do that by enabling WSE for the project, (re)adding the web reference, and then using the <ServiceName>Wse class instead of the <ServiceName> class. So if you named the service MyWebService, then the class is named MyWebServiceWse. This class has a method called SetPolicy which you can use to apply the chosen policy from your .policy file.
Ferreiro

success

Hello Erlend,

Finally I succeeded in getting a .net 2.0 + WSE 3.0 client working, accessing an axis 1.4 + wss4j web service with my own wsdl file and [i]bob[/i] and [i]alice[/i] certificates.
I would like to thank you for your article. It helped me a lot to understand many things.

Nevertheless I have still to solve the certificates issue.

Thank you Erlend
Ferreiro

Certificates

Erlend,

Do you have some tips for the certificates ( jks -> pfx )?

Thank you.
Erlend

Re: Certificates

Hi Ferreiro
Please check my new blogpost http://erlend.oftedal.no/blog/?blogid=68
Erlend
Ferreiro

Gartner show keys

[i]Thank you Erlend[/i] for your link to the blogpost about jks -> pfx!

More info about the Gartner WSS interoperability show here:
http://xml.coverpages.org/InteropWSS-Gartner2005.html

Best Regards
Ferreiro

Personal Information Exchange (PFX)

Hello erlend,
I just would like to let you know that I succeeded in generating a pfx (PKCS #12) certificate from the java keystore (jks).
I also posted a little blog with some snapshots.
http://magnot.blogspot.com/2008/04/secure-web-services-interoperability.html
[i]You are also mentioned in the blog for your work in this blog![/i]
Best regards
Jose Ferreiro
Erlend

Re: Personal Information Exchange (PFX)

Thanks, Jose.
Ravi

Web Services Enhancements 1.0 and Java Interoperability

Hello Friends,
I'm implementing x509 certificates in a .net 2.0 services application using WSE3.0
and a java client. I want to know whether Web Services Enhancements 3.0 is
Java interoperable or not.

Erlend

Re: Web Services Enhancements 1.0 and Java Interoperability

It's interoperable with java at least if using Axis/WSS4J or Axis2/Rampart.
Ravi

Object contains only the public half of a key pair. A private key must also be provided.

Hello Erlend,

Thanks for your response.
I'm trying to implement WSE3.0 in a .Net client and .Net server (before implementing it in a Java client) but I am
facing the "Object contains only the public half of a key pair. A private key must also be provided." error. Do you have
any idea about this?
Ferreiro

Object contains only the public half of a key pair. A private key must also be provided.

Hello Ravi,

Please look at my post, the snapshot with the title: client pfx certificate (please note the private key)

http://magnot.blogspot.com/2008/04/secure-web-services-interoperability.html

The thing is that a certificate is composed of two pairs: [i]the public key[/i] and the [i]private key[/i].

Please note that you should keep your private key confidential.

[i]Hope this helps![/i]

Jose Ferreiro
Ravi

WSE101: An asynchronous operation raised an exception.

Thanks a lot for your response Jose, I have overcome that error. As I mentioned earlier, I am implementing x509 certificates using WSE3.0 in .net services and a .net client (this is for testing purposes). Actually I need to implement x509 certificates in .Net services and a Java client. But during my test case itself, i.e., .net services and .net client, I am getting an error stating "WSE101: An asynchronous operation raised an exception." and my inner exception is "The remote server returned an error: (401) Unauthorized." Jose, can you help me in getting out of it?
Thanks in advance

Regards,
Ravi
Ferreiro

WSE101: An asynchronous operation raised an exception.

Hello,

Try to look at the samples from [i]Web Services Enhancements (WSE) 3.0 for Microsoft .NET[/i] that you installed in your computer. There should be a folder labelled [i]samples[/i].

Look at the snapshot in the blog I wrote labelled secured dotnet client http://magnot.blogspot.com/2008/04/secure-web-services-interoperability.html

If later you would like to achieve interoperability you should proceed as Erlend explained above and use
mutualCertificate10Security, I guess.

For my test case I did it the other way around, that is to say my web service server side is written in java.
I would like to recall that I used Axis 1.4.

You may also like to consider this option described in Erlend's blog
http://erlend.oftedal.no/blog/?id=61
This means that the java client will be written using Axis2.
You may find the related certificates in
http://apache.mirror.testserver.li/ws/wss4j/1_5_3/wssj4-bin-1.5.3.zip

unzip it and under <drive>:\wss4j-bin-1.5.3\wss4j\interop\keys you will see the certificates used for the
shown example!

Hope this helps!

Jose Ferreiro
Ferreiro

WSE101: An asynchronous operation raised an exception.

Ravi,

Sorry in this post Erlend explains the configuration using Axis 1.4 and wss4j.
http://erlend.oftedal.no/blog/?id=61

It is also possible to achieve interop using Rampart/Axis2/WCF, but this is another story...

José
Ravi

How i can encrypt the secure data

Hello Jose,

Thanks a lot, I successfully implemented x509 using wse3.0 for .Net services and a .Net client (now I need to implement it for .Net services and a Java client). Can you guide me on how I can encrypt the secure data passing between the .Net services and the .Net client?

Regards,
Ravi
Ferreiro

How i can encrypt the secure data

Hello Ravi,

You need to choose a web services framework for java.
Either Axis 1.4 (I chose this one) or Axis2.
In addition you will need to add the encryption provided by the wss4j library from Apache.

I would suggest you develop a java client that can "talk/communicate" with a non-secure .net server side service.

You may write the client using the examples with axis 1.4.
After that you will apply the security layer (signature + encryption [+timestamp, mandatory to interoperate with dotnet]).

I would suggest you use Eclipse as IDE and get familiar with the ant tasks available in the axis 1.4 framework!

Finally, Erlend explains here how to achieve interoperability with the keys/certificates http://erlend.oftedal.no/blog/?blogid=68.

Hope this helps from a start!

Jose Ferreiro
Shaji Nair

C# WSE client to JAVA webservice

http://wseincsharp.blogspot.com/2008/02/c-wse-client-to-java-webservice.html
Ferreiro

Arrays

Hi Erlend,

Do you exchange arrays of objects in your wsdl?
If you have an example that illustrates this, that is to say a wsdl, I would appreciate some help from your side. Any [i]info[/i] is welcome.

Always with the same configuration (Java server side and clients [java and dotnet]).

Thank you in advance.

Jeff Constantin

WSE 3.0 Client and Axis2 Server

Erlend,

Have you tried to make a WSE3.0 client talk to an Axis2 server using the Rampart security ( certificates )? If yes, did you get it to work? If not, what were the problems? Axis2 Client to Server is easy but I don't know .NET very well.

Thanks,

Jeff
Erlend

Re: WSE 3.0 Client and Axis2 Server

No, unfortunately not, but maybe this can help:
http://shellysaunders.co.uk/Portals/2/WS-SecurityInteropCXF.pdf
anonymous

WSE 3.0

Is it possible to implement a simple WSE3.0 security in a Web application using X.509 Certificates?
ahurtado
yes, use the metro project
Siva

.NET Client configuration problem

I have developed webservices in java and enabled the security for these services. My client is in .NET; when the client connects I am getting the below error.

Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is:
java.lang.Exception: alias is null

Friends kindly help me to solve this problem.

.NET client app.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <client>
      <endpoint address="http://127.0.0.1:8081/policyServer/services/HelloWorld/"
                bindingConfiguration="JavaInterop" behaviorConfiguration="ClientCertBehavior" binding="customBinding"
                contract="ServiceReference1.HelloWorldPortType" name="HelloWorldHttpSoap11Endpoint">
        <identity>
          <dns value="YALAMANCHILI" />
        </identity>
      </endpoint>
    </client>

    <bindings>
      <customBinding>
        <binding name="JavaInterop">
          <security defaultAlgorithmSuite="Basic128Rsa15" allowSerializedSigningTokenOnReply="true"
                    authenticationMode="MutualCertificate" requireDerivedKeys="false"
                    securityHeaderLayout="Lax" includeTimestamp="true" messageProtectionOrder="EncryptBeforeSign"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
            <issuedTokenParameters keyType="AsymmetricKey">
              <issuer address="" binding="customBinding" bindingConfiguration="JavaInterop" />
              <issuerMetadata address="">
                <identity>
                  <certificateReference x509FindType="FindByIssuerName" isChainIncluded="false" />
                </identity>
              </issuerMetadata>
            </issuedTokenParameters>
            <localClientSettings detectReplays="false" />
            <secureConversationBootstrap defaultAlgorithmSuite="Basic128Rsa15"
                                         allowSerializedSigningTokenOnReply="true" authenticationMode="MutualCertificate"
                                         requireDerivedKeys="false" securityHeaderLayout="Lax" messageProtectionOrder="EncryptBeforeSign">
              <issuedTokenParameters keyType="AsymmetricKey" />
            </secureConversationBootstrap>
          </security>
          <textMessageEncoding messageVersion="Default" />
          <httpTransport />
        </binding>
      </customBinding>
    </bindings>

    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientCertBehavior">
          <clientCredentials>
            <clientCertificate findValue="f1 88 d8 95 76 76 5b be 74 53 90 92 fc cf 16 e0 67 5e 4d 34" storeLocation="CurrentUser"
                               storeName="My" x509FindType="FindByThumbprint" />
            <serviceCertificate>
              <defaultCertificate findValue="d4 79 bc 17 94 3a 3c 14 a1 a2 1f c7 ba b7 a7 3e 08 1b 0a 8d" storeLocation="CurrentUser"
                                  storeName="My" x509FindType="FindByThumbprint" />
              <authentication certificateValidationMode="None" revocationMode="NoCheck" />
            </serviceCertificate>
            <peer>
              <peerAuthentication certificateValidationMode="None" />
              <messageSenderAuthentication certificateValidationMode="None"
                                           revocationMode="NoCheck" />
            </peer>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

Java service services.xml
<module ref="rampart" />
<parameter name="InflowSecurity">
  <action>
    <items>Timestamp Encrypt Signature</items>
    <passwordCallbackClass>com.test.ws.PasswordCallBackHandler</passwordCallbackClass>
    <decryptionPropFile>service.properties</decryptionPropFile>
    <signaturePropFile>service.properties</signaturePropFile>
    <enableSignatureConfirmation>false</enableSignatureConfirmation>
  </action>
</parameter>

<parameter name="OutflowSecurity">
  <action>
    <items>Timestamp Encrypt Signature</items>
    <user>kiwiservice</user>
    <encryptionUser>kiwiclient</encryptionUser>
    <encryptionPropFile>service.properties</encryptionPropFile>
    <passwordCallbackClass>com.test.ws.PasswordCallBackHandler</passwordCallbackClass>
    <signaturePropFile>service.properties</signaturePropFile>
    <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
  </action>
</parameter>


Thanks
------
Siva kumar
Erlend

Re: .NET Client configuration problem

I'm not quite sure what the problem could be, as I'm not too familiar with WCF. But it seems to me you didn't set any decryptionUser or encryptionUser in your java services.xml config. Also make sure you give the keys proper aliases when importing them into the java keystore. The alias in the keystore should be the same as the name specified for encryptionUser/decryptionUser for the different keys.
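The alias consistency Erlend describes above, as an added check that is not part of the thread: it parses a constructed services.xml modelled on the one Siva posted and compares the users it names with a constructed alias list standing in for the output of `keytool -list`. Which elements must carry an alias follows Erlend's reply (user and encryptionUser on the outflow, decryptionUser on the inflow); that mapping is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the services.xml posted above (not Siva's file verbatim).
SERVICES_XML = """<service>
 <parameter name="InflowSecurity"><action>
  <items>Timestamp Encrypt Signature</items>
  <decryptionPropFile>service.properties</decryptionPropFile>
 </action></parameter>
 <parameter name="OutflowSecurity"><action>
  <items>Timestamp Encrypt Signature</items>
  <user>kiwiservice</user>
  <encryptionUser>kiwiclient</encryptionUser>
  <encryptionPropFile>service.properties</encryptionPropFile>
 </action></parameter>
</service>"""

# Constructed stand-in for the alias column of `keytool -list -keystore service.jks`.
KEYSTORE_ALIASES = ["client", "kiwiservice"]

# Assumed mapping (following Erlend's reply) of WSS4J actions to the element that must
# name a keystore alias: the outflow signs with <user> and encrypts for <encryptionUser>,
# the inflow decrypts with <decryptionUser>. Inflow signature verification needs no
# alias element, only the peer's certificate present in the keystore.
REQUIRED = {
    "OutflowSecurity": {"Signature": "user", "Encrypt": "encryptionUser"},
    "InflowSecurity": {"Encrypt": "decryptionUser"},
}

def parse_actions(services_xml):
    """Return {flow name: {"items": [...], element tag: text, ...}} for the WSS4J actions."""
    actions = {}
    for param in ET.fromstring(services_xml).iter("parameter"):
        flow, action = param.get("name"), param.find("action")
        if flow in REQUIRED and action is not None:
            cfg = {child.tag: (child.text or "").strip() for child in action}
            cfg["items"] = cfg.get("items", "").split()
            actions[flow] = cfg
    return actions

def check_aliases(services_xml, keystore_aliases):
    """Return a list of findings; an empty list means every configured user has an alias."""
    # JKS stores aliases case-insensitively (lower-cased), so compare in lower case.
    aliases = {a.lower() for a in keystore_aliases}
    findings = []
    for flow, cfg in parse_actions(services_xml).items():
        for item, element in REQUIRED[flow].items():
            if item not in cfg["items"]:
                continue
            value = cfg.get(element)
            if not value:
                findings.append(f"{flow}: action {item} configured but <{element}> is not set")
            elif value.lower() not in aliases:
                findings.append(f"{flow}: <{element}>{value}</{element}> matches no keystore alias")
    return findings

if __name__ == "__main__":
    for line in check_aliases(SERVICES_XML, KEYSTORE_ALIASES) or ["config and keystore agree"]:
        print(line)
```

With the constructed input the check reports the missing decryptionUser and the encryptionUser kiwiclient that has no keystore entry, the two gaps Erlend points at.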
Siva

Re:.NET Client configuration problem

Hi Erlend,
Thanks for your response, the encryption and decryption are configured in service.properties:
service.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=client
org.apache.ws.security.crypto.merlin.file=service.jks

It seems to be a misconfiguration in app.config. Is it possible to post the source code of the above example, or kindly provide me another sample code or documents if you have any regarding this issue?

Thanks in Advance
-------------------
Siva kumar