Re: Error: "Key Reference Info is mismatch with policy"?

Kaushalye Kapuruge Wed, 08 Aug 2007 03:45:06 -0700

Hi Jamie,

In Rampart/C v 0.90, we had implemented it in such a way that user canspecify different policies for incoming and outgoing messages. But afterthat we changed it to be compatible with other implementations, mainlydue to the interoperability between different policy frameworks. I alsoagree with you, having such a flexibility in configurations can beuseful. So we will try to introduce this behavior in Rampart/C.BTW, I'd like to know if possible, which kind of framework you have usedto deploy services? Is it Axis2/Java + Rampart/Java or any otherimplementation. (This feature is not in Rampart/J though).

Cheers,
Kaushalye


Jamie Lyon wrote:

Unfortunately the service I am interacting with requires that the
timestamp is included when sending a message to it, but does not send a
timestamp in the response. So yes, an optional timestamp is a
requirement for interaction, without it I cannot do any communication at
all.

A workaround for the IncludeTimestamp case would be perfectly
acceptable, I don't (at least currently) require anything else to be
optional.

If there's a simple way of doing this temporarily, that will be fine.

Thanks,
Jamie

-----Original Message-----
From: Manjula Peiris [mailto:[EMAIL PROTECTED]
Sent: 08 August 2007 16:37
To: Apache AXIS C Developers List
Subject: RE: Error: "Key Reference Info is mismatch with policy"?

Hi Jamie,

Please see my comments inline.


On Wed, 2007-08-08 at 09:48 +0100, Jamie Lyon wrote:

Excellent, that's fixed that problem.

You will have to excuse my simple questions; I've not used ws-policy
before.

Is it possible to specify that the client has to include a timestamp

in

the sent message, but may or may not receive one back?

In the current implementation it is not possible. Because
<sp:Includetimestamp> assertion is common for both sending and

recieving

messages.

Having <sp:IncludeTimestamp/> returns "[info] [rampart][shp]

Timestamp

is not in the message", and modifying it to <sp:IncludeTimestamp
wsp:Optional="true"/> still comes up with the same error.

In our current Security policy implementation we are not supporting
wsp:Optional scenarios yet. Considerable amount of work need to be

done

to support this.

Is this a frequent scenario?  We haven't encountered this when we are
interoping with other implementations. If it is a common scenario then
we can give a fix just for <sp:IncludeTimestamp> case.


Thanks.
Manjula.

Thanks,
Jamie

-----Original Message-----
From: Manjula Peiris [mailto:[EMAIL PROTECTED]
Sent: 08 August 2007 11:22
To: Apache AXIS C Developers List
Subject: Re: Error: "Key Reference Info is mismatch with policy"?

Hi Jamie,

Please check the value of <sp:IncludeToken> attribute in the
<sp:InitiatorToken> element. If it is ,

http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always

To

Recipient then the certificate used to signed the message is sent

only

by

the client to server. The Client should not see it  attached as a
<BinarySecurityToken> in the recieved message. If you want this
<BinarySecurityToken> element to be in the recieved message of the

client

please change the <sp:IncludeToken>  attribute to

http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always

If this does not work please send the policy file you are using.

Thanks
-Manjula.


On Tue, 2007-08-07 at 16:26 +0100, Jamie Lyon wrote:

Hi,



I'm writing a client to an existing service in Axis2/C. Can

anyone

shed any light as to what could cause the above error message

"Key

Reference Info is mismatch with policy"? It appears to me as

though

it's saying that the namespace or something in the received

message

is

not matching what is in the policy.xml. You can see the context

of

the

message in the snippet of the debug log below.



The situation seems odd however, since as you can see from the

sent

log,

the message sent by the client is perfectly fine. The namespaces,

tokens

etc... all seem to match that which is received back from the

server.

I have attached the sent and received messages, and below is a

snippet

of the debug log:

[Tue Aug  7 16:13:02 2007] [info]  [rampart][shp] Process

security

header

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

Security for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

BinarySecurityToken for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

Signature for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

SignedInfo for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

CanonicalizationMethod for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

SignatureMethod for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

Reference for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

Transforms for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

Transform for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

DigestMethod for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

DigestValue for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

SignatureValue for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

KeyInfo for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

SecurityTokenReference for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

Reference for EncryptedKey

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

Security for Signature

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

BinarySecurityToken for Signature

[Tue Aug  7 16:13:02 2007] [info]  [rampart][axiom] Checking

node

Signature for Signature

[Tue Aug  7 16:13:02 2007] [info]  [rampart][shp] Processing

Signature

element.

[Tue Aug  7 16:13:02 2007] [info]  [Rampart][shp]Key Reference

Info

is

mismatch with policy

[Tue Aug  7 16:13:02 2007] [info]  [rampart][rampart_in_handler]

Security Header processing failed.

[Tue Aug  7 16:13:02 2007] [debug] engine.c(292) Axis2 engine

receive

completed!

[Tue Aug  7 16:13:02 2007] [error]

autogen/axis2_DataService.cpp(1236)

returnNode is NULL: Error code: 2 :: NULL paramater was passed

when a

non

NULL parameter was expected


Thanks,

Jamie

---------------------------------------------------------------------

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

---------------------------------------------------------------------

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

---------------------------------------------------------------------

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



--
http://kaushalye.blogspot.com/
http://wso2.org/


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Error: "Key Reference Info is mismatch with policy"?

Reply via email to