Thank you very much.  I need the header signed. When I change it to 
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header/>
</sp:SignedParts>
I get a NullPointerException because I need a namespace included.
What namespace should I add?
My result soap header needs to look like this
 

<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-5042131">MIIDTDCCArWgAwIBAgIBBTANBgkqhkiG9w0BAQQFADBwMQswCQYD
VQQGEwJHQjEPMA0GA1UECBMGTG9uZG9uMQ8wDQYDVQQHEwZMb25kb24xGz
AZBgNVBAoTEk5vbWFkIFNvZnR3YXJlIEx0ZDEMMAoGA1UECxMDTlBTMRQwEgYDVQQDEwtXZWJTZX
J2aWNlczAeFw0wNzA3MjUxMTIyMjJaFw0wODA3MjQxMTIyMjJaMGQxCzAJBgNVBAYTAlVTMQsw
CQYDVQQIEwJOSjEPMA0GA1UEBxMGTmV3YXJrM*********************rest of
certificate id **********</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-24430720">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#id-19475765">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>AGcqQst2YH+aiHx+FPrIvl5oEtY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
BFlqCgd6xiu57hahZ2GoeAgIbKdmrmvCnvoxuQhSXXXOdyMWMOBUSVY59e8WWyyjVEUMn4s2gDpF
ORoRvlTzen6pMojPLEdD0KbBa9RATyINBtN9qxZmj8Qgs6eYzKXzeuan5+1mLV11MANbV8cjSIx0
nfm16bYcct0tBVBjWcc=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-1777337">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-18753567">
<wsse:Reference URI="#CertId-5042131" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>


  _____  

From: Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 18, 2007 4:23 PM
To: [email protected]
Subject: Re: Rampart signature


Hi Tirtza,
      It seems something like this would work for you. You have to
specify what should be signed within the
<sp:SignedParts></sp:SignedParts>.

<wsp:Policy wsu:Id="MutualCertificate10Sign_IPingService_policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy> 
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy> 
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy> 
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy> 
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy> 
                            <sp:Strict/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:OnlySignEntireHeadersAndBody/>
                </wsp:Policy> 
            </sp:AsymmetricBinding>
            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
            </sp:SignedParts>
            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefKeyIdentifier/>
                    <sp:MustSupportRefIssuerSerial/>
                </wsp:Policy>
            </sp:Wss10> 
            <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportIssuedTokens/> 
                    <sp:RequireClientEntropy/>
                    <sp:RequireServerEntropy/>
                </wsp:Policy>
            </sp:Trust10>
            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:user>XXX</ramp:user>
                <ramp:passwordCallbackClass>com.wso2.interop.wcf.wss10.WSS10Client</ramp:passwordCallbackClass>
                <ramp:signatureCrypto>
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">keys/sec.jks</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
                    </ramp:crypto>
                </ramp:signatureCrypto>
            </ramp:RampartConfig>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>


Regards,
Nandana


       


On 10/18/07, Tirtza Bernstein <[EMAIL PROTECTED]> wrote: 

It looks like you are using axis1.  I need a solution for axis2.
I have Rampart set up properly I just need a policy.xml which will allow me
to send a client certificate. (no encryption and no timestamp)
 
Does anyone have a policy.xml  that defines this?

  _____  

From: Senthivel U S [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 18, 2007 1:17 PM
To: [email protected]
Subject: RE: Rampart signature




Hi,

 

Couple of days back I had the same problem but I could not make it using
rampart but solved the problem.  Find below the working code. I have created
the stub using wsdl with Eclipse IDE.

 

URL endPointURL = new URL("http:// ");
EngineConfiguration config = new FileProvider("client_deploy.wsdd");
Service service = new Service(config);
TestSoapStub stub = new TestSoapStub(endPointURL, service);

stub._setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
stub._setProperty(WSHandlerConstants.SIG_PROP_FILE, "client_crypto.properties");
stub._setProperty(WSHandlerConstants.USER, "client");
stub._setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, "com.unistream.client.ServiceSecurityHandler");
stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");

stub.login(userID, password);

 

client.deploy.wsdd file         (just copy the same contents)

 

<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
   <requestFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
    </handler>
   </requestFlow>
  </globalConfiguration>
</deployment>

 

client_crypto.properties file  (just copy the same contents and change the
keystore.password, keystore.alias, alias.password, merlin.file according to
your spec)

 

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=xyzabc
org.apache.ws.security.crypto.merlin.keystore.alias=client
org.apache.ws.security.crypto.merlin.alias.password=xyzabc
org.apache.ws.security.crypto.merlin.file=client.jks

 

If you find any other better solution, please let me know.

 

Regards,

 

-senthil

 


  _____  


From: Tirtza Bernstein [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 17, 2007 7:54 PM
To: [email protected]
Subject: Rampart signature

 

I am using Axis2-1.3 and Rampart 1.3.

I am the client and my requests need to be signed.

 

My axis.client.xml includes the following

 

 <module ref="rampart" />

 

 <parameter name="OutflowSecurity">
      <action>
        <items>Signature</items>
        <user>wally</user>
        <signaturePropFile>crypto.properties</signaturePropFile>
        <passwordCallbackClass>net.idt.svp.security.PWCallback</passwordCallbackClass>
        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
      </action>
    </parameter>

 

    <parameter name="InflowSecurity">
       <action>
         <items>Signature</items>
         <signaturePropFile>crypto.properties</signaturePropFile>
       </action>
    </parameter>

 

My crypto.properties 

 

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
# Backslash is an escape character in .properties files, so path separators are doubled
org.apache.ws.security.crypto.merlin.file=J:\\svp_prime\\trunk\\security\\test.jks
org.apache.ws.security.crypto.merlin.keystore.password=pswd

My Client includes the following:

        _serviceClient.getOptions().setTo(new org.apache.axis2.addressing.EndpointReference(targetEndpoint));
        _serviceClient.getOptions().setUseSeparateListener(useSeparateListener);

        StAXOMBuilder builder = new StAXOMBuilder("resources/policy.xml");
        Policy clientPolicy = PolicyEngine.getPolicy(builder.getDocumentElement());
        _serviceClient.getOptions().setProperty(RampartMessageData.KEY_RAMPART_POLICY, clientPolicy);
        _serviceClient.engageModule("rampart");

My problem is that I have no clue how to set up the policy.xml.  Rampart's
examples do not include an example of pure signature only (no timestamp).

 

 

Can someone supply me with an example?

Thanks.
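
An added example (not written by anyone in this thread, and not Rampart code): a small Python check that lists what the sp:SignedParts assertions in a policy cover and flags an sp:Header with no Namespace attribute, which the WS-SecurityPolicy schema requires and which is the form shown at the top of the thread. The function name and the wsa:To header in the second sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy namespace used by the policies in this thread
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"

def audit_signed_parts(policy_xml):
    """Return (covered, problems) for all sp:SignedParts assertions in a policy."""
    covered, problems = [], []
    for parts in ET.fromstring(policy_xml).iter(f"{{{SP}}}SignedParts"):
        for child in parts:
            if child.tag == f"{{{SP}}}Body":
                covered.append("Body")
            elif child.tag == f"{{{SP}}}Header":
                # The schema makes Namespace mandatory and Name optional
                # (no Name = every header in that namespace).
                ns = (child.get("Namespace") or "").strip()
                if ns:
                    covered.append(f"Header {{{ns}}}{child.get('Name') or '*'}")
                else:
                    problems.append("sp:Header without a Namespace attribute")
            else:
                problems.append(f"unexpected element {child.tag}")
    return covered, problems

# The fragment from the top of the thread.
AS_POSTED = f'<sp:SignedParts xmlns:sp="{SP}"><sp:Header/></sp:SignedParts>'

# Constructed sample: sign the body plus one WS-Addressing header.
QUALIFIED = f'''<sp:SignedParts xmlns:sp="{SP}">
  <sp:Body/>
  <sp:Header Name="To" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
</sp:SignedParts>'''

if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("qualified", QUALIFIED)):
        covered, problems = audit_signed_parts(doc)
        print(label, "covered:", covered, "problems:", problems)
```

Running the check against a full policy.xml before deployment shows which message parts the signature is expected to protect, which makes an unsigned header visible in review.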

