The error message indicates that the server doesn't know the client's
certificate... did you add the CA that signed the client's certificate
OR the client certificate itself to the server's keystore?



-----Original Message-----
From: Thorsten Deelmann [mailto:[email protected]] 
Sent: Sunday, December 14, 2008 4:08 PM
To: [email protected]
Subject: Axis2/Rampart Signature Validation

Hi all,

I've got the following Signature of a SOAP-Header built with Rampart:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-30721078">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <ds:Reference URI="#Id-6935595">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>zo9esKQnicy3e5eQidwJBZs1c4E=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#Timestamp-13983828">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>jGS8NoS39F6SNr9YWjSmXmeOYAA=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>tRIOHs2UgyJLwTj2hRh4QOeoc1I=</ds:SignatureValue>
  <ds:KeyInfo Id="KeyId-27120092">
    <wsse:SecurityTokenReference
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="STRId-3996874">
      <wsse:Reference URI="#EncKeyId-urn:uuid:EC1EA7F6B5126BB58312292966622658"
          ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#EncryptedKey"/>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
</ds:Signature>

But when the SignatureProcessor tries to verify it, I get the
following stack trace:
org.apache.axis2.AxisFault: The signature or decryption was invalid
        at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:166)
        at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:163)
        at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
        at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:133)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:419)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:85)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:181)
        at org.apache.rampart.RampartEngine.process(RampartEngine.java:138)
        at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
        ... 21 more

Does anyone have an idea?

If not: How can I disable the verification of the signature with
Rampart?

Thanks,
Thorsten

-- 
Thorsten Deelmann

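The header quoted above signs two References (the Body and the Timestamp) with hmac-sha1, and its KeyInfo points at an EncryptedKey, so the receiver has to recover that symmetric key before it can recompute the MAC. The stack trace says only that "the signature or decryption was invalid", not whether a Reference digest or the SignatureValue itself failed to match. The Python below is an added example, not part of this thread and not Rampart or WSS4J code: a minimal XML-Signature-style HMAC-SHA1 sign/verify over Id-referenced elements that reports those two failure modes separately. Everything in it is assumed for illustration: canonicalization uses xml.etree.ElementTree.canonicalize (C14N 2.0) in place of the Exclusive C14N 1.0 named in the header, elements are located by a plain Id attribute rather than wsu:Id, the SOAP-like SAMPLE message is constructed, and SESSION_KEY is a constructed constant standing in for the key a real receiver would recover from the EncryptedKey.

```python
"""Minimal XML-Signature-style HMAC-SHA1 sign/verify.

Added illustration, not Rampart or WSS4J code.  Assumptions made here:
  * canonicalization is xml.etree.ElementTree.canonicalize (C14N 2.0),
    standing in for the Exclusive C14N 1.0 named in the thread's header;
  * referenced elements carry a plain "Id" attribute (not wsu:Id);
  * SESSION_KEY is a constructed constant standing in for the key a real
    receiver would recover from the EncryptedKey the STR points at;
  * SAMPLE is a constructed SOAP-like message, not a capture.
"""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed

SAMPLE = (  # constructed; one Timestamp and one Body, both addressable by Id
    "<Envelope><Header>"
    '<Timestamp Id="Timestamp-1"><Created>2008-12-14T15:08:00Z</Created></Timestamp>'
    "</Header>"
    '<Body Id="Body-1"><Transfer amount="100" to="acct-42"/></Body>'
    "</Envelope>"
)


def c14n(elem: ET.Element) -> bytes:
    """Canonical bytes of one element, ignoring any text that follows it."""
    elem = copy.deepcopy(elem)
    elem.tail = None
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def find_by_id(root: ET.Element, ref_id: str) -> ET.Element:
    """Resolve a Reference URI fragment ("#x" -> Id="x") inside the message."""
    for elem in root.iter():
        if elem.get("Id") == ref_id:
            return elem
    raise KeyError(f"no element with Id={ref_id!r}")


def sign(env: ET.Element, ids, key: bytes) -> ET.Element:
    """Append <Signature> to the Header: one Reference digest per Id, then an
    HMAC-SHA1 over the canonical SignedInfo (which covers those digests)."""
    signed_info = ET.Element("SignedInfo")
    for ref_id in ids:
        digest = hashlib.sha1(c14n(find_by_id(env, ref_id))).digest()
        ref = ET.SubElement(signed_info, "Reference", URI="#" + ref_id)
        ET.SubElement(ref, "DigestValue").text = base64.b64encode(digest).decode()
    mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    sig = ET.SubElement(env.find("Header"), "Signature")
    sig.append(signed_info)
    ET.SubElement(sig, "SignatureValue").text = base64.b64encode(mac).decode()
    return env


def verify(env: ET.Element, key: bytes) -> dict:
    """Check every Reference digest, then the MAC over SignedInfo.

    bad_digests lists Ids whose content no longer matches what was signed;
    signature_ok says whether this key reproduces SignatureValue.  A receiver
    that only reports "invalid" cannot tell the two apart."""
    sig = env.find("Header/Signature")
    signed_info = sig.find("SignedInfo")
    bad_digests = []
    for ref in signed_info.findall("Reference"):
        ref_id = ref.get("URI")[1:]
        expected = base64.b64decode(ref.find("DigestValue").text)
        try:
            actual = hashlib.sha1(c14n(find_by_id(env, ref_id))).digest()
        except KeyError:
            bad_digests.append(ref_id)  # referenced element is gone
            continue
        if not hmac.compare_digest(actual, expected):
            bad_digests.append(ref_id)
    mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    claimed = base64.b64decode(sig.find("SignatureValue").text)
    signature_ok = hmac.compare_digest(mac, claimed)
    return {"ok": signature_ok and not bad_digests,
            "signature_ok": signature_ok,
            "bad_digests": bad_digests}


def demo() -> tuple:
    """Intact message with the right key; same message with the wrong key;
    message whose Body was altered after signing."""
    env = sign(ET.fromstring(SAMPLE), ["Timestamp-1", "Body-1"], SESSION_KEY)
    intact = verify(env, SESSION_KEY)
    wrong_key = verify(env, bytes(16))  # receiver resolved the wrong key
    tampered = copy.deepcopy(env)
    find_by_id(tampered, "Body-1").find("Transfer").set("amount", "100000")
    return intact, wrong_key, verify(tampered, SESSION_KEY)


if __name__ == "__main__":
    for label, result in zip(("intact", "wrong key", "tampered body"), demo()):
        print(f"{label:14s} {result}")
```

Running demo() shows the split: the intact message verifies; with the wrong key every digest still matches but the MAC does not, which is what a key-resolution problem looks like; with a Body changed after signing, the MAC over SignedInfo still matches but the Body digest does not. A verifier that surfaces both results, rather than a single "invalid", lets you tell a key or truststore problem from a message that was altered or re-canonicalized in transit.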