Hi Ashen,

A few things you need to pay attention to while getting this client working.

1) As [1] suggests, you need to generate a new key pair in the client's key store for the user. The existing keys in the sample are expired. Therefore please use a new key store and add a new key pair in order to get this working. Also you need to import the public certificate of the particular user to the IS key store as described in [1].

2) You need to configure the correct policy in the client (client.properties file), i.e. you need to uncomment the following and comment the existing policy (sts-policy-ut.xml) path.

policy.sts=sts-policy-signonly.xml

After uncommenting, please build the sample and try the scenario. It should be working properly once you follow these steps.

[1] https://docs.wso2.com/display/IS510/Accessing+Claim+Aware+Services+using+STS+Secured+with+Non-repudiation

On Mon, Jan 16, 2017 at 7:11 PM, Ashen Weerathunga <as...@wso2.com> wrote:

> Hi,
>
> I also tried the STS client with non-repudiation, but it gives the following error. Are there any configs that need to be changed in the sample?
>
> org.apache.rahas.TrustException: Error in obtaining token from : "https://localhost:9443/services/wso2carbon-sts"
>     at org.apache.rahas.client.STSClient.requestSecurityToken(STSClient.java:174)
>     at org.apache.rahas.client.STSClient.requestSecurityToken(STSClient.java:182)
>     at org.wso2.carbon.identity.samples.sts.Client.run(Client.java:130)
>     at org.wso2.carbon.identity.samples.sts.Client.main(Client.java:94)
> Caused by: org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
>     at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:105)
>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:171)
>     at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
>     at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:421)
>     at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
>     at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
>     at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:555)
>     at org.apache.rahas.client.STSClient.requestSecurityToken(STSClient.java:165)
>     ... 3 more
>
> Thanks,
> Ashen
>
> On Fri, Jan 6, 2017 at 12:12 AM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>> Steps and the sample can be found in [1], [2]. The issue seems to be a problem with the default keystore. When I traced the request and response with tcpmon, I found the issue below.
>>
>> *Request*
>> <?xml version='1.0' encoding='UTF-8'?>
>> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
>>   <soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
>>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
>>       <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
>>         <wsu:Created>2017-01-05T08:35:31.570Z</wsu:Created>
>>         <wsu:Expires>2017-01-05T08:40:31.570Z</wsu:Expires>
>>       </wsu:Timestamp>
>>       <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-F1F5AE821BB8A9B28714836053316591">MIIBlzCCAQCgAwIBAgIEUVqxuDANBgkqhkiG9w0BA
>> QUFADAQMQ4wDAYDVQQDEwVhZG1pbjAeFw0xMzA0MDIxMDIzNTJaFw0xMzA3M
>> DExMDIzNTJaMBAxDjAMBgNVBAMTBWFkbWluMIGfMA0GCSqGSIb3DQEBAQUAA
>> 4GNADCBiQKBgQCTx+Xh1YkBdaeMW36Z0QqR9vmnBAccIH+9rYaMaXV1m5pWU
>> FHsT9utjEX23c4vkJ8O3Hpgh56/BUfzStb09UuONBU6BHVAe3uTDmLE42T3s
>> /OaBsrUq3cPSmLCS8+J65ItdlT4jWjhJHIehyjU+IyvN3IWd63lowWleqk5n
>> a4tbQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGcrYWf2NvDiG3jnUxYP4cDaM
>> D586xyzk0mROI2VVDpK3oFQn6mqj3wgnjPMq3Eb8TIIuludo7c6OBzSEACoG
>> d/fObcCJsdXI4FXeAVQBSOx91vtz3khMbmFsVJRS3HE8vRhxjQAjCmsAPHcy
>> 8ZezuTuKHs1J1U9SS64Ox1FIfoY</wsse:BinarySecurityToken>
>>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>           <ds:Reference URI="#Id-100433527">
>>             <ds:Transforms>
>>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>             </ds:Transforms>
>>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>             <ds:DigestValue>qdHksp42FlO9WVg6HKledVDda18=</ds:DigestValue>
>>           </ds:Reference>
>>           <ds:Reference URI="#Timestamp-1">
>>             <ds:Transforms>
>>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>             </ds:Transforms>
>>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>             <ds:DigestValue>E6aaITdDYeveyle1XmVeWmfbYAE=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>>         <ds:SignatureValue>aWwbjN8BbgEI3pFwET9De9/UhYKeGC3Ndx0VSXEPMhtxYS3n4Q0ZuG2eX8ZobgcMPmYjs1gAoxF09sf7fdzmrSMW+Gt8Wn+N05gLh8u4fNY7Bi4DBM1YNW11pqxWpX8LG19prh0KbwkuJIIKQCuP08Zaku+HHgPvis6OPHhdObY=</ds:SignatureValue>
>>         <ds:KeyInfo Id="KeyId-F1F5AE821BB8A9B28714836053316652">
>>           <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-F1F5AE821BB8A9B28714836053316663">
>>             <wsse:Reference URI="#CertId-F1F5AE821BB8A9B28714836053316591" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
>>           </wsse:SecurityTokenReference>
>>         </ds:KeyInfo>
>>       </ds:Signature>
>>     </wsse:Security>
>>     <wsa:To>http://localhost:9762/services/wso2carbon-sts</wsa:To>
>>     <wsa:ReplyTo>
>>       <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
>>     </wsa:ReplyTo>
>>     <wsa:MessageID>urn:uuid:c514e93f-6a96-4640-8304-400320f95d5a</wsa:MessageID>
>>     <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
>>   </soapenv:Header>
>>   <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-100433527">
>>     <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
>>       <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
>>       <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>         <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
>>           <wsa:Address>https://localhost:10443/services/echo</wsa:Address>
>>         </wsa:EndpointReference>
>>       </wsp:AppliesTo>
>>       <wst:Lifetime>
>>         <wsu:Created>2017-01-05T08:35:31.256Z</wsu:Created>
>>         <wsu:Expires>2017-01-05T08:40:31.256Z</wsu:Expires>
>>       </wst:Lifetime>
>>       <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
>>       <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/Bearer</wst:KeyType>
>>       <wst:Claims xmlns:wsp="http://schemas.xmlsoap.org/ws/2005/02/trust" wsp:Dialect="http://wso2.org/claims">
>>         <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/givenname" />
>>         <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/emailaddress" />
>>       </wst:Claims>
>>     </wst:RequestSecurityToken>
>>   </soapenv:Body>
>> </soapenv:Envelope>
>>
>> *Response*
>> <?xml version='1.0' encoding='UTF-8'?>
>> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
>>   <soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
>>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
>>       <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-11">
>>         <wsu:Created>2017-01-05T08:35:31.867Z</wsu:Created>
>>         <wsu:Expires>2017-01-05T08:40:31.867Z</wsu:Expires>
>>       </wsu:Timestamp>
>>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-12">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>           <ds:Reference URI="#Id-1962192193">
>>             <ds:Transforms>
>>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>             </ds:Transforms>
>>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>             <ds:DigestValue>h5oo0fYSZXjhsCDyzJF2XFTbjEg=</ds:DigestValue>
>>           </ds:Reference>
>>           <ds:Reference URI="#Timestamp-11">
>>             <ds:Transforms>
>>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>             </ds:Transforms>
>>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>             <ds:DigestValue>0SnksGqgO8yrwWLuJUUEw52habw=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>>         <ds:SignatureValue>Pzwh9XSrKLMpze42EcGfYZweb+Th4FxX4rRt2+axHQRlt/p+A8YMwYUicKF93+a7RDiOhOdUOaoanIoN/CQaYtSskQZzK+LaqP9o1kcJCLulPgkGeYiC/fb3AilOuKKS+s5JWMchfgw2ebLgYTO43AalYwCtqNf/VMycIpb30B4=</ds:SignatureValue>
>>         <ds:KeyInfo Id="KeyId-649751EC57E04F21D3148360533186817">
>>           <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-649751EC57E04F21D3148360533186918">
>>             <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">a/jhNus21KVuoFx65LmkW2O/l10=</wsse:KeyIdentifier>
>>           </wsse:SecurityTokenReference>
>>         </ds:KeyInfo>
>>       </ds:Signature>
>>     </wsse:Security>
>>     <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
>>     <wsa:MessageID>urn:uuid:8904e3e1-9aea-4271-bac1-c99c52ce641f</wsa:MessageID>
>>     <wsa:Action>http://schemas.xmlsoap.org/ws/2004/08/addressing/fault</wsa:Action>
>>     <wsa:RelatesTo>urn:uuid:c514e93f-6a96-4640-8304-400320f95d5a</wsa:RelatesTo>
>>   </soapenv:Header>
>>   <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-1962192193">
>>     <soapenv:Fault xmlns:axis2ns11="http://www.w3.org/2003/05/soap-envelope">
>>       <soapenv:Code>
>>         <soapenv:Value>axis2ns11:Sender</soapenv:Value>
>>         <soapenv:Subcode>
>>           <soapenv:Value xmlns:axis2ns12="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">axis2ns12:FailedCheck</soapenv:Value>
>>         </soapenv:Subcode>
>>       </soapenv:Code>
>>       <soapenv:Reason>
>>         <soapenv:Text xml:lang="en-US">The signature or decryption was invalid (The provided certificate is invalid); nested exception is: java.security.cert.CertificateExpiredException: NotAfter: Mon Jul 01 15:53:52 IST 2013</soapenv:Text>
>>       </soapenv:Reason>
>>       <soapenv:Detail/>
>>     </soapenv:Fault>
>>   </soapenv:Body>
>> </soapenv:Envelope>
>>
>> A similar kind of issue is reported in [1] as well.
>>
>> [1] https://docs.wso2.com/display/IS510/Accessing+Claim+Aware+Services+using+STS+Secured+with+Non-repudiation
>> [2] https://github.com/wso2/product-is/tree/v5.1.0/modules/samples/sts/sts-client
>> [3] https://wso2.org/jira/si/jira.issueviews:issue-html/WSAS-957/WSAS-957.html
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
> --
> Ashen Weerathunga
> Software Engineer
> WSO2 Inc.: http://wso2.com
> lean.enterprise.middleware
>
> Email: as...@wso2.com
> Mobile: +94716042995
> LinkedIn: http://lk.linkedin.com/in/ashenweerathunga

--
Hasintha Indrajee
WSO2, Inc.
Mobile: +94 771892453
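The tcpmon capture quoted above already contains everything needed to confirm the diagnosis before touching any keystore: the client's X.509 certificate travels in the BinarySecurityToken, and the STS fault reports CertificateExpiredException with NotAfter Jul 01 2013. The script below is an added example, not WSO2 or Apache Rahas code. It takes the wsu:Timestamp and BinarySecurityToken reconstructed from the captured request (signature and RST body omitted, since the check does not need them), decodes the certificate with a small hand-written DER walker that reads only the Validity and Subject fields, and reports whether the certificate was valid when the message was created. Checking a capture this way, rather than trusting the sample's keystore, catches the expired-key problem on the client side instead of discovering it from the server fault.

```python
"""Check the X.509 certificate carried in a WS-Security BinarySecurityToken
against the message's wsu:Created timestamp.

Added example (not WSO2/Rahas code). The SOAP fragment is reconstructed from
the tcpmon capture in the thread with the signature and RST body removed. The
DER walker only understands the Validity and Name fields it needs; it is not a
general X.509 parser and does not verify the signature.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wsse": WSSE, "wsu": WSU}
CN_OID = bytes.fromhex("550403")  # id-at-commonName

# Timestamp and token taken from the captured request quoted in the thread.
CAPTURED_SECURITY_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsu:Timestamp wsu:Id="Timestamp-1">
    <wsu:Created>2017-01-05T08:35:31.570Z</wsu:Created>
    <wsu:Expires>2017-01-05T08:40:31.570Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:BinarySecurityToken wsu:Id="CertId-F1F5AE821BB8A9B28714836053316591"
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
MIIBlzCCAQCgAwIBAgIEUVqxuDANBgkqhkiG9w0BA
QUFADAQMQ4wDAYDVQQDEwVhZG1pbjAeFw0xMzA0MDIxMDIzNTJaFw0xMzA3M
DExMDIzNTJaMBAxDjAMBgNVBAMTBWFkbWluMIGfMA0GCSqGSIb3DQEBAQUAA
4GNADCBiQKBgQCTx+Xh1YkBdaeMW36Z0QqR9vmnBAccIH+9rYaMaXV1m5pWU
FHsT9utjEX23c4vkJ8O3Hpgh56/BUfzStb09UuONBU6BHVAe3uTDmLE42T3s
/OaBsrUq3cPSmLCS8+J65ItdlT4jWjhJHIehyjU+IyvN3IWd63lowWleqk5n
a4tbQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGcrYWf2NvDiG3jnUxYP4cDaM
D586xyzk0mROI2VVDpK3oFQn6mqj3wgnjPMq3Eb8TIIuludo7c6OBzSEACoG
d/fObcCJsdXI4FXeAVQBSOx91vtz3khMbmFsVJRS3HE8vRhxjQAjCmsAPHcy
8ZezuTuKHs1J1U9SS64Ox1FIfoY
  </wsse:BinarySecurityToken>
</wsse:Security>"""


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV directly inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _asn1_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def _iso_utc(text):
    """Parse a wsu:Created style timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)


def _common_name(der, start, end):
    """Pull commonName out of a Name (SEQUENCE OF SET OF SEQUENCE { OID, value })."""
    for _, rdn_s, rdn_e in _children(der, start, end):
        for _, atv_s, atv_e in _children(der, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, str_s, str_e) = list(_children(der, atv_s, atv_e))
            if der[oid_s:oid_e] == CN_OID:
                return der[str_s:str_e].decode("ascii")
    return None


def certificate_info(der):
    """Return subject CN and validity window of a DER-encoded X.509 certificate."""
    _, cert_s, cert_e = _read_tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = next(_children(der, cert_s, cert_e))    # tbsCertificate
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                                  # optional explicit [0] version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, val_s, val_e = fields[3]
    not_before, not_after = [_asn1_time(t, der[s:e]) for t, s, e in _children(der, val_s, val_e)]
    _, subj_s, subj_e = fields[4]
    return {"subject_cn": _common_name(der, subj_s, subj_e),
            "not_before": not_before, "not_after": not_after}


def check_binary_security_token(security_header_xml, at=None):
    """Decode the BST certificate and say whether it was valid at `at` (ISO-8601 UTC
    text); defaults to the message's own wsu:Created, which is what the STS checks."""
    root = ET.fromstring(security_header_xml)
    created = root.find("wsu:Timestamp/wsu:Created", NS).text
    token = root.find("wsse:BinarySecurityToken", NS).text
    info = certificate_info(base64.b64decode("".join(token.split())))
    checked_at = _iso_utc(at or created)
    info["checked_at"] = checked_at
    info["valid"] = info["not_before"] <= checked_at <= info["not_after"]
    return info


if __name__ == "__main__":
    r = check_binary_security_token(CAPTURED_SECURITY_HEADER)
    print(f"CN={r['subject_cn']} valid {r['not_before']:%Y-%m-%d %H:%M:%SZ} to "
          f"{r['not_after']:%Y-%m-%d %H:%M:%SZ}; at {r['checked_at']:%Y-%m-%d}: "
          f"{'OK' if r['valid'] else 'EXPIRED or not yet valid'}")
```

Run against the captured header the check reports CN=admin with a NotAfter of 2013-07-01 10:23:52Z, which is the same instant the STS fault prints as Mon Jul 01 15:53:52 IST 2013, so the request could never have passed the server's certificate check regardless of which policy the client used. The same function can be pointed at any Security header pulled from tcpmon, and `at` lets you re-evaluate a historical capture at a chosen time.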