Hi Hasintha,

Thanks for providing the solution. It worked fine after changing the
*path.policy.sts* property to *sts-policy-signonly.xml* in the
client.properties file.

In the default sample it was sts-policy-ut.xml. Even though it worked
for the UsernameToken scenario, it needs to be changed for the Non-repudiation
scenario. I think it's better if we mention it clearly in the docs. I
created a doc Jira to track it [1].

[1] https://wso2.org/jira/browse/DOCUMENTATION-4150

Thanks,
Ashen

On Mon, Jan 16, 2017 at 9:33 PM, Hasintha Indrajee <hasin...@wso2.com>
wrote:

> Hi Ashen,
>
> A few things you need to pay attention to while getting this client working.
>
> 1) As [1] suggests, you need to generate a new key pair in the client's key
> store for the user. The existing keys in the sample are expired. Therefore
> please use a new key store and add a new key pair in order to get this
> working. Also you need to import the public certificate of the particular
> user into the IS key store as described in [1].
>
> 2) You need to configure the correct policy in the client (client.properties file),
> i.e. you need to uncomment the following and comment out the existing policy
> (sts-policy-ut.xml):
> path.policy.sts=sts-policy-signonly.xml
>
> After uncommenting, please build the sample and try the scenario. It should
> work properly once you follow these steps.
>
> [1] https://docs.wso2.com/display/IS510/Accessing+Claim+Aware+Services+using+STS+Secured+with+Non-repudiation
>
>
> On Mon, Jan 16, 2017 at 7:11 PM, Ashen Weerathunga <as...@wso2.com> wrote:
>
>> Hi,
>>
>> I also tried the STS client with non-repudiation, but it gives the following
>> error. Are there any configs that need to be changed in the sample?
>>
>> org.apache.rahas.TrustException: Error in obtaining token from : "https://localhost:9443/services/wso2carbon-sts"
>> at org.apache.rahas.client.STSClient.requestSecurityToken(STSClient.java:174)
>> at org.apache.rahas.client.STSClient.requestSecurityToken(STSClient.java:182)
>> at org.wso2.carbon.identity.samples.sts.Client.run(Client.java:130)
>> at org.wso2.carbon.identity.samples.sts.Client.main(Client.java:94)
>> Caused by: org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
>> at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:105)
>> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:171)
>> at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
>> at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:421)
>> at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
>> at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
>> at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:555)
>> at org.apache.rahas.client.STSClient.requestSecurityToken(STSClient.java:165)
>> ... 3 more
>>
>> Thanks,
>> Ashen
>>
>> On Fri, Jan 6, 2017 at 12:12 AM, Gayan Gunawardana <ga...@wso2.com>
>> wrote:
>>
>>> Steps and the sample can be found at [1],[2]. The issue seems to be a problem
>>> with the default keystore. When I traced the request and response with tcpmon
>>> I found the issue below.
>>>
>>>
>>> *Request*
>>> <?xml version='1.0' encoding='UTF-8'?>
>>> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
>>>    <soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
>>>       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
>>>          <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
>>>             <wsu:Created>2017-01-05T08:35:31.570Z</wsu:Created>
>>>             <wsu:Expires>2017-01-05T08:40:31.570Z</wsu:Expires>
>>>          </wsu:Timestamp>
>>>          <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-F1F5AE821BB8A9B28714836053316591">MIIBlzCCAQCgAwIBAgIEUVqxuDANBgkqhkiG9w0BA
>>> QUFADAQMQ4wDAYDVQQDEwVhZG1pbjAeFw0xMzA0MDIxMDIzNTJaFw0xMzA3M
>>> DExMDIzNTJaMBAxDjAMBgNVBAMTBWFkbWluMIGfMA0GCSqGSIb3DQEBAQUAA
>>> 4GNADCBiQKBgQCTx+Xh1YkBdaeMW36Z0QqR9vmnBAccIH+9rYaMaXV1m5pWU
>>> FHsT9utjEX23c4vkJ8O3Hpgh56/BUfzStb09UuONBU6BHVAe3uTDmLE42T3s
>>> /OaBsrUq3cPSmLCS8+J65ItdlT4jWjhJHIehyjU+IyvN3IWd63lowWleqk5n
>>> a4tbQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGcrYWf2NvDiG3jnUxYP4cDaM
>>> D586xyzk0mROI2VVDpK3oFQn6mqj3wgnjPMq3Eb8TIIuludo7c6OBzSEACoG
>>> d/fObcCJsdXI4FXeAVQBSOx91vtz3khMbmFsVJRS3HE8vRhxjQAjCmsAPHcy
>>> 8ZezuTuKHs1J1U9SS64Ox1FIfoY</wsse:BinarySecurityToken>
>>>          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
>>>             <ds:SignedInfo>
>>>                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>                <ds:Reference URI="#Id-100433527">
>>>                   <ds:Transforms>
>>>                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                   </ds:Transforms>
>>>                   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>                   <ds:DigestValue>qdHksp42FlO9WVg6HKledVDda18=</ds:DigestValue>
>>>                </ds:Reference>
>>>                <ds:Reference URI="#Timestamp-1">
>>>                   <ds:Transforms>
>>>                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                   </ds:Transforms>
>>>                   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>                   <ds:DigestValue>E6aaITdDYeveyle1XmVeWmfbYAE=</ds:DigestValue>
>>>                </ds:Reference>
>>>             </ds:SignedInfo>
>>>             <ds:SignatureValue>aWwbjN8BbgEI3pFwET9De9/UhYKeGC3Ndx0VSXEPMhtxYS3n4Q0ZuG2eX8ZobgcMPmYjs1gAoxF09sf7fdzmrSMW+Gt8Wn+N05gLh8u4fNY7Bi4DBM1YNW11pqxWpX8LG19prh0KbwkuJIIKQCuP08Zaku+HHgPvis6OPHhdObY=</ds:SignatureValue>
>>>             <ds:KeyInfo Id="KeyId-F1F5AE821BB8A9B28714836053316652">
>>>                <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-F1F5AE821BB8A9B28714836053316663">
>>>                   <wsse:Reference URI="#CertId-F1F5AE821BB8A9B28714836053316591" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>>>                </wsse:SecurityTokenReference>
>>>             </ds:KeyInfo>
>>>          </ds:Signature>
>>>       </wsse:Security>
>>>       <wsa:To>http://localhost:9762/services/wso2carbon-sts</wsa:To>
>>>       <wsa:ReplyTo>
>>>          <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
>>>       </wsa:ReplyTo>
>>>       <wsa:MessageID>urn:uuid:c514e93f-6a96-4640-8304-400320f95d5a</wsa:MessageID>
>>>       <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
>>>    </soapenv:Header>
>>>    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-100433527">
>>>       <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
>>>          <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
>>>          <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>>             <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
>>>                <wsa:Address>https://localhost:10443/services/echo</wsa:Address>
>>>             </wsa:EndpointReference>
>>>          </wsp:AppliesTo>
>>>          <wst:Lifetime>
>>>             <wsu:Created>2017-01-05T08:35:31.256Z</wsu:Created>
>>>             <wsu:Expires>2017-01-05T08:40:31.256Z</wsu:Expires>
>>>          </wst:Lifetime>
>>>          <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
>>>          <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/Bearer</wst:KeyType>
>>>          <wst:Claims xmlns:wsp="http://schemas.xmlsoap.org/ws/2005/02/trust" wsp:Dialect="http://wso2.org/claims">
>>>             <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/givenname"/>
>>>             <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/emailaddress"/>
>>>          </wst:Claims>
>>>       </wst:RequestSecurityToken>
>>>    </soapenv:Body>
>>> </soapenv:Envelope>
>>>
>>>
>>>
>>> *Response*
>>> <?xml version='1.0' encoding='UTF-8'?>
>>> <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
>>>    <soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
>>>       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
>>>          <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-11">
>>>             <wsu:Created>2017-01-05T08:35:31.867Z</wsu:Created>
>>>             <wsu:Expires>2017-01-05T08:40:31.867Z</wsu:Expires>
>>>          </wsu:Timestamp>
>>>          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-12">
>>>             <ds:SignedInfo>
>>>                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>                <ds:Reference URI="#Id-1962192193">
>>>                   <ds:Transforms>
>>>                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                   </ds:Transforms>
>>>                   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>                   <ds:DigestValue>h5oo0fYSZXjhsCDyzJF2XFTbjEg=</ds:DigestValue>
>>>                </ds:Reference>
>>>                <ds:Reference URI="#Timestamp-11">
>>>                   <ds:Transforms>
>>>                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>                   </ds:Transforms>
>>>                   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>                   <ds:DigestValue>0SnksGqgO8yrwWLuJUUEw52habw=</ds:DigestValue>
>>>                </ds:Reference>
>>>             </ds:SignedInfo>
>>>             <ds:SignatureValue>Pzwh9XSrKLMpze42EcGfYZweb+Th4FxX4rRt2+axHQRlt/p+A8YMwYUicKF93+a7RDiOhOdUOaoanIoN/CQaYtSskQZzK+LaqP9o1kcJCLulPgkGeYiC/fb3AilOuKKS+s5JWMchfgw2ebLgYTO43AalYwCtqNf/VMycIpb30B4=</ds:SignatureValue>
>>>             <ds:KeyInfo Id="KeyId-649751EC57E04F21D3148360533186817">
>>>                <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-649751EC57E04F21D3148360533186918">
>>>                   <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">a/jhNus21KVuoFx65LmkW2O/l10=</wsse:KeyIdentifier>
>>>                </wsse:SecurityTokenReference>
>>>             </ds:KeyInfo>
>>>          </ds:Signature>
>>>       </wsse:Security>
>>>       <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
>>>       <wsa:MessageID>urn:uuid:8904e3e1-9aea-4271-bac1-c99c52ce641f</wsa:MessageID>
>>>       <wsa:Action>http://schemas.xmlsoap.org/ws/2004/08/addressing/fault</wsa:Action>
>>>       <wsa:RelatesTo>urn:uuid:c514e93f-6a96-4640-8304-400320f95d5a</wsa:RelatesTo>
>>>    </soapenv:Header>
>>>    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-1962192193">
>>>       <soapenv:Fault xmlns:axis2ns11="http://www.w3.org/2003/05/soap-envelope">
>>>          <soapenv:Code>
>>>             <soapenv:Value>axis2ns11:Sender</soapenv:Value>
>>>             <soapenv:Subcode>
>>>                <soapenv:Value xmlns:axis2ns12="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">axis2ns12:FailedCheck</soapenv:Value>
>>>             </soapenv:Subcode>
>>>          </soapenv:Code>
>>>          <soapenv:Reason>
>>>             <soapenv:Text xml:lang="en-US">The signature or decryption was invalid (The provided certificate is invalid); nested exception is: java.security.cert.CertificateExpiredException: NotAfter: Mon Jul 01 15:53:52 IST 2013</soapenv:Text>
>>>          </soapenv:Reason>
>>>          <soapenv:Detail/>
>>>       </soapenv:Fault>
>>>    </soapenv:Body>
>>> </soapenv:Envelope>
>>>
>>> A similar kind of issue is reported in [1] as well.
>>>
>>>
>>> [1] https://docs.wso2.com/display/IS510/Accessing+Claim+Aware+Services+using+STS+Secured+with+Non-repudiation
>>> [2] https://github.com/wso2/product-is/tree/v5.1.0/modules/samples/sts/sts-client
>>> [3] https://wso2.org/jira/si/jira.issueviews:issue-html/WSAS-957/WSAS-957.html
>>>
>>> --
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: ga...@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> *Ashen Weerathunga*
>> Software Engineer
>> WSO2 Inc.: http://wso2.com
>> lean.enterprise.middleware
>>
>> Email: as...@wso2.com
>> Mobile: +94716042995
>> LinkedIn: http://lk.linkedin.com/in/ashenweerathunga
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453
>
>


-- 
*Ashen Weerathunga*
Software Engineer
WSO2 Inc.: http://wso2.com
lean.enterprise.middleware

Email: as...@wso2.com
Mobile: +94716042995
LinkedIn: http://lk.linkedin.com/in/ashenweerathunga
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
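The fault Gayan traced above is the STS rejecting the X.509 certificate carried in the request's wsse:BinarySecurityToken because it expired on 2013-07-01. That check can be made on the client side, before any signing or round trip, by reading the Validity window straight out of the DER certificate. The following is an added example, not code from this thread or from the WSO2 sts-client sample; it assumes the token is an X509v3 BinarySecurityToken with Base64Binary encoding (the ValueType and EncodingType shown in the captured request), and the sample inputs are the certificate and the wsu:Created timestamp copied from that request.

```python
import base64
from datetime import datetime, timezone

# Constructed sample input: the certificate inside the wsse:BinarySecurityToken
# of the RST captured above, and that request's wsu:Created timestamp.
SAMPLE_BST_B64 = (
    "MIIBlzCCAQCgAwIBAgIEUVqxuDANBgkqhkiG9w0BA"
    "QUFADAQMQ4wDAYDVQQDEwVhZG1pbjAeFw0xMzA0MDIxMDIzNTJaFw0xMzA3M"
    "DExMDIzNTJaMBAxDjAMBgNVBAMTBWFkbWluMIGfMA0GCSqGSIb3DQEBAQUAA"
    "4GNADCBiQKBgQCTx+Xh1YkBdaeMW36Z0QqR9vmnBAccIH+9rYaMaXV1m5pWU"
    "FHsT9utjEX23c4vkJ8O3Hpgh56/BUfzStb09UuONBU6BHVAe3uTDmLE42T3s"
    "/OaBsrUq3cPSmLCS8+J65ItdlT4jWjhJHIehyjU+IyvN3IWd63lowWleqk5n"
    "a4tbQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGcrYWf2NvDiG3jnUxYP4cDaM"
    "D586xyzk0mROI2VVDpK3oFQn6mqj3wgnjPMq3Eb8TIIuludo7c6OBzSEACoG"
    "d/fObcCJsdXI4FXeAVQBSOx91vtz3khMbmFsVJRS3HE8vRhxjQAjCmsAPHcy"
    "8ZezuTuKHs1J1U9SS64Ox1FIfoY"
)
SAMPLE_REQUEST_CREATED = "2017-01-05T08:35:31.570Z"


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _asn1_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # YYMMDDHHMMSSZ; RFC 5280 pivots the century at 50
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = text[2:]
    elif tag == 0x18:                      # YYYYMMDDHHMMSSZ
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    if rest[10:] != "Z":
        raise ValueError("only Zulu (UTC) times are handled")
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate.

    Walks Certificate -> tbsCertificate -> [version] serial sigAlg issuer validity,
    skipping every other field, so no third-party ASN.1 library is needed.
    """
    _, tbs_start, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, tbs_start)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                               # optional EXPLICIT [0] version
        pos = end
    for _ in range(3):                            # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    tag, vstart, _ = _tlv(der, pos)               # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    t1, s1, e1 = _tlv(der, vstart)
    t2, s2, e2 = _tlv(der, e1)
    return _asn1_time(t1, der[s1:e1]), _asn1_time(t2, der[s2:e2])


def bst_validity(bst_b64):
    """Validity window of a Base64Binary X509v3 BinarySecurityToken as ISO 8601 strings."""
    nb, na = cert_validity(base64.b64decode(bst_b64))
    return nb.isoformat(), na.isoformat()


def check_bst(bst_b64, created_iso):
    """Classify the token against the message's wsu:Created time.

    Returns 'expired', 'not-yet-valid' or 'valid'. This is the same condition
    the STS reported as CertificateExpiredException, evaluated client-side.
    """
    nb, na = cert_validity(base64.b64decode(bst_b64))
    created = datetime.strptime(created_iso, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    if created > na:
        return "expired"
    if created < nb:
        return "not-yet-valid"
    return "valid"


if __name__ == "__main__":
    print(bst_validity(SAMPLE_BST_B64))                       # ('2013-04-02T10:23:52+00:00', '2013-07-01T10:23:52+00:00')
    print(check_bst(SAMPLE_BST_B64, SAMPLE_REQUEST_CREATED))  # expired
```

The notAfter it prints, 2013-07-01 10:23:52 UTC, is the same instant as the "Mon Jul 01 15:53:52 IST 2013" in the fault text (IST is UTC+05:30). Run this against the BinarySecurityToken of any RST the sample emits; an "expired" result means the keystore, not the policy file, is what needs regenerating.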
