[ https://issues.apache.org/jira/browse/RAMPART-439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15936239#comment-15936239 ]

Bill Resnicow commented on RAMPART-439:
---------------------------------------

All, I think I found the problem with this. I had to add one more 
configuration parameter:
org.apache.ws.security.crypto.merlin.keystore.file = "" (blank).
Previously this parameter was not required; in the latest version of things it 
appears to be required. For PKCS11 certificate stores it should be blank, as 
there is no keystore file. Once this was set, Rampart/WSS4J were able to read 
the NSS PKCS11 certificate store.

I suggest adding some documentation to this effect somewhere, so I will leave 
this open for a time.


> Rampart 1.7.0 not working with PKCS11 certificate store
> -------------------------------------------------------
>
>                 Key: RAMPART-439
>                 URL: https://issues.apache.org/jira/browse/RAMPART-439
>             Project: Rampart
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>         Environment: RHEL Linux 7
>            Reporter: Bill Resnicow
>
> I have this problem when upgrading from Axis2/Rampart 1.6.0 to Axis2/Rampart 
> 1.7.4.  Our security provider is NSS which is the FIPS compliant PKCS11 
> certificate keystore.  This worked fine with Axis2/Rampart 1.6.0 but with 
> 1.7.4 it does not work.  The problem is that when trying to create a message 
> signature for a SOAP message, Rampart fails to read the signing certificate 
> from the PKCS11 certificate database.  The exception is below.   
> It might be an issue with Rampart or with WSS4J which was upgraded from 
> 1.5.11 to 1.6.16.
> I tried changing the Rampart configuration to use a JKS keystore instead of 
> the PKCS11 keystore and then it worked properly.
> The following exception occurs when processing an outbound SOAP message 
> response, trying to create a signature part in the header.  See the 'Caused 
> by' at the end.
> 03-15-2017 13:50:05,617 ERROR 
> [org.apache.axis2.receivers.AbstractMessageReceiver] (Axis2 Task) Error in 
> signature with X509Token: org.apache.axis2.AxisFault: Error in signature with 
> X509Token
>         at 
> org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76) 
> [rampart-core-1.7.0.jar:1.7.0]
>         at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:335) 
> [axis2-kernel-1.7.4.jar:1.7.4]
>         at org.apache.axis2.engine.Phase.invoke(Phase.java:308) 
> [axis2-kernel-1.7.4.jar:1.7.4]
>         at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:250) 
> [axis2-kernel-1.7.4.jar:1.7.4]
>         at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:415) 
> [axis2-kernel-1.7.4.jar:1.7.4]
>         at 
> org.apache.axis2.receivers.RawXMLINOutMessageReceiver.invokeBusinessLogic(RawXMLINOutMessageReceiver.java:121)
>  [axis2-kernel-1.7.4.jar:1.7.4]
>         at 
> org.apache.axis2.receivers.AbstractMessageReceiver$AsyncMessageReceiverWorker.run(AbstractMessageReceiver.java:229)
>  [axis2-kernel-1.7.4.jar:1.7.4]
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>  [rt.jar:1.8.0_92]
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>  [rt.jar:1.8.0_92]
>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_92]
> Caused by: org.apache.rampart.RampartException: Error in signature with 
> X509Token
>         at 
> org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:343)
>  [rampart-core-1.7.0.jar:1.7.0]
>         at 
> org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:250)
>  [rampart-core-1.7.0.jar:1.7.0]
>         at 
> org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:760)
>  [rampart-core-1.7.0.jar:1.7.0]
>         at 
> org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:417)
>  [rampart-core-1.7.0.jar:1.7.0]
>         at 
> org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:88)
>  [rampart-core-1.7.0.jar:1.7.0]
>         at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147) 
> [rampart-core-1.7.0.jar:1.7.0]
>         at 
> org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65) 
> [rampart-core-1.7.0.jar:1.7.0]
>         ... 9 more
> Caused by: org.apache.ws.security.WSSecurityException: General security error 
> (No certificates for user <myusername> were found for signature)
>         at 
> org.apache.ws.security.message.WSSecSignature.getSigningCerts(WSSecSignature.java:796)
>  [wss4j-1.6.16.jar:1.6.16]
>         at 
> org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:169)
>  [wss4j-1.6.16.jar:1.6.16]
>         at 
> org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:340)
>  [rampart-core-1.7.0.jar:1.7.0]
>         ... 15 more
> Our Rampart configuration is as follows:
> org.apache.ws.security.crypto.merlin.keystore.provider = SunPKCS11-NSSfips
> org.apache.ws.security.crypto.merlin.cert.provider = (blank)
> org.apache.ws.security.crypto.merlin.load.cacerts = false
> org.apache.ws.security.crypto.merlin.keystore.type=PKCS11
> cryptoConfigProvider = org.apache.ws.security.components.crypto.Merlin



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
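The error at the root of the trace above ("No certificates for user <myusername> were found for signature") is raised by WSS4J when the Merlin crypto provider cannot resolve the signing alias, so the quickest way to confirm the configuration fix from the comment is to load the same Merlin properties outside Rampart and resolve the alias directly. The following is an added diagnostic, not code from the RAMPART-439 report nor from Rampart or WSS4J. It assumes WSS4J 1.6.x on the classpath (the `Merlin`, `CryptoFactory` and `CryptoType` classes), that the provider name, alias and PIN are passed on the command line (the defaults below are placeholders: `SunPKCS11-NSSfips` from the issue, `myusername` from the exception text, and a dummy PIN), and that the PKCS11 token PIN is supplied as the Merlin keystore password, which is an assumption about this particular NSS setup rather than something the report states. The only line that differs from the issue's configuration is the blank `keystore.file` entry the comment identifies as required.

```java
// Added diagnostic example (not part of RAMPART-439, Rampart or WSS4J):
// build the Merlin configuration from the issue, add the blank keystore.file
// property from the comment, and check that the signing alias resolves to a
// certificate and a private key without going through Rampart's handler chain.
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Properties;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.components.crypto.CryptoType;

public class Pkcs11MerlinCheck {

    /** Merlin properties as listed in the issue, plus the blank keystore.file from the comment. */
    static Properties merlinProperties(String keystoreProvider, String tokenPin) {
        Properties p = new Properties();
        // CryptoFactory reads this key to pick the Crypto implementation (Merlin here).
        p.setProperty("org.apache.ws.security.crypto.provider",
                "org.apache.ws.security.components.crypto.Merlin");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "PKCS11");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.provider", keystoreProvider);
        p.setProperty("org.apache.ws.security.crypto.merlin.load.cacerts", "false");
        // The parameter the comment found to be required with the newer WSS4J:
        // a PKCS11 store has no keystore file, so the key is present but blank.
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.file", "");
        // Assumption: the NSS token PIN is handed to Merlin as the keystore password.
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", tokenPin);
        return p;
    }

    /** Resolves the alias the way a signature builder would and returns a one-line verdict. */
    static String checkSigningAlias(Crypto crypto, String alias, String keyPassword) {
        try {
            CryptoType lookup = new CryptoType(CryptoType.TYPE.ALIAS);
            lookup.setAlias(alias);
            X509Certificate[] chain = crypto.getX509Certificates(lookup);
            if (chain == null || chain.length == 0) {
                // Same condition that WSSecSignature.getSigningCerts reports in the trace.
                return "no certificate for alias '" + alias + "' in the configured keystore";
            }
            PrivateKey key = crypto.getPrivateKey(alias, keyPassword);
            if (key == null) {
                return "certificate found but no private key for alias '" + alias + "'";
            }
            return "ok: " + chain[0].getSubjectX500Principal()
                    + ", private key algorithm " + key.getAlgorithm();
        } catch (WSSecurityException e) {
            return "WSS4J error: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String provider = args.length > 0 ? args[0] : "SunPKCS11-NSSfips"; // from the issue
        String alias = args.length > 1 ? args[1] : "myusername";           // from the exception text
        String pin = args.length > 2 ? args[2] : "PLACEHOLDER-PIN";        // placeholder, not a real PIN
        Crypto crypto = CryptoFactory.getInstance(merlinProperties(provider, pin));
        System.out.println(checkSigningAlias(crypto, alias, pin));
    }
}
```

Running this with the `keystore.file` line removed reproduces the alias lookup failure in isolation; with the line present the verdict should report the certificate subject and key algorithm, which is the same lookup Rampart performs in `BindingBuilder.getSignatureBuilder` before the stack above is thrown. The SunPKCS11 provider must already be registered with the JVM (through `java.security` or programmatically) for the `keystore.provider` name to resolve; that registration is outside what the report shows and is not done here.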