Hi Colm,

The client configuration file you provided worked as it is. Thank you. But I don't have the client certificate in either the WSP or the STS truststore. I also don't have the WSP certificate in the client truststore either. The following two entries are referenced in the client configuration file, but they seem to get ignored. Otherwise, if the requests from the client to the WSP and STS are signed using clientkey, but without the client certificate in the WSP and STS truststores, how do the WSP and STS verify the client signature?

<entry key="ws-security.signature.username" value="myclientkey"/>
<entry key="ws-security.encryption.username" value="myservicekey"/>

Thanks.
Gina

On Mon, May 28, 2012 at 6:11 AM, Colm O hEigeartaigh <[email protected]> wrote:

> The certificate you are using on the client side to encrypt the message to
> the STS does not match with the private key of the STS:
>
> Client:
>
> > keytool -list -keystore src/main/resources/clientstore.jks -alias mystskey -v
> Enter keystore password:
> Alias name: mystskey
> Creation date: 07-Oct-2011
> Entry type: trustedCertEntry
>
> Owner: [email protected], CN=Tom Token, O=Sample STS Key -- NOT FOR PRODUCTION USE, L=Baltimore, ST=Maryland, C=US
>
> STS:
>
> > keytool -list -keystore src/main/resources/stsstore.jks -alias mystskey -v
> Enter keystore password:
> Alias name: mystskey
> Creation date: 10-Apr-2012
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: [email protected], CN=stscn, OU=SCT, O=SDL, L=wakefield, ST=massachusetts, C=US
>
> Also, your client configuration should look something like this instead:
>
> <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>     createdFromAPI="true">
>     <jaxws:properties>
>         <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
>         <entry key="ws-security.signature.username" value="myclientkey"/>
>         <entry key="ws-security.encryption.username" value="myservicekey"/>
>         <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
>         <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
>         <entry key="ws-security.sts.client">
>             <bean class="org.apache.cxf.ws.security.trust.STSClient">
>                 <constructor-arg ref="cxf"/>
>                 <property name="wsdlLocation" value="DoubleItSTSService.wsdl"/>
>                 <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSService"/>
>                 <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSPort"/>
>                 <property name="properties">
>                     <map>
>                         <entry key="ws-security.signature.username" value="myclientkey"/>
>                         <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
>                         <entry key="ws-security.username" value="alice"/>
>                         <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
>                         <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
>                         <entry key="ws-security.encryption.username" value="mystskey"/>
>                     </map>
>                 </property>
>             </bean>
>         </entry>
>     </jaxws:properties>
> </jaxws:client>
>
> Colm.
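To spot the mismatch Colm points out above (the trusted certificate stored under mystskey in clientstore.jks not being the certificate on the STS's own mystskey private-key entry), here is an added Python check that is not from the thread or from CXF: it parses `keytool -list -v` output for each alias and compares SHA1 fingerprints rather than eyeballing Owner lines. The sample output is constructed to mirror the two stores in the message; the fingerprints are made up.

```python
import re

# Constructed `keytool -list -v` output mirroring the two stores in the thread
# (Owner lines as quoted; the SHA1 fingerprints are made up for this example).
CLIENT_STORE_OUTPUT = """\
Alias name: mystskey
Entry type: trustedCertEntry
Owner: CN=Tom Token, O=Sample STS Key -- NOT FOR PRODUCTION USE, L=Baltimore, ST=Maryland, C=US
Certificate fingerprints:
\t SHA1: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
"""
STS_STORE_OUTPUT = """\
Alias name: mystskey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=stscn, OU=SCT, O=SDL, L=wakefield, ST=massachusetts, C=US
Certificate fingerprints:
\t SHA1: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
"""

def parse_keytool_entries(text):
    """Map alias -> {'type', 'owner', 'sha1'}; first certificate of each entry only."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Alias name:\s*(.+)", line):
            current = entries.setdefault(m.group(1), {})
        elif current is None:
            continue
        elif m := re.match(r"Entry type:\s*(.+)", line):
            current["type"] = m.group(1)
        elif (m := re.match(r"Owner:\s*(.+)", line)) and "owner" not in current:
            current["owner"] = m.group(1)
        elif (m := re.match(r"SHA1:\s*([0-9A-Fa-f:]+)", line)) and "sha1" not in current:
            current["sha1"] = m.group(1).upper()
    return entries

def trust_entry_matches_private_key(trust_output, key_output, alias):
    """True only if the trusted cert under `alias` in one store is the same certificate
    (same SHA1) as the one on the PrivateKeyEntry under `alias` in the other store."""
    t = parse_keytool_entries(trust_output).get(alias, {})
    k = parse_keytool_entries(key_output).get(alias, {})
    if t.get("type") != "trustedCertEntry" or k.get("type") != "PrivateKeyEntry":
        return False
    return "sha1" in t and t["sha1"] == k.get("sha1")

if __name__ == "__main__":
    ok = trust_entry_matches_private_key(CLIENT_STORE_OUTPUT, STS_STORE_OUTPUT, "mystskey")
    print("client trusts the STS key:", ok)  # False: the two stores hold different certs
```

Run the real `keytool -list -v` commands from the thread, feed their output to the two arguments, and a False result means the client will encrypt to a key the STS cannot decrypt with.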
