Hi Gina,

If I recall correctly, the STS was using the SymmetricBinding. For this
case, the client only needs to know the certificate of the STS (specified
via "ws-security.encryption.username" in the STSClient bean). It doesn't
need any signature username configuration, as this is not used in the
Symmetric binding.

I don't know what security policy your WSP is using and so I can't comment
on the rest of it.

Colm.

On Thu, May 31, 2012 at 6:09 PM, Gina Choi <[email protected]> wrote:

> Hi Colm,
>
> The client configuration file you provided worked as it is. Thank you. But
> I don't have the client certificate in both the WSP and STS truststore. I also
> don't have the WSP certificate in the client truststore either. The following two
> entries are referenced in the client configuration file, but they seem to get
> ignored. Otherwise, if requests from the client to the WSP and STS are signed using
> clientkey, but without the client certificate in both the WSP and STS
> truststore, how do the WSP and STS verify the client signature?
>
>
> <entry key="ws-security.signature.username" value="myclientkey"/>
> <entry key="ws-security.encryption.username" value="myservicekey"/>
>
>
> Thanks.
>
> Gina
> On Mon, May 28, 2012 at 6:11 AM, Colm O hEigeartaigh 
> <[email protected]>wrote:
>
>> The certificate you are using on the client side to encrypt the message to
>> the STS does not match with the private key of the STS:
>>
>> Client:
>>
>> >  keytool -list -keystore src/main/resources/clientstore.jks -alias mystskey -v
>> Enter keystore password:
>> Alias name: mystskey
>> Creation date: 07-Oct-2011
>> Entry type: trustedCertEntry
>>
>> Owner: [email protected], CN=Tom Token, O=Sample STS Key -- NOT FOR PRODUCTION USE, L=Baltimore, ST=Maryland, C=US
>>
>> STS:
>>
>> >  keytool -list -keystore src/main/resources/stsstore.jks -alias mystskey -v
>> Enter keystore password:
>> Alias name: mystskey
>> Creation date: 10-Apr-2012
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 1
>> Certificate[1]:
>> Owner: [email protected], CN=stscn, OU=SCT, O=SDL, L=wakefield, ST=massachusetts, C=US
>>
>> Also, your client configuration should look something like this instead:
>>
>> <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>     createdFromAPI="true">
>>     <jaxws:properties>
>>         <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
>>         <entry key="ws-security.signature.username" value="myclientkey"/>
>>         <entry key="ws-security.encryption.username" value="myservicekey"/>
>>         <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
>>         <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
>>         <entry key="ws-security.sts.client">
>>             <bean class="org.apache.cxf.ws.security.trust.STSClient">
>>                 <constructor-arg ref="cxf"/>
>>                 <property name="wsdlLocation" value="DoubleItSTSService.wsdl"/>
>>                 <property name="serviceName"
>>                     value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSService"/>
>>                 <property name="endpointName"
>>                     value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSPort"/>
>>                 <property name="properties">
>>                     <map>
>>                         <entry key="ws-security.signature.username" value="myclientkey"/>
>>                         <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
>>                         <entry key="ws-security.username" value="alice"/>
>>                         <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
>>                         <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
>>                         <entry key="ws-security.encryption.username" value="mystskey"/>
>>                     </map>
>>                 </property>
>>             </bean>
>>         </entry>
>>     </jaxws:properties>
>> </jaxws:client>
>>
>> Colm.
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
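As an added example that is not part of this thread or of CXF itself: the mismatch Colm found above was spotted by running keytool against the two keystores by hand and comparing the Owner lines. The small Java program below does the same comparison mechanically with the JDK KeyStore API. It loads the client keystore and the STS keystore, takes the entry under the same alias from each, and reports whether the certificate the client will encrypt to (its trustedCertEntry) is byte-for-byte the certificate in front of the STS's PrivateKeyEntry. Keystore paths, passwords and the alias are command-line arguments; the class name StsKeyMatchCheck and the usage text are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Hypothetical checker (not part of CXF): confirms that the certificate the
 * client trusts under an alias is the same certificate that sits in front of
 * the STS's private key under that alias, i.e. that what the client encrypts
 * to the STS can actually be decrypted by the STS.
 */
public class StsKeyMatchCheck {

    /** Loads a JKS keystore and returns the X.509 certificate stored under alias. */
    static X509Certificate loadCert(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException(path + " has no entry with alias '" + alias + "'");
        }
        // getCertificate() works for both entry types: for a PrivateKeyEntry it
        // returns the first certificate of the chain, for a trustedCertEntry the
        // trusted certificate itself.
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.printf("%s [%s] entry type: %s%n", path, alias,
                ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry");
        return cert;
    }

    /** Same fingerprint keytool -list -v prints, so the two can be compared by eye too. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** True only when both certificates have the identical DER encoding. */
    static boolean sameCertificate(X509Certificate a, X509Certificate b) throws Exception {
        return Arrays.equals(a.getEncoded(), b.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: StsKeyMatchCheck <clientstore.jks> <client-pw> <stsstore.jks> <sts-pw> <alias>");
            System.exit(2);
        }
        String alias = args[4];
        X509Certificate clientView = loadCert(args[0], args[1].toCharArray(), alias);
        X509Certificate stsView = loadCert(args[2], args[3].toCharArray(), alias);

        System.out.println("client trusts : " + clientView.getSubjectX500Principal().getName());
        System.out.println("  SHA-256     : " + sha256Fingerprint(clientView));
        System.out.println("STS presents  : " + stsView.getSubjectX500Principal().getName());
        System.out.println("  SHA-256     : " + sha256Fingerprint(stsView));

        if (sameCertificate(clientView, stsView)) {
            System.out.println("OK: client encrypts to the certificate that matches the STS private key");
        } else {
            System.out.println("MISMATCH: the STS cannot decrypt what the client encrypts under alias '" + alias + "'");
            System.out.println("Fix: export the STS certificate with keytool -exportcert and import it into the "
                    + "client keystore with keytool -importcert under that alias");
            System.exit(1);
        }
    }
}
```

Run it as `java StsKeyMatchCheck src/main/resources/clientstore.jks <pw> src/main/resources/stsstore.jks <pw> mystskey`; on the two keystores quoted above it would print the two different Owner DNs and exit 1. Comparing the full DER encoding rather than just the subject DN is deliberate: a re-issued STS certificate can carry the same DN as a stale copy in the client store and still belong to a different key pair.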
