The client needs to configure the HTTP conduit with the keystore that
contains the certificate of the STS, e.g.:

 <http:conduit name="https://localhost:.*">
   <http:tlsClientParameters disableCNCheck="true">
     <sec:trustManagers>
       <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
     </sec:trustManagers>
   </http:tlsClientParameters>
 </http:conduit>

What NPE are you getting? The following policy (KeyValueToken) is not
supported, but you could remove it as it is optional and see if that works:

<sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy>
    <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
                      wsp:Optional="true">
      <wsp:Policy />
    </sp:KeyValueToken>
    <sp:SignedParts>
      <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
    </sp:SignedParts>
  </wsp:Policy>
</sp:EndorsingSupportingTokens>

Colm.


On Fri, Jun 1, 2012 at 4:57 PM, Gina Choi <[email protected]> wrote:

> Hi Colm,
>
> Thanks for your response. You are right. When I used the Apache CXF STS, I used
> SymmetricBinding, and the WSP is using SymmetricBinding. Now I keep the WSP the
> same, but try to use ADFS 2.0 as the STS, and the endpoint that I try to use is
> using TransportBinding. What certificate requirement do I need to satisfy
> in this case?
> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler is
> throwing a null pointer exception.
>
> at
> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doIssuedTokenSignature(TransportBindingHandler.java:429)
> The following is the content of the STS policy.
>
>   <wsp:Policy wsu:Id="UserNameWSTrustBinding_IWSTrust13Async2_policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:TransportToken>
>               <wsp:Policy>
>                 <sp:HttpsToken>
>                   <wsp:Policy />
>                 </sp:HttpsToken>
>               </wsp:Policy>
>             </sp:TransportToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic256 />
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict />
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>           </wsp:Policy>
>         </sp:TransportBinding>
>         <sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>               <wsp:Policy>
>                 <sp:WssUsernameToken10 />
>               </wsp:Policy>
>             </sp:UsernameToken>
>           </wsp:Policy>
>         </sp:SignedEncryptedSupportingTokens>
>         <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
>                               wsp:Optional="true">
>               <wsp:Policy />
>             </sp:KeyValueToken>
>             <sp:SignedParts>
>               <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>             </sp:SignedParts>
>           </wsp:Policy>
>         </sp:EndorsingSupportingTokens>
>         <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:MustSupportRefKeyIdentifier />
>             <sp:MustSupportRefIssuerSerial />
>             <sp:MustSupportRefThumbprint />
>             <sp:MustSupportRefEncryptedKey />
>           </wsp:Policy>
>         </sp:Wss11>
>         <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:MustSupportIssuedTokens />
>             <sp:RequireClientEntropy />
>             <sp:RequireServerEntropy />
>           </wsp:Policy>
>         </sp:Trust13>
>         <wsaw:UsingAddressing />
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
> Thanks.
>
> Gina
> On Fri, Jun 1, 2012 at 4:20 AM, Colm O hEigeartaigh <[email protected]> wrote:
>
>> Hi Gina,
>>
>> If I recall correctly, the STS was using the SymmetricBinding. For this
>> case, the client only needs to know the certificate of the STS (specified
>> via "ws-security.encryption.username" in the STSClient bean). It doesn't
>> need any signature username configuration, as this is not used in the
>> Symmetric binding.
>>
>> I don't know what security policy your WSP is using and so I can't
>> comment on the rest of it.
>>
>> Colm.
>>
>>
>> On Thu, May 31, 2012 at 6:09 PM, Gina Choi <[email protected]> wrote:
>>
>>> Hi Colm,
>>>
>>> The client configuration file you provided worked as it is. Thank you.
>>> But I don't have the client certificate in either the WSP or the STS truststore. I also
>>> don't have the WSP certificate in the client truststore. The following two
>>> entries are referenced in the client configuration file, but they seem to get
>>> ignored. Otherwise, if requests from the client to the WSP and STS are signed using
>>> clientkey, but without the client certificate in the WSP and STS
>>> truststores, how do the WSP and STS verify the client signature?
>>>
>>>
>>> <entry key="ws-security.signature.username" value="myclientkey"/>
>>> <entry key="ws-security.encryption.username" value="myservicekey"/>
>>>
>>>
>>> Thanks.
>>>
>>> Gina
>>> On Mon, May 28, 2012 at 6:11 AM, Colm O hEigeartaigh <
>>> [email protected]> wrote:
>>>
>>>> The certificate you are using on the client side to encrypt the message
>>>> to
>>>> the STS does not match with the private key of the STS:
>>>>
>>>> Client:
>>>>
>>>> >  keytool -list -keystore src/main/resources/clientstore.jks -alias mystskey -v
>>>> Enter keystore password:
>>>> Alias name: mystskey
>>>> Creation date: 07-Oct-2011
>>>> Entry type: trustedCertEntry
>>>>
>>>> Owner: [email protected], CN=Tom Token, O=Sample STS Key -- NOT FOR PRODUCTION USE, L=Baltimore, ST=Maryland, C=US
>>>>
>>>> STS:
>>>>
>>>> >  keytool -list -keystore src/main/resources/stsstore.jks -alias mystskey -v
>>>> Enter keystore password:
>>>> Alias name: mystskey
>>>> Creation date: 10-Apr-2012
>>>> Entry type: PrivateKeyEntry
>>>> Certificate chain length: 1
>>>> Certificate[1]:
>>>> Owner: [email protected], CN=stscn, OU=SCT, O=SDL, L=wakefield, ST=massachusetts, C=US
>>>>
>>>> Also, your client configuration should look something like this instead:
>>>>
>>>> <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>>>               createdFromAPI="true">
>>>>     <jaxws:properties>
>>>>         <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
>>>>         <entry key="ws-security.signature.username" value="myclientkey"/>
>>>>         <entry key="ws-security.encryption.username" value="myservicekey"/>
>>>>         <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
>>>>         <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
>>>>         <entry key="ws-security.sts.client">
>>>>             <bean class="org.apache.cxf.ws.security.trust.STSClient">
>>>>                 <constructor-arg ref="cxf"/>
>>>>                 <property name="wsdlLocation" value="DoubleItSTSService.wsdl"/>
>>>>                 <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSService"/>
>>>>                 <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSPort"/>
>>>>                 <property name="properties">
>>>>                     <map>
>>>>                         <entry key="ws-security.signature.username" value="myclientkey"/>
>>>>                         <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
>>>>                         <entry key="ws-security.username" value="alice"/>
>>>>                         <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
>>>>                         <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
>>>>                         <entry key="ws-security.encryption.username" value="mystskey"/>
>>>>                     </map>
>>>>                 </property>
>>>>             </bean>
>>>>         </entry>
>>>>     </jaxws:properties>
>>>> </jaxws:client>
>>>>
>>>> Colm.
>>>>
>>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

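The two Spring fragments in this thread (the http:conduit trust store for the TLS hop to the STS, and the STSClient bean wired into the WSP proxy under "ws-security.sts.client") expressed programmatically, as an added example that is not code from this thread or from Apache CXF itself. It reuses the names from the thread (clientstore.jks, password cspass, alias mystskey, DoubleItSTSService.wsdl, client.ClientCallbackHandler); those and the use of STSClient.getClient() to reach the underlying HTTPConduit are assumptions of this example, and for the ADFS case the WSDL, service and endpoint names would be the ADFS ones rather than the CXF sample's.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.Bus;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.ws.security.trust.STSClient;

/**
 * Added example (not CXF's own code): programmatic equivalent of the
 * http:conduit and STSClient Spring fragments in the thread. File names,
 * aliases, passwords and property values are taken from the thread or
 * assumed for illustration.
 */
public class StsClientSetup {

    /** Trust managers built from the client trust store holding the STS TLS certificate. */
    static TrustManager[] loadTrustManagers(String resource, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = StsClientSetup.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IllegalStateException("trust store not on classpath: " + resource);
            }
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /**
     * TLS parameters for the STS conduit. disableCNCheck="true" in the thread's fragment
     * turns hostname verification off; keep that only for a localhost test certificate.
     * In production the STS certificate must match the endpoint hostname, otherwise any
     * certificate chaining to a trusted root could impersonate the STS.
     */
    static TLSClientParameters tlsParameters(TrustManager[] trustManagers, boolean localhostTest) {
        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(trustManagers);
        tls.setDisableCNCheck(localhostTest);
        return tls;
    }

    /** STSClient configured like the bean in the thread, with the trust store on its HTTPS conduit. */
    static STSClient buildStsClient(Bus bus, TLSClientParameters tls) throws Exception {
        STSClient sts = new STSClient(bus);
        sts.setWsdlLocation("DoubleItSTSService.wsdl");
        sts.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSService");
        sts.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSPort");

        Map<String, Object> props = new HashMap<String, Object>();
        props.put("ws-security.username", "alice");
        props.put("ws-security.callback-handler", "client.ClientCallbackHandler");
        // Signature/encryption entries matter for a SymmetricBinding STS (the client must hold
        // the STS certificate under the encryption alias). A TransportBinding STS such as ADFS
        // authenticates the client with the UsernameToken over TLS and trusts the TLS layer instead.
        props.put("ws-security.signature.username", "myclientkey");
        props.put("ws-security.signature.properties", "clientKeystore.properties");
        props.put("ws-security.encryption.username", "mystskey");
        props.put("ws-security.encryption.properties", "clientKeystore.properties");
        sts.setProperties(props);

        // Same effect as the <http:conduit> element: trust store attached to the STS HTTPS conduit.
        HTTPConduit conduit = (HTTPConduit) sts.getClient().getConduit();
        conduit.setTlsClientParameters(tls);
        return sts;
    }

    /** Equivalent of the "ws-security.sts.client" entry on the WSP's jaxws:client. */
    static void attachToWspPort(Object wspPort, STSClient sts) {
        Client client = ClientProxy.getClient(wspPort);
        client.getRequestContext().put("ws-security.sts.client", sts);
    }

    /** Assumed usage: called with the JAX-WS proxy for the WSP and the client's Bus. */
    static void configure(Object wspPort, Bus bus, boolean localhostTest) throws Exception {
        TrustManager[] tms = loadTrustManagers("/clientstore.jks", "cspass".toCharArray());
        STSClient sts = buildStsClient(bus, tlsParameters(tms, localhostTest));
        attachToWspPort(wspPort, sts);
    }
}
```

Before relying on the trust store, check that the certificate stored under the encryption alias really is the STS's: the keytool comparison earlier in the thread shows the failure mode, where the client's mystskey entry (CN=Tom Token) and the STS's private key (CN=stscn) are different certificates, so anything encrypted to the client's copy cannot be decrypted by the STS.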