Hi, I also have similar problem:
http://cxf.547215.n5.nabble.com/WebSphere-8-wss4j-and-cxf-signature-validation-td5739363.html Did you make any progress ? I tried some options: 1. Verifying certificate chain. 2. Adding Bouncy Castle as provider to WSSConfig instead of IBMJCE. 3. Avoiding xmlsec at all (unsuccsessfully). 4. Logging and wiresharking request and response. But no use. I tried to sign Body and Timestamp tag. Also noticed that Body attribute "wsu:Id" is placed before "xmlns:wsu" attribute when response message leaves web service. When the same response comes to client side their order is swapped. I am signing body and timestamp. As you already noticed "PARENT_LAST" and osgi may be problem: http://veithen.blogspot.com/2013/10/broken-by-design-websphere-stax.html Also look at this: http://blog.lodeblomme.be/2011/09/27/apache-cxf-ws-security-the-signature-or-decryption-was-invalid They say it may be problem with Linux or even Java 6. I can not debugg "verify" method because I haven't source for IBMJCE and debugger behaves very strangely evevn when Bouncy Castle is used. Cheers -- View this message in context: http://cxf.547215.n5.nabble.com/Unable-to-verify-signature-with-Apache-CXF-and-WSS4J-on-Websphere-Application-Server-8-5-tp5740358p5740804.html Sent from the cxf-user mailing list archive at Nabble.com.
