Thanks Andrew for the detailed response. I have done pretty much as you have explained. The difference being I have just one client keystore. Let me explain what I have done.
I have created the client and service keystores using the following commands: ***************************************************************************************************** keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias myservicekey -keypass skpass -storepass sspass -keystore serviceKeystore.jks -dname "cn=localhost" keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias myclientkey -keypass ckpass -storepass cspass -keystore clientKeystore.jks -dname "cn=clientuser" keytool -export -rfc -keystore clientKeystore.jks -storepass cspass -alias myclientkey -file MyClient.cer keytool -import -trustcacerts -keystore serviceKeystore.jks -storepass sspass -alias myclientkey -file MyClient.cer -noprompt keytool -export -rfc -keystore serviceKeystore.jks -storepass sspass -alias myservicekey -file MyService.cer keytool -import -trustcacerts -keystore clientKeystore.jks -storepass cspass -alias myservicekey -file MyService.cer -noprompt ***************************************************************************************************** In SoapUI - WS-SecurityConfigurations - Keystores I have the following: Source: path to clientKeystore.jks Status: OK Password: cspass Default Alias: myclientkey Alias Password: ckpass In SoapUI - WS-SecurityConfigurations - Truststores I have the following: Source: path to clientKeystore.jks Status: OK Password: cspass In SoapUI - Outgoing WS-SecurityConfigurations - Encryption I have the following: Keystore: clientKeystore.jks Alias: myclientkey Password: ckpass In CXF client I have the following in WSS4JOutInterceptor: <bean id="TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> <constructor-arg> <map> <entry key="action" value="UsernameToken Timestamp Signature Encrypt"/> <entry key="passwordType" value="PasswordDigest"/> <entry key="user" value="POC-Username"/> <entry key="signatureUser" value="myclientkey"/> <entry key="passwordCallbackClass" value="com.hp.bes.hc.caqhcore.client.security.ClientKeystorePasswordCallback"/> <entry key="signaturePropFile" value="clientKeystore.properties"/> <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://www.w3.org/2003/05/soap-envelope}Body"/> <entry key="encryptionPropFile" value="clientKeystore.properties"/> <entry key="encryptionUser" value="myservicekey"/> <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://www.w3.org/2003/05/soap-envelope}Body"/> <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> </map> </constructor-arg> <property name="allowMTOM" value="true"/> </bean> This works perfectly fine when tested using CXF client. All of the above has also been configured in SoapUI except. <entry key="encryptionUser" value="myservicekey"/> When I test using SoapUI, when the request goes to the server, I get the following error in the server logs: [ERROR][[ACTIVE] ExecuteThread: '23' for queue: 'weblogic.kernel.Default (self-tuning)'][2014-04-22 11:16:28,200] org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:650) - Cannot find key for alias: [myclientkey] in keystore of type [jks] from provider [SUN version 1.6] with size [2] and aliases: {myservicekey, myclientkey} Apr 22, 2014 11:16:28 AM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage WARNING: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid When I only secure my web service using UsernameToken Timestamp and Signature, it works fine when tested with SoapUI. I get the above error when Encrypt is also used to secure it. Regards Paul On Tuesday, April 22, 2014 10:50 AM, "Hart, Andrew B." <[email protected]> wrote: It took me quite a bit of trial and error to figure out what went where in SoapUi. I find their documentation to be lacking. I'll just tell you how I have it set up in the hope that it helps: a) Under Keystores you have the path to the keystore that contains your client public and private key. Password is the keystore password. The default client alias in the keystore, then the password for the private key. b) Under Truststores you have the path to the keystore that contains the public cert of the server. The Password is the truststore password. I left the default alias and password blank. c) Under "Incoming" the "Decrypt" keystore is the path to the keystore (a). The "Signature" is (b). The password is for the keystore. d) Under "Outgoing" the default alias is the alias for your client key in (a). If you have a signature action set up, the Keystore specified will be (a). The "alias" and "password" will be the alias for the client private key. Now to associate these configurations with SoapUi requests, there are several places to do this. You can do it globally for a particular service endpoint by double clicking on the green hourglass for the interface in the tree. In the window that comes up, select the "Service Endpoints" tab. Put the outgoing and incoming ws-configurations there, and they will apply to all operations. Or, for each request, you double click to open the request window. In the bottom left there is a menu for "Authentication and Security related settings". You can specify your incoming and outgoing profile there. You can also right click directly in the window where your request xml appears, select the "Outgoing WSS" from the context menu and then either "Apply" or "Remove All". So, it sounds like SoapUi is not finding the "Incoming" ws configuration, or your truststore. When you get the response back, look in the bottom of that window and there is the WSS log. Click on it and you should see "WS-Security processing results" there that will help you debug your problem. If I had to guess, you might have the keystore and truststore switched around in (c). Also, SoapUi caches things up. I found it difficult to trust it, so when I made changes to WS-Security configuration in SoapUi, I often closed the project and opened it back up to make sure it was using my latest changes. Hope this helped. -- Andy -----Original Message----- From: Paul Avijit [mailto:[email protected]] Sent: Monday, April 21, 2014 5:36 PM To: [email protected] Subject: CXF (WS-Security) + SoapUI Hi, I have a Web service implemented using CXF which is secured with WS-Security (X.509 Encryption). I have tested it successfully using a CXF client. I have configured WS-Security in SoapUI. But when I test using SoapUI I get the following error: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid All configuration that I have done in CXF client is present in SoapUI. I could not find in SoapUI the equivalent of the following configuration (constructor argument of WSS4JOutInterceptor) that I have in CXF client, which is resulting in the error. I know it is this configuration as when I delete this configuration from the CXF client I get the same error. <entry key="encryptionUser" value="myservicekey"/> Can anyone please let me know how to test this using SoapUI. Thanks in advance for the help to CXF experts in this mailing list. Regards Paul
