OK, so I saw your earlier message where you stated you wanted to use both a
user token and a cert, and Colm replied with "Try using 'signatureUser' for the
'myclientkey' entry".
In my setup I am only using mutual x.509 certificate authentication. I am not
sure why you need to use both UserNameToken and a certificate, since the cert
provides identification.
Given that, there has to be some mismatch between your server outbound
interceptor configuration and your SoapUi inbound configuration. You provided
your client configuration. What does your server outbound interceptor
configuration look like? Here is mine:
<bean id="Sign_Response"
class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="user" value="myapp.mydomain.com"/>
<entry key="SignaturePropRefId" value="propertiesRef"/> <!-- bug prior
to 1.6: the starting 'S' is capitalized -->
<entry key="encryptionPropRefId" value="propertiesRef"/>
<entry key="propertiesRef" value-ref="ConfigLoader"/>
<entry key="encryptionUser" value="useReqSigCert"/>
<entry key="signatureKeyIdentifier" value="DirectReference"/>
<entry key="encryptionKeyIdentifier" value="DirectReference" />
<entry key="passwordCallbackRef">
<beans:ref bean="ConfigLoader"/>
</entry>
<entry key="signatureParts"
value="{Content}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
<entry key="encryptionParts"
value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
<!-- <entry key="encryptionKeyTransportAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> -->
<entry key="encryptionKeyTransportAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<entry key="signatureAlgorithm"
value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</map>
</constructor-arg>
</bean>
Here is one of the web pages I used:
https://sites.google.com/site/ddmwsst/ws-security-impl
In my particular case, the WSS4J (and CXF) used on the Server is constrained to
be a much earlier version than what is bundled in SoapUi. In that earlier
version of WSS4J on the server you could not have separate keystore and
truststore files, so on the server I just have one: a keystore that contains
the server public/private key pair, and the client public key. In SoapUi, I
split them out because I thought it would help me understand what was required,
and where. I have a client keystore that contains the client public/private
key, and a truststore that contains the server public key. One key thing I had
to do to get X.50 mutual certificate authentication working was to use
encryptionUser="useReqSigCert", which told the server to encrypt the server
response using the cert that was used to sign the request.
n Andy
From: Paul Avijit [mailto:[email protected]]
Sent: Tuesday, April 22, 2014 10:58 AM
To: [email protected]; Hart, Andrew B.
Subject: Re: CXF (WS-Security) + SoapUI
Thanks Andrew for the detailed response. I have done pretty much as you have
explained. The difference being I have just one client keystore. Let me explain
what I have done.
I have created the client and service keystores using the following commands:
*****************************************************************************************************
keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias
myservicekey -keypass skpass -storepass sspass -keystore serviceKeystore.jks
-dname "cn=localhost"
keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias
myclientkey -keypass ckpass -storepass cspass -keystore clientKeystore.jks
-dname "cn=clientuser"
keytool -export -rfc -keystore clientKeystore.jks -storepass cspass -alias
myclientkey -file MyClient.cer
keytool -import -trustcacerts -keystore serviceKeystore.jks -storepass sspass
-alias myclientkey -file MyClient.cer -noprompt
keytool -export -rfc -keystore serviceKeystore.jks -storepass sspass -alias
myservicekey -file MyService.cer
keytool -import -trustcacerts -keystore clientKeystore.jks -storepass cspass
-alias myservicekey -file MyService.cer -noprompt
*****************************************************************************************************
In SoapUI - WS-SecurityConfigurations - Keystores I have the following:
Source: path to clientKeystore.jks
Status: OK
Password: cspass
Default Alias: myclientkey
Alias Password: ckpass
In SoapUI - WS-SecurityConfigurations - Truststores I have the following:
Source: path to clientKeystore.jks
Status: OK
Password: cspass
In SoapUI - Outgoing WS-SecurityConfigurations - Encryption I have the
following:
Keystore: clientKeystore.jks
Alias: myclientkey
Password: ckpass
In CXF client I have the following in WSS4JOutInterceptor:
<bean id="TimestampSignEncrypt_Request"
class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
<constructor-arg>
<map>
<entry key="action" value="UsernameToken
Timestamp Signature Encrypt"/>
<entry key="passwordType"
value="PasswordDigest"/>
<entry key="user" value="POC-Username"/>
<entry key="signatureUser"
value="myclientkey"/>
<entry key="passwordCallbackClass"
value="com.hp.bes.hc.caqhcore.client.security.ClientKeystorePasswordCallback"/>
<entry key="signaturePropFile"
value="clientKeystore.properties"/>
<entry key="signatureAlgorithm"
value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<entry key="signatureParts"
value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://www.w3.org/2003/05/soap-envelope}Body"/>
<entry key="encryptionPropFile"
value="clientKeystore.properties"/>
<entry key="encryptionUser"
value="myservicekey"/>
<entry key="encryptionParts"
value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://www.w3.org/2003/05/soap-envelope}Body"/>
<entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<entry
key="encryptionKeyTransportAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
</map>
</constructor-arg>
<property name="allowMTOM" value="true"/>
</bean>
This works perfectly fine when tested using CXF client.
All of the above has also been configured in SoapUI except.
<entry key="encryptionUser"
value="myservicekey"/>
When I test using SoapUI, when the request goes to the server, I get the
following error in the server logs:
[ERROR][[ACTIVE] ExecuteThread: '23' for queue: 'weblogic.kernel.Default
(self-tuning)'][2014-04-22 11:16:28,200]
org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:650)
- Cannot find key for alias: [myclientkey] in keystore of type [jks] from
provider [SUN version 1.6] with size [2] and aliases: {myservicekey,
myclientkey}
Apr 22, 2014 11:16:28 AM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
WARNING:
org.apache.ws.security.WSSecurityException: The signature or decryption was
invalid
When I only secure my web service using UsernameToken Timestamp and Signature,
it works fine when tested with SoapUI. I get the above error when Encrypt is
also used to secure it.
Regards
Paul
On Tuesday, April 22, 2014 10:50 AM, "Hart, Andrew B."
<[email protected]<mailto:[email protected]>> wrote:
It took me quite a bit of trial and error to figure out what went where in
SoapUi. I find their documentation to be lacking.
I'll just tell you how I have it set up in the hope that it helps:
a) Under Keystores you have the path to the keystore that contains your client
public and private key. Password is the keystore password. The default client
alias in the keystore, then the password for the private key.
b) Under Truststores you have the path to the keystore that contains the
public cert of the server. The Password is the truststore password. I left
the default alias and password blank.
c) Under "Incoming" the "Decrypt" keystore is the path to the keystore (a).
The "Signature" is (b). The password is for the keystore.
d) Under "Outgoing" the default alias is the alias for your client key in (a).
If you have a signature action set up, the Keystore specified will be (a).
The "alias" and "password" will be the alias for the client private key.
Now to associate these configurations with SoapUi requests, there are several
places to do this. You can do it globally for a particular service endpoint by
double clicking on the green hourglass for the interface in the tree. In the
window that comes up, select the "Service Endpoints" tab. Put the outgoing and
incoming ws-configurations there, and they will apply to all operations.
Or, for each request, you double click to open the request window. In the
bottom left there is a menu for "Authentication and Security related settings".
You can specify your incoming and outgoing profile there. You can also right
click directly in the window where your request xml appears, select the
"Outgoing WSS" from the context menu and then either "Apply" or "Remove All".
So, it sounds like SoapUi is not finding the "Incoming" ws configuration, or
your truststore. When you get the response back, look in the bottom of that
window and there is the WSS log. Click on it and you should see "WS-Security
processing results" there that will help you debug your problem. If I had to
guess, you might have the keystore and truststore switched around in (c).
Also, SoapUi caches things up. I found it difficult to trust it, so when I
made changes to WS-Security configuration in SoapUi, I often closed the project
and opened it back up to make sure it was using my latest changes.
Hope this helped.
-- Andy
-----Original Message-----
From: Paul Avijit [mailto:[email protected]<mailto:[email protected]>]
Sent: Monday, April 21, 2014 5:36 PM
To: [email protected]<mailto:[email protected]>
Subject: CXF (WS-Security) + SoapUI
Hi,
I have a Web service implemented using CXF which is secured with WS-Security
(X.509 Encryption).
I have tested it successfully using a CXF client. I have configured WS-Security
in SoapUI. But when I test using SoapUI I get the following error:
org.apache.ws.security.WSSecurityException: The signature or decryption was
invalid
All configuration that I have done in CXF client is present in SoapUI. I could
not find in SoapUI the equivalent of the following configuration (constructor
argument of WSS4JOutInterceptor) that I have in CXF client, which is resulting
in the error. I know it is this configuration as when I delete this
configuration from the CXF client I get the same error.
<entry key="encryptionUser" value="myservicekey"/>
Can anyone please let me know how to test this using SoapUI. Thanks in advance
for the help to CXF experts in this mailing list.
Regards
Paul
