I could get this to work. Only changes in SoapUI configuration was required. No changes in CXF web service. Let me explain.
I have the following: 1. Server WSS4JInInterceptor configuration <bean id="UT_TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> <constructor-arg> <map> <entry key="action" value="UsernameToken Timestamp Signature Encrypt"/> <entry key="passwordType" value="PasswordDigest"/> <entry key="passwordCallbackRef" value-ref="myKeystorePasswordCallback"/> <entry key="signaturePropFile" value="serviceKeystore.properties"/> <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <entry key="decryptionPropFile" value="serviceKeystore.properties"/> <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> </map> </constructor-arg> </bean> 2. Server WSS4JOutInterceptor configuration <bean id="TimestampSignEncrypt_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> <constructor-arg> <map> <entry key="action" value="Timestamp Signature Encrypt"/> <entry key="timeToLive" value="10" /> <entry key="passwordCallbackRef" value-ref="myKeystorePasswordCallback"/> <entry key="user" value="myservicekey"/> <entry key="signaturePropFile" value="serviceKeystore.properties"/> <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://www.w3.org/2003/05/soap-envelope}Body"/> <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <entry key="encryptionPropFile" value="serviceKeystore.properties"/> <entry key="encryptionUser" value="useReqSigCert"/> <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://www.w3.org/2003/05/soap-envelope}Body"/> <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> </map> </constructor-arg> <property name="allowMTOM" value="true"/> </bean> 3. Server Keystore - contains server's private key + server's public key + client's public key 4. Client Keystore - contains client's private key + client's public key + server's public key Following are the configuration in SoapUI: 1. WS-Security Configuration - Keystore Source: path to client keystore Password - client keystore password Default Alias - alias of client's private key Alias Password - password of client's private key 2. Outgoing WS-Security Configuration - Username Timestamp Signature Keystore - client keystore Alias - alias of client's private key Password - password of client's private key Key Identifier Type - X.509 Signature Algorithm - RSA-SHA1 Parts - Timestamp (Element), Body (Element) Encryption Keystore - client keystore Alias - alias of server's public key Password - Empty (no password required for public key) Key Identifier Type - X.509 Symmetric Encoding Algorithm - Triple-DES-CBC Key Encryption Algorithm - RSA-OAEP-MGF1P Parts - Signature (Element), Body (Content) 3. Ingoing WS-Security Configuration - Decrypt Keystore - client keystore Signature Keystore - client keystore Password - password of client's private key Regards Paul On Tuesday, April 22, 2014 6:38 PM, Paul Avijit <[email protected]> wrote: Hi Andy, Whats in the servers WSS4JOutInterceptor is not important now. The issue is SoapUI is sending request to server and server is not able to decrypt the message as it cannot find the private key to decrypt. Also the server code is fine as I can test it successfully using a CXF client. Following are my CXF server configuration: <bean id="TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> <constructor-arg> <map> <entry key="action" value="UsernameToken Timestamp Signature Encrypt"/> <entry key="passwordType" value="PasswordDigest"/> <entry key="passwordCallbackRef" value-ref="myKeystorePasswordCallback"/> <entry key="signaturePropFile" value="serviceKeystore.properties"/> <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <entry key="decryptionPropFile" value="serviceKeystore.properties"/> <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> </map> </constructor-arg> </bean> <bean id="TimestampSignEncrypt_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> <constructor-arg> <map> <entry key="action" value="Timestamp Signature Encrypt"/> <entry key="timeToLive" value="10" /> <entry key="passwordCallbackRef" value-ref="myKeystorePasswordCallback"/> <entry key="user" value="myservicekey"/> <entry key="signaturePropFile" value="serviceKeystore.properties"/> <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://www.w3.org/2003/05/soap-envelope}Body"/> <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <entry key="encryptionPropFile" value="serviceKeystore.properties"/> <entry key="encryptionUser" value="useReqSigCert"/> <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://www.w3.org/2003/05/soap-envelope}Body"/> <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> </map> </constructor-arg> <property name="allowMTOM" value="true"/> </bean> Following are my CXF client configuration: <bean id="TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> <constructor-arg> <map> <entry key="action" value="UsernameToken Timestamp Signature Encrypt"/> <entry key="passwordType" value="PasswordDigest"/> <entry key="user" value="POC-Username"/> <entry key="signatureUser" value="myclientkey"/> <entry key="passwordCallbackClass" value="com.hp.bes.hc.caqhcore.client.security.ClientKeystorePasswordCallback"/> <entry key="signaturePropFile" value="clientKeystore.properties"/> <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://www.w3.org/2003/05/soap-envelope}Body"/> <entry key="encryptionPropFile" value="clientKeystore.properties"/> <entry key="encryptionUser" value="myservicekey"/> <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://www.w3.org/2003/05/soap-envelope}Body"/> <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> </map> </constructor-arg> <property name="allowMTOM" value="true"/> </bean> <bean id="TimestampSignEncrypt_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> <constructor-arg> <map> <entry key="action" value="Timestamp Signature Encrypt"/> <entry key="passwordCallbackClass" value="com.hp.bes.hc.caqhcore.client.security.ClientKeystorePasswordCallback"/> <entry key="signaturePropFile" value="clientKeystore.properties"/> <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <entry key="decryptionPropFile" value="clientKeystore.properties"/> <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> </map> </constructor-arg> </bean> This configuration works perfectly fine when tested using CXF client. But when tested using SoapUI, when the server receives the request from SoapUI, it cannot find the private key to decrypt the message and fails with the following error: [ERROR][[ACTIVE] ExecuteThread: '23' for queue: 'weblogic.kernel.Default (self-tuning)'][2014-04-22 11:16:28,200] org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:650) - Cannot find key for alias: [myclientkey] in keystore of type [jks] from provider [SUN version 1.6] with size [2] and aliases: {myservicekey, myclientkey} Regards Paul On Tuesday, April 22, 2014 1:08 PM, "Hart, Andrew B." <[email protected]> wrote: OK, so I saw your earlier message where you stated you wanted to use both a user token and a cert, and Colm replied with "Try using 'signatureUser' for the 'myclientkey' entry". In my setup I am only using mutual x.509 certificate authentication. I am not sure why you need to use both UserNameToken and a certificate, since the cert provides identification. Given that, there has to be some mismatch between your server outbound interceptor configuration and your SoapUi inbound configuration. You provided your client configuration. What does your server outbound interceptor configuration look like? Here is mine: <bean id="Sign_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> <constructor-arg> <map> <entry key="action" value="Timestamp Signature Encrypt"/> <entry key="user" value="myapp.mydomain.com"/> <entry key="SignaturePropRefId" value="propertiesRef"/> <!-- bug prior to 1.6: the starting 'S' is capitalized --> <entry key="encryptionPropRefId" value="propertiesRef"/> <entry key="propertiesRef" value-ref="ConfigLoader"/> <entry key="encryptionUser" value="useReqSigCert"/> <entry key="signatureKeyIdentifier" value="DirectReference"/> <entry key="encryptionKeyIdentifier" value="DirectReference" /> <entry key="passwordCallbackRef"> <beans:ref bean="ConfigLoader"/> </entry> <entry key="signatureParts" value="{Content}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/> <entry key="encryptionParts" value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/> <!-- <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> --> <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </map> </constructor-arg> </bean> Here is one of the web pages I used: https://sites.google.com/site/ddmwsst/ws-security-impl In my particular case, the WSS4J (and CXF) used on the Server is constrained to be a much earlier version than what is bundled in SoapUi. In that earlier version of WSS4J on the server you could not have separate keystore and truststore files, so on the server I just have one: a keystore that contains the server public/private key pair, and the client public key. In SoapUi, I split them out because I thought it would help me understand what was required, and where. I have a client keystore that contains the client public/private key, and a truststore that contains the server public key. One key thing I had to do to get X.50 mutual certificate authentication working was to use encryptionUser="useReqSigCert", which told the server to encrypt the server response using the cert that was used to sign the request. n Andy From: Paul Avijit [mailto:[email protected]] Sent: Tuesday, April 22, 2014 10:58 AM To: [email protected]; Hart, Andrew B. Subject: Re: CXF (WS-Security) + SoapUI Thanks Andrew for the detailed response. I have done pretty much as you have explained. The difference being I have just one client keystore. Let me explain what I have done. I have created the client and service keystores using the following commands: ***************************************************************************************************** keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias myservicekey -keypass skpass -storepass sspass -keystore serviceKeystore.jks -dname "cn=localhost" keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias myclientkey -keypass ckpass -storepass cspass -keystore clientKeystore.jks -dname "cn=clientuser" keytool -export -rfc -keystore clientKeystore.jks -storepass cspass -alias myclientkey -file MyClient.cer keytool -import -trustcacerts -keystore serviceKeystore.jks -storepass sspass -alias myclientkey -file MyClient.cer -noprompt keytool -export -rfc -keystore serviceKeystore.jks -storepass sspass -alias myservicekey -file MyService.cer keytool -import -trustcacerts -keystore clientKeystore.jks -storepass cspass -alias myservicekey -file MyService.cer -noprompt ***************************************************************************************************** In SoapUI - WS-SecurityConfigurations - Keystores I have the following: Source: path to clientKeystore.jks Status: OK Password: cspass Default Alias: myclientkey Alias Password: ckpass In SoapUI - WS-SecurityConfigurations - Truststores I have the following: Source: path to clientKeystore.jks Status: OK Password: cspass In SoapUI - Outgoing WS-SecurityConfigurations - Encryption I have the following: Keystore: clientKeystore.jks Alias: myclientkey Password: ckpass In CXF client I have the following in WSS4JOutInterceptor: <bean id="TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"> <constructor-arg> <map> <entry key="action" value="UsernameToken Timestamp Signature Encrypt"/> <entry key="passwordType" value="PasswordDigest"/> <entry key="user" value="POC-Username"/> <entry key="signatureUser" value="myclientkey"/> <entry key="passwordCallbackClass" value="com.hp.bes.hc.caqhcore.client.security.ClientKeystorePasswordCallback"/> <entry key="signaturePropFile" value="clientKeystore.properties"/> <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://www.w3.org/2003/05/soap-envelope}Body"/> <entry key="encryptionPropFile" value="clientKeystore.properties"/> <entry key="encryptionUser" value="myservicekey"/> <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://www.w3.org/2003/05/soap-envelope}Body"/> <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> </map> </constructor-arg> <property name="allowMTOM" value="true"/> </bean> This works perfectly fine when tested using CXF client. All of the above has also been configured in SoapUI except. <entry key="encryptionUser" value="myservicekey"/> When I test using SoapUI, when the request goes to the server, I get the following error in the server logs: [ERROR][[ACTIVE] ExecuteThread: '23' for queue: 'weblogic.kernel.Default (self-tuning)'][2014-04-22 11:16:28,200] org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:650) - Cannot find key for alias: [myclientkey] in keystore of type [jks] from provider [SUN version 1.6] with size [2] and aliases: {myservicekey, myclientkey} Apr 22, 2014 11:16:28 AM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage WARNING: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid When I only secure my web service using UsernameToken Timestamp and Signature, it works fine when tested with SoapUI. I get the above error when Encrypt is also used to secure it. Regards Paul On Tuesday, April 22, 2014 10:50 AM, "Hart, Andrew B." <[email protected]<mailto:[email protected]>> wrote: It took me quite a bit of trial and error to figure out what went where in SoapUi. I find their documentation to be lacking. I'll just tell you how I have it set up in the hope that it helps: a) Under Keystores you have the path to the keystore that contains your client public and private key. Password is the keystore password. The default client alias in the keystore, then the password for the private key. b) Under Truststores you have the path to the keystore that contains the public cert of the server. The Password is the truststore password. I left the default alias and password blank. c) Under "Incoming" the "Decrypt" keystore is the path to the keystore (a). The "Signature" is (b). The password is for the keystore. d) Under "Outgoing" the default alias is the alias for your client key in (a). If you have a signature action set up, the Keystore specified will be (a). The "alias" and "password" will be the alias for the client private key. Now to associate these configurations with SoapUi requests, there are several places to do this. You can do it globally for a particular service endpoint by double clicking on the green hourglass for the interface in the tree. In the window that comes up, select the "Service Endpoints" tab. Put the outgoing and incoming ws-configurations there, and they will apply to all operations. Or, for each request, you double click to open the request window. In the bottom left there is a menu for "Authentication and Security related settings". You can specify your incoming and outgoing profile there. You can also right click directly in the window where your request xml appears, select the "Outgoing WSS" from the context menu and then either "Apply" or "Remove All". So, it sounds like SoapUi is not finding the "Incoming" ws configuration, or your truststore. When you get the response back, look in the bottom of that window and there is the WSS log. Click on it and you should see "WS-Security processing results" there that will help you debug your problem. If I had to guess, you might have the keystore and truststore switched around in (c). Also, SoapUi caches things up. I found it difficult to trust it, so when I made changes to WS-Security configuration in SoapUi, I often closed the project and opened it back up to make sure it was using my latest changes. Hope this helped. -- Andy -----Original Message----- From: Paul Avijit [mailto:[email protected]<mailto:[email protected]>] Sent: Monday, April 21, 2014 5:36 PM To: [email protected]<mailto:[email protected]> Subject: CXF (WS-Security) + SoapUI Hi, I have a Web service implemented using CXF which is secured with WS-Security (X.509 Encryption). I have tested it successfully using a CXF client. I have configured WS-Security in SoapUI. But when I test using SoapUI I get the following error: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid All configuration that I have done in CXF client is present in SoapUI. I could not find in SoapUI the equivalent of the following configuration (constructor argument of WSS4JOutInterceptor) that I have in CXF client, which is resulting in the error. I know it is this configuration as when I delete this configuration from the CXF client I get the same error. <entry key="encryptionUser" value="myservicekey"/> Can anyone please let me know how to test this using SoapUI. Thanks in advance for the help to CXF experts in this mailing list. Regards Paul
