The error message seems to be referring to derivation key length. Does the message contain a security header containing a Signature and derived keys?
Colm.

On Wed, Oct 26, 2016 at 4:22 PM, Martin Fernau <[email protected]> wrote:

> Hi,
>
> I've a wsdl with the following partial content:
>
> --cut
> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>   <wsp:Policy>
>     <sp:TransportToken>
>       <wsp:Policy>
>         <sp:HttpsToken RequireClientCertificate="false"/>
>       </wsp:Policy>
>     </sp:TransportToken>
>     <sp:AlgorithmSuite>
>       <wsp:Policy>
>         <sp:Basic256/>
>       </wsp:Policy>
>     </sp:AlgorithmSuite>
>     <sp:Layout>
>       <wsp:Policy>
>         <sp:Strict/>
>       </wsp:Policy>
>     </sp:Layout>
>     <sp:IncludeTimestamp/>
>   </wsp:Policy>
> </sp:TransportBinding>
> --cut
>
> If I call this service the response from the server gets rejected by CXF:
>
> --cut
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied:
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}AlgorithmSuite: The signature derived key length does not match the requirement
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Basic256
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:161)
>     at com.sun.proxy.$Proxy51.getContractsByCustomerID(Unknown Source)
>     at de.dmsserver.plugin.ford.test.fhdsales.TestComm.testGetContractsByCustomerID(TestComm.java:135)
>     at de.dmsserver.plugin.ford.test.fhdsales.TestComm.main(TestComm.java:128)
> --cut
>
> If I change above "<sp:Basic256/>" to "<sp:Basic128/>" the message is
> accepted.
> Is this a problem with the remote service or with CXF?
>
> AFAIK TransportBinding applies to the connection which is SSL encrypted.
> If I check the SSL Certificate with "openssl s_client -showcerts -connect
> [server]:443" I get:
>
> --cut
> CONNECTED(00000003)
> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
> verify return:1
> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
> verify return:1
> depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX
> verify return:1
> ---
> Certificate chain
>  0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX
>    i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
>  1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
>    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=XX/ST=XX/L=XX/O=XX/CN=XX
> issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3072 bytes and written 471 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-SHA384
>     Session-ID: CD4B00002CD328917F89C4AF9010C5145C745FD134466567345539C6AA1BE676
>     Session-ID-ctx:
>     Master-Key: 11B433DDEF0B003A6F261390EA6D50F1D881A9ADA2A40ABD3EC99F732C1132CD70CB17E19C4E6645B94CA25ACE798591
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1477495032
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> --cut
>
> Thanks
> Martin
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
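
The question in the reply above (is there a security header with a Signature and derived keys?) can be checked on a captured response. This is an added example, not part of the thread and not CXF code: it lists each `wsc:DerivedKeyToken` in the `wsse:Security` header and compares its length with the suite's derived key lengths. The function names, the constructed sample message and the suite values (taken from the WS-SecurityPolicy algorithm suite table) are assumptions to verify against your policy version.

```python
import xml.etree.ElementTree as ET

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSSE, WSU = OASIS + "secext-1.0.xsd", OASIS + "utility-1.0.xsd"
NS = {"wsse": WSSE, "ds": "http://www.w3.org/2000/09/xmldsig#"}
# (signature, encryption) derived key lengths in bits, from the WS-SecurityPolicy
# algorithm suite table; confirm against the policy version your service uses.
SUITES = {"Basic256": (192, 256), "Basic192": (192, 192), "Basic128": (128, 128)}
DEFAULT_DK_BYTES = 32  # WS-SecureConversation default when wsc:Length is absent

def local(tag):
    """Strip the '{namespace}' prefix so any WS-SC namespace version matches."""
    return tag.rsplit("}", 1)[-1]

def derived_key_report(soap_xml, suite):
    """Return (wsu:Id, usage, bits, matches_suite) per DerivedKeyToken."""
    sig_bits, enc_bits = SUITES[suite]
    header = ET.fromstring(soap_xml).find(".//wsse:Security", NS)
    if header is None:
        return []  # the message carries no wsse:Security header
    # wsu:Id values referenced from a ds:Signature's KeyInfo
    sig_refs = {r.get("URI", "").lstrip("#") for r in
                header.findall("ds:Signature/ds:KeyInfo//wsse:Reference", NS)}
    report = []
    for el in header:
        if local(el.tag) != "DerivedKeyToken":
            continue
        length = next((c for c in el if local(c.tag) == "Length"), None)
        bits = 8 * (int(length.text) if length is not None else DEFAULT_DK_BYTES)
        # Assumption: a derived key not referenced by a Signature is used to encrypt.
        usage = "signature" if el.get(f"{{{WSU}}}Id") in sig_refs else "encryption"
        required = sig_bits if usage == "signature" else enc_bits
        report.append((el.get(f"{{{WSU}}}Id"), usage, bits, bits == required))
    return report

# Constructed sample response (not from the thread): one 16-byte signature key.
SAMPLE = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"><s:Header><wsse:Security>
 <wsc:DerivedKeyToken wsu:Id="dk-sig"><wsc:Length>16</wsc:Length></wsc:DerivedKeyToken>
 <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#dk-sig"/>
 </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </wsse:Security></s:Header><s:Body/></s:Envelope>"""

if __name__ == "__main__":
    for suite in ("Basic256", "Basic128"):
        print(suite, derived_key_report(SAMPLE, suite))
```

An empty result means the response has no derived keys in its security header, which is the situation a pure TransportBinding policy describes.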
