I have to consume a web service that was written in .Net and requires the security policies listed below. We develop in Java to a WAR. I created a separate project for the WSDL's Java stubs using Maven's cxf-codegen-plugin (3.1.10). It was added to the main WAR project and compiles fine. But during initial access to the service, a CXF error occurs.
The manual which came with the WSDL had the following to say about the security features in use: Transport Layer Security Third party X.509 certificate and Tokens Client X.509 certificate We received a file from the vendor which was converted into a JKS. It has two trustedCertEntry entries and one private key of X.509 type. As I understand the manual, the service does not use the user name/password type of WS security. All traffic goes over HTTPS of course, and the certificate is supposed to be used to encrypt the message content both coming and going. I have tried to configure the necessary values for CXF to work but always get the same error: Caused by: org.apache.cxf.ws.policy.PolicyException: Security configuration could not be detected. Potential cause: Make sure jaxws:client element with name attribute value matching endpoint port is defined as well as a security.signature.properties element within it. I have tried setting the necessary (AFAIK) properties via API and Spring XML configuration to no avail. I would greatly appreciate some guidance as to what CXF is looking for (and where the file is supposed to be if configuration). Currently I have the client-crypto.properties file under /WEB-INF/cxf along with the jks file. Its contents: org.apache.ws.security.crypto.merlin.keystore.file=/WEB-INF/cxf/dlsKeystore.jks org.apache.ws.security.crypto.merlin.keystore.type=JKS org.apache.ws.security.crypto.merlin.keystore.alias=1 org.apache.ws.security.crypto.merlin.keystore.password=**** org.apache.ws.security.crypto.merlin.keystore.private.password=**** org.apache.ws.security.crypto.merlin.truststore.file=/WEB-INF/cxf/dlsKeystore.jks org.apache.ws.security.crypto.merlin.truststore.type=JKS org.apache.ws.security.crypto.merlin.truststore.password=**** Things I have tried setting via API: // set up ws-security /*HashMap<String, Object> crytoProperties = new HashMap<String, Object>(); crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.file", KEYSTORE_FILE); crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS"); crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.alias", KEYSTORE_KEY_ALIAS); crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.password", KEYSTORE_PASSWORD); crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.private.password", KEYSTORE_KEY_PASSWORD); crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.file", KEYSTORE_FILE); crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.type", "JKS"); crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.password", KEYSTORE_PASSWORD); crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.alias", KEYSTORE_KEY_ALIAS); Map<String, Object> ctx = ((BindingProvider) port).getRequestContext(); ctx.putAll(crytoProperties);*/ // activate ws-security /*org.apache.cxf.endpoint.Client client = (org.apache.cxf.endpoint.Client) port; org.apache.cxf.endpoint.Endpoint endpoint = client.getEndpoint();*/ // add intercepters /*HashMap<String, Object> inProps = new HashMap<String, Object>(); inProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS); inProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS); inProps.put(WSHandlerConstants.SIG_PROP_FILE, WSS4J_PROPERTIES); inProps.put(WSHandlerConstants.ENC_PROP_FILE, WSS4J_PROPERTIES); endpoint.getInInterceptors().add(new WSS4JOutInterceptor(inProps)); endpoint.getInInterceptors().add(new LoggingInInterceptor()); HashMap<String, Object> outProps = new HashMap<String, Object>(); outProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS); outProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS); outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT); outProps.put(WSHandlerConstants.SIG_PROP_FILE, WSS4J_PROPERTIES); outProps.put(WSHandlerConstants.ENC_PROP_FILE, WSS4J_PROPERTIES); outProps.put(WSHandlerConstants.PW_CALLBACK_REF, "txdps.dl.bpr.common.business.VlsCxfKeystorePasswordCallback"); endpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps)); endpoint.getOutInterceptors().add(new LoggingOutInterceptor());*/ // set options /*HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port).getConduit(); final HTTPClientPolicy httpClientPolicy = httpConduit.getClient(); httpClientPolicy.setAllowChunking(false); // MS does not support httpClientPolicy.setAutoRedirect(true); // hopefully httpClientPolicy.setConnection(ConnectionType.KEEP_ALIVE); // maybe TLSClientParameters tlsCP = new TLSClientParameters(); String keyPassword = KEYSTORE_PASSWORD; KeyStore keyStore = KeyStore.getInstance("JKS"); Resource aamvaJks = applicationContext.getResource(KEYSTORE_FILE); keyStore.load(aamvaJks.getInputStream(), KEYSTORE_PASSWORD.toCharArray()); KeyManager[] myKeyManagers = getKeyManagers(keyStore, keyPassword); tlsCP.setKeyManagers(myKeyManagers); KeyStore trustStore = KeyStore.getInstance("JKS"); aamvaJks = applicationContext.getResource(KEYSTORE_FILE); trustStore.load(aamvaJks.getInputStream(), KEYSTORE_PASSWORD.toCharArray()); TrustManager[] myTrustStoreKeyManagers = getTrustManagers(trustStore); tlsCP.setTrustManagers(myTrustStoreKeyManagers); httpConduit.setTlsClientParameters(tlsCP);*/ Things I have tried setting via configuration (there are actually two WSDLs compiled into one external jar). <!-- ********************************************************* --> <!-- * Configure the CXF Bus * --> <!-- ********************************************************* --> <import resource="classpath:META-INF/cxf/cxf.xml" /> <cxf:bus> <cxf:features> <p:policies /> <cxf:logging /> </cxf:features> </cxf:bus> <jaxws:client id="aamva-authentication" name="{http://aamva.org/authentication/3.1.0}AuthenticationService" createdFromAPI="true" > <jaxws:properties> <entry key="ws-security.signature.properties" value="/WEB-INF/cxf/client-crypto.properties" /> <entry key="ws-security.encryption.properties" value="/WEB-INF/cxf/client-crypto.properties" /> </jaxws:properties> </jaxws:client> <jaxws:client id="aamva-vls3" name="{http://uscis.gov/uscis/services/esb/vls/3.0}VerificationOfLawfulStatusService30" createdFromAPI="true" > <jaxws:properties> <entry key="ws-security.signature.properties" value="/WEB-INF/cxf/client-crypto.properties" /> <entry key="ws-security.encryption.properties" value="/WEB-INF/cxf/client-crypto.properties" /> </jaxws:properties> </jaxws:client> WSDL policies: <wsp:Policy wsu:Id="wsHttpEndPoint_policy"> <wsp:ExactlyOne> <wsp:All> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" > <wsp:Policy> <sp:TransportToken> <wsp:Policy> <sp:HttpsToken RequireClientCertificate="false" /> </wsp:Policy> </sp:TransportToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256 /> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Strict /> </wsp:Policy> </sp:Layout> <sp:IncludeTimestamp /> </wsp:Policy> </sp:TransportBinding> <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" > <wsp:Policy> <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" > <wsp:Policy> <sp:BootstrapPolicy> <wsp:Policy> <sp:SignedParts> <sp:Body /> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" /> <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" /> <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" /> <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" /> <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" /> <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" /> <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" /> </sp:SignedParts> <sp:EncryptedParts> <sp:Body /> </sp:EncryptedParts> <sp:TransportBinding> <wsp:Policy> <sp:TransportToken> <wsp:Policy> <sp:HttpsToken RequireClientCertificate="false" /> </wsp:Policy> </sp:TransportToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256 /> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Strict /> </wsp:Policy> </sp:Layout> <sp:IncludeTimestamp /> </wsp:Policy> </sp:TransportBinding> <sp:EndorsingSupportingTokens> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" > <wsp:Policy> <sp:RequireThumbprintReference /> <sp:WssX509V3Token10 /> </wsp:Policy> </sp:X509Token> <sp:SignedParts> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" /> </sp:SignedParts> </wsp:Policy> </sp:EndorsingSupportingTokens> <sp:Wss11> <wsp:Policy> <sp:MustSupportRefThumbprint /> </wsp:Policy> </sp:Wss11> <sp:Trust10> <wsp:Policy> <sp:MustSupportIssuedTokens /> <sp:RequireClientEntropy /> <sp:RequireServerEntropy /> </wsp:Policy> </sp:Trust10> </wsp:Policy> </sp:BootstrapPolicy> </wsp:Policy> </sp:SecureConversationToken> </wsp:Policy> </sp:EndorsingSupportingTokens> <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy /> </sp:Wss11> <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" > <wsp:Policy> <sp:MustSupportIssuedTokens /> <sp:RequireClientEntropy /> <sp:RequireServerEntropy /> </wsp:Policy> </sp:Trust10> <wsaw:UsingAddressing /> </wsp:All> </wsp:ExactlyOne> </wsp:Policy>