Answer inline.

On Thu, Feb 16, 2017 at 2:02 PM, Morein, Arnie <arnold.mor...@dps.texas.gov>
wrote:

> And that is part of the confusion. What is meant by PORT NAME?
>

The Port name in the WSDL. For example, from the ws-security-examples,
system tests:

<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPlaintextPort" createdFromAPI="true">

matches the WSDL port:

<wsdl:port name="DoubleItPlaintextPort"
binding="tns:DoubleItPlaintextBinding">

You can use wildcards as well I believe to match multiple ports.

Colm.


>
> The Interface? I have tried:
>
> {http://aamva.org/authentication/3.1.0}IAuthenticationService
>
> And  the implementation (extends Service):
>
> {http://aamva.org/authentication/3.1.0}AuthenticationService
>
> Neither matches. What else could it be?
>
> I CERTAINLY hope that these jaxws:client constructs are NOT supposed to be
> every METHOD in the server?!
>
> -----Original Message-----
> From: Morein, Arnie [mailto:arnold.mor...@dps.texas.gov]
> Sent: Wednesday, February 15, 2017 4:29 PM
> To: users@cxf.apache.org
> Subject: [EXTERNAL] Problem calling WCF MS service with security
>
> I have to consume a web service that was written in .Net and requires the
> security policies listed below. We develop in Java to a WAR. I created a
> separate project for the WSDL's Java stubs using Maven's cxf-codegen-plugin
> (3.1.10). It was added to the main WAR project and compiles fine. But
> during initial access to the service, a CXF error occurs.
>
> The manual which came with the WSDL had the following to say about the
> security features in use:
>
>
> Transport Layer Security
>
> Third party X.509 certificate and Tokens Client X.509 certificate
>
> We received a file from the vendor which was converted into a JKS. It has
> two trustedCertEntry entries and one private key of X.509 type.
>
> As I understand the manual, the service does not use the user
> name/password type of WS security. All traffic goes over HTTPS of course,
> and the certificate is supposed to be used to encrypt the message content
> both coming and going.
>
> I have tried to configure the necessary values for CXF to work but always
> get the same error:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: Security
> configuration could not be detected. Potential cause: Make sure
> jaxws:client element with name attribute value matching endpoint port is
> defined as well as a security.signature.properties element within it.
>
> I have tried setting the necessary (AFAIK) properties via API and Spring
> XML configuration to no avail.
>
> I would greatly appreciate some guidance as to what CXF is looking for
> (and where the file is supposed to be if configuration). Currently I have
> the client-crypto.properties file under /WEB-INF/cxf along with the jks
> file. Its contents:
>
> org.apache.ws.security.crypto.merlin.keystore.file=/WEB-INF/cxf/dlsKeystore.jks
> org.apache.ws.security.crypto.merlin.keystore.type=JKS
> org.apache.ws.security.crypto.merlin.keystore.alias=1
> org.apache.ws.security.crypto.merlin.keystore.password=****
> org.apache.ws.security.crypto.merlin.keystore.private.password=****
> org.apache.ws.security.crypto.merlin.truststore.file=/WEB-INF/cxf/dlsKeystore.jks
> org.apache.ws.security.crypto.merlin.truststore.type=JKS
> org.apache.ws.security.crypto.merlin.truststore.password=****
>
> Things I have tried setting via API:
>
> // set up ws-security
> /*HashMap<String, Object> crytoProperties = new HashMap<String, Object>();
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.file", KEYSTORE_FILE);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.alias", KEYSTORE_KEY_ALIAS);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.password", KEYSTORE_PASSWORD);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.private.password", KEYSTORE_KEY_PASSWORD);
>
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.file", KEYSTORE_FILE);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.type", "JKS");
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.password", KEYSTORE_PASSWORD);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.alias", KEYSTORE_KEY_ALIAS);
>
> Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
> ctx.putAll(crytoProperties);*/
>
> // activate ws-security
> /*org.apache.cxf.endpoint.Client client = (org.apache.cxf.endpoint.Client) port;
> org.apache.cxf.endpoint.Endpoint endpoint = client.getEndpoint();*/
>
> // add intercepters
> /*HashMap<String, Object> inProps = new HashMap<String, Object>();
> inProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS);
> inProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS);
> inProps.put(WSHandlerConstants.SIG_PROP_FILE, WSS4J_PROPERTIES);
> inProps.put(WSHandlerConstants.ENC_PROP_FILE, WSS4J_PROPERTIES);
>
> // the inbound chain needs the In interceptor (an Out interceptor here would never verify anything)
> endpoint.getInInterceptors().add(new WSS4JInInterceptor(inProps));
> endpoint.getInInterceptors().add(new LoggingInInterceptor());
>
> HashMap<String, Object> outProps = new HashMap<String, Object>();
> outProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS);
> outProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS);
> outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
>         + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
> outProps.put(WSHandlerConstants.SIG_PROP_FILE, WSS4J_PROPERTIES);
> outProps.put(WSHandlerConstants.ENC_PROP_FILE, WSS4J_PROPERTIES);
>
> // a class name string goes under PW_CALLBACK_CLASS; PW_CALLBACK_REF expects a CallbackHandler instance
> outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
>         "txdps.dl.bpr.common.business.VlsCxfKeystorePasswordCallback");
>
> endpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
> endpoint.getOutInterceptors().add(new LoggingOutInterceptor());*/
>
> // set options
> /*HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
> final HTTPClientPolicy httpClientPolicy = httpConduit.getClient();
> httpClientPolicy.setAllowChunking(false); // MS does not support
> httpClientPolicy.setAutoRedirect(true); // hopefully
> httpClientPolicy.setConnection(ConnectionType.KEEP_ALIVE); // maybe
>
> TLSClientParameters tlsCP = new TLSClientParameters();
> String keyPassword = KEYSTORE_PASSWORD;
> KeyStore keyStore = KeyStore.getInstance("JKS");
> Resource aamvaJks = applicationContext.getResource(KEYSTORE_FILE);
>
> keyStore.load(aamvaJks.getInputStream(), KEYSTORE_PASSWORD.toCharArray());
> KeyManager[] myKeyManagers = getKeyManagers(keyStore, keyPassword);
> tlsCP.setKeyManagers(myKeyManagers);
>
> KeyStore trustStore = KeyStore.getInstance("JKS");
> aamvaJks = applicationContext.getResource(KEYSTORE_FILE);
> trustStore.load(aamvaJks.getInputStream(), KEYSTORE_PASSWORD.toCharArray());
> TrustManager[] myTrustStoreKeyManagers = getTrustManagers(trustStore);
> tlsCP.setTrustManagers(myTrustStoreKeyManagers);
> httpConduit.setTlsClientParameters(tlsCP);*/
>
> Things I have tried setting via configuration (there are actually two
> WSDLs compiled into one external jar).
>
>     <!-- ********************************************************* -->
>     <!-- * Configure the CXF Bus * -->
>     <!-- ********************************************************* -->
>     <import resource="classpath:META-INF/cxf/cxf.xml" />
>     <cxf:bus>
>         <cxf:features>
>             <p:policies />
>             <cxf:logging />
>         </cxf:features>
>     </cxf:bus>
>     <jaxws:client id="aamva-authentication"
>         name="{http://aamva.org/authentication/3.1.0}AuthenticationService"
>         createdFromAPI="true"
>     >
>         <jaxws:properties>
>             <entry
>                 key="ws-security.signature.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>             <entry
>                 key="ws-security.encryption.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>         </jaxws:properties>
>     </jaxws:client>
>     <jaxws:client id="aamva-vls3"
>         name="{http://uscis.gov/uscis/services/esb/vls/3.0}VerificationOfLawfulStatusService30"
>         createdFromAPI="true"
>     >
>         <jaxws:properties>
>             <entry
>                 key="ws-security.signature.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>             <entry
>                 key="ws-security.encryption.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>         </jaxws:properties>
>     </jaxws:client>
>
> WSDL policies:
>
>     <wsp:Policy wsu:Id="wsHttpEndPoint_policy">
>         <wsp:ExactlyOne>
>             <wsp:All>
>                 <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                     <wsp:Policy>
>                         <sp:TransportToken>
>                             <wsp:Policy>
>                                 <sp:HttpsToken RequireClientCertificate="false" />
>                             </wsp:Policy>
>                         </sp:TransportToken>
>                         <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                                 <sp:Basic256 />
>                             </wsp:Policy>
>                         </sp:AlgorithmSuite>
>                         <sp:Layout>
>                             <wsp:Policy>
>                                 <sp:Strict />
>                             </wsp:Policy>
>                         </sp:Layout>
>                         <sp:IncludeTimestamp />
>                     </wsp:Policy>
>                 </sp:TransportBinding>
>                 <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                     <wsp:Policy>
>                         <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                             <wsp:Policy>
>                                 <sp:BootstrapPolicy>
>                                     <wsp:Policy>
>                                         <sp:SignedParts>
>                                             <sp:Body />
>                                             <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
>                                         </sp:SignedParts>
>                                         <sp:EncryptedParts>
>                                             <sp:Body />
>                                         </sp:EncryptedParts>
>                                         <sp:TransportBinding>
>                                             <wsp:Policy>
>                                                 <sp:TransportToken>
>                                                     <wsp:Policy>
>                                                         <sp:HttpsToken RequireClientCertificate="false" />
>                                                     </wsp:Policy>
>                                                 </sp:TransportToken>
>                                                 <sp:AlgorithmSuite>
>                                                     <wsp:Policy>
>                                                         <sp:Basic256 />
>                                                     </wsp:Policy>
>                                                 </sp:AlgorithmSuite>
>                                                 <sp:Layout>
>                                                     <wsp:Policy>
>                                                         <sp:Strict />
>                                                     </wsp:Policy>
>                                                 </sp:Layout>
>                                                 <sp:IncludeTimestamp />
>                                             </wsp:Policy>
>                                         </sp:TransportBinding>
>                                         <sp:EndorsingSupportingTokens>
>                                             <wsp:Policy>
>                                                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                                                     <wsp:Policy>
>                                                         <sp:RequireThumbprintReference />
>                                                         <sp:WssX509V3Token10 />
>                                                     </wsp:Policy>
>                                                 </sp:X509Token>
>                                                 <sp:SignedParts>
>                                                     <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>                                                 </sp:SignedParts>
>                                             </wsp:Policy>
>                                         </sp:EndorsingSupportingTokens>
>                                         <sp:Wss11>
>                                             <wsp:Policy>
>                                                 <sp:MustSupportRefThumbprint />
>                                             </wsp:Policy>
>                                         </sp:Wss11>
>                                         <sp:Trust10>
>                                             <wsp:Policy>
>                                                 <sp:MustSupportIssuedTokens />
>                                                 <sp:RequireClientEntropy />
>                                                 <sp:RequireServerEntropy />
>                                             </wsp:Policy>
>                                         </sp:Trust10>
>                                     </wsp:Policy>
>                                 </sp:BootstrapPolicy>
>                             </wsp:Policy>
>                         </sp:SecureConversationToken>
>                     </wsp:Policy>
>                 </sp:EndorsingSupportingTokens>
>                 <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                     <wsp:Policy />
>                 </sp:Wss11>
>                 <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                     <wsp:Policy>
>                         <sp:MustSupportIssuedTokens />
>                         <sp:RequireClientEntropy />
>                         <sp:RequireServerEntropy />
>                     </wsp:Policy>
>                 </sp:Trust10>
>                 <wsaw:UsingAddressing />
>             </wsp:All>
>         </wsp:ExactlyOne>
>     </wsp:Policy>
>

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
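The port-name matching the reply describes, as an added check that is not part of this thread or of CXF itself: it reads a WSDL and a Spring config (both constructed here around the DoubleItPlaintextPort quoted above) and reports, for each jaxws:client, whether its name is exactly a {targetNamespace}portName from the WSDL. It also flags the case from the quoted config where the attribute was wrapped onto a new line. Exact matching only; the wildcard form the reply mentions is not handled.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
JAXWS_NS = "http://cxf.apache.org/jaxws"

# Constructed WSDL fragment around the DoubleItPlaintextPort quoted in the reply.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://www.example.org/contract/DoubleIt"
    targetNamespace="http://www.example.org/contract/DoubleIt">
  <wsdl:service name="DoubleItService">
    <wsdl:port name="DoubleItPlaintextPort" binding="tns:DoubleItPlaintextBinding" />
  </wsdl:service>
</wsdl:definitions>"""

# Constructed Spring config with three clients: one naming the service instead of the
# port, one naming the port but with the attribute wrapped onto a new line, one correct.
SAMPLE_CONFIG = """<beans xmlns:jaxws="http://cxf.apache.org/jaxws">
  <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItService" />
  <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPlaintextPort
      " />
  <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPlaintextPort" />
</beans>"""


def wsdl_port_qnames(wsdl_xml: str) -> List[str]:
    """Every wsdl:port as the {targetNamespace}portName string the name attribute must equal."""
    root = ET.fromstring(wsdl_xml)
    tns = root.attrib["targetNamespace"]
    return [f"{{{tns}}}{p.attrib['name']}" for p in root.iter(f"{{{WSDL_NS}}}port")]


def jaxws_client_names(config_xml: str) -> List[str]:
    """Raw name attribute of each jaxws:client (whitespace kept so wrapping stays visible)."""
    root = ET.fromstring(config_xml)
    return [c.attrib["name"] for c in root.iter(f"{{{JAXWS_NS}}}client")]


def check_clients(wsdl_xml: str, config_xml: str) -> List[Tuple[str, str]]:
    """(name, verdict) per client: exact match against the WSDL ports, no wildcards."""
    ports = set(wsdl_port_qnames(wsdl_xml))
    report = []
    for raw in jaxws_client_names(config_xml):
        name = raw.strip()
        if name not in ports:
            report.append((name, "no such port in WSDL"))
        elif raw != name:
            report.append((name, "port exists, but the attribute carries stray whitespace"))
        else:
            report.append((name, "ok"))
    return report


if __name__ == "__main__":
    for name, verdict in check_clients(SAMPLE_WSDL, SAMPLE_CONFIG):
        print(f"{verdict:55} {name}")
```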
