Answer inline. On Thu, Feb 16, 2017 at 2:02 PM, Morein, Arnie <arnold.mor...@dps.texas.gov> wrote:
> And that is part of the confusion. What is meant by PORT NAME?
>

The Port name in the WSDL. For example, from the ws-security-examples,
system tests:

<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPlaintextPort" createdFromAPI="true">

matches the WSDL port:

<wsdl:port name="DoubleItPlaintextPort" binding="tns:DoubleItPlaintextBinding">

You can use wildcards as well I believe to match multiple ports.

Colm.

> The Interface? I have tried:
>
> {http://aamva.org/authentication/3.1.0}IAuthenticationService
>
> And the implementation (extends Service):
>
> {http://aamva.org/authentication/3.1.0}AuthenticationService
>
> Neither matches. What else could it be?
>
> I CERTAINLY hope that these jaxws:client constructs are NOT supposed to be
> every METHOD in the server?!
>
> -----Original Message-----
> From: Morein, Arnie [mailto:arnold.mor...@dps.texas.gov]
> Sent: Wednesday, February 15, 2017 4:29 PM
> To: users@cxf.apache.org
> Subject: [EXTERNAL] Problem calling WCF MS service with security
>
> I have to consume a web service that was written in .Net and requires the
> security policies listed below. We develop in Java to a WAR. I created a
> separate project for the WSDL's Java stubs using Maven's cxf-codegen-plugin
> (3.1.10). It was added to the main WAR project and compiles fine. But
> during initial access to the service, a CXF error occurs.
>
> The manual which came with the WSDL had the following to say about the
> security features in use:
>
> > Transport Layer Security
> > Third party X.509 certificate and Tokens Client X.509 certificate
>
> We received a file from the vendor which was converted into a JKS. It has
> two trustedCertEntry entries and one private key of X.509 type.
>
> As I understand the manual, the service does not use the user
> name/password type of WS security. All traffic goes over HTTPS of course,
> and the certificate is supposed to be used to encrypt the message content
> both coming and going.
>
> I have tried to configure the necessary values for CXF to work but always
> get the same error:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: Security
> configuration could not be detected. Potential cause: Make sure
> jaxws:client element with name attribute value matching endpoint port is
> defined as well as a security.signature.properties element within it.
>
> I have tried setting the necessary (AFAIK) properties via API and Spring
> XML configuration to no avail.
>
> I would greatly appreciate some guidance as to what CXF is looking for
> (and where the file is supposed to be if configuration). Currently I have
> the client-crypto.properties file under /WEB-INF/cxf along with the jks
> file. Its contents:
>
> org.apache.ws.security.crypto.merlin.keystore.file=/WEB-INF/cxf/dlsKeystore.jks
> org.apache.ws.security.crypto.merlin.keystore.type=JKS
> org.apache.ws.security.crypto.merlin.keystore.alias=1
> org.apache.ws.security.crypto.merlin.keystore.password=****
> org.apache.ws.security.crypto.merlin.keystore.private.password=****
> org.apache.ws.security.crypto.merlin.truststore.file=/WEB-INF/cxf/dlsKeystore.jks
> org.apache.ws.security.crypto.merlin.truststore.type=JKS
> org.apache.ws.security.crypto.merlin.truststore.password=****
>
> Things I have tried setting via API:
>
> // set up ws-security
> /*HashMap<String, Object> crytoProperties = new HashMap<String, Object>();
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.file", KEYSTORE_FILE);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.alias", KEYSTORE_KEY_ALIAS);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.password", KEYSTORE_PASSWORD);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.private.password", KEYSTORE_KEY_PASSWORD);
>
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.file", KEYSTORE_FILE);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.type", "JKS");
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.password", KEYSTORE_PASSWORD);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.alias", KEYSTORE_KEY_ALIAS);
>
> Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
> ctx.putAll(crytoProperties);*/
>
> // activate ws-security
> /*org.apache.cxf.endpoint.Client client = (org.apache.cxf.endpoint.Client) port;
> org.apache.cxf.endpoint.Endpoint endpoint = client.getEndpoint();*/
>
> // add interceptors
> /*HashMap<String, Object> inProps = new HashMap<String, Object>();
> inProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS);
> inProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS);
> inProps.put(WSHandlerConstants.SIG_PROP_FILE, WSS4J_PROPERTIES);
> inProps.put(WSHandlerConstants.ENC_PROP_FILE, WSS4J_PROPERTIES);
>
> // the inbound chain needs the In interceptor (the Out variant was added here by mistake)
> endpoint.getInInterceptors().add(new WSS4JInInterceptor(inProps));
> endpoint.getInInterceptors().add(new LoggingInInterceptor());
>
> HashMap<String, Object> outProps = new HashMap<String, Object>();
> outProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS);
> outProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS);
> outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
>         + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
> outProps.put(WSHandlerConstants.SIG_PROP_FILE, WSS4J_PROPERTIES);
> outProps.put(WSHandlerConstants.ENC_PROP_FILE, WSS4J_PROPERTIES);
>
> outProps.put(WSHandlerConstants.PW_CALLBACK_REF,
>         "txdps.dl.bpr.common.business.VlsCxfKeystorePasswordCallback");
>
> endpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
> endpoint.getOutInterceptors().add(new LoggingOutInterceptor());*/
>
> // set options
> /*HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
> final HTTPClientPolicy httpClientPolicy = httpConduit.getClient();
> httpClientPolicy.setAllowChunking(false); // MS does not support
> httpClientPolicy.setAutoRedirect(true); // hopefully
> httpClientPolicy.setConnection(ConnectionType.KEEP_ALIVE); // maybe
>
> TLSClientParameters tlsCP = new TLSClientParameters();
> String keyPassword = KEYSTORE_PASSWORD;
> KeyStore keyStore = KeyStore.getInstance("JKS");
> Resource aamvaJks = applicationContext.getResource(KEYSTORE_FILE);
>
> keyStore.load(aamvaJks.getInputStream(), KEYSTORE_PASSWORD.toCharArray());
> KeyManager[] myKeyManagers = getKeyManagers(keyStore, keyPassword);
> tlsCP.setKeyManagers(myKeyManagers);
>
> KeyStore trustStore = KeyStore.getInstance("JKS");
> aamvaJks = applicationContext.getResource(KEYSTORE_FILE);
> trustStore.load(aamvaJks.getInputStream(), KEYSTORE_PASSWORD.toCharArray());
> TrustManager[] myTrustStoreKeyManagers = getTrustManagers(trustStore);
> tlsCP.setTrustManagers(myTrustStoreKeyManagers);
> httpConduit.setTlsClientParameters(tlsCP);*/
>
> Things I have tried setting via configuration (there are actually two
> WSDLs compiled into one external jar).
>
> <!-- ********************************************************* -->
> <!-- * Configure the CXF Bus * -->
> <!-- ********************************************************* -->
> <import resource="classpath:META-INF/cxf/cxf.xml" />
> <cxf:bus>
>     <cxf:features>
>         <p:policies />
>         <cxf:logging />
>     </cxf:features>
> </cxf:bus>
>
> <jaxws:client id="aamva-authentication"
>     name="{http://aamva.org/authentication/3.1.0}AuthenticationService"
>     createdFromAPI="true">
>     <jaxws:properties>
>         <entry key="ws-security.signature.properties"
>             value="/WEB-INF/cxf/client-crypto.properties" />
>         <entry key="ws-security.encryption.properties"
>             value="/WEB-INF/cxf/client-crypto.properties" />
>     </jaxws:properties>
> </jaxws:client>
>
> <jaxws:client id="aamva-vls3"
>     name="{http://uscis.gov/uscis/services/esb/vls/3.0}VerificationOfLawfulStatusService30"
>     createdFromAPI="true">
>     <jaxws:properties>
>         <entry key="ws-security.signature.properties"
>             value="/WEB-INF/cxf/client-crypto.properties" />
>         <entry key="ws-security.encryption.properties"
>             value="/WEB-INF/cxf/client-crypto.properties" />
>     </jaxws:properties>
> </jaxws:client>
>
> WSDL policies:
>
> <wsp:Policy wsu:Id="wsHttpEndPoint_policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:TransportToken>
>             <wsp:Policy>
>               <sp:HttpsToken RequireClientCertificate="false" />
>             </wsp:Policy>
>           </sp:TransportToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>         </wsp:Policy>
>       </sp:TransportBinding>
>       <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:BootstrapPolicy>
>                 <wsp:Policy>
>                   <sp:SignedParts>
>                     <sp:Body />
>                     <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
>                   </sp:SignedParts>
>                   <sp:EncryptedParts>
>                     <sp:Body />
>                   </sp:EncryptedParts>
>                   <sp:TransportBinding>
>                     <wsp:Policy>
>                       <sp:TransportToken>
>                         <wsp:Policy>
>                           <sp:HttpsToken RequireClientCertificate="false" />
>                         </wsp:Policy>
>                       </sp:TransportToken>
>                       <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                           <sp:Basic256 />
>                         </wsp:Policy>
>                       </sp:AlgorithmSuite>
>                       <sp:Layout>
>                         <wsp:Policy>
>                           <sp:Strict />
>                         </wsp:Policy>
>                       </sp:Layout>
>                       <sp:IncludeTimestamp />
>                     </wsp:Policy>
>                   </sp:TransportBinding>
>                   <sp:EndorsingSupportingTokens>
>                     <wsp:Policy>
>                       <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                         <wsp:Policy>
>                           <sp:RequireThumbprintReference />
>                           <sp:WssX509V3Token10 />
>                         </wsp:Policy>
>                       </sp:X509Token>
>                       <sp:SignedParts>
>                         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>                       </sp:SignedParts>
>                     </wsp:Policy>
>                   </sp:EndorsingSupportingTokens>
>                   <sp:Wss11>
>                     <wsp:Policy>
>                       <sp:MustSupportRefThumbprint />
>                     </wsp:Policy>
>                   </sp:Wss11>
>                   <sp:Trust10>
>                     <wsp:Policy>
>                       <sp:MustSupportIssuedTokens />
>                       <sp:RequireClientEntropy />
>                       <sp:RequireServerEntropy />
>                     </wsp:Policy>
>                   </sp:Trust10>
>                 </wsp:Policy>
>               </sp:BootstrapPolicy>
>             </wsp:Policy>
>           </sp:SecureConversationToken>
>         </wsp:Policy>
>       </sp:EndorsingSupportingTokens>
>       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy />
>       </sp:Wss11>
>       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens />
>           <sp:RequireClientEntropy />
>           <sp:RequireServerEntropy />
>         </wsp:Policy>
>       </sp:Trust10>
>       <wsaw:UsingAddressing />
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
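The port-name rule from the reply above, as an added example that is not part of this thread or of CXF itself: a small Python helper that pulls every wsdl:port out of a WSDL, builds the exact {targetNamespace}PortName strings a jaxws:client name attribute has to equal, and checks a candidate name against them (the portType and service names, which were tried in the thread, are deliberately not accepted). The sample WSDL is constructed: the namespace, binding and first port come from the DoubleIt example in the reply, everything else is invented.

```python
"""Derive the jaxws:client name= values CXF matches against a WSDL's ports."""
import xml.etree.ElementTree as ET
from typing import List

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Constructed sample WSDL (not the AAMVA contract from the thread): the
# namespace and first port follow the DoubleIt example, the rest is invented.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://www.example.org/contract/DoubleIt"
    targetNamespace="http://www.example.org/contract/DoubleIt">
  <wsdl:portType name="DoubleItPortType"/>
  <wsdl:binding name="DoubleItPlaintextBinding" type="tns:DoubleItPortType"/>
  <wsdl:service name="DoubleItService">
    <wsdl:port name="DoubleItPlaintextPort" binding="tns:DoubleItPlaintextBinding"/>
    <wsdl:port name="DoubleItSecurePort" binding="tns:DoubleItPlaintextBinding"/>
  </wsdl:service>
</wsdl:definitions>
"""

def port_qnames(wsdl_xml: str) -> List[str]:
    """Return '{targetNamespace}portName' for each wsdl:port under wsdl:service.
    This is the QName form the jaxws:client name attribute is compared with;
    portType (interface) and service names are intentionally left out."""
    root = ET.fromstring(wsdl_xml)
    tns = root.get("targetNamespace", "")
    path = f".//{{{WSDL_NS}}}service/{{{WSDL_NS}}}port"
    return [f"{{{tns}}}{port.get('name')}" for port in root.findall(path)]

def name_matches_port(client_name: str, wsdl_xml: str) -> bool:
    """Exact comparison: a stray space or line break inside the attribute value
    (easy to introduce when wrapping long Spring XML) makes the match fail."""
    return client_name in port_qnames(wsdl_xml)

def jaxws_client_snippet(port_qname: str, props_path: str) -> str:
    """Spring XML for one port, wiring the crypto properties file that the
    PolicyException message asks for (ws-security.signature.properties)."""
    return (
        f'<jaxws:client name="{port_qname}" createdFromAPI="true">\n'
        "    <jaxws:properties>\n"
        f'        <entry key="ws-security.signature.properties" value="{props_path}" />\n'
        f'        <entry key="ws-security.encryption.properties" value="{props_path}" />\n'
        "    </jaxws:properties>\n"
        "</jaxws:client>"
    )
```

Run port_qnames over the real WSDL and paste the returned strings verbatim into the name attribute; if a candidate fails name_matches_port, the properties will never be picked up.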