No it's fine to add it to truststore - the logging is a bit iffy there, I'll fix it in WSS4J.

As the response message is only referring to the signing cert via a SubjectKeyIdentifier it's not enough to add the CA Cert... you have to add the exact signing cert of the service into your truststore.

Colm.

On Fri, Jan 19, 2018 at 11:20 AM, Al Grant <bigal...@gmail.com> wrote:

> I note from the log that it loads the truststore and the keystore, but only
> appears to search the truststore for the server cert to verify the signing
> on the response?
>
> DEBUG 2018-01-20 00:12:59,141 [Thread-2] org.apache.wss4j.common.util.Loader - Trying to find [C:\Users\AlGrant\IdeaProjects\importer\src\main\resources\keystore.jks] using sun.misc.Launcher$AppClassLoader@18b4aac2 class loader.
> DEBUG 2018-01-20 00:12:59,142 [Thread-2] org.apache.wss4j.common.util.Loader - Trying to find [C:\Users\AlGrant\IdeaProjects\importer\src\main\resources\keystore.jks] using sun.misc.Launcher$AppClassLoader@18b4aac2 class loader.
> DEBUG 2018-01-20 00:12:59,145 [Thread-2] org.apache.wss4j.common.util.Loader - Trying to find [C:\Users\AlGrant\IdeaProjects\importer\src\main\resources\keystore.jks] using ClassLoader.getSystemResource().
> DEBUG 2018-01-20 00:12:59,147 [Thread-2] org.apache.wss4j.common.crypto.Merlin - The KeyStore C:\Users\AlGrant\IdeaProjects\importer\src\main\resources\keystore.jks of type jks has been loaded
> DEBUG 2018-01-20 00:12:59,148 [Thread-2] org.apache.wss4j.common.util.Loader - Trying to find [C:\Users\AlGrant\IdeaProjects\importer\src\main\resources\truststore.jks] using sun.misc.Launcher$AppClassLoader@18b4aac2 class loader.
> DEBUG 2018-01-20 00:12:59,151 [Thread-2] org.apache.wss4j.common.util.Loader - Trying to find [C:\Users\AlGrant\IdeaProjects\importer\src\main\resources\truststore.jks] using sun.misc.Launcher$AppClassLoader@18b4aac2 class loader.
> DEBUG 2018-01-20 00:12:59,153 [Thread-2] org.apache.wss4j.common.util.Loader - Trying to find [C:\Users\AlGrant\IdeaProjects\importer\src\main\resources\truststore.jks] using ClassLoader.getSystemResource().
> DEBUG 2018-01-20 00:12:59,156 [Thread-2] org.apache.wss4j.common.crypto.Merlin - The TrustStore C:\Users\AlGrant\IdeaProjects\importer\src\main\resources\truststore.jks of type jks has been loaded
> DEBUG 2018-01-20 00:12:59,160 [Thread-2] org.apache.wss4j.dom.processor.TimestampProcessor - Found Timestamp list element
> DEBUG 2018-01-20 00:12:59,171 [Thread-2] org.apache.wss4j.common.util.DateUtil - Validation of Created: Everything is ok
> DEBUG 2018-01-20 00:12:59,174 [Thread-2] org.apache.wss4j.dom.processor.SignatureProcessor - Found signature element
> DEBUG 2018-01-20 00:12:59,176 [Thread-2] org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
> DEBUG 2018-01-20 00:12:59,183 [Thread-2] org.apache.wss4j.common.crypto.Merlin - Searching keystore for cert using Subject Key Identifier bytes
> DEBUG 2018-01-20 00:12:59,184 [Thread-2] org.apache.wss4j.common.crypto.Merlin - No SKI match found in keystore
> DEBUG 2018-01-20 00:12:59,185 [Thread-2] org.apache.wss4j.common.crypto.Merlin - Searching keystore for cert using Subject Key Identifier bytes
> DEBUG 2018-01-20 00:12:59,185 [Thread-2] org.apache.wss4j.common.crypto.Merlin - No SKI match found in keystore
>
> should the server cert be added to keystore.jks instead of truststore.jks?
>
> --
> Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
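The point Colm makes above, that an SKI reference in the response can only be resolved if the truststore holds the exact signing certificate, can be checked directly against a truststore before turning WSS4J debug logging back on. The following is an added example, not code from the thread or from WSS4J: it loads a JKS truststore, prints the SubjectKeyIdentifier of every certificate in it, and looks for the one matching the base64 value from the response's wsse:KeyIdentifier element. The truststore path, password and the base64 identifier are assumed command-line arguments; the lookup mirrors what an SKI match has to do (compare the raw KeyIdentifier OCTET STRING bytes), so a truststore that only contains the issuing CA will show a different SKI and no match.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;

/**
 * Added example (not WSS4J code): checks whether a JKS truststore contains a certificate
 * whose SubjectKeyIdentifier equals the one referenced by a signed response.
 */
public class SkiTruststoreCheck {

    // OID of the X.509 SubjectKeyIdentifier extension (RFC 5280, section 4.2.1.2)
    private static final String SKI_OID = "2.5.29.14";

    /** Strips one DER OCTET STRING header (tag 0x04 plus length) and returns its content bytes. */
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("not a DER OCTET STRING");
        }
        int len = der[1] & 0xFF;
        int offset = 2;
        if ((len & 0x80) != 0) {                  // long-form length: next n bytes hold the length
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (der[offset + i] & 0xFF);
            }
            offset += n;
        }
        return Arrays.copyOfRange(der, offset, offset + len);
    }

    /**
     * Returns the raw SubjectKeyIdentifier bytes of a certificate, or null when the
     * certificate carries no SKI extension (such a certificate cannot be matched by SKI at all).
     */
    static byte[] skiOf(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(SKI_OID);
        if (ext == null) {
            return null;
        }
        // getExtensionValue() returns the extnValue OCTET STRING; for SKI its content is
        // KeyIdentifier ::= OCTET STRING, so two layers are unwrapped to reach the identifier.
        return unwrapOctetString(unwrapOctetString(ext));
    }

    /** Returns the alias of the first certificate whose SKI matches, or null when none does. */
    static String findAliasBySki(KeyStore store, byte[] wantedSki) throws Exception {
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = store.getCertificate(alias);
            if (c instanceof X509Certificate) {
                byte[] ski = skiOf((X509Certificate) c);
                if (ski != null && Arrays.equals(ski, wantedSki)) {
                    return alias;
                }
            }
        }
        return null;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    // Usage (assumed arguments): java SkiTruststoreCheck truststore.jks changeit <base64 KeyIdentifier>
    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] password = args[1].toCharArray();
        byte[] wanted = Base64.getDecoder().decode(args[2]);   // value of the wsse:KeyIdentifier element

        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }

        // List every entry with its SKI: the issuer's SKI never equals the leaf's, which is
        // why a truststore holding only the CA cannot satisfy an SKI reference.
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = store.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                byte[] ski = skiOf(x);
                System.out.println(alias + "  " + x.getSubjectX500Principal()
                        + "  SKI=" + (ski == null ? "<none>" : hex(ski)));
            }
        }

        String match = findAliasBySki(store, wanted);
        if (match == null) {
            System.out.println("No entry matches SKI " + hex(wanted)
                    + ": import the service's signing certificate itself, not only its issuer.");
        } else {
            System.out.println("SKI matches alias '" + match + "'");
        }
    }
}
```

When the service later rotates its signing certificate the SKI changes with the key, so this same check is what tells you the truststore entry has gone stale even though the CA certificate in it is still valid.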