My server code is very very simple; merely a SCA Export, with a Web Service / SOAP Binding, connecting into a SCA/BPEL component. The BPEL code includes a Java snippet which then converts the incoming Business Object into UTF-8 and outputs it to the log.
In order to set WS-Security headers on the SOAP request (my client is SoapUI), I'm adding a Digital Signature and a Timestamp, the former via a self-signed certificate held in a Java keystore on the client.
This: -
was extremely useful in helping me set up SoapUI.
Things aren't quite working as expected, with some rather interesting messages appearing in the WAS SystemOut.log, including: -
Caused by: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: CWWSS6810E: The runtime can not identify the key corresponding to the identifier [CN=davehay.uk.ibm.com,DC=UK,DC=IBM,DC=COM:540918370]. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@c2b4f517
CWWSS6521E
Caused by: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6001E: Key object was not obtained. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@2bcbf774
Caused by: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@41a64fd1
So now I'm looking at trace strings, including: -
*=info:com.ibm.websphere.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.xml.soapsec.*=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.webservices.multiprotocol.AgnosticService=all:com.ibm.ws.websvcs.utils.SecurityContextMigrator=all
thanks to this: -
This got me further, and made me realise how little I actually understand about this aspect of WAS, specifically Policy Sets and Bindings.
For the record, this is where I am now: -
Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: security.wssecurity.WSSContextImpl.s02: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: CWWSS6809E: The X509 certificate owned by CN=davehay.uk.ibm.com, DC=UK, DC=IBM, DC=COM, which is created from the binary in the message is different from the X509 certificate owned by CN=Bob, O=IBM, C=US, which is acquired from the keystore Path: C:\IBM\WebSphere\AppServer\profiles\AppSrv01//etc/ws-security/samples/enc-receiver.jceks. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@9c0b4f13
Caused by: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: CWWSS6809E: The X509 certificate owned by CN=davehay.uk.ibm.com, DC=UK, DC=IBM, DC=COM, which is created from the binary in the message is different from the X509 certificate owned by CN=Bob, O=IBM, C=US, which is acquired from the keystore Path: C:\IBM\WebSphere\AppServer\profiles\AppSrv01//etc/ws-security/samples/enc-receiver.jceks. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@9c0b4f13
which makes me think that the self-signed certificate that I'm using to sign my SOAP request needs to be in the WAS trust store.
However, the question is WHICH STORE?
Given that I'm seeing a reference to enc-receiver.jceks, which is inherited from the WAS 6 WS-Security Samples code, makes me think :-)
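As an added diagnostic example (not part of the original post, and not WAS or SoapUI code), here is a small Java program that loads a trust store and runs the JDK's PKIX CertPathBuilder against a signer certificate: it reproduces the "unable to find valid certification path to requested target" condition when the self-signed signer is missing from the store, and names the anchor that validates it when it is present. It assumes the store path, password, store type (JKS, JCEKS or PKCS12) and the signer's .cer file are passed as arguments, and that revocation checking is switched off.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Checks whether a WS-Security signer certificate chains to an anchor in a given trust store. */
public class CheckSignerTrust {

    /** Returns the subject of the trust anchor that validates the signer, or throws CertPathBuilderException. */
    public static String findAnchor(KeyStore trustStore, X509Certificate signer) throws Exception {
        // Every X.509 certificate in the store is treated as a trust anchor, as a trust store does.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate c = trustStore.getCertificate(alias);
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signer);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP reachable in a dev setup
        // The builder locates the target through a CertStore, so the signer itself is offered there.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singleton(signer))));
        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        return result.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java CheckSignerTrust <trust store> <password> <JKS|JCEKS|PKCS12> <signer .cer (DER or PEM)>
        KeyStore ks = KeyStore.getInstance(args[2]);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate signer;
        try (FileInputStream in = new FileInputStream(args[3])) {
            signer = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        try {
            System.out.println("Trusted via anchor: " + findAnchor(ks, signer));
        } catch (CertPathBuilderException e) {
            // This is the same failure the WS-Security consumer reports as CWWSS6521E / CertPathBuilderException.
            System.out.println("Not trusted: " + e.getMessage()
                    + " (the signer, or its issuer, is not in this trust store)");
        }
    }
}
```

Running it against each candidate store (the cell or node default trust store, or a keystore named in the consumer binding) shows which one the signer still needs to be imported into.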
Watch this space :-)