Friday, 11 November 2016

Aide Memoire - Tinkering with WS-Security and IBM BPM Advanced 8.5.7

This is an ongoing Work-in-Progress, as I strive to understand how WS-Security works, specifically in terms of sending SOAP requests into IBM BPM Advanced 8.5.7.

My server code is very very simple; merely a SCA Export, with a Web Service / SOAP Binding, connecting into a SCA/BPEL component. The BPEL code includes a Java snippet which then converts the incoming Business Object into UTF-8 and outputs it to the log.

In order to set WS-Security headers on the SOAP request ( my client is SoapUI ), I'm adding a Digital Signature and a Timestamp, the former via a self-signed certificate held in a Java keystore on the client.

This: -


was extremely useful in helping me set up SoapUI.

Things aren't quite working as expected, with some rather interesting messages appearing in the WAS SystemOut.log, including: -

Caused by: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: CWWSS6810E: The runtime can not identify the key corresponding to the identifier [CN=davehay.uk.ibm.com,DC=UK,DC=IBM,DC=COM:540918370]. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@c2b4f517

Caused by: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6001E: Key object was not obtained. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@2bcbf774

Caused by: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@41a64fd1

So now I'm looking at trace strings, including: -

*=info:com.ibm.websphere.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.xml.soapsec.*=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.webservices.multiprotocol.AgnosticService=all:com.ibm.ws.websvcs.utils.SecurityContextMigrator=all

thanks to this: -




This got me further, and made me realise how little I actually understand about this aspect of WAS, specifically Policy Sets and Bindings.

For the record, this is where I am now: -

Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: security.wssecurity.WSSContextImpl.s02: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: CWWSS6809E: The X509 certificate owned by CN=davehay.uk.ibm.com, DC=UK, DC=IBM, DC=COM, which is created from the binary in the message is different from the X509 certificate owned by CN=Bob, O=IBM, C=US, which is acquired from the keystore Path: C:\IBM\WebSphere\AppServer\profiles\AppSrv01//etc/ws-security/samples/enc-receiver.jceks. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@9c0b4f13

which makes me think that the self-signed certificate that I'm using to sign my SOAP request needs to be in the WAS trust store.

However, the question is WHICH STORE ?

Given that I'm seeing a reference to enc-receiver.jceks, which is inherited from the WAS 6 WS-Security samples code, that makes me think :-)
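As an added example (not code from this post or from IBM), here is a small Python triage over the SystemOut.log messages quoted above: it recognises the four WS-Security failures, and pulls out the key identifier, the two certificate DNs and the keystore path, so you can see at a glance which certificate the consumer binding is looking for versus which one the message actually carried. The sample lines are constructed from the excerpts in this post, and the `DN:serial` split of the CWWSS6810E identifier is an assumption.

```python
import re

# Constructed sample: the four WS-Security failures quoted in this post, abbreviated with "..."
SAMPLE_LOG = "\n".join([
    "Caused by: ... CWWSS6810E: The runtime can not identify the key corresponding to the "
    "identifier [CN=davehay.uk.ibm.com,DC=UK,DC=IBM,DC=COM:540918370]. ocurred while running action: ...",
    "Caused by: ... CWWSS6001E: Key object was not obtained. ocurred while running action: ...",
    "Caused by: ... java.security.cert.CertPathBuilderException: unable to find valid certification "
    "path to requested target ocurred while running action: ...",
    "Caused by: ... CWWSS6809E: The X509 certificate owned by CN=davehay.uk.ibm.com, DC=UK, DC=IBM, "
    "DC=COM, which is created from the binary in the message is different from the X509 certificate "
    "owned by CN=Bob, O=IBM, C=US, which is acquired from the keystore Path: "
    "C:\\IBM\\WebSphere\\AppServer\\profiles\\AppSrv01//etc/ws-security/samples/enc-receiver.jceks. "
    "ocurred while running action: ...",
])

# One regex per failure mode seen in the post; named groups capture the evidence to act on
PATTERNS = {
    "CWWSS6810E": re.compile(r"CWWSS6810E:.*?identifier \[(?P<key_id>[^\]]+)\]"),
    "CWWSS6001E": re.compile(r"CWWSS6001E: Key object was not obtained"),
    "CertPathBuilderException": re.compile(r"CertPathBuilderException: unable to find valid certification path"),
    "CWWSS6809E": re.compile(
        r"CWWSS6809E: The X509 certificate owned by (?P<message_dn>.+?), which is created from the "
        r"binary in the message is different from the X509 certificate owned by (?P<keystore_dn>.+?), "
        r"which is acquired from the keystore Path: (?P<keystore>.+?)\. ocurred"),
}

# What each failure means on the consumer (server) side, read straight from the message text
MEANING = {
    "CWWSS6810E": "the runtime cannot resolve the key identifier in the message to a key it holds",
    "CWWSS6001E": "no key object could be loaded for the signature verification step",
    "CertPathBuilderException": "signer's certificate does not chain to any trusted anchor",
    "CWWSS6809E": "certificate carried in the message differs from the one in the binding's keystore",
}

def triage(log_text):
    """Return one finding per matching line: error code, its meaning and the extracted DNs/paths."""
    findings = []
    for line in log_text.splitlines():
        for code, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                detail = match.groupdict()
                if "key_id" in detail:
                    # Identifier reads like '<DN>:<serial>'; split on the last colon (assumption)
                    dn, _, serial = detail["key_id"].rpartition(":")
                    detail.update(dn=dn, serial=serial)
                findings.append({"code": code, "meaning": MEANING[code], **detail})
    return findings
```

Run `triage(open("SystemOut.log").read())` against a real log to get the same structured findings; a CWWSS6809E finding tells you directly which keystore the binding consulted and which DN it expected there.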

Watch this space :-)
