Hello there!
I'm trying to improve security on a application suite we have here by adding ws-security encryption. We were using just ws-security's Username Token for authentication, but now we need to encrypt message's content because some sensitive information will be added to it.
We use JBossWS (version "3.1.1.GA") running on "JBoss-4.2.3.GA" at server side and axis2c/rampartc (versions 1.6.0/1.3.0 respectively) on clients side.
Find a security token reference that is supported/implemented by both sides wasn't so easy as I expected
First try was with "RequireThumbprintReference" that's is axis2c/rampartc most used option on samples. It results on "Currently only SubjectKeyIdentifiers are supported" message on server that I've already tracked to two discutions of this site "http://community.jboss.org/message/534939#534939" and "http://community.jboss.org/message/340764#340764" with no solution.
I've tried "RequireKeyIdentifierReference" that won't work because my certs don't have Key Identifiers, what seems to be normal on cert that were not selt created/signed using keytool.
I'.ve tried "RequireEmbeddedTokenReference" which seems to be unknow to server that shows "Unkown reference element: Embedded".
And I've tried "RequireIssuerSerialReference" that resulted on message "Could not locate certificate by issuer and serial number" from server also present on a discution of this site.
I'm feeling that this could be problems regarding the relative old version of JBoss/JBossWS I'm using right now.
So... my question is: is there a JBoss/JBossWS known combination that works with "RequireIssuerSerialReference" or that accepts "RequireThumbprintReference"?
Thanks a lot and best regards,
Mauro.