Hi,
I have a .Net client that's talking to a web service running on jbossws.
It's a simple hello world right now for testing purposes.
What I'm trying to add to this service is the following:
- Authentication + signing using a client certificate
- Encryption using the server's public key
I've been playing around a bit and here is how far I am right now:
The jboss-wsse-server.xml file is simple and straightforward:
| <?xml version="1.0" encoding="UTF-8"?>
| <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
|     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|     xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
|   <key-store-file>WEB-INF/MyKeystore</key-store-file>
|   <key-store-password>####</key-store-password>
|   <trust-store-file>WEB-INF/MyTruststore</trust-store-file>
|   <trust-store-password>####</trust-store-password>
|   <config>
|     <requires>
|       <encryption />
|       <signature />
|     </requires>
|   </config>
| </jboss-ws-security>
The policy in my .Net client looks like this. This is a WSE 3.0 policy file, wse3policyCache.config:
| <policy name="test">
|   <mutualCertificate11Security establishSecurityContext="false"
|       renewExpiredSecurityContext="true"
|       requireSignatureConfirmation="false"
|       messageProtectionOrder="SignBeforeEncrypt"
|       requireDerivedKeys="false"
|       ttlInSeconds="300">
|     <clientToken>
|       <x509 storeLocation="CurrentUser" storeName="My"
|           findValue="CN=user1" findType="FindBySubjectDistinguishedName" />
|     </clientToken>
|     <serviceToken>
|       <x509 storeLocation="CurrentUser" storeName="My"
|           findValue="CN=MyServer" findType="FindBySubjectDistinguishedName" />
|     </serviceToken>
|     <protection>
|       <request signatureOptions="IncludeSoapBody" encryptBody="true" />
|       <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
|       <fault signatureOptions="IncludeSoapBody" encryptBody="false" />
|     </protection>
|   </mutualCertificate11Security>
|   <requireActionHeader />
| </policy>
For simplicity I left the addressing and timestamp out of the signature, because I
expect that this is what JBoss does.
On the server side I have a keystore and a truststore.
I've created a private/public key pair using Sun's keytool and I exported the
certificate for the clients to use. The certificates of the client are generated by a CA
on Windows 2003 Server. I've imported the certificates into the keystore using a basic
keytool -import -keystore ... -alias ... -file ... command.
The error I get in JBoss is:
| 12:10:57,337 ERROR [WSSecurityDispatcher] Internal error occured handling inbound message:
| org.jboss.ws.wsse.SecurityTokenUnavailableException: Could not locate certificate by key identifier
|         at org.jboss.ws.wsse.KeyResolver.resolveKeyIdentifier(KeyResolver.java:114)
|         at org.jboss.ws.wsse.KeyResolver.resolve(KeyResolver.java:87)
|         at org.jboss.ws.wsse.KeyResolver.resolveCertificate(KeyResolver.java:129)
|         at org.jboss.ws.wsse.KeyResolver.resolvePrivateKey(KeyResolver.java:144)
|         at org.jboss.ws.wsse.KeyResolver.resolvePrivateKey(KeyResolver.java:164)
|         at org.jboss.ws.wsse.element.EncryptedKey.<init>(EncryptedKey.java:90)
Is there anyone who has some experience with this?
I would appreciate any help/advice I can get.
Thanks in advance,
Kristof Taveirne
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3976533#...
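The stack trace above shows the server building the EncryptedKey and resolving its KeyIdentifier against the keystore, so the entry for the server certificate must hold a private key and a certificate whose SubjectKeyIdentifier extension equals the base64 value the client put in the request's <wsse:KeyIdentifier>; a certificate without that extension can never be found this way. As an added diagnostic that is not part of the original post or of JBossWS (the class name, arguments, Java 8+ Base64 and the DER short-form length assumption are mine), this lists the SKI of every keystore entry and reports whether a given identifier resolves to a private-key entry:

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
public class SkiCheck {
    // getExtensionValue returns DER: OCTET STRING wrapping OCTET STRING; the inner
    // contents are the raw identifier. Short-form lengths assumed (SKIs are ~20 bytes).
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.14");
        if (ext == null) return null;               // certificate carries no SKI at all
        int innerLen = ext[3] & 0xff;
        return Arrays.copyOfRange(ext, 4, 4 + innerLen);
    }
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
    // Prints every alias with its SKI and entry type; returns the alias whose SKI matches, or null.
    static String resolve(KeyStore ks, byte[] wanted) throws Exception {
        String match = null;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            byte[] ski = subjectKeyIdentifier((X509Certificate) c);
            System.out.println(alias + "  SKI=" + (ski == null ? "<none>" : hex(ski))
                    + (ks.isKeyEntry(alias) ? "  [private key]" : "  [certificate only]"));
            if (ski != null && Arrays.equals(ski, wanted)) match = alias;
        }
        return match;
    }
    // Usage: java SkiCheck WEB-INF/MyKeystore <store password> <base64 KeyIdentifier from the request>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        String alias = resolve(ks, Base64.getDecoder().decode(args[2]));
        if (alias == null) System.out.println("no entry matches that key identifier");
        else if (!ks.isKeyEntry(alias)) System.out.println(alias + " matches but has no private key");
        else System.out.println(alias + " holds the private key for this EncryptedKey");
    }
}
```

Run it against WEB-INF/MyKeystore with the identifier copied from a captured request; a "matches but has no private key" result means the certificate was only imported, not the key pair, and "<none>" means the certificate was issued without a SubjectKeyIdentifier extension.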