[jboss-user] [JBossWS] - Ws-Security, Encryption, .Net -> JBoss interoperability (HEL
kristof.taveirne
do-not-reply at jboss.com
Fri Oct 6 06:19:55 EDT 2006
Hi,
I have a .Net client that's talking to a web service running on jbossws.
It's a simple helloworld right now for testing purposes.
What I'm trying to add to this service is the following.
- Authentication + Signing using a client certificate
- Encryption using the servers public key
I've been playing around a bit and here is how far I am right now:
The jboss-wsse-server.xml file is simple and straightforward:
| <?xml version="1.0" encoding="UTF-8"?>
| <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
|                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|                    xsi:schemaLocation="http://www.jboss.com/ws-security/config
|                                        http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
|   <key-store-file>WEB-INF/MyKeystore</key-store-file>
|   <key-store-password>####</key-store-password>
|   <trust-store-file>WEB-INF/MyTruststore</trust-store-file>
|   <trust-store-password>####</trust-store-password>
|   <config>
|     <requires>
|       <encryption />
|       <signature />
|     </requires>
|   </config>
| </jboss-ws-security>
|
The policy in my .Net client looks like this.
This is a WSE 3.0 policy file wse3policyCache.config:
| <policy name="test">
|   <mutualCertificate11Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
|     <clientToken>
|       <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=user1" findType="FindBySubjectDistinguishedName" />
|     </clientToken>
|     <serviceToken>
|       <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=MyServer" findType="FindBySubjectDistinguishedName" />
|     </serviceToken>
|     <protection>
|       <request signatureOptions="IncludeSoapBody" encryptBody="true" />
|       <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
|       <fault signatureOptions="IncludeSoapBody" encryptBody="false" />
|     </protection>
|   </mutualCertificate11Security>
|   <requireActionHeader />
| </policy>
|
For simplicity I left the addressing and timestamp out of the signature, because I expect that this is what JBoss does.
I have a keystore and truststore on the server side.
I've created a private/public keypair using Sun's keytool and I exported the certificate for the clients to use. The certificates of the client are generated by a CA on Windows 2003 Server. I've imported the certificates into the keystore using a basic keytool -import -keystore ... -alias ... -file command.
The error I get in JBoss is:
| 12:10:57,337 ERROR [WSSecurityDispatcher] Internal error occured handling inbound message:
| org.jboss.ws.wsse.SecurityTokenUnavailableException: Could not locate certificate by key identifier
|         at org.jboss.ws.wsse.KeyResolver.resolveKeyIdentifier(KeyResolver.java:114)
|         at org.jboss.ws.wsse.KeyResolver.resolve(KeyResolver.java:87)
|         at org.jboss.ws.wsse.KeyResolver.resolveCertificate(KeyResolver.java:129)
|         at org.jboss.ws.wsse.KeyResolver.resolvePrivateKey(KeyResolver.java:144)
|         at org.jboss.ws.wsse.KeyResolver.resolvePrivateKey(KeyResolver.java:164)
|         at org.jboss.ws.wsse.element.EncryptedKey.<init>(EncryptedKey.java:90)
Is there anyone who has some experience with this?
I would appreciate any help/advice I can get.
Thanks in advance,
Kristof Taveirne
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3976533#3976533
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3976533
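An added diagnostic example, not part of the original post and not JBossWS or WSE code. The trace fails in EncryptedKey while resolving a key identifier, so the check worth doing first is whether the wsse:KeyIdentifier the client sends for the server certificate actually matches a certificate in WEB-INF/MyKeystore. The script below (Python, standard library only) extracts the KeyIdentifier from a constructed WS-Security header and looks it up in a constructed alias-to-SubjectKeyIdentifier map standing in for the keystore; the assumption is that the reference is by SubjectKeyIdentifier, which is why a server certificate without that extension (or with one the client never saw) cannot be located.

```python
import base64
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SKI_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")

# Constructed sample SKI and envelope: the shape of the header a WSE 3.0
# mutualCertificate11Security client sends, with the EncryptedKey naming the
# server certificate through a SubjectKeyIdentifier (SKI) reference.
SAMPLE_SKI = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f9001020304")
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <wsse:Security xmlns:wsse="{WSSE}">
   <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier ValueType="{SKI_TYPE}">{base64.b64encode(SAMPLE_SKI).decode()}</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </xenc:EncryptedKey>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""


def key_identifiers(envelope_xml):
    """Return [(value_type, raw_bytes)] for every wsse:KeyIdentifier in the header."""
    root = ET.fromstring(envelope_xml)
    found = []
    for ki in root.iter(f"{{{WSSE}}}KeyIdentifier"):
        found.append((ki.get("ValueType", ""), base64.b64decode((ki.text or "").strip())))
    return found


def resolve(envelope_xml, keystore):
    """keystore: {alias: ski_bytes_or_None} (constructed stand-in for the SKI
    extension of each certificate in the server keystore; None = no extension).
    Returns {ski_hex: alias_or_None}; None is the 'could not locate certificate
    by key identifier' condition seen in the server log."""
    by_ski = {ski: alias for alias, ski in keystore.items() if ski is not None}
    result = {}
    for value_type, raw in key_identifiers(envelope_xml):
        if value_type != SKI_TYPE:
            continue  # direct BinarySecurityToken or IssuerSerial references are not SKI lookups
        result[raw.hex()] = by_ski.get(raw)
    return result
```

Run `resolve(SAMPLE_ENVELOPE, {"myserver": None})` to see the failing case: the alias exists but nothing can be matched, so the lookup returns None just as KeyResolver does.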