[jboss-user] [JBossWS] - Ws-Security, Encryption, .Net -> JBoss interoperability (HEL

kristof.taveirne do-not-reply at jboss.com
Fri Oct 6 06:19:55 EDT 2006


Hi,

I have a .Net client that's talking to a web service running on jbossws.
It's a simple helloworld right now for testing purposes.

What I'm trying to add to this service is the following.
- Authentication + Signing using a client certificate
- Encryption using the server's public key

I've been playing around a bit and here is how far I am right now:
The jboss-wsse-server.xml file is simple and straightforward:


  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
  | 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  | 	xsi:schemaLocation="http://www.jboss.com/ws-security/config 
  |    http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
  | 	<key-store-file>WEB-INF/MyKeystore</key-store-file>
  | 	<key-store-password>####</key-store-password>
  | 	<trust-store-file>WEB-INF/MyTruststore</trust-store-file>
  | 	<trust-store-password>####</trust-store-password>
  | 	<config> 
  | 		<requires>
  | 			<encryption />
  | 			<signature/>
  | 		</requires>
  | 	</config>
  | </jboss-ws-security>
  | 

The policy in my .Net client looks like this.
This is a WSE 3.0 policy file wse3policyCache.config:

  |   <policy name="test">
  |     <mutualCertificate11Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
  |       <clientToken>
  |         <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=user1" findType="FindBySubjectDistinguishedName" />
  |       </clientToken>
  |       <serviceToken>
  |         <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=MyServer" findType="FindBySubjectDistinguishedName" />
  |       </serviceToken>
  |       <protection>
  |         <request signatureOptions="IncludeSoapBody" encryptBody="true" />
  |         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
  |         <fault signatureOptions="IncludeSoapBody" encryptBody="false" />
  |       </protection>
  |     </mutualCertificate11Security>
  |     <requireActionHeader />
  |   </policy>
  | 

For simplicity I left the addressing and timestamp out of the signature, because I expect that this is what jboss does.

I have on the server side a keystore and truststore.
I've created a priv/public keypair using Sun's keytool and I exported the certificate for the clients to use. The certificates of the client are generated by a CA on Windows 2003 Server. I've imported the certificates into the keystore using a basic keytool -import -keystore ... -alias ... -file command.

The error I get in JBoss is 

  | 12:10:57,337 ERROR [WSSecurityDispatcher] Internal error occured handling inbound message:
  | org.jboss.ws.wsse.SecurityTokenUnavailableException: Could not locate certificate by key identifier
  |         at org.jboss.ws.wsse.KeyResolver.resolveKeyIdentifier(KeyResolver.java:114)
  |         at org.jboss.ws.wsse.KeyResolver.resolve(KeyResolver.java:87)
  |         at org.jboss.ws.wsse.KeyResolver.resolveCertificate(KeyResolver.java:129)
  |         at org.jboss.ws.wsse.KeyResolver.resolvePrivateKey(KeyResolver.java:144)
  |         at org.jboss.ws.wsse.KeyResolver.resolvePrivateKey(KeyResolver.java:164)
  |         at org.jboss.ws.wsse.element.EncryptedKey.<init>(EncryptedKey.java:90)

Is there anyone who has some experience with this?

I would appreciate any help/advice I can get.

Thanks in advance,

Kristof Taveirne

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3976533#3976533

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3976533
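The trace above fails while resolving a key identifier to a private key for the EncryptedKey, so the first thing to check is whether the store JBoss opens actually holds a certificate carrying that identifier. The diagnostic below is an added example, not code from the original post or from JBossWS: it loads a JKS store (the keystore or truststore named in jboss-wsse-server.xml), lists every alias with its certificate's SubjectKeyIdentifier, and optionally reports whether a given base64 KeyIdentifier is present. It assumes the resolver matches on the SubjectKeyIdentifier extension, Java 8 or later for java.util.Base64, and a short-form DER length on that extension (true for the usual 20-byte SKI).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;

/** Lists each alias in a JKS store with its certificate's SubjectKeyIdentifier (SKI). */
public class KeyIdCheck {

    /** Raw SKI bytes from the 2.5.29.14 extension, or null if the certificate has none. */
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.14");
        if (ext == null) return null;
        // getExtensionValue() returns the DER OCTET STRING wrapping the extension body;
        // for an SKI the body is itself an OCTET STRING, so two 2-byte headers
        // (tag + short-form length, assumed here) precede the identifier bytes.
        byte[] id = new byte[ext.length - 4];
        System.arraycopy(ext, 4, id, 0, id.length);
        return id;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeyIdCheck <store.jks> <password> [<base64 KeyIdentifier>]");
            return;
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        String wanted = args.length > 2 ? args[2] : null;   // identifier taken from the client's wsse header
        boolean matched = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            byte[] ski = subjectKeyIdentifier(cert);
            String encoded = ski == null ? "(no SubjectKeyIdentifier extension)"
                                         : Base64.getEncoder().encodeToString(ski);
            // isKeyEntry() tells you whether a private key sits behind the alias (needed for decryption)
            System.out.printf("%-20s privateKey=%-5s %s%n    SKI=%s%n",
                    alias, ks.isKeyEntry(alias), cert.getSubjectX500Principal(), encoded);
            if (wanted != null && wanted.equals(encoded)) matched = true;
        }
        if (wanted != null) {
            System.out.println(matched ? "KeyIdentifier found in store" : "KeyIdentifier NOT present in store");
        }
    }
}
```

An alias whose certificate shows no SKI extension, or a store where the server's entry is a trusted certificate rather than a private-key entry, would each explain why a lookup by key identifier cannot yield a private key.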
