Hello,

I have difficulties with configuring WebLogic 8.1 (SP5).

To use server-side security handling in SOAP messages I need to generate 
private keys and certificates.
I have done this with 'keytool' and openssl (twice: once for the server and once for 
the client).
For the server I have stored the certificate (signed with the client's key and 
certificate with openssl)
in a file truststore.jks in my deployment directory. The private key of the 
server is in the file keystore.jks.
By the way, with the (Axis) client I have no problem; it generates a SOAP header 
with all the security info I need.

In WebLogic I have entered the keystore.jks and the truststore.jks in the 
'Keystores & SSL' tab.
Then in Security > Realms > myrealm > Providers > Authentication > 
DefaultIdentityAsserter I have added
the X509 token type to the 'DefaultIdentityAsserter' in the 'General' tab. 
In the 'Details' tab I
selected:
- 'Use Default User Name Mapper' = CHECKED
- 'Default User Name Mapper Attribute Type:' = CN-Common Name
- 'Default User Name Mapper Attribute Delimiter:' = , (comma)
- 'Base64Decoding Required' = CHECKED

My web-services.xml has a security section like this:
.....................................................................................
<security>
        <signatureKey>
                <name>privatekey</name>
                <password>secret</password>
        </signatureKey>
        <spec:SecuritySpec
                xmlns:spec="http://www.openuri.org/2002/11/wsse/spec"
                Namespace="http://schemas.xmlsoap.org/ws/2002/07/secext"
                Id="security-spec">
                <spec:BinarySecurityTokenSpec
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
                </spec:BinarySecurityTokenSpec>
                <spec:SignatureSpec
                        SignatureMethod="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
                        SignBody="true"
                        CanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <spec:ElementIdentifier
                                LocalPart="Timestamp"
                                Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
                </spec:SignatureSpec>
        </spec:SecuritySpec>
        <timestamp>
                <clocks-synchronized>true</clocks-synchronized>
                <clock-precision>30000</clock-precision>
                <enforce-precision>false</enforce-precision>
                <require-signature-timestamp>true</require-signature-timestamp>
                <generate-signature-timestamp>true</generate-signature-timestamp>
                <inbound-expiry>600000</inbound-expiry>
                <outbound-expiry>300000</outbound-expiry>
        </timestamp>
</security>
.....................................................................................

But when I receive a SOAP message with signature info in its header, my WebLogic 
server throws an exception:
.....................................................................................
[SignedInfo] :  +++ Setting namespaces ({wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, ds=http://www.w3.org/2000/09/xmldsig#, xsi=http://www.w3.org/2001/XMLSchema-instance, xsd=http://www.w3.org/2001/XMLSchema, xml=http://www.w3.org/XML/1998/namespace, soapenv=http://schemas.xmlsoap.org/soap/envelope/})
<!-- -- Begin c14ned SignedInfo - Verify ----->
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#id-21684929">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>H8cjg1reTyo4vNr0KDl12ikOEZ8=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-33526517">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>+7kI5+Jl0G6I5uFAbRK9szGA6f4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<!-----  End c14ned SignedInfo - Verify  -- -->
javax.xml.rpc.soap.SOAPFaultException: signature failed to verify
        at weblogic.xml.security.wsse.internal.Utils.handleException(Utils.java:103)
        at weblogic.xml.security.wsse.v200207.SecureInputStreamInternal.verifyStream(SecureInputStreamInternal.java:394)
        at weblogic.xml.security.wsse.v200207.SecureInputStreamInternal.handleSignature(SecureInputStreamInternal.java:299)
        at weblogic.xml.security.wsse.v200207.SecureInputStreamInternal.buildStream(SecureInputStreamInternal.java:228)
        at weblogic.xml.security.wsse.v200207.SecureInputStreamInternal.buildStream(SecureInputStreamInternal.java:184)
        at weblogic.xml.security.wsse.v200207.SecureInputStreamInternal.getSecurityElement(SecureInputStreamInternal.java:512)
        at weblogic.xml.security.wsse.SecureSoapInputStream.getSecurityElement(SecureSoapInputStream.java:366)
        at weblogic.webservice.core.handler.WSSEHandler.handleRequest(WSSEHandler.java:157)
        at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:143)
.....................................................................................

If somebody can help me solve this problem, I would appreciate it very much.

Kind regards,

Harry van Rijn
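Added here as an illustration, not part of Harry's mail or of WebLogic itself: a small Python preview of what the 'Default User Name Mapper' settings above (attribute type CN, delimiter comma) derive from a certificate's subject DN, so one can confirm that the derived name is an existing WebLogic user before digging into the signature failure. The DN parsing follows RFC 4514 escaping; it is assumed that WebLogic's mapper splits on the configured delimiter the same way, and the DNs and realm user list are constructed.

```python
"""Preview the user name a CN/comma user-name mapper derives from a subject DN.
Assumption: the mapper splits the DN on the configured delimiter and takes the
value of the selected attribute type; the DNs below are constructed samples."""


def split_dn(dn, delimiter=","):
    """Split an RFC 2253/4514 DN string into (TYPE, value) pairs. Backslash
    escapes and quoted values are honoured, so a delimiter inside a value
    (e.g. CN=van Rijn\\, Harry) does not start a new attribute."""
    if not dn.strip():
        return []
    parts, cur, i, quoted = [], [], 0, False
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == '"':                        # toggle quoted mode, drop the quotes
            quoted = not quoted
        elif c == delimiter and not quoted:  # unescaped delimiter ends this RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    pairs = []
    for rdn in parts:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))  # types are case-insensitive
    return pairs


def mapped_user_name(dn, attribute_type="CN", delimiter=","):
    """Return the value of the selected attribute, or None when the certificate
    subject carries no such attribute (the asserter then has nothing to map)."""
    for attr_type, value in split_dn(dn, delimiter):
        if attr_type == attribute_type.upper():
            return value
    return None


def check_mapping(dn, realm_users, attribute_type="CN", delimiter=","):
    """Return (user, ok): ok is False when no attribute matched or when the
    derived name is not a user known to the realm."""
    user = mapped_user_name(dn, attribute_type, delimiter)
    return user, user is not None and user in realm_users
```

For a DN such as "CN=axisclient, OU=WS, O=Example, C=NL" the mapper yields "axisclient", which must exist as a user in myrealm for the X.509 identity assertion to succeed.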

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]