Posted to c-user@axis.apache.org by Mauro Brasil <ma...@piscar.com.br> on 2011/03/02 13:57:40 UTC

Problems with rampartc token reference...

Hello there!

I'm trying to improve security on an application suite we have here by adding
WS-Security encryption. We were using just WS-Security's Username Token for
authentication, but now we need to encrypt the message content because some
sensitive information will be added to it.

We use JBossWS running on "JBoss-4.2.3.GA" at server side and
axis2c/rampartc on clients side.

The first problem we detected was the absence of a tokenReference configuration,
which led to a clear message on the server: "Invalid message,
SecurityTokenRefence is empty".
Having a closer look at the JBossWS configuration, I noticed that it accepts 3
types of token references: directReference (default),
keyIdentifier and x509IssuerSerial.


I couldn't find a usable rampartc policy file configuration for the first option,
"directReference", and I'm not sure if it's provided at all. I found a
reference for the second option, "keyIdentifier", but adding it to the policy file
(through the "<sp:RequireKeyIdentifierReference/>" tag) resulted again in an empty
SecurityTokenReference, and the last option, "x509IssuerSerial", works for
rampartc but the server refuses it.

So, I would like to ask someone about the other two options,
"directReference" and "keyIdentifier" token references. Does anyone know how
to configure the rampartc policy file to send those kinds of token references?

Note: I'm using axis2c version 1.6.0 and rampartc version 1.3.0.

Thanks a lot and best regards,
Mauro.

Re: Problems with rampartc token reference...

Posted by Stadelmann Josef <jo...@axa-winterthur.ch>.
Hi Mauro

I am not yet working on a project like yours, but I have to write a security concept paper right now about how to secure our password and, selectively, data sent in our SOAP XML message body.

I have 100% the same issue as you have, sooner or later. So I would like to add only a few words to allow more experienced developers to help you/us.

I think Rampart was tested!

What if you rerun those tests using a debugger to find out how Rampart runs and was tested, and in what scenarios it works or does not work?

Not an easy way, but it gives you a lot of insight, even into undocumented things.

Running tests against a certain component has many times helped me understand what is going on, even when it is not documented.

Josef



Re: Problems with rampartc token reference...

Posted by Mauro Brasil <ma...@piscar.com.br>.
Hello there!

After some tests I identified that keyIdentifier is not working because my
certificates don't have this information.
I created only self-signed certificates for my solution and I couldn't
find a way to add the keyIdentifier information to them, which seems to be
standard information on CA-provided certificates.

This leaves me with just one choice among the 3 options pointed out earlier:
"directReference", "keyIdentifier" and "x509IssuerSerial".
Has anyone used "directReference" in any scenario and can share a
"policy.xml" configuration file?

Thanks and best regards,
Mauro.

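The three JBossWS reference types discussed in the thread correspond to three shapes of the WS-Security SecurityTokenReference on the wire: directReference is a wsse:Reference pointing at a BinarySecurityToken carried in the same message, keyIdentifier is a wsse:KeyIdentifier carrying the certificate's SubjectKeyIdentifier (which is why a self-signed certificate without that extension cannot be referenced this way, as the second post found), and x509IssuerSerial is a ds:X509IssuerSerial. The script below is an added example written for this page; it is not rampartc or JBossWS code and does not touch the rampartc policy file. It assumes the openssl CLI version 1.1.1 or later (for -addext and -ext), builds a self-signed certificate that does carry a SubjectKeyIdentifier (subjectKeyIdentifier=hash), reports which reference forms a given certificate can support, and prints each STR fragment. The serial-to-decimal conversion uses shell arithmetic and so assumes a serial that fits in 63 bits; the issuer name is emitted without XML escaping.

```shell
#!/bin/sh
# Added example, not from the thread or from rampartc/JBossWS.
# Assumes: openssl CLI >= 1.1.1 on PATH; serial numbers <= 63 bits.
set -e

X509_PROFILE="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
WSS_SECEXT="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
WSS11="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1"

# Self-signed client cert that carries a SubjectKeyIdentifier extension.
# A bare self-signed cert may lack it; -addext forces it in. Small fixed
# serial so the decimal conversion below stays within shell arithmetic.
make_self_signed() {   # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -set_serial 4660 \
    -subj "/CN=rampartc-client" -addext "subjectKeyIdentifier=hash" \
    -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null
}

# Hex SubjectKeyIdentifier (no colons) of a PEM cert; empty if absent.
cert_ski() {
  openssl x509 -in "$1" -noout -ext subjectKeyIdentifier 2>/dev/null \
    | sed -n '2p' | tr -d ' :'
}
cert_issuer_rfc2253() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'; }
cert_serial_dec() { printf '%d\n' "$((0x$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')))"; }
cert_sha1_hex() { openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'; }

# Hex -> base64, the encoding KeyIdentifier and Thumbprint values use.
# Only POSIX printf octal escapes, so it runs under dash as well as bash.
hex_to_base64() {
  fmt=""
  for pair in $(printf '%s' "$1" | sed 's/../& /g'); do
    fmt="$fmt\\$(printf '%03o' "$((0x$pair))")"
  done
  printf "$fmt" | openssl base64 -A
}

# DirectReference needs the token in the message; IssuerSerial and
# Thumbprint work for any cert; KeyIdentifier needs the SKI extension.
supported_references() {   # $1 = cert file
  refs="DirectReference IssuerSerial Thumbprint"
  [ -z "$(cert_ski "$1")" ] || refs="$refs KeyIdentifier"
  echo "$refs"
}

direct_reference_str() {   # $1 = wsu:Id of the BinarySecurityToken in the message
  printf '<wsse:SecurityTokenReference><wsse:Reference URI="#%s" ValueType="%s#X509v3"/></wsse:SecurityTokenReference>\n' \
    "$1" "$X509_PROFILE"
}

issuer_serial_str() {   # $1 = cert file; X509SerialNumber is decimal on the wire
  printf '<wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>%s</ds:X509IssuerName><ds:X509SerialNumber>%s</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference>\n' \
    "$(cert_issuer_rfc2253 "$1")" "$(cert_serial_dec "$1")"
}

key_identifier_str() {   # $1 = cert file; fails when the cert has no SKI
  ski=$(cert_ski "$1")
  if [ -z "$ski" ]; then
    echo "no SubjectKeyIdentifier in $1: a KeyIdentifier reference cannot be built" >&2
    return 1
  fi
  printf '<wsse:SecurityTokenReference><wsse:KeyIdentifier EncodingType="%s#Base64Binary" ValueType="%s#X509SubjectKeyIdentifier">%s</wsse:KeyIdentifier></wsse:SecurityTokenReference>\n' \
    "$WSS_SECEXT" "$X509_PROFILE" "$(hex_to_base64 "$ski")"
}

thumbprint_str() {   # $1 = cert file; SHA-1 over the DER certificate
  printf '<wsse:SecurityTokenReference><wsse:KeyIdentifier EncodingType="%s#Base64Binary" ValueType="%s#ThumbprintSHA1">%s</wsse:KeyIdentifier></wsse:SecurityTokenReference>\n' \
    "$WSS_SECEXT" "$WSS11" "$(hex_to_base64 "$(cert_sha1_hex "$1")")"
}

# Demo: sh this_script.sh demo [cert.pem]
if [ "${1:-}" = "demo" ]; then
  crt="${2:-}"
  if [ -z "$crt" ]; then d=$(mktemp -d); make_self_signed "$d"; crt="$d/client.crt"; fi
  echo "supported: $(supported_references "$crt")"
  direct_reference_str CertId-1
  issuer_serial_str "$crt"
  thumbprint_str "$crt"
  key_identifier_str "$crt" || true
fi
```

Run it with `sh script.sh demo path/to/client.crt` against the certificate rampartc is configured with: if the "supported" line lacks KeyIdentifier, the certificate has no SubjectKeyIdentifier and a `<sp:RequireKeyIdentifierReference/>` policy cannot be satisfied with it, whatever the policy file says; regenerating the self-signed certificate with `-addext subjectKeyIdentifier=hash` (or reissuing it from a CA that sets the extension) is the fix on the certificate side.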