Posted to c-user@axis.apache.org by Raghu Udupa <ru...@easylink.com> on 2008/10/07 00:21:01 UTC

signature verification failing

Hi,

 

I am using axis2_http_server distributed with axis2c release as the
server. Both web services client and http_server are running on same
Linux server. Both client and server have separate AXIS2C_HOME
locations. I am trying to test the signature verification feature.

 

Client's policy.xml settings

Signature related settings are as below;

<rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
    <rampc:ReceiverCertificate>/usr/local/CA/svccert.pem</rampc:ReceiverCertificate>
    <rampc:Certificate>/usr/local/CA/clientcert.pem</rampc:Certificate>
    <rampc:PrivateKey>/usr/local/CA/clientkey.pem</rampc:PrivateKey>
</rampc:RampartConfig>

 

Service.xml for the service

Signature related settings at the service are as below;

<rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
    <rampc:Certificate>/usr/local/CA/svccert.pem</rampc:Certificate>
    <rampc:PrivateKey>/usr/local/CA/svckey.pem</rampc:PrivateKey>
</rampc:RampartConfig>

 

Certificate Generation

I used the following steps to generate a pair of certificates clientcert.pem
and clientcert.key for the web services client and svccert.pem and
svccert.key for the service. I used CA.pl distributed with the openssl
package for generation of the certificate.

1. Create the directory for CA and copy CA.pl and openssl.cnf files
2. Create a certificate authority -- sudo ./CA.pl -newca
3. create new key file using sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout newkey.pem -out newreq.pem
4. create a certificate request file using sudo openssl req -new -key newkey.pem -out newreq.pem
5. sign the certificate using sudo ./CA.pl -sign
6. I repeated steps 2 through 5 to generate clientcert.pem and svccert.pem

Separately, I also tried using the CA.pl options sudo ./CA.pl -newreq
and sudo ./CA.pl -sign to generate certificates for testing.

On both attempts as well as on other tests, I am getting OXS ERROR
[xml_signature.c:687 in oxs_xml_sig_verify_sign_part] Signature
verification failed, Digest verification failed for node Id=
#SigID-c878c702-93e6-1dd1 error.

 

Could you tell me what I am doing incorrectly? I appreciate your help in
resolving this issue.

 

Regards,

Raghu Udupa
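
Added example (not part of the original message and not Rampart/C code): the "Digest verification failed for node Id=" error comes from the per-Reference digest check in XML Signature, which rehashes each signed part and involves no certificate or key. The Python below recomputes each Reference digest separately to show which signed part changed; the envelope, Ids and endpoint are constructed samples, SHA-1 is assumed as the digest, and the standard library's C14N 2.0 stands in for Exclusive C14N, so its digests will not match a real Rampart/C message.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
WSU_ID = ("{http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd}Id")

# Constructed request with a signed addressing header and a signed body.
# Ids, endpoint and payload are sample values, not from the thread's logs.
ENVELOPE = """\
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <env:Header>
    <wsa:To wsu:Id="SigID-sample-to">http://localhost:9090/axis2/services/echo</wsa:To>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#SigID-sample-to"><ds:DigestValue/></ds:Reference>
      <ds:Reference URI="#SigID-sample-body"><ds:DigestValue/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
  </env:Header>
  <env:Body wsu:Id="SigID-sample-body"><echo>hello</echo></env:Body>
</env:Envelope>"""


def part_digest(element):
    """Base64 SHA-1 over one signed part, canonicalized with the standard
    library's C14N 2.0 as a stand-in for WS-Security's Exclusive C14N."""
    node = copy.copy(element)
    node.tail = None  # text after the closing tag is not part of the node
    canonical = ET.canonicalize(ET.tostring(node, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canonical.encode()).digest()).decode()


def references(root):
    """Yield (URI, referenced element or None, DigestValue element)."""
    by_id = {e.get(WSU_ID): e for e in root.iter() if e.get(WSU_ID)}
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI")
        yield uri, by_id.get(uri.lstrip("#")), ref.find(DS + "DigestValue")


def fill_digests(root):
    """Sender side: record each referenced part's digest."""
    for _, part, digest_value in references(root):
        digest_value.text = part_digest(part)


def check_references(root):
    """Receiver side: recompute each digest and report it per Reference."""
    return {uri: part is not None and part_digest(part) == digest_value.text
            for uri, part, digest_value in references(root)}


def demo():
    sent = ET.fromstring(ENVELOPE)
    fill_digests(sent)
    wire = ET.tostring(sent, encoding="unicode")
    # The body changes after signing (constructed stand-in for a request
    # that was cut short or rewritten in transit); the header does not.
    altered = wire.replace("<echo>hello</echo>", "<echo>hell</echo>")
    return (check_references(ET.fromstring(wire)),
            check_references(ET.fromstring(altered)))


if __name__ == "__main__":
    print(*zip(("intact", "altered"), demo()), sep="\n")
```

The altered copy still passes the header Reference and fails only the body Reference, the same split seen later in the thread when body signing is commented out.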


RE: signature verification failing

Posted by Raghu Udupa <ru...@easylink.com>.
Shankar,

When I commented the body signature, the header signature verification
worked correctly. I am attaching the tcp.log. Could you let me know the
status regarding being able to sign the body part, as well as any
limitations regarding signing the body part?

Regards,
Raghu


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-c-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-c-user-help@ws.apache.org



Re: signature verification failing

Posted by Uthaiyashankar <sh...@wso2.com>.
Hi Raghu,

Can you disable body signature from client and service policy and
confirm whether it is working? Leave the header signing and comment only
the body as follows. All your configurations seemed to be correct. There
might be a bug in Rampart; we have to debug and see.

<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <!--sp:Body/-->
    <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>

Regards,
Shankar.




-- 
S.Uthaiyashankar
Software Architect
WSO2 Inc. 
http://wso2.com/ - "The Open Source SOA Company" 




RE: signature verification failing

Posted by Raghu Udupa <ru...@easylink.com>.
Shankar,

Per your request, I am attaching a tar.gz file containing server log,
client log as well as log from tcpmon. Right now, the whole soap body is
used while creating the signature. The tar gzip file contains the
following files

$ tar -tf axis2.info.tar
axis2.client.log
axis2.server.log
client.policy.xml
services.xml
tcp.log

Could you look into these log files and advise as to why signature
verification is failing? If you need any additional information, please
let me know.

Regards,
Raghu




Re: signature verification failing

Posted by Uthaiyashankar <sh...@wso2.com>.
Hi Raghu,

Can you capture the messages (Request and Reply) with tcpmon and send
them? I need the full message, not just the body... Also, the client.log
seemed to be not full. Can you clear all the logs and then send the
request, and attach the log?

Service.xml and client.policy.xml assertions are correct. It is failing
when validating the body signature. How big is the message? Can you make sure
whether the full request is received by the service? You can comment the body
sign part from the client policy and service.xml and send the message and
see whether it is working.

Regards,
Shankar.



-- 
S.Uthaiyashankar
Software Architect
WSO2 Inc. 
http://wso2.com/ - "The Open Source SOA Company" 




RE: signature verification failing

Posted by Raghu Udupa <ru...@easylink.com>.
Thanks, Shankar, Samisa.

Shankar,

I am attaching the following
1) client.log
2) client.policy.xml
3) server log
4) service.xml
5) response

I have configured only the service.xml for the service as per axis2c
user manual. Does the server require a separate policy file in addition
to service.xml? Server log also has the request in canonicalized format.


If you need any additional information, please let me know.

Thanks,
Raghu




Re: signature verification failing

Posted by Uthaiyashankar <sh...@wso2.com>.
Samisa Abeysinghe wrote:
> Uthaiyashankar wrote:
>> (5) Client policy file
>> (6) Server policy file
>
> Should not those two be the same?

Ideally, it has to be. However, Rampart specific configurations will be 
different. I wanted to make sure those two files are having same assertions.

Regards,
Shankar.



-- 
S.Uthaiyashankar
Software Architect
WSO2 Inc. 
http://wso2.com/ - "The Open Source SOA Company" 




Re: signature verification failing

Posted by Samisa Abeysinghe <sa...@wso2.com>.
Uthaiyashankar wrote:
> (5) Client policy file
> (6) Server policy file

Should not those two be the same?

Samisa...



Re: signature verification failing

Posted by Uthaiyashankar <sh...@wso2.com>.
Hi Raghu,

Can you attach the following to investigate the issue?
(1) Request
(2) Reply
(3) Client Log file
(4) Server Log file
(5) Client policy file
(6) Server policy file

Regards,
Shankar



-- 
S.Uthaiyashankar
Software Architect
WSO2 Inc. 
http://wso2.com/ - "The Open Source SOA Company" 

