Posted to users@cxf.apache.org by "G.Dab" <in...@cvwebdesigns.com> on 2019/02/05 19:46:58 UTC

The private key for the supplied alias does not exist in the keystore

Hello,

I'm working on creating a client with CXF v3.2.7.  The WSDL I'm using has a
WS-SecurityPolicy (wsp:Policy etc.), and at first I thought I'd try
configuring the client properties via API but I've already got a cxf.xml
file for defining proxy and SSL stuff so decided to try to work this out in
Spring.

I'm currently getting the following message and error: 

INFO org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder - No CallbackHandler available to retrieve a password. We will now try the crypto properties file for a private password
ERROR org.apache.wss4j.dom.message.WSSecSignature - The private key for the supplied alias does not exist in the keystore
org.apache.wss4j.common.ext.WSSecurityException: The private key for the supplied alias does not exist in the keystore

My jaxws:client has the following entries:

        <entry key="security.callback-handler"
             value="interop.client.KeystorePasswordCallback"/>
         <entry key="security.signature.properties"
             value="client.properties"/>

My client.properties file looks as follows:

org.apache.wss4j.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.wss4j.crypto.merlin.keystore.type=jks
org.apache.wss4j.crypto.merlin.keystore.password=pzz1234
org.apache.wss4j.crypto.merlin.keystore.alias={84fb7973-5364-4a36-a7a5-7670977de474}
org.apache.wss4j.crypto.merlin.keystore.file=store.jks

The alias looks funky, but that was what I was provided by the CA.

The store.jks file resides in the root of the jar I've created.  I've also
tried placing it outside the jar in the folder that the jar resides in.  Is
CXF trying to look in the local machine's keystore?  If so, how do I get it
to look where I've specified in client.properties ?

--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html

Re: The private key for the supplied alias does not exist in the keystore

Posted by "G.Dab" <in...@cvwebdesigns.com>.
FYI - this is how I've got my http-conf:tlsClientParameters configured inside
<http-conf:conduit>, and the xxx have replaced the actual values:

    <http-conf:tlsClientParameters>
      <sec:keyManagers keyPassword="xxxxx">
        <sec:keyStore type="jks" password="xxxx"
                      file="xxx.jks"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="jks" password="xxxx"
                      file="xxx.jks"/>
      </sec:trustManagers>
    </http-conf:tlsClientParameters>
    
    <http-conf:client Connection="close"
                  MaxRetransmits="1"
                  AllowChunking="false" 
                  ProxyServer="xxx.xxx.xxx.xxx"
                  ProxyServerPort="xxxx"/> 


Re: The private key for the supplied alias does not exist in the keystore

Posted by "G.Dab" <in...@cvwebdesigns.com>.
Colm, you so totally rock!

Finally making more progress now :)

I'm now getting the following error:

org.apache.cxf.binding.soap.SoapFault: Connection timed out: connect
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:221)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
etc.

Is my next step to enable logging on my client?


Re: The private key for the supplied alias does not exist in the keystore

Posted by Colm O hEigeartaigh <co...@apache.org>.
You need a private key password to access the key for signing. You can
either supply the password via a CallbackHandler, or via a
"org.apache.wss4j.crypto.merlin.keystore.private.password" entry in your
crypto properties file.

Colm.

On Wed, Feb 6, 2019 at 5:41 PM G.Dab <in...@cvwebdesigns.com> wrote:

> Thanks for responding Colm :)
>
> Lemmie ask this.  The only actions that I need to perform are add a digital
> x.509 signature and timestamp.  Is a CallbackHandler still necessary?
>
> My apologies, I'm still a novice when it comes to Java.  The
> interop.client.KeystorePasswordCallback value was just from the example off
> the WS-SecurityPolicy page, and not a class I've rolled on my own, so to
> answer your question I haven't actually created one yet.  My bad.
>
> Is the WSPasswordCallback.class found under org.apache.wss4j.common.ext in
> the wss4j-ws-security-common-2.2.2.jar a possible option to use?
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: The private key for the supplied alias does not exist in the keystore

Posted by "G.Dab" <in...@cvwebdesigns.com>.
Thanks for responding Colm :)

Lemmie ask this.  The only actions that I need to perform are add a digital
x.509 signature and timestamp.  Is a CallbackHandler still necessary?  

My apologies, I'm still a novice when it comes to Java.  The
interop.client.KeystorePasswordCallback value was just from the example off
the WS-SecurityPolicy page, and not a class I've rolled on my own, so to
answer your question I haven't actually created one yet.  My bad.

Is the WSPasswordCallback.class found under org.apache.wss4j.common.ext in
the wss4j-ws-security-common-2.2.2.jar a possible option to use?


Re: The private key for the supplied alias does not exist in the keystore

Posted by Colm O hEigeartaigh <co...@apache.org>.
What does your CallbackHandler implementation look like? It needs to set
the private key password of the entry in there. If you turn on debug
logging as well, it may give you more information about what the problem is.

Colm.

On Tue, Feb 5, 2019 at 9:10 PM G.Dab <in...@cvwebdesigns.com> wrote:

> The keystore contains only one entry
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> {84fb7973-5364-4a36-a7a5-7670977de474}, Jan 25, 2019, PrivateKeyEntry,
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
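A minimal CallbackHandler of the kind Colm asks for here, and which his other reply describes as one of the two ways to hand WSS4J the private key password (the alternative being an `org.apache.wss4j.crypto.merlin.keystore.private.password` line in client.properties). This is an added example, not code from the thread or from CXF/WSS4J: the class name matches the `security.callback-handler` entry in the original post, the alias is the one keytool listed, and the `SIGNING_KEY_PASSWORD` environment variable it reads (so the key password need not sit in plaintext next to the keystore password) is an assumption.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/**
 * Referenced from the jaxws:client as
 *   <entry key="security.callback-handler" value="interop.client.KeystorePasswordCallback"/>
 * Supplies only the private key password for the signing alias; the
 * keystore password itself still comes from client.properties.
 */
public class KeystorePasswordCallback implements CallbackHandler {

    // Alias of the single PrivateKeyEntry in store.jks, as shown by keytool in the thread.
    private static final String SIGNING_ALIAS = "{84fb7973-5364-4a36-a7a5-7670977de474}";

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            // WSS4J sets the identifier to the alias it is about to sign with and the
            // usage to SIGNATURE; answer only that request and leave anything else blank,
            // so an unexpected usage (e.g. DECRYPT) fails loudly instead of silently succeeding.
            if (pc.getUsage() == WSPasswordCallback.SIGNATURE
                    && SIGNING_ALIAS.equals(pc.getIdentifier())) {
                pc.setPassword(loadKeyPassword());
            }
        }
    }

    // Hypothetical source for the key password; any secret store would do here.
    private static String loadKeyPassword() {
        String pw = System.getenv("SIGNING_KEY_PASSWORD");
        if (pw == null || pw.isEmpty()) {
            throw new IllegalStateException("SIGNING_KEY_PASSWORD is not set");
        }
        return pw;
    }
}
```

If the key was created with the same password as the keystore (the keytool default), the handler will return that value and the "private key for the supplied alias does not exist" error goes away; a wrong key password surfaces as the same WSS4J error, so checking the password with keytool first saves a debugging round.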

Re: The private key for the supplied alias does not exist in the keystore

Posted by "G.Dab" <in...@cvwebdesigns.com>.
The keystore contains only one entry

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

{84fb7973-5364-4a36-a7a5-7670977de474}, Jan 25, 2019, PrivateKeyEntry,
