Posted to wss4j-dev@ws.apache.org by Emanuel Haisiuc <em...@gmail.com> on 2006/02/12 20:20:50 UTC

Interop / public key certificate issues

Hi!

I have the following situation: I have a WSS4J Java client trying to
connect to a .NET web service, using encryption. The .NET web service
is using WSE 2.0 SP3.

I have exported the public key corresponding to the private key used by
the .NET service to decrypt the messages and imported it into the Java
keystore used by the client using the keytool -import option.

When I try to connect to the web service the following fault is returned:

Unable to make the call to method:
Microsoft.Web.Services2.Security.SecurityFault: The security token
could not be authenticated or authorized --->
System.Security.SecurityException: WSE537: The certificate's trust
chain could not be verified with the following reason: An internal
certificate chaining error has occurred.
.
   at Microsoft.Web.Services2.Security.X509.X509CertificateChain.Verify()
   at Microsoft.Web.Services2.Security.Tokens.X509SecurityToken.VerifyTrust()
   at Microsoft.Web.Services2.Security.Tokens.X509SecurityToken.Verify()
   at Microsoft.Web.Services2.Security.Tokens.X509SecurityTokenManager.VerifyToken(SecurityToken securityToken)
   at Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.LoadBinarySecurityToken(XmlElement element)
   --- End of inner exception stack trace ---
   at Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.LoadBinarySecurityToken(XmlElement element)
   at Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.GetTokenFromXml(XmlElement element)
   at Microsoft.Web.Services2.Security.Security.LoadToken(XmlElement element, SecurityConfiguration configuration, Int32& tokenCount)
   at Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement element)
   at Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.WebServicesExtension.BeforeDeserializeServer(SoapServerMessage message)

The settings I use for the Java client are:

the wsdd configuration file:
<handler type="java:org.apache.ws.axis.security.WSDoAllSender">
	<parameter name="action" value="Encrypt" />
	<parameter name="encryptionPropFile" value="x509encrypt.props" />
	<parameter name="encryptionKeyIdentifier" value="DirectReference" />
	<parameter name="encryptionUser" value="manus" />
	<parameter name="passwordCallbackClass" value="javawsx509signingclient.PWCallback" />
	<parameter name="user" value="manus" />
</handler>

the x509encrypt.props:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=foobar
org.apache.ws.security.crypto.merlin.file=testpub.keystore

The keytool -list on the key store returns:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

manus, 09.02.2006, trustedCertEntry,
Certificate fingerprint (MD5): A6:7F:5A:EE:F7:87:2E:3B:A2:EE:57:3E:95:3D:3B:DD
test, 09.02.2006, trustedCertEntry,
Certificate fingerprint (MD5): 7B:57:CE:34:A9:B1:76:63:4A:4D:9F:0B:A0:21:23:EB

The certificate with the alias "manus" should be used to encrypt the
message. I've used the TCPMonitor and verified that the body of the
message is encrypted.

I encounter something similar in the following situation: .NET client
using WSE 2.0 SP3 and Java web service when the messages are signed.
I'm using the same certificate store for the Java web service as the
one mentioned above. And when I try to consume the web service from
the .NET client I get the following message:

WSDoAllReceiver: The certificate used for the signature is not trusted

I'm guessing that you cannot just import in the jks keystore the
certificate exported from mmc->certificates as they are.

Has anyone encountered the same problems? Can you give me a hand?

Thank you!

Emanuel
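Both faults above are trust-chain checks: WSE's X509CertificateChain.Verify() must build a path from the client's certificate to a root the Windows machine trusts, and WSDoAllReceiver must find the signing certificate's issuer (or the self-signed certificate itself) among the trusted entries of the JKS keystore. The following diagnostic is an added example, not part of the original post and not WSS4J or WSE code. It loads a JKS keystore from the command line (path and password are assumed arguments), lists each certificate's subject and issuer, marks which entries are self-signed, and asks the JDK's PKIX path builder whether each certificate chains to a self-signed anchor held in the same store. An entry that reports "FAILED" on the Java side is the situation in which Merlin-style keystore trust cannot succeed, regardless of how the certificate was exported from the Windows certificate MMC.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical keystore trust diagnostic (example code, not WSS4J's own).
 * For every certificate in a JKS keystore it reports whether the entry is
 * self-signed and whether a PKIX path can be built from it to a self-signed
 * anchor that is also present in the keystore.
 */
public class KeystoreTrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreTrustCheck <keystore.jks> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }

        // Collect every X.509 certificate in the store, keyed by alias
        // (trustedCertEntry entries and the leaf certificate of key entries).
        Map<String, X509Certificate> certs = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                certs.put(alias, (X509Certificate) c);
            }
        }

        // Self-signed certificates in the store act as the trust anchors;
        // a keystore-based trust check has nothing else to terminate a path on.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate c : certs.values()) {
            if (isSelfSigned(c)) {
                anchors.add(new TrustAnchor(c, null));
            }
        }

        for (Map.Entry<String, X509Certificate> e : certs.entrySet()) {
            X509Certificate c = e.getValue();
            System.out.printf("%s:%n  subject=%s%n  issuer=%s%n  self-signed=%b%n",
                    e.getKey(), c.getSubjectX500Principal(),
                    c.getIssuerX500Principal(), isSelfSigned(c));
            System.out.println("  path to anchor: " + validate(c, anchors, certs.values()));
        }
    }

    /** True when subject equals issuer and the certificate verifies under its own key. */
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
            return false;
        }
        try {
            c.verify(c.getPublicKey());
            return true;
        } catch (Exception ex) {
            return false;
        }
    }

    /** Ask the PKIX builder for a path from leaf to one of the anchors using only certs in pool. */
    static String validate(X509Certificate leaf, Set<TrustAnchor> anchors,
                           Collection<X509Certificate> pool) {
        if (anchors.isEmpty()) {
            return "NO TRUST ANCHORS (no self-signed certificate in the store)";
        }
        try {
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(leaf);
            PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
            params.setRevocationEnabled(false); // offline check: no CRL/OCSP lookups
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(pool)));
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) builder.build(params);
            return "OK, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathBuilderException ex) {
            return "FAILED: " + ex.getMessage() + " (issuer certificate not in this keystore?)";
        } catch (Exception ex) {
            return "ERROR: " + ex;
        }
    }
}
```

Run it as `java KeystoreTrustCheck testpub.keystore foobar` against the client's keystore. If "manus" is not self-signed and its issuer is absent, the fix on the Java side is to import the issuing CA certificate (the whole chain up to the root) as additional trustedCertEntry entries, rather than the leaf alone. The WSE fault is the mirror image: the certificate the Java client presents must chain to a root in the Windows machine's trusted root store on the .NET host, so the same chain needs to be installed there.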
