Posted to users@cxf.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2013/05/01 12:03:46 UTC

Re: cxf keystore security problem - org.apache.cxf.binding.soap.SoapFault: Empty username for specified action.

You need to let WSS4J know what keystore alias to use to get the private
key to sign the request. So you need to add the following to your client
WSS4JOutInterceptor configuration:

<entry key="user" value="myalias"/>

By the way, your "org.apache.ws.security.crypto.merlin.keystore.alias"
definition appears to be incorrect in your Crypto property files as well,
as there is no "aka" alias in the keystore listing you provided.

Colm.


On Tue, Apr 30, 2013 at 6:52 PM, minajagi <ch...@jpmorgan.com> wrote:

> Thanks for the reply.
> I have made the changes you mentioned; however, I'm afraid I still don't
> understand what user I should be using. I still get the
>
> *org.apache.cxf.binding.soap.SoapFault: Empty username for specified
> action.*
>
> You mention,
>
> "/You aren't specifying any "user" in the WSS4JOutInterceptor client spring
> configuration. Normally, you would specify a user that corresponds to the
> keystore alias. /"
>
> Can you please let me know, based on the settings I have outlined above,
> where I can get the user? When I use keytool -list -v I don't see anything
> related to user on it. So what user should I be using?
>
> Is there a way to specify a user while creating the .jks files? I don't seem
> to have used any options and neither do I see anything on the keytool help
> that talks about a user.
>
> I'm lost at the moment. Please help.
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/cxf-keystore-security-problem-org-apache-cxf-binding-soap-SoapFault-Empty-username-for-specified-act-tp5726920p5726985.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: cxf keystore security problem - org.apache.cxf.binding.soap.SoapFault: Empty username for specified action.

Posted by Andrei Shakirin <as...@talend.com>.
Hi, 

The private key is password protected in the Java keystore.
CXF needs the private key for the signature, therefore the password should be provided using PasswordCallback for each alias.

Regards,
Andrei.

> -----Original Message-----
> From: cvm [mailto:chetan.v.minajagi@jpmorgan.com]
> Sent: Thursday, 2 May 2013 16:54
> To: users@cxf.apache.org
> Subject: Re: cxf keystore security problem -
> org.apache.cxf.binding.soap.SoapFault: Empty username for specified action.
> 
> Pardon my ignorance. But why do I have to set the password on the client
> Callback when we are using Signature? I can understand the usage of it when
> using Usernametoken where we need to send the username/pwd combo
> and validate it on the server side, but when we are using keystores and
> providing all the relevant information on the signaturePropFile why do we
> still need to set the password to the keystore password on the client callback
> handler?
> The 2nd part of the question is what is the right way of fetching this
> password. At the moment I'm doing as follows
> 
> 
> 
> abcd123 is my keystore password. Obviously this is ok for test but in a prod
> scenario where do I go and fetch this password to be set?
> 
> 
> 
> 

Re: cxf keystore security problem - org.apache.cxf.binding.soap.SoapFault: Empty username for specified action.

Posted by cvm <ch...@jpmorgan.com>.
Pardon my ignorance. But why do I have to set the password on the client
Callback when we are using Signature? I can understand the usage of it when
using Usernametoken where we need to send the username/pwd combo and
validate it on the server side, but when we are using keystores and providing
all the relevant information on the signaturePropFile why do we still need
to set the password to the keystore password on the client callback handler?
The 2nd part of the question is what is the right way of fetching this
password. At the moment I'm doing as follows



abcd123 is my keystore password. Obviously this is ok for test but in a prod
scenario where do I go and fetch this password to be set?




--
View this message in context: http://cxf.547215.n5.nabble.com/cxf-keystore-security-problem-org-apache-cxf-binding-soap-SoapFault-Empty-username-for-specified-act-tp5726920p5727071.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: cxf keystore security problem - org.apache.cxf.binding.soap.SoapFault: Empty username for specified action.

Posted by Colm O hEigeartaigh <co...@apache.org>.
You shouldn't need to specify the CallbackHandler on the receiving
(signature verification) side, as the private key is not required.

Colm.


On Wed, May 1, 2013 at 2:19 PM, minajagi <ch...@jpmorgan.com> wrote:

> Thanks v much for the reply. I finally got it to work yesterday evening but
> didn't have the time to update this post.
> I was sending in the Owner/Issuer name on my certificate as the username
> and it wasn't working, and when I didn't send any I used to get the Empty
> username error. Largely by trial and error, and towards the end when your
> earlier reply was kind of staring me in the face, I realised that I have to
> send the alias on my keystore as the username, and it worked.
>
> Thanks a lot for all the help and guidance.
>
> I still have a question about what is the right kind of implementation in
> the PasswordCallback Handler.
> In both client and server callbacks I am setting the password to that on
> the keystore.
> Why is it required at all since the authentication is happening with
> private/public key pair on the client/server here?
> Since it's not an implementation detail even if you could point me to a bit
> of relevant documentation, it would help.
>
>
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
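
The points made in the replies above (the "user" entry is the keystore alias, the private-key password is supplied per alias through the callback, and only the signing side needs that callback), as an added example that is not code from any poster in this thread. It assumes the WSS4J 1.6.x package names that match the "org.apache.ws.security" properties quoted above; the environment-variable naming and the properties file name are hypothetical.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Supplies the private-key password for whichever alias WSS4J asks about. */
public class KeyPasswordCallback implements CallbackHandler {

    // Hypothetical convention: the key password for alias "myalias" is read
    // from the environment variable KEYPASS_MYALIAS rather than hardcoded.
    static String lookup(String alias) {
        return System.getenv("KEYPASS_" + alias.toUpperCase());
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // When signing, the identifier is the configured "user", i.e. the alias.
            String password = lookup(pc.getIdentifier());
            if (password == null) {
                throw new IOException(
                        "No key password configured for alias " + pc.getIdentifier());
            }
            pc.setPassword(password);
        }
    }

    /** Client-side signing interceptor; a side that only verifies needs no callback. */
    static WSS4JOutInterceptor signingInterceptor() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        // Keystore alias, not the certificate owner/issuer name.
        props.put(WSHandlerConstants.USER, "myalias");
        // Placeholder name for the Crypto (Merlin) properties file.
        props.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");
        props.put(WSHandlerConstants.PW_CALLBACK_REF, new KeyPasswordCallback());
        return new WSS4JOutInterceptor(props);
    }
}
```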

Re: cxf keystore security problem - org.apache.cxf.binding.soap.SoapFault: Empty username for specified action.

Posted by minajagi <ch...@jpmorgan.com>.
Thanks v much for the reply. I finally got it to work yesterday evening but
didn't have the time to update this post.
I was sending in the Owner/Issuer name on my certificate as the username and
it wasn't working, and when I didn't send any I used to get the Empty
username error. Largely by trial and error, and towards the end when your
earlier reply was kind of staring me in the face, I realised that I have to
send the alias on my keystore as the username, and it worked.

Thanks a lot for all the help and guidance.

I still have a question about what is the right kind of implementation in
the PasswordCallback Handler.
In both client and server callbacks I am setting the password to that on the
keystore.
Why is it required at all since the authentication is happening with
private/public key pair on the client/server here?
Since it's not an implementation detail even if you could point me to a bit of
relevant documentation, it would help.





--
View this message in context: http://cxf.547215.n5.nabble.com/cxf-keystore-security-problem-org-apache-cxf-binding-soap-SoapFault-Empty-username-for-specified-act-tp5726920p5727001.html
Sent from the cxf-user mailing list archive at Nabble.com.