Posted to user@synapse.apache.org by Sihem <st...@yahoo.fr> on 2008/01/16 10:14:27 UTC

RE : Re: configuring rampart

Hello Ruwan,

1) I use synapse as a proxy with http transport enabled:
<proxy name="CalculatorProxy" trace="enable" transports="http">
When I use transports="https", the connection with the client does not work at all. I found no way to configure synapse in order to use http between the client and synapse and https between synapse and the web service.
When I use transports="all", I have this error:
2008-01-16 10:09:55,380 [127.0.0.1-localhost.localdomain] [main]  WARN VFSTransportListener Error configuring the File/VFS transport for Service : CalculatorProxy :: Cannot find parameter : transport.vfs.FileURI for service : CalculatorProxy

2) When I start synapse, the following log lines are displayed:
2008-01-16 09:49:30,618 [127.0.0.1-localhost.localdomain] [main] DEBUG HttpCoreNIOSSLListener Loading Key Store from URL : file:/home/sihem/programs/synapse-1.1/lib/identity.jks
2008-01-16 09:49:30,632 [127.0.0.1-localhost.localdomain] [main] DEBUG HttpCoreNIOSSLListener Loading Trust Key Store from URL : file:/home/sihem/programs/synapse-1.1/lib/trust.jks

Can you confirm that identity.jks contains the synapse certificate and trust.jks contains all the certificates of the certification authorities trusted by synapse?

3) I copied identity.jks into glassfish/domains/domain1/config/ and I restarted glassfish. But I still have the same exception.

4) In policy_3.xml, store.jks is also used:
<ramp:property name="org.apache.ws.security.crypto.merlin.file">repository/conf/sample/resources/security/store.jks</ramp:property>
Can you explain what this file is intended for?

You will find in attachment the synapse configuration I use.
Thank you very much for your help!
Sihem


Ruwan Linton <ru...@gmail.com> wrote:

Hi Sihem,

Are you using https to talk to GlassFish? and also have you put the trust
store (identity.jks) into the class path of the GlassFish server?

If you did so, then can you send the policy that you are using on the
GlassFish server to engage rampart.

Can you please provide the above information so that we can help you in
resolving this issue.

Thanks,
Ruwan

On Jan 15, 2008 11:26 PM, Sihem  wrote:

> Hello,
> I am trying to use WS-Security between synapse and the web service. I used
> sample 100 and the policy file named policy_3.xml. It does not work because
> I do not know how to configure rampart.
> GlassFish returns this error to synapse:
> sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>
> I think the error is due to the fact that some elements are not shared with
> glassfish, which cannot authenticate the message. I searched WSO2 for how to
> configure the keystore but I found nothing that can help me.
> Can you, please, give me a little explanation on how to set a secure
> conversation between synapse and a web service ?
> Thank you in advance,
> Sihem
>
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"


             

Re: RE : Re: configuring rampart

Posted by Ruwan Linton <ru...@gmail.com>.
Hi Sihem,

Find my comments in-line;

On Jan 16, 2008 2:44 PM, Sihem <st...@yahoo.fr> wrote:

> Hello Ruwan,
>
> 1) I use synapse as a proxy with http transport enabled:
> <proxy name="CalculatorProxy" trace="enable" transports="http">
> When I use transports="https", the connection with the client does not
> work at all.


On the client side you must set -Djavax.net.ssl.trustStore=<path to
trust.jks> and -Djavax.net.ssl.trustStorePassword=<password> for the actual
key stores used. Check samples/axis2Client/build.xml for more information.


> I found no way to configure synapse in order to use http between the
> client and synapse and https between synapse and the web service.


You could do this by pointing to the https endpoint of the server on the
endpoint definition. You will also need to import either your external
server's certificate or the certificate of the CA who signed it as a trusted
certificate entry to the trust.jks (e.g. keytool -import -alias <server_ca>
-v -trustcacerts -keystore trust.jks -file <server_ca>.der.cer)


>
> When I use transports="all", I have this error:
> 2008-01-16 10:09:55,380 [127.0.0.1-localhost.localdomain] [main]  WARN
> VFSTransportListener Error configuring the File/VFS transport for Service :
> CalculatorProxy :: Cannot find parameter : transport.vfs.FileURI for
> service : CalculatorProxy


This is because transport="all" implies that the newly added VFS transport
is also used when exposing the service, and it requires an additional
service parameter to configure the file location for it to communicate. So
this is acceptable.

>
> 2) When I start synapse, the following log lines are displayed:
> 2008-01-16 09:49:30,618 [127.0.0.1-localhost.localdomain] [main] DEBUG
> HttpCoreNIOSSLListener Loading Key Store from URL :
> file:/home/sihem/programs/synapse-1.1/lib/identity.jks
> 2008-01-16 09:49:30,632 [127.0.0.1-localhost.localdomain] [main] DEBUG
> HttpCoreNIOSSLListener Loading Trust Key Store from URL :
> file:/home/sihem/programs/synapse-1.1/lib/trust.jks
>
> Can you confirm that identity.jks contains the synapse certificate and
> trust.jks contains all the certificates of the certification authorities
> trusted by synapse?


Yes, you are correct.


>
> 3) I copied identity.jks into glassfish/domains/domain1/config/ and I
> restarted glassfish. But I still have the same exception.


Unless you are using 2-way SSL you will not need to configure anything on
your GlassFish server side in order to get the https working, I think. What
is the ws-sec provider implementation used by the GlassFish server (I don't
think Rampart can interoperate with GlassFish) and what is the policy file
you used on the GlassFish?


>
> 4) In policy_3.xml, store.jks is also used:
> <ramp:property name="org.apache.ws.security.crypto.merlin.file">repository/conf/sample/resources/security/store.jks</ramp:property>
> Can you explain what this file is intended for?


This policy states that ws-sec/rampart should be using the above
store.jks file for its signing and encryption purposes.

Thanks,
Ruwan


> You will find in attachment the synapse configuration I use.
> Thank you very much for your help!
> Sihem
>
>
> *Ruwan Linton <ru...@gmail.com>* wrote:
>
> Hi Sihem,
>
> Are you using https to talk to GlassFish? and also have you put the trust
> store (identity.jks) into the class path of the GlassFish server?
>
> If you did so, then can you send the policy that you are using on the
> GlassFish server to engage rampart.
>
> Can you please provide the above information so that we can help you in
> resolving this issue.
>
> Thanks,
> Ruwan
>
> On Jan 15, 2008 11:26 PM, Sihem wrote:
>
> > Hello,
> > I am trying to use WS-Security between synapse and the web service. I used
> > sample 100 and the policy file named policy_3.xml. It does not work because
> > I do not know how to configure rampart.
> > GlassFish returns this error to synapse:
> > sun.security.provider.certpath.SunCertPathBuilderException:
> > unable to find valid certification path to requested target
> >
> > I think the error is due to the fact that some elements are not shared with
> > glassfish, which cannot authenticate the message. I searched WSO2 for how to
> > configure the keystore but I found nothing that can help me.
> > Can you, please, give me a little explanation on how to set a secure
> > conversation between synapse and a web service ?
> > Thank you in advance,
> > Sihem
> >
> >
> >
>
>
>
> --
> Ruwan Linton
> http://www.wso2.org - "Oxygenating the Web Services Platform"
>
>
>



-- 
Ruwan Linton
http://www.wso2.org - "Oxygenating the Web Services Platform"