Ws-Security, Encryption, .Net -> JBoss interoperability (HEL
kristof.taveirne Oct 6, 2006 6:19 AM
Hi,
I have a .Net client that's talking to a web service running on jbossws.
It's a simple hello world right now for testing purposes.
What I'm trying to add to this service is the following.
- Authentication + Signing using a client certificate
- Encryption using the server's public key
I've been playing around a bit and here is how far I am right now:
The jboss-wsse-server.xml file is simple and straightforward:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
  <key-store-file>WEB-INF/MyKeystore</key-store-file>
  <key-store-password>####</key-store-password>
  <trust-store-file>WEB-INF/MyTruststore</trust-store-file>
  <trust-store-password>####</trust-store-password>
  <config>
    <requires>
      <encryption />
      <signature/>
    </requires>
  </config>
</jboss-ws-security>
The policy in my .Net client like this.
This is a WSE 3.0 policy file wse3policyCache.config:
<policy name="test">
  <mutualCertificate11Security establishSecurityContext="false"
                               renewExpiredSecurityContext="true"
                               requireSignatureConfirmation="false"
                               messageProtectionOrder="SignBeforeEncrypt"
                               requireDerivedKeys="false"
                               ttlInSeconds="300">
    <clientToken>
      <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=user1" findType="FindBySubjectDistinguishedName" />
    </clientToken>
    <serviceToken>
      <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=MyServer" findType="FindBySubjectDistinguishedName" />
    </serviceToken>
    <protection>
      <request signatureOptions="IncludeSoapBody" encryptBody="true" />
      <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      <fault signatureOptions="IncludeSoapBody" encryptBody="false" />
    </protection>
  </mutualCertificate11Security>
  <requireActionHeader />
</policy>
For simplicity I left the addressing and timestamp out of the signature, because I expect that this is what JBoss does.
I have a keystore and truststore on the server side.
I've created a private/public key pair using Sun's keytool and I exported the certificate for the clients to use. The certificates of the client are generated by a CA on Windows 2003 Server. I've imported the certificates into the keystore using a basic keytool -import -keystore ... -alias ... -file command.
The error I get in JBoss is
12:10:57,337 ERROR [WSSecurityDispatcher] Internal error occured handling inbound message: org.jboss.ws.wsse.SecurityTokenUnavailableException: Could not locate certificate by key identifier
        at org.jboss.ws.wsse.KeyResolver.resolveKeyIdentifier(KeyResolver.java:114)
        at org.jboss.ws.wsse.KeyResolver.resolve(KeyResolver.java:87)
        at org.jboss.ws.wsse.KeyResolver.resolveCertificate(KeyResolver.java:129)
        at org.jboss.ws.wsse.KeyResolver.resolvePrivateKey(KeyResolver.java:144)
        at org.jboss.ws.wsse.KeyResolver.resolvePrivateKey(KeyResolver.java:164)
        at org.jboss.ws.wsse.element.EncryptedKey.<init>(EncryptedKey.java:90)
Is there anyone who has some experience with this?
I would appreciate any help/advice I can get.
Thanks in advance,
Kristof Taveirne
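The stack trace above fails while the server resolves its own private key from the key identifier the client placed in the EncryptedKey, so the first thing to check is what key identifiers the server keystore can actually answer to. The following Java program is an added diagnostic, not code from the post or from JBossWS: it lists every alias in a keystore with whether it holds a private key and its certificate's SubjectKeyIdentifier in base64, which is the value a wsse:KeyIdentifier of type X509SubjectKeyIdentifier carries, so its output for WEB-INF/MyKeystore can be compared against the KeyIdentifier in the inbound SOAP message. The class name, the command-line usage and the single-byte DER length handling are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;

/** Lists every keystore alias with its certificate's SubjectKeyIdentifier, base64-encoded
 *  as it appears in a WS-Security wsse:KeyIdentifier of type X509SubjectKeyIdentifier. */
public class ListSubjectKeyIdentifiers {

    private static final String SKI_OID = "2.5.29.14"; // X.509 SubjectKeyIdentifier extension

    /** Returns the raw SKI bytes, or null when the certificate has no SKI extension. */
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(SKI_OID);
        if (ext == null) {
            return null;
        }
        // getExtensionValue() returns a DER OCTET STRING wrapping the extension value, and the
        // SKI value is itself an OCTET STRING inside it. Both are short (< 128 bytes), so each
        // header is one tag byte plus one length byte (assumption: no long-form lengths).
        int skiLen = ext[3] & 0xff;
        byte[] ski = new byte[skiLen];
        System.arraycopy(ext, 4, ski, 0, skiLen);
        return ski;
    }

    public static void main(String[] args) throws Exception {
        // Usage (assumed): java ListSubjectKeyIdentifiers WEB-INF/MyKeystore <password> [JKS|PKCS12]
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            byte[] ski = subjectKeyIdentifier(cert);
            // A key entry whose certificate prints SKI=(none) cannot be matched by an SKI lookup.
            System.out.printf("%-12s privateKey=%-5b subject=%s SKI=%s%n", alias, ks.isKeyEntry(alias),
                cert.getSubjectX500Principal().getName(),
                ski == null ? "(none)" : Base64.getEncoder().encodeToString(ski));
        }
    }
}
```

If the alias that holds the server's private key prints SKI=(none), or an SKI that differs from the one in the client's EncryptedKey, the resolver has nothing to match and the error above is expected.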