WSSecurity problem: Could not locate certificate by key iden
kosulin Aug 19, 2008 3:44 PM
We use WS-Security over https (java 6, jboss 5.0CR1, jbossws core 3.0.2). The client is java 6 (Sun XWSS). The server uses a real production certificate, the client a self-signed one (I was told it was created with openssl, not keytool). The request is successfully validated during the SSL handshake using CLIENT-CERT, and authorized with JAAS. This means that on the java.security.cert level the server is able to recognize and authenticate the certificate as a valid one (compared to the truststore). However, on the WS-Security level we get an exception. Below is the trace. What is wrong with the key identifier? Thanks.
2008-08-19 15:20:14,592 TRACE [org.jboss.ws.core.jaxws.handler.HandlerChainExecutor] (http-0.0.0.0-8443-1:) BEFORE handleRequest - org.jboss.wsf.framework.invocation.RecordingServerHandler@17a08d4
<S:Envelope xmlns:S='http://schemas.xmlsoap.org/soap/envelope/'>
<S:Header>
<wsse:Security S:mustUnderstand='1' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
<wsu:Timestamp wsu:Id='XWSSGID-12191736147481681242501' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
<wsu:Created>2008-08-19T19:20:14Z</wsu:Created>
<wsu:Expires>2008-08-19T19:25:14Z</wsu:Expires>
</wsu:Timestamp>
<ds:Signature Id='XWSSGID-12191736146031743555814' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
<ds:Reference URI='#XWSSGID-1219173614748711119660' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
<ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>D5VC3nxO1mCHdvlx3ZlL+pKVOMo=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI='#XWSSGID-12191736147481681242501' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/>
<ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>sl1ERXikaFn0w4iWQtKnNS2dYuE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>d4zmVhrNWDjNqSQ8tHXH7iEUAKj0pmnFwkbTWdyQEiCRry4INKT4lZpVnNG6qcsKMM+fh1CPOyd4
eHCZYOZjdpFhPYEIbfBzjZuiOkrnXmwIVm43bS7bCW+R9xELJ67cgldJL03G9ntcdsOo3I/vxEGn
BRZm4siJbM2VbUrtLfE=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference wsu:Id='XWSSGID-12191736147371393264612' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
<wsse:KeyIdentifier EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier'>VsF5XAhG06l2TVSo6RafX5b9epw=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
<S:Body wsu:Id='XWSSGID-1219173614748711119660' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
<ns2:GetAllStatementList xmlns:ns2='http://www.wsc.com/'>
test
0
sm0
2007
TX10000976
</ns2:GetAllStatementList>
</S:Body>
</S:Envelope>
2008-08-19 15:20:14,592 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) put: APPLICATION:org.jboss.ws.allow.expand.dom=true
2008-08-19 15:20:14,592 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) get(javax.xml.ws.handler.message.outbound): APPLICATION:javax.xml.ws.handler.message.outbound=false
2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.jaxws.handler.HandlerChainExecutor] (http-0.0.0.0-8443-1:) AFTER handleRequest - org.jboss.wsf.framework.invocation.RecordingServerHandler@17a08d4: unchanged
2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes
2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.jaxws.handler.HandlerChainExecutor] (http-0.0.0.0-8443-1:) BEFORE handleRequest - WSSecurity Handler: unchanged
2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) put: APPLICATION:org.jboss.ws.allow.expand.dom=true
2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) get(javax.xml.ws.handler.message.outbound): APPLICATION:javax.xml.ws.handler.message.outbound=false
2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) get(javax.xml.ws.addressing.context.inbound): null
2008-08-19 15:20:14,594 DEBUG [org.jboss.ws.core.soap.SOAPMessageDispatcher] (http-0.0.0.0-8443-1:) getDispatchDestination: {http://www.wsc.com/}GetAllStatementList
2008-08-19 15:20:14,594 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.keystore
2008-08-19 15:20:14,594 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.keystore
2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password
2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password
2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password
2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password
2008-08-19 15:20:14,595 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.truststore
2008-08-19 15:20:14,595 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.truststore
2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password
2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password
2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password
2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password
2008-08-19 15:20:14,596 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getFirstChild
2008-08-19 15:20:14,596 ERROR [org.jboss.ws.extensions.security.WSSecurityDispatcher] (http-0.0.0.0-8443-1:) Internal error occured handling inbound message:
org.jboss.ws.extensions.security.exception.SecurityTokenUnavailableException: Could not locate certificate by key identifier
at org.jboss.ws.extensions.security.KeyResolver.resolveKeyIdentifier(KeyResolver.java:116)
at org.jboss.ws.extensions.security.KeyResolver.resolve(KeyResolver.java:89)
at org.jboss.ws.extensions.security.KeyResolver.resolveCertificate(KeyResolver.java:131)
at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:141)
at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:161)
at org.jboss.ws.extensions.security.element.Signature.(Signature.java:60)
at org.jboss.ws.extensions.security.element.SecurityHeader.(SecurityHeader.java:87)
at org.jboss.ws.extensions.security.SecurityDecoder.decode(SecurityDecoder.java:192)
at org.jboss.ws.extensions.security.WSSecurityDispatcher.decodeMessage(WSSecurityDispatcher.java:105)
at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:83)
at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleInbound(WSSecurityHandlerServer.java:41)
at org.jboss.wsf.common.handler.GenericHandler.handleMessage(GenericHandler.java:55)
at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:295)
at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:140)
at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:97)
at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:127)
at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:171)
at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:466)
at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:284)
at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:201)
at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:134)
at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:84)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:183)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:189)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:90)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:96)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:325)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Unknown Source)
Some service config details:
--------------------------
@WebService(name = "Statements", targetNamespace = "http://www.wsc.com/", serviceName = "StatementsService", portName = "StatementsPort")
@EndpointConfig(configName = "Standard WSSecurity Endpoint")
@SOAPBinding(style = SOAPBinding.Style.DOCUMENT, parameterStyle = SOAPBinding.ParameterStyle.WRAPPED)
@MTOM(enabled = true)
@BindingType(value = "http://schemas.xmlsoap.org/wsdl/soap/http?mtom=true")
@WebContext(secureWSDLAccess = true)
@SecurityDomain("CPPortal2WSCert")
@DeclareRoles( {"statements-client"})
@RolesAllowed( {"statements-client"})
public class StatementService
------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>statements</display-name>
<servlet>
<servlet-name>Statements</servlet-name>
<servlet-class>com.wsc.cp.web.statements.StatementService</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Statements</servlet-name>
<url-pattern>/statements</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Statements</web-resource-name>
<url-pattern>/statements</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
----------------------------------
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/ws-security/config
http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
<key-store-file>WEB-INF/cpportal2.keystore</key-store-file>
<key-store-password>password</key-store-password>
<key-store-type>jks</key-store-type>
<trust-store-file>WEB-INF/cpportal2.truststore</trust-store-file>
<trust-store-password>password</trust-store-password>
<trust-store-type>jks</trust-store-type>
<timestamp-verification createdTolerance="5" warnCreated="true" expiresTolerance="10" warnExpires="true" />
<!-- -->
<!-- -->
</jboss-ws-security>
----------------------------------
CN\=test.client=statements-client
-------------------------------------------
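As an added diagnostic (not from the post and not JBossWS code): a Java 6-compatible program that opens the server's truststore and reports, for each entry, whether the certificate carries a SubjectKeyIdentifier extension (OID 2.5.29.14) and whether its value equals the base64 KeyIdentifier from the header above. It assumes that an X509SubjectKeyIdentifier reference is resolved by comparing it with that extension's value in truststore entries, as the WS-Security X.509 Token Profile specifies; the class name SkiTruststoreCheck, the argument layout and the use of javax.xml.bind.DatatypeConverter (present in Java 6 to 10) are this example's own choices.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.xml.bind.DatatypeConverter; // Java 6-10; on Java 8+ java.util.Base64 works as well

/** Hypothetical helper: lists which truststore entries carry the SKI referenced in the WS-Security header. */
public class SkiTruststoreCheck {

    private static final String SKI_OID = "2.5.29.14";

    /** Strips one DER OCTET STRING header. Short-form length only, which covers a 20-byte SKI. */
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || der[0] != 0x04 || (der[1] & 0x80) != 0) {
            throw new IllegalArgumentException("not a short-form DER OCTET STRING");
        }
        int len = der[1] & 0xFF;
        if (der.length < 2 + len) throw new IllegalArgumentException("truncated OCTET STRING");
        return Arrays.copyOfRange(der, 2, 2 + len);
    }

    /** Raw keyIdentifier of the SKI extension, or null when the certificate has no such extension. */
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(SKI_OID);
        if (ext == null) return null;
        // getExtensionValue() returns the extnValue OCTET STRING; for SKI its content is another OCTET STRING.
        return unwrapOctetString(unwrapOctetString(ext));
    }

    /** Usage: java SkiTruststoreCheck <truststore.jks> <password> [base64 KeyIdentifier from the header] */
    public static void main(String[] args) throws Exception {
        String wanted = args.length > 2 ? args[2] : "VsF5XAhG06l2TVSo6RafX5b9epw="; // value from the trace above
        byte[] wantedBytes = DatatypeConverter.parseBase64Binary(wanted);

        KeyStore ts = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(args[0]);
        try { ts.load(in, args[1].toCharArray()); } finally { in.close(); }

        boolean found = false;
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ts.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            byte[] ski = subjectKeyIdentifier(cert);
            String status = ski == null ? "NO SubjectKeyIdentifier extension"
                    : Arrays.equals(ski, wantedBytes) ? "MATCHES header KeyIdentifier"
                    : "SKI " + DatatypeConverter.printBase64Binary(ski) + " (no match)";
            System.out.println(alias + " [" + cert.getSubjectX500Principal() + "]: " + status);
            found |= ski != null && Arrays.equals(ski, wantedBytes);
        }
        System.out.println(found ? "resolvable by SKI" : "no entry resolvable by this KeyIdentifier");
    }
}
```

An entry reported without the extension cannot be matched by an X509SubjectKeyIdentifier reference at all, however cleanly it validates during the TLS handshake, which is a separate lookup against the same truststore.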