2 Replies Latest reply on Apr 24, 2014 4:46 AM by Petr Hunka

    WS Security - Could not locate certificate by key identifier

    Andrés Andina Newbie

      Hi everyone,

       

      I don't know if this question has been asked before (it seems so, but there was almost no answers for it). Anyway, I've the following problem:

       

      As I'm trying to use WS Security with signed request/response soap messages, therefore I've included jks keystores/truststores in both client and server side. I'm using soap-ui to test my WS with some Outgoing WS-Security Configuration. Then, I suspect the issues could be arising in the keystore/trustore (both in client and server side) and wsse.xml file in server side. I must add that I'm creating keystore/trustores through KeyTool IUI.

       

      These are the corner-stones of my client-server pair.

       

      1) Keystore/trustore in client side

       

      Both are included in the same jks. The content of this file is the following:

       

      * Client private & public key

      * Client trusted certificate (.cer file)

      * Server trusted certificate (.cer file)

       

      2) Soap-ui Outgoing WS-Security Configuration

       

      keystore: client.jks

      alias: client-private

      password: pass

      key identifier type: Subject key identifier

       

      3) Keystore/trustore in server side

       

      Same as in client side: both keystore and trustore contained in the same jks. This is placed in META-INF folder, inside an external jar (I mean, META-INF folder is not included in the project ear itself, but inside an external jar that is included into the correspondent ear).

       

      * Server private & public key

      * Server trusted certificate (.cer file)

      * Client trusted certificate (.cer file)

       

      4) wsse.xml in server side

       

      It's placed in META-INF, same folder of server side keystore/trustore jks.


      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"
                version="1.0">
        <key-store-file>META-INF/ws-keystore-truststore.jks</key-store-file>
        <key-store-password>pass</key-store-password>
        <key-store-type>JKS</key-store-type>
        <trust-store-file>META-INF/ws-keystore-truststore.jks</trust-store-file>
        <trust-store-password>pass</trust-store-password>
        <trust-store-type>JKS</trust-store-type>
        <config>
          <sign type="x509v3" alias="server-private"/>
          <encrypt type="x509v3" alias="client-public"/>
          <requires>
            <signature/>
            <encryption/>
          </requires>
        </config>
      </jboss-ws-security>
      
      

       

      This is the stacktrace I'm getting after invoking WS with security enabled.

       

      16:42:34,834 ERROR [WSSecurityDispatcher] Internal error occured handling inbound message:
      org.jboss.ws.extensions.security.exception.SecurityTokenUnavailableException: Could not locate certificate by key identifier
        at org.jboss.ws.extensions.security.KeyResolver.resolveKeyIdentifier(KeyResolver.java:116)
        at org.jboss.ws.extensions.security.KeyResolver.resolve(KeyResolver.java:89)
        at org.jboss.ws.extensions.security.KeyResolver.resolveCertificate(KeyResolver.java:131)
        at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:141)
        at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:161)
        at org.jboss.ws.extensions.security.element.Signature.<init>(Signature.java:56)
        at org.jboss.ws.extensions.security.element.SecurityHeader.<init>(SecurityHeader.java:87)
        at org.jboss.ws.extensions.security.SecurityDecoder.decode(SecurityDecoder.java:175)
        at org.jboss.ws.extensions.security.WSSecurityDispatcher.decodeMessage(WSSecurityDispatcher.java:219)
        at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:83)
        at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleInbound(WSSecurityHandlerServer.java:41)
        at org.jboss.ws.core.jaxws.handler.GenericHandler.handleMessage(GenericHandler.java:55)
        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:295)
        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:140)
        at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:97)
        at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:127)
        at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:171)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:466)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:284)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:201)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:134)
        at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:84)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
        at java.lang.Thread.run(Thread.java:595)
      16:42:34,862 ERROR [HandlerChainExecutor] Exception during handler processing
      org.jboss.ws.core.CommonSOAPFaultException: Could not locate certificate by key identifier
        at org.jboss.ws.extensions.security.WSSecurityDispatcher.convertToFault(WSSecurityDispatcher.java:100)
        at org.jboss.ws.extensions.security.WSSecurityDispatcher.decodeMessage(WSSecurityDispatcher.java:237)
        at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:83)
        at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleInbound(WSSecurityHandlerServer.java:41)
        at org.jboss.ws.core.jaxws.handler.GenericHandler.handleMessage(GenericHandler.java:55)
        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:295)
        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:140)
        at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:97)
        at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:127)
        at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:171)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:466)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:284)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:201)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:134)
        at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:84)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
        at java.lang.Thread.run(Thread.java:595)
      16:42:34,863 ERROR [SOAPFaultHelperJAXWS] SOAP request exception
      javax.xml.ws.WebServiceException: org.jboss.ws.core.CommonSOAPFaultException: Could not locate certificate by key identifier
        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.processHandlerFailure(HandlerChainExecutor.java:276)
        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:155)
        at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:97)
        at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:127)
        at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:171)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:466)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:284)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:201)
        at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:134)
        at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:84)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
        at java.lang.Thread.run(Thread.java:595)
      Caused by: org.jboss.ws.core.CommonSOAPFaultException: Could not locate certificate by key identifier
        at org.jboss.ws.extensions.security.WSSecurityDispatcher.convertToFault(WSSecurityDispatcher.java:100)
        at org.jboss.ws.extensions.security.WSSecurityDispatcher.decodeMessage(WSSecurityDispatcher.java:237)
        at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:83)
        at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleInbound(WSSecurityHandlerServer.java:41)
        at org.jboss.ws.core.jaxws.handler.GenericHandler.handleMessage(GenericHandler.java:55)
        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:295)
        at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:140)
        ... 27 more
      
      

       

      I would like to add that I've got no JAXWS.xml file, is this mandatory?

       

      Thanks in advance,

        • 1. Re: WS Security - Could not locate certificate by key identifier
          Petr Hunka Newbie

          Hi,

           

          any luck? I have exactly the same problem with wss encryption. I even tried to setup example from book JBoss in Action - only server side, client is SoapUI, and still with no luck. I also changed keyInfo-SecurityTokenReference to IssuerSerial and SerialNumber and still nothing.. Any advice would be very appreciated..

           

          Log from JBoss 5.0.1.GE with jdk_1.6

           

          20:33:26,579 DEBUG [Init] Now I try to bind prefixes:
          20:33:26,581 DEBUG [Init] Now I try to bind ds to http://www.w3.org/2000/09/xmldsig#
          20:33:26,581 DEBUG [Init] Now I try to bind xenc to http://www.w3.org/2001/04/xmlenc#
          20:33:26,581 DEBUG [Init] Now I try to bind experimental to http://www.xmlsecurity.org/experimental#
          20:33:26,581 DEBUG [Init] Now I try to bind dsig-xpath-old to http://www.w3.org/2002/04/xmldsig-filter2
          20:33:26,581 DEBUG [Init] Now I try to bind dsig-xpath to http://www.w3.org/2002/06/xmldsig-filter2
          20:33:26,581 DEBUG [Init] Now I try to bind ec to http://www.w3.org/2001/10/xml-exc-c14n#
          20:33:26,581 DEBUG [Init] Now I try to bind xx to http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/#xpathFilter
          20:33:26,581 DEBUG [Init] XX_init                             98 ms
          20:33:26,581 DEBUG [Init]   XX_prng                           0 ms
          20:33:26,581 DEBUG [Init]   XX_parsing                        4 ms
          20:33:26,581 DEBUG [Init]   XX_configure_i18n                 3 ms
          20:33:26,581 DEBUG [Init]   XX_configure_reg_c14n             19 ms
          20:33:26,581 DEBUG [Init]   XX_configure_reg_jcemapper        4 ms
          20:33:26,581 DEBUG [Init]   XX_configure_reg_keyInfo          7 ms
          20:33:26,581 DEBUG [Init]   XX_configure_reg_keyResolver      11 ms
          20:33:26,581 DEBUG [Init]   XX_configure_reg_prefixes         2 ms
          20:33:26,581 DEBUG [Init]   XX_configure_reg_resourceresolver 9 ms
          20:33:26,581 DEBUG [Init]   XX_configure_reg_sigalgos         24 ms
          20:33:26,581 DEBUG [Init]   XX_configure_reg_transforms       15 ms
          20:33:26,587 DEBUG [SOAPContentElement] -----------------------------------
          20:33:26,587 DEBUG [SOAPContentElement] Transitioning from XML_VALID to DOM_VALID
          20:33:26,587 DEBUG [SOAPContentElement] -----------------------------------
          20:33:26,594 DEBUG [XMLCipher] Getting XMLCipher for no transformation...
          20:33:26,594 DEBUG [XMLCipher] Constructing XMLCipher...
          20:33:26,607 DEBUG [XMLCipher] Loading encrypted key...
          20:33:26,607 DEBUG [XMLCipher] XMLCipher unexpectedly not in UNWRAP_MODE or DECRYPT_MODE...
          20:33:26,613 DEBUG [ElementProxy] setElement("ds:KeyInfo", "null")
          20:33:26,622 ERROR [WSSecurityDispatcher] Internal error occured handling inbound message:
          org.jboss.ws.extensions.security.exception.SecurityTokenUnavailableException: Could not locate certificate by issuer and serial number
          
          
          • 2. Re: WS Security - Could not locate certificate by key identifier
            Petr Hunka Newbie

            Hi all,

             

            I found issue and solution how to fix it. SoapUI is trimming IssuerName String and when JBoss do the lookup in truststore with IssuerName from message he is not able to find it. Mechanism is simple iteration and testing string equality. I show you example ->

             

            Certificate is like this (keytool -list -v -keystore wss.truststore):

            CN=test-keys, OU=corp, O=Fujitsu, C=CZ

             

            JBoss is expecting this:

            <ds:X509IssuerName>CN=test-keys, OU=corp, O=Fujitsu, C=CZ</ds:X509IssuerName>

             

            SoapUI is sending this:

            <ds:X509IssuerName>CN=test-keys,OU=corp,O=Fujitsu,C=CZ</ds:X509IssuerName>

             

            Solution is simple. You need create your own test client -> use wsrunclient from jboss, or us stubx interface or manually setup SoapUI message with correct IssuerName String.


            Cheers,

            Petr