WS security Using Soap Nodes
LazyBoy
Posted: Sun May 03, 2009 9:29 pm    Post subject: WS security Using Soap Nodes

Voyager

Joined: 04 May 2006
Posts: 78

Hi,

Can anyone help me out with where I can find documentation on WS security using soap nodes? I need to implement Username token encryption in the soap header and soap message body encryption. I looked it up on the infocenter, but it's not very clear on how to implement a username token.

I also found this developerWorks article, but this doesn't talk about username and password encryption.

http://www.ibm.com/developerworks/webservices/library/ws-security/index.html#fig6

Anyone, please help.
LazyBoy
Posted: Mon May 04, 2009 7:38 am

Voyager

Joined: 04 May 2006
Posts: 78

This is my scenario:

I need to invoke a webservice provider.

The request message to service provider looks something like this:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <xenc:EncryptedKey Id="EncKeyId-18812056">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></xenc:EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=pubcert</ds:X509IssuerName>
                <ds:X509SerialNumber>78787987</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>CipherValue</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncDataId-13071600"></xenc:DataReference>
          <xenc:DataReference URI="#EncDataId-12448342"></xenc:DataReference>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <xenc:EncryptedData Id="EncDataId-13071600" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
        <xenc:CipherData>
          <xenc:CipherValue>CipherValue</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData Id="EncDataId-12448342" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
      <xenc:CipherData>
        <xenc:CipherValue>CipherValue=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>

Please help me out guys, how do I approach this?

I am thinking of two options here:

1) Use Java compute node to build this complete message.
2) Using Soap Request node by configuring Policy set and binding.

Currently I have started using Soap Nodes, evaluating if this can be achieved. I am facing a few errors after creating a username token using the policy sets editor:


The Exception is:

'org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: Broker security manager failed to provide a username'

The SOAP nodes are built on top of the broker WS-Security layer, and this layer has returned a configuration exception, the text of which is included in the message.

A UsernameToken is required by the configuration of the WS-Security layer, but the broker security manager has not provided a username.

The WS-Security layer is trying to create a UsernameToken, and needs a username to do so. Common causes are:
1: No username has been provided in the Properties folder of the message tree passed into the node. One of IdentitySourceToken or IdentityMappedToken should be provided.
2: Identity propagation is not enabled for this node. This is controlled by the security profile associated with the node.


Now my question is: can I achieve this username token encryption using soap request nodes?

But as per this link, it says it is not possible. Please shower your inputs.

http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=/com.ibm.etools.mft.doc/ac56360_.htm
mqjeff
Posted: Mon May 04, 2009 7:47 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

That doesn't look like a Username token to me. That looks like an X.509 Certificate token.
LazyBoy
Posted: Mon May 04, 2009 7:59 am

Voyager

Joined: 04 May 2006
Posts: 78

Hi mqjeff,

Thanks for your reply. To be honest, I am really not sure whether it is a username token or an x509 token.

But the specs from my webservice provider say:

For Request:

1. The soap body and username token is to be encrypted. The password type embedded in Username token is of type text.
2. No signature is added.
3. The Key Encryption Method Algorithm is "http://www.w3.org/2001/04/xmlenc#rsa-1_5".
4. The X509 certificate information is to be embedded in the element of SecurityTokenReference using X509IssuerName and X509SerialNumber.
5. The EncryptionMethod Algorithm for Encrypted key is "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
6. The EncryptionMethod Algorithm for Encrypting the body and Username Token is "http://www.w3.org/2001/04/xmlenc#aes128-cbc".

Reading the first and second points, I concluded it is a username token. Please help me figure out whether it is a username token or an x509 certificate token.
mqjeff
Posted: Mon May 04, 2009 8:41 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

It's an X509 Token.

Do not try to treat it like a Username token. Do not try to configure Message Broker or your flow as if it was a Username token.
LazyBoy
Posted: Mon May 04, 2009 12:23 pm

Voyager

Joined: 04 May 2006
Posts: 78

Hi mqjeff,

Thank you for your reply.

My webservice provider developer says it is a username token, where the username token is encrypted in the Soap header:

<xenc:CipherData>
<xenc:CipherValue>CipherValue</xenc:CipherValue>
</xenc:CipherData>

I am confused about how to go ahead with this requirement. Please help me out.