Problem with SOAP Input WS-Security signature verification
carle0051
Posted: Wed Oct 21, 2015 8:00 am    Post subject: Problem with SOAP Input WS-Security signature verification

Hello,

I'm using IIB 10.0.0.1 and I try to implement WS-Security UsernameToken signature verification on a simple SOAP Input node, but I get the following error during SOAP message processing:

CWWSS5514E: An exception while processing WS-Security message : com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6001E: Key object is not obtained

It seems that the broker cannot find the public key in the configured TrustStore in order to verify signature.

Here is some information about my test configuration:

1. My service WSDL

Code:
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
   name="TestService" targetNamespace="http://wsuichainingtest.etat.lu/TestService/"
   xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://wsuichainingtest.etat.lu/TestService/"
   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <wsdl:documentation>
      <wsdl:appinfo source="WMQI_APPINFO">
         <MRWSDLAppInfo imported="true">
            <binding hasEncoding="false" imported="true" name="TestServiceSOAP"
               originalBindingStyle="document" />
         </MRWSDLAppInfo>
      </wsdl:appinfo>
   </wsdl:documentation>

   <wsdl:types>
      <xsd:schema targetNamespace="http://wsuichainingtest.etat.lu/TestService/"
         xmlns:ibmSchExtn="http://www.ibm.com/schema/extensions">
         <xsd:include schemaLocation="TestService_InlineSchema1.xsd" />
      </xsd:schema>
      <xsd:schema>
         <xsd:import namespace="http://wsuichainingtest.etat.lu/TestService/"
            schemaLocation="TestService_InlineSchema1.xsd">
         </xsd:import>
      </xsd:schema>
   </wsdl:types>
   <wsdl:message name="processRequest">
      <wsdl:part element="tns:process" name="parameters" />
   </wsdl:message>
   <wsdl:message name="processResponse">
      <wsdl:part element="tns:processResponse" name="parameters" />
   </wsdl:message>
   <wsdl:portType name="TestService">
      <wsdl:operation name="process">
         <wsdl:input message="tns:processRequest" />
         <wsdl:output message="tns:processResponse" />
      </wsdl:operation>
   </wsdl:portType>
   <wsdl:binding name="TestServiceSOAP" type="tns:TestService">
      <soap:binding style="document"
         transport="http://schemas.xmlsoap.org/soap/http" />
      <wsdl:operation name="process">
         <soap:operation soapAction="http://wsuichainingtest.etat.lu/TestService/process" />
         <wsdl:input>
            <soap:body use="literal" />
         </wsdl:input>
         <wsdl:output>
            <soap:body use="literal" />
         </wsdl:output>
      </wsdl:operation>
   </wsdl:binding>
   <wsdl:service name="TestService">
      <wsdl:port binding="tns:TestServiceSOAP" name="TestServiceSOAP">
         <soap:address location="http://www.example.org/" />
      </wsdl:port>
   </wsdl:service>
</wsdl:definitions>


2. Example of SOAP message received by the SOAP Input node

Code:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soapenv:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsse:BinarySecurityToken wsu:Id="x509bst_20" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
MIIDijCCAnKgAwIBAAIEUlT/xjANBgkqhkiG9w0BAQUFADCBh
jEgMB4GCSqGSIb3DQEJARYRdGVzdC50ZXN0QGV0YXQubHUxCzAJBgNVBA
YTAkxVMRMwEQYDVQQIEwpMVVhFTUJPVVJHMRMwEQYDVQQHEwpMVVhFT
UJPVVJHMQ0wCwYDVQQKEwRDVElFMQ0wCwYDVQQLEwRDVElFMQ0wCwYD
VQQDEwRDVElFMB4XDTEzMTAwOTA3MDMzNFoXDTIzMTAwNzA3MDMzNFow
gYYxIDAeBgkqhkiG9w0BCQEWEXRlc3QudGVzdEBldGF0Lmx1MQswCQYDVQ
QGEwJMVTETMBEGA1UECBMKTFVYRU1CT1VSRzETMBEGA1UEBxMKTFVYRU
1CT1VSRzENMAsGA1UEChMEQ1RJRTENMAsGA1UECxMEQ1RJRTENMAsGA1
UEAxMEQ1RJRTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM
ZWXNVif+D5Co01Iq8IE8XzRF6aaPyfUrqE6vZZGAuUd+xzJia6tZdADH1yym
ZzvpzhFzR7knktJ1gsE9rnTnbqykqZgygwhopuWDT0bpR1vMpDc3bXW6KQq
W1IiJA8p7bNYnxhxpvF95blDp8mSgjaPsNfvN0rZi2O4vv8mmmtNd6+q8Vtw
wtydgXkux6f+izgQqjvYML5YjiHdedSOIT/tpLS9nnwnqkPP5kmfuhQX4zHT8u
8jkBLi+zEjhKt5KiGvP7EHaZOgwvyYE2GmRSy2aT30KzCChfVEOYZ9Q7QDI
wLycAAsOnjCduJwQERx4YJs8mxp1XugOcSV7lLHBcCAwEAATANBgkqhkiG9
w0BAQUFAAOCAQEARevnfLRwsnE2QdN2TId8uJsEDgBS73HsMhfkhi80Lhs2h
LBODsNI+Sd2EaW7ZLGpyOet0stOSNRa/TmYRy25avrZvlJZi+B217onqNfVrt
0lXroayOxxHd+sirxCuS5XsMsHDVnWO2ukv2ae3AgquETN9bK6VsFFDeVQpI
+M7WNPnfi4hvYrb0Tq9B0V2Ke2GYbxDHitPvkdUDDucbcDVNG6o8U5tkpJjKZ
LlyW4HbFF4xMyqiFOIqS9hxQedySDY+FexeMLmBhjBbaeQ9Cq/lRV69DqizJN
+iIYGmcu02x3sXq5ftRYxvtna9e5tBxLNnD78BDsupg9OiAAzIT0Yw==</wsse:BinarySecurityToken>
         <wsse:UsernameToken wsu:Id="TE-fp.gun">
            <wsse:Username>rnrpp-technical-user</wsse:Username>
            <wsse:Password Type="wsse:PasswordDigest">s89RBxLzpI1nnpoUVKkdCCxdsTY=</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">NzM3NDQ0MzM3MjA4Nzg2MjcyNDQ0ODUwODQ4MjQwMDk1OTc0Ng==</wsse:Nonce>
            <wsu:Created>2015-10-20T12:45:41Z</wsu:Created>
         </wsse:UsernameToken>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc soapenv wsa xsd ds xsi wsse wsu "/>
               </ds:CanonicalizationMethod>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#TE-fp.gun">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenc soapenv wsa xsd xsi wsse wsu "/>
                     </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>YrsxeclpfayFPAeFLwLDD/qHluI=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>GZUGAuH2SfO0msMH+fgQPuRkchdL5f/4AkddteooZb
WHE+zqQzprEiBr5WLAJj7A3Z7nxZZNULCTzzJC4wJUihK5Pu0Gjx0gvo2tNFC
qAOosNYAPDPwcL/D6J+6ixFrNrY4KHpV1CLXH+DzmRME7Ho2CN/8X0NOdC4
HPJnBqIWL9+SaCQ+BpqDHaMnRZp/vMZexvQ/H/ah4B/Q/aMhRgEwZ/Y2C7
SB3rUleMsdh3zlT9SpxZY6NqERzgRsQwbL4ZKar3BSfISkGpVFl9gCmy8Lv3N
4LLOHhiP0qIj/pwbkikyG9ZRB+AWFwE7e6a6Np4IlS9GdhxG9tkMqtLuedYjQ==</ds:SignatureValue>
            <ds:KeyInfo>
               <wsse:SecurityTokenReference>
                  <wsse:Reference URI="#x509bst_20" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#TE-fp.gun">
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>YrsxeclpfayFPAeFLwLDD/qHluI=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>KMtdhAJMkfOjj41oafx5E/toyREc1f1CwWJUbkMbGT+6
k8layjE/+FJm8oZ848fHQDTLV+Y139pYz2E7QvkQ+udmGXlGHkZIcIiTbHZE
4edyXmPgGZ+L22MshJyFswHaJI/mIgXVmsZqtrWPYdp5tz5clw2ouybcDtEW
qC0EtQmzQypRVxG/rvPQui+dt2RsjmEJNJqOYu1H+lUWxQJmekf9xZHRvrL+
MhicwvpOquHgsbdn6dx14QA0loMPIF13LOov0SMZRZNw5b05sjXmHmh7Cg
QqD2mb8hMcyYdP3znD2SpDCzrannBiR/ikHZDPAOdY1OkWMhI3SNSBr51v1
A==</ds:SignatureValue>
         </ds:Signature>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <out:process xmlns:out="http://wsuichainingtest.etat.lu/TestService/">
         <in>TestInput</in>
      </out:process>
   </soapenv:Body>
</soapenv:Envelope>


3. My policy configuration
4. My policy binding configuration
5. My TrustStore configuration at server level
Do you see something wrong in my example that could explain this error?

Best regards,
ganesh
Posted: Thu Oct 22, 2015 12:37 pm

A similar error has been reported for WAS; check the links below and share them with your organization's certificate authority if you think this might be the issue.

https://www01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/cwlp_wssec_cxf_issues.html

http://www-01.ibm.com/support/docview.wss?uid=swg1PM88011
carle0051
Posted: Sun Oct 25, 2015 11:55 pm

Solved: the problem was due to a double Signature in the Security header, one with the KeyInfo and the other without. The Signature without KeyInfo is thus not allowed.
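The condition the thread ended on (a second ds:Signature with no ds:KeyInfo, so the runtime has no token from which to obtain a verification key) can be caught before the message ever reaches the SOAP Input node's security handler. The following pre-flight check is an added example and not code from the original posts or from IIB: it walks the wsse:Security header, and reports every Signature whose KeyInfo is missing or whose SecurityTokenReference or signed-part URIs do not resolve to a wsu:Id present in the header. The sample envelope it runs on is constructed to mirror the thread's header shape; the token and signature values in it are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces as used in the thread's SOAP message.
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU_ID = "{%s}Id" % NS["wsu"]

def check_security_header(xml_text):
    """Return a list of problems; empty means every ds:Signature in wsse:Security has a
    KeyInfo whose token reference, and whose signed parts, resolve to a wsu:Id in the header."""
    root = ET.fromstring(xml_text)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    ids = {el.get(WSU_ID) for el in sec.iter() if el.get(WSU_ID)}  # possible reference targets
    problems = []
    for n, sig in enumerate(sec.findall("ds:Signature", NS), start=1):
        key_info = sig.find("ds:KeyInfo", NS)
        if key_info is None:  # the shape of the second Signature in the thread's message
            problems.append("Signature %d has no ds:KeyInfo" % n)
            continue
        ref = key_info.find("wsse:SecurityTokenReference/wsse:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        if not uri.startswith("#") or uri[1:] not in ids:
            problems.append("Signature %d: key reference %r does not resolve" % (n, uri))
        for r in sig.findall("ds:SignedInfo/ds:Reference", NS):  # the signed parts
            ruri = r.get("URI", "")
            if not ruri.startswith("#") or ruri[1:] not in ids:
                problems.append("Signature %d: signed part %r does not resolve" % (n, ruri))
    return problems

# Constructed sample shaped like the thread's header; token and signature values
# are placeholders, not the real ones from the post.
SIG_WITH_KEYINFO = (
    '<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#TE-fp.gun"/></ds:SignedInfo>'
    '<ds:SignatureValue>AAAA</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference>'
    '<wsse:Reference URI="#x509bst_20"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>'
    % NS["ds"])
SIG_WITHOUT_KEYINFO = (
    '<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#TE-fp.gun"/></ds:SignedInfo>'
    '<ds:SignatureValue>BBBB</ds:SignatureValue></ds:Signature>' % NS["ds"])

def sample_envelope(signatures):
    # Header with a BinarySecurityToken and a UsernameToken, then the given Signatures.
    return ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header><wsse:Security xmlns:wsse="%s"'
            ' xmlns:wsu="%s"><wsse:BinarySecurityToken wsu:Id="x509bst_20">MIID...'
            '</wsse:BinarySecurityToken><wsse:UsernameToken wsu:Id="TE-fp.gun"><wsse:Username>'
            'user</wsse:Username></wsse:UsernameToken>%s</wsse:Security></soapenv:Header>'
            '<soapenv:Body/></soapenv:Envelope>' % (NS["soapenv"], NS["wsse"], NS["wsu"], "".join(signatures)))
```

Running the check over a message with both Signatures reports only the second one, which is the element the thread's fix removed.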