njacobsen
Posted: Fri Mar 18, 2016 2:34 am Post subject: WS-Security exception: Broker can't find the certificate
Newbie, Joined: 18 Mar 2016, Posts: 5
I have a flow that's exposing a web service using SOAP nodes in IIB v9.0.0.2. I've created and linked a policy set and policy set binding that requires incoming requests to be authenticated and signed with X.509 certificates. The keystore is properly configured and contains the X.509 certificate.
Whenever I send a signed request using SoapUI, I get the below error from IIB:
ImbX509ConsumeLoginModule: Broker can't find the certificate
Where can't the broker find the certificate? In the keystore or in the request?
I've also created an IIB consumer flow that sends the request to the provider flow and I get the exact same message.
Any ideas?
Gralgrathor
Posted: Fri Mar 18, 2016 2:39 am Post subject:
Master, Joined: 23 Jul 2009, Posts: 297
Good morning. Could you post a complete trace of the exception? I won't be suggesting a solution, but it would make it a bit easier for me to follow what's happening.
_________________ A measure of wheat for a penny, and three measures of barley for a penny; and see thou hurt not the oil and the wine.
njacobsen
Posted: Fri Mar 18, 2016 2:41 am Post subject:
Newbie, Joined: 18 Mar 2016, Posts: 5
Hi. Here's the complete stack trace:
Code:
CWWSS5506E: All the attempts based on each SigningInfo failed. The last exception is {0}: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: ImbX509ConsumeLoginModule: Broker can't find the certificate</faultstring><detail><Exception>org.apache.axis2.AxisFault: CWWSS5506E: All the attempts based on each SigningInfo failed. The last exception is {0}: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: ImbX509ConsumeLoginModule: Broker can't find the certificate
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:131)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler._invoke(WSSecurityConsumerHandler.java:537)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.invoke(WSSecurityConsumerHandler.java:236)
at org.apache.axis2.handlers.AbstractHandler.invoke_stage2(AbstractHandler.java:133)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:343)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:360)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:195)
at com.ibm.broker.axis2.Axis2Invoker.processInboundRequest(Axis2Invoker.java:3624)
at com.ibm.broker.axis2.Axis2Invoker.invokeAxis2(Axis2Invoker.java:3166)
at com.ibm.broker.axis2.TomcatNodeRegistrationUtil.invokeAxis2(TomcatNodeRegistrationUtil.java:669)
at com.ibm.broker.axis2.TomcatNodeRegistrationUtil.invokeAxis2(TomcatNodeRegistrationUtil.java:615)
Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5506E: All the attempts based on each SigningInfo failed. The last exception is {0}: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: ImbX509ConsumeLoginModule: Broker can't find the certificate
at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:68)
at com.ibm.ws.wssecurity.core.WSSConsumer.callSignatureConsumer(WSSConsumer.java:2884)
at com.ibm.ws.wssecurity.core.WSSConsumer.invoke(WSSConsumer.java:862)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:110)
... 11 more
Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6521E: The Login failed because of an exception: com.ibm.broker.axis2.MbSoapLoginException: ImbX509ConsumeLoginModule: Broker can't find the certificate
at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:137)
at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.getSoapSecurityException(CommonTokenConsumer.java:586)
at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:481)
at com.ibm.ws.wssecurity.wssapi.CommonContentConsumer.invokeTokenConsumer(CommonContentConsumer.java:679)
at com.ibm.ws.wssecurity.wssapi.CommonContentConsumer.getKey(CommonContentConsumer.java:323)
at com.ibm.ws.wssecurity.keyinfo.KeyInfoConsumer.getKey(KeyInfoConsumer.java:200)
at com.ibm.ws.wssecurity.dsig.SignatureConsumer.callKeyInfoConsumer(SignatureConsumer.java:1140)
at com.ibm.ws.wssecurity.dsig.SignatureConsumer.callKeyInfoConsumer(SignatureConsumer.java:1104)
at com.ibm.ws.wssecurity.dsig.SignatureConsumer.invoke(SignatureConsumer.java:272)
at com.ibm.ws.wssecurity.core.WSSConsumer.callSignatureConsumer(WSSConsumer.java:2924)
at com.ibm.ws.wssecurity.core.WSSConsumer.callSignatureConsumer(WSSConsumer.java:2827)
... 13 more
Caused by: ImbX509ConsumeLoginModule: Broker can't find the certificate
at com.ibm.broker.wssecurity.ImbX509ConsumeLoginModule.login(ImbX509ConsumeLoginModule.java:91)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:618)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:781)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:215)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:706)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:704)
at java.security.AccessController.doPrivileged(AccessController.java:366)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:609)
at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:457)
... 21 more
Caused by: javax.security.auth.login.LoginException: ImbX509ConsumeLoginModule: Broker can't find the certificate
at com.ibm.broker.wssecurity.ImbX509ConsumeLoginModule.login(ImbX509ConsumeLoginModule.java:71)
... 33 more
fjb_saper
Posted: Fri Mar 18, 2016 4:47 am Post subject: Re: WS-Security exception: Broker can't find the certificate
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
njacobsen wrote:
The keystore is properly configured and contains the X.509 certificate.
Whenever I send a signed request using SoapUI, I get the below error from IIB:
ImbX509ConsumeLoginModule: Broker can't find the certificate
Where can't the broker find the certificate? In the keystore or in the request?
I've also created an IIB consumer flow that sends the request to the provider flow and I get the exact same message.
Any ideas?
Can you show us the configuration you did for the keystore / truststore?
Do you have the caller's cert in the truststore?
_________________ MQ & Broker admin
njacobsen
Posted: Fri Mar 18, 2016 5:56 am Post subject: Re: WS-Security exception: Broker can't find the certificate
Newbie, Joined: 18 Mar 2016, Posts: 5
fjb_saper wrote:
njacobsen wrote:
The keystore is properly configured and contains the X.509 certificate.
Whenever I send a signed request using SoapUI, I get the below error from IIB:
ImbX509ConsumeLoginModule: Broker can't find the certificate
Where can't the broker find the certificate? In the keystore or in the request?
I've also created an IIB consumer flow that sends the request to the provider flow and I get the exact same message.
Any ideas?
Can you show us the configuration you did for the keystore / truststore?
Do you have the caller's cert in the truststore?
I only have one JKS keystore. I use it as both the broker's keystore and truststore. It's also this keystore I use in SoapUI for generating the signature.
The keystore contains a self-signed certificate whose key I specified in the policy set bindings.
fjb_saper
Posted: Fri Mar 18, 2016 6:23 am Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
What commands did you run to notify IIB of the keystore / truststore?
_________________ MQ & Broker admin
njacobsen
Posted: Tue Mar 22, 2016 2:07 am Post subject:
Newbie, Joined: 18 Mar 2016, Posts: 5
fjb_saper wrote:
What commands did you run to notify IIB of the keystore / truststore?
Code:
mqsichangeproperties IB9NODE -e default -o ComIbmJVMManager -n keystoreFile -v c:\workspaces\iibkeystore.jks
mqsichangeproperties IB9NODE -e default -o ComIbmJVMManager -n truststoreFile -v c:\workspaces\iibkeystore.jks
mqsichangeproperties IB9NODE -e default -o ComIbmJVMManager -n keystorePass -v default::keystorePass
mqsichangeproperties IB9NODE -e default -o ComIbmJVMManager -n truststorePass -v default::truststorePass
mqsisetdbparms IB9NODE -n default::keystorePass -u dummy -p password
mqsisetdbparms IB9NODE -n default::truststorePass -u dummy -p password
mqsistop IB9NODE
mqsistart IB9NODE
fjb_saper
Posted: Tue Mar 22, 2016 4:33 am Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
Read carefully about the policy parts for your setup.
It is possible that you got those wrong. I managed to set up signature and encryption of the body on a SOAP Request node linked to a SOAP Input - SOAP Reply and all worked as expected. But it will take you some time to understand what you need to do in the policy, how to switch between server and client roles, and how to configure it all.
To find out whether the broker really uses the jks store you intended it to:
- Make sure the broker's service id (or the id running the integration server/execution group) has full access to the keystore/truststore
- run with flag -Djavax.net.debug="true" and check the output. It should state exactly which keystore/truststore is being used, and it might not be the one you configured or intended, but it should show the attempt to use the one that's configured and why it failed to do so and which key/trust store it did revert to as a default...
Have fun
_________________ MQ & Broker admin
njacobsen
Posted: Tue Apr 12, 2016 12:36 am Post subject:
Newbie, Joined: 18 Mar 2016, Posts: 5
The labs helped us find a solution for the problem. We were signing 2 message parts: the body and the timestamp. It turns out that the broker expects 2 signatures in this case.
We removed the timestamp from our policy set and then it worked...
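An added diagnostic, not from this thread and not IBM or IIB code, that helps answer the two questions the thread raises: whether the signer's certificate is carried inside the request (as a BinarySecurityToken) or has to be found in the receiver's truststore, and how many ds:Signature elements cover each signed part such as the Timestamp. It uses only the Python standard library on a constructed sample envelope, inspects structure only and performs no signature verification; the namespace URIs are the standard WS-Security 1.0 ones.

```python
import xml.etree.ElementTree as ET

# Standard WS-Security 1.0 / XML-DSig namespace URIs (not taken from the thread)
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def describe_signatures(envelope_xml):
    """For each ds:Signature, return the parts it covers (by element local name)
    and whether the signer's certificate travels in the request or must be
    resolved from the receiver's truststore. Structure only: no crypto here."""
    root = ET.fromstring(envelope_xml)
    # map every wsu:Id in the message to the local name of the element carrying it
    ids = {el.get(WSU_ID): el.tag.split("}")[-1] for el in root.iter() if el.get(WSU_ID)}
    bst_ids = {el.get(WSU_ID) for el in root.iter("{%s}BinarySecurityToken" % NS["wsse"])}
    report = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        refs = sig.iterfind("ds:SignedInfo/ds:Reference", NS)
        covers = [ids.get(r.get("URI", "").lstrip("#"), "?") for r in refs]
        str_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        if str_ref is not None and str_ref.get("URI", "").lstrip("#") in bst_ids:
            cert_source = "request"     # certificate embedded as a BinarySecurityToken
        else:
            cert_source = "truststore"  # KeyIdentifier / IssuerSerial: receiver must hold the cert
        report.append({"covers": covers, "cert_source": cert_source})
    return report

def signatures_over(report, part):
    """Number of signatures that cover a given part, e.g. 'Timestamp' or 'Body'."""
    return sum(1 for s in report if part in s["covers"])

# Constructed sample: one signature over Body and Timestamp, certificate carried inline.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
 <soap:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="cert">Y29uc3RydWN0ZWQ=</wsse:BinarySecurityToken>
  <wsu:Timestamp wsu:Id="ts"><wsu:Created>2016-03-18T02:34:00Z</wsu:Created></wsu:Timestamp>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/><ds:Reference URI="#ts"/></ds:SignedInfo>
   <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#cert"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body"><ping/></soap:Body>
</soap:Envelope>""" % NS

if __name__ == "__main__":
    for s in describe_signatures(SAMPLE):
        print("signature covers %s, certificate from %s" % (s["covers"], s["cert_source"]))
```

Point it at a request captured from SoapUI (or a trace of the consumer flow's output) to see whether the broker is being asked to find the certificate in the message or in its truststore, and how the signed parts are split across signatures.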