SOAP Request WSS Response signature verification issue
Zohan
Posted: Thu Nov 01, 2018 5:05 pm    Post subject: SOAP Request WSS Response signature verification issue

Newbie

Joined: 03 Aug 2015
Posts: 4
Location: Netherlands

Hi,

We are using IIB10 (Fixpack capability level = 10.0.0.12 (effective level 10.0.0.7)). For one of the scenarios, we have to enable WS-Security using X.509 token and certain parts of the request are to be signed.

Request is validated by the back-end successfully. However, I am getting the following error for the response on the Soap Request Node.

- signature method is not valid.

I will post the rest of the details in the next post, as I cannot provide links, this being my first post.

Many Thanks!
Zohan
Posted: Thu Nov 01, 2018 5:06 pm    Post subject: Cont: SOAP Request WSS Response signature verification issue

Newbie

Joined: 03 Aug 2015
Posts: 4
Location: Netherlands

I am getting the following error for the response on the Soap Request Node -

CWWSS5358E: The http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 signature method is not valid.

As per our back-end, we have to follow the below standards for Request -

The following algorithms are used for signing. These should therefore be correctly applied in the CanonicalizationMethod, SignatureMethod and DigestMethod (Transforms) in the message:

• Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
• Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" or "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

For the response, we have the following standard -

Response messages from the service are digitally signed. As a recipient you must take into account in the development of your application that only the following algorithms are used in the response message:
• Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
• Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

According to this article -
https://www.ibm.com/support/knowledgecenter/en/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ac56070_.htm

the supported Digest for Signature Algorithms is only SHA1 with URI - http://www.w3.org/2000/09/xmldsig#sha1 for IIB10 v10.0.0.12.

Please let me know if you want me to specify the details of my Policy Set and Policy Set Binding here as well. (To keep the post short I opted not to mention those as of now.)

Kindly suggest if there is any resolution for this or we have to raise a PMR and upgrade the Product to support SHA256.

Similar issue was identified for WAS it seems (http://www-01.ibm.com/support/docview.wss?uid=swg21978836)

Many Thanks!
Zohan
Posted: Wed Nov 07, 2018 2:53 am    Post subject: Cont: SOAP Request WSS Response signature verification issue

Newbie

Joined: 03 Aug 2015
Posts: 4
Location: Netherlands

Update: As a workaround I have removed the response signature verification and got it working.

I have a support case with IBM as well to analyze the issue. However, I am of the understanding now that IIB v10 doesn't support RSASHA256.

Feel free to correct me if I am wrong!

Many Thanks!
_________________
May the Force be with you!
abhi_thri
Posted: Wed Nov 07, 2018 4:06 am

Knight

Joined: 17 Jul 2017
Posts: 516
Location: UK

Hi Zohan... just want to check why you are keeping the effective level still at 10.0.0.7 and not at 10.0.0.12? This means your node is effectively running at fix pack 10.0.0.7 capability level, so you are missing out on APARs/features introduced between 10.0.0.8-10.0.0.12.
Zohan
Posted: Tue Nov 13, 2018 8:33 am

Newbie

Joined: 03 Aug 2015
Posts: 4
Location: Netherlands

@abhi_thri,

I have requested for an update. Meanwhile, I have received a response on my support request and have been asked to implement the following -

>>>
Ws-Security engine has the below property; including it in the policy binding will give the desired result that customer is looking for.

<securitybinding:properties value="rsa-sha256" name="com.ibm.ws.wssecurity.dsig.SignatureAlgorithm"/>

Our policy editor doesn't have an option to include the above property in the policy binding, so the user will have to do it manually. Following are the instructions to add this property manually in the policy xml file
<<<

I will try this and update the results here as well!

Many Thanks!
_________________
May the Force be with you!
huwgb
Posted: Wed Mar 20, 2019 7:23 pm

Novice

Joined: 07 May 2013
Posts: 21

I can confirm that this method worked for me in Broker 8 Fix Pack 6 (I know, out of support and all, try explaining that to the powers that be).

I added the
Code:
<securitybinding:properties value="rsa-sha256" name="com.ibm.ws.wssecurity.dsig.SignatureAlgorithm"/>

line to the PolicySetBinding directly as the last child of the <securitybinding:signingInfo> element (occurs in both inbound and outbound config).

I changed the PolicySet CipherSuite to Basic256Sha256Rsa15 and restarted the relevant execution group and it just worked.

Note: changing the policyset or bindings via MQ Explorer undid the changes.
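
Added example (not part of the post above, and not IBM's instructions): one way to script the manual edit described there, appending the property as the last child of every signingInfo element in a policy set binding XML. The sample binding is constructed; its namespace URI and wrapper element names are placeholders, and exporting or re-importing the binding is not shown.

```python
import io
import xml.etree.ElementTree as ET

PROP_NAME = "com.ibm.ws.wssecurity.dsig.SignatureAlgorithm"
PROP_VALUE = "rsa-sha256"

# Constructed sample binding: the namespace URI and the inbound/outbound
# wrapper element names are placeholders, not taken from a real export.
SAMPLE_BINDING = """\
<securitybinding:bindings xmlns:securitybinding="urn:example:placeholder">
  <securitybinding:inbound>
    <securitybinding:signingInfo name="verify-response">
      <securitybinding:part ref="body"/>
    </securitybinding:signingInfo>
  </securitybinding:inbound>
  <securitybinding:outbound>
    <securitybinding:signingInfo name="sign-request"/>
  </securitybinding:outbound>
</securitybinding:bindings>"""


def add_signature_algorithm(xml_text):
    """Return (patched_xml, count of signingInfo elements that were changed)."""
    # Re-register the document's own prefixes so the output keeps them.
    source = io.BytesIO(xml_text.encode("utf-8"))
    for _, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        ET.register_namespace(prefix, uri)
    root = ET.fromstring(xml_text)
    changed = 0
    for elem in list(root.iter()):
        local = elem.tag.rsplit("}", 1)[-1]
        if local != "signingInfo":
            continue
        ns = elem.tag[: len(elem.tag) - len(local)]  # the element's own namespace
        existing = [c for c in elem
                    if c.tag == ns + "properties" and c.get("name") == PROP_NAME]
        if (len(existing) == 1 and existing[0] is elem[-1]
                and existing[0].get("value") == PROP_VALUE):
            continue  # already the last child with the right value
        for stale in existing:
            elem.remove(stale)
        ET.SubElement(elem, ns + "properties",
                      {"value": PROP_VALUE, "name": PROP_NAME})
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    patched, count = add_signature_algorithm(SAMPLE_BINDING)
    print(f"patched {count} signingInfo element(s)")
    print(patched)
```

The function is idempotent, so it can be re-run on a binding after an MQ Explorer change has undone the manual edit, as the note above warns.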
vishysblue
Posted: Fri Apr 05, 2019 5:27 am

Newbie

Joined: 12 Sep 2017
Posts: 5

Hi Zohan,

Can you please provide the instructions for manually adding the property to enable rsa-sha256 in the policy set binding xml file?

I have been struggling with this issue for a while now.

Thanks.

Viswa