ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » WS-Security with X.509 Certificates in IBM Integration Bus

Post new topic  Reply to topic
 WS-Security with X.509 Certificates in IBM Integration Bus « View previous topic :: View next topic » 
Author Message
junaid
PostPosted: Wed Dec 11, 2019 10:07 pm    Post subject: WS-Security with X.509 Certificates in IBM Integration Bus Reply with quote

Acolyte

Joined: 29 Nov 2018
Posts: 58

Hi,
I am following steps from following link https://developer.ibm.com/integration/blog/2017/11/22/message-part-integrity-confidentiality-using-ws-security-x-509-certificates-ibm-integration-bus-v10/ . Every step done but at the end when deploying bar file getting following exception.
Quote:
BIP2087E: Integration node 'TESTNODE_JAhmed.11445' was unable to process the internal configuration message.

The entire internal configuration message failed to be processed successfully.

Use the messages following this message to determine the reasons for the failure. If the problem cannot be resolved after reviewing these messages, contact your IBM Support center. Enabling service trace may help determine the cause of the failure.

BIP4041E: Integration server 'default' received an administration request that encountered an exception.

While attempting to process an administration request, an exception was encountered. No updates have been made to the configuration of the integration server.

Review related error messages to determine why the administration request failed.

BIP3726E: Failed to setup SOAP transport for node SOAP Input.

The SOAP nodes rely on the configuration of the SOAP transport layer within the integration node, and this has not been initialised correctly. The node will not be operational until the problems have been corrected.

Determine the cause of the error and correct it. Subsequent error messages may contain more information.

BIP3728E: Configuration of WS-Security layer using policy set 'WSSecTestProviderPolicySet' and policy set binding 'WSSecTestProviderPolicySetBinding' failed.

WS-Security configuration requires correctly initialised policy set and policy set binding information in order to succeed. An error has occurred whilst attempting to use policy set 'WSSecTestProviderPolicySet' and policy set binding 'WSSecTestProviderPolicySetBinding'. Common causes are:
1: Either the policy set name or policy set binding name is missing from the node (or flow) configuration.
2: If X.509 tokens are being used, including implicit usage such as signing or encryption, the keystore and/or truststore is not be set correctly.
However, this may be an internal error, possibly due to a faulty installation. A review of the exception text may indicate a solution.

Determine the cause of the error and correct it. Subsequent error messages may contain more information.

BIP3727E: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5375E: The key information configuration has a null type. The current key information configuration string representation is com.ibm.ws.wssecurity.confimpl.PrivateGeneratorConfig$KeyInfoContentGeneratorConfImpl(className=[com.ibm.ws.wssecurity.wssapi.CommonContentGenerator], keyInfoType=[null], keyName=[gen_WSSTestX509EncryptToken_encWSSTestX509Encrypt_keyinfo], tokenGenerator=[com.ibm.ws.wssecurity.confimpl.PrivateGeneratorConfig$TokenGeneratorConfImpl(className=[com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator], type=[http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3], standAlone=[false], jaasConfig=[system.wss.generate.x509], jaasConfigProperties=[{}], userDefinedComponentsUsed=[false], callbackHandler=[com.ibm.ws.wssecurity.confimpl.PrivateCommonConfig$CallbackHandlerConfImpl(className=[com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler], keyStore=[com.ibm... (data of len 1625 truncated)

The SOAP nodes are built on top of the integration node WS-Security layer, and this layer has returned a configuration exception, the text of which is included in the message.

Determine the cause of the error and correct it. Subsequent error messages may contain more information.

BIP3701E: A Java exception was thrown whilst calling the Java JNI method 'Axis2NodeRegistrationUtil_registerInputNode'. The Java exception was 'BIP3726E: com.ibm.broker.axis2.MbSoapException: Failed to setup Axis2'. The Java stack trace was 'Frame : 0 com.ibm.broker.axis2.MbSoapException: Failed to setup Axis2
'.

Correct the error, and if necessary redeploy the flow.



I found in message part policy that Key Information Trust is selected to NA (It can not be selected after finishing policies) . I don't know the issue is due to this , there may be any other cause, may be toolkit error. Kindly provide me suggestion and solution on this

Regards,
Junaid
Back to top
View user's profile Send private message
abhi_thri
PostPosted: Thu Dec 12, 2019 1:30 am    Post subject: Re: WS-Security with X.509 Certificates in IBM Integration B Reply with quote

Knight

Joined: 17 Jul 2017
Posts: 516
Location: UK

junaid wrote:

I found in message part policy that Key Information Trust is selected to NA (It can not be selected after finishing policies) . I don't know the issue is due to this


hi...the error do suggests the same that the key info config is set as null, once that is set things should progress

Quote:
CWWSS5375E: The key information configuration has a null type. The current key information configuration string representation is com.ibm.ws.wssecurity.confimpl.PrivateGeneratorConfig$KeyInfoContentGeneratorConfImpl(className=[com.ibm.ws.wssecurity.wssapi.CommonContentGenerator], keyInfoType=[null]
Back to top
View user's profile Send private message
junaid
PostPosted: Thu Dec 12, 2019 4:28 am    Post subject: Re: WS-Security with X.509 Certificates in IBM Integration Reply with quote

Acolyte

Joined: 29 Nov 2018
Posts: 58

I have changed the server and configured the same steps. Now Exception is changed on deployment of bar file. Can you plz guide me why this exception is coming .

Quote:

BIP2087E: Integration node 'SBBROK' was unable to process the internal configuration message.

The entire internal configuration message failed to be processed successfully.

Use the messages following this message to determine the reasons for the failure. If the problem cannot be resolved after reviewing these messages, contact your IBM Support center. Enabling service trace may help determine the cause of the failure.

BIP4041E: Integration server 'default' received an administration request that encountered an exception.

While attempting to process an administration request, an exception was encountered. No updates have been made to the configuration of the integration server.

Review related error messages to determine why the administration request failed.

BIP3726E: Failed to setup SOAP transport for node SOAP Request.

The SOAP nodes rely on the configuration of the SOAP transport layer within the integration node, and this has not been initialised correctly. The node will not be operational until the problems have been corrected.

Determine the cause of the error and correct it. Subsequent error messages may contain more information.

BIP3728E: Configuration of WS-Security layer using policy set 'WSSecTestConsumerPolicySet' and policy set binding 'WSSecTestConsumerPolicySetBinding' failed.

WS-Security configuration requires correctly initialised policy set and policy set binding information in order to succeed. An error has occurred whilst attempting to use policy set 'WSSecTestConsumerPolicySet' and policy set binding 'WSSecTestConsumerPolicySetBinding'. Common causes are:
1: Either the policy set name or policy set binding name is missing from the node (or flow) configuration.
2: If X.509 tokens are being used, including implicit usage such as signing or encryption, the keystore and/or truststore is not be set correctly.
However, this may be an internal error, possibly due to a faulty installation. A review of the exception text may indicate a solution.

Determine the cause of the error and correct it. Subsequent error messages may contain more information.

BIP3701E: A Java exception was thrown whilst calling the Java JNI method 'method_com_ibm_broker_axis2_Axis2NodeRegistrationUtil_registerSyncRequestNode'. The Java exception was 'BIP3726E: com.ibm.broker.axis2.MbSoapException: Failed to setup Axis2'. The Java stack trace was 'Frame : 0 com.ibm.broker.axis2.MbSoapException: Failed to setup Axis2| @: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.<init>(Axis2NodeRegistered.java:369)| @: com.ibm.broker.axis2.Axis2NodeRegistered.<init>(Axis2NodeRegistered.java:163)| @: com.ibm.broker.axis2.Axis2EngineManager.registerNode(Axis2EngineManager.java:91)| @: com.ibm.broker.axis2.Axis2NodeRegistrationUtil.registerSyncRequestNode(Axis2NodeRegistrationUtil.java:356)|Frame : 1 com.ibm.broker.axis2.MbSoapException: Configuration using PS and binding failed| @: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.setupSOAPPipeline(Axis2NodeRegistered.java:959)| @: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.<init>(Axis2NodeRegistered.java:322)| @: com.ibm.broker.axis2.Axis2NodeRegistered.<init>(Axis2NodeRegistered.java:163)| @: com.ibm.broker.axis2.Axis2EngineManager.registerNode(Axis2EngineManager.java:91)| @: com.ibm.broker.axis2.Axis2NodeRegistrationUtil.registerSyncRequestNode(Axis2NodeRegistrationUtil.java... (data of len 3694 truncated)'.

Correct the error, and if necessary redeploy the flow.

BIP2871I: The request made by user 'iibAdmins[admin]' to 'deploy' the resource 'D:/IBM/IIBT10/workspaceLocal/BARfiles/aaaa.bar' of type 'BAR' on parent 'default' of type 'ExecutionGroup' has the status of 'FAILED'.


Back to top
View user's profile Send private message
abhi_thri
PostPosted: Thu Dec 12, 2019 5:19 am    Post subject: Reply with quote

Knight

Joined: 17 Jul 2017
Posts: 516
Location: UK

hi...check the full java error stack trace to see whether you are getting the same errors as others
Quote:
javax.xml.bind.UnmarshalException: An invalid XML character (Unicode: 0x19) was found in the element content of the document


If so please follow the suggestions listed at the comment sections of the same article
Back to top
View user's profile Send private message
junaid
PostPosted: Thu Dec 12, 2019 5:55 am    Post subject: WS-Security with X.509 Certificates in IIB Reply with quote

Acolyte

Joined: 29 Nov 2018
Posts: 58

HI, Thanks for reply. BAR file has been deployed successfully. Now the SOAP fault is coming .
Quote:

Error sending request to http "http://10.0.0.1:7800/WSSecurityTest"
<SOAP_Domain_Msg xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><Context operation="NewOperation" operationType="UNKNOWN" portType="WSSecTestService" portTypeNamespace="http://perf.ib.ibm.com/WSSecTestService/" port="WSSecTestServiceSOAP" service="WSSecTestService" fileName="WSSecTestService.wsdl"><SOAP_Version>1.1</SOAP_Version><Namespace xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"/><_XmlDeclaration Version="1.0" Encoding="utf-8"/></Context><Header/><Body><axis2ns4:Fault xmlns:axis2ns4="http://schemas.xmlsoap.org/soap/envelope/"><faultcode>axis2ns4:Server.securityException</faultcode><faultstring>CWWSS5680E: Tranforming the XPath expression *MQSIALIASuser_partALIASMQSI* produced the following exception: Error occured in an XPath transform: org.jaxen.XPathSyntaxException: Unexpected &apos;MQSIALIASuser_partALIASMQSI&apos;: com.ibm.ws.wssecurity.xml.xss4j.dsig.TransformException: Error occured in an XPath transform: org.jaxen.XPathSyntaxException: Unexpected &apos;MQSIALIASuser_partALIASMQSI&apos;</faultstring><detail><Exception>org.apache.axis2.AxisFault: CWWSS5680E: Tranforming the XPath expression *MQSIALIASuser_partALIASMQSI* produced the following exception: Error occured in an XPath transform: org.jaxen.XPathSyntaxException: Unexpected &apos;MQSIALIASuser_partALIASMQSI&apos;: com.ibm.ws.wssecurity.xml.xss4j.dsig.TransformException: Error occured in an XPath transform: org.jaxen.XPathSyntaxException: Unexpected &apos;MQSIALIASuser_partALIASMQSI&apos;
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:131)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler._invoke(WSSecurityConsumerHandler.java:537)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.invoke(WSSecurityConsumerHandler.java:236)
at org.apache.axis2.handlers.AbstractHandler.invoke_stage2(AbstractHandler.java:133)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:343)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:372)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:199)
at com.ibm.broker.axis2.Axis2Invoker.processInboundRequest(Axis2Invoker.java:3607)
at com.ibm.broker.axis2.Axis2Invoker.invokeAxis2(Axis2Invoker.java:3149)
at com.ibm.broker.axis2.TomcatNodeRegistrationUtil.invokeAxis2(TomcatNodeRegistrationUtil.java:664)
at com.ibm.broker.axis2.TomcatNodeRegistrationUtil.invokeAxis2(TomcatNodeRegistrationUtil.java:610)
Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5680E: Tranforming the XPath expression *MQSIALIASuser_partALIASMQSI* produced the following exception: Error occured in an XPath transform: org.jaxen.XPathSyntaxException: Unexpected &apos;MQSIALIASuser_partALIASMQSI&apos;: com.ibm.ws.wssecurity.xml.xss4j.dsig.TransformException: Error occured in an XPath transform: org.jaxen.XPathSyntaxException: Unexpected &apos;MQSIALIASuser_partALIASMQSI&apos;
at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:115)
at com.ibm.ws.wssecurity.util.XPathElementSelector.getElements(XPathElementSelector.java:229)
at com.ibm.ws.wssecurity.dsig.SignatureGenerator.getMessagePart(SignatureGenerator.java:918)
at com.ibm.ws.wssecurity.dsig.VerifiedPartChecker.preprocess(VerifiedPartChecker.java:395)
at com.ibm.ws.wssecurity.dsig.VerifiedPartChecker.invoke(VerifiedPartChecker.java:207)
at com.ibm.ws.wssecurity.core.WSSConsumer.checkRequiredIntegrity(WSSConsumer.java:3080)
at com.ibm.ws.wssecurity.core.WSSConsumer.invoke(WSSConsumer.java:1108)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:110)
... 11 more
Caused by: com.ibm.ws.wssecurity.xml.xss4j.dsig.TransformException: Error occured in an XPath transform: org.jaxen.XPathSyntaxException: Unexpected &apos;MQSIALIASuser_partALIASMQSI&apos;
at com.ibm.ws.wssecurity.xml.xss4j.dsig.transform.XPathTransformer.transform(XPathTransformer.java:143)
at com.ibm.ws.wssecurity.util.XPathElementSelector.getElements(XPathElementSelector.java:222)
... 17 more
</Exception></detail></axis2ns4:Fault></Body></SOAP_Domain_Msg>
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Thu Dec 12, 2019 11:14 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Looks like a bad xml to me where some chars need to be escaped?
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
junaid
PostPosted: Thu Dec 12, 2019 9:10 pm    Post subject: WS-Security with X.509 Certificates in IIB Reply with quote

Acolyte

Joined: 29 Nov 2018
Posts: 58

Hi, Thanks for replying.
Done there was problem with XPath in WS-Extension in SOAP Input of provider corrected it and now it is working. Consumer and provider are deployed and Happy flow is running.
1. Seen certificate in provider properties .
<IdentitySourceType>X.509</IdentitySourceType>
<IdentitySourceToken>0�0���A���0
 *�H��
 \x000A1 0 UGB1 0
U
IBM10 U MQESB10U Geza Geleji0
191212101805Z
391212101805Z0A1 0 UGB1 0
U
IBM10 U MQESB10U Geza Geleji0��0
 *�H��
\x00��\x000����\x00��D��D�qK6�y�����x�N�e��<a�
a�6<�
��
���9<#&\QÔ»3���Øž,�c�۠��VK S�4�O^�)Ⱦ�XLڼ�g:lP�\7�m�%V?i��祖�.��F5<�V�t�p4�D�</IdentitySourceToken>
<IdentitySourcePassword/>
<IdentitySourceIssuedBy>CN=Geza Geleji, OU=MQESB, O=IBM, C=GB</IdentitySourceIssuedBy>

2. I am unable to understand, how to compare consumer-certificate with provider.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » WS-Security with X.509 Certificates in IBM Integration Bus
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.