Message signing and encrypting failure
kiruthigeshwar
Posted: Mon Nov 26, 2012 12:33 am    Post subject: Message signing and encrypting failure

Hi All,
I defined the keystore and certificate files. I also defined a policy set and policy binding for a broker. This is a SOAP service which runs on the local system. I am accessing the service locally.

In the policy set I've used message-level protection alone, using X.509 Version 3. When I hit the service I get the following exception.
Quote:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<soapenv:Fault xmlns:axis2ns6="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>axis2ns6:FailedCheck</faultcode>
<faultstring>CWWSS5720E: A required message part [body] is not signed.</faultstring>
<detail>
<Exception>org.apache.axis2.AxisFault: CWWSS5720E: A required message part [body] is not signed.; nested exception is:
com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5720E: A required message part [body] is not signed.
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:385)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:135)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.invoke(WSSecurityConsumerHandler.java:455)
at org.apache.axis2.engine.Phase.invoke(Phase.java:379)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:328)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:245)
at com.ibm.broker.axis2.Axis2Invoker.processInboundRequest(Axis2Invoker.java:2091)
at com.ibm.broker.axis2.Axis2Invoker.invokeAxis2OverHTTP(Axis2Invoker.java:1729)
at com.ibm.broker.axis2.TomcatNodeRegistrationUtil.invokeAXIS2(TomcatNodeRegistrationUtil.java:302)
Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5720E: A required message part [body] is not signed.
at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:149)
at com.ibm.ws.wssecurity.dsig.VerifiedPartChecker.invoke(VerifiedPartChecker.java:300)
at com.ibm.ws.wssecurity.core.WSSConsumer.checkRequiredIntegrity(WSSConsumer.java:2252)
at com.ibm.ws.wssecurity.core.WSSConsumer.invoke(WSSConsumer.java:971)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:106)
... 7 more</Exception>
</detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>

And the URL I referred to is http://www.ibm.com/developerworks/websphere/library/techarticles/1008_fan/1008_fan.html.
Please help with this. Should we have to encrypt the message we send,

lancelotlinc
Posted: Mon Nov 26, 2012 5:55 am    Post subject: Re: Message signing and encrypting failure

kiruthigeshwar wrote:
Should we have to encrypt the message we send,


You might. But the error says that a part of the message is not SIGNED. This is not the same as ENCRYPTED.

BTW - the link you provided does not work (for me).
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER

kiruthigeshwar
Posted: Mon Nov 26, 2012 6:10 am    Post subject: Re: Message signing and encrypting failure

lancelotlinc wrote:
kiruthigeshwar wrote:
Should we have to encrypt the message we send,


You might. But the error says that a part of the message is not SIGNED. This is not the same as ENCRYPTED.

BTW - the link you provided does not work (for me).


Sorry, remove the dot (.) at the end, after "html".

lancelotlinc
Posted: Mon Nov 26, 2012 6:12 am

Ok, the link works now.

When you run this, what is the output?

Quote:
mqsireportproperties MB7BROKER -c PolicySetBindings -o PSB1_Provider -r

_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER

kiruthigeshwar
Posted: Mon Nov 26, 2012 11:00 pm

lancelotlinc wrote:
Ok, the link works now.

When you run this, what is the output?

Quote:
mqsireportproperties MB7BROKER -c PolicySetBindings -o PSB1_Provider -r

Below are the responses for the policy set and policy binding.

Quote:
C:\Program Files\IBM\MQSI\6.1>mqsireportproperties MBV6BROKER -c PolicySets -o PS1 -r

ReportableEntityName=''
PolicySets
PS1=''
config=''
ws-security='<?xml version="1.0" encoding="UTF-8"?>
<policy:Policy xmlns:_0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:_200512="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512" xmlns:policy="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <_200512:AsymmetricBinding>
    <policy:Policy>
      <_200512:InitiatorToken>
        <policy:Policy>
          <_200512:X509Token _200512:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToInitiator">
            <policy:Policy Name="initToken">
              <_200512:WssX509V3Token10/>
            </policy:Policy>
          </_200512:X509Token>
          <_200512:X509Token _200512:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToInitiator">
            <policy:Policy Name="recipToken">
              <_200512:WssX509V3Token10/>
            </policy:Policy>
          </_200512:X509Token>
        </policy:Policy>
      </_200512:InitiatorToken>
      <_200512:AlgorithmSuite>
        <policy:Policy>
          <_200512:Basic128Rsa15/>
        </policy:Policy>
      </_200512:AlgorithmSuite>
      <_200512:Layout>
        <policy:Policy>
          <_200512:Lax/>
        </policy:Policy>
      </_200512:Layout>
    </policy:Policy>
  </_200512:AsymmetricBinding>
  <policy:Policy _0:Id="response:message_signature">
    <_200512:SignedElements>
      <_200512:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']</_200512:XPath>
      <_200512:XPath>/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']</_200512:XPath>
    </_200512:SignedElements>
    <_200512:SignedParts>
      <_200512:Body/>
      <_200512:Header Namespace="http://www.w3.org/2005/08"/>
      <_200512:Header Namespace="http://www.w3.org/2002/ws/addr/ns/ws-addr"/>
    </_200512:SignedParts>
  </policy:Policy>
  <policy:Policy _0:Id="response:message_encrypt">
    <_200512:EncryptedParts>
      <_200512:Body/>
    </_200512:EncryptedParts>
    <_200512:EncryptedElements>
      <_200512:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='Signature']</_200512:XPath>
      <_200512:XPath>/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='Signature']</_200512:XPath>
    </_200512:EncryptedElements>
  </policy:Policy>
</policy:Policy>
'

BIP8071I: Successful command completion.

Quote:
C:\Program Files\IBM\MQSI\6.1>mqsireportproperties MBV6BROKER -c PolicySetBindings -o PS1_Bindings -r

ReportableEntityName=''
PolicySetBindings
PS1_Bindings=''
associatedPolicySet='PS1'
config=''
ws-security='<?xml version="1.0" encoding="UTF-8"?>
<securitybinding:securityBindings xmlns:securitybinding="http://www.ibm.com/xmlns/prod/websphere/200608/ws-securitybinding">
  <securitybinding:securityBinding name="application">
    <securitybinding:securityOutboundBindingConfig>
      <securitybinding:signingInfo name="gen_message_signature" order="1">
        <securitybinding:signingKeyInfo reference="gen_recipToken_signmessage_signature_keyinfo"/>
        <securitybinding:signingPartReference reference="response:message_signature">
          <securitybinding:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </securitybinding:signingPartReference>
      </securitybinding:signingInfo>
      <securitybinding:encryptionInfo name="gen_message_encrypt" order="1">
        <securitybinding:keyEncryptionKeyInfo reference="gen_initToken_encmessage_encrypt_keyinfo"/>
        <securitybinding:encryptionPartReference reference="response:message_encrypt"/>
      </securitybinding:encryptionInfo>
      <securitybinding:keyInfo classname="com.ibm.ws.wssecurity.wssapi.CommonContentGenerator" name="gen_recipToken_signmessage_signature_keyinfo" type="STRREF">
        <securitybinding:tokenReference reference="gen_responsemessage_signature"/>
      </securitybinding:keyInfo>
      <securitybinding:keyInfo classname="com.ibm.ws.wssecurity.wssapi.CommonContentGenerator" name="gen_initToken_encmessage_encrypt_keyinfo" type="KEYID">
        <securitybinding:tokenReference reference="gen_responsemessage_encrypt"/>
      </securitybinding:keyInfo>
      <securitybinding:tokenGenerator classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator" name="gen_responsemessage_signature">
        <securitybinding:valueType localName="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
        <securitybinding:jAASConfig configName="system.wss.generate.x509"/>
        <securitybinding:callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler">
          <securitybinding:keyStore path="*MQSIBROKERSTOREPATHMQSI*" storepass="*MQSIBROKERSTOREPWDMQSI*" type="JKS"/>
          <securitybinding:key alias="servercert" keypass="*MQSIBROKERSTOREKEYPASSservercertMQSI*" name="CN=ServerCert,OU=TTF,O=IBM,S=TN,C=US"/>
        </securitybinding:callbackHandler>
      </securitybinding:tokenGenerator>
      <securitybinding:tokenGenerator classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator" name="gen_responsemessage_encrypt">
        <securitybinding:valueType localName="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
        <securitybinding:jAASConfig configName="system.wss.generate.x509"/>
        <securitybinding:callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler">
          <securitybinding:keyStore path="*MQSIBROKERSTOREPATHMQSI*" storepass="*MQSIBROKERSTOREPWDMQSI*" type="JKS"/>
          <securitybinding:key alias="clientcert" name="CN=ClientCert,OU=TTF,O=IBM,S=TN,C=US"/>
        </securitybinding:callbackHandler>
      </securitybinding:tokenGenerator>
    </securitybinding:securityOutboundBindingConfig>
    <securitybinding:securityInboundBindingConfig/>
  </securitybinding:securityBinding>
</securitybinding:securityBindings>
'

BIP8071I: Successful command completion.

kiruthigeshwar
Posted: Mon Nov 26, 2012 11:43 pm

Hi All,
Thank you for your responses. Sorry, I don't know where I made the mistake. It should be in the creation of key values in the policy set binding. I tried it again from scratch. It worked!!!!!!!!

lancelotlinc
Posted: Tue Nov 27, 2012 6:11 am

V6 is end of life. You should upgrade.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER

kiruthigeshwar
Posted: Tue Nov 27, 2012 9:14 pm

lancelotlinc wrote:
V6 is end of life. You should upgrade.

Sure. We will migrate shortly.

rekarm01
Posted: Wed Nov 28, 2012 12:23 am

lancelotlinc wrote:
V6 is end of life. You should upgrade.

More precisely, v6.0 is end of life. v6.1 is not.

steveman
Posted: Mon May 06, 2013 12:08 am

I cannot get photoshop because I don't have the money. I'm a teen and my parents won't pay for it so is there another way to make digital signatures on photos ~without~ Photoshop?

__________
electronic signature software

smdavies99
Posted: Mon May 06, 2013 2:07 am

To Admins,

Can someone please lock/delete this 'steveman' user.

Thanks
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.