MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Using Policy Set Bindings to implement WS-SECURITY
PEPERO
PostPosted: Sat Jan 04, 2014 10:50 pm    Post subject: Using Policy Set Bindings to implement WS-SECURITY
Hi all;
I've deployed a web service provider flow and activated the message part protection using a policy set and policy set binding.
I've prepared a server keystore (wmbkeystore.jks) and a client keystore (wmbclientkeystore.jks), each of which contains a keyEntry and a trustedCertEntry. For simplicity I've imported the public key certificates into the keystore.
In wmbkeystore.jks:

Alias name: wmbcert
Creation date: Jan 1, 2014
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=WMBServer, OU=ISSW, O=IBM, ST=Char, C=US
Issuer: CN=WMBServer, OU=ISSW, O=IBM, ST=Char, C=US
Serial number: 52c445a5
Valid from: 1/1/14 4:43 PM until: 1/1/15 4:43 PM
Certificate fingerprints:
MD5: 52:5B:8D:FE:41:5B:3B:C1:E3:E7:2C:04:FC:2D:11:F8
SHA1: 4A:26:6C:A7:BA:07:E0:59:C4:BC:D4:C1:65:B1:56:86:73:1C:80:A4

Alias name: wmbclientcert
Creation date: Jan 1, 2014
Entry type: trustedCertEntry
Owner: CN=WMBClient, OU=ISSW, O=IBM, ST=CHAR, C=US
Issuer: CN=WMBClient, OU=ISSW, O=IBM, ST=CHAR, C=US
Serial number: 62c546db
Valid from: 1/1/14 4:48 PM until: 1/1/15 4:48 PM
Certificate fingerprints:
MD5: F2:9F:90:61:CB:6B:DE:7E:7E:24:3C:02:86:90:CC:11
SHA1: 43:A7:FC:CB:D8:28:8C:7C:23:AD:D3:B4:C1:E5:CF:69:5A:E6:12:BA

When sending a message to the web service provider an error message is issued as follows:

The Application Server cannot retrieve the 'wmbclientcert' key from the '/u/broker/ssl/wmbkeystore.jks' keystore

Listing '/u/broker/ssl/wmbkeystore.jks' shows that 'wmbclientcert' resides as a trustedCertEntry in the keystore, and the keystore password was also double-checked to be the same as was set for keystorePass in the broker.
Please help me to resolve this problem.
fjb_saper
PostPosted: Tue Jan 07, 2014 5:45 am
The stores might be cached... Did you bounce the eg / broker?
MQ & Broker admin
PEPERO
PostPosted: Tue Jan 07, 2014 6:49 am
Yes but nothing was changed.
mqjeff
PostPosted: Tue Jan 07, 2014 6:59 am
So the complaint doesn't seem related to the broker?

It's complaining that the client can't find its keystore? Is the broker acting as the client and the server?
PEPERO
PostPosted: Tue Jan 07, 2014 7:09 am
The broker acts as the server and the client is an application outside the broker. The issued message shows that when the message broker is retrieving the public key of the client to encrypt the message, it couldn't.
fjb_saper
PostPosted: Tue Jan 07, 2014 8:12 am
you need to have the public key of the partner in the truststore.
The only key you should have in the keystore is the broker's key (private + public), or any other key needed to authenticate the broker on an outbound connection.
MQ & Broker admin
PEPERO
PostPosted: Tue Jan 07, 2014 8:23 am
fjb_saper wrote:
you need to have the public key of the partner in the truststore.

For simplicity it's accumulated in a single file, and the broker truststore file pointer points to the same file (/u/broker/ssl/wmbkeystore.jks).
PEPERO
PostPosted: Thu Feb 06, 2014 3:34 am
I've been confused, since I've double-checked everything that I guessed could cause the error. Only when I import the private key of the client into the server's keystore is the encrypted message correctly returned (!!!?) from the WMB web service provider to the client Windows application.
Esa
PostPosted: Thu Feb 06, 2014 3:57 am    Post subject: Re: Using Policy Set Bindings to implement WS-SECURITY
PEPERO wrote:
The Application Server cannot retrieve the 'wmbclientcert' key from the '/u/broker/ssl/wmbkeystore.jks' keystore

So the client is running on an application server, which tries to access the broker's keystore...

PEPERO wrote:
Only when I import the private key of the client into the server's keystore, the encrypted message is correctly returned back

Sounds logical if the client and server are using the same keystore.
PEPERO
PostPosted: Sat Feb 08, 2014 2:12 am
This is not the case. The web service provider resides on WMB v7.0.1 on an IBM zSeries mainframe server, and the client is an application running under the Windows OS.
On the other hand, if the client needs to use its private key from the same keystore file, the returned message would not have to be encrypted, because it needs the private key to decrypt the message; but it is encrypted.
mqjeff
PostPosted: Sat Feb 08, 2014 8:42 am
Are you trying to implement one-way authentication or two-way authentication?

Remember that there are two kinds of stores in question:
keystore - where an app holds its private key and any CA certs necessary for that key
truststore - where an app holds the CA certs or public keys of any entities that it trusts.

The client needs the broker's public key in the client's local truststore either way - or a CA cert from the CA that has signed the broker's public key.

If you are doing two-way, then you need the client's public key in the broker's truststore.
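The opening post checks two things by eye (the keystore password was "double checked", and `keytool` shows `wmbclientcert` as a trustedCertEntry), and mqjeff's reply above explains the keystore/truststore split those entry types encode. The following is an added example, not code from this thread, from WMB or from the JDK: a stdlib-only Python reader for the Sun JKS file format that verifies the SHA-1 integrity digest against the password (the same check `keytool -list` performs before printing anything, so a wrong keystorePass fails here rather than later in the runtime) and reports each alias as keyEntry or trustedCertEntry. The store it parses is constructed in the block with placeholder DER blobs rather than real certificates; the alias names follow the post, and the password `changeit`, the timestamps and the function names are assumptions for the demo.

```python
"""Offline check of a Sun JKS keystore (stdlib only): password and entry types."""
import hashlib
import struct
from dataclasses import dataclass, field

JKS_MAGIC = 0xFEEDFEED                      # JCEKS (0xCECECECE) and PKCS#12 are out of scope
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2
KEY_ENTRY, TRUSTED_CERT_ENTRY = "keyEntry", "trustedCertEntry"


@dataclass
class JksEntry:
    alias: str
    entry_type: str
    timestamp_ms: int
    certs: list = field(default_factory=list)   # [(cert type, DER bytes), ...]
    protected_key: bytes = b""                   # password-protected private key, keyEntry only


class JksError(ValueError):
    pass


def _pre_keyed_sha1(password: str):
    """SHA-1 seeded the way the JDK does it: password as UTF-16BE, then a fixed salt string."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    return h


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise JksError("truncated keystore")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self.take(8))[0]

    def utf(self) -> str:          # Java writeUTF: 2-byte length + modified UTF-8 (ASCII aliases here)
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")

    def blob(self) -> bytes:       # 4-byte length + bytes
        return self.take(self.u32())


def read_jks(data: bytes, password: str) -> dict:
    """Parse a JKS file into {alias: JksEntry}; raises JksError if the password is wrong."""
    body, stored_digest = data[:-20], data[-20:]
    h = _pre_keyed_sha1(password)
    h.update(body)                             # digest covers every byte before it, magic included
    if h.digest() != stored_digest:
        raise JksError("integrity check failed: wrong keystore password or modified file")
    r = _Reader(body)
    if r.u32() != JKS_MAGIC:
        raise JksError("not a JKS keystore")
    version = r.u32()
    if version not in (1, 2):                  # version 1 omits the certificate type field
        raise JksError(f"unsupported JKS version {version}")
    entries = {}
    for _ in range(r.u32()):
        tag, alias, ts = r.u32(), r.utf(), r.u64()
        if tag == TAG_PRIVATE_KEY:
            key = r.blob()
            chain = [(r.utf() if version == 2 else "X.509", r.blob()) for _ in range(r.u32())]
            entries[alias] = JksEntry(alias, KEY_ENTRY, ts, chain, key)
        elif tag == TAG_TRUSTED_CERT:
            cert = (r.utf() if version == 2 else "X.509", r.blob())
            entries[alias] = JksEntry(alias, TRUSTED_CERT_ENTRY, ts, [cert])
        else:
            raise JksError(f"unknown entry tag {tag} for alias {alias!r}")
    if r.pos != len(body):
        raise JksError("trailing bytes after the last entry")
    return entries


def check_binding_aliases(entries: dict, signing_alias: str, encryption_alias: str) -> dict:
    """Signing needs a private key; encrypting to the partner needs only its certificate."""
    s = entries.get(signing_alias.lower())     # the JDK stores aliases lower-cased
    p = entries.get(encryption_alias.lower())
    return {
        "signing_alias_has_private_key": s is not None and s.entry_type == KEY_ENTRY,
        "encryption_alias_has_certificate": p is not None and len(p.certs) > 0,
        "encryption_alias_type": None if p is None else p.entry_type,
    }


def write_jks(entries: list, password: str) -> bytes:
    """JDK layout, version 2; used here only to build the constructed sample store."""
    out = bytearray(struct.pack(">III", JKS_MAGIC, 2, len(entries)))
    utf = lambda s: out.extend(struct.pack(">H", len(s.encode())) + s.encode())
    blob = lambda b: out.extend(struct.pack(">I", len(b)) + b)
    for e in entries:
        tag = TAG_PRIVATE_KEY if e.entry_type == KEY_ENTRY else TAG_TRUSTED_CERT
        out.extend(struct.pack(">I", tag))
        utf(e.alias)
        out.extend(struct.pack(">Q", e.timestamp_ms))
        if tag == TAG_PRIVATE_KEY:
            blob(e.protected_key)
            out.extend(struct.pack(">I", len(e.certs)))
        for ctype, der in e.certs:
            utf(ctype)
            blob(der)
    h = _pre_keyed_sha1(password)
    h.update(out)
    return bytes(out) + h.digest()


def sample_store() -> bytes:
    """Constructed stand-in for wmbkeystore.jks; the DER blobs are placeholders, not real certificates."""
    return write_jks([
        JksEntry("wmbcert", KEY_ENTRY, 1388569380000, [("X.509", b"\x30\x03\x02\x01\x01")], b"\x30\x00"),
        JksEntry("wmbclientcert", TRUSTED_CERT_ENTRY, 1388569680000, [("X.509", b"\x30\x03\x02\x01\x02")]),
    ], "changeit")
```

Against a real file, call `read_jks(open(path, "rb").read(), keystore_password)` with the value configured as the broker's keystorePass; a mismatch fails the digest comparison before any entry is parsed, which settles the password question definitively. `check_binding_aliases` asks only that the signing alias be a keyEntry and that the encryption alias carry a certificate: a keyEntry holds its certificate chain next to the protected private key, so either entry type supplies the public certificate needed to encrypt to a partner, which is why the partner's private key should never be required on the provider side. The check rules out the two things verified by eye in the thread; it does not by itself explain the runtime error the thread reports.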
PEPERO
PostPosted: Sat Feb 08, 2014 9:32 am
In this scenario the web service provider tries to sign and encrypt the response message for the client. When I request only signing of the response message using the policy set binding, the message is signed, logically using the private key of the server; but when I request the server to encrypt the message, in which case it must normally refer to the keystore for the public key of the client for encryption, the server issues an error code of CWWSS5312E.
I've used a self-signed certificate and, for simplicity, I'm using a single file for keystore and truststore at the server.
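The key usage the post above describes (sign the response with the provider's private key, encrypt it for the client) modelled end to end, as an added example that is not code from this thread, from WMB or from WebSphere's WS-Security runtime. Textbook RSA over fixed Mersenne primes and a SHA-256 counter-mode keystream stand in for the XML-Signature and XML-Encryption algorithms a real policy set binding selects; the key sizes, the missing padding and the constructed primes make this a model of which key each side holds and uses, not production cryptography. All names in the block are assumptions for the demo.

```python
"""Toy model of sign-then-encrypt key usage for a WS-Security provider response."""
import hashlib
import secrets

E = 65537


def make_keypair(p: int, q: int) -> tuple:
    """(public, private) = ((n, e), (n, d)); textbook RSA, no padding (toy)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Fixed Mersenne primes keep the demo deterministic and offline (constructed key material).
SERVER_PUB, SERVER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)    # provider (WMB) key pair
CLIENT_PUB, CLIENT_PRIV = make_keypair(2**107 - 1, 2**61 - 1)    # consumer (client) key pair


def digest_int(msg: bytes) -> int:
    """SHA-256 truncated to 160 bits so the value is below both toy moduli."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:20], "big")


def rsa_sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(digest_int(msg), d, n)


def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(msg)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 in counter mode; the same call encrypts and decrypts (toy cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def server_sign_then_encrypt(response: bytes, own_priv, partner_pub) -> dict:
    """Provider side: OWN private key signs, the PARTNER's public key wraps the content key."""
    sig = rsa_sign(own_priv, response)
    cek = secrets.token_bytes(16)                       # fresh content-encryption key per message
    n, e = partner_pub
    return {
        "wrapped_key": pow(int.from_bytes(cek, "big"), e, n),   # only the partner's private key unwraps it
        "ciphertext": keystream_xor(cek, response + sig.to_bytes(32, "big")),
    }


def client_decrypt_then_verify(envelope: dict, own_priv, partner_pub) -> bytes:
    """Consumer side: OWN private key unwraps, the PARTNER's public key verifies."""
    n, d = own_priv
    cek_int = pow(envelope["wrapped_key"], d, n)
    if cek_int >= 1 << 128:
        raise ValueError("key unwrap failed: wrong private key")
    body = keystream_xor(cek_int.to_bytes(16, "big"), envelope["ciphertext"])
    response, sig = body[:-32], int.from_bytes(body[-32:], "big")
    if not rsa_verify(partner_pub, response, sig):
        raise ValueError("signature verification failed")
    return response


def provider_key_material() -> dict:
    """Everything the provider needs to sign and encrypt its response."""
    return {"own_private_key": SERVER_PRIV, "partner_public_key": CLIENT_PUB}


def roundtrip(response: bytes) -> bytes:
    """Provider protects the response; consumer recovers and verifies it."""
    envelope = server_sign_then_encrypt(response, SERVER_PRIV, CLIENT_PUB)
    return client_decrypt_then_verify(envelope, CLIENT_PRIV, SERVER_PUB)
```

`provider_key_material` is the point of the model: the provider side holds its own private key plus the partner's public key and nothing else, and the consumer side holds the mirror image. Feeding the provider's private key into `client_decrypt_then_verify` fails at the unwrap step, and flipping one ciphertext byte fails at signature verification, so neither side can stand in for the other.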
fjb_saper
PostPosted: Sat Feb 08, 2014 8:22 pm
So does the server have the client cert in its truststore?
MQ & Broker admin
PEPERO
PostPosted: Sat Feb 08, 2014 9:10 pm
Of course. Looking at the first quote above for alias wmbclientcert in the wmbkeystore.jks server keystore file shows this (trustedCertEntry entry type).
nukalas2010
PostPosted: Wed May 24, 2017 10:33 pm
Dears,
Sorry to pull out the old post, but I am also having exactly the same issue and would like to know how you got it fixed if it's done.

Thanks,