MQSeries.net :: View topic - Problem verifying signature with WMB7

MQSeries.net

Tech Exchange

Education

Certifications

Library

Info Center

SupportPacs

FAQÂ Â

Usergroups

RSS Feed - WebSphere MQ Support

RSS Feed - Message Broker Support

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Problem verifying signature with WMB7

Problem verifying signature with WMB7

« View previous topic :: View next topic »

Author

Message

jborella

Posted: Mon Jan 13, 2014 5:02 am Post subject: Problem verifying signature with WMB7

Apprentice

Joined: 04 Jun 2009
Posts: 26

I have a SOAP Input node receiving some data. I put the data on a queue and send a reply to the SOAP client whether all went well, using a SOAP Reply Node.

The data exchanged with the client are to be signed in a WS-Security header.

I can't get the signature handling to work. I've read the documentation and tried the address book sample with ws-security, but run into the same problem no matter what I try. I've managed to sign the response to the client and verify it, but I can't even get the broker up and running when I enable signature verification on the request.

The following is my latest attempt (stripped for signing the response for simplicity).
I use the following policy:

Code:

<policy:Policy xmlns:_0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:_200512="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512" xmlns:policy="http://schemas.xmlsoap.org/ws/2004/09/policy">
<_200512:AsymmetricBinding>
<policy:Policy>
<_200512:RecipientToken>
<policy:Policy>
<_200512:X509Token _200512:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
<policy:Policy Name="reqToken">
<_200512:WssX509V3Token10/>
</policy:Policy>
</_200512:X509Token>
</policy:Policy>
</_200512:RecipientToken>
<_200512:AlgorithmSuite>
<policy:Policy>
<_200512:Basic128Rsa15/>
</policy:Policy>
</_200512:AlgorithmSuite>
<_200512:Layout>
<policy:Policy>
<_200512:Strict/>
</policy:Policy>
</_200512:Layout>
</policy:Policy>
</_200512:AsymmetricBinding>
<_200512:Wss11>
<policy:Policy>
<_200512:RequireSignatureConfirmation/>
</policy:Policy>
</_200512:Wss11>
<policy:Policy _0:Id="request:reqSignature">
<_200512:SignedParts>
<_200512:Body/>
</_200512:SignedParts>
</policy:Policy>
</policy:Policy>

I use the following binding:

Code:

<securitybinding:securityBindings xmlns:securitybinding="http://www.ibm.com/xmlns/prod/websphere/200710/ws-securitybinding">
<securitybinding:securityBinding name="application">
<securitybinding:securityOutboundBindingConfig/>
<securitybinding:securityInboundBindingConfig>
<securitybinding:signingInfo name="con_reqSignature">
<securitybinding:signingKeyInfo reference="con_reqToken_signreqSignature_keyinfo"/>
<securitybinding:signingPartReference reference="request:reqSignature">
<securitybinding:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</securitybinding:signingPartReference>
</securitybinding:signingInfo>
<securitybinding:keyInfo classname="com.ibm.ws.wssecurity.wssapi.CommonContentConsumer" name="con_reqToken_signreqSignature_keyinfo">
<securitybinding:tokenReference reference="con_requestreqSignature"/>
</securitybinding:keyInfo>
<securitybinding:tokenConsumer classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer" name="con_requestreqSignature">
<securitybinding:valueType localName="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
<securitybinding:jAASConfig configName="system.wss.consume.x509"/>
<securitybinding:callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler">
<securitybinding:keyStore path="*MQSITRUSTSTOREPATHMQSI*" storepass="*MQSITRUSTSTOREPWDMQSI*" type="JKS"/>
<securitybinding:key alias="Any" name="Any"/>
<securitybinding:certPathSettings>
<securitybinding:trustAnchorRef reference="TrustStore"/>
<securitybinding:certStoreRef reference="BrokerStore"/>
</securitybinding:certPathSettings>
</securitybinding:callbackHandler>
</securitybinding:tokenConsumer>
<securitybinding:trustAnchor name="TrustStore">
<securitybinding:keyStore path="*MQSITRUSTSTOREPATHMQSI*" storepass="*MQSITRUSTSTOREPWDMQSI*" type="JKS"/>
</securitybinding:trustAnchor>
<securitybinding:certStoreList>
<securitybinding:collectionCertStores name="BrokerStore" provider="IBMCertPath"/>
</securitybinding:certStoreList>
</securitybinding:securityInboundBindingConfig>
</securitybinding:securityBinding>
</securitybinding:securityBindings>

When i apply the policy and binding to my flow and try deploying, I get the following error message:

Code:

CWWSS7281E: Token Consumer token type [http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3] does not match signature token type defined in the policy.'

Can anyone tell me, what I'm doing wrong?

Display posts from previous:

Page 1 of 1

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Problem verifying signature with WMB7

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Protected by Anti-Spam ACP