WMB WS Security and SOAPUI to validate signature |
tony2nd |
Posted: Tue Apr 12, 2016 4:11 pm Post subject: WMB WS Security and SOAPUI to validate signature |
|
|
Novice
Joined: 07 Apr 2014 Posts: 17
|
I have a flow with a SOAPInput node that will receive signed requests. The node should validate the signature. I am using SOAPUI to create the request.
This is the error I am receiving:
CWWSS5358E: The http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 signature method is not valid.
I am sorry this is a long post; I hope someone can help me.
This is the message:
Code: |
<soapenv:Envelope xmlns:iis="http://www.bbt.com/ns/IISIWire" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/></soapenv:Header>
<soapenv:Body>
<iis:IISIWireSubmitRequest>
<iis:ChannelInd>FIS</iis:ChannelInd>
<iis:IISIMessage>SGVsbG8gV29ybGQ=</iis:IISIMessage>
</iis:IISIWireSubmitRequest>
</soapenv:Body>
</soapenv:Envelope>
|
This is the result:
Code: |
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<soapenv:Fault xmlns:axis2ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>axis2ns1:UnsupportedAlgorithm</faultcode>
<faultstring>CWWSS5358E: The http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 signature method is not valid.</faultstring>
<detail>
<Exception>org.apache.axis2.AxisFault: CWWSS5358E: The http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 signature method is not valid.
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:131)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler._invoke(WSSecurityConsumerHandler.java:543)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.invoke(WSSecurityConsumerHandler.java:242)
at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:380)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:188)
at com.ibm.broker.axis2.Axis2Invoker.processInboundRequest(Axis2Invoker.java:3196)
at com.ibm.broker.axis2.Axis2Invoker.invokeAxis2(Axis2Invoker.java:2865)
at com.ibm.broker.axis2.TomcatNodeRegistrationUtil.invokeAXIS2(TomcatNodeRegistrationUtil.java:474)
Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5358E: The http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 signature method is not valid.
at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:150)
at com.ibm.ws.wssecurity.dsig.SignatureConsumer.checkSignedInfo(SignatureConsumer.java:454)
at com.ibm.ws.wssecurity.dsig.SignatureConsumer.checkSignature(SignatureConsumer.java:346)
at com.ibm.ws.wssecurity.dsig.SignatureConsumer.invoke(SignatureConsumer.java:249)
at com.ibm.ws.wssecurity.core.WSSConsumer.callSignatureConsumer(WSSConsumer.java:2911)
at com.ibm.ws.wssecurity.core.WSSConsumer.callSignatureConsumer(WSSConsumer.java:2815)
at com.ibm.ws.wssecurity.core.WSSConsumer.invoke(WSSConsumer.java:859)
at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:110)
... 8 more</Exception>
</detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
|
The SOAPUI http log:
Code: |
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "POST /IISIWireSubmit HTTP/1.1[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "Accept-Encoding: gzip,deflate[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "Content-Type: text/xml;charset=UTF-8[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "SOAPAction: ""[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "Content-Length: 2363[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "Host: wil-ftmdevwas02:7810[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "Connection: Keep-Alive[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "<soapenv:Envelope xmlns:iis="http://www.bbt.com/ns/IISIWire" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> " <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ds:Signature Id="SIG-92" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="iis soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id-91"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="iis" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>1eKDeqGKFPQP+jKq6zfAVoFD8po=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Dtu/dFVVxms643VX07e6Rcx7gGYtl/rv/iKjlcxk8RL5mxyYDfN4eHKhWSh0hWhZL1704hYHk9QV[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "mBMO9Gz0DYCa67/+rQI/5T8PyQvjn1SJeyPKu8I2s8my83whoq5Ba0C1jalEqbzli1z5/shjHNG7[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "tdi5Vv4fs3wbWenfKvbiPhtx86F18rET3L7dMsZ0wYIE3nLAue5gJaQ+nA5BHqiU8/Mshey3EjfF[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "9dWynn06P1DAdk0ZdpK4NyU+Au3che9GhzPdY5C+WDnXpvlJKulzfkpVSjKVFpZtqo7FlLOcUwf2[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "aPpECEuYT1cNt9XmzMZk9M0nOQbI+XVo4F95QQ==</ds:SignatureValue><ds:KeyInfo Id="KI-99A06C61C1C0CF6D361460491053672140"><wsse:SecurityTokenReference wsu:Id="STR-99A06C61C1C0CF6D361460491053672141"><wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">G44vhWS6xNlabde2J/Vn1g3wmbo=</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> " <soapenv:Body wsu:Id="id-91" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> " <iis:IISIWireSubmitRequest>[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> " <iis:ChannelInd>FIS</iis:ChannelInd>[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> " <iis:IISIMessage>SGVsbG8gV29ybGQ=</iis:IISIMessage>[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> " </iis:IISIWireSubmitRequest>[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> " </soapenv:Body>[\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:>> "</soapenv:Envelope>"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "HTTP/1.1 500 Internal Server Error[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "Server: Apache-Coyote/1.1[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "Content-Type: text/xml;charset=UTF-8[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "Content-Length: 2456[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "Date: Tue, 12 Apr 2016 19:57:33 GMT[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "Connection: close[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><soapenv:Fault xmlns:axis2ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><faultcode>axis2ns1:UnsupportedAlgorithm</faultcode><faultstring>CWWSS5358E: The http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 signature method is not valid.</faultstring><detail><Exception>org.apache.axis2.AxisFault: CWWSS5358E: The http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 signature method is not valid.
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:131)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler._invoke(WSSecurityConsumerHandler.java:543)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler.invoke(WSSecurityConsumerHandler.java:242)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:380)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:188)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.broker.axis2.Axis2Invoker.processInboundRequest(Axis2Invoker.java:3196)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.broker.axis2.Axis2Invoker.invokeAxis2(Axis2Invoker.java:2865)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.broker.axis2.TomcatNodeRegistrationUtil.invokeAXIS2(TomcatNodeRegistrationUtil.java:474)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5358E: The http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 signature method is not valid.
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:150)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.ws.wssecurity.dsig.SignatureConsumer.checkSignedInfo(SignatureConsumer.java:454)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.ws.wssecurity.dsig.SignatureConsumer.checkSignature(SignatureConsumer.java:346)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.ws.wssecurity.dsig.SignatureConsumer.invoke(SignatureConsumer.java:249)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.ws.wssecurity.core.WSSConsumer.callSignatureConsumer(WSSConsumer.java:2911)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.ws.wssecurity.core.WSSConsumer.callSignatureConsumer(WSSConsumer.java:2815)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.ws.wssecurity.core.WSSConsumer.invoke(WSSConsumer.java:859)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]at com.ibm.ws.wssecurity.handler.WSSecurityConsumerBase.invoke(WSSecurityConsumerBase.java:110)
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "[0x9]... 8 more
[\r][\n]"
Tue Apr 12 15:57:33 EDT 2016:DEBUG:<< "</Exception></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>"
|
The SOAPUI WS-Security Configuration:
Code: |
Keystores
Source: D:\WSSecurity\keyStore.jks
Status: OK
Password: 123456
Truststores
Source: D:\WSSecurity\trustStore.jks
Status: OK
Password: 123456
Outgoing WS-Security Configurations
Name: FIS_OUT
Signature
Keystore: keyStore.jks
Alias: myalias
Password: myAliasPassword
Key Identifier Type: Subject Key Identifier
Signature Algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Signature Canonicalization: default
Digest Algorithm: default
|
How I created the private key in keyStore, self-signed the certificate, exported the public key, imported the public key to trustStore:
Code: |
keytool -genkey -alias myalias -keyalg RSA -sigalg SHA256withRSA -keypass myAliasPassword -keystore keyStore.jks -storepass 123456 -dname "cn=myalias"
keytool -selfcert -alias myalias -keystore keyStore.jks -storepass 123456 -keypass myAliasPassword
keytool -export -alias myalias -file key.rsa -keystore keyStore.jks -storepass 123456 -sigalg SHA256withRSA
keytool -import -alias myalias -file key.rsa -keystore trustStore.jks -storepass 123456 -sigalg SHA256withRSA
keytool -v -list -alias myalias -keystore keyStore.jks
Alias name: myalias
Creation date: Apr 5, 2016
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=myalias
Issuer: CN=myalias
Serial number: 57042e22
Valid from: 4/5/16 5:29 PM until: 7/4/16 5:29 PM
Certificate fingerprints:
MD5: 42:B8:02:49:3B:29:C6:16:2D:F9:0B:BA:3E:42:33:4E
SHA1: A7:67:73:FF:D9:C0:D8:23:C1:18:B1:F3:DE:AA:BA:D6:9C:A4:A8:FD
keytool -v -list -alias myalias -keystore trustStore.jks
Alias name: myalias
Creation date: Apr 5, 2016
Entry type: trustedCertEntry
Owner: CN=myalias
Issuer: CN=myalias
Serial number: 57042e22
Valid from: 4/5/16 5:29 PM until: 7/4/16 5:29 PM
Certificate fingerprints:
MD5: 42:B8:02:49:3B:29:C6:16:2D:F9:0B:BA:3E:42:33:4E
SHA1: A7:67:73:FF:D9:C0:D8:23:C1:18:B1:F3:DE:AA:BA:D6:9C:A4:A8:FD
|
|
|
mqjeff |
Posted: Wed Apr 13, 2016 4:09 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
When troubleshooting any kind of communication between two programs, you have to examine both sides.
With WS-Security in Broker, this includes knowing how you have configured the security policies, and how you have added the certificates to the broker.
The error seems fairly straightforward to me - one side or the other doesn't like the signing algorithm you have used. First step is to figure out which side. _________________ chmod -R ugo-wx / |
|
tony2nd |
Posted: Wed Apr 13, 2016 5:32 am Post subject: |
|
|
Novice
Joined: 07 Apr 2014 Posts: 17
|
The policy set and binding:
Code: |
Broker Policy Set:
FIS_Policy
WS-Security
Authentication Tokens
X.509 authentication tokens
FIS_Request/Request/1.0/x.509 Version 3
Message Level Protection
Message level protection checked
Tokens
Asymmetric tokens
initToken/Initiator/1.0/X.509 Version 3
recipToken/Recipient/1.0/x.509 Version 3
Algorithms
Basic128Sha256Rsa15 (I have tried almost all of them)
Message Part Protection
App_signparts_request/Signature/Request/Yes
Qname
app_signparts_request/ / http://schemas.xmlsoap.org/ws/2004/08/addressing
app_signparts_request/ / http://www.w3.org/2005/08/addressing
Xpath
app_signparts_request/ Envelope, Header, Security, Signature
FIS_Bindings
Authentication tokens
Authentications X.509 tokens
Request:FIS_Request/'N/A'/'N/A'/TrustAny
Message Part Policy
Message Part signature policies
Request:app_signparts_request/recipToken/'N/A'/'N/A'
Key Information
recipToken/CN=myalias/myalias/TrustAny
|
Broker changes:
Code: |
mqsichangeproperties CGICINDYBK -e default -o ComIbmJVMManager -n truststoreFile -v D:\WSSecurity\trustStore.jks
mqsichangeproperties CGICINDYBK -e default -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties CGICINDYBK -e default -o ComIbmJVMManager -n truststorePass -v brokerTruststore::password
mqsichangeproperties CGICINDYBK -e default -o ComIbmJVMManager -n keystoreFile -v D:\WSSecurity\keyStore.jks
mqsichangeproperties CGICINDYBK -e default -o ComIbmJVMManager -n keystoreType -v JKS
mqsichangeproperties CGICINDYBK -e default -o ComIbmJVMManager -n keystorePass -v brokerKeystore::password
mqsistop CGICINDYBK
mqsisetdbparms CGICINDYBK -n brokerTruststore::password -u temp -p 123456
mqsisetdbparms CGICINDYBK -n brokerKeystore::password -u temp -p 123456
mqsistart CGICINDYBK
|
About the signature method:
I created myalias using keytool with -sigalg SHA256withRSA
On SOAPUI I selected
Signature Algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
With IBM Key management I see that myalias has:
Signature Algorithm: SHA256withRSA
I am not sure what broker's Algorithm Suite to select:
Basic256Sha256Rsa15
Basic192Sha256Rsa15
Basic128Sha256Rsa15
or any other
I have tried almost all of them getting the same error. |
|
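Added example (not from the thread, SOAPUI, or WebSphere Message Broker): a small Python check that pulls the algorithm URIs out of the ds:SignedInfo of the request logged in the first post and compares them with what a WS-SecurityPolicy 1.2 algorithm suite prescribes, which is the "figure out which side" step for the algorithm suite question above. The suite table covers only the three suites named in the post; in WS-SecurityPolicy 1.2 the Sha256 variants change the digest algorithm to SHA-256 while the asymmetric signature algorithm stays rsa-sha1, so a request signed with rsa-sha256 and digested with sha1 disagrees with the suite on both counts. Whether a given product accepts algorithms beyond the suite is product-specific, so the check only reports what differs from the spec. It also resolves each ds:Reference URI to its wsu:Id and reports when the Body is not among the signed parts, which is what the policy set's message part protection is meant to guarantee. The sample request is reassembled from the SOAPUI HTTP log in the first post; the function names are my own.

```python
"""Compare the algorithms in a WS-Security signed SOAP request with the ones a
WS-SecurityPolicy 1.2 algorithm suite prescribes, and report which parts the
signature covers.  Added example; not SOAPUI, WMB or IBM code."""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# WS-SecurityPolicy 1.2, section 7.1: the *Sha256* suites change [Dig] to
# SHA-256; [Asym Sig] is rsa-sha1 for every suite.  Only the three suites
# named in the thread are listed.
SUITES = {
    "Basic128Sha256Rsa15": {"digest": SHA256, "signature": RSA_SHA1, "c14n": EXC_C14N},
    "Basic192Sha256Rsa15": {"digest": SHA256, "signature": RSA_SHA1, "c14n": EXC_C14N},
    "Basic256Sha256Rsa15": {"digest": SHA256, "signature": RSA_SHA1, "c14n": EXC_C14N},
}

# Constructed sample: the request SOAPUI sent, reassembled from the HTTP log
# in the first post with the digest, signature and key identifier as logged.
REQUEST = """<soapenv:Envelope xmlns:iis="http://www.bbt.com/ns/IISIWire" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ds:Signature Id="SIG-92" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="iis soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id-91"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="iis" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>1eKDeqGKFPQP+jKq6zfAVoFD8po=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Dtu/dFVVxms643VX07e6Rcx7gGYtl/rv/iKjlcxk8RL5mxyYDfN4eHKhWSh0hWhZL1704hYHk9QV
mBMO9Gz0DYCa67/+rQI/5T8PyQvjn1SJeyPKu8I2s8my83whoq5Ba0C1jalEqbzli1z5/shjHNG7
tdi5Vv4fs3wbWenfKvbiPhtx86F18rET3L7dMsZ0wYIE3nLAue5gJaQ+nA5BHqiU8/Mshey3EjfF
9dWynn06P1DAdk0ZdpK4NyU+Au3che9GhzPdY5C+WDnXpvlJKulzfkpVSjKVFpZtqo7FlLOcUwf2
aPpECEuYT1cNt9XmzMZk9M0nOQbI+XVo4F95QQ==</ds:SignatureValue><ds:KeyInfo Id="KI-99A06C61C1C0CF6D361460491053672140"><wsse:SecurityTokenReference wsu:Id="STR-99A06C61C1C0CF6D361460491053672141"><wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">G44vhWS6xNlabde2J/Vn1g3wmbo=</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-91" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<iis:IISIWireSubmitRequest><iis:ChannelInd>FIS</iis:ChannelInd><iis:IISIMessage>SGVsbG8gV29ybGQ=</iis:IISIMessage></iis:IISIWireSubmitRequest>
</soapenv:Body>
</soapenv:Envelope>"""


def signature_summary(envelope_xml):
    """Algorithm URIs from ds:SignedInfo, plus the local name of the element
    each ds:Reference resolves to (None unless exactly one wsu:Id matches)."""
    root = ET.fromstring(envelope_xml)
    sig = root.find("soapenv:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        raise ValueError("request carries no ds:Signature in its wsse:Security header")
    info = sig.find("ds:SignedInfo", NS)
    by_id = {}
    for el in root.iter():
        if WSU_ID in el.attrib:
            by_id.setdefault(el.attrib[WSU_ID], []).append(el)
    refs = []
    for ref in info.findall("ds:Reference", NS):
        uri = ref.get("URI", "")
        targets = by_id.get(uri[1:], []) if uri.startswith("#") else []
        refs.append({
            "uri": uri,
            "digest": ref.find("ds:DigestMethod", NS).get("Algorithm"),
            # a duplicated wsu:Id makes the reference ambiguous, so require exactly one
            "target": targets[0].tag.rsplit("}", 1)[-1] if len(targets) == 1 else None,
        })
    return {
        "c14n": info.find("ds:CanonicalizationMethod", NS).get("Algorithm"),
        "signature": info.find("ds:SignatureMethod", NS).get("Algorithm"),
        "references": refs,
    }


def check_against_suite(envelope_xml, suite_name):
    """Mismatches between the request and the named suite; an empty list means
    the algorithms agree and the Body is among the signed parts."""
    want = SUITES[suite_name]
    got = signature_summary(envelope_xml)
    problems = []
    for key, label in (("signature", "SignatureMethod"), ("c14n", "CanonicalizationMethod")):
        if got[key] != want[key]:
            problems.append("%s is %s but %s expects %s" % (label, got[key], suite_name, want[key]))
    for ref in got["references"]:
        if ref["digest"] != want["digest"]:
            problems.append("DigestMethod for %s is %s but %s expects %s"
                            % (ref["uri"], ref["digest"], suite_name, want["digest"]))
        if ref["target"] is None:
            problems.append("Reference %s does not resolve to exactly one wsu:Id" % ref["uri"])
    if not any(ref["target"] == "Body" for ref in got["references"]):
        problems.append("no Reference covers soapenv:Body, so the payload is unsigned")
    return problems


if __name__ == "__main__":
    for problem in check_against_suite(REQUEST, "Basic128Sha256Rsa15"):
        print("MISMATCH:", problem)
```

Run against the logged request with any of the three suites, the check reports two mismatches: the SignatureMethod (rsa-sha256 where the suite lists rsa-sha1) and the DigestMethod (sha1 where the suite lists sha256); canonicalization agrees and the single Reference resolves to the Body. The check reads only the algorithm identifiers and reference targets; it does not verify the digest or the signature value, which needs an exclusive-C14N implementation and the signer's certificate.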