Take a look at the Rampart configuration parameters available at http://ws.apache.org/rampart/rampartconfig-guide.html; specifically these 2 attributes need to be specified:

    user           The user's name        Set username of UsernameToken to be used    <user>bob</user>
    userCertAlias  The user's cert alias  Set alias of the key to be used to sign     <userCertAlias>bob</userCertAlias>

Then create the Java keystores:

* If your JDK version is 1.3 or prior, download and install JSSE 1.0.2 or later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
* Execute:

    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA    (Windows)
    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA     (Unix)

  with a password value of "changeit" for both the certificate and the keystore itself.

    keytool -certreq [-v] [-protected] [-alias <alias>] [-sigalg <sigalg>]
            [-file <csr_file>] [-keypass <keypass>] [-keystore <keystore>]
            [-storepass <storepass>] [-storetype <storetype>]
            [-providerName <name>] [-providerClass <provider_class_name> [-providerArg <arg>]] ...

  (you'll want to specify the csr_file)

This is a sample Receiver defined in axis2.xml; notice the keystore filename and the keypassword which you specified above:

    <parameter name="keystore" locked="false">
      <KeyStore>
        <Location>identity.jks</Location>
        <Type>JKS</Type>
        <Password>password</Password>
        <KeyPassword>password</KeyPassword>
      </KeyStore>
    </parameter>
    <parameter name="truststore" locked="false">
      <TrustStore>
        <Location>trust.jks</Location>
        <Type>JKS</Type>
        <Password>password</Password>
      </TrustStore>
    </parameter>

HTH
Martin

> Date: Tue, 7 Oct 2008 06:48:56 +0530
> From: [EMAIL PROTECTED]
> To: axis-user@ws.apache.org
> Subject: Re: Rampart Username and signed certificate
>
> What is the exception that you get?
>
> Samisa...
> > RonnieMJ wrote:
> > I'm pretty new to WS, and especially the security piece, but I'm using
> > rampart 1.4 using policy files to try to function as a client to an existing
> > (external to my company) web service.
> >
> > I know that I need to send both a usernameToken and sign the header with a
> > certificate. I've been able to do EITHER, but so far haven't been able to
> > do both.
> >
> > I've tried it about 20 different ways, but my most recent attempt is:
> >
> > <wsp:Policy wsu:Id="SigAndUName"
> >   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >   <wsp:All>
> >     <sp:AsymmetricBinding
> >       xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >       <wsp:Policy>
> >         <sp:InitiatorToken>
> >           <wsp:Policy>
> >             <sp:X509Token
> >               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >               <wsp:Policy>
> >                 <sp:WssX509V3Token10/>
> >               </wsp:Policy>
> >             </sp:X509Token>
> >           </wsp:Policy>
> >         </sp:InitiatorToken>
> >         <sp:RecipientToken>
> >           <wsp:Policy>
> >             <sp:X509Token
> >               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >               <wsp:Policy>
> >                 <sp:WssX509V3Token10/>
> >               </wsp:Policy>
> >             </sp:X509Token>
> >           </wsp:Policy>
> >         </sp:RecipientToken>
> >         <sp:AlgorithmSuite>
> >           <wsp:Policy>
> >             <sp:Basic128Rsa15/>
> >           </wsp:Policy>
> >         </sp:AlgorithmSuite>
> >         <sp:Layout>
> >           <wsp:Policy>
> >             <sp:Lax/>
> >           </wsp:Policy>
> >         </sp:Layout>
> >         <sp:OnlySignEntireHeadersAndBody/>
> >         <sp:SupportingTokens>
> >           <wsp:Policy>
> >             <sp:UsernameToken
> >               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
> >             />
> >           </wsp:Policy>
> >         </sp:SupportingTokens>
> >       </wsp:Policy>
> >     </sp:AsymmetricBinding>
> >
> >     <sp:Wss10
> >       xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >       <wsp:Policy>
> >         <sp:MustSupportRefKeyIdentifier />
> >         <sp:MustSupportRefIssuerSerial />
> >       </wsp:Policy>
> >     </sp:Wss10>
> >
> >     <sp:SignedParts
> >       xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >       <sp:Body/>
> >     </sp:SignedParts>
> >
> >     <ramp:RampartConfig
> >       xmlns:ramp="http://ws.apache.org/rampart/policy">
> >       <ramp:user>user</ramp:user>
> >       <ramp:encryptionUser>user</ramp:encryptionUser>
> >       <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
> >       <ramp:signatureCrypto>
> >         <ramp:crypto
> >           provider="org.apache.ws.security.components.crypto.Merlin">
> >           <ramp:property
> >             name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
> >           <ramp:property
> >             name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> >           <ramp:property
> >             name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
> >           <ramp:property
> >             name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
> >         </ramp:crypto>
> >       </ramp:signatureCrypto>
> >     </ramp:RampartConfig>
> >
> >   </wsp:All>
> > </wsp:Policy>
> >
> >
> > I expect the final header output to be something like:
> >
> > <SOAP-ENV:Header>
> >   <wsse:Security>
> >     <wsse:UsernameToken>
> >       <wsse:Username>XXX</wsse:Username>
> >     </wsse:UsernameToken>
> >     <wsse:BinarySecurityToken>binaryTokenHere</wsse:BinarySecurityToken>
> >     <ds:Signature>
> >       <ds:SignedInfo>
> >         <ds:CanonicalizationMethod
> >           Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >         <ds:SignatureMethod
> >           Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >         <ds:Reference>
> >           <ds:Transforms>
> >             <ds:Transform />
> >           </ds:Transforms>
> >           <ds:DigestMethod />
> >           <ds:DigestValue></ds:DigestValue>
> >         </ds:Reference>
> >         <ds:Reference>
> >           <ds:Transforms>
> >             <ds:Transform
> >               Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >           </ds:Transforms>
> >           <ds:DigestMethod
> >             Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >           <ds:DigestValue></ds:DigestValue>
> >         </ds:Reference>
> >       </ds:SignedInfo>
> >       <ds:SignatureValue></ds:SignatureValue>
> >       <ds:KeyInfo>
> >         <wsse:SecurityTokenReference>
> >           <wsse:Reference />
> >         </wsse:SecurityTokenReference>
> >       </ds:KeyInfo>
> >     </ds:Signature>
> >   </wsse:Security>
> > </SOAP-ENV:Header>
> >
> >
> > I'm fairly sure I've just got the policy file slightly off. Any
> > suggestions? Thanks for any reply.
> >
>
> --
> Samisa Abeysinghe
>
> http://people.apache.org/~samisa/