Thx, I'll try Rampart 1.4.

service.xml, it contains the policy:

<service name="RampartSignService">
    <description>
        Security Service, messages are signed
    </description>
    <parameter name="ServiceClass">rampart.sign.service.PojoService</parameter>
    <operation name="sestej">
        <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </operation>

    <!-- security -->
    <module ref="rampart"/>
    <wsp:Policy wsu:Id="SigOnly"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:InitiatorToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:InitiatorToken>
                        <sp:RecipientToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:RecipientToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:TripleDesRsa15/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict/>
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                        <sp:OnlySignEntireHeadersAndBody/>
                    </wsp:Policy>
                </sp:AsymmetricBinding>
                <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier/>
                        <sp:MustSupportRefIssuerSerial/>
                    </wsp:Policy>
                </sp:Wss10>
                <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <sp:Body/>
                </sp:SignedParts>
                <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                    <!-- the service's alias in the keystore -->
                    <ramp:user>service</ramp:user>
                    <ramp:passwordCallbackClass>rampart.sign.service.SecurityHandler</ramp:passwordCallbackClass>
                    <ramp:signatureCrypto>
                        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.file">
                                D:\\SOAP_TUTOR\\article-transport\\keys\\server.jks
                            </ramp:property>
                            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">****</ramp:property>
                        </ramp:crypto>
                    </ramp:signatureCrypto>
                </ramp:RampartConfig>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</service>

--------------------------
Req:
----------------------
POST /axis2/services/RampartSignService HTTP/1.1
Content-Type: application/soap+xml; charset=UTF-8; action="urn:sestej"
User-Agent: Axis2
Host: jalovec.arnes.si:8080
Transfer-Encoding: chunked

<?xml version="1.0" encoding="http://www.w3.org/2003/05/soap-envelope" standalone="no"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-32189467">
                <wsu:Created>2009-02-05T08:11:11.735Z</wsu:Created>
                <wsu:Expires>2009-02-05T08:16:11.735Z</wsu:Expires>
            </wsu:Timestamp>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-330120">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#Id-5218268">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>GSyf8R7vIO1Exwurae95mxIWgnI=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#Timestamp-32189467">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>dM8fK3UEbaFdUsl1PXNCcuLz6/M=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
                    2LW4LfjAP5MZulRXONtdzhu7JpvZawfR4/5e2UEBJVMUGqB8c/zTVgG65Z2cIePYgWdw+ma+dWmu
                    JdgqM+66hzZ5BMAH1sNRxL6onz0DOyuRnDYhEgNYgCjmN67Ok7Q0SQqnEfJ19B1WdAxqawspyLjX
                    VyS4X5BisAG5G+25CrQ=
                </ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-25772535">
                    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-27291192">
                        <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">+JGv39JjeaxQiilnwwc/wlWlITU=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-5218268">
        <ns2:sestej xmlns:ns2="http://service.sign.rampart">
            <ns2:a>4</ns2:a>
            <ns2:b>233</ns2:b>
        </ns2:sestej>
    </soapenv:Body>
</soapenv:Envelope>

---------------------
Resp:
---------------------
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: application/soap+xml; action="http://www.w3.org/2005/08/addressing/soap/fault";charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 05 Feb 2009 08:11:12 GMT
Connection: close

<?xml version="1.0" encoding="http://www.w3.org/2003/05/soap-envelope" standalone="no"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
    <soapenv:Body>
        <soapenv:Fault>
            <soapenv:Code>
                <soapenv:Value>soapenv:Receiver</soapenv:Value>
            </soapenv:Code>
            <soapenv:Reason>
                <soapenv:Text xml:lang="en-US">Error in signature with X509Token</soapenv:Text>
            </soapenv:Reason>
            <soapenv:Detail/>
        </soapenv:Fault>
    </soapenv:Body>
</soapenv:Envelope>

The certs are self-signed; their fingerprints:

client:
-----------
Certificate fingerprints:
    MD5:  0B:F9:7D:8C:17:54:85:B7:DC:22:CC:5B:B8:FC:5E:A0
    SHA1: 65:2F:74:5D:27:18:B0:20:CA:95:84:9B:85:FC:DB:1D:F2:58:C7:0B
    Signature algorithm name: SHA1withRSA
    Version: 3

server:
------------
Certificate fingerprints:
    MD5:  0B:F9:7D:8C:17:54:85:B7:DC:22:CC:5B:B8:FC:5E:A0
    SHA1: 65:2F:74:5D:27:18:B0:20:CA:95:84:9B:85:FC:DB:1D:F2:58:C7:0B
    Signature algorithm name: SHA1withRSA
    Version: 3

Maybe the problem is the signature algorithm name, SHA1withRSA, while in my policy I have ....

<sp:AlgorithmSuite>
    <wsp:Policy>
        <sp:TripleDesRsa15/>
    </wsp:Policy>
</sp:AlgorithmSuite>

Regards,
Tomaz

Erwin Reinhoud wrote:
> Hello Tomaz,
>
> Try also using Rampart version 1.4 instead of 1.3.
>
> Regards,
> Erwin
>
> ------------------------------------------------------------------------
> *From:* m4rkuz [mailto:m4r...@gmail.com]
> *Sent:* Wednesday 4 February 2009 15:16
> *To:* axis-user@ws.apache.org
> *Subject:* Re: Error in signature with X509Token
>
> Hi Tomaz,
>
> I think you should attach your policy.xml file and your services.xml,
> and maybe an example of the SOAP message generated, so it could be easier
> to help you.
>
> Marcus V. Sánchez D.
> ______________________
> Enterprise Developer.
> Sun Certified Java Programmer (SCJP)
>
> On Wed, Feb 4, 2009 at 9:08 AM, TomazM <tomaz.majerh...@arnes.si
> <mailto:tomaz.majerh...@arnes.si>> wrote:
>
>     Env:
>     OS: Microsoft Windows XP [Version 5.1.2600]
>     java: Java(TM) SE Runtime Environment (build 1.6.0_10-b33)
>     Tomcat: 6.0.16
>     Axis2: 1.4.1
>     Rampart: 1.3
>
>     I'm trying to sign a message with my CallbackHandler and wsp:Policy;
>     the keys are in keystores of JKS type (server.jks and client.jks).
>
>     1) In service.xml I have:
>     .....
>     <ramp:passwordCallbackClass>rampart.sign.service.SecurityHandler</ramp:passwordCallbackClass>
>     <ramp:signatureCrypto>
>         <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">keys\\server.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">****</ramp:property>
>         </ramp:crypto>
>
>     2) In the client I also have my CallbackHandler and apply a
>     RampartConfig which uses client.jks (contains the server key).
>
>     The fingerprints of the server and client certificates are the same in
>     both keystores.
>
>     Error:
>     org.apache.axis2.AxisFault: Error in signature with X509Token
>         at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:512)
>         at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:370)
>         at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:416)
>         at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
>         at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
>
>     Does anybody have a clue what I'm doing wrong????
>
>     Best regards, Tomaz
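The policy in this thread uses IncludeToken/Never for both tokens together with MustSupportRefKeyIdentifier, so the request carries no certificate at all, only the X509SubjectKeyIdentifier value in wsse:KeyIdentifier, and the service must find a certificate with that SKI in server.jks before it can verify the signature. The following is an added example, not code from this thread or from Rampart: a stand-alone Java check that loads a JKS keystore and reports which alias, if any, carries the KeyIdentifier copied out of the request. The class name and argument order are my own; the fallback for certificates without an SKI extension (SHA-1 over the subjectPublicKey bits, RFC 5280 method 1) is assumed to match what WSS4J's Merlin computes for the 1024-bit RSA keys this thread's 128-byte signature implies.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
/** Resolves a WS-Security X509SubjectKeyIdentifier against the certificates in a JKS keystore. */
public class SkiLookupCheck {
    /** Size of the DER tag+length header at off; the element's content length is written to out[0]. */
    static int header(byte[] b, int off, int[] out) {
        int l = b[off + 1] & 0xff;
        if (l < 0x80) { out[0] = l; return 2; }
        out[0] = 0;
        for (int i = 0; i < (l & 0x7f); i++) out[0] = (out[0] << 8) | (b[off + 2 + i] & 0xff);
        return 2 + (l & 0x7f);
    }
    /** SKI of a cert: the extension value if present, else SHA-1 over the subjectPublicKey bits (RFC 5280, method 1). */
    static byte[] skiOf(X509Certificate cert) throws Exception {
        int[] n = new int[1];
        byte[] ext = cert.getExtensionValue("2.5.29.14");  // SubjectKeyIdentifier extension
        if (ext != null) {                                 // OCTET STRING wrapping the SKI OCTET STRING
            int off = header(ext, 0, n);
            off += header(ext, off, n);
            return Arrays.copyOfRange(ext, off, off + n[0]);
        }
        byte[] spki = cert.getPublicKey().getEncoded();    // SEQUENCE { AlgorithmIdentifier, BIT STRING }
        int off = header(spki, 0, n);                      // step into the SEQUENCE
        off += header(spki, off, n) + n[0];                // skip AlgorithmIdentifier
        off += header(spki, off, n) + 1;                   // BIT STRING header plus the unused-bits byte
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(spki, off, spki.length - off);
        return sha1.digest();
    }
    /** Alias whose certificate carries the KeyIdentifier copied from the message, or null if none does. */
    static String findAlias(KeyStore ks, String keyIdentifierB64) throws Exception {
        byte[] wanted = Base64.getDecoder().decode(keyIdentifierB64.trim());
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate c = (X509Certificate) ks.getCertificate(alias); // JKS entries hold X.509 certs
            if (c != null && MessageDigest.isEqual(wanted, skiOf(c))) return alias;
        }
        return null;
    }
    // args (hypothetical CLI): keystore path, keystore password, KeyIdentifier value copied from the request
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        String alias = findAlias(ks, args[2]);
        System.out.println(alias == null ? "no certificate matches the KeyIdentifier" : "resolves to alias " + alias);
    }
}
```

Run it against server.jks with the value +JGv39JjeaxQiilnwwc/wlWlITU= from the request: if no alias is reported on the service side, the signing certificate cannot be resolved from the keystore, regardless of which algorithm suite the policy names.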