Re: Apache rampart without encryption - nullpointerException
Hi Thomas,

Sorry for the late reply. According to the given policy you need to have an encryption crypto defined in the RampartConfig section. Even though you don't have any message parts to be encrypted, you still need an encryption crypto, as we have to create an encrypted key in the symmetric binding, as I said earlier. That encrypted key will be used to sign the messages back and forth. You need to get the web service's certificate and include that in the key store you provide for the encryption crypto. You only need the public key of the web service.

According to the above policy, you don't need a certificate for yourself. According to the policy, this web service can be accessed by anonymous clients. This security policy only provides integrity. It doesn't provide authentication or non-repudiation.

Hope this information will help you.

thanks,
nandana

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Apache rampart without encryption - nullpointerException
Oh boy, hitting myself on the head now. I thought you could specify an encryptionToken OR a SignatureToken. I guess the JIRA issue can be set to completed. Sorry for that...

I am using the X509 certificates with a private key. I'm gonna give it a try with the endorsingTokens.

Tnx for your help, that's 5 stars for you!

-- View this message in context: http://www.nabble.com/Apache-rampart-without-encryption--%3E-nullpointerException-tp15408083p15428346.html Sent from the Axis - User mailing list archive at Nabble.com.
Re: Apache rampart without encryption - nullpointerException
Hi Thomas,

> from the certificate authority doesn't allow use for encryption, I get a java.security.InvalidKeyException: Wrong key usage exception. So, is there a possibility to use a protectionToken without automatically loading an encryption key?

Can you post the complete stack trace of the above mentioned exception so that we can see what is really happening? Can you please post the complete policy you are using, including the rampart config information (replace usernames and passwords with dummy values)? Will fix the JIRA about Signature Token soon.

thanks,
nandana
http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/
Re: Apache rampart without encryption - nullpointerException
Hi Thomas,

> So, this is something I don't get: I only add a signatureToken and still rampart tries to add an encryptionToken?! It looks like it is impossible to add a signature without an encryptionToken.

--

According to the WS-SecurityPolicy specification, a symmetric binding has to have either a protection token or both an encryption token and a signature token:

    <sp:SymmetricBinding ...>
      <wsp:Policy>
        (
          <sp:EncryptionToken ...>
            <wsp:Policy> ... </wsp:Policy>
          </sp:EncryptionToken>
          <sp:SignatureToken ...>
            <wsp:Policy> ... </wsp:Policy>
          </sp:SignatureToken>
        ) | (
          <sp:ProtectionToken ...>
            <wsp:Policy> ... </wsp:Policy>
          </sp:ProtectionToken>
        )
        ...
      </wsp:Policy>
    </sp:SymmetricBinding>

This is how the symmetric binding works when a protection token is defined. The web service client creates an encrypted key by encrypting a random key using the web service's public key. Then this encrypted key is used to sign and encrypt the messages back and forth. So only the web service needs to have a key pair to do symmetric binding.

If the web service needs to authenticate the client, then an X509 token can be used as an endorsing supporting token. When an endorsing supporting token is used, the client signs the message signature again, generating a second signature (to do this the client has to have the private key of his X509Token, so the client can be authenticated).

In your case, are you using the web service's X509 certificate?

Thanks,
/nandana
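The token rule quoted above (either a ProtectionToken, or both an EncryptionToken and a SignatureToken) and the encrypted-key reasoning in the reply at the top of the thread can be turned into a pre-flight check that rejects a signature-only symmetric binding with a readable error instead of the NullPointerException Thomas hit. The following Java program is an added example written for this page; it is not Rampart code and does not use Rampart's classes. It parses a policy with the JDK's DOM parser, applies the rule in a `check` method of my own, and runs it over two constructed policies: one wrapping Thomas's SignatureToken snippet and one wrapping the ProtectionToken form. The class, method and exception names are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Pre-flight check of the token shape of an sp:SymmetricBinding (added example, not Rampart code).
 * Rule from WS-SecurityPolicy: a ProtectionToken, or both an EncryptionToken and a SignatureToken.
 */
public class SymmetricBindingCheck {
    static final String SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";
    static final String WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy";

    /** Raised instead of letting a malformed binding surface as a NullPointerException. */
    static class PolicyException extends Exception {
        PolicyException(String msg) { super(msg); }
    }

    enum Mode { PROTECTION_TOKEN, ENCRYPTION_AND_SIGNATURE_TOKENS }

    static Mode check(String policyXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Policy files are configuration, but parse them defensively anyway: no DTDs, no external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(policyXml.getBytes(StandardCharsets.UTF_8)));

        NodeList bindings = doc.getElementsByTagNameNS(SP, "SymmetricBinding");
        if (bindings.getLength() != 1) {
            throw new PolicyException("expected exactly one sp:SymmetricBinding, found " + bindings.getLength());
        }
        Element binding = (Element) bindings.item(0);
        // The token assertions sit in the wsp:Policy nested directly under the binding.
        Element nested = firstChild(binding, WSP, "Policy");
        if (nested == null) throw new PolicyException("sp:SymmetricBinding has no nested wsp:Policy");

        boolean protection = firstChild(nested, SP, "ProtectionToken") != null;
        boolean encryption = firstChild(nested, SP, "EncryptionToken") != null;
        boolean signature  = firstChild(nested, SP, "SignatureToken") != null;

        if (protection) {
            if (encryption || signature) {
                throw new PolicyException("ProtectionToken cannot be combined with EncryptionToken/SignatureToken");
            }
            return Mode.PROTECTION_TOKEN;
        }
        if (encryption && signature) return Mode.ENCRYPTION_AND_SIGNATURE_TOKENS;
        // This is the case that reached the NullPointerException in RampartPolicyBuilder.symmetricBinding.
        throw new PolicyException("sp:SymmetricBinding needs either a ProtectionToken or both an EncryptionToken"
                + " and a SignatureToken (found:" + (encryption ? " EncryptionToken" : "")
                + (signature ? " SignatureToken" : " none") + ")");
    }

    /** First direct child element with the given namespace and local name, or null. */
    static Element firstChild(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && ns.equals(n.getNamespaceURI())
                    && local.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    // Constructed policy wrapper around a token assertion (only the binding part is needed for the check).
    static String wrap(String tokenAssertion) {
        return "<wsp:Policy xmlns:wsp='" + WSP + "' xmlns:sp='" + SP + "'>"
             + "<sp:SymmetricBinding><wsp:Policy>" + tokenAssertion
             + "<sp:AlgorithmSuite><wsp:Policy><sp:Basic128Rsa15/></wsp:Policy></sp:AlgorithmSuite>"
             + "</wsp:Policy></sp:SymmetricBinding></wsp:Policy>";
    }

    // The X509Token body from Thomas's snippet.
    static final String X509 = "<wsp:Policy><sp:X509Token sp:IncludeToken='" + SP + "/IncludeToken/AlwaysToRecipient'>"
            + "<wsp:Policy><sp:RequireDerivedKeys/><sp:RequireThumbprintReference/><sp:WssX509V3Token10/></wsp:Policy>"
            + "</sp:X509Token></wsp:Policy>";

    public static void main(String[] args) throws Exception {
        String signatureOnly = wrap("<sp:SignatureToken>" + X509 + "</sp:SignatureToken>");
        String protection    = wrap("<sp:ProtectionToken>" + X509 + "</sp:ProtectionToken>");
        System.out.println("protection token policy: " + check(protection));
        try {
            check(signatureOnly);
        } catch (PolicyException e) {
            System.out.println("signature-only policy: rejected: " + e.getMessage());
        }
    }
}
```

Only direct children of the binding's nested wsp:Policy are inspected, so a SignatureToken that appears elsewhere in the policy (for example inside a supporting-token assertion) does not count towards the binding's own token shape.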
Re: Apache rampart without encryption - nullpointerException
Hi Thomas,

This seems a bug in Rampart. Please go on and create a JIRA issue [1]. For the moment, you can use the protection token property instead of the signature token property. That would work.

thanks,
/nandana

[1] - http://issues.apache.org/jira/browse/Rampart

On Feb 11, 2008 3:09 PM, thomasV [EMAIL PROTECTED] wrote:
Re: Apache rampart without encryption - nullpointerException
Hi Nandana,

This is the complete error stack; underneath is the policy xml file.

    Exception in thread "main" org.apache.axis2.AxisFault: Error in creating an encrypted key
        at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:70)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:292)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:212)
        at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:377)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:374)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
        at be.***.***.***.v1.ServiceStub.consultPerson(Unknown Source)
        at org.***.***.TestClient.consultPerson(TestClient.java:82)
        at org.***.***.TestClient.main(TestClient.java:36)
    Caused by: org.apache.rampart.RampartException: Error in creating an encrypted key
        at org.apache.rampart.builder.BindingBuilder.getEncryptedKeyBuilder(BindingBuilder.java:219)
        at org.apache.rampart.builder.SymmetricBindingBuilder.setupEncryptedKey(SymmetricBindingBuilder.java:562)
        at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:351)
        at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:80)
        at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:128)
        at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:64)
        ... 9 more
    Caused by: org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data; nested exception is:
        java.security.InvalidKeyException: Wrong key usage
        at org.apache.ws.security.message.WSSecEncryptedKey.prepareInternal(WSSecEncryptedKey.java:193)
        at org.apache.ws.security.message.WSSecEncryptedKey.prepare(WSSecEncryptedKey.java:167)
        at org.apache.rampart.builder.BindingBuilder.getEncryptedKeyBuilder(BindingBuilder.java:215)
        ... 14 more
    Caused by: java.security.InvalidKeyException: Wrong key usage
        at javax.crypto.Cipher.init(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)
        at org.apache.ws.security.message.WSSecEncryptedKey.prepareInternal(WSSecEncryptedKey.java:191)
        ... 16 more

This is the policy I'm using right now. This probably isn't the final policy I need, but as I said in the beginning, I'm still on the learning curve concerning this.

    <wsp:Policy wsu:Id="SecConvPolicy2"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:ProtectionToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:RequireDerivedKeys/>
                      <sp:RequireThumbprintReference/>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:ProtectionToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic128Rsa15/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:SignedParts>
                <sp:Body/>
              </sp:SignedParts>
              <sp:EncryptedParts>
              </sp:EncryptedParts>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Lax/>
                </wsp:Policy>
              </sp:Layout>
            </wsp:Policy>
          </sp:SymmetricBinding>
          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:user></ramp:user>
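The `Wrong key usage` at the bottom of the trace above comes from the JDK, not from Rampart: `Cipher.init(opmode, Certificate)` refuses an X.509 certificate whose KeyUsage extension is marked critical and does not permit the requested operation, and WSS4J's `WSSecEncryptedKey.prepareInternal` (the frame just above it) initialises the RSA cipher in ENCRYPT_MODE, for which the JDK requires the dataEncipherment bit. Many CA-issued certificates assert only digitalSignature and keyEncipherment, so they fail in exactly this way. The following Java program is an added example written for this page, not Rampart or WSS4J code: it loads the keystore and alias that the RampartConfig's encryption crypto and encryption user would point at (path, keystore type, alias and password come from the command line; the class name and the `problems` method are mine) and reports whether the certificate would pass that check. As Nandana's reply at the top of the thread says, this entry only needs the web service's public certificate, so the program reports whether a private key is present but does not require one.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Checks whether the certificate behind Rampart's encryption crypto can be used to wrap the
 * symmetric-binding EncryptedKey (added example, not Rampart/WSS4J code).
 */
public class EncryptionCryptoCheck {
    // Bit positions in X509Certificate.getKeyUsage() (RFC 5280 KeyUsage).
    static final int DIGITAL_SIGNATURE = 0;
    static final int KEY_ENCIPHERMENT = 2;
    static final int DATA_ENCIPHERMENT = 3;
    static final String KEY_USAGE_OID = "2.5.29.15";

    /** Problems found; an empty list means Cipher.init(ENCRYPT_MODE, cert) will accept the certificate. */
    static List<String> problems(X509Certificate cert) {
        List<String> out = new ArrayList<>();
        try {
            cert.checkValidity();
        } catch (Exception e) {
            out.add("certificate not currently valid: " + e.getMessage());
        }
        boolean[] ku = cert.getKeyUsage();   // null when the extension is absent
        boolean critical = cert.getCriticalExtensionOIDs() != null
                && cert.getCriticalExtensionOIDs().contains(KEY_USAGE_OID);
        if (ku == null || !critical) {
            // The JDK only enforces KeyUsage in Cipher.init(opmode, Certificate) when the extension is critical.
            return out;
        }
        if (ku.length > DATA_ENCIPHERMENT && !ku[DATA_ENCIPHERMENT]) {
            out.add("critical KeyUsage lacks dataEncipherment: Cipher.init(ENCRYPT_MODE, cert), as called by"
                    + " WSSecEncryptedKey.prepareInternal, throws InvalidKeyException: Wrong key usage");
        }
        if (ku.length > KEY_ENCIPHERMENT && !ku[KEY_ENCIPHERMENT]) {
            out.add("critical KeyUsage lacks keyEncipherment: Cipher.init(WRAP_MODE, cert) would be refused too");
        }
        if (ku.length > DIGITAL_SIGNATURE && !ku[DIGITAL_SIGNATURE]) {
            out.add("critical KeyUsage lacks digitalSignature (matters only if this key also signs)");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: EncryptionCryptoCheck <keystore> <JKS|PKCS12> <encryption user alias> [password]");
            System.exit(2);
        }
        char[] password = args.length > 3 ? args[3].toCharArray() : null;
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        // The encryption crypto only needs the service's public certificate, so a trusted-certificate
        // entry without a private key is enough here.
        Certificate c = ks.getCertificate(args[2]);
        if (!(c instanceof X509Certificate)) {
            System.out.println("no X.509 certificate under alias '" + args[2]
                    + "' (Rampart would fail while building the EncryptedKey)");
            System.exit(1);
        }
        X509Certificate cert = (X509Certificate) c;
        System.out.println("subject: " + cert.getSubjectX500Principal());
        System.out.println("private key present: " + ks.isKeyEntry(args[2]) + " (not needed for the encryption crypto)");
        List<String> problems = problems(cert);
        if (problems.isEmpty()) {
            System.out.println("OK: this certificate can wrap the symmetric-binding EncryptedKey");
        } else {
            for (String p : problems) System.out.println("PROBLEM: " + p);
            System.exit(1);
        }
    }
}
```

Run it as `java EncryptionCryptoCheck client.jks JKS service-cert changeit` (file name, alias and password here are placeholders); a non-zero exit means the encrypted-key step would fail before any message leaves the client, which is cheaper to diagnose than the nested AxisFault above.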
Apache rampart without encryption - nullpointerException
Hi,

I'm sort of a webservices newbie and I have to build a WS-client to consume some webservices the government provided for our company. These webservices have ws-security enabled, so I'm building the client using apache axis with the rampart module (I'm using version 1.3). The webservices require me to only Sign the message, and not do any encryption. So I try to build a policy file with a SignatureToken without an EncryptionToken. This is the snippet from my policy xml file:

    <sp:SignatureToken>
      <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <sp:RequireDerivedKeys/>
            <sp:RequireThumbprintReference/>
            <sp:WssX509V3Token10/>
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:SignatureToken>

I attached a keystore through the rampart config part of the policy.xml. When I try to run the client, it gives me the following exception:

    Exception in thread "main" java.lang.NullPointerException
        at org.apache.rampart.policy.RampartPolicyBuilder.symmetricBinding(RampartPolicyBuilder.java:288)
        at org.apache.rampart.policy.RampartPolicyBuilder.processSymmetricPolicyBinding(RampartPolicyBuilder.java:158)

The code where this goes wrong is here:

    private static void symmetricBinding(SymmetricBinding binding, RampartPolicyData rpd)
            throws WSSPolicyException {
        Assertion token = binding.getProtectionToken();
        if (token != null) {
            rpd.setProtectionToken(((ProtectionToken) token).getProtectionToken());
        } else {
            token = binding.getEncryptionToken();
            Assertion token1 = binding.getSignatureToken();
            // '&&' is assumed here; the list archive dropped the operator
            if (token == null && token1 == null) {
                // this is an error - throw something
            }
            // With only a SignatureToken in the policy, token (the encryption token) is null,
            // so this cast is where the NullPointerException at line 288 comes from.
            rpd.setEncryptionToken(((EncryptionToken) token).getEncryptionToken());
            rpd.setSignatureToken(((SignatureToken) token).getSignatureToken());
        }
    }

So, this is something I don't get: I only add a signatureToken and still rampart tries to add an encryptionToken?! It looks like it is impossible to add a signature without an encryptionToken. Am I missing something here or is this a bug in Rampart?

Any help or advice will be very much appreciated!

tnx
Thomas

-- View this message in context: http://www.nabble.com/Apache-rampart-without-encryption--%3E-nullpointerException-tp15408083p15408083.html
Re: Apache rampart without encryption - nullpointerException
Hi, tnx for that quick reply. I'm gonna create the JIRA issue.

I'm a bit stuck with the protectionToken. It does work, but if I use this, rampart automatically tries to load an encryption key. The key I received from the certificate authority doesn't allow use for encryption; I get a java.security.InvalidKeyException: Wrong key usage exception. I don't think the government will give us another certificate that does allow encryption. So, is there a possibility to use a protectionToken without automatically loading an encryption key?

thanks in advance!

cheers
thomas