I fixed my problem; it was twofold:

1. I hadn't yet imported the server's key into the client keystore.
2. I didn't see the WS-Security headers in SOAPMonitor because the output phase was at the beginning instead of the end.
Thanks
Marc

---------- Forwarded message ----------
From: Marc Boorshtein <mboorsht...@gmail.com>
Date: Sat, Feb 28, 2009 at 10:28 AM
Subject: Axis2 response not signed
To: rampart-...@ws.apache.org

All,

I'm trying to create a service that uses Rampart to sign both the request and the response. The request works great, but the response is not signed. Here's my service config:

<?xml version="1.0" encoding="UTF-8"?>
<service>
  <module ref="rampart" />
  <parameter name="ServiceClass" locked="false">tutorial.rampart.service.SecureService</parameter>
  <operation name="add">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </operation>
  <wsp:Policy wsu:Id="SigOnly"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:WssX509V3Token10/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>
            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                  <wsp:Policy>
                    <sp:WssX509V3Token10/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDesRsa15/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
            <sp:OnlySignEntireHeadersAndBody/>
          </wsp:Policy>
        </sp:AsymmetricBinding>
        <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier/>
            <sp:MustSupportRefIssuerSerial/>
          </wsp:Policy>
        </sp:Wss10>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body/>
        </sp:SignedParts>
        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
          <ramp:user>server-cert</ramp:user>
          <ramp:encryptionUser>client-cert</ramp:encryptionUser>
          <ramp:passwordCallbackClass>tutorial.rampart.service.PWCBHandlerCert</ramp:passwordCallbackClass>
          <ramp:signatureCrypto>
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.file">/home/mlb/apps/apache-tomcat-6.0.18/webapps/axis2/WEB-INF/keystores/server-certs.jks</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">secret</ramp:property>
            </ramp:crypto>
          </ramp:signatureCrypto>
        </ramp:RampartConfig>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
</service>

Here's the request:

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-6503761">
        <wsu:Created>2009-02-28T15:20:15.894Z</wsu:Created>
        <wsu:Expires>2009-02-28T15:25:15.894Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="CertId-1444955">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</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-9411122">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#Id-11875256">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>IvAEAuiXrdVReHMVFEQvF5wcwK4=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Timestamp-6503761">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>hDSdKC4JpqLlNp4a6D24WrsAelU=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          MYiZUVZjuHCpPjaI4h1qIyX2eLg5LlMD1D3qIkdfkWbgi4G4xaS+bHzERt8IBmPTO3a1FO003KyF
          hrLq2spW6RvOCoBkb8x/JPuRjczOhJhE0u8IHRgqUSNHAWTIacTQy2UUO+Eg29QIzEl7CJ+aKW39
          1G5KuT3CW5NloYejcuE=
        </ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-14837200">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-22552192">
            <wsse:Reference URI="#CertId-1444955" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-11875256">
    <ns1:add xmlns:ns1="http://service.rampart.tutorial">
      <ns1:param0>3</ns1:param0>
      <ns1:param1>4</ns1:param1>
    </ns1:add>
  </soapenv:Body>
</soapenv:Envelope>

Here's the response:

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
  <soapenv:Body>
    <ns:addResponse xmlns:ns="http://service.rampart.tutorial">
      <ns:return>7</ns:return>
    </ns:addResponse>
  </soapenv:Body>
</soapenv:Envelope>

I tried comparing my policy to sample02; it checks out. I'm guessing I'm missing something simple?

Thanks
Marc
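The symptom in the thread above (a signed request, a response with no wsse:Security header at all) is easy to check structurally before digging into Rampart phases or keystores. The following Python script is an added example, not code from the thread or from Apache Rampart: it walks a SOAP 1.2 envelope, collects every ds:Reference inside the wsse:Security header, resolves each URI against the wsu:Id attributes in the document, and reports whether the Body and the Timestamp are actually among the signed parts. It only reads what the signature claims to cover; it does not verify the signature value or the certificate, which remains Rampart's job. The sample envelopes, the ids (Id-1, Id-2, Timestamp-1), the base64 filler and the Wrapper element are constructed for the example and shaped like the messages in the post.

```python
"""Report which parts of a SOAP 1.2 message a WS-Security signature covers.

Added example (not from the rampart-dev thread or from Rampart). Structural
check only: it resolves ds:Reference URIs to wsu:Id attributes and says what
is covered. It does not validate the signature bytes or the certificate.
"""
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU_ID = "{%s}Id" % WSU


def signature_coverage(envelope_xml):
    """Return a dict describing what the wsse:Security signature(s) cover."""
    root = ET.fromstring(envelope_xml)
    header = root.find("{%s}Header" % SOAP12)
    body = root.find("{%s}Body" % SOAP12)
    if body is None:
        raise ValueError("no soapenv:Body in envelope")

    # Index every wsu:Id in the whole document and refuse duplicates: two
    # elements sharing an id is the classic XML signature-wrapping shape, where
    # a signed copy is parked elsewhere and an unsigned copy takes its id.
    ids = {}
    for el in root.iter():
        wid = el.get(WSU_ID)
        if wid is None:
            continue
        if wid in ids:
            raise ValueError("duplicate wsu:Id %r" % wid)
        ids[wid] = el

    result = {"security_header": False, "signed_ids": [],
              "body_signed": False, "timestamp_signed": False}
    if header is None:
        return result
    security = header.find("{%s}Security" % WSSE)
    if security is None:
        return result
    result["security_header"] = True

    for sig in security.findall("{%s}Signature" % DS):
        for ref in sig.iter("{%s}Reference" % DS):
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                continue  # external or whole-document references are out of scope here
            target = ids.get(uri[1:])
            if target is None:
                raise ValueError("signature references missing wsu:Id %r" % uri)
            result["signed_ids"].append(uri[1:])
            # Identity check: the reference must resolve to the real Body, not
            # to a same-id element that was moved into the header.
            if target is body:
                result["body_signed"] = True
            if target.tag == "{%s}Timestamp" % WSU:
                result["timestamp_signed"] = True
    return result


# Constructed sample envelopes (not the thread's messages): same layout as
# the request in the post, with a placeholder SignatureValue.
ENVELOPE_TEMPLATE = """<soapenv:Envelope xmlns:soapenv="%(soap)s">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="%(wsse)s" soapenv:mustUnderstand="true">
      <wsu:Timestamp xmlns:wsu="%(wsu)s" wsu:Id="Timestamp-1">
        <wsu:Created>2009-02-28T15:20:15Z</wsu:Created>
        <wsu:Expires>2009-02-28T15:25:15Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature xmlns:ds="%(ds)s">
        <ds:SignedInfo>
          <ds:Reference URI="#Id-1"/>
          <ds:Reference URI="#Timestamp-1"/>
        </ds:SignedInfo>
        <ds:SignatureValue>c2lnbmF0dXJlLWJ5dGVzLW9taXR0ZWQ=</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>%(extra_header)s
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="%(wsu)s" wsu:Id="%(body_id)s">
    <ns1:add xmlns:ns1="http://service.rampart.tutorial"><ns1:param0>3</ns1:param0><ns1:param1>4</ns1:param1></ns1:add>
  </soapenv:Body>
</soapenv:Envelope>
"""


def build_envelope(body_id="Id-1", extra_header=""):
    return ENVELOPE_TEMPLATE % {"soap": SOAP12, "wsse": WSSE, "wsu": WSU, "ds": DS,
                                "body_id": body_id, "extra_header": extra_header}


SIGNED_REQUEST = build_envelope()
# Wrapping shape: the element the signature points at now lives under a
# hypothetical Wrapper in the header, and the real Body carries a new id.
WRAPPED_REQUEST = build_envelope(
    body_id="Id-2",
    extra_header='<Wrapper><soapenv:Body xmlns:wsu="%s" wsu:Id="Id-1"/></Wrapper>' % WSU)
# Unsigned response, as seen in the thread: no Header, no wsse:Security.
UNSIGNED_RESPONSE = """<soapenv:Envelope xmlns:soapenv="%s">
  <soapenv:Body>
    <ns:addResponse xmlns:ns="http://service.rampart.tutorial"><ns:return>7</ns:return></ns:addResponse>
  </soapenv:Body>
</soapenv:Envelope>
""" % SOAP12

if __name__ == "__main__":
    for name, msg in [("request", SIGNED_REQUEST), ("response", UNSIGNED_RESPONSE),
                      ("wrapped", WRAPPED_REQUEST)]:
        print(name, signature_coverage(msg))
```

Running it over a real SOAPMonitor capture instead of the constructed samples is a one-line change (`signature_coverage(open(path).read())`); if the response comes back with `security_header: False`, the problem is on the sending side (module engagement, phase order, or the response not going through Rampart at all), not in signature verification on the client.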