Re: Rampart Username and signed certificate
I finally figured it out. I needed to use TransportBinding with an Endorsing Supporting token of an X509 certificate and a SignedSupportingToken of the username. I didn't realize that it didn't need Asymmetric binding.

RonnieMJ wrote:

Ok, the vendor has gotten back to me indicating that they don't see the password. Funny, I don't quite see it either. I've tried setting passwordType, but it doesn't seem to do it (although it's deprecated on 1.4, which I'm using). I do see this in my own logs:

    2008-10-08 14:09:47,014 [Timer-0 ] DEBUG EnvelopeIdResolver - enter engineResolve, look for: #UsernameToken-30587319
    2008-10-08 14:09:47,015 [Timer-0 ] DEBUG StAXUtils - XMLStreamWriter is com.sun.xml.internal.stream.writers.XMLStreamWriterImpl
    2008-10-08 14:09:47,019 [Timer-0 ] DEBUG EnvelopeIdResolver - exit engineResolve, result: XMLSignatureInput/Element/<wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-30587319"><wsse:Username>userNameWasHere</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">passwordWasHere</wsse:Password></wsse:UsernameToken> exclude null comments:false/null
    2008-10-08 14:09:47,020 [Timer-0 ] DEBUG ElementProxy - setElement(ds:Transform, null)

But I don't see anything like that in the message. Is the username encrypted (guessing)? If the DigestValue is the username:

    <ds:Reference URI="#UsernameToken-30587319">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>T2XSh+9LCbwfDzbPzw=</ds:DigestValue>
    </ds:Reference>

I don't see the password...

RonnieMJ wrote:

It worked with SignedSupportingTokens or just SupportingTokens? Mine works fine with SignedSupportingTokens; our end service just won't take it.

Mary Thompson wrote:

Nandana, your example works correctly in my Tomcat/Axis environment. Now I just have to figure out why mine doesn't. Maybe there is something missing in our service skeleton class.

Mary

Nandana Mihindukulasooriya wrote:

Hi,

> I've tried it with SignedSupportingTokens (or even just SupportingTokens) below the binding (as a top level) a few times. It ends up making the token still embedded and encrypted (not a plain old Username token).

Yes, when a username token is used as a supporting token with a symmetric binding or an asymmetric binding it is encrypted due to security considerations. You can't control this using policy. If we want to control this we might need to introduce a custom flag into the Rampart configuration.

> Using just SupportingTokens (without the Signed) removes it entirely.

This should be a bug if it removes it completely. Please create a JIRA for this under Apache Rampart [1].

> Here's my most recent message:

Was this most recent message a successful one? In that message, it seems the Username Token is encrypted.

thanks,
nandana

[1] - http://issues.apache.org/jira/browse/Rampart

On Tue, Oct 7, 2008 at 9:34 AM, keith chapman wrote:

On Tue, Oct 7, 2008 at 8:50 AM, Samisa Abeysinghe wrote:

Nandana Mihindukulasooriya wrote:

> Hi Ronnie, please change the policy as given below.

But should not this policy come from the service?

Ideally yes. ;) I just assumed that the service doesn't have a policy and the security requirements are published out of band.

> I know that I need to send both a usernameToken and sign the header with a certificate. I'm fairly sure I've just got the policy file slightly off. Any suggestions?

But if the WSDL publishes the security requirements via policy, there is no need for us to manually create policies and attach them. If you are using the Axis2 code generator, it will do this for you. Please take a look at this tutorial [1].

thanks,
nandana

[1] - http://wso2.org/library/3415

Samisa...
Re: Rampart Username and signed certificate
Nandana, your example works correctly in my Tomcat/Axis environment. Now I just have to figure out why mine doesn't. Maybe there is something missing in our service skeleton class.

Mary
Re: Rampart Username and signed certificate
Nandana, I don't think I processed your message fully last night. You're saying that it shouldn't matter if you say SignedSupportingTokens or SupportingTokens if we're using symmetric or asymmetric binding, because it SHOULD encrypt both? That would mean that I don't really have the capability to create the attached header (which is my goal)?

Attachment: exampleHeader.xml (http://www.nabble.com/file/p19879853/exampleHeader.xml)
Re: Rampart Username and signed certificate
It worked with SignedSupportingTokens or just SupportingTokens? Mine works fine with SignedSupportingTokens; our end service just won't take it.

Mary Thompson wrote:

Nandana, your example works correctly in my Tomcat/Axis environment. Now I just have to figure out why mine doesn't. Maybe there is something missing in our service skeleton class.

Mary
Re: Rampart Username and signed certificate
Ok, the vendor has gotten back to me indicating that they don't see the password. Funny, I don't quite see it either. I've tried setting passwordType, but it doesn't seem to do it (although it's deprecated on 1.4, which I'm using). I do see this in my own logs:

    2008-10-08 14:09:47,014 [Timer-0 ] DEBUG EnvelopeIdResolver - enter engineResolve, look for: #UsernameToken-30587319
    2008-10-08 14:09:47,015 [Timer-0 ] DEBUG StAXUtils - XMLStreamWriter is com.sun.xml.internal.stream.writers.XMLStreamWriterImpl
    2008-10-08 14:09:47,019 [Timer-0 ] DEBUG EnvelopeIdResolver - exit engineResolve, result: XMLSignatureInput/Element/<wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-30587319"><wsse:Username>userNameWasHere</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">passwordWasHere</wsse:Password></wsse:UsernameToken> exclude null comments:false/null
    2008-10-08 14:09:47,020 [Timer-0 ] DEBUG ElementProxy - setElement(ds:Transform, null)

But I don't see anything like that in the message. Is the username encrypted (guessing)? If the DigestValue is the username:

    <ds:Reference URI="#UsernameToken-30587319">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>T2XSh+9LCbwfDzbPzw=</ds:DigestValue>
    </ds:Reference>

I don't see the password...

RonnieMJ wrote:

It worked with SignedSupportingTokens or just SupportingTokens? Mine works fine with SignedSupportingTokens; our end service just won't take it.
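The log above shows the signer being handed a plaintext wsse:UsernameToken (password included), while the outgoing message carries only a ds:Reference digest of it. The following checker is an added example, not code from this thread or from Rampart: it reads a captured SOAP envelope and classifies the UsernameToken into the three outcomes the thread describes (plaintext and signed, signed then encrypted in place, or absent). The two envelopes are constructed samples, and every digest and cipher value in them is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespaces exactly as they appear in the messages in this thread.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def _wsu_ids(root):
    """Every wsu:Id present anywhere in the envelope (header tokens and the signed body)."""
    return {e.get(f"{{{WSU}}}Id") for e in root.iter() if e.get(f"{{{WSU}}}Id")}


def classify_username_token(envelope_xml):
    """Report how the UsernameToken left the client.

    "state" is "plaintext" (the receiver can read it), "encrypted" (it was signed,
    then replaced by xenc:EncryptedData, so only its digest is visible) or "absent".
    """
    root = ET.fromstring(envelope_xml)
    sec = root.find(f".//{{{WSSE}}}Security")
    if sec is None:
        return {"state": "absent", "reason": "no wsse:Security header"}

    # ds:Reference only occurs inside ds:SignedInfo, so these URIs are what was signed.
    signed_ids = {r.get("URI", "").lstrip("#") for r in sec.iter(f"{{{DS}}}Reference")}

    token = sec.find(f"{{{WSSE}}}UsernameToken")
    if token is not None:
        token_id = token.get(f"{{{WSU}}}Id")
        password = token.find(f"{{{WSSE}}}Password")
        return {
            "state": "plaintext",
            "id": token_id,
            "username": token.findtext(f"{{{WSSE}}}Username"),
            "password_present": password is not None,
            "password_type": None if password is None else password.get("Type"),
            "signed": token_id in signed_ids,
        }

    # No readable token. A token that was signed and then encrypted in place leaves
    # a signature reference to a wsu:Id that no longer exists in the envelope, next
    # to an xenc:EncryptedData block that took its place.
    dangling = sorted(signed_ids - _wsu_ids(root))
    encrypted_blocks = len(list(sec.iter(f"{{{XENC}}}EncryptedData")))
    if dangling and encrypted_blocks:
        return {"state": "encrypted", "id": dangling[0], "signed": True,
                "encrypted_data_blocks": encrypted_blocks}
    return {"state": "absent", "reason": "no UsernameToken and no signature reference to one"}


# Constructed sample of what the vendor asked for: a plaintext token covered by the
# signature. Digest values are placeholders, not real digests.
SIGNED_PLAINTEXT = f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>userNameWasHere</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">passwordWasHere</wsse:Password>
      </wsse:UsernameToken>
      <ds:Signature><ds:SignedInfo>
        <ds:Reference URI="#UsernameToken-1"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
        <ds:Reference URI="#Id-1"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
      </ds:SignedInfo></ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="{WSU}" wsu:Id="Id-1"/>
</soapenv:Envelope>"""

# Constructed sample modelled on Nandana's explanation: the supporting token was signed
# (the signature still points at #UsernameToken-1) and then encrypted in place.
SIGNED_THEN_ENCRYPTED = f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}" xmlns:xenc="{XENC}">
      <xenc:EncryptedKey>
        <xenc:ReferenceList><xenc:DataReference URI="#EncDataId-1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
      <xenc:EncryptedData wsu:Id="EncDataId-1">
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER=</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
      <ds:Signature><ds:SignedInfo>
        <ds:Reference URI="#UsernameToken-1"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
        <ds:Reference URI="#Id-1"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
      </ds:SignedInfo></ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="{WSU}" wsu:Id="Id-1"/>
</soapenv:Envelope>"""
```

Run classify_username_token on a captured envelope (for instance the one saved from Rampart's debug logging) to see whether the receiver will find a readable token, only its digest, or nothing.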
Re: Rampart Username and signed certificate
    =</ds:DigestValue>
        </ds:Reference>
        <ds:Reference URI="#UsernameToken-27184512">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>NyG+Wk5lnuvnO23ZYsfWeJFZWCY=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>ZJj1RorLDpEmZ8CHi8xaAuyt3XEo16ZZmUkylPJS4rWA71WpFPenuzfr+KfIFTW0Nlnwlo3lQh31pzYDi4ydyVXJAt24c6s=</ds:SignatureValue>
      <ds:KeyInfo Id="KeyId-25849454">
        <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-3841429">
          <wsse:Reference URI="#CertId-18314596" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>
    </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-4519815">
    </soapenv:Body>
    </soapenv:Envelope>
Re: Rampart Username and signed certificate
Hi,

> I've tried it with SignedSupportingTokens (or even just SupportingTokens) below the binding (as a top level) a few times. It ends up making the token still embedded and encrypted (not a plain old Username token).

Yes, when a username token is used as a supporting token with a symmetric binding or an asymmetric binding it is encrypted due to security considerations. You can't control this using policy. If we want to control this we might need to introduce a custom flag into the Rampart configuration.

> Using just SupportingTokens (without the Signed) removes it entirely.

This should be a bug if it removes it completely. Please create a JIRA for this under Apache Rampart [1].

> Here's my most recent message:

Was this most recent message a successful one? In that message, it seems the Username Token is encrypted.

thanks,
nandana

[1] - http://issues.apache.org/jira/browse/Rampart

--
Nandana Mihindukulasooriya
WSO2 inc.
http://nandana83.blogspot.com/
http://www.wso2.org
Re: Rampart Username and signed certificate
Thanks Nandana,

No, the most recent message wasn't accepted (ASSUMEDLY due to the username token being encrypted). I'll check with the other side (other company) to see if they have more detail as to why it wasn't accepted.
Rampart Username and signed certificate
        <ds:Signature>
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference>
              <ds:Transforms>
                <ds:Transform/>
              </ds:Transforms>
              <ds:DigestMethod/>
              <ds:DigestValue></ds:DigestValue>
            </ds:Reference>
            <ds:Reference>
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue></ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue></ds:SignatureValue>
          <ds:KeyInfo>
            <wsse:SecurityTokenReference>
              <wsse:Reference/>
            </wsse:SecurityTokenReference>
          </ds:KeyInfo>
        </ds:Signature>
      </wsse:Security>
    </SOAP-ENV:Header>

I'm fairly sure I've just got the policy file slightly off. Any suggestions? Thanks for any reply.
Re: Rampart Username and signed certificate
What is the exception that you get?

Samisa...

RonnieMJ wrote:

I'm pretty new to WS, and especially the security piece, but I'm using rampart 1.4 with policy files to try to function as a client to an existing (external to my company) web service. I know that I need to send both a usernameToken and sign the header with a certificate. I've been able to do EITHER, but so far haven't been able to do both. I've tried it about 20 different ways, but my most recent attempt is:

    <wsp:Policy wsu:Id="SigAndUName"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:All>
        <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:WssX509V3Token10/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>
            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                  <wsp:Policy>
                    <sp:WssX509V3Token10/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic128Rsa15/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax/>
              </wsp:Policy>
            </sp:Layout>
            <sp:OnlySignEntireHeadersAndBody/>
            <sp:SupportingTokens>
              <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
              </wsp:Policy>
            </sp:SupportingTokens>
          </wsp:Policy>
        </sp:AsymmetricBinding>
        <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier/>
            <sp:MustSupportRefIssuerSerial/>
          </wsp:Policy>
        </sp:Wss10>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body/>
        </sp:SignedParts>
        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
          <ramp:user>user</ramp:user>
          <ramp:encryptionUser>user</ramp:encryptionUser>
          <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
          <ramp:signatureCrypto>
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
            </ramp:crypto>
          </ramp:signatureCrypto>
        </ramp:RampartConfig>
      </wsp:All>
    </wsp:Policy>

I expect the final header output to be something like:

    <SOAP-ENV:Header>
      <wsse:Security>
        <wsse:UsernameToken>
          <wsse:Username>XXX</wsse:Username>
        </wsse:UsernameToken>
RE: Rampart Username and signed certificate
Take a look at the Rampart configuration parameters available at http://ws.apache.org/rampart/rampartconfig-guide.html. Specifically these 2 attributes need to be specified:

    user           The user's name         Set username of UsernameToken to be used    <user>bob</user>
    userCertAlias  The user's cert alias   Set alias of the key to be used to sign     <userCertAlias>bob</userCertAlias>

Then create the Java keystores:

* If your JDK version is 1.3 or prior, download and install JSSE 1.0.2 or later, and put the JAR files into $JAVA_HOME/jre/lib/ext.
* Execute:

    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA    (Windows)
    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA     (Unix)

  with a password value of changeit for both the certificate and the keystore itself.

    keytool -certreq [-v] [-protected] [-alias alias] [-sigalg sigalg] [-file csr_file] [-keypass keypass] [-keystore keystore] [-storepass storepass] [-storetype storetype] [-providerName name] [-providerClass provider_class_name [-providerArg arg]] ...

(you'll want to specify the csr_file)

This is a sample receiver defined in axis2.xml; notice the keystore filename and the keypassword which you specified above:

    <parameter name="keystore" locked="false">
      <KeyStore>
        <Location>identity.jks</Location>
        <Type>JKS</Type>
        <Password>password</Password>
        <KeyPassword>password</KeyPassword>
      </KeyStore>
    </parameter>
    <parameter name="truststore" locked="false">
      <TrustStore>
        <Location>trust.jks</Location>
        <Type>JKS</Type>
        <Password>password</Password>
      </TrustStore>
    </parameter>

HTH
Martin

Date: Tue, 7 Oct 2008 06:48:56 +0530
From: [EMAIL PROTECTED]
To: axis-user@ws.apache.org
Subject: Re: Rampart Username and signed certificate

What is the exception that you get?

Samisa...
Re: Rampart Username and signed certificate
the final header output to be something like:

    <SOAP-ENV:Header>
      <wsse:Security>
        <wsse:UsernameToken>
          <wsse:Username>XXX</wsse:Username>
        </wsse:UsernameToken>
        <wsse:BinarySecurityToken>binaryTokenHere</wsse:BinarySecurityToken>
        <ds:Signature>
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference>
              <ds:Transforms>
                <ds:Transform/>
              </ds:Transforms>
              <ds:DigestMethod/>
              <ds:DigestValue></ds:DigestValue>
            </ds:Reference>
            <ds:Reference>
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue></ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue></ds:SignatureValue>
          <ds:KeyInfo>
            <wsse:SecurityTokenReference>
              <wsse:Reference/>
            </wsse:SecurityTokenReference>
          </ds:KeyInfo>
        </ds:Signature>
      </wsse:Security>
    </SOAP-ENV:Header>

I'm fairly sure I've just got the policy file slightly off. Any suggestions? Thanks for any reply.

--
Samisa Abeysinghe
http://people.apache.org/~samisa/
Re: Rampart Username and signed certificate
1. What is your server side?
2. Did you author this policy, or did you get it from the service?
3. What is the fault that you get?

Thanks,
Samisa...

RonnieMJ wrote:
I don't actually get an exception (well, I do get a SOAP fault for not having all of the right headers from their server). The message usually gets sent out simply without the username token. If I DO get the username token to go, it's as a SignedSupportingToken (which is not what they want).

Samisa Abeysinghe-2 wrote:
What is the exception that you get?
Samisa...

RonnieMJ wrote:
I'm pretty new to WS, and especially the security piece, but I'm using Rampart 1.4 with policy files to try to function as a client to an existing (external to my company) web service. I know that I need to send both a usernameToken and sign the header with a certificate. I've been able to do EITHER, but so far haven't been able to do both. I've tried it about 20 different ways, but my most recent attempt is:

<wsp:Policy wsu:Id="SigAndUName"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:All>
    <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:InitiatorToken>
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssX509V3Token10/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:InitiatorToken>
        <sp:RecipientToken>
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
              <wsp:Policy>
                <sp:WssX509V3Token10/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:RecipientToken>
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic128Rsa15/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
          <wsp:Policy>
            <sp:Lax/>
          </wsp:Policy>
        </sp:Layout>
        <sp:OnlySignEntireHeadersAndBody/>
        <sp:SupportingTokens>
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
          </wsp:Policy>
        </sp:SupportingTokens>
      </wsp:Policy>
    </sp:AsymmetricBinding>
    <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:MustSupportRefKeyIdentifier/>
        <sp:MustSupportRefIssuerSerial/>
      </wsp:Policy>
    </sp:Wss10>
    <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <sp:Body/>
    </sp:SignedParts>
    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
      <ramp:user>user</ramp:user>
      <ramp:encryptionUser>user</ramp:encryptionUser>
      <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
      <ramp:signatureCrypto>
        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
          <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
          <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
          <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
          <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
        </ramp:crypto>
      </ramp:signatureCrypto>
    </ramp:RampartConfig>
  </wsp:All>
</wsp:Policy>

I expect the final header output to be something like:

<SOAP-ENV:Header>
  <wsse:Security>
    <wsse:UsernameToken>
      <wsse:Username>XXX</wsse:Username>
    </wsse:UsernameToken>
    <wsse:BinarySecurityToken>binaryTokenHere</wsse:BinarySecurityToken>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference>
          <ds:Transforms>
            <ds:Transform/>
          </ds:Transforms>
          <ds:DigestMethod/>
          <ds:DigestValue></ds:DigestValue>
        </ds:Reference>
        <ds:Reference>
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue></ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue></ds:SignatureValue>
      <ds:KeyInfo>
        <wsse:SecurityTokenReference>
          <wsse:Reference/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>
  </wsse:Security>
</SOAP-ENV:Header>

I'm fairly sure I've just got the policy file slightly off. Any suggestions? Thanks for any reply.
-- Nandana Mihindukulasooriya, WSO2 inc. http://nandana83.blogspot.com/ http://www.wso2.org
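The thread turns on three ways a UsernameToken can come out of Rampart: signed in the clear (SignedSupportingToken), dropped, or replaced by an encrypted blob. This added example, not from the thread or from Rampart, is a small stdlib-only Python check that classifies a captured wsse:Security header into those cases and flags a PasswordText token that is readable on the wire and therefore needs TLS underneath; the sample header, its wsu:Id values and the placeholder secrets are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces of the header shown in the thread (WS-Security 1.0, XML-DSig, XML-Enc).
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

def classify_username_token(security_xml):
    """Report how the wsse:UsernameToken appears in a wsse:Security header.
    signed:    a ds:Reference in ds:SignedInfo points at the token's wsu:Id, i.e. it
               went out as a SignedSupportingToken rather than a plain SupportingToken.
    encrypted: no plaintext token, but the header carries xenc:EncryptedData, which is
               where a supporting token that Rampart chose to encrypt ends up."""
    root = ET.fromstring(security_xml)
    token = root.find(".//wsse:UsernameToken", NS)
    if token is None:
        encrypted = root.find(".//xenc:EncryptedData", NS) is not None
        return {"present": False, "encrypted": encrypted, "signed": False, "password_type": None}
    token_id = token.get("{%s}Id" % NS["wsu"])
    signed_uris = {r.get("URI") for r in root.findall(".//ds:SignedInfo/ds:Reference", NS)}
    pwd = token.find("wsse:Password", NS)
    return {"present": True, "encrypted": False,
            "signed": token_id is not None and ("#" + token_id) in signed_uris,
            "password_type": pwd.get("Type") if pwd is not None else None}

def needs_transport_protection(report):
    """A plaintext token with a PasswordText password is only acceptable over TLS (a
    TransportBinding): nothing at the message layer hides the password."""
    return report["present"] and not report["encrypted"] and report["password_type"] == PASSWORD_TEXT

# Constructed sample: the header shape RonnieMJ says the service expects, with placeholder
# values; the signature's second Reference covers the UsernameToken by its wsu:Id.
SAMPLE_HEADER = """<wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <wsse:UsernameToken wsu:Id="UsernameToken-1">
    <wsse:Username>XXX</wsse:Username>
    <wsse:Password Type="%(pt)s">passwordPlaceholder</wsse:Password>
  </wsse:UsernameToken>
  <wsse:BinarySecurityToken wsu:Id="CertId-1">binaryTokenHere</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#Body-1"/><ds:Reference URI="#UsernameToken-1"/>
  </ds:SignedInfo><ds:SignatureValue>sigPlaceholder</ds:SignatureValue></ds:Signature>
</wsse:Security>""" % dict(NS, pt=PASSWORD_TEXT)
```

Run it against the wsse:Security element captured from your own outgoing message (for instance via a logging handler) to see which of the three cases Rampart actually produced for a given policy.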