RE: Timestamp error when invoking a Rampart service from a .NET client.
Hi Nandana, Jose,

You were right about the timeskew element! I finally got it to work and it appears the client machine was 8 mins faster than the service machine. Thanks once again for both your help.

Regards
Sanjay

From: Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED]
Sent: 24 July 2008 11:26
To: axis-user@ws.apache.org
Subject: Re: Timestamp error when invoking a Rampart service from a .NET client.

Hi Sanjay,

Indeed this seems to be a clock synchronization issue as pointed out by Jose. As it seems this fails when the Rampart validates the created element. As it seems created value contains a future time w.r.t the server machine. You can adjust a skew value to get over from that issue using the timestampMaxSkew [1] parameter in the Rampart Configuration.

Anyway, I hope the following timestamps you posted are not generated at the same time. It seems to have a huge difference.

SOAP Request from your .NET client

2008-07-23T14:55:04Z
2008-07-23T15:00:04Z

### Java ###

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; wsu:Id="Timestamp-1035988">
2008-07-24T08:59:27.952Z
2008-07-24T09:04:27.952Z

thanks,
nandana

Re: Timestamp error when invoking a Rampart service from a .NET client.
Hi Sanjay,

Indeed this seems to be a clock synchronization issue as pointed out by Jose. As it seems this fails when the Rampart validates the created element. As it seems created value contains a future time w.r.t the server machine. You can adjust a skew value to get over from that issue using the timestampMaxSkew [1] parameter in the Rampart Configuration.

Anyway, I hope the following timestamps you posted are not generated at the same time. It seems to have a huge difference.

SOAP Request from your .NET client

2008-07-23T14:55:04Z
2008-07-23T15:00:04Z

### Java ###

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; wsu:Id="Timestamp-1035988">
2008-07-24T08:59:27.952Z
2008-07-24T09:04:27.952Z

thanks,
nandana

[1] - http://ws.apache.org/rampart/rampartconfig-guide.html

On Thu, Jul 24, 2008 at 3:02 PM, Sanjay Vivek <[EMAIL PROTECTED]> wrote:
> Hi Nandana,
>
> I've looked at the Tomcat logs and I don't see any errors at all. I've
> looked at a few previous postings below and it appears that this issue was
> solved but unfortunately I've come across it again.
>
> Thanks
>
> Sanjay
>
> http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/200706.mbox/[EMAIL PROTECTED]
> http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/200706.mbox/[EMAIL PROTECTED]
> http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/200706.mbox/[EMAIL PROTECTED]
> http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/200706.mbox/[EMAIL PROTECTED]
>
> ----------
> *From:* Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED]
> *Sent:* 24 July 2008 10:17
> *To:* axis-user@ws.apache.org
> *Subject:* Re: Timestamp error when invoking a Rampart service from a .NET client.
>
> Hi,
> Can you post the server's stack trace?
>
> thanks,
> nandana

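Added example (not part of the original thread and not Rampart's own code): a simplified Python model of the check discussed above, in which a Created value from a client whose clock runs 8 minutes fast is rejected under a 300-second tolerance and accepted once the tolerance is raised. The function names, the max_skew_s parameter, the wsu:Id and the server clock value are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# wsu namespace as it appears in the messages posted in this thread.
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: the .NET client's Created/Expires values from the thread,
# wrapped in a wsu:Timestamp element with a made-up wsu:Id.
DOTNET_TS = (
    f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="Timestamp-sample">'
    "<wsu:Created>2008-07-23T14:55:04Z</wsu:Created>"
    "<wsu:Expires>2008-07-23T15:00:04Z</wsu:Expires>"
    "</wsu:Timestamp>"
)

def parse_utc(text):
    """Parse a UTC xsd:dateTime with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unsupported timestamp: {text!r}")

def check_timestamp(xml_text, server_now, max_skew_s=300):
    """Return (accepted, reason) for a wsu:Timestamp as seen by the server clock."""
    root = ET.fromstring(xml_text)
    created_el = root.find(f"{{{WSU}}}Created")
    expires_el = root.find(f"{{{WSU}}}Expires")
    if created_el is None or not created_el.text:
        return False, "no Created value"
    created = parse_utc(created_el.text)
    skew = timedelta(seconds=max_skew_s)
    # A sender whose clock runs fast produces a Created value in the server's future.
    if created > server_now + skew:
        ahead = int((created - server_now).total_seconds())
        return False, f"Created is {ahead}s ahead of server (tolerance {max_skew_s}s)"
    if expires_el is not None and expires_el.text:
        expires = parse_utc(expires_el.text)
        if expires <= created:
            return False, "Expires is not after Created"
        # Stale or replayed message: past Expires even allowing for skew.
        if server_now > expires + skew:
            return False, "timestamp expired"
    return True, "ok"

if __name__ == "__main__":
    # Assumed server clock: 8 minutes behind the client, as reported in the thread.
    now = parse_utc("2008-07-23T14:47:04Z")
    print(check_timestamp(DOTNET_TS, now, 300))
    print(check_timestamp(DOTNET_TS, now, 600))
```

Raising the tolerance also lengthens the period during which a captured message would still pass this check, so correcting the clocks is the tighter fix.
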
RE: Timestamp error when invoking a Rampart service from a .NET client.
Hi Jose,

The reason there's such a big time difference between the 2 timestamps is because the .NET client invoked the service yesterday while I invoked the service using a Java client today. I merely wanted to show the formatting of the 2 timestamps. I'm sorry if I misled you! The .NET developer isn't around today so I couldn't get him to invoke the service so I used yesterday's invocation as an example. Cheers.

Regards
Sanjay

From: José Ferreiro [mailto:[EMAIL PROTECTED]
Sent: 24 July 2008 10:30
To: axis-user@ws.apache.org
Subject: Re: Timestamp error when invoking a Rampart service from a .NET client.

Hello Sanjay,

Please observe the following:

SOAP Request from your .NET client

2008-07-23T14:55:04Z
2008-07-23T15:00:04Z

### Java ###

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; wsu:Id="Timestamp-1035988">
2008-07-24T08:59:27.952Z
2008-07-24T09:04:27.952Z

Please take a look at the clock synchronization between the two machines. By default this value should not have a difference bigger than 300 seconds (5 minutes) timetolive parameter in Axis (for sure) or Axis2 (I guess too) [1].

If you would like to change this default value in .NET proceed as follows in the configuration file.

MICROSOFT World: WSE 3.0 [2]

- Use the tags timeToleranceInSeconds and defaultTtlInSeconds in the app.config file of the web service in your project (illustration follows with the corresponding xml tags)

    <configuration>
      <microsoft.web.services3>
        <security>
          <timeToleranceInSeconds value="3600" />
          <defaultTtlInSeconds value="3600" />
        </security>
      </microsoft.web.services3>
    </configuration>

Maybe you may investigate in this direction because your SOAP message seems OK but it fails when verifying the timestamp.

Also in .NET the timestamp is always there by default. You cannot remove it. This is not the case with Java where you may specify if it is there or not.

Hope this helps.

[1] - http://wiki.apache.org/ws/FrontPage/WsFx/wss4jFAQ#time
[2] - http://msdn.microsoft.com/en-us/library/ms824668.aspx

--
José Ferreiro
EPFL Communication Systems engineer
ing.sys.com.dipl.EPFL

RE: Timestamp error when invoking a Rampart service from a .NET client.
Hi Nandana,

I've looked at the Tomcat logs and I don't see any errors at all. I've looked at a few previous postings below and it appears that this issue was solved but unfortunately I've come across it again.

Thanks
Sanjay

http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/200706.mbox/[EMAIL PROTECTED]
http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/200706.mbox/[EMAIL PROTECTED]
http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/200706.mbox/[EMAIL PROTECTED]
http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/200706.mbox/[EMAIL PROTECTED]

From: Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED]
Sent: 24 July 2008 10:17
To: axis-user@ws.apache.org
Subject: Re: Timestamp error when invoking a Rampart service from a .NET client.

Hi,
Can you post the server's stack trace?

thanks,
nandana

Re: Timestamp error when invoking a Rampart service from a .NET client.
Hello Sanjay,

Please observe the following:

SOAP Request from your .NET client

2008-07-23T14:55:04Z
2008-07-23T15:00:04Z

### Java ###

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; wsu:Id="Timestamp-1035988">
2008-07-24T08:59:27.952Z
2008-07-24T09:04:27.952Z

Please take a look at the clock synchronization between the two machines. By default this value should not have a difference bigger than 300 seconds (5 minutes) timetolive parameter in Axis (for sure) or Axis2 (I guess too) [1].

If you would like to change this default value in .NET proceed as follows in the configuration file.

MICROSOFT World: WSE 3.0 [2]

- Use the tags timeToleranceInSeconds and defaultTtlInSeconds in the app.config file of the web service in your project (illustration follows with the corresponding xml tags)

    <configuration>
      <microsoft.web.services3>
        <security>
          <timeToleranceInSeconds value="3600" />
          <defaultTtlInSeconds value="3600" />
        </security>
      </microsoft.web.services3>
    </configuration>

Maybe you may investigate in this direction because your SOAP message seems OK but it fails when verifying the timestamp.

Also in .NET the timestamp is always there by default. You cannot remove it. This is not the case with Java where you may specify if it is there or not.

Hope this helps.

[1] - http://wiki.apache.org/ws/FrontPage/WsFx/wss4jFAQ#time
[2] - http://msdn.microsoft.com/en-us/library/ms824668.aspx

--
José Ferreiro
EPFL Communication Systems engineer
ing.sys.com.dipl.EPFL

On 7/24/08, Sanjay Vivek <[EMAIL PROTECTED]> wrote:
>
> Hi everyone,
>
> I'm attempting to invoke a simple Rampart enabled EchoService from a .NET
> client. However, I get a "The timestamp could not be validated" error
> every time. I've disabled the Timestamp option on the service side but it
> doesn't make any difference. I've compared the Timestamp formatting between
> a .NET and Java client and there's not much difference at all as shown
> below:
>
> ### .NET ###
>
> 2008-07-23T14:55:04Z
> 2008-07-23T15:00:04Z
>
> ### Java ###
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> wsu:Id="Timestamp-1035988">
> 2008-07-24T08:59:27.952Z
> 2008-07-24T09:04:27.952Z
>
> I've searched the web and one of the issues raised was that a .NET client
> appends the Timestamp at the top of the security header while a Java client
> appends the Timestamp at the bottom of the security header. Could this be an
> issue? Although I doubt the ordering of WSSE elements should make any
> difference.
>
> I've posted both the SOAP request (from a .NET client) and response (from a
> Rampart enabled service) messages at the bottom of this email for further
> reference. Any insight would be greatly appreciated. Cheers.
>
> Regards
> --
> Sanjay Vivek
>
> SOAP Request from a .NET client
>
> http://schemas.xmlsoap.org/soap/envelope/";
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:xsd="
> http://www.w3.org/2001/XMLSchema"; xmlns:wsa="
> http://schemas.xmlsoap.org/ws/2004/08/addressing"; xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> ">
>
> urn:echo
>
> urn:uuid:1673e489-d3be-4810-b40e-854423fef2c2
>
> http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
>
> http://128.240.2.3:8083/rampart-echo/services/RampartEchoService.RampartEchoServiceHttpSoap11Endpoint
>
> wsu:Id="Timestamp-74569579-8e34-407f-a10c-c27d3b119b80">
> 2008-07-23T14:55:04Z
> 2008-07-23T15:00:04Z
>
> http://service.echo.rampart";>
> hello
>
> SOAP Response from a Rampart enabled service
>
> http://schemas.xmlsoap.org/soap/envelope/";>
> http://schemas.xmlsoap.org/ws/2004/08/addressing";>
>
> http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
>
> urn:uuid:42C68E847DB869C8CA1216824473152
>
> http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
>
> urn:uuid:257f8523-4b91-4073-b87a-76c0b3e4151f
>
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> ">
> wsse:InvalidSecurity
> The timestamp could not be validated
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands,

Re: Timestamp error when invoking a Rampart service from a .NET client.
Hi,

Can you post the server's stack trace?

thanks,
nandana

On Thu, Jul 24, 2008 at 2:34 PM, Sanjay Vivek <[EMAIL PROTECTED]> wrote:
>
> Hi everyone,
>
> I'm attempting to invoke a simple Rampart enabled EchoService from a .NET
> client. However, I get a "The timestamp could not be validated" error
> every time. I've disabled the Timestamp option on the service side but it
> doesn't make any difference. I've compared the Timestamp formatting between
> a .NET and Java client and there's not much difference at all as shown
> below:
>
> ### .NET ###
>
> 2008-07-23T14:55:04Z
> 2008-07-23T15:00:04Z
>
> ### Java ###
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> wsu:Id="Timestamp-1035988">
> 2008-07-24T08:59:27.952Z
> 2008-07-24T09:04:27.952Z
>
> I've searched the web and one of the issues raised was that a .NET client
> appends the Timestamp at the top of the security header while a Java client
> appends the Timestamp at the bottom of the security header. Could this be an
> issue? Although I doubt the ordering of WSSE elements should make any
> difference.
>
> I've posted both the SOAP request (from a .NET client) and response (from a
> Rampart enabled service) messages at the bottom of this email for further
> reference. Any insight would be greatly appreciated. Cheers.
>
> Regards
> --
> Sanjay Vivek
>
> SOAP Request from a .NET client
>
> http://schemas.xmlsoap.org/soap/envelope/";
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:xsd="
> http://www.w3.org/2001/XMLSchema"; xmlns:wsa="
> http://schemas.xmlsoap.org/ws/2004/08/addressing"; xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> ">
>
> urn:echo
>
> urn:uuid:1673e489-d3be-4810-b40e-854423fef2c2
>
> http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
>
> http://128.240.2.3:8083/rampart-echo/services/RampartEchoService.RampartEchoServiceHttpSoap11Endpoint
>
> wsu:Id="Timestamp-74569579-8e34-407f-a10c-c27d3b119b80">
> 2008-07-23T14:55:04Z
> 2008-07-23T15:00:04Z
>
> http://service.echo.rampart";>
> hello
>
> SOAP Response from a Rampart enabled service
>
> http://schemas.xmlsoap.org/soap/envelope/";>
> http://schemas.xmlsoap.org/ws/2004/08/addressing";>
>
> http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
>
> urn:uuid:42C68E847DB869C8CA1216824473152
>
> http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
>
> urn:uuid:257f8523-4b91-4073-b87a-76c0b3e4151f
>
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> ">
> wsse:InvalidSecurity
> The timestamp could not be validated
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

Timestamp error when invoking a Rampart service from a .NET client.
Hi everyone,

I'm attempting to invoke a simple Rampart enabled EchoService from a .NET client. However, I get a "The timestamp could not be validated" error every time. I've disabled the Timestamp option on the service side but it doesn't make any difference. I've compared the Timestamp formatting between a .NET and Java client and there's not much difference at all as shown below:

### .NET ###

2008-07-23T14:55:04Z
2008-07-23T15:00:04Z

### Java ###

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; wsu:Id="Timestamp-1035988">
2008-07-24T08:59:27.952Z
2008-07-24T09:04:27.952Z

I've searched the web and one of the issues raised was that a .NET client appends the Timestamp at the top of the security header while a Java client appends the Timestamp at the bottom of the security header. Could this be an issue? Although I doubt the ordering of WSSE elements should make any difference.

I've posted both the SOAP request (from a .NET client) and response (from a Rampart enabled service) messages at the bottom of this email for further reference. Any insight would be greatly appreciated. Cheers.

Regards
--
Sanjay Vivek

SOAP Request from a .NET client

http://schemas.xmlsoap.org/soap/envelope/"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"; xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>

urn:echo

urn:uuid:1673e489-d3be-4810-b40e-854423fef2c2

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

http://128.240.2.3:8083/rampart-echo/services/RampartEchoService.RampartEchoServiceHttpSoap11Endpoint

2008-07-23T14:55:04Z
2008-07-23T15:00:04Z

http://service.echo.rampart";>
hello

SOAP Response from a Rampart enabled service

http://schemas.xmlsoap.org/soap/envelope/";>
http://schemas.xmlsoap.org/ws/2004/08/addressing";>

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

urn:uuid:42C68E847DB869C8CA1216824473152

http://schemas.xmlsoap.org/ws/2004/08/addressing/fault

urn:uuid:257f8523-4b91-4073-b87a-76c0b3e4151f

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
wsse:InvalidSecurity
The timestamp could not be validated

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]