Re: fediz production

2017-10-25 Thread Matthew Broadhead
Thanks for pointing me in the right direction. Basically, what the documentation lacks is that the ststrust.jks must contain MyTCIDP.cer, i.e. keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt. I looked through the original

RE: In the java_first_jaxws sample of cxf there are no SayHi and SayHiResponse types.

2017-10-25 Thread Andrei Shakirin
Hi, The SayHi and SayHiResponse are just wrappers around string request/response. They are necessary, because only a string cannot be sent as a valid XML. The wrapper types are generated by default on the base of method name (sayHi), so you don't need to define them explicitly in java code. You

CXF wsdl2java generates SOAP 1.1 message

2017-10-25 Thread John Ruggentaler
Hi, I generated my SOAP client code using Apache CXF 3.0.4. When I message the SOAP service (not under my control), I was receiving an error indicating the namespace used in my message is wrong. I debugged a bit and noticed that the message version is Soap11 so I changed it (via my

In the java_first_jaxws sample of cxf there are no SayHi and SayHiResponse types.

2017-10-25 Thread Eric J. Van der Velden
In the java_first_jaxws sample of cxf there are for example no SayHi and SayHiResponse types. Why not? Aren't they needed for (de)serialization? In the wsdl_first sample, types like GetCustomersByName and GetCustomersByNameResponse are there, and in the debugger I saw that they are used. When I

Re: multiple entries in soap security header for Signature, Timestamp, EncryptedKey

2017-10-25 Thread Colm O hEigeartaigh
On Wed, Oct 25, 2017 at 2:02 PM, pra...@tracelink.com wrote: > Should the wsdl basically look like this? > Probably, although you should really ask the designer of the security policy what the security requirements should be. The SignedSupportingToken may or may not be

Re: multiple entries in soap security header for Signature, Timestamp, EncryptedKey

2017-10-25 Thread pra...@tracelink.com
Should the wsdl basically look like this? http://schemas.xmlsoap.org/ws/2005/07/securitypolicy;>... http://schemas.xmlsoap.org/ws/2005/07/securitypolicy;>... http://schemas.xmlsoap.org/ws/2005/07/securitypolicy;>...

RE: Websphere 9 and CXF

2017-10-25 Thread markfuini
Colm, Thank you. That makes sense. I just wonder if I am the only one trying to integrate CXF and Websphere. Mark -Original Message- From: Colm O hEigeartaigh [mailto:cohei...@apache.org] Sent: Wednesday, October 25, 2017 5:06 AM To: markfu...@yahoo.com Cc: users@cxf.apache.org

Re:

2017-10-25 Thread Eric J. Van der Velden
When I use javaws, SayHi and SayHiResponse are there. Thanks! On Wed, Oct 25, 2017 at 2:35 PM, Eric J. Van der Velden < ericjvandervel...@gmail.com> wrote: > In the java_first_jaxws sample of cxf there are for example no SayHi and > SayHiResponse types. > > Why not? Aren't they needed for

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
Your truststore in cxf-tls.xml must trust the certificate presented by the STS. Also, it must contain a keystore with the private key of the IdP, which in turn must be trusted by the STS. Colm. On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead < matthew.broadh...@nbmlaw.co.uk> wrote: > Are the

Re: fediz production

2017-10-25 Thread Matthew Broadhead
Are the two keystores responsible for the trust between idp and sts supposed to be stsrealm_a.jks and ststrust.jks? It is just that the cert it is not trusting is the idp-ssl-key.jks (domain.tld), which makes sense if it is hitting domain.tls:9443/idp etc. Does this mean ststrust.jks should

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
You'll need to go through the output to figure out why the cert is not trusted. If you generate some test certs + create a testcase somewhere I will take a look. Colm. On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead < matthew.broadh...@nbmlaw.co.uk> wrote: > i get a load of stuff, but in

Re: fediz production

2017-10-25 Thread Matthew Broadhead
I get a load of stuff, but in the middle of the one before the error I get "Warning: no suitable certificate found - continuing without client authentication". On 25/10/2017 13:42, Matthew Broadhead wrote: ahhh... -Djavax.net.debug=all On 25/10/2017 13:39, Matthew Broadhead wrote: How would I

Re: fediz production

2017-10-25 Thread Matthew Broadhead
ahhh... -Djavax.net.debug=all On 25/10/2017 13:39, Matthew Broadhead wrote: How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml ? On 25/10/2017 13:37, Colm O hEigeartaigh wrote: If you change it to "required" does it fail? If so, you could try running the

Re: fediz production

2017-10-25 Thread Matthew Broadhead
How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml ? On 25/10/2017 13:37, Colm O hEigeartaigh wrote: If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS. Colm. On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead < matthew.broadh...@nbmlaw.co.uk> wrote: > Hi Colm, > >

Re: fediz production

2017-10-25 Thread Matthew Broadhead
Hi Colm, I realise now that this html file was included in the examples/samplekeys directory in the code, but I was taking it from the internet. I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again. I can browse the wsdl without

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
You can see the HTML here: https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html I'll update the webpage to point to github instead of SVN. Colm. On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <

Re: fediz production

2017-10-25 Thread Matthew Broadhead
Hi Colm, Firstly, is there somewhere to see these instructions correctly formatted in html? https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html Secondly, there is a massive difference between

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
Why not try the simple Connector configuration I gave earlier but with your own keys? Colm. On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead < matthew.broadh...@nbmlaw.co.uk> wrote: > in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html# >

Re: fediz production

2017-10-25 Thread Matthew Broadhead
In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says: clientAuth "This is an alias for the certificateVerification attribute of the default SSLHostConfig element." Then certificateVerification: "Set to required if you want the SSL

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client

Re: multiple entries in soap security header for Signature, Timestamp, EncryptedKey

2017-10-25 Thread Colm O hEigeartaigh
The problem here is that you have ExactlyOne/All and then multiple security binding policies, so CXF interprets this as both the AsymmetricBinding and TransportBinding are required. Instead, your security policy should read something like: ExactlyOne All AsymmetricBinding /All

Re: Websphere 9 and CXF

2017-10-25 Thread Colm O hEigeartaigh
The Basic Security Profile mandates that EncryptedData structures must come after EncryptedKey structures that reference them: http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html#EncryptedKey_Precedes_EncryptedData Your best bet is to re-order the header on the receiving side so that the