As far as I could see, the IdP (passive STS) is using a test certificate 
(CN=test) for signing the SAML token (not sure if that can be the issue). I 
tried to change the certificate to use BSL.Com (the certificate that the 
passive STS in .NET is using). I basically changed the certificate in the 
Fedidp.xml file, and I tried to deploy the file again in the OpenSSO instance 
running in the IdP. However, I am getting a permission error or something like 
that.

[#|2009-11-03T16:01:36.778-0400|WARNING|sun-appserver9.1|com.sun.xml.ws.wspolicy.com.sun.xml.ws.api.policy.ModelTranslator|_ThreadID=10;_ThreadName=main;_RequestID=d6f93987-e8d6-485b-aa77-8996d6ac1b7a;|WSM1007: Failed to create a ModelTranslator instance.

com.sun.xml.ws.policy.PolicyException: WSP0071: Multiple policy assertion creators try to register for namespace 'http://schemas.xmlsoap.org/ws/2005/02/rm/policy'. Old creator`s class: 'com.sun.xml.ws.rx.policy.spi_impl.RxAssertionCreator', new creator`s class: 'com.sun.xml.ws.rm.policy.spi_impl.RmAssertionCreator'.
 at com.sun.xml.ws.policy.sourcemodel.PolicyModelTranslator.<init>(PolicyModelTranslator.java:184)
 at com.sun.xml.ws.api.policy.ModelTranslator.<init>(ModelTranslator.java:81)
 at com.sun.xml.ws.api.policy.ModelTranslator.<clinit>(ModelTranslator.java:70)
 at com.sun.xml.ws.policy.BuilderHandler.getPolicies(BuilderHandler.java:97)
 at com.sun.xml.ws.policy.BuilderHandler.getPolicySubjects(BuilderHandler.java:105)
 at com.sun.xml.ws.policy.BuilderHandlerEndpointScope.doPopulate(BuilderHandlerEndpointScope.java:67)
 at com.sun.xml.ws.policy.BuilderHandler.populate(BuilderHandler.java:77)
 at com.sun.xml.ws.policy.PolicyMapBuilder.getNewPolicyMap(PolicyMapBuilder.java:103)
 at com.sun.xml.ws.policy.PolicyMapBuilder.getPolicyMap(PolicyMapBuilder.java:85)
 at com.sun.xml.ws.policy.PolicyWSDLParserExtension.postFinished(PolicyWSDLParserExtension.java:955)
 at com.sun.xml.ws.wsdl.parser.DelegatingParserExtension.postFinished(DelegatingParserExtension.java:187)
 at com.sun.xml.ws.wsdl.parser.WSDLParserExtensionFacade.postFinished(WSDLParserExtensionFacade.java:334)
 at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:262)
 at com.sun.xml.ws.server.EndpointFactory.getWSDLPort(EndpointFactory.java:531)
 at com.sun.xml.ws.server.EndpointFactory.createEndpoint(EndpointFactory.java:174)
 at com.sun.xml.ws.api.server.WSEndpoint.create(WSEndpoint.java:505)
 at com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parseAdapters(DeploymentDescriptorParser.java:253)
 at com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parse(DeploymentDescriptorParser.java:147)
 at com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:124)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at com.sun.identity.wss.sts.STSContextListener.contextInitialized(STSContextListener.java:107)
 at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4523)
 at org.apache.catalina.core.StandardContext.start(StandardContext.java:5184)
 at com.sun.enterprise.web.WebModule.start(WebModule.java:326)
 at com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
 at com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
 at com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
 at com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
 at com.sun.enterprise.web.VirtualServer.startChildren(VirtualServer.java:1672)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
 at org.apache.catalina.core.StandardHost.start(StandardHost.java:955)
 at com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
 at com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
 at com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
 at com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
 at com.sun.enterprise.web.EmbeddedWebContainer$WebEngine.startChildren(EmbeddedWebContainer.java:453)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
 at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:533)
 at org.apache.catalina.startup.Embedded.start(Embedded.java:936)
 at com.sun.enterprise.web.WebContainer.start(WebContainer.java:873)
 at com.sun.enterprise.web.PEWebContainer.startInstance(PEWebContainer.java:790)
 at com.sun.enterprise.web.PEWebContainerLifecycle.onStartup(PEWebContainerLifecycle.java:84)
 at com.sun.enterprise.server.ApplicationServer.onStartup(ApplicationServer.java:442)
 at com.sun.enterprise.server.ondemand.OnDemandServer.onStartup(OnDemandServer.java:120)
 at com.sun.enterprise.server.PEMain.run(PEMain.java:411)
 at com.sun.enterprise.server.PEMain.main(PEMain.java:338)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at com.sun.enterprise.server.PELaunch.main(PELaunch.java:412)
|#]

Is there any additional step I do not know about that is required to change the certificate?

Thanks
Pablo.

-----Original Message-----
From: jiandong....@sun.com [mailto:jiandong....@sun.com] 
Sent: Monday, November 02, 2009 8:09 PM
To: stonehenge-dev@incubator.apache.org
Subject: Re: Third interop test between Metro and .NET

Pablo Cibraro wrote:
> Besides that issue with the WS-Trust message, these are my findings for this 
> scenario,
>
>
> 1.       The active STS in Metro is using a username token for 
> authenticating the client application (trader web client). .NET is using a 
> client certificate for that purpose (BSL.Com), and I think it is the correct 
> mechanism. I basically changed the .NET Active STS and trader client 
> implementation to use username tokens.
>   
Reasonable since the client already has the certificate to identify it.
We need to update Metro part for this.
> 2.       The wsit-client.xml for the trader client application in Metro looks 
> as follows:
>
>     <tc:PreconfiguredSTS xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/client"
>                          endpoint="http://localhost:9001/tradeactivests"                        (.NET)
>                          wsdlLocation="http://apps.stonehenge.com:1316/active_sts/ActiveSTS?wsdl" (WSDL in METRO)
>                          serviceName="SecurityTokenService"
>                          portName="ISecurityTokenService_Port"
>                          namespace="http://tempuri.org/"
>                          shareToken="true">
>     </tc:PreconfiguredSTS>
>
>                 I could not make it work against the .NET Active STS WSDL. 
> For some reason, all the requests with that WSDL are not protected with 
> WS-Security. I updated all the bindings and ports in .NET to use 
> ISecurityTokenService and http://tempuri.org as namespace, but that does not 
> work.
>
>   
One possible reason is version mismatch since we have to use addressing 
Action header to identify and secure the message properly.
Can you check if you use <sp:Trust13 and have something like 
wsap10:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" 
set in the wsdl?
> 3.       Metro was using derived keys and Basic128 as algorithm suite. WCF 
> was throwing weird parsing error exceptions for the derived keys (this 
> option was enabled in the WCF bindings too), so I disabled that feature in 
> Metro and .NET.
>
> "Cannot read the token from the 'DerivedKeyToken' element with the 
> 'http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512' namespace for 
> BinarySecretSecurityToken, with a '' ValueType. If this element is expected 
> to be valid, ensure that security is configured to consume tokens with the 
> name, namespace and value type specified."
>   
Can you get the request message for this? I'd like to see where we have 
this ValueType=" ".

Thanks!

Jiandong
> Regards,
> Pablo.
>
>   
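The two checks Jiandong asks for, as an added example that is not code from the thread or from the Stonehenge project: does the STS WSDL carry <sp:Trust13> and a wsap10:Action for RST/Issue, and does a request contain a DerivedKeyToken reference with the empty ValueType WCF rejects. The namespace URIs are the standard ones; the sample WSDL fragment and SOAP header are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wsap10": "http://www.w3.org/2006/05/addressing/wsdl",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wssc": "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512",
}
ISSUE_ACTION = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"

def check_sts_wsdl(wsdl_xml):
    """Report whether the STS WSDL carries <sp:Trust13> and a wsap10:Action
    for RST/Issue on an operation input (the two things Jiandong asks about)."""
    root = ET.fromstring(wsdl_xml)
    action_attr = "{%s}Action" % NS["wsap10"]
    actions = [i.get(action_attr) for i in root.iterfind(".//wsdl:operation/wsdl:input", NS)]
    return {"trust13": root.find(".//sp:Trust13", NS) is not None,
            "issue_action": ISSUE_ACTION in actions}

def empty_valuetype_refs(soap_xml):
    """URIs of wsse:Reference elements under a DerivedKeyToken whose ValueType
    is empty or absent, the condition behind the WCF error quoted above."""
    root = ET.fromstring(soap_xml)
    return [ref.get("URI", "")
            for dkt in root.iterfind(".//wssc:DerivedKeyToken", NS)
            for ref in dkt.iterfind(".//wsse:Reference", NS)
            if not ref.get("ValueType")]

# Constructed sample STS WSDL fragment, not any real service's WSDL.
GOOD_WSDL = """<wsdl:definitions targetNamespace="http://tempuri.org/"
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl">
  <wsp:Policy><wsp:ExactlyOne><wsp:All><sp:Trust13/></wsp:All></wsp:ExactlyOne></wsp:Policy>
  <wsdl:portType name="ISecurityTokenService"><wsdl:operation name="Issue">
    <wsdl:input wsap10:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/>
  </wsdl:operation></wsdl:portType>
</wsdl:definitions>"""

# Constructed request header carrying the '' ValueType that WCF rejects.
BAD_REQUEST = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wssc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
  <S:Header><wsse:Security><wssc:DerivedKeyToken><wsse:SecurityTokenReference>
    <wsse:Reference URI="#binsec-1" ValueType=""/>
  </wsse:SecurityTokenReference></wssc:DerivedKeyToken></wsse:Security></S:Header>
  <S:Body/></S:Envelope>"""
```

Run `check_sts_wsdl` against the WSDL Metro actually fetched from the .NET STS and `empty_valuetype_refs` against the captured request to see which of the two mismatches applies.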


