Hello Colm, I have a bit of an urgent question re WSS4J.
I am using JBoss 6.1 which includes JBossWS 3.4.1. This version of the JBoss web services CXF stack is based on Apache CXF 2.3.1. I think this means that I am using WSS4J 1.5.8. Looking at your blog at this page, http://coheigea.blogspot.com/2011/01/wss4j-16-crypto-property-change.html, you are describing the changes from WSS4J 1.5.x and 1.6 and you state that "there is no clean separation of the keystore used to obtain private/secret keys, and that used to verify trust on received credentials" So, just to make sure that I understand you, in this older version of WSS4J, a SINGLE keystore is used to contain both the private encryption keys for outbound traffic and the public keys to decrypt and/or authenticate incoming requests? I.e., there is NO truststore? So, if I have a security properties file used by the WSS4J interceptor that contains these entries: org.apache.ws.security.crypto.merlin.file=common-config/server.keystore # # Truststore information org.apache.ws.security.crypto.merlin.truststore.file=config/server.truststore Then, I am mixing configuration elements for the older WSS4J 1.5.x version and the newer 1.6.x version and, in fact, the truststore entries are ignored? And, this is a forlorn hope, but if this is true, I don't suppose there would be any clean way of dropping in a newer version of WSS4J 1.6 and have it work with CXF 2.3.1? Thanks