Made some progress on this and wanted to share for anyone having a similar
problem.
In my WS-SecurityPolicy it states the following for the RecipientToken:
<sp:RecipientToken>
  <wsp:Policy>
    <sp:X509Token
      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
      <wsp:Policy>
        <sp:WssX509V3Token11/>
        <sp:RequireIssuerSerialReference/>
      </wsp:Policy>
    </sp:X509Token>
  </wsp:Policy>
</sp:RecipientToken>
In layman's terms, it requires the serial number of the issuer of the
webservice's certificate. The serial number being sent in the SOAP response
is different from the serial number I have of the issuer's public
certificate in my truststore. I got hold of the public certificate for
the webservice, added that to my truststore, and the client no longer
threw the 'The signature or decryption was invalid' exception! This shouldn't
be a requirement though, so I'm waiting to hear back from the webservice
developer. We both have the issuing cert authority's public cert, and have
confirmed it's different from what the webservice has!
--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
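A small diagnostic for the situation described in the post above, added here as an example; it is not code from the post, nor from CXF or WSS4J. A `<sp:RequireIssuerSerialReference/>` policy means the response's `<wsse:SecurityTokenReference>` carries a `<ds:X509IssuerSerial>` (XML Signature's `X509IssuerName` plus `X509SerialNumber`) that names the signing certificate by its issuer's DN and the serial number that issuer assigned to it; with `IncludeToken/Never` the certificate itself is not in the message, so the client's crypto provider has to find a certificate in the truststore whose own issuer DN and serial match that pair. The tool below dumps what each truststore entry actually holds and then resolves every issuer/serial reference found in a saved SOAP response against it, which is the comparison the poster was doing by hand. It assumes a JKS or PKCS12 truststore, its password, and the response saved to a file, all given as command-line arguments; those names and the output format are this example's own choices.

```java
import java.io.File;
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Resolve ds:X509IssuerSerial references from a saved SOAP response against a
 * truststore, the way a WS-Security client must when the token is not included.
 * Usage: java IssuerSerialCheck <truststore.jks|p12> <password> <response.xml>
 */
public class IssuerSerialCheck {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: IssuerSerialCheck <truststore> <password> <response.xml>");
            System.exit(2);
        }
        KeyStore ks = loadTruststore(new File(args[0]), args[1].toCharArray());

        // 1. What the truststore really contains: note that each entry's
        //    serial is the one its issuer assigned to *that* certificate.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            System.out.printf("alias=%s%n  subject=%s%n  issuer=%s%n  serial=%s (0x%s)%n",
                    alias, x.getSubjectX500Principal(), x.getIssuerX500Principal(),
                    x.getSerialNumber(), x.getSerialNumber().toString(16));
        }

        // 2. Every issuer/serial pair the response references, resolved against the truststore.
        Document doc = parseHardened(new File(args[2]));
        NodeList names = doc.getElementsByTagNameNS(DSIG_NS, "X509IssuerName");
        NodeList serials = doc.getElementsByTagNameNS(DSIG_NS, "X509SerialNumber");
        for (int i = 0; i < names.getLength() && i < serials.getLength(); i++) {
            X500Principal issuer = new X500Principal(names.item(i).getTextContent().trim());
            BigInteger serial = new BigInteger(serials.item(i).getTextContent().trim()); // decimal per XMLDSig
            X509Certificate hit = findByIssuerSerial(ks, issuer, serial);
            System.out.printf("reference #%d issuer=%s serial=%s -> %s%n", i, issuer, serial,
                    hit == null ? "NO MATCH in truststore (signature verification will fail)"
                                : "matches subject=" + hit.getSubjectX500Principal());
        }
    }

    /** Load a JKS or PKCS12 truststore; the JDK's default type is tried first, then PKCS12. */
    static KeyStore loadTruststore(File file, char[] password) throws Exception {
        for (String type : new String[] { KeyStore.getDefaultType(), "PKCS12" }) {
            try (FileInputStream in = new FileInputStream(file)) {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(in, password);
                return ks;
            } catch (java.io.IOException e) {
                // wrong format or password for this type; try the next type
            }
        }
        throw new IllegalArgumentException("could not open truststore " + file);
    }

    /** Parse the response with DTDs disabled so a hostile message cannot trigger XXE/entity expansion. */
    static Document parseHardened(File xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(xml);
    }

    /**
     * The lookup an IssuerSerial reference implies: X500Principal.equals compares
     * canonical DN forms, so attribute order and whitespace differences in the
     * issuer string are tolerated; the serial must match exactly.
     */
    static X509Certificate findByIssuerSerial(KeyStore ks, X500Principal issuer, BigInteger serial)
            throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                if (x.getIssuerX500Principal().equals(issuer) && x.getSerialNumber().equals(serial)) {
                    return x;
                }
            }
        }
        return null;
    }
}
```

Running this against a truststore that holds only the CA certificate will report NO MATCH for the response's reference, because the pair in `<ds:X509IssuerSerial>` identifies the webservice's own certificate (issuer = the CA, serial = the number the CA gave that leaf), not the CA certificate and its serial. That is consistent with the poster's observation that importing the service's certificate made the error go away: the reference could then be resolved to a certificate, after which chain validation back to the CA proceeds as usual. Whether a given deployment should have to pre-distribute the service certificate, or switch the policy to include the token in the message, is a design decision for the two parties; the tool only shows which certificate the reference is asking for.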