so your server is signing and encrypting its response as well to be verified by the client?  then i would expect that both certificates would have to be signed (or self-signed as in my example) and then exported and imported into the other keystore as a trusted cert.  i did find that if you want to work with .NET clients you're best off using RSA keys in a PKCS12 keystore (save as a .p12 or .pfx file and it's very easy to import the certificate).  however i did have to leave my server keystore as JKS - i had some trouble loading many trusted certificates into a PKCS12 keystore.  as i said, i am no crypto expert - certainly someone on the wss4j list knows the answer...
----- Original Message -----
Sent: Saturday, December 03, 2005 11:52 PM
Subject: RE: Help(urgent) : My Keypair did not work for wss4j project (wss4j\interop example)

Thanks Reynolds.

Yah I followed the same steps as you described (earlier I used 2 keystores and did the same steps, but that did not work; then I used the same keystore for both client and server).

Anyway, for my case I want to add both encryption and signature.

These are my configurations.

Client side:

<service name="AddressBook">
  <requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
    <parameter name="signatureKeyIdentifier" value="DirectReference"/>
    <parameter name="user" value="affnoclient"/>
    <parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier"/>
    <parameter name="signaturePropFile" value="wsstest.properties"/>
    <parameter name="encryptionUser" value="affnoserver"/>
    <parameter name="passwordCallbackClass" value="org.apache.ws.axis.oasis.PWCallback1"/>
    <parameter name="action" value="Signature Encrypt Timestamp"/>
   </handler>
  </requestFlow>
  <responseFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="signaturePropFile" value="wsstest.properties"/>
    <parameter name="passwordCallbackClass" value="org.apache.ws.axis.oasis.PWCallback1"/>
    <parameter name="action" value="Signature Encrypt Timestamp"/>
   </handler>
  </responseFlow>
 </service>

 

 

 

On the server side:

<service name="AddressBook" provider="java:RPC" style="wrapped" use="literal">
  <operation name="ping" qname="ns17:Ping" soapAction="" xmlns:ns17="http://xmlsoap.org/Ping">
   <parameter qname="ns17:ticket" type="ns17:ticketType"/>
   <parameter mode="inout" qname="ns17:text" type="xsd:string" xmlns:xsd="http://www.w3.org/2001/XMLSchema"/>
  </operation>
  <requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
    <parameter name="signatureKeyIdentifier" value="DirectReference"/>
    <parameter name="user" value="affnoserver"/>
    <parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier"/>
    <parameter name="signaturePropFile" value="wsstest.properties"/>
    <parameter name="encryptionUser" value="affnoclient"/>
    <parameter name="passwordCallbackClass" value="org.apache.ws.axis.oasis.PWCallback1"/>
    <parameter name="action" value="Signature Encrypt Timestamp"/>
   </handler>
  </requestFlow>
  <responseFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="signaturePropFile" value="wsstest.properties"/>
    <parameter name="passwordCallbackClass" value="org.apache.ws.axis.oasis.PWCallback1"/>
    <parameter name="action" value="Signature Encrypt Timestamp"/>
   </handler>
  </responseFlow>
  <parameter name="allowedMethods" value="ping"/>
  <parameter name="wsdlPortType" value="PingPort"/>
  <parameter name="wsdlServicePort" value="Ping3"/>
  <parameter name="className" value="org.apache.ws.axis.oasis.ping.PingBindingImpl"/>
  <parameter name="wsdlTargetNamespace" value="http://xmlsoap.org/Ping"/>
  <parameter name="sendXsiTypes" value="false"/>
  <parameter name="sendMultiRefs" value="false"/>
  <parameter name="wsdlServiceElement" value="PingService"/>
  <typeMapping deserializer="org.apache.axis.encoding.ser.SimpleDeserializerFactory" encodingStyle="" qname="ns18:ticketType" serializer="org.apache.axis.encoding.ser.SimpleSerializerFactory" type="java:org.apache.ws.axis.oasis.ping.TicketType" xmlns:ns18="http://xmlsoap.org/Ping"/>
 </service>

 

 

 

Could you please check this configuration?

But the same configuration is working for the wss4j\interop example.

I do not know how they created the keystore ….

If I used the keytool utility, did I have to change any configurations?

Could you help with this issue, please?

Thanks and best regards,

Elilvannan


From: Ron Reynolds [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 04, 2005 1:27 PM
To: [EMAIL PROTECTED]
Subject: Re: Help(urgent) : My Keypair did not work for wss4j project (wss4j\interop example)

 

i'm no expert in security but these are the steps i used to create a trust between my client and server -

generate the two keystores as you did, then:

1. create a self-signed certificate for the client: keytool -selfcert ...
2. export the certificate from the client keystore: keytool -export ...
3. import the certificate into the server's keystore: keytool -import ...

it'll ask if you trust the certificate - tell it yes.  at that point when the client signs and includes its x.509 with the message the server will be able to look the cert up and verify that it trusts the signer.  i was working on a wiki that covers this in a bit more detail - perhaps it'll help (tho it's not entirely done) - http://wiki.apache.org/ws/RonReynolds/XmlSigSetup

 

 

----- Original Message -----
Sent: Saturday, December 03, 2005 10:53 PM
Subject: Help(urgent) : My Keypair did not work for wss4j project (wss4j\interop example)

 

Hi all,

I tried to use the wss4j project for adding security to my web services. For my web service I want to add signature and encryption type of security. First I tested the interop example (tested with 'bob' and 'alice' entries) in the wss4j project. That works fine.

Then I tried to create my key store (using keytool) and generated 2 keypairs, one for the server and one for the client. I configured all properties correctly (I replaced the entries ‘bob’ and ‘alice’ with my own alias names ‘affnoserver’ and ‘affnoclient’). But in my case the client side is working fine (encrypts the request, signs and sends) but on the server side I got an exception (when decrypting).

 

This is the exception trace:

org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data; nested exception is:
        java.security.UnrecoverableKeyException: Cannot recover key
        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:268)
        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:81)
        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:75)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:252)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:179)
        at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:159)

  

 

 

 

this is my key store:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: affnoserver
Creation date: Dec 2, 2005
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=affnoserver, OU=affno, O=eng, L=col, ST=col, C=sl
Issuer: CN=affnoserver, OU=affno, O=eng, L=col, ST=col, C=sl
Serial number: 43900be2
Valid from: Fri Dec 02 14:54:58 LKT 2005 until: Thu Mar 02 14:54:58 LKT 2006
Certificate fingerprints:
         MD5:  23:92:DD:B9:D5:CA:66:5B:AD:92:27:0E:48:11:8C:75
         SHA1: AB:13:03:92:32:FD:EA:51:DE:DD:9E:7C:DD:90:DD:35:96:52:25:08


*******************************************
*******************************************


Alias name: affnoclient
Creation date: Dec 2, 2005
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=affnoclient, OU=affno, O=eng, L=col, ST=col, C=SL
Issuer: CN=affnoclient, OU=affno, O=eng, L=col, ST=col, C=SL
Serial number: 43904844
Valid from: Fri Dec 02 19:12:36 LKT 2005 until: Thu Mar 02 19:12:36 LKT 2006
Certificate fingerprints:
         MD5:  B3:76:5E:F5:81:1A:80:9E:0A:9A:FA:A3:36:8E:D7:C3
         SHA1: 51:D7:04:8F:4C:5D:4F:F9:21:B0:41:B3:58:8B:E9:FB:FA:98:6A:D2


*******************************************
*******************************************

 

I used the following commands for creating this key store.

keytool -genkey -keyalg RSA -alias affnoserver -keystore affnoserver.jks -keypass XXXXXXX -storepass password
keytool -genkey -keyalg RSA -alias affnoclient -keystore affnoserver.jks -keypass XXXXXXX -storepass password

 

 

Should I use some other commands to create this key store (like openssl or PKCS12 format ...)?

Can anybody please help me with how to create my own keystore and keypairs for this wss4j project?

Thanks and best regards,

N.Elilvannan
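A JDK-only check for the two things this thread turns on: whether the key password a wss4j PWCallback would return actually opens the key entry (the "Cannot recover key" nested exception in the trace above is what KeyStore.getKey throws when it does not), and Ron's export/import step that makes each side trust the other's self-signed certificate. This is an added example, not code from the thread or from wss4j; it assumes one JKS per side named affnoclient.jks and affnoserver.jks, the -storepass "password" shown above, and the redacted -keypass supplied as -Dkeypass=...

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;

/** Checks a wss4j-style JKS setup without going through Axis (file names and aliases are assumptions). */
public class KeystoreTrustCheck {

    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");   // "Keystore type: jks" in the listing above
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, storePass); }
        return ks;
    }

    /** True only if the private key under alias opens with keyPass. A mismatch is what
     *  KeyStore.getKey reports as UnrecoverableKeyException "Cannot recover key", the nested
     *  exception in the trace: wss4j hands this call the password its PWCallback returns. */
    static boolean keyPasswordMatches(KeyStore ks, String alias, char[] keyPass) throws Exception {
        if (!ks.isKeyEntry(alias)) return false;     // alias absent, or only a trusted certificate
        try {
            return ks.getKey(alias, keyPass) != null;
        } catch (UnrecoverableKeyException e) {
            return false;                            // keyPass differs from keytool's -keypass
        }
    }

    /** Same effect as "keytool -export" from peer followed by "keytool -import" into ks: the peer's
     *  self-signed certificate becomes a trusted entry, so the receiving side can resolve the
     *  X.509 reference that the peer's WSDoAllSender puts into the Security header. */
    static void trustPeer(KeyStore ks, KeyStore peer, String peerAlias) throws Exception {
        Certificate cert = peer.getCertificate(peerAlias);
        if (cert == null) throw new IllegalStateException("no certificate for alias " + peerAlias);
        ks.setCertificateEntry(peerAlias, cert);
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "password".toCharArray();                        // -storepass from the thread
        char[] keyPass = System.getProperty("keypass", "").toCharArray();   // the redacted -keypass
        KeyStore client = load("affnoclient.jks", storePass);               // assumed: one store per side
        KeyStore server = load("affnoserver.jks", storePass);
        System.out.println("client key opens: " + keyPasswordMatches(client, "affnoclient", keyPass));
        System.out.println("server key opens: " + keyPasswordMatches(server, "affnoserver", keyPass));
        trustPeer(server, client, "affnoclient");   // server verifies the client's signature
        trustPeer(client, server, "affnoserver");   // client encrypts to the server and verifies its reply
        try (FileOutputStream out = new FileOutputStream("affnoserver.jks")) { server.store(out, storePass); }
        try (FileOutputStream out = new FileOutputStream("affnoclient.jks")) { client.store(out, storePass); }
    }
}
```

If either "key opens" line prints false, the password the PWCallback class returns for that alias must be changed to the -keypass used at -genkey time (or the key re-keyed with keytool -keypasswd) before wss4j can decrypt.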
