How to sign a X.509 Certificate

Similar Messages

• How to sign a document with certificate on USB key

  Hi everyone,
  I would like to know how to sign a document with a certificate on an USB key.
  Does anyone has already solve this problem ?
  Regards,
  Fred

  Hi Amitk,
  PDF is a commercial software which is not supported in MSDN forum. Maybe some forum talk about PDF is a better place to ask this question.
  I make a quick research on the web, and you may need to use some third party to sign a PDF document through DSC. Check this :
  http://stackoverflow.com/questions/378247/digitally-sign-pdf-files
  Hope this helps some.
  Shu
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• How to pass x.509 certificate in my request...

  Hi all,
  Can any one of you tell me how to create a x.509 certificate?? and how to pass it in my request???
  Thanks in advance
  Manoj Nair....

  Thanks a lot abhishek but I couldn't make out any thing.
  What I have seen in one the ppts is that no coding is required for sending the certificate in the request.
  Can you help me how would I go about it regarding the above??
  The thing is like I have created a java keystore and it fetched me a self-signed certificate.
  The thing is like How would I send this certificate in my request... and you know that there is a policy step like "verfify certificate" where in it asks for the keystore.
  I have given my keystore location.
  When I tried to test the page, it should an error like " verification of certificate failed"
  When I saw my gateway logs, it spoke something like;
  'certificate is not presented in the request'
  'no matching certificate is found in the keystore'
  'verification of certificate failed'
  It is evident from the first two statements of the gateway log that there is no certificate coming in the request. Had there been certificate, it would have tried to match the certificate with the certificate that is in the keystore and would have verified it. But here it is not the case... I am not able to send in the certificate in my request...
  Can you tell me out how to go about this...
  one more question.......
  is the self-signed certificate that is created by the keytool utility written in x.509 certificate standard or not?

• How to sign a certificate signing request

  Hi all,
  In the PKI process, a client generates a PKCS#10 [certificate signing request|http://en.wikipedia.org/wiki/Certificate_signing_request] (CSR see [sun.security.pkcs.PKCS10|http://www.docjar.com/docs/api/sun/security/pkcs/PKCS10.html] ), sends it to the certification authority (CA), & once the identity has been checked by the CA, the client retrieves his X.509 certificate (signed by the CA), sometimes along with the CA X.509 self-signed certificate.
  I am acting as a CA, the current only way I know to transform a CSR to a X.509 certificate is by using OpenSSL :
  openssl ca -config X509CA/openssl.cnf -days 365 -in CertName_csr.pem -out CertName.pem (see here ).
  Is there any keytool way or even better any sun.security.* way to do that operation programmatically using Java code ?
  Thanks for your feedback.
  Edited by: Le_Sage on 19 avr. 2010 12:12

  That's right, found the doc here : [keytool -gencert|http://download.java.net/jdk7/docs/technotes/tools/windows/keytool.html#gencertCmd] .
  I guess the underlying code must be found under sun.security.* or com.sun.* code. I'll try to have a look.
  Thanks for your feedback.

• How to sign iPhone application using developer certificates

  Hello,
  will anyone tell me that how to sign the iPhone application using developer certificate and one more thing that how will i get the developer certificate.
  Thanks

  ya i got the solution, just go through the following link...
  you will also know how we do that..
  http://developer.apple.com/iphone/library/documentation/Xcode/Conceptual/iphonedevelopment/120-Running_Applications/runningapplications.html
  http://developer.apple.com/iphone/library/documentation/Xcode/Conceptual/iphonedevelopment/128-Managing_Devices/devices.html#//appleref/doc/uid/TP40007959-CH4-SW38

• How to sign a java applet using iPlanet SSL certificate?

  Dear all,
  I have a IPlanet web server with SSL installed,
  can I use the SSL certificate to sign my java applet which will run on the server? how to sign a java applet in this scenario? somebody please help me! thanks!
  yours sincerely
  dashel

  Why can't you create jar files?

• How to sign a certificate

  hi,
  I want to know "how to sign a certificate". If I act as a CA, I must be able to sign a certificate. I need which class or method to be used to sign others certificate(not self sign)(as verisign does). Do we have such option or not?
  I need it urgently.
  Thanks in advance.
  regards,
  Deepa Raghuraman

  If you want to use a csr you need that to be signed by a CA, but if you want to sign a certificate for yourself, you can use the -selfcert option in the keytool here is a page that talks about that
  http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html#EXAMPLES
  they talk about it in the middle of the page some where and here is the basics of the command that they use
  keytool -selfcert -alias dukeNew -keypass b92kqmp -dname "cn=Duke Smith, ou=Purchasing, o=BlueSoft, c=US"
  You have to change some stuff around, but this is what I did to make a self-signed certificate. It really wasn't that difficult when I finally found out how to do it.
  Pup

• How to sign the applet with verisign certificate?

  Hi,
  I got a test certificate from the Verisign.
  Now I want to know, how to sign my applet with that certificate?
  Thanks,
  Siva E.

  Hi!
  You have to create a keystore wich contains the certificate. I think you call keystore -import "verisign.cert"Try the command, and it will tell you what it needs.
  To do the acutal signing of an applet (jar-file), you write somehting like this:
  jarsigner  -keystore "NameOfKeystore" -keypass "PasswordToPrivKey"  -storepass "PasswordToStore" "YourJarFile.jar" "CertAlias"The cert alias is an alias you created when importing the certificate. Hope it Helps!
  Henrik

• How to sign a 509certificate with another non CA certificate

  Hi,
  How to sign a x509 certifcate with another certificate (not CA)? does keytool helps?

  you will probably want to use OpenSSL. google around for how to setup your own certificate authority, such tutorials usually include instructions on signing and importing with keytool etc.

• X.509 certificate signed by RSA-PSS

  I am writing a parser for x.509 certificate.
  Can someone be so kind and send me a X.509 certificate signed by this scheme. it could be a self singed certificate.
  I need it for testing.
  Thanks alot,
  majorsoul

  I think if you select security profile in the channel then you can do sign and verify the certificate in the reciever agreement. THat is only for Security parameters. For just configure certificate authentication,  you will not see anything in the receiver agreement.

• How to sign multiple jar files using the same certificate..?

  hi,
  I want to run my application using Java Web Start.. i am using around 16 different jar files out of which around 13 are 3rd party component jars. I want to sign these jars using the same certifcate..., i am using the follwing code to sign the jars:
  (for the jar file ischeduler.jar)
  keytool -genkey -alias signFiles91 -keystore dtss -keypass dtss1351 -dname "cn=dtss" -storepass decisioncraft
  jarsigner -keystore dtss -storepass decisioncraft -keypass dtss1351 -signedjar signedischeduler.jar ischeduler.jar signFiles91
  keytool -export -keystore dtss -storepass decisioncraft -alias signFiles91 -file ischeduler.cer
  keytool -import -alias DCA2 -file ischeduler.cer -keystore Impischeduler -storepass ischeduler
  (for the jar file ischedulerclient.jar)
  keytool -genkey -alias signFiles92 -keystore dtss -keypass dtss1351 -dname "cn=dtss" -storepass decisioncraft
  jarsigner -keystore dtss -storepass decisioncraft -keypass dtss1351 -signedjar signedischedulerclient.jar ischedulerclient.jar signFiles92
  keytool -export -keystore dtss -storepass decisioncraft -alias signFiles92 -file ischeduler.cer
  keytool -import -alias DCA3 -file ischeduler.cer -keystore Impischeduler -storepass ischeduler
  but when i use the above signed jars in my application i get an error saying:
  "jars not signed by the same certificate"
  can someone plz tel me wher is the error....thanx
  andy

  Well for mulitple signing of jar files you can use ANT tool. Its easier and faster.
  Regarding the present problem -- hmm.. well it looks like you are using 2 different alias names for signing the jar file. Try using the same alias name and that might solve your problem.
  regards
  Saby

• How to filter list of digital certificates for signing PDF

  Is it possible to change the configuration of Reader installation to filter the list of installed certificates that can be used for digitally signing documents?
  The filtered list will appear when users attempt to select a certificate for digitally signing a document.
  Thanks.

  Hi Carla,
  Unfortunately, Extended Key Usage is not one of the properties you can enforce.
  The things you can set are:
  appearanceFilter (i.e. enforce the use of a custom signature appearance)
  certspec(i.e. the signing certificate must meet some specific criteria)  <<<----- This is what you are more interested in, more below
  digestMethod(i.e. enforce the use of a specific cryptographic hashing algorithm)
  filter (i.e. enforce the use of a specific security handler if you want to use something other than the one built into Acrobat)
  legalAttestations (i.e. enforce the reason or purpose of the certifying signature)
  lockDocument (i.e. enforce any further changes to the document after the signature is applied)
  mdp (i.e. the rules for changing the document applied as part of a certifying signature)
  reasons (i.e. a list of one or more reasons the signer can use, as opposed to them adding their own)
  shouldAddRevInfo (i.e. force the inclusion on the revocation information (CRL or OCSP response) in the PDF file)
  subFilter (i.e. require the use of a specific signature format. This is very arcane)
  timeStampspec (i.e. require the use of a specific time stamp server)
  version (i.e the minimum version of Acrobat that can decipher the signature. the only two options are versions 6 or 8)
  The second item is the certspec, and this is what I've been pointing you towards. For the sake of discussion, think of everything you can read in a certificate as an extension. The serial number is an extension, the subject is an extension, the valid from date is an extension, etc. When a certificate is created, some of these extensions are required, other optional, and you can even add in extension that are not publicly defined, and only you will know about.
  Acrobat has the ability to enforce the signer to use a certificate that contains some, but not all of the known extensions. The extensions it can enforce are:
  issuer (i.e. require the use of a certificate that is issued by a specific Certificate Authority)
  keyUsage (i.e. require the signers certificate contain one or more of the nine possible values that can be included)
  oid (i.e. require that the Certificate Policy extension contain a specific value)
  subject (i.e. require that the document is signed by one specific person using one specific digital ID)
  subjectDN (i.e. require that the document is signed by one specific person, but they get to choose which digital ID to use)
  url (i.e. if a required digital ID is not available, where the signer can procure an acceptable digital ID)
  urlType (i.e. if the user is directed to the URL, should it be a web server where they can download a digital ID or a remote signing server where the digital ID stays on the remote server)
  That's it. If it's not one of these items then Acrobat cannot enforce that the item is available. Extended Key Usage is not on the list.
  Steve

• GateKeeper: How to just get the executable signed from Developer ID certificate using Xcode?

  Hi All,
  I have an app(executable) on Mac OS 10.8 built using gcc compiler(without using Xcode). We have Xcode also on that machine. As a developer, we want to register for a unique ID which allows us to sign our app but does not require it be sold through the App Store. So we want our app to be signed by Developer's ID certificate. 
  From the Apple's forum i found the method to sign my app with Developer ID certificate(using Xcode, it builds the full source code also... ). But it would be helpful if someone tells the method to just load the app(executable) in Xcode and just get that signed by Developer ID certificate(As i don't want to build the full source code, i just want that executable to be signed).
  Please let me know the steps to be followed to load the app(executable) in Xcode and get that signed by Developer ID certificate.
  Thanks & Regards,
  Vinay

  Use the codesign command line tool. There are examples in various places on the internet.

• How to sign java applet policy to end user?

  i have putted my applet class on server, i want all end users can access it on server, how to sign the java.policy to there JRE?
  can anyone help me?

  I found this some where else. It shows how to sign an applet.
  START OF DOC
  How To Sign a Java Applet
  The purpose of this document is to document the steps required to sign and use an
  applet using a self-signed cert or CA authorized in the JDK 1.3 plugin.
  The original 9 steps of this process were posted by user irene67 on suns message forum:
  http://forums.java.sun.com/thread.jsp?forum=63&thread=132769
  -----begin irene67's original message -----
  These steps describe the creation of a self-signed applet. This is useful for testing purposes. For use of public reachable applets, there will be needed a "real" certificate issued by an authority like VeriSign or Thawte. (See step 10 - no user will import and trust a self-signed applet from an unkown developer).
  The applet needs to run in the plugin, as only the plugin is platform- and browser-independent. And without this indepence, it makes no sense to use java...
  1. Create your code for the applet as usual.
  It is not necessary to set any permissions or use security managers in
  the code.
  2. Install JDK 1.3
  Path for use of the following commands: [jdk 1.3 path]\bin\
  (commands are keytool, jar, jarsigner)
  Password for the keystore is any password. Only Sun knows why...
  perhaps ;-)
  3. Generate key: keytool -genkey -keyalg rsa -alias tstkey
  Enter keystore password: *******
  What is your first and last name?
  [Unknown]: Your Name
  What is the name of your organizational unit?
  [Unknown]: YourUnit
  What is the name of your organization?
  [Unknown]: YourOrg
  What is the name of your City or Locality?
  [Unknown]: YourCity
  What is the name of your State or Province?
  [Unknown]: YS
  What is the two-letter country code for this unit?
  [Unknown]: US
  Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
  correct?
  [no]: yes
  (wait...)
  Enter key password for tstkey
  (RETURN if same as keystore password):
  (press [enter])
  4. Export key: keytool -export -alias tstkey -file tstcert.crt
  Enter keystore password: *******
  Certificate stored in file tstcert.crt
  5. Create JAR: jar cvf tst.jar tst.class
  Add all classes used in your project by typing the classnames in the
  same line.
  added manifest
  adding: tst.class(in = 849) (out= 536)(deflated 36%)
  6. Verify JAR: jar tvf tst.jar
  Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
  68 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/MANIFEST.MF
  849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
  7. Sign JAR: jarsigner tst.jar tstkey
  Enter Passphrase for keystore: *******
  8. Verifiy Signing: jarsigner -verify -verbose -certs tst.jar
  130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
  183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
  920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
  Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
  smk 849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class
  X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US
  (tstkey)
  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope
  jar verified.
  9. Create HTML-File for use of the Applet by the Sun Plugin 1.3
  (recommended to use HTML Converter Version 1.3)
  10. (Omitted See Below)
  -----end irene67's original message -----
  To make the plug-in work for any browser you have two options with the JDK 1.3 plugin.
  1) Is to export a cert request using the key tool and send it to a CA verification source like verisign.
  When the reponse comes back, import it into the keystore overwriting the original cert for the generated key.
  To export request:
  keytool -certreg -alias tstkey -file tstcert.req
  To import response:
  keytool -import -trustcacerts -alias tstkey -file careply.crt
  An applet signed with a cert that has been verified by a CA source will automatically be recognized by the plugin.
  2) For development or otherwise, you may want to just use your self-signed certificate.
  In that case, the JDK 1.3 plugin will recognize all certs that have a root cert located in the JDK 1.3 cacerts keystore.
  This means you can import your test certificate into this keystore and have the plugin recognize your jars when you sign them.
  To import self-signed certificate into the cacerts keystore, change directory to where the JDK plugin key store is located.
  For JDK 1.3.0_02: C:\Program Files\JavaSoft\JRE\1.3.0_02\lib\security
  For JDK 1.3.1: C:\Program Files\JavaSoft\JRE\1.3.1\lib\security
  Import your self-signed cert into the cacerts keystore:
  keytool -import -keystore cacerts -storepass changeit -file tstcert.crt
  (the password is literally 'changeit')
  Now, regardless of which method you use, the applet should be recognized as coming from a signed jar. The user can choose to activate it if he / she chooses. If your applet uses classes from multiple jars, for example Apache's Xerce's parser, you will need to sign those jars as well to allow them to execute in the client's brower. Otherwise, only the classes coming from the signed jar will work with the java.security.AllPermission setting and all other classes from unsigned jars will run in the sandbox.
  NOTE: Unless otherwise specified by the -keystore command in all keytool and jarsigner operations, the keystore file used is named '.keystore' in the user's home directory.
  The first time any keystore is accessed (including the default) it will be created and secured with the first password given by the user. There is no way to figure out the password if you forget it, but you can delete the default file and recreate it if necessary. For most operations, using the -keystore command is safer to keep from cluttering or messing up your default keystore.

• Failed Calling A X.509 Certificate Secured Web Service From OSB

  Hi,
  I have wsdl resource, business service and proxy service setup in OSB 11.1.1.6 on Linux. The business service will consume a X.509 certificate secured web service running on a remote server.
  Below is my approach:
  The consumer of the proxy service of OSB signs its saop request header.
  My OSB proxy service authenticates the signature and forward the request to business service.
  The business service signs the outbound soap request header. (To do this I configured the keystore in Security Provider Configuration of my SOA_domain in Enterprise Manager. Also I applied Web Service Policy of Service Client type to the business service.)
  This is not working yet. Not sure if my approach is correct or not?
  Thank you,
  Eric

  I validated the keystore, all the certificates used and the value for keystore.sig.csf.key / value for keystore.recipient.alias. They are all as expected. Restarted the server. Still failed for OSB to invoke the remote secured web service, but worked if only use soapUI to invoke the same remote secured web service directly.
  The error message is:
  General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption)
  In the soap request / reponse message shown in the OSB Test Console, there seems to be two signature sections in the header and encryption section although I tried not to encrypt the soap request. I am using Web Service Client Policy "calpers/wss11_x509_token_with_message_integrity_client_policy_osb" which was created based on "oracle/wss11_x509_token_with_message_protection_client_policy". The difference between the two policies is my policy not to sign nor to encrypt entire body.
  In the "Message Signing Setting" section, I unchecked the "Include Entire Body" and left the three default namespaces under the Header Elements.
  In the "Message Encrypt Setting" section, I unchecked the "Include Entire Body" and also left the one default namespace under the Header Elements.
  I don't know how to attach document here, so i add long saop message here.
       Business Service Testing - BookSec_Biz_Svc_52
       Request Document
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  </soap:Header>
  <soapenv:Body>
  <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
  <book:bookId>10</book:bookId>
  <book:bookTitle>eric</book:bookTitle>
  <book:bookAuthor>Z</book:bookAuthor>
  </book:BookRequest>
  </soapenv:Body>
  </soapenv:Envelope>
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsu:Timestamp wsu:Id="Timestamp-eEud1RcUOPcnV0fDqd6gZQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsu:Created>2013-03-14T18:10:00Z</wsu:Created>
  <wsu:Expires>2013-03-14T18:15:00Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-VnzMtSwHMI8THKi2hhG2SQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  MIICazCCAdSgAwIBAgIEUTY65zANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxEzARBgNVBAcTCk1ldHJvcG9saXMxFjAUBgNVBAoTDUp1c3RpY2UgTGVhZ2UxFjAUBgNVBAsTDUp1c3RpYyBMZWFndWUxEzARBgNVBAMTCkNsYXJrIEtlbnQwHhcNMTMwMzA1MTgzNTE5WhcNMTMwNjAzMTgzNTE5WjB6MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxEzARBgNVBAcTCk1ldHJvcG9saXMxFjAUBgNVBAoTDUp1c3RpY2UgTGVhZ2UxFjAUBgNVBAsTDUp1c3RpYyBMZWFndWUxEzARBgNVBAMTCkNsYXJrIEtlbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJhF0cMUwB/EjAyIOy9Cq8KCDqTXvlnlvMGq6LEhiGOtrATYy+JnHURcPUeusi65Ua3bE7JACWhHJ0fYEl7NtxPPSN3Q1RovkWGQ6I5O2XuEyMHg3MISh2CHhnkGSR+W6riDSUoB0ZC0KTgu14OTwqo54JSY/ugQszY7QC9DAuabAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAWeQ6LjMo12bY65GmnrmLdbRNm95RkL6gJCKa9pyUaMfvaIqKpmMQW8RM+eB90CR5DrM8oO2+8uKcqTt/pGNRYi2UJh2X0CdmyQQTmf3mCfgoZ597VTl+k3mKHKeeST7ZwAyBRL2jI0VisopFHpUhIwABoDgwOMpLcCF974AZ2rA=
  </wsse:BinarySecurityToken>
  *<dsig:Signature* Id="XSIG-oISn2AADumTdR86sONuz8g22" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
  <dsig:Reference URI="#Timestamp-eEud1RcUOPcnV0fDqd6gZQ22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>3LQ1IpQR3rKHvP6Ov/m9ZRoecZM=</dsig:DigestValue>
  </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>X2BUn9TLL26Ay9A3HGEn/mnGCCE=</dsig:SignatureValue>
  <dsig:KeyInfo>
  <wsse:SecurityTokenReference>
  <wsse:Reference URI="#EK-h7saqC1VyBKZw2n1IHz8GQ22" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
  </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
  +*</dsig:Signature>*+
  *<dsig:Signature* xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <dsig:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>dau9qjB2lxIvlaoDIHuWVHqjulI=</dsig:DigestValue>
  </dsig:Reference>
  <dsig:Reference URI="#STR-QC3ZDBRwsXv8unEWVns9rQ22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
  <wsse:TransformationParameters>
  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </wsse:TransformationParameters>
  </dsig:Transform>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>nPO9mKSC9cMg2fEkGZI+ujy5O1Q=</dsig:DigestValue>
  </dsig:Reference>
  <dsig:Reference URI="#XSIG-oISn2AADumTdR86sONuz8g22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>qXkW/ZFFNc8Bu0VL9eF6c4np7IA=</dsig:DigestValue>
  </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>
  MuHCTh5cW8TiVKtkWFl+Of2EFAiHwuPTR7J9b4/n2KZtPy2OCrgi1lBpuzhFKLhoBxYNOK8TMOa/3b223Vv+CQUfUP7z0YVj5Ck7QETYngaQlS07KulnstJjsAgHBV8Zk3A0EafuWF2c3t5wBzEkgEC99v0EdY3mRiCzt7vh2qs=
  </dsig:SignatureValue>
  <dsig:KeyInfo Id="KeyInfo-0LT1QavoIVXOHesZfrxTwg22">
  <wsse:SecurityTokenReference>
  <wsse:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
  +*</dsig:Signature>*+
  *<xenc:EncryptedKey* Id="EK-h7saqC1VyBKZw2n1IHz8GQ22" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
  </xenc:EncryptionMethod>
  <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <wsse:SecurityTokenReference wsu:Id="STR-QC3ZDBRwsXv8unEWVns9rQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">q9Z9yPxvNw4CvSLQNI4rxVlSF+w=</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
  <xenc:CipherData>
  <xenc:CipherValue xmime:contentType="application/octet-stream" xmlns:xmime="http://www.w3.org/2005/05/xmlmime">
  Tgdhxy6wMJBBrw23iq1GLCm0TYKBXSVQvBcN+7TXdXL6FPSjhcbfXqtoz7wzirbSwUZuu+DrYuWs
  0BjRXqw3auUSCMlkm4IoT1ag3wFQQ/PEbB8HNlYhW3gp/At3toTw+k5p9wOUd4BMFAiXyeHQ8+dQ
  8JUiohXhiHErTDn6fFQ=
  </xenc:CipherValue>
  </xenc:CipherData>
  </xenc:EncryptedKey>
  </wsse:Security>
  </soap:Header>
  <soapenv:Body>
  <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
  <book:bookId>10</book:bookId>
  <book:bookTitle>eric</book:bookTitle>
  <book:bookAuthor>Z</book:bookAuthor>
  </book:BookRequest>
  </soapenv:Body>
  </soapenv:Envelope>
       Response Document
  The invocation resulted in an error: Internal Server Error.
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
  <soapenv:Fault>
  <faultcode>soapenv:Client</faultcode>
  <faultstring xmlns:lang="en">
  General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption) </faultstring>
  </soapenv:Fault>
  </soapenv:Body>
  </soapenv:Envelope>
       Response Metadata
  <con:metadata xmlns:con="http://www.bea.com/wli/sb/test/config">
  <tran:headers xsi:type="http:HttpResponseHeaders" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <tran:user-header name="Accept" value="text/xml"/>
  <tran:user-header name="Expires" value="Thu, 14 Mar 2013 18:10:01 GMT"/>
  <tran:user-header name="SOAPAction" value="&quot;&quot;"/>
  <http:Cache-Control>max-age=0</http:Cache-Control>
  <http:Connection>close</http:Connection>
  <http:Content-Type>text/xml; charset=UTF-8</http:Content-Type>
  <http:Date>Thu, 14 Mar 2013 18:10:01 GMT</http:Date>
  <http:Server>Apache</http:Server>
  <http:Transfer-Encoding>chunked</http:Transfer-Encoding>
  </tran:headers>
  <tran:response-code xmlns:tran="http://www.bea.com/wli/sb/transports">2</tran:response-code>
  <tran:response-message xmlns:tran="http://www.bea.com/wli/sb/transports">Internal Server Error</tran:response-message>
  <tran:encoding xmlns:tran="http://www.bea.com/wli/sb/transports">UTF-8</tran:encoding>
  <http:http-response-code xmlns:http="http://www.bea.com/wli/sb/transports/http">500</http:http-response-code>
  </con:metadata>