Owsm policy step verify certificate

We try to use OWSM for client authentication using "Verify Certificate". From what I understand of it, I have to send along the public certificate with my request and that certificate should be in the trusted store. Can this store be the same store as the wallet the HTTP server is already using?
When I look for the details of the Verify Certificate step I see that there are a few prerequisites:
Prerequisite Steps: Verify Signature, Decrypt and Verify, or if the transport security uses SSL.
I use https://<server>/gateway/services/SID0003006?wsdl as endpoint from within the web service proxy and added the following before setting the endpoint in the proxy:
System.setProperty("javax.net.ssl.keyStore", "/home/maqish/keystore");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("javax.net.ssl.trustStore", "/home/maqish/keystore");
System.setProperty("javax.net.ssl.trustStoreType", "JKS");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
I have added the server certificate to my trusted keystore and the public key is sent to the server to be added as a trusted certificate.
Using Verify Certificate it should be possible to verify that a request is from a trusted source, but this does not seem to work very well. Or else there could be some other problem in my thinking.
Has anyone tried the same, or ever used the policy step Verify Certificate?

I do use the SOA Suite and JDeveloper 10.1.3.3. I have created a web service which I have deployed to the SOA application server. Using this web service works over HTTP and HTTPS.
When I use OWSM to add this web service as a service this also works, over HTTP and HTTPS.
When I add the request policy step Verify Certificate I get the following error:
Failed to initialize pipeline 'Request' in policy 'repeater(0.1)
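The six javax.net.ssl system properties in the post above point both the key store (the client identity offered in the TLS handshake) and the trust store (the certificates the client will accept) at the same JKS file, for the whole JVM. The following is an added example, not part of the original post, of building the two from separate files into an explicit SSLContext and of listing what the trust store actually accepts, which is the first thing to check when a Verify Certificate step keeps rejecting a request. Paths, passwords and the class and method names are placeholders of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Builds an SSLContext from a separate client key store (our identity) and
 * trust store (the CAs we accept) instead of the JVM-wide javax.net.ssl.*
 * system properties. All paths and passwords are placeholders.
 */
public class MutualTlsContext {

    public static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static SSLContext build(String keyStorePath, char[] keyStorePassword,
                                   String trustStorePath, char[] trustStorePassword) throws Exception {
        // Client identity: private key plus certificate chain presented during the handshake
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStorePath, keyStorePassword), keyStorePassword);

        // Trust anchors: only the CA (or server certificate) this client is willing to accept
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustStorePassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Prints the subjects the trust store will accept, with their expiry dates. */
    public static void printTrustAnchors(String trustStorePath, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, password));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trusted: " + c.getSubjectX500Principal()
                            + " (expires " + c.getNotAfter() + ")");
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();          // placeholder password
        printTrustAnchors("/path/to/truststore.jks", pw);
        SSLContext ctx = build("/path/to/client-keystore.jks", pw, "/path/to/truststore.jks", pw);
        // From here on, HTTPS connections opened in this JVM present the client certificate
        // and accept only servers whose chain ends in the trust store above.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Keeping the two stores in separate files means that adding a server CA to the trust store never places it next to the client's private key, and the listing shows exactly which issuers the client will accept, so a rejected request can be traced to a missing or expired anchor rather than to the policy step.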

Similar Messages

  • OWSM customize policy step sign message

    Hi,
Is it possible to customize the OWSM policy step "sign message"?
    - to set the attribute mustUnderstand of the element wsse:Security to 0 (default is 1)
    - to add the timestamp wsu:Expires to the security header (in addition to the wsu:Created timestamp)
    Bye,
    Markus


  • Custom Policy steps in OWSM

I am currently implementing an integration system between our systems and a third party system. There is a requirement for all messages sent across the interface to be acknowledged by the other system. The transactions are synchronous, so we have a hand-off approach where the receiving system must acknowledge message receipt by sending a synchronous response message back. This acknowledgement message will contain a boolean flag that either says true or false depending on whether they are accepting or rejecting the message. Messages could be rejected because they have an invalid digital certificate or failed message integrity. Is it possible to create a custom policy step in OWSM that allows me to send these acknowledgement messages? The message structure will contain only 3 elements:
successfulDelivery (boolean)
RejectedCode (Rejection ErrorCode)
RejectedReason (Rejected Error Reason)
Can anyone help? I am still new to OWSM.

Here's an example on how to add a custom SOAP header to the request message inside a custom step.
public IResult execute(IMessageContext messageContext) throws Fault {
    MessageContext msgCtxt = (MessageContext) messageContext;
    SOAPEnvelope senv = msgCtxt.getRequest().getAxisMessage().getSOAPEnvelope();
    // Mark the envelope dirty so AXIS re-serializes it with the added header
    ((org.apache.axis.message.SOAPEnvelope) senv).setDirty(true);
    // SAAJ calls below throw SOAPException; catch it or map it to Fault in a real step
    SOAPFactory factory = SOAPFactory.newInstance();
    Name header = factory.createName("CustomHeader", "cust", "http://foo.com/custom/header");
    SOAPHeaderElement headerElement = senv.getHeader().addHeaderElement(header);
    headerElement.addTextNode("My custom header data");
    Result result = new Result();
    result.setStatus(IResult.SUCCEEDED);
    return result;
}
OWSM uses AXIS implementation internally to represent the SOAP message.
    Cheers,
    Vikas Jain

  • OWSM - Logging in Custom Policy Step

    I'm trying to implement a custom policy step for Oracle Web Service Management.
    For debugging purposes, I need to write a diagnostic log file (like gateway.log, policymanager.log, ccore.log...) with the behavior of my step. I have to use log4j library...
    Could you help me with OWSM log configuration?
    Thanks!

I have been reading more about this issue but I still have doubts...
    Now, I know that I must use the package "com.cfluent.ccore.util.logging" in my code. For example:
    ILogger logger = LogManager.getLogger(...);
    logger.log(Level.INFO, "..");
    In which owsm log file does this information appear?
    Thanks!

  • Extend OWSM with Custom Policy Step: MessageContext.setResponseMessage()?

    Hi,
    I intend to create a custom policy step for OWSM.
    In the execute method of my step (that extends AbstractStep) I want to set the Response Message using the setResponseMessage() method. According to the Extensibility Guide, this method should be passed a com.cfluent.ccore.message.SOAPMessage object as parameter.
    Basically, the code looks something like this:
public IResult execute(IMessageContext messageContext) throws Fault {
    MessageContext msgCtxt = (MessageContext)messageContext;
    Result result = new Result();
    msgCtxt.setResponseMessage(msgCtxt.getRequestMessage());
    result.setStatus(IResult.SUCCEEDED);
    return result;
}
    At compile time however, JDeveloper throws the following error:
    SOAPMessage not found in class nl.amis.soa.CustomStep
    and points to the line
    msgCtxt.setResponseMessage(msgCtxt.getRequestMessage());
    Should I use AXIS SOAP objects (knowing OWSM is based on AXIS or uses it)? Or a MessageFactory? Or ... ?
    Any tips and preferably a code sample is much appreciated!
    Thanks, Sjoerd

    Hi Sjoerd ,
Looks like a documentation error. Are you importing the com.cfluent.ccore.message.SOAPMessage class? Try compiling without the import. I was able to compile your code with no issues. All I have is coresv-4.0.jar added to my JDev project.
    FYI MessageContext.get/setRequestMessage() really takes javax.xml.soap.SOAPMessage as parameter.
    Here is the code I can compile:
package com.junk.wsm;
import com.cfluent.pipelineengine.container.MessageContext;
import com.cfluent.policysteps.sdk.AbstractStep;
import com.cfluent.policysteps.sdk.IMessageContext;
import com.cfluent.policysteps.sdk.IResult;
import com.cfluent.policysteps.sdk.Result;
public class junkStep extends AbstractStep {
    public junkStep() {
    }
    public IResult execute(IMessageContext messageContext) {
        MessageContext msgCtxt = (MessageContext)messageContext;
        Result result = new Result();
        // Echo the request back as the response; both are javax.xml.soap.SOAPMessage
        msgCtxt.setResponseMessage(msgCtxt.getRequestMessage());
        result.setStatus(IResult.SUCCEEDED);
        return result;
    }
}
    Regards,
    Rajesh

  • OWSM Custom Policy Step: use of the setProcessingStage() method?

    Hello,
    When creating a Custom Policy Step for use in an OWSM pipeline the API provides the option to set the processing stage. Possible values are STAGE_PREREQUEST, STAGE_REQUEST, STAGE_RESPONSE and so on.
Can anyone tell me the use of setting the processing stage? Would it allow me to literally take the message request to a different stage, e.g. what should happen when in the Request stage I set it to STAGE_RESPONSE?
    I have tried this and cannot see any effect.
    Thanks, Sjoerd

    Hi Vikas,
    Thanks for the reply.
    I suspect that the "fiddling with the Outgoing Transport Protocol that is between OWSM Gateway and actual service" as mentioned in my original post is probably the same as "creating a custom transport messenger between gateway and service" as mentioned by you.
    Any pointers to get me going, e.g. what interfaces te implement, classes to extend, how to register and manage with OWSM?
    Thanks and best regards,
    Sjoerd

  • Provide steps to send Root CA certificate to the Lync client, getting error" There was a problem verifying certificate from the server"

    Hi,
I built a Lync 2013 setup with an FE pool and a Director pool, and the Exchange server is integrated. I have a Windows 8 client machine with the Lync client installed. When I try to log in to the Lync client, I get the error "There was a problem verifying certificate from the server".
When I install the root CA cert manually on the client machine I am able to log in to the Lync client. Similarly, if I add my client machine to my domain, I am able to log in to the Lync client.
Now, is there any other way to send the certificate automatically to the client machines (which are NOT part of the domain) from the server, instead of the manual installation process?
Please help me troubleshoot this problem.

Agree with S Guna, there is no easy way to push a certificate automatically to a client that you don't control other than building an installer package and asking them to run it. In this situation, if there are a lot of non-domain joined machines, a third party certificate is the way you need to go.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

• Custom Policy Step and the WS-Security header attribute "mustUnderstand"

    Hi there,
I have some issues testing the custom policy step that comes with OWSM (CustomAuthenticationStep), which I describe next.
    I manage to compile/deploy the custom step successfully. I also restart the server and add the brand new step into the request pipeline. The pipeline only has two steps, a log step and a custom authentication step.
    I develop a client for the gateway service which use the "Username to Authenticate" option of the Proxy Security. The other options (inbound/outbound integrity/encryption) are all unchecked.
    When I test the client, the following SOAP message is produced:
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ns0="http://agesic.entidad/types/"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    env:mustUnderstand="1">
    <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:Username>test</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    </env:Header>
    <env:Body>
    <ns0:reverseElement>
    <ns0:aString>Holas!</ns0:aString>
    </ns0:reverseElement>
    </env:Body>
    </env:Envelope>
    Which looks just fine. However I get the following exception:
    javax.xml.rpc.soap.SOAPFaultException: SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security
         at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
         at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
         at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
         at agesic.cliente.gateway.proxy.runtime.EchoReverseSoapHttp_Stub.reverse(EchoReverseSoapHttp_Stub.java:78)
         at agesic.cliente.gateway.proxy.EchoReverseSoapHttpPortClient.reverse(EchoReverseSoapHttpPortClient.java:44)
         at agesic.cliente.gateway.proxy.EchoReverseSoapHttpPortClient.main(EchoReverseSoapHttpPortClient.java:33)
    If i look at the log produced by the custom step, it looks like the step was successfully passed.
    ********** Entering Custom Authentication execute method **********
    Processing stage is Request
    Request SOAP message is <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="h
    ttp://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-ins
    tance" xmlns:ns0="http://agesic.entidad/types/" xmlns:wsu="http://docs.oasis-ope
    n.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><env:Header><wsse
    :Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004
    /01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.or
    g/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://sche
    mas.xmlsoap.org/soap/envelope/"><wsse:UsernameToken xmlns:wsse="http://docs.oasi
    s-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http:/
    /docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ws
    se:Username>test</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/
    wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse
    :Password></wsse:UsernameToken></wsse:Security></env:Header><env:Body><ns0:rever
    seElement><ns0:aString>Holas!</ns0:aString></ns0:reverseElement></env:Body></env
    :Envelope>
    User locale is English
    Client ip address is rhel4.tecinfo.com.uy:7777
    Verified user is test
The problem is with the mustUnderstand attribute. It looks like no step tells OWSM that it understands the header, so OWSM passes through the pipeline and when it ends it thinks that the header was not processed properly.
    I try to find documentation on this issue but I didn't find any.
    Any ideas? Is there any way to specify that the step actually understands the ws-security header?
    Thanks!
    Leo

    Ok. Thanks. The problem here is a little bit different. At the client side, we have the following:
    <?xml version="1.0" encoding="UTF-8"?>
    <oracle-webservice-clients xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:noNamespaceSchemaLocation='http://xmlns.oracle.com/oracleas/schema/oracle-webservices-client-10_0.xsd'>
    <webservice-client>
    <service-qname namespaceURI="http://agesic.entidad/" localpart="EchoReverse"/>
    <port-info>
    <wsdl-port namespaceURI="http://agesic.entidad/" localpart="EchoReverseSoapHttpPort"/>
    <runtime enabled="security">
    <security>
    <inbound/>
    <outbound>
    <username-token password-type="PLAINTEXT" add-nonce="false" add-created="false"/>
    </outbound>
    </security>
    </runtime>
    <operations>
    <operation name='reverse'>
    </operation>
    </operations>
    </port-info>
    </webservice-client>
    </oracle-webservice-clients>
The <outbound> here is required in order to use the WSS UserName token profile. I tried removing the <inbound/> to check if it was a problem like yours, but we still get the same exception.
    The problem seems to be with the gateway at the server side.
    Intercepting the communication between the client and the server, we are getting the following response:
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ns0="http://agesic.entidad/types/">
    <env:Body>
    <env:Fault>
    <faultcode>env:MustUnderstand</faultcode>
    <faultstring>SOAP must understand error:
    {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring>
    </env:Fault>
    </env:Body>
    </env:Envelope>
We need a way to instruct the gateway that it actually understands the WSS header.
    Any ideas?
    Thanks!
    Leo

  • OWSM custom step

I am creating an OWSM custom step for validating 'XML Signature Verification'. The step provided by the tool has some limitations (if otherwise please correct me).
    Only one certificate can be configured and the certificates need to be provided in jks file store.
    My requirements are a bit different. I am using both username token as well as XML signatures. Using the username I will retrieve the certificate from the LDAP or database. But my question is how do I verify the XML signature. Can I extend the step already provided in OWSM?
    I have already written a custom step that retrieves the certificate from the database using the username.
    Thanks,
    Sashwat


  • Custom Policy Step calling EJB

    Hi there,
I'm a newbie to OC4J and need some help in regards to some library issues. I've created an EJB using Spring and deployed it to the OC4J container. Then I created an OWSM custom policy step which retrieves the EJB bean using Spring and retrieves the custom security header, which I then add to the current SOAP header. I wasn't quite sure how to create the custom policy step jar as it contains my Spring jar as well as my EJB jar, so I used Maven to create the jar with all my dependent jars as well. Everything works great, as in, it retrieves the EJB, calls the method on the EJB which retrieves a value from LDAP and then uses that value to query our data store and then returns the object, but when it returns the object it throws the following exception:
java.lang.LinkageError: Class com/cochlear/erpsecurity/domain/ErpSoapHeader violates loader constraints
This is due to the fact that I have the ErpSoapHeader in my custom policy step jar as well as my EJB jar. When I don't include the EJB jar in my custom policy step jar, however, it gives a class not found exception when trying to load the EJB with Spring. Then I tried something dodgy and added the EJB jar to my server.xml in the oracle.wsm.gateway shared library, but this caused the linkage error as well.
Any help on how I can resolve this library issue will be greatly appreciated.
    Thanks so much,
    Ida


  • HTTP 503 after enabling OWSM policy on an ADF BC Service

    I deployed an ADF BC Service to soa_server1 and tested (no problem). But when I added an OWSM policy, I could no longer access the service, nor its WSDL contract.
Here are the steps:
    1. Deploy and test your ADF BC Service with no policy
    2. In EM, go to the Web Services menu item for the deployed service application, then Policies tab.
    3. Attach the "oracle/log_policy" policy to the service's endpoint
    4. Restart the application after saving the change (as EM tells you to do).
    5. Try to access your Service and/or the Service's WSDL ==> *503 Error*
    6. Use EM to Detach the policy on the service's endpoint
    7. Restart the application after saving the change
    8. Retest -- works fine.

    Note that I can apply the same policy at Develop-Time and deploy and that works.  i.e. Specific to Attaching the policy through EM.
    Actually, Firefox fooled me with a browser cache. The same problem occurs whether the policy is applied at Develop-Time or through EM.
    -Todd
    Edited by: tbeets on May 22, 2009 1:29 PM

  • ** OWSM Custom Step: Accessing OWSM Monitor Metrics Programmatically ?? **

    Hi all,
    I have posted this in the SOA Forum with no response, so trying my luck here.
    I would like to programmatically access the OWSM monitor metrics, specifically the Service Statistics (Traffic Analysis and Latency Variance).
    Is there any way to programmatically query the current Stats for the service protected by OWSM policies?
I would like to create a custom policy step that interrogates the current OWSM Monitor status of the service, and then acts on it accordingly.
    I have looked in the Extensibility Guide, but documentation is not very clear.
    I have found classes in com.cfluent.coreman.sdk.* and com.cfluent.webui.uibeans.opcockpit.* which seem useful, but no documentation is available as these APIs do not appear to be published.
    Any help would be greatly appreciated.

    I've come across the following Beans which look like they provide the details I need:
    com.cfluent.webui.uibeans.opcockpit.ServiceLatencyBean;
    com.cfluent.webui.uibeans.opcockpit.MessageTrafficBean;
    Has anyone used these and tried to access data via these beans directly?

  • Constant Verify Certificate Message in Mail

    Hi Forum,
In Mail on my Mac Mini I get a constant message of:
Verify Certificate
The identity of "Server" cannot be verified.
The server it mentions is an old email I used to use but now don't. It's been deleted from my accounts and doesn't exist. I can't find anywhere in this or Internet Accounts that makes reference to this server?!?!?! How can I find it? It's constant. I cancel the message and it reappears.

    First, and most important, never change the trust settings of any SSL certificate unless you created it yourself. That's one of the most dangerous things you can do with a computer.
    Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.
    Step 1
    From the menu bar, select
     ▹ System Preferences... ▹ Date & Time
Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the date and time shown (including the year) are correct, and correct them if not.
    Check the box marked
    Set date and time automatically
    if it's not already checked, and select one of the Apple time servers from the menu next to it.
    Step 2
    Triple-click anywhere in the line below on this page to select it:
    /System/Library/Keychains/SystemCACertificates.keychain
    Right-click or control-click the highlighted line and select
    Services ▹ Show Info
    from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.
    Repeat with this line:
    /System/Library/Keychains/SystemRootCertificates.keychain
    If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard (command-C). Open a TextEdit window and paste into it (command-V). Select the line you just pasted and continue as above.
    Step 3
    Launch the Keychain Access application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
    In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.
    In the Keychains list, there should be items named System and System Roots. If not, select
    File ▹ Add Keychain
    from the menu bar and add the following items:
    /Library/Keychains/System.keychain
    /System/Library/Keychains/SystemRootCertificates.keychain
From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu at the top, select
    When using this certificate: Use System Defaults
    Close the inspection window. You'll be prompted for your administrator password to update the settings. Revert all the certificates with non-default trust settings. Never again change any of those settings.
    Step 4
    Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.
    Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select
    Help ▹ Keychain Access Help
    from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.
    Step 5
    From the menu bar, select
    Keychain Access ▹ Preferences ▹ Certificates
    There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to  CRL.
    Step 6
    Triple-click anywhere in the line of text below on this page to select it:
    /var/db/crls
    Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
    Go ▹ Go to Folder...
    from the menu bar and paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.
    A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.
    Step 7
    Reboot, empty the Trash, and test.

  • Verify certificate using Bouncycastle (J2ME)

Good evening. I have a problem. I'm trying to verify a certificate but the signatures don't match!!!
    byte[] cert_decoded = Base64.decode(pem_cert);
    ASN1InputStream ais = new ASN1InputStream(cert_decoded);
    DERObject obj = ais.readObject();
    ASN1Sequence seq = (ASN1Sequence)obj;
    ais.close();
    X509CertificateStructure cert = new X509CertificateStructure(seq);
    // getting certificate signature
    byte[] signature = cert.getSignature().getBytes();
    // trying to get "to be signed" structure
    TBSCertificateStructure tbs = cert.getTBSCertificate();
    // is it correct? trying to get bytes array of TBS..
    byte[] tbs_byte = tbs.getEncoded();
    RSAEngine engine = new RSAEngine();
    // Is it correct? Cert uses "RSAwithSHA1"..
    SHA1Digest digest = new SHA1Digest();
// Public key I've got before from the signing CA cert...
    PSSSigner signer = new PSSSigner(engine, digest, 0);
    signer.init(false, pub);
    signer.update(tbs_byte, 0, tbs_byte.length);
    boolean istrue = signer.verifySignature(signature);
In all cases I'm getting FALSE 8( What's wrong? Please help! 8(
I tried to sign the TBS data using the CA's private key but the signatures don't match anyway...

I found example code here: http://www-128.ibm.com/developerworks/library/j-midpds.html
Below is that code pieced together with some minor fixes (seems they
had outdated calls to verifySignature() and generateSignature()).
This program runs and returns true for me. Maybe this can
help you figure out what's going on with your code...
import java.math.BigInteger;
import java.security.SecureRandom;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.digests.SHA1Digest;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters;
import org.bouncycastle.crypto.signers.PSSSigner;
import org.bouncycastle.util.encoders.Base64;
public class RSASigBCLW {
    private static BigInteger pubExp = new BigInteger("11", 16);
    private static RSAPrivateCrtKeyParameters privKey;
    private static RSAKeyParameters pubKey;
    public static void main(String[] args) {
        try {
            _main(args);
        } catch (Exception e) {
            System.out.println("ERROR: " + e.getMessage());
        }
    }
    /**
     * @param args unused
     */
    public static void _main(String[] args) throws Exception {
        SecureRandom sr = new SecureRandom();
        // 1024-bit modulus, public exponent 0x11, primality certainty 80
        RSAKeyGenerationParameters RSAKeyGenPara = new RSAKeyGenerationParameters(
                pubExp, sr, 1024, 80);
        RSAKeyPairGenerator RSAKeyPairGen = new RSAKeyPairGenerator();
        RSAKeyPairGen.init(RSAKeyGenPara);
        AsymmetricCipherKeyPair keyPair = RSAKeyPairGen.generateKeyPair();
        privKey = (RSAPrivateCrtKeyParameters) keyPair.getPrivate();
        pubKey = (RSAKeyParameters) keyPair.getPublic();
        String message = "this is a test message.";
        String signature = getSignature(message);
        boolean b = verify(message, signature, getMod(), getPubExp());
        System.out.println("verify? =" + b);
    }
    // Public key specific parameter.
    public static String getMod() throws Exception {
        return (new String(Base64.encode(pubKey.getModulus().toByteArray())));
    }
    // General key parameter. pubExp is the same as pubKey.getExponent()
    public static String getPubExp() throws Exception {
        return (new String(Base64.encode(pubExp.toByteArray())));
    }
    // RSASSA-PSS over SHA-1 with a 64-byte salt; the verifier must use the same salt length
    static public String getSignature(String mesg) throws Exception {
        SHA1Digest digEng = new SHA1Digest();
        RSAEngine rsaEng = new RSAEngine();
        PSSSigner signer = new PSSSigner(rsaEng, digEng, 64);
        signer.init(true, privKey);
        byte[] mbytes = mesg.getBytes();
        signer.update(mbytes, 0, mbytes.length);
        byte[] sig = signer.generateSignature();
        String result = new String(Base64.encode(sig));
        return result;
    }
    static public boolean verify(String mesg, String signature, String mod, String pubExp) {
        BigInteger modulus = new BigInteger(Base64.decode(mod));
        BigInteger exponent = new BigInteger(Base64.decode(pubExp));
        SHA1Digest digEng = new SHA1Digest();
        RSAEngine rsaEng = new RSAEngine();
        // Rebuild the public key from its transported modulus and exponent
        RSAKeyParameters pubKey = new RSAKeyParameters(false, modulus, exponent);
        PSSSigner signer = new PSSSigner(rsaEng, digEng, 64);
        signer.init(false, pubKey);
        byte[] mbytes = mesg.getBytes();
        signer.update(mbytes, 0, mbytes.length);
        boolean res = signer.verifySignature(Base64.decode(signature));
        return res;
    }
}
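    The reply above shows PSS signing and verification of a string, but a certificate whose signatureAlgorithm is sha1WithRSAEncryption (OID 1.2.840.113549.1.1.5) is signed with PKCS#1 v1.5 padding, so a PSSSigner will never accept it; RSASSA-PSS is a different algorithm with its own identifier. The following is an added example, not code from either poster or from the IBM article, written against the current Bouncy Castle bcprov/bcpkix API (the J2ME-era X509CertificateStructure and TBSCertificateStructure named in the question have since been replaced by org.bouncycastle.asn1.x509.Certificate and TBSCertificate). It verifies a certificate's signature with the issuer's public key through RSADigestSigner, checks the algorithm identifier first, and builds a throwaway self-signed certificate as constructed test input. Class and method names are this example's own.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.Date;

import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.RSAPublicKey;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.crypto.digests.SHA1Digest;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.signers.RSADigestSigner;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class CertSignatureCheck {

    /**
     * Checks that certDer was signed by the RSA key in issuerCertDer using
     * sha1WithRSAEncryption, i.e. PKCS#1 v1.5 padding (RSADigestSigner), not PSS.
     * Only the signature is checked; validity period, name chaining, key usage
     * and revocation are separate checks a full path validator must also make.
     */
    public static boolean verifySha1WithRsa(byte[] issuerCertDer, byte[] certDer) throws Exception {
        Certificate cert = Certificate.getInstance(certDer);
        Certificate issuer = Certificate.getInstance(issuerCertDer);

        // The outer signatureAlgorithm must be sha1WithRSAEncryption and must equal
        // the one inside tbsCertificate (RFC 5280, 4.1.1.2); refuse anything else
        ASN1ObjectIdentifier sigAlg = cert.getSignatureAlgorithm().getAlgorithm();
        if (!PKCSObjectIdentifiers.sha1WithRSAEncryption.equals(sigAlg)
                || !cert.getSignatureAlgorithm().equals(cert.getTBSCertificate().getSignature())) {
            throw new IllegalArgumentException("unexpected signature algorithm: " + sigAlg);
        }

        // Issuer public key -> lightweight-API RSAKeyParameters (the 'pub' of the question)
        SubjectPublicKeyInfo spki = issuer.getSubjectPublicKeyInfo();
        RSAPublicKey rsaPub = RSAPublicKey.getInstance(spki.parsePublicKey());
        RSAKeyParameters pub = new RSAKeyParameters(false, rsaPub.getModulus(), rsaPub.getPublicExponent());

        // What was signed is the DER encoding of tbsCertificate; the signature is the BIT STRING's octets
        byte[] tbs = cert.getTBSCertificate().getEncoded(ASN1Encoding.DER);
        byte[] sig = cert.getSignature().getOctets();

        RSADigestSigner verifier = new RSADigestSigner(new SHA1Digest());
        verifier.init(false, pub);
        verifier.update(tbs, 0, tbs.length);
        return verifier.verifySignature(sig);
    }

    /** Constructed test input: a throwaway self-signed certificate, so the issuer key is its own key. */
    public static byte[] makeSelfSignedCert(KeyPair kp) throws Exception {
        X500Name name = new X500Name("CN=constructed test CA");
        long now = System.currentTimeMillis();
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                name, BigInteger.ONE, new Date(now), new Date(now + 24L * 3600 * 1000), name,
                SubjectPublicKeyInfo.getInstance(kp.getPublic().getEncoded()));
        ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(kp.getPrivate());
        return builder.build(signer).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        byte[] cert = makeSelfSignedCert(kpg.generateKeyPair());

        System.out.println("intact certificate verifies: " + verifySha1WithRsa(cert, cert));

        // Flip one bit in the last signature byte: the structure still parses, the signature must fail
        byte[] tampered = cert.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("tampered certificate verifies: " + verifySha1WithRsa(cert, tampered));
    }
}
```

    The algorithm check matters as much as the verification itself: a verifier that silently accepts whatever the certificate claims as its algorithm can be steered toward a weaker scheme, so the code decides which algorithm it is willing to verify and rejects everything else before touching the key.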

  • Securing web services SOAP headers against OWSM policy

    Hi,
    I need to authenticate the user against the OWSM policy. The caller will pass username and password in SOAP headers and I need to attach WSS policy to my exposed web service.
    How to extract the Header information and then validate them against the policy.
    A simple HelloWorld sample will be of great help.
    regards
    Sanjeev

    Hi,
For service authentication, add the policy wss_username_token_service_policy to the client composite. Create a user in the security realms in the administration console.
While testing the service, select the WSS username token option under the security tab and test with valid credentials, or from SoapUI:
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>USER CREATED IN SECURITY REALMS</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PSWD ENTERED FOR THE SAME USER IN SECURITY REALMS</wsse:Password>
    </wsse:UsernameToken></wsse:Security> WITH INPUT
