Secured Sybase Web Service with outside certificate authority
Hello,
I would like to use Secured Sybase Web Service with outside certificate authority, like Symantec. Could you let me know how I can create CSR for sending to Symantec? What other steps do I need to do?
Thanks,
Sudarat.
Hello Jason,
Thanks for your reply. The certificate authority requires the CSR file before issuing a signed certificate. If this were a signed certificate for an IIS web server, I could create the CSR from IIS. But I cannot use a signed certificate created from an IIS CSR with Sybase Web Service. Below are the steps I have tried.
1. I use CreateCert.exe with the /r parameter to create a CSR and private key.
2. I sent the CSR to a certificate authority and they sent back a signed certificate.
3. I have to combine the signed certificate from #2 with the private key created from #1, then specify that file with -xs{https …when starting the service.
Are the above steps what I have to do? If so, do I need to redistribute createcert.exe to my customers who want to use my application, and how? Why can't I use the signed certificate created from the IIS CSR?
Thanks,
Sudarat.
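The pairing rule behind step 3 and the IIS question, as an added example that is not part of the original post: a signed certificate only works with the private key whose public half was in the CSR, so a certificate issued from an IIS-generated CSR pairs with the key that IIS holds. It uses the openssl CLI with constructed keys and a throwaway CA in place of CreateCert.exe and the commercial CA; the function names and the certificate-then-key file layout are assumptions.

```shell
#!/bin/sh
# Added example: constructed keys, a throwaway CA and hypothetical function names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the example does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
EOF

# SHA-256 fingerprint of a public key, taken from a private key file or a certificate.
fp_der()  { openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }
fp_key()  { openssl pkey -in "$1" -pubout | fp_der; }
fp_cert() { openssl x509 -in "$1" -noout -pubkey | fp_der; }

# Throwaway CA standing in for the commercial CA.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
}

# new_key_and_csr NAME: the private key is created, and stays, on the host that builds the CSR.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=service.example.test" 2>/dev/null
}

# ca_sign NAME: the CA sees only the CSR (public key plus subject), never the private key.
ca_sign() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/$1.crt" -days 1 2>/dev/null
}

# cert_matches_key CERT KEY: true when the certificate binds the key's public half.
cert_matches_key() { [ "$(fp_cert "$1")" = "$(fp_key "$2")" ]; }

# build_identity CERT KEY OUT: combine certificate and key only when they pair up.
build_identity() {
    if ! cert_matches_key "$1" "$2"; then
        echo "refusing: $1 was not issued for the key in $2" >&2
        return 1
    fi
    (umask 077; cat "$1" "$2" > "$3")   # identity file contains a private key
}

make_test_ca
new_key_and_csr service   # CSR created with the service's own tooling
new_key_and_csr iis       # stands in for a CSR created inside IIS
ca_sign service
ca_sign iis

build_identity "$WORK/service.crt" "$WORK/service.key" "$WORK/service.pem" \
    && echo "service.crt + service.key: identity file written"
build_identity "$WORK/iis.crt" "$WORK/service.key" "$WORK/mixed.pem" \
    || echo "iis.crt + service.key: rejected, the matching key never left the other host"
```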
Similar Messages
-
Importing external web service with SSL certificate security
Hello,
I'm trying to import an external web service (that resides in another server, independent of ours). However, right after I enter the WSDL in the import window I get the following error in the NWDS:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [Error: com.sap.ide.es.core.ui.internal.wizards.fragments Thread[ModalContext,6,main]]
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.getURLAsStream(UrlValidationRunnable.java:137)
at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.validate(UrlValidationRunnable.java:75)
at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.run(UrlValidationRunnable.java:55)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
... 15 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
... 21 more
Has anyone ever consumed an external web service with SSL certificate security? How do you import this in your Web Dynpro project?
Cheers!
Hi Alain,
I just checked on a newer NW environment (NW 7.2) and was presented an empty list as well... It seems the mapping procedure I described is deprecated since NW 7.11, and the modeled CAF application service is already exposed as a web service.
You may want to have a look at http://help.sap.com/saphelp_nwce711/helpdata/en/43/f173947bbb025be10000000a1553f7/content.htm or http://scn.sap.com/message/7852996 for more info -
Test Web Services with X509 Certificate
Hello,
We'd like to perform a test of our web services with an X509 Certificate. I have been using SOAPSonar to do my test up to this point. But the version I have will not allow me to test with a certificate. It appears I will need to purchase the software upgrade in order to test with a certificate.
Must I use this software or is there another method/software I can use to do this testing?
Can Altova's XMLSpy test with an X509 certificate?
Thanks,
Matt
Neetesh,
It looks like SOAPUI will work. I am currently looking into it.
Ravi - I'm not sure what software these steps are referring to? Is that for XMLSpy?
Thanks,
Matt
Edited by: Matthew Herbert on Dec 2, 2009 8:56 PM -
How to implement the security in web service with Weblogic 9.2
I've generated a web service with WebLogic 9.2 using an existing WSDL (as per client requirement) and want to add a security policy for authentication.
I have used the following annotation in the service class.
@Policies({
@Policy(uri="policy:Auth.xml" , direction=Policy.Direction.inbound)
})
But it gives a compile-time error with the following message.
The Policy and Policies annotations are not allowed on jws file when compiledWsdl option is specified
I've also tried to modify the WSDL to accommodate the policy configuration and regenerate the web service, but the problem remains.
If anybody has a solution to this issue then please let me know ASAP.
Did you get an answer to your question? I have the same problem with WebLogic 10.0.
-
Connect to Secure web service with certificate from SAP EP
Hi Experts,
Here is the current situation:
1. Our business requirement is to connect to a 3rd party RESTful web service which requires a secure connection with a private client certificate attached
2. I've tested in my Java test application and successfully attached the private certificate to an HttpsURLConnection request to the web service and made a connection. No problem at all.
KeyStore keyStore = KeyStore.getInstance("PKCS12");
InputStream inputStream = new FileInputStream("privateKeyCert.p12");
keyStore.load(inputStream, "myPassword".toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, "myPassword".toCharArray());
KeyManager[] kms = keyManagerFactory.getKeyManagers();
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(kms, null, new SecureRandom());
SSLSocketFactory sockFact = sslContext.getSocketFactory();
URL url = new URL("https://www.thirdpartywebservice.com/testroot/");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(sockFact);
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setUseCaches(false);
conn.setDefaultUseCaches (false);
conn.setRequestProperty("Content-Type", "text/xml");
3. Next, I tried to apply my Java application to SAP EP NetWeaver, and found that I have to use SecureConnectionFactory:
https://help.sap.com/saphelp_nw70ehp1/helpdata/en/e2/71c83edf72e16be10000000a114084/content.htm
4. So, I modified my Java code for SAP EP:
KeyStore keyStore = KeyStore.getInstance("PKCS12");
InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("privateKeyCert.p12");
keyStore.load(inputStream, "myPassword".toCharArray());
SecureConnectionFactory scFactory = new SecureConnectionFactory(keyStore);
HttpURLConnection conn = scFactory.createURLConnection("https://www.thirdpartywebservice.com/testroot/");
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setUseCaches(false);
conn.setDefaultUseCaches (false);
conn.setRequestProperty("Content-Type", "text/xml");
And I'm facing the following error message:
Exception: java.security.UnrecoverableKeyException: java.security.GeneralSecurityException: Unable to decrypt private key: javax.crypto.BadPaddingException: Invalid PKCS#5 padding length: 253
Could you please help me understand what this error message means?
Do you think I need to do some other configuration to make a connection to the web service with a client certificate?
This is our first approach. Please help...
Thank you in advance.
SunJSSE implements the SSL server CertificateRequest in strict mode: if the client fails to find a proper certificate corresponding to the server request, it does not guess what the proper certificate is and send it to the server. In your case, because there is no intermediate certificate in the client context, there is no way to decide which certificate would be acceptable to the server, so the client does not send any certificate to the server. That's why you got a handshaking error.
I guess your client key store does not contain a full certificate path from the client end-entity certificate to the root CA. Please import the full certificate path into the key store.
BTW, these approaches should work, but I found no reason why one does not adopt #1:
1. import the full certification path of client certificate into client key store.
2. as a workaround, configure the server to send a list including the intermediate certificates;
3. as a workaround, you will have to customize the client KeyManager if you don't want to or are not able to configure the server to send a list including the intermediate certificates. -
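What "import the full certification path" means in practice, as an added example that is not part of the original reply: a leaf-only PKCS12 store gives no way to build a path to the root (the same class of failure as the "PKIX path building failed" trace earlier on this page), while a store exported with the intermediate and root carries the whole chain. The openssl CLI, the three-level constructed PKI, the password and the function names are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: every key, certificate and password below is constructed.
set -eu
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
P12_PASS=changeit   # constructed demo password

# Minimal config; the v3_ca section marks root and intermediate as CA certificates.
cat > "$PKI/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_csr NAME CN: fresh RSA key plus CSR.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$PKI/ca.cnf" \
        -keyout "$PKI/$1.key" -out "$PKI/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# build_pki: root CA -> intermediate CA -> client end-entity certificate.
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$PKI/ca.cnf" -extensions v3_ca \
        -keyout "$PKI/root.key" -out "$PKI/root.crt" \
        -subj "/CN=Constructed Root CA" -days 1 2>/dev/null
    new_csr int "Constructed Intermediate CA"
    openssl x509 -req -in "$PKI/int.csr" -CA "$PKI/root.crt" -CAkey "$PKI/root.key" \
        -CAcreateserial -extfile "$PKI/ca.cnf" -extensions v3_ca \
        -out "$PKI/int.crt" -days 1 2>/dev/null
    new_csr client "constructed-client"
    openssl x509 -req -in "$PKI/client.csr" -CA "$PKI/int.crt" -CAkey "$PKI/int.key" \
        -CAcreateserial -out "$PKI/client.crt" -days 1 2>/dev/null
    cat "$PKI/int.crt" "$PKI/root.crt" > "$PKI/chain.pem"
}

# path_builds [INTERMEDIATES]: true when a path from client.crt to the root can be
# built, optionally with extra (untrusted) intermediates supplied by the peer.
path_builds() {
    if [ $# -gt 0 ]; then
        openssl verify -CAfile "$PKI/root.crt" -untrusted "$1" "$PKI/client.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$PKI/root.crt" "$PKI/client.crt" >/dev/null 2>&1
    fi
}

# export_p12 OUT [CHAIN_PEM]: client key and certificate, plus the chain when given.
export_p12() {
    if [ $# -gt 1 ]; then
        openssl pkcs12 -export -inkey "$PKI/client.key" -in "$PKI/client.crt" \
            -certfile "$2" -name client -passout "pass:$P12_PASS" -out "$1"
    else
        openssl pkcs12 -export -inkey "$PKI/client.key" -in "$PKI/client.crt" \
            -name client -passout "pass:$P12_PASS" -out "$1"
    fi
}

# p12_cert_count FILE: number of certificates stored in the PKCS12 file.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

build_pki
export_p12 "$PKI/leaf-only.p12"
export_p12 "$PKI/full-chain.p12" "$PKI/chain.pem"

if path_builds; then echo "root only: path builds"
else echo "root only: no path, the intermediate is missing"; fi
if path_builds "$PKI/int.crt"; then echo "root + intermediate: path builds"; fi
echo "leaf-only.p12 holds $(p12_cert_count "$PKI/leaf-only.p12") certificate(s)"
echo "full-chain.p12 holds $(p12_cert_count "$PKI/full-chain.p12") certificate(s)"
```

For a store that JSSE loads, `keytool -list -v` reports the same figure as "Certificate chain length" for each key entry.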
Web Service (SSL) and certificates (keytool) with Internet Explorer
Hi,
Followed these steps http://www.grallandco.com/blog/archives/2006/10/using_htts_with.html to have a secure SSL web service (with client authorization).
Tested from JDeveloper, it worked OK.
Now I would like to test it with Internet Explorer, but now the server asks for a certificate before Internet Explorer shows the parameters page to invoke the web service.
I generated self-signed certificates and a keystore using keytool. (This keystore is used by the OC4J and my proxy client.)
Imported this certificate (.cer) to Internet Explorer successfully, but when accessing the URL for the web service (https) Internet Explorer does not show this certificate to use it, so it failed to connect...
Could keytool certificates be used by Internet Explorer for this purpose? What am I doing wrong?
Thanks
J.
Hi,
I already configured HTTPS client authentication for OC4J, and you can work with the following steps:
1. Create a keystore for OC4J with Java keytool
2. Use openssl to create a certificate for your server (private key, certificate)
3. Use keytool to import your server's certificate (2) into the keystore (1)
4. Generate the client certificate (4)
5. Sign the client certificate (4) with the private key and server certificate (2)
6. Import the client certificate into Windows (you should create a keystore in PKCS12 format)
You can use "Java Certificate Services" to help you create keystores in multiple formats or sign certs....
Rgs -
Rgs -
Use of security in web service
Hi,
I have tried to use security from the example jaas-sample of jwsdp 1.5 .
I just want to secure my web service with a username/password.
When I called my service from the client...I see the xml flow :
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
<wsse:UsernameToken>
<wsse:Username>Ron</wsse:Username>
<wsse:Password>****</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">3k18Sv+DMhcO3aoq6YWLB4xa</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2005-03-01T15:26:05Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</env:Header>
<env:Body>
<ns0:getInformations/>
</env:Body>
</env:Envelope>
it seems to be correct but I have an exception :
Thread : main at 01 mars 2005 16:10:06,593 ERROR Error occured during retrieving informations
java.rmi.ServerException: JAXRPCSERVLET28 : Informations sur le port manquant
at com.sun.xml.rpc.client.StreamingSender._raiseFault(StreamingSender.java:497)
at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:294)
It works when I do not use the security option (in wscompile) ...
Have you any idea for a solution?
Hi,
I tried the xws-security samples and everything worked fine.
After editing the "java.security" according to the manual with:
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
After that change and a restart of the application server I get the same error message.
I copied the jar file "bcprov-jdk14-127.jar" from bouncycastle to the jre/lib/ext folder.
I will check further.
br
Dieter -
Biztalk 2010 - Consume Web Service with Certificate
Hi
I have to consume a Java web service with BizTalk that requires authentication via a client certificate. Until now I have not been able to consume any web service where any kind of authentication was needed. Simple web services without authentication are no problem. Also using SoapUI works perfectly fine.
I am generating the XSDs and the port binding with the WCF wizard in VS2010. I've read several comments that it's not possible to consume web services with the WCF-WSHttp adapter when the message format should be SOAP 1.1. Therefore I'm trying with the WCF-BasicHttp and WCF-Custom adapters, but I did not succeed in receiving a positive response yet.
The web service I want to consume uses a client certificate (with a private key) and two root certificates. When I use the BasicHttp adapter I choose either 'Transport' or 'TransportWithMessageCredential' but neither of them works. I also have to supply a client and a service certificate. I always use the one with the private key for the client but I'm not sure which one I have to use for the service. Is there a possibility that I have to provide both root certificates and if so, how can I achieve this?
Hope the question makes sense somehow... thanks for any input.
The error message that I currently receive is that the server needs a client certificate. However I attached it in the send port properties under the tab "Security" => mode "TransportWithMessageCredential".
Adapter: WCF-Custom
Binding: customBinding
Cannot send pictures (yet).
<configuration>
<enterpriseLibrary.ConfigurationSource selectedSource="ESB File Configuration Source" />
<system.serviceModel>
<client>
<endpoint address="...." behaviorConfiguration="EndpointBehavior" binding="customBinding" bindingConfiguration="ReceiptBinding" contract="BizTalk" name="WebServicePort" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="EndpointBehavior">
<clientCredentials>
<clientCertificate findValue="..." x509FindType="FindByThumbprint" />
<serviceCertificate>
<defaultCertificate findValue="..." storeLocation="LocalMachine" storeName="AuthRoot" x509FindType="FindByThumbprint" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior" />
</serviceBehaviors>
</behaviors>
<bindings>
<customBinding>
<clear />
<binding name="ReceiptBinding">
<textMessageEncoding messageVersion="Soap11" />
<security authenticationMode="MutualCertificate" />
<httpsTransport proxyAuthenticationScheme="Basic" requireClientCertificate="true" />
</binding>
</customBinding>
</bindings>
</system.serviceModel>
</configuration> -
Securing web services with Sun Access Manager
Hi!
I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
My questions are:
1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
2) Are there any documentation/tutorials/etc?
Thanks in advance :-)
Anders
What you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA WebLogic provider.
The "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" a webservices agent, but a normal J2EE policy agent.
So, having said that, here's what I'd recommend.
1. Install the webservices agent on BEA WebLogic. (Note: NOT the J2EE policy agent.)
2. Configure it to use your Access Manager instance for authentication.
3. Configure your webservices client to use the webservice provider. (Note: you'd need the webservices APIs available on the client too... so the quick and dirty method would be to install the webservices agent on your client too....) You can later bundle the webservices client independently and provide your "customers" with a webservices client bundle...
4. Voila... your webservices are not "protected" by Access Manager ;-) -
SSL Certificate necessary for web Service with HTTPS encoding?
Hi experts,
I want to create a Web Service with HTTPS. Now when I create an endpoint in transaction SOAMANAGER, I use "Transport Guarantee Type" HTTPS. I'm a little bit confused, because under "Authentication Method" I have different options which I don't understand.
Under Authentication Method, there are some check boxes.
What's the difference between HTTP Authentication and Message Authentication?
(Why) can I use User ID/Password as Authentication Method with HTTPS? I think I need X.509 SSL Client Certificate.
What is a Logon Ticket?
Is there good documentation on the web that explains the meaning of the different options and when to use which option?
Thanks and regards,
Sebastian
Hi,
>>>WSDL in Integration Directory but that WSDL contains a like starting with the HTTP instead of HTTPS! My question is how to generate a wsdl file with an HTTPS url to the web service,
you don't use the URL from ID - you need to create one yourself and put it there in the generator
Regards,
Michal Krawczyk -
Exception while accessing web service secure through web services Manager
Hi All,
I deployed some Hello World web service on JWSDP1.6 and secured it through web service manager (gateway) using certificate-based security. But when I try to access this web service using the JWSDP client, I get the following error while monitoring the SOAP messages through TCP-Monitor:
/////////////////////////////////Request///////////////////////////////////////////////////////////////
POST /gateway/services/SID0003009 HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 5631
SOAPAction: ""
User-Agent: Java/1.5.0_05
Host: ivy.cs.ucl.ac.uk:8082
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://hello.org/wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">eN9famBBWzHNUIwWRhMPktcM+VQ=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>MHjtgA4wOtvI1B+SuRVEmD07yE+jl6axd4XbJ0nvQ3EzSuVVoST9vHzURh+B47yj41187s8T+yjt
Bmpk9OB278Jghonkacv6r+q+LVlxRrQDudNGir7plzFeM6bUadMxf+FLgn5O0a44vU/tvy6V9+zi
yqFdhTvS21No/aW62No=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#XWSSGID-1155126003241-1198323932"/></xenc:ReferenceList></xenc:EncryptedKey><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-11551260018331598979688">MIIC3TCCAkagAwIBAgIBATANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzEMMAoGA1UECBMD
U0NBMQwwCgYDVQQKEwNTVU4xHjAcBgNVBAMTFWNlcnRpZmljYXRlLWF1dGhvcml0eTAeFw0wNjAz
MTkxMzQ5MDJaFw0xNjAzMTYxMzQ5MDJaMEcxCzAJBgNVBAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAK
BgNVBAoTA1NVTjEcMBoGA1UEAxMTeHdzLXNlY3VyaXR5LWNsaWVudDCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAzNDPKUz1MhUH1LsrLqXKxciOKSWeTrdoe/SVwe/4uy5eobAWSsSTposaOYFy
uxf3cGCCIs7u0jMAXLQ9jzobDbt9XQ4tXPoBzKKzS+yU6hDk2TcOCkioeT9A9db5LF8yevhwXKB4
AJ1Eh//Dp/djoonXCCxsxupQZp3ueRJrR98CAwEAAaOB1jCB0zAJBgNVHRMEAjAAMCwGCWCGSAGG
+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUECH05VC3/WGW
H4AGD6tnH0h+kFUweQYDVR0jBHIwcIAUdry1wGRZ2fyJSKisVSxpMEmIiaahTaRLMEkxCzAJBgNV
BAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAKBgNVBAoTA1NVTjEeMBwGA1UEAxMVY2VydGlmaWNhdGUt
YXV0aG9yaXR5ggkA4HaEvd6hq8YwDQYJKoZIhvcNAQEEBQADgYEA0RhOk67pCrO6MgZZGqrmAMW6
76fZowBxTKlFq88nrf8v1MUxV8H9wgbTDrwR0HtxY3TGpDFw2tNAww2pyDX/pQ2Wt46ichluGxjf
aEV53loKTOM7syAmlicWqViGzBfgzriIl918TzFaX9BD/Y55bKZQk057maBCSkUuFfF453s=</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse enc env ns0 xsd xsi"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#XWSSGID-1155126002593447652186"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>UJ1kuwI+WuF/RkrQpZrj1GvraLI=</ds:DigestValue></ds:Reference><ds:Reference URI="#XWSSGID-1155126002602761294100"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>sKG/z5OIGgqJ2nw7JtpXyJzr8pY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SBc65VTG1xpEkRUTz70H0fVGIgoBJ0QnNad0k07RMSfw4vG1WHJdt19R05pO2AvU5aoYuBSaguJe
ZGEjmWzw8mnSWKBi+zeDMeJiwgqwW6HHHX9P7JDslxuTIqoJIVUbSjUTSVz6ww8siIK65quXdkMT
ZzLfp7Cd0gBuA3EEZpg=</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-11551260025411896275738">
<wsse:Reference URI="#XWSSGID-11551260018331598979688" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002602761294100"><wsu:Created>2006-08-09T12:20:02Z</wsu:Created><wsu:Expires>2006-08-09T12:20:07Z</wsu:Expires></wsu:Timestamp></wsse:Security></env:Header><env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002593447652186"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="XWSSGID-1155126003241-1198323932" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><xenc:CipherData><xenc:CipherValue>XNqEzHNp47ILtOagAUNCXYkxOCWv4CjHqmZ7j6VKN/NO96ce4BsNSL6lKzqa9dPxHB1sTVGZQ8KA
COQ6DGwyWCP8ip+CU2hor3uUAml7nzHTx1LUw3Db+0p31VAT3EqKJA3aFy38GQrBTr9ojMOUA6tm
Cj71yucN3UCKRUl3RpE8qU68y7AwNxPsyAZeSa2AVm2cmWvSDZlxgMsx+JCEZaf3+D0o1zMp0Fxb
MSISPt/JrEolt1H5UM1AoFGU4QkckWrQNLPyEF9oxEgZ8oCE5U8v/YJwZIAHFrx67XfaLwQLjzXw
VPigsH9gLkfbP2BU8Vp31GsPwBZtUeNz9S35+CZPD7EiqoAB1QuAxZkJV7n00VChYH+scT64tNja
c81bcD8tf4sAr7toCMNDAU6+74+Qy0EyPqgwLtotDxErn4kF8e72cONMMQBQ91tQs+iI+D6C1I6+
f9UiSfgtm/MTuKQK1CRqarEtI9N6lpqVH8k7ulUwH/jFstihxmhMJ3aZY+qQgSwSs3pwSSim+e18
eR7dOEq4vG8ivKuGvTDO4sSV2RP/nL/3eXr0y7eM0kMFKwTUA4JqL4Y/l8Bo/rie/ZXkkbF6hwEu
dX1QmB0gf5k=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></env:Body></env:Envelope>
////////////////////////////////Response///////////////////////////////////////////////////////////////
HTTP/1.1 100 Continue
Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
Date: Wed, 09 Aug 2006 12:28:47 GMT
HTTP/1.1 500 Internal Server Error
Date: Wed, 09 Aug 2006 12:28:47 GMT
Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
Connection: Keep-Alive
Keep-Alive: timeout=15, max=100
Content-Type: text/xml
Transfer-Encoding: chunked
157
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
0
So basically, what I am doing here is as follows:
HelloClient(using JWSPD1.6)->gateway(web service manager for securing the web service using message level security through certificate )->helloservice(deployed using JWSDP1.6)
I would appreciate it if someone could tell me the cause of this error. Thanks.
Kashif
Time to look into the gateway logs as stated by the fault ..
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
looks like the cipher step might have failed -
Unable to call WSS (WS-Security) enabled Web Service using UTL_DBWS
We are attempting to call a WSS (WS-Security) enabled Web Service from PL/SQL using the UTL_DBWS package (see [http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/u_dbws.htm#CHDIDGJH] ). We are doing this in similar fashion to [http://www.oracle-base.com/articles/10g/utl_dbws10g.php] with calls to utl_dbws.create_service, utl_dbws.create_call and utl_dbws.invoke.
Using this method we can successfully call an unsecured Web Service, but calls to WSS-enabled Web Services fail. We are currently using Oracle Database 10.2.0.3.
The failure we are getting is:
ORA-29532: Java call terminated by uncaught Java exception: javax.xml.rpc.soap.SOAPFaultException:
com.sun.xml.wss.XWSSecurityException: Message does not conform to configured
policy ( AuthenticationTokenPolicy(S) ): No Security Header found;nested
exception is com.sun.xml.wss.XWSSecurityException:
com.sun.xml.wss.XWSSecurityException: Message does not conform to configured
policy ( AuthenticationTokenPlicy(S) ): No Security Header found
Apparently UTL_DBWS does not support calling WSS enabled services, although this doesn't appear to be an officially recognised position. Does anyone know if Oracle are planning to support this soon (if ever)? Looking at Re: Calling WS from PL/SQL using WS-security suggests that support has been considered before, but not yet realised.
Thanks,
Tom
Having raised a Service Request with Oracle support on this, I got the following response from Oracle Development (on unpublished bug [8542959|https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=BUG&p_id=8542959]):
Development has confirmed that WS-Security is not supported through UTL_DBWS. They have also acknowledged that this is not documented and they will change the official Oracle documentation to reflect this fact. From what is being stated, it would appear that there is no plan to support the use of WS-Security through UTL_DBWS in any release in the near future.
So, in short, without developing your own home-grown SOAP request, there is no way to call a WSS enabled web service from within PL/SQL.
-Tom -
Issue with OSI PI WCF Web Service with wshttpbinding
Hi Experts,
System Details:
SAP MII 14 SP4
OSI PI Web Service: PITimeSeries
I am having an issue when trying to call the OSI PI web service using HTTP POST. It returns status 0 when I use the exception handler in BLS.
The same web service works fine with basichttpbinding (SOAP 1.1), but with wshttpbinding (SOAP 1.2) it gives an error.
Following are Web config binding details for web service.
<wsHttpBinding>
<binding name="wsBinding_2011" sendTimeout="00:01:00" receiveTimeout="00:10:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security mode="Message">
<message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
I am not sure whether it could be an issue with passing Windows credentials.
Has anybody consumed a WCF web service with wshttpbinding with security mode Message and clientCredentialType Windows?
Also, I was trying to pass the MYSAPSSO2 SSO token to the service in the HTTP POST, but first, I am not sure if this is the correct Windows token, and second, I do not know which header property of the service should be mapped, and I am not sure whether I am going in the right direction.
Please let me know what I am missing.
I have tried the following other options and tools:
SOAP UI: basichttpbinding works fine; for wshttpbinding I receive Internal Server error in the log and the Response is
The security context token is expired or is not valid.
MII Web Service Action Block: basichttpbinding works fine; for wshttpbinding I am not able to configure the URL through the wizard because, as per my discussion with other MII experts, MII does not support SOAP 1.2. That is one reason for using HTTP POST.
WCF Storm: both bindings work fine (there is an option to select Windows authentication and impersonation level as delegation)
WCF Test Client: both bindings work fine
Any help is appreciated.
Thanks & Regards,
Manoj Bilthare
Hi Sam,
The web service is valid; following are details of testing on various tools.
SOAP UI: basichttpbinding works fine; for wshttpbinding I receive an Internal Server Error in the log, and the response is: The security context token is expired or is not valid.
MII Web Service Action Block: basichttpbinding works fine; for wshttpbinding I am not able to configure the URL through the wizard because, as per my discussion with other MII experts, MII does not support SOAP 1.2. That is one reason for using HTTP POST.
WCF Storm: both bindings work fine (there is an option to select Windows authentication and impersonation level as delegation)
WCF Test Client: both bindings work fine
Please let me know if additional details are required.
Thanks & Regards,
Manoj Bilthare
-
Error while executing Secure SOAP web service from Web Service Navigator
Hi All,
I have created a web service for a stateless session bean choosing option "Secure SOAP".
When I am testing it through web service navigator, it is showing following error:-
Security: Authentication expected but missing
And in response text it is showing following :-
HTTP/1.1 500 Internal Server Error
Connection: close
Server: SAP J2EE Engine/7.00
Content-Type: text/xml; charset=UTF-8
Date: Wed, 17 Dec 2008 05:42:10 GMT
Set-Cookie: <value is hidden>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>Security: Authentication expected but missing</faultstring><detail><ns1:com.sap.engine.interfaces.webservices.runtime.ProtocolException xmlns:ns1='http://sap-j2ee-engine/error'>Security: Authentication expected but missing</ns1:com.sap.engine.interfaces.webservices.runtime.ProtocolException></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
Can anybody help me with the above?
And my second question: I have created a web service with the "Basic Auth SOAP" option, and while executing it in Web Service Navigator, it's asking for a username and password.
What role / right should be granted to this user so as to make him able to execute this web service? This user must be a UME user, correct?
Please help me in resolving this.
Thanks and regards,
Amey Mogare
Hi Fazal,
I have read the thread, but my questions are still unanswered.
1. I know how to set the username and password while using the "Basic Auth SOAP" protocol. But my question in this case is what access the user requires to be able to execute the web service.
2. And about Secure SOAP, why is the above-mentioned error appearing?
Thanks and regards,
Amey Mogare
-
WS-Security, WSE, Web Services, Authentication and Flex 2
Hey All,
I've been working hard on getting Flex to communicate with a
Microsoft .NET 2.0 Web Services project enabled with WSE 3.0
WS-Security. I can't seem to get the headers into the SOAP request
that I need.
For example, I can get a SOAP header into the message like
so:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header>
    <ns0:Security xmlns:ns0="http://tempuri.org/">
      <ns0:password>pass</ns0:password>
      <ns0:username>DOMAIN\Administrator</ns0:username>
    </ns0:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <HelloWorld xmlns="http://tempuri.org/" />
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
.. but, this isn't what my WSE, WS-Security enabled service
expects. Which is:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header>
    <wsa:Action>http://tempuri.org/HelloWorld</wsa:Action>
    <wsa:MessageID>urn:uuid:5be8b55a-df7b-4547-8def-76282fcd8b47</wsa:MessageID>
    <wsa:ReplyTo>
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:ReplyTo>
    <wsa:To>http://localhost/CampaignMojoAPI.asmx</wsa:To>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-aab299a8-81e3-4d8a-bfa4-555f38978584">
        <wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
        <wsu:Expires>2007-06-06T20:31:37Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="SecurityToken-b43668b1-51a3-4ba1-a90a-69eca3b98b66">
        <wsse:Username>DOMAIN\Administrator</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pass</wsse:Password>
        <wsse:Nonce>IK4ZemfS1pj3kpdYO5+FBg==</wsse:Nonce>
        <wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <HelloWorld xmlns="http://tempuri.org/" />
  </soap:Body>
</soap:Envelope>
I've tried "addSimpleHeader" and "addHeader", but both seem
to inject nested xml elements. Can anyone help me shape this WS
call into the format I need it in? Would it be possible to call
this WS manually via a direct HTTP post from Flex 2?
Thanks!,
Sean
Yeah,
Hey guys - thanks for the responses. I looked into this and
it seems no one uses WS-Security from the browser. That's why even
Google's APIs use alternative key logins, etc. I read from one user
that in the next version of Microsoft's AJAX platform that they
might support it, but that's about it. For now, it looks like
there's not even an AJAX/Javascript way to do this. If we could do
it via Javascript, then we could use the FABridge. I don't think
Flex supports it. I've tried to manipulate the headers into place
via Flex classes and I don't think enough control is there to get
the output in the form that's needed.
I think it's possible to write it in Javascript. But right
now my time budget just doesn't allow for it. I already spent two
whole days re-writing how Flex makes Web Service calls so they're
synchronous with timeouts instead of this massive amount of
asynchronous code they want you to write, so no more
re-writing/extending of components for me for a while.
But if anyone wants to work together to support it via
AJAX/Javascript, I would invest money into developing it.
I would like a public WS-Security AJAX/Javascript framework
for making these calls via WS-Security so I can offer customers a
standard way of accessing/authenticating against our public API
set. It would also make it possible for Flex to access standard web
services with WS-Security enabled.
Let me know what you guys think, or if anyone else has any
good suggestions/software.
Thanks much,
S.
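The envelope shape this thread's WSE service expects (WS-Addressing headers plus a wsse:Security header with Timestamp and UsernameToken), assembled in JavaScript as an added example that is not part of the original posts or of Flex or WSE. The names NS, xmlEscape, wsuTime and buildWsseEnvelope are hypothetical; the example assumes a runtime with btoa and crypto.getRandomValues, and that the request goes over HTTPS, since a PasswordText token carries the password in clear.

```javascript
// Added example; NS, xmlEscape, wsuTime and buildWsseEnvelope are hypothetical names.
const NS = {
  soap: "http://schemas.xmlsoap.org/soap/envelope/",
  wsa: "http://schemas.xmlsoap.org/ws/2004/08/addressing",
  wsse: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
  wsu: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
  pwText: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText",
};

// Escape values so a credential containing <, & or quotes cannot change the header structure.
function xmlEscape(s) {
  const map = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&apos;" };
  return String(s).replace(/[<>&"']/g, (c) => map[c]);
}

// wsu:Created / wsu:Expires: UTC, no milliseconds, as in the expected message.
function wsuTime(date) {
  return date.toISOString().replace(/\.\d{3}Z$/, "Z");
}

// body is XML built by the caller and inserted as-is; every other field is escaped.
function buildWsseEnvelope({ to, action, messageId, body, username, password, now = new Date(), ttlSeconds = 300, nonce }) {
  // Fresh random nonce per request unless one is injected (for tests).
  const bytes = nonce || globalThis.crypto.getRandomValues(new Uint8Array(16));
  const nonceB64 = btoa(String.fromCharCode(...bytes));
  const created = wsuTime(now);
  const expires = wsuTime(new Date(now.getTime() + ttlSeconds * 1000));
  return [
    `<soap:Envelope xmlns:soap="${NS.soap}" xmlns:wsa="${NS.wsa}" xmlns:wsse="${NS.wsse}" xmlns:wsu="${NS.wsu}">`,
    ` <soap:Header>`,
    `  <wsa:Action>${xmlEscape(action)}</wsa:Action>`,
    `  <wsa:MessageID>${xmlEscape(messageId)}</wsa:MessageID>`,
    `  <wsa:ReplyTo><wsa:Address>${NS.wsa}/role/anonymous</wsa:Address></wsa:ReplyTo>`,
    `  <wsa:To>${xmlEscape(to)}</wsa:To>`,
    `  <wsse:Security soap:mustUnderstand="1">`,
    `   <wsu:Timestamp><wsu:Created>${created}</wsu:Created><wsu:Expires>${expires}</wsu:Expires></wsu:Timestamp>`,
    `   <wsse:UsernameToken>`,
    `    <wsse:Username>${xmlEscape(username)}</wsse:Username>`,
    `    <wsse:Password Type="${NS.pwText}">${xmlEscape(password)}</wsse:Password>`,
    `    <wsse:Nonce>${nonceB64}</wsse:Nonce>`,
    `    <wsu:Created>${created}</wsu:Created>`,
    `   </wsse:UsernameToken>`,
    `  </wsse:Security>`,
    ` </soap:Header>`,
    ` <soap:Body>${body}</soap:Body>`,
    `</soap:Envelope>`,
  ].join("\n");
}
```

The returned string is the body of an HTTP POST sent with Content-Type text/xml and a SOAPAction header equal to the action value.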