Signing XML and Canonicalization

Similar Messages

• Use Sign.xml and Encrypt.xml for both request AND response within WSDL?

  Hi,
  ALSB: 2.6
  I was wandering if it's possible to use abstract outof the box WS-Policy file within WSDL file to specify encryption
  (Encrypt.xml) and digital signature(Sign.xml) with X509 for both request and response???
  So far, it only works for either request or response BUT not both. i.e. within WSDL file
  <!-- following WSDL works for encrypting and signing request with X509 in test console -->.....
  <wsdl:binding name="DexService2Soap" type="tns:DexService2Soap">
      <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document" />
      <wsdl:operation name="Message">
              <soap:operation soapAction="urn:moe:dex:dexservice:2.0.0/Message" style="document" />
                            <wsdl:input>
                             <!-- WS-Policy file applied here -->
                           <wsp:Policy>
                                          <wsp:PolicyReference URI="policy:Sign.xml"/>
                                          <wsp:PolicyReference URI="policy:Encrypt.xml"/>
                                     </wsp:Policy>
                                   <soap:body use="literal" />
                             </wsdl:input>
                           <wsdl:output>
                                <soap:body use="literal" />
                             </wsdl:output>
      </wsdl:operation>
    </wsdl:binding>
             Or
  <!-- following WSDL works for encrypting and signing response with X509 in test console -->
  <wsdl:binding name="DexService2Soap" type="tns:DexService2Soap">
      <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document" />
      <wsdl:operation name="Message">
              <soap:operation soapAction="urn:moe:dex:dexservice:2.0.0/Message" style="document" />
                            <wsdl:input>
                                   <soap:body use="literal" />
                             </wsdl:input>
                           <wsdl:output>
                                     <!-- WS-Policy file applied here -->
                                     <wsp:Policy>
                                          <wsp:PolicyReference URI="policy:Sign.xml"/>
                                          <wsp:PolicyReference URI="policy:Encrypt.xml"/>
                                     </wsp:Policy>
                                <soap:body use="literal" />
                             </wsdl:output>
      </wsdl:operation>
    </wsdl:binding>
  But not both
  <!-- following WSDL doesn't work for encrypting and signing both response and request with X509 in test console -->
  <wsdl:binding name="DexService2Soap" type="tns:DexService2Soap">
      <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document" />
      <wsdl:operation name="Message">
              <soap:operation soapAction="urn:moe:dex:dexservice:2.0.0/Message" style="document" />
                            <wsdl:input>
                                      <!-- WS-Policy file applied here -->
                                     <wsp:Policy>
                                          <wsp:PolicyReference URI="policy:Sign.xml"/>
                                          <wsp:PolicyReference URI="policy:Encrypt.xml"/>
                                     </wsp:Policy>
                                   <soap:body use="literal" />
                             </wsdl:input>
                           <wsdl:output>
                                     <!-- WS-Policy file applied here -->
                                     <wsp:Policy>
                                          <wsp:PolicyReference URI="policy:Sign.xml"/>
                                          <wsp:PolicyReference URI="policy:Encrypt.xml"/>
                                     </wsp:Policy>
                                <soap:body use="literal" />
                             </wsdl:output>
      </wsdl:operation>
    </wsdl:binding>
  ...      Instead, I got error message like
  <15/01/2008 10:15:04 AM NZDT> <Error> <ALSB Security> <BEA-387023> <An error ocurred during web service security inbound response processing [error-code: Fault
  , message-id: 3917705281899426819-4368b1eb.117762cff6e.-7fdb, proxy: DexServiceX509-Stub/Proxy Services/DexServiceX509-ProxyService, operation: Message]
  --- Error message:
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode>
  <faultstring>Failed to get token for tokenType: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</faultstring></soapenv:Fa
  ult></soapenv:Body></soapenv:Envelope>
  weblogic.xml.crypto.wss.WSSecurityException: Failed to get token for tokenType: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#
  X509v3
  at weblogic.xml.crypto.wss.SecurityBuilderImpl.addEncryption(SecurityBuilderImpl.java:308)
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processConfidentiality(SecurityPolicyDriver.java:280)
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:75)
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:64)
  at weblogic.wsee.security.WssServerHandler.processOutbound(WssServerHandler.java:86)
  Truncated. see log file for complete stacktrace
  >
  <15/01/2008 10:15:24 AM NZDT> <Error> <com.bea.weblogic.kernel> <000000> <Failed to build CertPath
  java.security.cert.CertPathBuilderException: [Security:090603]The certificate chain is invalid because it could not be completed. The trusted CAs did not inclu
  de CN=x509,OU=x509,O=x509,L=Wellington,ST=Wellington,C=NZ.
  at weblogic.security.providers.pk.WebLogicCertPathProviderRuntimeImpl$JDKCertPathBuilder.engineBuild(WebLogicCertPathProviderRuntimeImpl.java:669)
  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
  at com.bea.common.security.internal.legacy.service.CertPathBuilderImpl$CertPathBuilderProviderImpl.build(CertPathBuilderImpl.java:67)
  at com.bea.common.security.internal.service.CertPathBuilderServiceImpl.build(CertPathBuilderServiceImpl.java:86)
  at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
          Truncated. see log file for complete stacktrace
  >
  <15/01/2008 10:15:24 AM NZDT> <Error> <ALSB Security> <BEA-387022> <An error ocurred during web service security inbound request processing [error-code: Fault,
  message-id: 3917705281899426819-4368b1eb.117762cff6e.-7fd8, proxy: DexServiceX509-Stub/Proxy Services/DexServiceX509-ProxyService, operation: null]
  --- Error message:
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><soapenv:Fault xmlns:wsse="http://docs.oasis-open.or
  g/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><faultcode>wsse:InvalidSecurityToken</faultcode><faultstring>Security token failed to validate. weblo
  gic.xml.crypto.wss.SecurityTokenValidateResult@3c5347b[status: false][msg [
    Version: V1
    Subject: CN=x509, OU=x509, O=x509, L=Wellington, ST=Wellington, C=NZ
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key:  Sun RSA public key, 1024 bits
    modulus: 13052787793731294943682394984664645854838424340012907077330623....
    The 'System Error Handler' from 'Invocation Trace' in ALSB test console is something like
  [pre]     
  $fault:
  <con:fault xmlns:con="http://www.bea.com/wli/sb/context">
       <con:errorCode>BEA-386201</con:errorCode>
       <con:reason>
            A web service security fault
            occurred[{http://schemas.xmlsoap.org/soap/envelope/}Server][Failed
            to get token for tokenType:
            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3]
       </con:reason>
       <con:details>
            <err:WebServiceSecurityFault
                 xmlns:err="http://www.bea.com/wli/sb/errors">
                 <err:faultcode
                      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
                      soapenv:Server
                 </err:faultcode>
                 <err:faultstring>
                      Failed to get token for tokenType:
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
                 </err:faultstring>
            </err:WebServiceSecurityFault>
       </con:details>
       <con:location>
            <con:path>response-pipeline</con:path>
       </con:location>
  </con:fault>
  So is this a feature not supported in ALSB 2.6 yet or am I missing something dead simple?
  Thanks in advance
  Sam

  Instead of specifying policies for input and output separately you could place the policy reference only once in the operation element. Maybe will this solve your problem...
  http://e-docs.bea.com/alsb/docs26/security/ws_policy.html#wp1061166

• Authentication between Single Sign-On and Web based applications

  Hi everyone,
  I need to create a way in Portal 10g (10.1.2.0.2) that allow me to do the following:
  Once the user is logged on Portal (against Single Sign-On - SSO) he doesn't need to retype his username/password when he access a web based application throught the portal, in my case, an ASP application (not .NET, just ASP).
  I made a test creating a External Application in SSO and after publishing this portlet (external application) inside portal.
  It worked, BUT I was prompted to inform username/password to log on the aplication.
  So, the user end up entering his password twice.
  Does anybody know a way to acomplish this task?
  The documentation I'm researching is:
  Oracle Application Server Single Sign-On
  Administrator's Guide
  10g Release 2 (10.1.2)
  B14078-02
  Oracle Application Server Single Sign-On
  Security Guide
  10g Release 2 (10.1.2)
  B13999-03
  Thank you very much,
  Diogo Santos.

  have figured out how to secure any HTML, ASP, PHP, CFM, etc. web page again Portal / OID using the PDK toolkit.
  Using AJAX (Asynchronous JavaScript and XML) and one Oracle Stored Procedure just adding a simple Javascript call to any HTML, ASP, PHP, etc. web page can secure it via Oracle SSO (OID). Access to any secured web page will require that it to be linked from an authenticated Portal session or a page opened in an authenticated Portal session.
  This process can be easily modified to add in group security etc. This is just my starting point.
  1) Create a stored procedure
  # Make sure it has access to portal.wwctx_api.is_logged_on
  CREATE OR REPLACE PROCEDURE login_ajax_check (
  display_error IN number default NULL) AS
  BEGIN NULL;
  If portal.wwctx_api.is_logged_on = false then
  htp.prn('DENY');
  ELSE
  htp.prn('ALLOW');
  END IF;
  Exception when others then htp.p('DENY');
  END;
  2) Use this Javascript in any page you wish to secure.
  <-- Begin Paste Here -->
  <script>
  var allowgo=2
  function ajaxCallRemotePage(url)
  if (window.XMLHttpRequest)
  // Non-IE browsers
  req = new XMLHttpRequest();
  req.onreadystatechange = processStateChange;
  req.open("GET", url, false);
  req.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
  req.send(null);
  else if (window.ActiveXObject)
  // IE
  req = new ActiveXObject("Msxml2.XMLHTTP");
  req.onreadystatechange = processStateChange;
  req.open("GET", url, false);
  req.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
  req.send();
  else
  return; // Navigateur non compatible
  // process the return of the "ajaxCallRemotePage"
  function CheckPortal()
  ajaxCallRemotePage('[Your page calling the procedure from above]');
  function processStateChange()
  if (req.readyState == 4)
  if (req.status == 200)
  if (req.responseText.substring(0,4) == 'ALLO')
  allowgo = 0;
  else
  allowgo = 1;
  function doPage()
  if (allowgo==1)
  window.location='[Your login or error page]';
  CheckPortal();
  doPage();
  </script>
  <-- End Paste Here -->
  That's it!!! Super easy. It works great too.
  Larry Schenavar
  [email protected]

• Single sign-on and custom DBLoginModule

  Hi,
  I need help in making sso work. I have Application Server version 10.1.3.1.0, I've developed application in JDeveloper 10.1.3.3. that uses form based login and when deployed to server I can normally login/logout. Now I want to enable single sign on, so I've changed security provider of javasso to the one I'm using in my application (oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule) and started javasso, added my application to participating applications, and restarted the instance.
  When I try to access my application, login page of javasso is shown but I cannot login, always get incorrect username/password. The strange thing is that logs are empty, so i guess that dblogin module is never fired.
  Also I've changed my login method so it supports identity callback, like described in here .
  This Re: Custom Login Module and JavaSSO said that orion-application.xml of my application and javasso should be the same, I haven't figured out what should I do with javasso orion-application.xml and how sould it look like.
  this is orion-application.xml of my application
  <?xml version = '1.0' encoding = 'windows-1250'?>
  <orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd">
  <library path="./adf"></library>
  <jazn location="./jazn-data.xml" provider="XML"/>
      <data-sources path="./data-sources.xml"/>
  <jazn-loginconfig>
       <application>
            <name>secure-web-app</name>
            <login-modules>
                 <login-module>
                      <class>oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule</class>
                      <control-flag>required</control-flag>
                      <options>
                           <option>
                                <name>data_source_name</name>
                                <value>jdbc/WMSPortalDS</value>
                           </option>
                           <option>
                                <name>debug</name>
                                <value>true</value>
                           </option>
                           <option>
                                <name>plsql_procedure</name>
                                <value>PK_SECURITY.GET_USER_AUTHENTICATION</value>
                           </option>
                           <option>
                                <name>log_level</name>
                                <value>ALL</value>
                           </option>
                      </options>
                 </login-module>
            </login-modules>
       </application>
  </jazn-loginconfig>        
  </orion-application>this is orion-application.xml of javasso
  <?xml version = '1.0' encoding = 'utf-8'?>
  <orion-application
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"
      schema-major-version="10"
      schema-minor-version="0"
      component-classification="internal">
  <security-role-mapping name="{{PUBLIC}}">
      <group name="{{PUBLIC}}" />
  </security-role-mapping>
  <jazn provider="XML">
  </jazn>
  </orion-application>Please help, this is very urgent to me, all advices and guide lines are more than welcome.
  Thanks in advance,
  Tomislav.

  To be clear maybe someone will help.
  I have a cluster topology, with one application server and 3 oc4j instances.
  I've done following steps and without success, on my test instance:
  1. Deployed application with custom DBLogin (I'm using: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule)
  2. Sucessfully login / logout -> so I guess DBLogin is working fine
  3. Stopped the java sso application
  4. Changed the javasso Security Provider to my custom DBLogin with following parameters:
  class: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule
  data_source_name - jdbc/WMSPortalDS
  log_level - ALL
  plsql_procedure - PK_SECURITY.GET_USER_AUTHENTICATION
  debug - true
  5. Added Connection Pool and Data Source in javasso Administration -> JDBC -> tested connections and it was sucessful
  6. Started javasso application
  7. Then I went to Java SSO Configuration -> Participating applications -> checked my application
  8. Restarted instance
  9. Try to login -> invalid username / password
  In enerprise manager Log files -> javasso -> there are only messages regarding starting and stopping application
  Questions:
  1. orion-application.xml for javasso -> what exactly needs to be specified inside, currently I have following:
  <?xml version="1.0"?>
  <orion-application  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"  deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" component-classification="internal"
    schema-major-version="10" schema-minor-version="0" >
          <web-module id="javasso-web" path="javasso-web.war" />
          <security-role-mapping name="{{PUBLIC}}">
                  <group name="{{PUBLIC}}" />
          </security-role-mapping>
          <persistence path="persistence" />
          <jazn provider="XML">
                  <property name="custom.loginmodule.provider" value="true" />
                  <property name="role.mapping.dynamic" value="true" />
          </jazn>
          <log>
                  <file path="application.log" />
          </log>
          <data-sources path="./data-sources.xml" />
  </orion-application>2. orion-application.xml for my application
  <?xml version="1.0"?>
  <orion-application  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"  deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" see-parent-data-sources="false" component-classification="external"
    schema-major-version="10" schema-minor-version="0" >
          <web-module id="Portal" path="Portal.war" />
          <persistence path="persistence" />
          <library path="./adf" />
          <jazn provider="XML" location="jazn-data.xml" default-realm="jazn.com" >
                  <property name="custom.loginmodule.provider" value="true" />
                  <property name="role.mapping.dynamic" value="true" />
                  <jazn-web-app auth-method="CUSTOM_AUTH" />
          </jazn>
          <log>
                  <file path="application.log" />
          </log>
          <data-sources path="./data-sources.xml" />
  </orion-application>3. How to get any information into logs, I cannot find out what I'm doing wrong since there's no output in logs for javasso and my application.
  Please help, I'm really stuck and I have to resolve this as soon as possible.
  Thanks in advance,
  Tomislav.

• NullPointerException while sending signed XML via SOAP to Axis webservice

  Hello,
  I was wondering if it was possible to change the behavior of Apache XML Security libraries and delete "ds:" namespaces while digitally signing XML files.
  We are trying to send signed XML to a local chilean IRS, as a part of an automatic autentication process. The steps to authenticate are quite straightforward and involve:
  1. Obtain from webservice 1 a "seed", which is a random number representing temporal session opened
  2. Sign this seed (in XML format) using our certificate
  3. Send signed XML to another webservice 2, which should validate it and open a permanent session, returning a "token", which is an alphanumeric string
  What happens is that steps 1 and 2 are completed without problems, while we cannot pass step 3. The webservice (as far I know mounted on Apache Axis) fails with ugly error "NullPointerException".
  The IRS says that our signed XML, although valid, seems strange to them, as it contains those "ds:" added by Apache Xml Security libraries while signing the file.
  So here comes the question: is it possible to obtain valid signed XML without those "ds:"? What other reasons may result in that NullPointerException error?
  We use simple Java class and VeriSign certificate stored in Java keystore to sign XML files, and Apache Xml Security 1.2.0 jars.
  For any clues that could help us thank you in advance.
  Jack

  Hi,
  Few months ago we had also problems with "locked user" in XI, in our case XIAPPLUSER was sometimes (b)locked.
  Perhaps note:
  721548 Changing the passwords of the XI 3.0 service users
  will help you.
  We removed and entered the service users again, with the password in CAPITALS and language blank.
  After that our problem was solved, I hope yours too.
  Regards
  Jack

• XML and its influence over program design (2 issues)

  I have 2 open questions about XML and Java. I apologise if they are not clear-cut or specific enough, but really I am fishing for sound advice.
  I am trying to develop a J2EE application but find myself stuttering at an early stage because I cannot decide on the best design for my application. Part of my problem is a lack of experience with the different J2EE technologies/API (especially XML APIs), and the realisation that there is 101 ways to do what I want to do.
  A major issue is this: my application basically is concerned with representing conversations between the server and a user, e.g. a simple sequence of yes/no questions asked by the server to the user, which the user replies to in turn. I believe that the XML format would be a very suitable way to represent these conversations. My first question is:
  * Should the decision to use XML as a storage format influence the design of the rest of the program? I feel that in choosing XML to represent the conversation data, I am stuck thinking about the rest of my program in a XML way (i.e. doing everything using a DOM etc.). Am I right in thinking that my program should be designed in such a way that an XML-based storage system could be easily interchanged with, say, a relational flat-tabled database?
  My second question is:
  * Imagine that each conversation contains one or more questions, and there are, say, 4 different types of question (e.g. yes/no, multiple choice, etc.). Each of these needs to be handled in a different way. Is there a good pattern or recommended way of handling this sort of situation in code, ideally avoiding a big 'if' or switch statement (e.g. if the node is of "ABC" type do this, else if it is "yes/no"...). It would be great if one could easily add new types of question to the XML and then similarly one can make easy additions to the code to cope with these new cases.
  Thank you very much indeed for any advice.
  Greg

  I am trying to develop a J2EE application but find
  myself stuttering at an early stage because I cannot
  decide on the best design for my application. Part of
  my problem is a lack of experience with the different
  J2EE technologies/API (especially XML APIs), and theThat's nothing to be ashamed of. And realising that you lack experience and trying to remedy that is a good sign.
  A major issue is this: my application basically is
  concerned with representing conversations between the
  server and a user, e.g. a simple sequence of yes/no
  questions asked by the server to the user, which the
  user replies to in turn. I believe that the XML
  format would be a very suitable way to represent
  these conversations. My first question is:
  XML might be overkill if it's just a question followed by an answer and neither contains complex hierarchical data structures.
  * Should the decision to use XML as a storage format
  influence the design of the rest of the program? ICertainly not.
  XML should represent data structures that are natural to your program, thus becoming a tool rather than forcing its structure upon you.
  feel that in choosing XML to represent the
  conversation data, I am stuck thinking about the rest
  of my program in a XML way (i.e. doing everything
  using a DOM etc.). Am I right in thinking that my
  program should be designed in such a way that an
  XML-based storage system could be easily interchanged
  with, say, a relational flat-tabled database?
  Flexibility is good to keep in mind, but at the moment I'd worry about just getting something to work.
  * Imagine that each conversation contains one or more
  questions, and there are, say, 4 different types of
  question (e.g. yes/no, multiple choice, etc.). Each
  of these needs to be handled in a different way. Is
  there a good pattern or recommended way of handling
  this sort of situation in code, ideally avoiding a
  big 'if' or switch statement (e.g. if the node is of
  "ABC" type do this, else if it is "yes/no"...). It
  would be great if one could easily add new types of
  question to the XML and then similarly one can make
  easy additions to the code to cope with these new
  cases.
  Think of a factory that creates the handlers on the fly based on the actual message received.
  If the factory makes use of some mapping construct to do so there's no need for any conditionals at all in your decision tree.
  I've myself used XML structures successfully to define such mappings (and so have others) on disc, but simple ones can be easily represented using just a properties file.

• Correlate XML and PDF file/mail

  Following ugly requirement: PI receives XMLfiles and mails with PDF attachment. The XML contains the plain invoice data, the PDF is the signed invoice. PI sends both types as files to the customer. But the customer wants that files which belong together (see below) are sent within a time interval of max. 6 hours.
  Problem is, the PDF is signed by an external partner which may need longer than those 6 hours. And the supplier is not able to hold back the corresposing XML files.
  I fear the only way to solve it is by integration process (?)
  The XML has a file reference tag, which corresponds to the mail attachment name, so in theory, we know what fits together. But the PDF is a binary message, so how to definine a correlation definition on it ? Do I need to map the PDF into an own XML structure, e.g. some header tag which contains the attachment name, and a base64 tag which contains the PDF ? But then I would later have to recreate the binary PDF, after the 2 messages are correlated. Is that possible in the process ? Can I map message 2 again when it leaves the process ?
  We are on PI 7.0, soon 7.1
  CSY

  Additional info: I just implemented the solution with 2 receiver interfaces. And write both messages with file reveiver channels, one of them uses the PayloadSwapBean. Works great. The solution is better than the zip option, because now I can even set the filename as I want:
  1. for the XML file, I can just use the adapter specific attribute filename (= use the name of the original XMLfile)
  2. for the PDF file, this does not work without additional change because it was read as attachment with the XML file, and so gives the name of the XML file, and the original PDF filename is not in the PI message anymore. But I just add a Java mapping in the routing of the PDF file, and set the needed filename value in dynamic configuration (read the value, remove .xml and append .pdf)
  CSY

• Signed XML in SOAP Adapter

  Hello Experts,
  I have a scenario with receiver SOAP adapter, I have used the security profile in the channel and receiver agreement i have selected sign and all rudimentary requirements..
  But im unable to see the signed payload in the CC monitoring..it should be in the format
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="................</wsse:BinarySecurityToken>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
  <ds:Reference URI="#id-24819136">
  <ds:Transforms>
  <ds:Transform Algorithm=...........
  Im not able to see it in the SOAP adapter...have i missed something in the config...I have generated the cert in visual admin and given the correct values too in the channel and recv agreement.
  Can ne one elucidate on this please...
  How can i view the signed xml coming from the SOAP adapter?
  Regards,
  Farooq
  Edited by: Farooq Hussain on Nov 12, 2008 7:46 PM

  Hi  Farooq
  You have generated certificates? this will encrypt complete xml while sending. for that you need to set procedure as Encrypt this is what my understanding in this.
  XML Signature
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/55814003-0b01-0010-1ca2-c683a191ebfc
  Did you have checked with this
  Using Digital Signatures in XI
  it doesn't talk about generating the certificate and encrypting complete message but it actually encrypt complete message when you generate certificate.
  How XML Encryption can be done using web services security in SAP NetWeaver XI
  This also speaks similar. I am not able to get the link .. try search for "Ensure the Confidentiality of Your SOAP Message Content" to understand more on this
  Thanks
  Gaurav

• Digitally Signing XML messages

  My servlets receive XML messages and after processing and filling in some values, Digitally Sign the XMLs and send over secure connection to another server. How could possibly this be performed?
  Please support your answer with code samples.
  Awaiting Response

  Hi,
  You may need to sigm in, but try this (it's free)
  http://207.68.162.250/cgi-bin/linkrd?_lang=EN&lah=7ffae4f4a6000dbf55d82280194c86c1&lat=1031873112&hm___action=http%3a%2f%2fwww%2einformit%2ecom%2fcontent%2findex%2easp%3fproduct_id%3d%7bC5920864%2d705B%2d45D3%2dBF71%2dC1E18270319A%7d%26amp%3b090102
  yes, bit of a mouthful, isn't it?
  best
  kev
  (probably a digital signature)

• Transforming signed XML document with namespace invalidates signature

  I am running into a problem signing an XML document. Well, signing the document isn't the problem, as I can sign it and then verify the signature with the public key successfully. The problem comes when I transform the document to a string. It all appears to be OK, but when I transform it back, the hash no longer verifies. After more testing, it appears that the issue is related to namespaces. When I remove namespaces from the document, the signing and transformations work just fine. Does anyone have any insight on this?
  Here is how I am transforming the document to an XML string that I and back.
      try
        signSAML( doc, assertionElement );
        xmlSource = new DOMSource( doc );
        baos = new ByteArrayOutputStream();
        outputTarget = new StreamResult( baos );
        xmlString  = new String( new ByteArrayInputStream( baos.toByteArray() ) );
        transformerFactory = TransformerFactory.newInstance();
        transformer = transformerFactory.newTransformer();
        transformer.transform( xmlSource, outputTarget ); 
        boolean verified = verify( doc );
        if ( verified )
          System.out.println( "Verified" );
        else
          System.out.println( "UNVerified" );
      catch ( Exception e )
        // TODO Auto-generated catch block
        e.printStackTrace();
      }

  jtahlborn wrote:
  i'm not talking about the transform, i'm talking about this line:
  xmlString  = new String( new ByteArrayInputStream( baos.toByteArray() ) );which is a great way to break xml data.Yes. That's not the only kind of data it's good at breaking, either.
  To the OP: just have your transform output to a StringWriter in the first place. Don't muck about converting between chars and bytes unless you know the correct encoding and use it. Which you don't know it and you didn't use it.

• Copy Signed XML without altering it

  Hi everyone,
  I have a windows 2003 svr with JRE 1.6.0_18, and xmlsec v1.2.97 jar imported.
  I'm building a new module of an existing application, which creates xml for invoices, signs them, and sends them to another company. This signed XMLs are stored on the filesystem.
  I need to copy one of such xml files, lets call it A.xml (with valid signature, I checked using DOM's security validation tools) into another xml, lets say B.xml, without altering the contents of A.xml ( therefore voiding the signature ).
  Then I have to sign B.xml
  I have tried the following so far:
  1. using Filereader to copy byte by byte to B.xml.
  2. using inputstreamreaders (with apropriate encoding parameter) and copy line by line.
  3. using DOM to add new node, and Transformer API to generate B.xml (proper enconding parameters are being set)
  when I run a signature validation on B.xml, the signature has become invalid.
  One intresting thing though, is that if I use method 1 to copy A.xml to another xml having only A's tree, this new XML has a valid signature.
  Has anyone gone through something similar?
  I'm I missing something?
  or is it that whenever I insert an XML into another, it's signature will become void?
  Thank you in advance for your help and time!
  Regards,
  Reynod

  Well, #1 should work. Although I didn't understand what you said about "A's tree". Either you copy the file byte for byte (in which case you don't break the signature) or you produce something different (in which case you break the signature).
  Anything which changes the contents of the XML should generate a document whose signature is invalid. That's the main point of signing a document.

• My Iphoto application stays on the opening loading sign stage and won't open up at all

  Hi there - first time user, so please be patient ...
  Does anyone know why my Iphoto won't open?  I can't figure out why it just stays on the opening loading sign stage and won't open up any more - was working previously but seems to freeze in that opening symbol stage now whenever I try to directly open it or use it through the application field to open any jpeg format.
  Cheers
  Henrie

  What version of iPhoto? Assuming 09 or later
  Option 1
  Back Up and try rebuild the library: hold down the command and option (or alt) keys while launching iPhoto. Use the resulting dialogue to rebuild. Choose to Rebuild iPhoto Library Database from automatic backup.
  If that fails:
  Option 2
  Download iPhoto Library Manager and use its rebuild function. This will create a new library based on data in the albumdata.xml file. Not everything will be brought over - no slideshows, books or calendars, for instance - but it should get all your albums and keywords back.
  Because this process creates an entirely new library and leaves your old one untouched, it is non-destructive, and if you're not happy with the results you can simply return to your old one. .
  Regards
  TD

• OSB: fn-bea:inlinedXML format my signed XML

  Hello.
  I'm trying to replace my output xml message with the same message, but digitally signed.
  My proxy flow looks like:
  1. Call to BS.
  2. In response, take the output from BS and digitally sign it (Service callout to a signing service).
  3. Take the output from that service (it returns the signed xml into a "CDATA" section).
  4. Extract the xml (CDATA), and call to fn-bea:inlinedXML
  5. Substitute the output message with the xml in point 4).
  But "inlinedXML" seems to format the xml string (whitespace, line breaks,...), so the sign is no longer valid.
  ¿Can OSB convert from string to xml without formatting?.
  Thanks.

  Hello.
  Does anyone knows how to tell OSB to stop formatting my XML?.
  Thanks.

• Oracle.security.crypto.cert.PKCS7 signing xml message

  Dear All
  Can anybody have java sample code to sign xml message by using oracle.security.crypto.cert.PKCS7 libarary.
  Regards
  Aamir

  Hi Michal,
  > about a WM application (which only has SAP in the name)
  I'm afraid you have a completely wrong understanding of the Business Connector... 
  About 10-20% of the code (everything that deals with RFC communication, IDoc processing and conversion of IDoc/function module data to and from XML) has been developed here at SAP. And with release 4.7 (2003), SAP obtained 100% control over the source code, and we have done many fixes and enhancements in the webMethods part of the code (as well as in our own...) since then.
  I just wanted to make this point clear...
  BTW: the problem reported here is neither related to webMethods, nor to SAP: it's simply a problem with the certificate (probably a mismatch between private key and public key?!)
  Best Regards, Ulrich
  (SAP BC team)

• Multiple plugtmp-1 plugtmp-2 etc. in local\temp folder stay , crossdomain.xml and other files containing visited websitenames created while private browsing

  OS = Windows 7
  When I visit a site like youtube whith private browsing enabled and with the add-on named "shockwave flash" in firefox add-on list installed and activate the flashplayer by going to a video the following files are created in the folder C:\Users\MyUserName\AppData\Local\Temp\plugtmp-1
  plugin-crossdomain.xml
  plugin-strings-nl_NL-vflLqJ7vu.xlb
  The contents of plugin-crossdomain contain both the "youtube.com" adress as "s.ytimg.com" and is as follows:
  <?xml version="1.0"?>
  <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
  -<cross-domain-policy> <allow-access-from domain="s.ytimg.com"/> <allow-access-from domain="*.youtube.com"/> </cross-domain-policy>
  The contents of the other file I will spare you cause I think those are less common when I visit other sites but I certainly don't trust the file. The crossdomain.xml I see when I visit most other flashpayer sites as well.
  I've also noticed multiple plugin-crossdomain-1.xml and onwards in numbers, I just clicked a youtube video to test, got 6 of them in my temp plus a file named "plugin-read2" (no more NL file cause I changed my country, don't know how youtube knows where I'm from, but that's another subject, don't like that either). I just noticed one with a different code:
  <?xml version="1.0"?>
  -<cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy>
  So I guess this one comprimises my browsing history a bit less since it doesn't contain a webadress. If these files are even meant to be deposited in my local\temp folder. The bigger problem occurs when they stay there even after using private browsing, after clearing history, after clearing internet temporary files, cache, whatever you can think of. Which they do in my case, got more than 50 plugtmp-# folders in the previous mentioned local\temp folder containing all website names I visited in the last months. There are a variety of files in them, mostly ASP and XML, some just say file. I have yet to witness such a duplicate folder creation since I started checking my temp (perhaps when firefox crashes? I'd say I've had about 50 crashes in recent months).
  I started checking my temp because of the following Microsoft Security Essential warnings I received on 23-4-12:
  Exploit:Java/CVE-2010-0840.HE
  containerfile:C:\Users\Username\AppData\Local\Temp\jar_cache2196625541034777730.tmp
  file:C:\Users\Username\AppData\Local\Temp\jar_cache2196625541034777730.tmp->pong/reversi.class
  and...
  Exploit:Java/CVE-2008-5353.ZT
  containerfile:C:\Users\Noname\AppData\Local\Temp\jar_cache1028270176376464057.tmp
  file:C:\Users\Noname\AppData\Local\Temp\jar_cache1028270176376464057.tmp->Testability.class
  Microsoft Security Essentials informed me that these files were quarantained and deleted but when going to my temp file they were still there, I deleted them manually and began the great quest of finding out what the multiple gigabytes of other files and folders were doing in that temp folder and not being deleted with the usual clearing options within firefox (and IE).
  Note that I have set my adobe flasplayer settings to the most private intense I could think of while doing these tests (don't allow data storage for all websites, disable peer-to peer stuff, don't remember exactly anymore, etc.). I found it highly suspicious that i needed to change these settings online on an adobe website, is that correct? When right-clicking a video only limited privacy options are available which is why I tried the website thing.
  After the inital discovery of the java exploit (which was discovered by MSE shortly after I installed and started my first scan with Malwarebytes, which in turn made me suspicious whether I had even downloaded the right malwarebytes, but no indication in the filename if I google it). Malwarebytes found nothing, MSE found nothing after it said it removed the files, yet it didn't remove them, manually scanning these jar_cache files with both malwarevytes and MSE resulted in nothing. Just to be sure, I deleted them anyways like I said earlier. No new jar_cache files have been created, no exploits detected since then. CCleaner has cleaned most of my temp folder, I did the rest, am blocking all cookies (except for now shortly), noscript add-on has been running a while on my firefox (V 3.6.26) to block most javascripts except from sites like youtube. I've had almost the same problem using similar manual solutions a couple of months ago, and a couple of months before that (clearing all the multiple tmp folders, removing or renaming jar_cache manually, running various antmalware software, full scan not finding a thing afterwards, installing extra add-ons to increase my security, this time it's BetterPrivacy which I found through a mozilla firefox https connection, I hope, which showed me nicely how adobe flash was still storing LSO's even after setting all storage settings to 0 kb and such on the adobe website, enabling private browsing in firefox crushed those little trolls, but still plugtmp trolls are being created, help me crush them please, they confuse me when I'm looking for a real threat but I still want to use flash, IE doesn't need those folders and files, or does it store them somewhere else?).
  I'm sorry for the long story and many questions, hope it doesn't scare you away from helping me fight this. I suspect it's people wanting to belong to the hackergroup Anonymous who are doing this to my system and repeating their tricks (or the virus is still there, but I've done many antivirus scans with different programs so no need to suggest that option to me, they don't find it or I run into it after a while again, so far, have not seen jar_cache show up). Obviously, you may focus on the questions pertaining firefox and plugtmp folders, but if you can help me with any information regarding those exploits I would be extremely grateful, I've read alot but there isn't much specific information for checking where it comes from when all the anti-virus scanners don't detect anything anymore and don't block it incoming. I also have downloaded and installed process monitor but it crashes when I try to run it. The first time I tried to run it it lasted the longest, now it crashes after a few seconds, I just saw the number of events run up to almost a million and lots of cpu usage. When it crashed everything returned back to normal, or at least that's what I'm supposed to think I guess. I'll follow up on that one on their forum, but you can tell me if the program is ligit or not (it has a microsoft digital signature, or the name micosoft is used in that signature).

  update:
  I haven't upgraded my firefox yet because of a "TVU Web Player" plugin that isn't supported in the new firefox and I'm using it occasionally, couldn't find an upgrade for it. Most of my other plugins are upgraded in the green (according to mozilla websitechecker):
  Java(TM) Platform SE 6 U31 (green)
  Shockwave for Director (green - from Adobe I think)
  Shockwave Flash (green - why do I even need 2 of these adobe add-ons? can I remove one? I removed everything else i could find except the reader i think, I found AdobeARM and Adobe Acrobat several versions, very confusing with names constantly switching around)
  Java Deployment Toolkit 6.0.310.5 (green, grrr, again a second java, why do they do this stuff, to annoy people who are plagued with java and flash exploits? make it more complicating?)
  Adobe Acrobat (green, great, it's still there, well I guess this is the reader then)
  TVU Web Player for FireFox (grey - mentioned it already)
  Silverlight Plug-In (yellow - hardly use it, I think, unless it's automatic without my knowing, perhaps I watched one stream with it once, I'd like to remove it, but just in case I need it, don't remember why I didn't update, perhaps a conflict, perhaps because I don't use it, or it didn't report a threat like java and doesn't create unwantend and history compromising temp files)
  Google Update (grey - can I remove? what will i lose? don't remember installing it, and if I didn't, why didn't firefox block it?)
  Veetle TV Core (grey)
  Veetle TV Player (grey - using this for watching streams on veetle.com, probably needs the Core, deleted the broadcaster that was there earlier, never chose to install that, can't firefox regulate that when installing different components? or did i just miss that option and assumed I needed when I was installing veetle add-on?)
  Well, that's the list i get when checking on your site, when i use my own browseroptions to check add-ons I get a slightly different and longer list including a few I have already turned off (which also doesn't seem very secure to me, what's the point in using your site then for anything other than updates?), here are the differences in MY list:
  I can see 2 versions of Java(TM) Platform SE 6 U31, (thanks firefox for not being able to copy-paste this)
  one "Classic Java plug-in for Netscape and Mozilla"
  the other is "next generation plug-in for Mozilla browsers".
  I think I'll just turn off the Netscape and Mozilla one, don't trust it, why would I need 2? There I did it, no crashes, screw java :P
  There's also a Mozilla Default plugin listed there, why does firefox list it there without any further information whether I need it or not or whether it really originates from Mozilla firefox? It doesn't even show up when I use your website plugin checker, so is there no easy way by watching this list for me to determin I can skip worrying about it?
  There's also some old ones that I recently deactivated still listed like windows live photo gallery, never remember adding that one either or needing it for anything and as usual, right-clicking and "visit homepage" is greyed out, just as it is for the many java crap add-ons I encountered so far.
  Doing a quick check, the only homepage I can visit is the veetle one. The rest are greyed out. I also have several "Java Console" in my extentions tab, I deactivated all but the one with the highest number. Still no Java Console visible though, even after going to start/search "java", clicking java file and changing the settings there to "show" console instead of "hide" (can't remember exact details).
  There's some other extentions from noscript, TVU webplayer again, ADblock Plus and now also BetterPrivacy (sidenote, a default.LSO remains after cleanup correct? How do I know that one isn't doing anything nasty if it's code has been changed or is being changed? To prevent other LSO's I need to use both private browsing and change all kinds of restrictions online for adobe flashplayer, can anyone say absurd!!! if you think you're infected and want to improve your security? Sorry that rant was against Adobe, but it's really against Anonymous, no offense).