Web service security with active directory

Hi,
i want to protect my webservice by using active directory for authentication.
(i am using jdeveloper 10.1.3.1 and bundled OC4J)
i follow the document web service developer guide (section External LDAP Security Providers) and set up the LDAP security provider...
in the OC4J web admin security page...i have press the 'test ldap authorization'
button to CONFIRM the ldap connection is correctly set.
but when i call the web service, deployed in that OC4J container,
operation fail with the following message :
javax.xml.rpc.soap.SOAPFaultException: UnsupportedCallbackException: oracle.security.jazn.callback.IdentityCallback@19f410 not available to gather authentication information from the user
at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
at test.proxy.ws1.runtime.MyWebService1SoapHttp_Stub.getUserNameYY(MyWebService1SoapHttp_Stub.java:134)
at test.proxy.ws1.MyWebService1SoapHttpPortClient.getUserNameYY(MyWebService1SoapHttpPortClient.java:50)
at test.proxy.ws1.MyWebService1SoapHttpPortClient.main(MyWebService1SoapHttpPortClient.java:33)
could anybody help me?
thank you very much

actually i use the default setting provided by oracle's configuration
wizard for active directory
User:
LDAP User Name Attribute: sAMAccountName
LDAP User Object Class : inetOrgPersion
User Search Scope: subtree
User Search Base: dc=xxx, dc=com
Groups:
LDAP Group Name Attribute: cn
LDAP Group Object Class: group
LDAP Group Member Attribute: member
Group Search Scope: subtree
Group Membership Search Scope: direct
Group Search Base: dc=xxx, dc=com
using the same user, user searchbase, i can search the AD using other
tools.
could anybody help me ?
thank yous.

Similar Messages

  • Web Service Security with SAML - Invalid XML signature

    Hello together,
    we want to build a scenario where we want to use Web Service Security  with SAML.
    The scenario will be
    WS Client (Java Application) -> WS Adapter -> Integration Engine ->  WS Adapter-> CRM (Web AS ABAP 7.01 SP 3)
    SAP PI release is 7.11 (SP Level 4)
    We want to use the SAML Authentification from WS Client to PI and from PI to Web AS ABAP.
    The SAML authentifications between the WS Client and PI works when there is no SAML auth between PI and CRM.
    But we get following error at calling the CRM system when we want to communicate with SAML:
      <E_TEXT>CX_WS_SECURITY_FAULT:Invalid XML signature</E_TEXT>
    Has somebody an idea of the possible reason for the error.
    Thanks in advance
    Stefan

    Error Messages in the Trace/Log Viewer:
    CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48
    A SOAP Runtime Core Exception occurred in method CL_ST_CRYPTO==================CM00G of class CL_ST_CRYPTO==================CP at position id 48  with internal error id 1001  and error text CX_WS_SECURITY_FAULT:Invalid XML signature (fault location is 1  ).
    Invalid XML signature

  • Java Web Services Security with 10.1.2.1

    I have developed a Java Web Service with J Developer 10.1.2.1 which was deployed onto Oracle 10.1.2.1 application server. Now I have to implement Security for this Web Service (similar to ws-security etc.,), how I can achieve Security with 10.1.2.1?
    J Developer 10.1.3.1 seems to have the feature to implement Web Service Security, but a Java Web Service developed using J Developer 10 .1.3.1 with security enabled cannot be deployed onto Oracle 10.1.2.1 application server.
    Please help as how I can implement Java Web Service Security with 10.1.2.1?
    Email: [email protected]
    Thanks for the help in advance.

    You can use Oracle Web Services Manager to virtualize the end point and still implement WS-Security.
    Thanks
    Ram

  • Web service security with mutiple certificates

    Is it possible to secure a web service on OC4J such that multiple clients can securely access the same web service. I have been trying to send messages to the same web service end point using multiple signature keys. The problem that I am getting is that if I do not use the signature key specified within OC4J to sign the message I am receiving the following error "javax.xml.rpc.soap.SOAPFaultException: Chain does not terminate with a trusted CA". Note all the certificates are present in the configure OC4J keystore.
    Can anyone point me in the direction of some documentation on how to configure a web service to be securely accessed by multiple clients (certificates)
    Cheers
    Neil

    Here is an example where we have two keystores, Bob and Alice.
    Bob's Keystore:
    Entry Alias: alice (Trusted Certificate) >>> No password
    Entry Alias: bob (Key Pair + CA Certs) >>> password welcome1
    Alice's Keystore:
    Entry Alias: bob (Trusted Certificate) >>> No password
    Entry Alias: Alice (Key Pair + CA Certs) >>> password welcome1
    In our scheme each party on the end of the message exchange have two key-pairs one for signature and one of encryption:
    In the Oracle Web Service.xml you should see something to the effect:
    <key-store name="mykeystore" store-pass="welcome1"
    path="META-INF/bob.jks"/>
    <signature-key key-pass="welcome1" alias="bob"/>
    <encryption-key key-pass="welcome1" alias="bob"/>
    Later in this XML, you would see the encrypt element, here we let it know to use alice for XML Encryption:
    <encrypt>
    <recipient-key alias="alice"/>
    <encryption-method>AES-128</encryption-method>
    <tbe-elements>
    <tbe-element local-part="Body"
    name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
    </tbe-elements>
    </encrypt>
    The default behavior is to only work with one client. If you need to work with multiple, then we have a means here:
    http://download-west.oracle.com/docs/cd/B31017_01/web.1013/b28976/adminasc.htm#BABFFICH

  • Web Service security with Apache Axis. 403 forbidden error

    Hello.
    I have to invoke a Web Service method via https. To achieve that, I have correctly added the server certificate to my truststore.
    When I invoke the method, I obtain this error:
    AxisFault
    faultCode: {http://xml.apache.org/axis/}HTTP
    faultSubcode:
    faultString: (403)Forbidden
    This is because the server requests me for a client certificate.
    I have the certificate, but I don't know how to use it in the java client.
    Does anybody know how to do that? Any kind of help will be very useful.
    Thank you very much in advance.
    NOTE: If I write the url of the web service in a web browser, the server requests me for a client cert. When I chose the appropiate certficate, the web browser shows me this message from the web service: "Hello, this is a Web Service"

    Finally my problem has been solved.
    I added the necesary properties to the system and everything went well.
    This is the code:
    String trustStore = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
    String keyStore = System.getProperty("java.home") + "/lib/security/keystorePKCS12".replace('/', File.separatorChar);
    String tspasswd = "myTrustStorePassword";
    String kspasswd = "myKeyStorePassword";
    System.setProperty("javax.net.ssl.trustStore", trustStore);
    System.setProperty("javax.net.ssl.trustStorePassword", tspasswd );
    System.setProperty("javax.net.ssl.keyStore", keyStore);
    System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
    System.setProperty("javax.net.ssl.keyStorePassword", kspasswd );It's necesary to say that my keystore is PKCS12 type, and it stores only one pkcs certificate.
    Note that is also posible to set these system properties in the Tomcat start script.

  • Working with Web Service Security

    Hi... forum
    I really need your help.
    I created a web service client. with JDEV 10.1.3, when i crearted a function call i got this error
    javax.xml.rpc.soap.SOAPFaultException: SoapException
    at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:540)
    at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:390)
    at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:111)
    at com.ws.runtime.POSSoap_Stub.comprar(POSSoap_Stub.java:659)
    at com.ws.POSSoapClient.comprar(POSSoapClient.java:55)
    at com.ws.POSSoapClient.main(POSSoapClient.java:40)
    I debug the application and then get down in this line:
    send((String) getProperty(ENDPOINT_ADDRESS_PROPERTY), _state);
    i also using web Secure Proxy
    and i have another methor called ping and this work fine, but one method that needs webservice security doesn´t work.
    some body has work with Webservice Security ?
    How can i view the message that is sending ?
    i don´t know what´s happenning ?
    Can help me, please?
    thnks
    Josue

    HI Frank, thank you for your help...
    I run the HTTP analyzer and see the error.. the usernametoken doesn´t was put it...
    My proxy i put it like secure proxy and i check the option username token. but the service. doesn´t put me this tag.
    this the message send it.
    <?xml version = '1.0' encoding = 'UTF-8'?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="urn:schemas-orbitel-com-co:pos">
    <env:Body>
    <ns0:SolicitudCompra>
    <ns0:IdTransaccion>123</ns0:IdTransaccion>
    <ns0:TipoTarjeta>Orbitel Europa</ns0:TipoTarjeta>
    <ns0:Localizacion>Colombia</ns0:Localizacion>
    <ns0:Valor>0</ns0:Valor>
    <ns0:ZonaHoraria>0</ns0:ZonaHoraria>
    </ns0:SolicitudCompra>
    </env:Body>
    </env:Envelope>
    And the error message is..:
    <soap:Fault>
    <faultcode>soap:Server</faultcode>
    <faultstring>SoapException</faultstring>
    <faultactor>urn:schemas-orbitel-com-co:pos</faultactor>
    <detail>
    <Error xmlns="urn:schemas-orbitel-com-co:pos">
    <Codigo>POS006</Codigo>
    <Descripcion>El UsernameToken no fue suministrado</Descripcion>
    </Error>
    </detail>
    </soap:Fault>
    Frank, what can i do. to put the usernametoken into the send message.. ?
    thnks four your help...
    thnks.
    Joshua

  • OIM Integration with Active Directory Federation Services (ADFS)

    Hello friends
    I have a question about the integration of Oracle Identity Manager with Active Directory which is federated with another external directory for ADFS. My question is:
    What considerations should be to contemplate if I have an active directory federated environment when carrying out the integration with Identity Manager?
    I use version 9.1.0.2 of Oracle Identity Manager with Microsoft Active Directory Connector User Management 9.1.1.7
    Thanks for the support.

    First consideration is that the OIM's target ADFS - in the federated scenario, will that participate as a Service provider or identity provider. I would think identity provider.
    Next consideration: What all attributes are required to be played in the SAML assertion to the other end-point? All these attributes must be present and should be provisioned to the AD in this case.
    So, OIM should be set up (UDF etc) to provision all those attributes needed in the SAML.
    Next consideration: What all scenario to support? IdP initiated or SP initiated? If SP initiated, then process will hv to be defined if a user id does not exist in the AD of the OIM target. Will the request be failed or a in-time provisioning should happen.
    Hope this helps.

  • SOAP Request with Web Service Security

    Hi masters of XI,
    the Oasis standard for web services security saids that exists three levels of security for web services, at higher level is Encryption, middle level is signature and at lower level is authentication with username and password inside the soap envelope.
    I need to do a SOAP Request signed with a X.509 certificate and username and password too in SAP PI 7.0 SP11. I can sign the request with X.509 certificate without problems but i can't authenticate the request with username and password in usernametoken element like saids the Oasis standard
    <wsse:Security>
    <wsse:UsernameToken>
    <wsse:Username>XXXX</wsse:Username>
    <wsse:Password>XXXXXXXXX</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    How can we send UserNameToken's elements inside SOAP web service envelope
    signing with X.509 certificate also? There are any way to do it in the
    receiver agreement or receiver SOAP adapter?
    thanks.

    Hi,
    thank you very much for your answers.
    I have solved the SSL comunication and i can sign with X.509 certificates. My problem is that in the SOAP envelope of resquest signed only travels the X.509 certificate and I need to send the username security token (wsse:UsernameToken) also.
    <wsse:Security>
    <wsse:UsernameToken>
    <wsse:Username>XXXX</wsse:Username>
    <wsse:Password>XXXXXXXXX</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    I can't find the solution to do it. The Netweaver documentation says that Netweaver is able to sign SOAP request with X.509 certificates and is able too for using UsernameToken as part of Oasis standard for web service security. In abap stack of NW you can assign a security profile to a web service call for signing the message or authenticate it with username/password inside SOAP envelope, but in java stack of XI i think that there is no way to do it.
    This is my Request:
    <?xml version="1.0" encoding="utf-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
          <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-71968700">MIIHdTCCBl2gAwIBAgIQOq4nmg5zi4NGsIGjPUZVuTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ...8d4pAJYk=</wsse:BinarySecurityToken>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-104376803">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#id-104309952">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>R6WE9gs+l496jHCgslgALWswEnE=</ds:DigestValue>
              </ds:Reference>
              <ds:Reference URI="#Timestamp-104310599">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>aiCTZ0WwiZQEv8zVmmf8GLu/bYA=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>YR9Q5oUA6kFFmPYOIOQPTOgTgapMbkmgdlDM/TZJ2CS8ENAntfsnmpEbpUgOPUVMkgaECog0OKvlADHP0HvJtPdm2NJljZNCCgrk3hlmmtkXkRauVuH5KRiHE5NeWT4+Uspp3ashebu0IuOO66zt4Q=</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-104377209">
              <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-104377346">
                <wsse:Reference URI="#CertId-71968700" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>     
          <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-104310599">
            <wsu:Created>2008-01-16T21:28:44.081Z</wsu:Created>
            <wsu:Expires>2008-01-16T21:33:44.081Z</wsu:Expires>
          </wsu:Timestamp>
        </wsse:Security>
      </soapenv:Header>
    And this is the request I need:
    <?xml version="1.0" encoding="utf-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
          <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-71968700">MIIHdTCCBl2gAwIBAgIQOq4nmg5zi4NGsIGjPUZVuTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ...8d4pAJYk=</wsse:BinarySecurityToken>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-104376803">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#id-104309952">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>R6WE9gs+l496jHCgslgALWswEnE=</ds:DigestValue>
              </ds:Reference>
              <ds:Reference URI="#Timestamp-104310599">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>aiCTZ0WwiZQEv8zVmmf8GLu/bYA=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>YR9Q5oUA6kFFmPYOIOQPTOgTgapMbkmgdlDM/TZJ2CS8ENAntfsnmpEbpUgOPUVMkgaECog0OKvlADHP0HvJtPdm2NJljZNCCgrk3hlmmtkXkRauVuH5KRiHE5NeWT4+Uspp3ashebu0IuOO66zt4Q=</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-104377209">
              <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-104377346">
                <wsse:Reference URI="#CertId-71968700" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
    <!-- THIS IS THE PART I NEED -->
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-104312926">
            <wsse:Username>xxxxxxx</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
          </wsse:UsernameToken>
    <!--  -->
    <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-104310599">
            <wsu:Created>2008-01-16T21:28:44.081Z</wsu:Created>
            <wsu:Expires>2008-01-16T21:33:44.081Z</wsu:Expires>
          </wsu:Timestamp>
        </wsse:Security>
      </soapenv:Header>

  • Issue with Web Service Security

    Dear Forum Members and Readers,
    I am a beginner to Web Services, and facing an issue with WS-Security.
    My issue seemingly is quite specific to my projects though, It will be great if you can provide me your views.
    Context Description:
    I am developing a Java Web Service application that is deployed on JBoss Application Server.
    This application will communicate with two other applications those are not deployed in same JBoss Application Server.
    These 2 applications are third party applications, one is C++ based web services and other is Java based web services.
    My application gives a call to Third Party Application1 and receives the response back form it. It then passes this received response to Third Party Application 2.
    Issue Description:
    I now need to enable https paradigm among these 3 applications. (I need to implement web service security model here)
    I started with looking in to JBoss specific WS-Security but found it not suitable in my case, as it requires to configure both the client and server. I have the control over my application but not on other 2 third party applications.
    To this extent, I am unable to identify a solution that can address my issue.
    Can anybody please provide me with initial thoughts or any reference material that might help me to give this a start.
    Any clue will be highly appreciated!
    Thanks in advance
    Mukul

    mukul.object wrote:
    Actually, my SOAP messages contains some critical information that needs to be encrypted.You think that its critical information however your third party doesn't. If they would have had same thought they would have enabled the security. As I said earlier, you will have to discuss this with them.
    Another solution (however I don't know the viability in your case) could be to deploy one component before each third party service. Your web service will call this new component (Which is installed in their environment i.e. local to third party web service) and new component will forward the request to third party service. Now you can apply security/encryption/decryption between your web service and your component.
    I have had a look in to XMLEncrytion using that I can encrypt my SOAP messages but I wonder how would other tools decrypt that.My above comments answers this.
    Is there anyway I can encrypt my SOAP messages (without having to customize third party tools) in this scenario ??My above comments answers this.

  • [OSB Kernel:398133]The service is based on WSDL with Web Services Security

    Team,
    I need to use the wsdl given by external client. When I create a osb business service, I am receiving the below error.
    OSB Kernel:398133]The service is based on WSDL with Web Services Security Policies that are not natively supported by Oracle Service Bus. Please select OWSM Policies - From OWSM Policy Store option and attach equivalent OWSM security policy. For the Business Service, either you can add the necessary client policies manually by clicking Add button or you can let Oracle Service Bus automatically pick and add compatible client policies by clicking Add Compatible button.     ...
    WSDL:
    http://personator.melissadata.net/v3/SOAP/ContactVerify
    We don't have OWSM set up. Is there any workaround that I can use to connect to this service for OSB?

    As a workaround, you can try to remove the Policy definition and reference from the copy you will import in OSB.
    I would recommend to add OWSM to your domain. It's a straight forward process.
    Regards,
    Fabio.

  • Regarding Web services security.

    Can I implement a database level username/password security for a web service.
    So only database users can access the web service.is it possible?
    Any implementation example or related document?
    Thanks!

    Hi Soni,
    Yes, you could.
    Two options I can think of:
    - Program WS-Security for your specific web service
    - Use Oracle Web Services Manager
    With respect to the latter: I believe there is no OWSM policy step to handle your requirement out of the box. OWSM comes with policy steps for file-based authentication as well as for authenticating against Active Directory or a generic LDAP directory.
    In this case you could opt for the creation of a custom policy step.
    Hope this help.
    Sjoerd

  • Web Services Security - Symmetric Keys

    I am writing my first web service and I have some questions regarding security.
    From what I understand I have two options. Communicate with my clients with us both having private/public key pairs (which I did manage to get working) or to use symmetric keys.
    Rather than have each of my clients create a key pair and send me their public key it would be beneficial I believe to use symmetric keys?
    Using the synchronous (symmetric key) method I would give my client my public key. Before my client connects to my web service they will generate a symmetric key and use that to encrypt their request and send the symmetric key with the request?
    My web service will then use my private key to decrypt the symmetric key they sent and I will use that key to decrypt their request as well as encrypt the response?
    The only way to use the symmetric key is to code that in on the client and server side using Java 2 Security?
    I am using WebSphere wizards for version 5.1 to create the service and the client. The tutorials I've seen are just for public/private key pairs it would seem because you create two keystores, export each certificate, then trust them with each other.

    Hi Soni,
    Yes, you could.
    Two options I can think of:
    - Program WS-Security for your specific web service
    - Use Oracle Web Services Manager
    With respect to the latter: I believe there is no OWSM policy step to handle your requirement out of the box. OWSM comes with policy steps for file-based authentication as well as for authenticating against Active Directory or a generic LDAP directory.
    In this case you could opt for the creation of a custom policy step.
    Hope this help.
    Sjoerd

  • Weblogic app server wsdl web service call with SSL Validation error = 16

    Weblogic app server wsdl web service call with SSL Validation error = 16
    I need to make wsdl web service call in my weblogic app server. The web service is provided by a 3rd party vendor. I keep getting error
    Cannot complete the certificate chain: No trusted cert found
    Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure
    Validation error = 16
    From the SSL debug log, I can see 3 verisign hierarchy certs are correctly loaded (see 3 lines in the log message starting with “adding as trusted cert”). But somehow after first handshake, I got error “Cannot complete the certificate chain: No trusted cert found”.
    Here is how I load trustStore and keyStore in my java program:
         System.setProperty("javax.net.ssl.trustStore",”cacerts”);
         System.setProperty("javax.net.ssl.trustStorePassword", trustKeyPasswd);
         System.setProperty("javax.net.ssl.trustStoreType","JKS");
    System.setProperty("javax.net.ssl.keyStoreType","JKS");
    System.setProperty("javax.net.ssl.keyStore", keyStoreName);
         System.setProperty("javax.net.ssl.keyStorePassword",clientCertPwd);      System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump","true");
    Here is how I create cacerts using verisign hierarchy certs (in this order)
    1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignClass3G5PCA3Root.txt -alias "Verisign Class3 G5P CA3 Root"
    1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediatePrimary.txt -alias "Verisign C3 G5 Intermediate Primary"
    1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediateSecondary.txt -alias "Verisign C3 G5 Intermediate Secondary"
    Because my program is a weblogic app server, when I start the program, I have java command line options set as:
    -Dweblogic.security.SSL.trustedCAKeyStore=SSLTrust.jks
    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    -Dweblogic.security.SSL.enforceConstraints=strong
    That SSLTrust.jks is the trust certificate from our web server which sits on a different box. In our config.xml file, we also refer to the SSLTrust.jks file when we bring up the weblogic app server.
    In addition, we have working logic to use some other wsdl web services from the same vendor on the same SOAP server. In the working web service call flows, we use clientgen to create client stub, and use SSLContext and WLSSLAdapter to load trustStore and keyStore, and then bind the SSLContext and WLSSLAdapter objects to the webSerive client object and make the webservie call. For the new wsdl file, I am told to use wsimport to create client stub. In the client code created, I don’t see any way that I can bind SSLContext and WLSSLAdapter objects to the client object, so I have to load certs by settting system pramaters. Here I attached the the wsdl file.
    I have read many articles. It seems as long as I can install the verisign certs correctly to web logic server, I should have fixed the problem. Now the questions are:
    1.     Do I create “cacerts” the correct order with right keeltool options?
    2.     Since command line option “-Dweblogic.security.SSL.trustedCAKeyStore” is used for web server jks certificate, will that cause any problem for me?
    3.     Is it possible to use wsimport to generate client stub that I can bind SSLContext and WLSSLAdapter objects to it?
    4.     Do I need to put the “cacerts” to some specific weblogic directory?
    ---------------------------------wsdl file
    <wsdl:definitions name="TokenServices" targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="http://tempuri.org/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
         <wsp:Policy wsu:Id="TokenServices_policy">
              <wsp:ExactlyOne>
                   <wsp:All>
                        <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                             <wsp:Policy>
                                  <sp:TransportToken>
                                       <wsp:Policy>
                                            <sp:HttpsToken RequireClientCertificate="true"/>
                                       </wsp:Policy>
                                  </sp:TransportToken>
                                  <sp:AlgorithmSuite>
                                       <wsp:Policy>
                                            <sp:Basic256/>
                                       </wsp:Policy>
                                  </sp:AlgorithmSuite>
                                  <sp:Layout>
                                       <wsp:Policy>
                                            <sp:Strict/>
                                       </wsp:Policy>
                                  </sp:Layout>
                             </wsp:Policy>
                        </sp:TransportBinding>
                        <wsaw:UsingAddressing/>
                   </wsp:All>
              </wsp:ExactlyOne>
         </wsp:Policy>
         <wsdl:types>
              <xsd:schema targetNamespace="http://tempuri.org/Imports">
                   <xsd:import schemaLocation="xsd0.xsd" namespace="http://tempuri.org/"/>
                   <xsd:import schemaLocation="xsd1.xsd" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
              </xsd:schema>
         </wsdl:types>
         <wsdl:message name="ITokenServices_GetUserToken_InputMessage">
              <wsdl:part name="parameters" element="tns:GetUserToken"/>
         </wsdl:message>
         <wsdl:message name="ITokenServices_GetUserToken_OutputMessage">
              <wsdl:part name="parameters" element="tns:GetUserTokenResponse"/>
         </wsdl:message>
         <wsdl:message name="ITokenServices_GetSSOUserToken_InputMessage">
              <wsdl:part name="parameters" element="tns:GetSSOUserToken"/>
         </wsdl:message>
         <wsdl:message name="ITokenServices_GetSSOUserToken_OutputMessage">
              <wsdl:part name="parameters" element="tns:GetSSOUserTokenResponse"/>
         </wsdl:message>
         <wsdl:portType name="ITokenServices">
              <wsdl:operation name="GetUserToken">
                   <wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetUserToken" message="tns:ITokenServices_GetUserToken_InputMessage"/>
                   <wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetUserTokenResponse" message="tns:ITokenServices_GetUserToken_OutputMessage"/>
              </wsdl:operation>
              <wsdl:operation name="GetSSOUserToken">
                   <wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserToken" message="tns:ITokenServices_GetSSOUserToken_InputMessage"/>
                   <wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserTokenResponse" message="tns:ITokenServices_GetSSOUserToken_OutputMessage"/>
              </wsdl:operation>
         </wsdl:portType>
         <wsdl:binding name="TokenServices" type="tns:ITokenServices">
              <wsp:PolicyReference URI="#TokenServices_policy"/>
              <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
              <wsdl:operation name="GetUserToken">
                   <soap12:operation soapAction="http://tempuri.org/ITokenServices/GetUserToken" style="document"/>
                   <wsdl:input>
                        <soap12:body use="literal"/>
                   </wsdl:input>
                   <wsdl:output>
                        <soap12:body use="literal"/>
                   </wsdl:output>
              </wsdl:operation>
              <wsdl:operation name="GetSSOUserToken">
                   <soap12:operation soapAction="http://tempuri.org/ITokenServices/GetSSOUserToken" style="document"/>
                   <wsdl:input>
                        <soap12:body use="literal"/>
                   </wsdl:input>
                   <wsdl:output>
                        <soap12:body use="literal"/>
                   </wsdl:output>
              </wsdl:operation>
         </wsdl:binding>
         <wsdl:service name="TokenServices">
              <wsdl:port name="TokenServices" binding="tns:TokenServices">
                   <soap12:address location="https://ws-eq.demo.i-deal.com/PhxEquity/TokenServices.svc"/>
                   <wsa10:EndpointReference>
                        <wsa10:Address>https://ws-eq.demo.xxx.com/PhxEquity/TokenServices.svc</wsa10:Address>
                   </wsa10:EndpointReference>
              </wsdl:port>
         </wsdl:service>
    </wsdl:definitions>
    ----------------------------------application log
    adding as trusted cert:
    Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x641be820ce020813f32d4d2d95d67e67
    Valid from Sun Feb 07 19:00:00 EST 2010 until Fri Feb 07 18:59:59 EST 2020
    adding as trusted cert:
    Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
    Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028
    adding as trusted cert:
    Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x250ce8e030612e9f2b89f7054d7cf8fd
    Valid from Tue Nov 07 19:00:00 EST 2006 until Sun Nov 07 18:59:59 EST 2021
    <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm DESede/CBC/NoPadding>
    <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm DESede>
    <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 28395435>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 SSL3/TLS MAC>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 received HANDSHAKE>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
    Not Valid Before:Tue Dec 18 19:00:00 EST 2012
    Not Valid After:Wed Jan 07 18:59:59 EST 2015
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Not Valid Before:Sun Feb 07 19:00:00 EST 2010
    Not Valid After:Fri Feb 07 18:59:59 EST 2020
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
    Not Valid Before:Tue Dec 18 19:00:00 EST 2012
    Not Valid After:Wed Jan 07 18:59:59 EST 2015
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Not Valid Before:Sun Feb 07 19:00:00 EST 2010
    Not Valid After:Fri Feb 07 18:59:59 EST 2020
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
    <Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure.>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
    java.lang.Exception: New alert stack
         at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
         at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
         at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
         at com.certicom.tls.record.WriteHandler.write(Unknown Source)
         at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
         at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
         at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
         at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
         at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
         at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
         at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
         at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
         at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
         at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
         at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
         at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
         at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
         at javax.xml.ws.Service.<init>(Service.java:56)
         at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
         at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
         at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
         at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
         at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 22803607>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 14640403>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 SSL3/TLS MAC>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 received HANDSHAKE>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
    Not Valid Before:Tue Dec 18 19:00:00 EST 2012
    Not Valid After:Wed Jan 07 18:59:59 EST 2015
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Not Valid Before:Sun Feb 07 19:00:00 EST 2010
    Not Valid After:Fri Feb 07 18:59:59 EST 2020
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
    Not Valid Before:Tue Dec 18 19:00:00 EST 2012
    Not Valid After:Wed Jan 07 18:59:59 EST 2015
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Not Valid Before:Sun Feb 07 19:00:00 EST 2010
    Not Valid After:Fri Feb 07 18:59:59 EST 2020
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
    <Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - 12.29.210.156 was not trusted causing SSL handshake failure.>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
    java.lang.Exception: New alert stack
         at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
         at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
         at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
         at com.certicom.tls.record.WriteHandler.write(Unknown Source)
         at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
         at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
         at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
         at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
         at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
         at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
         at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
         at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
         at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
         at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
         at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
         at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
         at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
         at javax.xml.ws.Service.<init>(Service.java:56)
         at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
         at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
         at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
         at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
         at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 16189141>

    I received a workaround by an internal message.
    The how to guide is :
    -Download the wsdl file (with bindings, not the one from ESR)
    -Correct it in order that the schema corresponds to the answer (remove minOccurs or other things like this)
    -Deploy the wsdl file on you a server (java web project for exemple). you can deploy on your local
    -Create a new logicial destination that point to the wsdl file modified
    -Change the metadata destination in your web dynpro project for the corresponding model and keep the execution desitnation as before.
    Then the received data is check by the metadata logical destination but the data is retrieved from the correct server.

  • Project Server 2010 Web services access with Client Certificate Authentication

    We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
    web service applications that no longer connect to server with the new authentication configuration.  Our custom applications are using the WCF interface to access the public web services.
    Please let us know if it is possible to authenticate with AD FS 2.0 and then call
    Project Server web services. Any help or coding examples would be greatly appreciated.

    what is the error occurred when the custom PSI app connects?
    can you upload the ULS logs here for research?
    What is the user account format you specified in the code for authentication?
    For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
    'I:0#.w|mybusinessdomain\ewmccarty').
    It requires you to manually call the UpnLogon method of
    “Claims to Windows Token Service”. if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)  
    {  var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;  }  
    if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
    var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
    Than you need to extract UPN-Claim from the identity.
    Upload the verbose log if possible.
    Did you see this?
    http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

  • Web Service Security not configured on this component.

    Hi Experts,
                           Before configuring the scenario, i went to RWB to check whether the comopnents are in active mode or not.
                                  Integration Engine XID 
                                  Business Process Engine XID 
                                  Mapping Runtime XID 
                                  Adapter Engine XID 
                                  Integration Engines
                          All components are in Green mode  Except Integration Engine, The Integration is in yellow mode
                           and shows the following details.
                         Details for 'Is Web service security available?'
                           Web Service Security not configured on this component.
    Can you give the solution for this.

    Hi,
                      1, While sending idoc from sapR/3 to PI , in r/3 sm58 shows the foll error:
    "No service for system SAPQA,client 200 in integration directory"*
                               Even the Bussiness sytem pointing R/3.
    From your initial post, it appears that you are using XID system and from above error, I believe you are trying to send the IDoc from QA system. R3 dev will communicate to PI dev, so verify the partner profile and ports in your IDoc Header settings.
                         2, When i execute the tcode sm58 in PI   it shows the following error:
                                   "Syntax error in program SAPLSXI_AC_CACHE _REFERESH"
    I am kinda confused how come sm58 tcode can show an error for this program, as sm58 is for checking the transactional RFCs and  SAPLSXI_AC_CACHE_REFERESH is for XI Cache refresh for Alert Category. Might be some one else can explain this.
                         3, WHEN I EXECUTE THE tcode SXI_CACHE
                                             Under the *STATUS OF RUNTIME CACHE
                                                           Unable to refresh cache contents
                                                           Error during last attempt toreferesh cache
                                                             (red colour triangle leading above both)
    Check this SAP Note 764176, might help in your situation.
    Worth reading - http://help.sap.com/saphelp_nw04/helpdata/en/0d/28e1c20a9d374cbb71875c5f89093b/frameset.htm
                        4, Still there is no messages in Message monitoring.
    Obviously because of error # 1, you are unable to send IDocs, how come you expect messages to reach PI ... strange, isn't it
    Hope this helps.
    Regards,
    Neetesh

Maybe you are looking for

  • Apache Help! Computer has slowed to a crawl & no net access

    After following tutorials: firstly here, and secondly here, my laptop has slowed to an excruciating crawl, when the machine boots it asks for my username and password when the Sys Prefs are set to auto log in. It also can't access the net anymore. It

  • Microsoft Windows (7) boot from (native) VHD : Question about missing boot (flag) on active primary partition

    Hi! First, where can I post queries about native VHDs on Windows 7? I see VHD Native Boot and Driver Cloning  in Windows Desktop Development forums >  General Windows Desktop Development Issues, (when I navigate there the option's N/A, http://i.imgur

  • JDOM, JDK1.1.8 and Personal Java...

    Has anyone succeeded in building a class with JDOM (XML), compiled with JDK 1.1.8 to run on a Personal Java ? I'm trying to make a class that use JDOM, but I didn't even compile it on a JDK 1.1.8..

  • Font not appearing on a mac

    I'm embedding a Helvetica Neue font with my text fields but it itsn't showing up on in Safari, it's a T1 font (postscript) is this a common problem does anyone know?

  • Discoverer Portlet fails with ora-01017

    This is about OAS 10gR2 Middle tier version: 10.1.2.0.2 Discoverer version: 10.1.2.48.18 I've manually changed password for Discoverer EUL Owner schema (using "alter user blablabla identified by blablabla" statement, in sqlplus) and now I can't regis