Web Service Security X509 token issue...

Hi All,
I have an issue with using X509 certificates. Please find the details attached below:-
I used the following link to create a simple keystore using 3rd party tools:-
http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/CreateKeyStore_howto.htm
NOTES:
1) I think the above link creates self signed certificates.
2) The signature and encryption key for both the web service and proxy created below are the same.
As can be seen from this link, two certificates are created with aliases sam and dave. I then used the following link to secure the web service and proxy:-
http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html
This link uses the OAS manager to set the keytoll related properties. These entries are already into system-jazn-data.xml. A point to note here is that the aliases of the certificates are stored in system-jazn-data.xml.
My oracle-webservices.xml has the mapping attribute of the verify-x509-token token set to CN (Common Name). Hence I changed the above entries in system-jazn-data to reflect the common names instead of the aliases.
However the standalone OC4J server still throws the following error whether I try to run the proxy with the mapping attr set to alias or CN in the jazn file:-
07/07/05 20:58:14 Oracle Containers for J2EE 10g (10.1.3.1.1) initialized
2007-07-05 20:58:39.876 ERROR Cannot authenticate X509 certificate, User CN=Sam
Cooke, OU=samDept, EMAILADDRESS=[email protected], O=samOrg, L=samCity, ST=samState
, C=US does not exist in our system
07/07/05 20:58:39 javax.security.auth.login.LoginException: Cannot authenticate
X509 certificate, User CN=Sam Cooke, OU=samDept, EMAILADDRESS=[email protected], O=
samOrg, L=samCity, ST=samState, C=US does not exist in our system
I have not exported any certificates from client to serve or vice versa.
Please could someone help out? This is urgent.
Regards,
Lester.

I had the same issue and solved it like this:
Create a signed certificate, import it into your keystore and use that as Signature Key alias in both the client as the server security. Make sure the user with the same name exists in the realm on the server.
Hope this helps,
Lonneke

Similar Messages

Web Service Security Username Token Issue

Hi,
I am trying to implement WS-Security (Username Token) on web services deployed on Weblogic Server 8.1 (sp4). The deployment works fine but whenever I try to invoke the service using auto generated client stub (created using clientgen) or weblogic server console (service test page) , I get the following error:
<Nov 8, 2006 12:01:46 PM GMT+05:30> <Info> <WebService> <BEA-220024> <Handler weblogic.webservice.core.handler.WSSEClientHandler threw an exception from its handleRequest method. The exception was:
java.lang.AssertionError: Bad password type: wsse:PasswordText.>
Failed to create web service client:java.rmi.RemoteException: SOAP Fault:javax.xml.rpc.soap.SOAPFaultException: Exception during processing: java.lang.AssertionError: Bad password type: wsse:PasswordText (see Fault Detail for stacktrace)
Detail:
<detail>
<bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">java.lang.AssertionError: Bad password type: wsse:PasswordText
at weblogic.xml.security.wsse.v200207.UsernameTokenImpl.<init>(UsernameTokenImpl.java:64)
at weblogic.xml.security.wsse.v200207.SecurityElementFactoryImpl.createToken(SecurityElementFactoryImpl.java:59)
at weblogic.webservice.core.handler.WSSEClientHandler.processSpecs(WSSEClientHandler.java:300)
at weblogic.webservice.core.handler.WSSEClientHandler.handleRequest(WSSEClientHandler.java:100)
at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:143)
at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:231)
at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:143)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:457)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:443)
at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:303)
at com.cts.sipservices.implementation.client.MrmPartyServiceImplementationPort_Stub.getParty(MrmPartyServiceImplementationPort_Stub.java:46)
at com.cts.sipservicesclient.client.SecureClient.<init>(SecureClient.java:76)
at com.cts.sipservicesclient.client.SecureClient.main(SecureClient.java:38)
</bea_fault:stacktrace>
</detail>; nested exception is:
javax.xml.rpc.soap.SOAPFaultException: Exception during processing: java.lang.AssertionError: Bad password type: wsse:PasswordText (see Fault Detail for stacktrace)
This is the â€˜securityâ€™ tag of my â€˜web-services.xmlâ€™:
<security>
<spec:SecuritySpec xmlns:spec="http://www.openuri.org/2002/11/wsse/spec"
Namespace="http://schemas.xmlsoap.org/ws/2002/07/secext"
Id="default-spec">
<spec:UsernameTokenSpec xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"
PasswordType="wsse:PasswordText">
</spec:UsernameTokenSpec>
</spec:SecuritySpec>
</security>
Thanks

Apply these debug flags, to get some more debug information from WSSE server side processing following debug flags are helpful:
-Dweblogic.webservice.security.debug=true
-Dweblogic.webservice.security.verbose=true

Web service security policies interoperability issue with WCF

Hi,
I've created a web service in Jdeveloper 11g which I have deployed to a stand alone weblogic server 10.3. I also created a web service proxy in Jdeveloper 11g that works perfectly. The service is using Wssp1.2-2007-Https.xml policy.
I have the requirement of a C# consumer, but when I run svcutil to generate the client class and config, it throws the following warning:
A security policy was imported for the endpoint. The security policy contains requirements that cannot be represented in a Windows Communication Foundation configuration. Look for a comment about the SecurityBindingElement parameters that are required in the configuration file that was generated. Create the correct binding element with code. The binding configuration that is in the configuration file is not secure.
What security policy is compatible with WCF?
Thanks,
Miguel.

I had the same issue and solved it like this:
Create a signed certificate, import it into your keystore and use that as Signature Key alias in both the client as the server security. Make sure the user with the same name exists in the realm on the server.
Hope this helps,
Lonneke

Web Service Security username token...

Hi All,
I am presently trying to build in security authentication into my web service using the username-token and the verify-username-token tokens.
My WS_stub.xml on the proxy side looks like the following:-
other tokens
<security>
<inbound/>
<outbound>
<username-token name="NAME" password="PASS" password-type="DIGEST" add-nonce="true" add-created="true"/>
</outbound>
</security>
other tokens
and my oracle-webservices.xml on hte web service side looks like the following:-
other tokens
<security>
<inbound>
<verify-username-token name="NAME" password="PASS" password-type="DIGEST"
require-nonce="true"
require-created="true"/>
</inbound>
<outbound/>
</security>
other tokens
I have set the javacache.xml for the embedded OC4J location as follows:-
</persistence>
<max-objects>1000</max-objects>
<max-size>48</max-size>
<clean-interval>60</clean-interval>
</cache-configuration>
When I run the web service followed by the proxy I get the following error at the proxy side.
javax.xml.rpc.soap.SOAPFaultException: Policy requires DIGEST passwords
     at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
     at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
     at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
     at com.airliquide.smartcyl.runtime.TrailerWSSoapHttp_Stub.addtrailerinfo(TrailerWSSoapHttp_Stub.java:76)
     at com.airliquide.smartcyl.TrailerWSSoapHttpPortClient.addtrailerinfo(TrailerWSSoapHttpPortClient.java:60)
     at com.airliquide.smartcyl.TrailerWSSoapHttpPortClient.main(TrailerWSSoapHttpPortClient.java:47)
Also it gives exceptions with repect to nonces such as "Policy requires nonce". Please could someone tell me how to setup an nonce in the xml files above and how to use nonce in web services?
Regards,
Lester.

Hi All,
Presently I am trying to set the security for my web service and am receiving the following error when doing so at the proxy side:-
oracle.j2ee.ws.common.soap.fault.SOAP11FaultException: java.lang.NullPointerException
     at oracle.j2ee.ws.common.mgmt.runtime.InterceptorChainImpl.createSoapFaultException(InterceptorChainImpl.java:338)
     at oracle.j2ee.ws.common.mgmt.runtime.InterceptorChainImpl.handleException(InterceptorChainImpl.java:256)
     at oracle.j2ee.ws.common.mgmt.runtime.InterceptorChainImpl.handleRequest(InterceptorChainImpl.java:128)
     at oracle.j2ee.ws.common.mgmt.runtime.AbstractInterceptorPipeline.handleRequest(AbstractInterceptorPipeline.java:87)
     at oracle.j2ee.ws.client.StubBase._preRequestSendingHook(StubBase.java:699)
     at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:147)
     at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
     at com.airliquide.smartcyl.runtime.TrailerWSSoapHttp_Stub.addtrailerinfo(TrailerWSSoapHttp_Stub.java:76)
     at com.airliquide.smartcyl.TrailerWSSoapHttpPortClient.addtrailerinfo(TrailerWSSoapHttpPortClient.java:62)
     at com.airliquide.smartcyl.TrailerWSSoapHttpPortClient.main(TrailerWSSoapHttpPortClient.java:49)
Process exited with exit code 0.
My WS_Stub.xml file under runtime of the proxy project looks as follows:-
<?xml version="1.0" encoding="UTF-8"?>
<oracle-webservice-clients xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:noNamespaceSchemaLocation='http://xmlns.oracle.com/oracleas/schema/oracle-webservices-client-10_0.xsd'>
<webservice-client>
<service-qname namespaceURI="http://trailerinfo/" localpart="TrailerWS"/>
<port-info>
<wsdl-port namespaceURI="http://trailerinfo/" localpart="TrailerWSSoapHttpPort"/>
<runtime enabled="security">
<security>
<key-store name="mytestkeystore" store-pass="mytestkeystore" path="C:\Temp\mytestkeystore.jks"/>
<signature-key key-pass="sampwd" alias="sam"/>
<encryption-key key-pass="davepwd" alias="dave"/>
<inbound>
<verify-signature>
<signature-methods>
<signature-method>DSA-SHA1</signature-method>
<signature-method>RSA-MD5</signature-method>
<signature-method>RSA-SHA1</signature-method>
</signature-methods>
<tbs-elements>
<tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<verify-timestamp created="true" expiry="28800"/>
</verify-signature>
<decrypt>
<encryption-methods>
<encryption-method>AES-128</encryption-method>
<encryption-method>AES-256</encryption-method>
<encryption-method>3DES</encryption-method>
</encryption-methods>
<tbe-elements>
<tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT"/>
</tbe-elements>
</decrypt>
</inbound>
<outbound>
<username-token password-type="PLAINTEXT" add-nonce="false" add-created="true"/>
<signature>
<signature-method>RSA-SHA1</signature-method>
<tbs-elements>
<tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<add-timestamp created="true" expiry="28800"/>
</signature>
<encrypt>
<recipient-key alias="dave"/>
<encryption-method>3DES</encryption-method>
<keytransport-method>RSA-1_5</keytransport-method>
<tbe-elements>
<tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT"/>
</tbe-elements>
</encrypt>
</outbound>
</security>
</runtime>
<operations>
<operation name='addtrailerinfo'>
<runtime>
<security>
<inbound/>
<outbound>
<username-token password-type="PLAINTEXT" add-nonce="false" add-created="true"/>
<signature>
<signature-method>RSA-SHA1</signature-method>
<tbs-elements>
<tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<add-timestamp created="true" expiry="28800"/>
</signature>
<encrypt>
<recipient-key alias="test"/>
<encryption-method>3DES</encryption-method>
<keytransport-method>RSA-1_5</keytransport-method>
<tbe-elements>
<tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT"/>
</tbe-elements>
</encrypt>
</outbound>
</security>
</runtime>
</operation>
</operations>
</port-info>
</webservice-client>
</oracle-webservice-clients>
My oracle-webservices.xml file looks like the following:-
<oracle-webservices xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/oracle-webservices-10_0.xsd">
<webservice-description name="TrailerWS">
<port-component name="TrailerWSSoapHttpPort">
<runtime enabled="security">
<security>
<key-store name="mytestkeystore" store-pass="mytestkeystore"
path="META-INF/mytestkeystore.jks"/>
<signature-key key-pass="sampwd" alias="sam"/>
<encryption-key key-pass="davepwd" alias="dave"/>
<inbound>
<verify-username-token password-type="PLAINTEXT"
require-nonce="false"
require-created="true"/>
<verify-signature>
<signature-methods>
<signature-method>DSA-SHA1</signature-method>
<signature-method>RSA-MD5</signature-method>
<signature-method>RSA-SHA1</signature-method>
</signature-methods>
<tbs-elements>
<tbs-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<verify-timestamp created="true" expiry="28800"/>
</verify-signature>
<decrypt>
<encryption-methods>
<encryption-method>AES-128</encryption-method>
<encryption-method>AES-256</encryption-method>
<encryption-method>3DES</encryption-method>
</encryption-methods>
<tbe-elements>
<tbe-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbe-elements>
</decrypt>
</inbound>
<outbound>
<signature>
<signature-method>RSA-SHA1</signature-method>
<tbs-elements>
<tbs-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<add-timestamp created="true" expiry="28800"/>
</signature>
<encrypt>
<recipient-key key-pass="" alias="dave"/>
<encryption-method>3DES</encryption-method>
<tbe-elements>
<tbe-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbe-elements>
</encrypt>
</outbound>
</security>
</runtime>
<operations>
<operation name="addtrailerinfo"
input="{http://trailerinfo/}addtrailerinfoElement">
<runtime>
<security>
<inbound>
<verify-username-token require-nonce="false"
require-created="true"
password-type="PLAINTEXT"/>
<verify-signature>
<signature-methods>
<signature-method>DSA-SHA1</signature-method>
<signature-method>RSA-MD5</signature-method>
<signature-method>RSA-SHA1</signature-method>
</signature-methods>
<tbs-elements>
<tbs-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<verify-timestamp created="true" expiry="28800"/>
</verify-signature>
<decrypt>
<encryption-methods>
<encryption-method>AES-128</encryption-method>
<encryption-method>AES-256</encryption-method>
<encryption-method>3DES</encryption-method>
</encryption-methods>
<tbe-elements>
<tbe-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"
mode="CONTENT"/>
</tbe-elements>
</decrypt>
</inbound>
<outbound/>
</security>
</runtime>
</operation>
</operations>
</port-component>
</webservice-description>
</oracle-webservices>
I checked this exception out at hte following link
http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html#keystore
which lists hte instructions to secure a web service. The trouble shooting section lists this exception and says it might be due to a timestamp created flag being set to false. However I have made sure that both the client and service side xml files above have this set to true and are matching.
However I am still not able to eliminate this error. Please could someone help me out? This is urgent.
Regards,
Lester.

Log4j.jar issue under Web Service Security Module

I am running into an issue with log4j.jar for WebLogic OES PDP. there is a custom appender class that extends org.apache.log4j.AppenderSkeleton, if we packed into one jar file under \bea\ales32-ssm\webservice-ssm\lib\log4j.jar everthing is fine. if we split this class with another jar file(sth like patch.jar) and add a entry in the config file WLESws.wrapper.conf under bea\ales32-ssm\webservice-ssm\instance\WSSM\config and it failed with this error,
but an error is
generated when starting the WSSM(Web Service Security Module):
log4j:ERROR A "com.foo.AuditJMSQueueAppender" object is not assignable to a "org.apache.log4j.Appender" variable.
log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
log4j:ERROR [com.bea.security.providers.utils.InverseURLClassLoader@5f7d3f] whereas object of type
log4j:ERROR "com.foo.AuditJMSQueueAppender" was loaded by [sun.misc.Launcher$AppClassLoader@a18aa2].
log4j:ERROR Could not instantiate appender named "JMS_AUDIT".
130
ARME is started now
Rendering object type: AuditAtzEvent
I have tried add java option:log4j.ignoreTCL=true. in this WLESws.wrapper.conf file, but does not work.
How to resolve this issue, Thanks for your help!

hi
Can anyone help with this...

Issue with Web Service Security

Dear Forum Members and Readers,
I am a beginner to Web Services, and facing an issue with WS-Security.
My issue seemingly is quite specific to my projects though, It will be great if you can provide me your views.
Context Description:
I am developing a Java Web Service application that is deployed on JBoss Application Server.
This application will communicate with two other applications those are not deployed in same JBoss Application Server.
These 2 applications are third party applications, one is C++ based web services and other is Java based web services.
My application gives a call to Third Party Application1 and receives the response back form it. It then passes this received response to Third Party Application 2.
Issue Description:
I now need to enable https paradigm among these 3 applications. (I need to implement web service security model here)
I started with looking in to JBoss specific WS-Security but found it not suitable in my case, as it requires to configure both the client and server. I have the control over my application but not on other 2 third party applications.
To this extent, I am unable to identify a solution that can address my issue.
Can anybody please provide me with initial thoughts or any reference material that might help me to give this a start.
Any clue will be highly appreciated!
Thanks in advance
Mukul

mukul.object wrote:
Actually, my SOAP messages contains some critical information that needs to be encrypted.You think that its critical information however your third party doesn't. If they would have had same thought they would have enabled the security. As I said earlier, you will have to discuss this with them.
Another solution (however I don't know the viability in your case) could be to deploy one component before each third party service. Your web service will call this new component (Which is installed in their environment i.e. local to third party web service) and new component will forward the request to third party service. Now you can apply security/encryption/decryption between your web service and your component.
I have had a look in to XMLEncrytion using that I can encrypt my SOAP messages but I wonder how would other tools decrypt that.My above comments answers this.
Is there anyway I can encrypt my SOAP messages (without having to customize third party tools) in this scenario ??My above comments answers this.

Web Services Security using X509 certificate

Hi,
I have secured a web service using X509 certificate. i also secured the proxy of it but when i run the proxy client it says.
javax.security.auth.login.LoginException: Cannot authenticate X509 certificate, User CN=Sam, OU=Technology, O=FS, L=Dallas, ST=Texas, C=US does not exist in our system
Any idea on this. Do i need to configure the X509 certificate in the server. I am using Oracle SOA Suite and JDeveloper 10.1.3.1
Thanks

Hi,
I have secured a web service using X509 certificate. i also secured the proxy of it but when i run the proxy client it says.
javax.security.auth.login.LoginException: Cannot authenticate X509 certificate, User CN=Sam, OU=Technology, O=FS, L=Dallas, ST=Texas, C=US does not exist in our system
Any idea on this. Do i need to configure the X509 certificate in the server. I am using Oracle SOA Suite and JDeveloper 10.1.3.1
Thanks

"Define Web Service" - Security Issues

Hello all,
I have successfully defined a Web service with the wizard in ID. So I already have my WSDL file.
Now, I need to use this WSDL file from a Web Application that exposed to all public internet.
Now my question is, how is security managed for this web service? I mean, if the web service is exposed to any user of the web application in the internet, how can I assure that, the information in the WSDL file will not be used to access the XI Server with out authorization?
Who should be in charge of the security, the web application? the web service? or xi?
Thanks,
Felipe

If you are using the SOAP Adapter for receiving the information it provides the features like
1. HTTP without Client Authentication
2. HTTP with Client Authentication
Even you can select Security Prameters like
1. Web Service Security
2. S/MIME
If you configure all this then which other kind of security you are looking for.
Gaurav Jain
Reward Point if answer is helpful

Unable to call Web Service with Username Token

-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
I posted this in the JDeveloper forum but got no response.
-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
I have JDeveloper 10g release 3.
I created a regular Java application. Added a Web service proxy with no special mappings or anything. Right clicked on the proxy and said "Secure Proxy". I only used basic plain text username token. Added a method to my class that call instantiates a client, and called the operation.
However when I run this I get the following error message.
SEVERE: No username found
Error::oracle.j2ee.ws.common.soap.fault.SOAP11FaultException: No username found
The Web Service Security Proxy Wizard created an xml in my src file, that I updated to put the username and password of the web service. Below is the xml file.
<oracle-webservice-clients xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:noNamespaceSchemaLocation='http://xmlns.oracle.com/oracleas/schema/oracle-webservices-client-10_0.xsd'>
<webservice-client>
<service-qname namespaceURI="http://tempuri.org/SOAPTestWS/Service1" localpart="Service1"/>
<port-info>
<wsdl-port namespaceURI="http://tempuri.org/SOAPTestWS/Service1" localpart="Service1Soap"/>
<runtime enabled="security">
<security>
<inbound/>
<outbound>
<username-token name="myusername" password="xxxxx" password-type="PLAINTEXT" add-nonce="false" add-created="false"/>
</outbound>
</security>
</runtime>
<operations>
<operation name='TryMe'>
</operation>
</operations>
</port-info>
</webservice-client>
</oracle-webservice-clients>
And this configuration file is processed in the stub file.
setupConfig("project2/runtime/Service1Soap_Stub.xml");
What am I doing wrong. I cannot find any documentation on the secure web service client wizard and it's generated code.
Thanks, MIke L.

Mike,
I updated the 3 xml files with the name and password and I get a different error now ...
WARNING: Unable to connect to URL: https://dssd001.ca.boeing.com:443/bartinterface/SOAP/resSetup.cgi due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
java.rmi.RemoteException: ; nested exception is:
HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
I am using the simple text based username auth, but jdev for some reason still goes and looks for the x509 cert? How did you get yours to work?
Thanks
Sriram

SOAP Request with Web Service Security

Hi masters of XI,
the Oasis standard for web services security saids that exists three levels of security for web services, at higher level is Encryption, middle level is signature and at lower level is authentication with username and password inside the soap envelope.
I need to do a SOAP Request signed with a X.509 certificate and username and password too in SAP PI 7.0 SP11. I can sign the request with X.509 certificate without problems but i can't authenticate the request with username and password in usernametoken element like saids the Oasis standard
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>XXXX</wsse:Username>
<wsse:Password>XXXXXXXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
How can we send UserNameToken's elements inside SOAP web service envelope
signing with X.509 certificate also? There are any way to do it in the
receiver agreement or receiver SOAP adapter?
thanks.

Hi,
thank you very much for your answers.
I have solved the SSL comunication and i can sign with X.509 certificates. My problem is that in the SOAP envelope of resquest signed only travels the X.509 certificate and I need to send the username security token (wsse:UsernameToken) also.
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>XXXX</wsse:Username>
<wsse:Password>XXXXXXXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
I can't find the solution to do it. The Netweaver documentation says that Netweaver is able to sign SOAP request with X.509 certificates and is able too for using UsernameToken as part of Oasis standard for web service security. In abap stack of NW you can assign a security profile to a web service call for signing the message or authenticate it with username/password inside SOAP envelope, but in java stack of XI i think that there is no way to do it.
This is my Request:
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-71968700">MIIHdTCCBl2gAwIBAgIQOq4nmg5zi4NGsIGjPUZVuTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ...8d4pAJYk=</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-104376803">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-104309952">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>R6WE9gs+l496jHCgslgALWswEnE=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Timestamp-104310599">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>aiCTZ0WwiZQEv8zVmmf8GLu/bYA=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>YR9Q5oUA6kFFmPYOIOQPTOgTgapMbkmgdlDM/TZJ2CS8ENAntfsnmpEbpUgOPUVMkgaECog0OKvlADHP0HvJtPdm2NJljZNCCgrk3hlmmtkXkRauVuH5KRiHE5NeWT4+Uspp3ashebu0IuOO66zt4Q=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-104377209">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-104377346">
            <wsse:Reference URI="#CertId-71968700" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-104310599">
        <wsu:Created>2008-01-16T21:28:44.081Z</wsu:Created>
        <wsu:Expires>2008-01-16T21:33:44.081Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
</soapenv:Header>
And this is the request I need:
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-71968700">MIIHdTCCBl2gAwIBAgIQOq4nmg5zi4NGsIGjPUZVuTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ...8d4pAJYk=</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-104376803">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-104309952">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>R6WE9gs+l496jHCgslgALWswEnE=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Timestamp-104310599">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>aiCTZ0WwiZQEv8zVmmf8GLu/bYA=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>YR9Q5oUA6kFFmPYOIOQPTOgTgapMbkmgdlDM/TZJ2CS8ENAntfsnmpEbpUgOPUVMkgaECog0OKvlADHP0HvJtPdm2NJljZNCCgrk3hlmmtkXkRauVuH5KRiHE5NeWT4+Uspp3ashebu0IuOO66zt4Q=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-104377209">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-104377346">
            <wsse:Reference URI="#CertId-71968700" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>

<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-104312926">
        <wsse:Username>xxxxxxx</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
      </wsse:UsernameToken>

<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-104310599">
        <wsu:Created>2008-01-16T21:28:44.081Z</wsu:Created>
        <wsu:Expires>2008-01-16T21:33:44.081Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
</soapenv:Header>

Web service security in PI

Mine is PROXY to SOAP asynchronous.
PI consumes the service, my requirement is when PI calls the service I need to pass web service security in SOAP header.
so that at receiver statem they can validate the user using these.
When i am calling webservice from soapui with the header parameters
Username , Password and Password Type - PasswordText , it is able to get results. The soapui tool automatically adds the following in the soap header -
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-9368150" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>xxxxx</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxxxx</wsse:Password>
<wsse:Nonce>aOA1P6t2hJPRyuraQ/IliQ==</wsse:Nonce>
<wsu:Created>2009-07-10T14:58:33.781Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
What configuration needs to be done in PI.

I got this in Runtime work bench
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
- <SOAP:Header>
- <sap:Main xmlns:sap="http://sap.com/xi/XI/Message/30" versionMajor="3" versionMinor="0" SOAP:mustUnderstand="1" xmlns:wsu="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsuid-main-92ABE13F5C59AB7FE10000000A1551F7">
<sap:MessageClass>ApplicationMessage</sap:MessageClass>
<sap:ProcessingMode>asynchronous</sap:ProcessingMode>
<sap:MessageId>4a3a1651-b19b-0199-e100-8000aa064690</sap:MessageId>
<sap:TimeSent>2009-07-15T15:46:10Z</sap:TimeSent>
- <sap:Sender>
<sap:Party agency="" scheme="" />
<sap:Service>test2310</sap:Service>
</sap:Sender>
- <sap:Receiver>
<sap:Party agency="" scheme="" />
<sap:Service>test_serivce</sap:Service>
</sap:Receiver>
<sap:Interface namespace="urn:Publish">msgIF_publish_I_Async</sap:Interface>
</sap:Main>
- <sap:ReliableMessaging xmlns:sap="http://sap.com/xi/XI/Message/30" SOAP:mustUnderstand="1">
<sap:QualityOfService>ExactlyOnce</sap:QualityOfService>
</sap:ReliableMessaging>
- <sap:Diagnostic xmlns:sap="http://sap.com/xi/XI/Message/30" SOAP:mustUnderstand="1">
<sap:TraceLevel>Fatal</sap:TraceLevel>
<sap:Logging>On</sap:Logging>
</sap:Diagnostic>
- <sap:HopList xmlns:sap="http://sap.com/xi/XI/Message/30" SOAP:mustUnderstand="1">
- <sap:Hop timeStamp="2009-07-15T15:46:10Z" wasRead="false">
<sap:Engine type="BS">test_serivce</sap:Engine>
<sap:Adapter namespace="http://sap.com/xi/XI/System">XI</sap:Adapter>
<sap:MessageId>4a3a1651-b19b-0199-e100-8000aa064690</sap:MessageId>
<sap:Info>3.0</sap:Info>
</sap:Hop>
- <sap:Hop timeStamp="2009-07-15T15:46:11Z" wasRead="false">
<sap:Engine type="IS">is.68.devai020</sap:Engine>
<sap:Adapter namespace="http://sap.com/xi/XI/System">XI</sap:Adapter>
<sap:MessageId>4a3a1651-b19b-0199-e100-8000aa064690</sap:MessageId>
<sap:Info>3.0</sap:Info>
</sap:Hop>
- <sap:Hop timeStamp="2009-07-15T15:46:12Z" wasRead="false">
<sap:Engine type="AE">af.dxi.devai020</sap:Engine>
<sap:Adapter namespace="http://sap.com/xi/XI/System">XIRA</sap:Adapter>
<sap:MessageId>4a3a1651-b19b-0199-e100-8000aa064690</sap:MessageId>
</sap:Hop>
</sap:HopList>
</SOAP:Header>
Edited by: Vamsi on Jul 15, 2009 7:06 PM

Web Service Security using OpenSSO

Hi,
I have a question regarding the usage of the OpenSSO in order to secure web services.
I have read the documentation and it states the OpenSSO enables web service security.
However, in the docs the main scenario is where the WSC and WSP are protected by the agent.
In my scenario, I would like to use agents only on the WSP side, but leave the implementation of the client side open to the partners. Partners will have the interface from the OpenSSO for the authentication and saml token retrieval. The client will have to create soap by itself. This is the case since the WSC are to be standalone applications on client computers.
To set the actual question; what are web service interfaces that OpenSSO as a STS offers for authentication and saml token issuance. Is there same sort of a referential architecture for this case where only the STS and WSP can be configured and the WSC implementation of the WSS left to the partner. Any pointers and directions would be appreciated.
Thanks!

Hi
Thanks for your reply
I downloaded OC4J 10.1.2.0.2 and ran it as as a standalone server.
I read the blog you linked and made the changes to the web.xml for the webservice. All of which I was able to do using the property palette in jdev 10.1.2.1.0.
I deployed my webservice to my oc4j standalone server and it appeared as a new application. I editied the orion-web.xml for the new application manually.
When I point my browser at the webservice I get the test page which allows me to pass parameters to the webserive. I invoke the webservice (which does a HTTP GET according to the test page) and the webservice runs. No user and password is needed though.
What is the expected behaviour? I was hoping that the webservice wouldn't run until I supplied the admin user name and password
paul

Oracle Service Bus 11gR1 - missing Web Services Security Configuration?

I am trying to configure a web service which uses username token policy.
The below option is missing in Proxy Service --> Security
Web Services Security Configuration
Process WS-Security Header Yes NoIs there anything that needs to be enabled for the above to show up in Proxy Service-->Security.

This option was enabled by removing the username token policy from the wsdl file.
Thanks for looking.

Web Services Security - What to expect

I am reviewing a vendor�s product that will run on a J2EE platform. One of the features of this product is a web services framework for developing web services. What I want to assess is how well they support web services security. They may say they rely on the underlying application server to �do the security stuff� � is this enough?
A further question is: what should I expect from different J2EE application server vendors in the area of security. Is there reasonable compliance between them or is there still an amount of proprietary implementation, that will ultimately result in application server lock-in, should I need a particular security feature?

I may have posted this to the wrong area so I have also now posted it to the web services technology forum (although the layout of the forums made this area look as though it was a sub set of web services). So excuse the duae posting, although arguably it is a portability issue standalone also.

How to make my Portal Web Service SECURED?

Hi Experts,
I created one portal Service and exposed it as Portal Web Service.
Everything is working fine, as i deployed my Portal Web Service on to the SAP J2EE Engine ie SAP Server.
I m able to access functions of Web Service from my StandAlone Java Application.
but the problem is my Web Service is not SECURED.
How can i make my Portal Web Service SECURED?
Please help me out.
Help will be appreciated and rewarded!!!!!

user13046122 wrote:
I have an old pl/sql "helper" package, originally written to make SOAP Web Service calls from the database - it uses UTL_HTTP to invoke the target services.
I now need to make SOAP Web Service calls - from an 8.1.7.4 database
But the version of UTL_HTTP inside 8.1.7.4 does not contain the functions needed in the helper package
Can anybody suggest a means of making SOAP Web Service calls from an 8.1.7.4 database ?I think you'll be very lucky to find anyone here who still has access to a version of Oracle that is that old.... I mean... that's like what? 15 years old at least? I'm surprised you've still got hardware that can run that.
It would probably help if you could post what code you've got and explain which function(s) it's complaining about, as I doubt people will want to guess.

Web Service Security X509 token issue...

Similar Messages

Maybe you are looking for