users@jax-rpc.java.net

RE: Re: Adding X.509 certificate to SOAP Header

From: Paul Worrall <Paul.Worrall_at_becta.org.uk>
Date: Wed, 19 Jan 2005 16:53:09 -0000

Andy,

I appreciate the help.

They had me go through a process with a web app, Microsoft Certificate
Services, to request a certificate. Among other details I was
instructed to ask for a Client Authentication Certificate and
subsequently use IE to export it to a .cer file.

As my first assumption was that it was for SSL mutual authentication I
successfully set up a keystore and a trust store. I obtained their
server certificate and put that and the certificate provided in the
appropriate keystores. That all worked as far as SSL was concerned but
then I got a SOAP fault.

javax.xml.rpc.soap.SOAPFaultException: No authorised X.509 certificate detected
        at com.sun.xml.rpc.client.StreamingSender._raiseFault(StreamingSender.java:360)
        at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:224)
        at edubase.EstablishmentSoap_Stub.retrieveLookupFields(EstablishmentSoap_Stub.java:666)
        at uk.gov.ngfl.portal.wsc.JaxEduWSClient.main(JaxEduWSClient.java:57)


From the .NET people's perspective they provide the following example
VB.NET code for users of their web service:

===============================================================================
Imports System.Security.Cryptography.X509Certificates

Module WSTest

  Sub Main()
    Console.WriteLine("Application begun, instancting object...")

    Dim svc As AppBase.WebServices = New AppBase.WebServices()

    Console.WriteLine("Object instanced successfully...")

    ' First call: no certificate attached to the proxy.
    Try
      svc.RetrieveDeletedEstablishments()
      Console.WriteLine("Call succeeded without credentials...")
    Catch exc As Exception
      Console.WriteLine("Call failed without credentials: " & exc.ToString())
    End Try

    ' Load the certificate from the exported .cer file and add it to the proxy.
    Dim x509Cert As X509Certificate = _
      X509Certificate.CreateFromCertFile("c:\appbase.cer")

    svc.ClientCertificates.Add(x509Cert)

    ' Second call: same method, now with the certificate attached.
    Try
      svc.RetrieveDeletedEstablishments()
      Console.WriteLine("Call succeeded with credentials...")
    Catch exc As Exception
      Console.WriteLine("Call failed with credentials: " & exc.ToString())
    End Try

    Console.WriteLine("Application terminating...")
  End Sub

End Module

===============================================================================

Their presumption is that I have a Java API that is similar. They just
create a certificate object and add it to the webservice object.

Now this doesn't imply anything about extracting private or public keys
and using them in any way. Hopefully I am in the right place with the
XWS-Security SecurityEnvironmentHandler but I seem to be going to
greater lengths.

TIA




-----Original Message-----
From: Andy Wolf [mailto:andy.wolf_at_schwaben.de]
Sent: 19 January 2005 11:39
To: users_at_jax-rpc.dev.java.net
Subject: Re: Adding X.509 certificate to SOAP Header

Hi,

to me it looks like the WebService provider quoted below does not know
what he is talking about.

An SSL Certificate is only a document that certifies that a specific
public key belongs to a certain person or organization. It therefore
contains the public key, the information about the owner and a digital
signature from a well-known party (certificate authority).

You do not use the X.509 certificate but only the public key that is
included. You can either use this key to encrypt messages to or to
validate a digital signature from the other party.

In both cases you have to set up a keystore that contains the public key
and you have to have a truststore which contains the public key of the
certificate authority.

So in your case you might either want to set up an encrypted and
authenticated communication (HTTPS) or you might want to encrypt or sign
the data that is transferred.

If the certificate really is a client certificate then you do have a
private key and you must have sent a Certificate Signing Request (CSR)
to your Web Service provider. If this is not the case, the certificate
most likely is a server certificate...

Maybe you should try to find someone at your Web Service provider who
knows about these kinds of things ;-)

regards
Andy

Paul Worrall wrote:
> From the pointer Vishal kindly gave I now have a more focussed question
> with regard to the XWS-Security framework and the
> SecurityEnvironmentHandler Class required for the security configuration
> file.
>
>
>
> It looks like what this handler does is general enough to be generated
> with the stub classes when you use wscompile. Do I really have to
> provide my own implementation?
>
>
>
> TIA
>
>
>
> Paul
>
>
>
>
>
>
> ------------------------------------------------------------------------
>
> *From:* Paul Worrall
> *Sent:* 18 January 2005 11:47
> *To:* users_at_jax-rpc.dev.java.net
> *Subject:* RE: Re: Adding X.509 certificate to SOAP Header
>
>
>
> Hi,
>
>
>
> Actually it is expecting me to present the certificate for
> authentication. Not encrypting the message. I quote the Web Service
> provider:-
>
>
>
> "The client certificate is not for mutual SSL authentication, it is for
> attaching to the web service SOAP call. Within the web service method on
> our side, we look for the attached certificate and check the credentials
> within it before proceeding. It sounds like it's at this point that
> we're currently rejecting your call. I'm not sure how you attach an
> X.509 certificate to a java call, but the documentation you've got gives
> examples of how to do it in .Net if that helps."
>
>
>
> ...
>
>
>
>
> ------------------------------------------------------------------------
>
> *From:* Vishal Mahajan [mailto:Vishal.Mahajan_at_Sun.COM]
> *Sent:* 18 January 2005 09:57
> *To:* users_at_jax-rpc.dev.java.net
> *Subject:* Re: Adding X.509 certificate to SOAP Header
>
>
>
> Hi Paul,
>
> I would guess that the web service expects your client to use its
> certificate for encrypting the requests. For such a use-case you can use
> the XML and Web Services Security component in JWSDP 1.5. For detailed
> information on this component, you may refer to Ch-3 of the JWSDP tutorial
> - http://java.sun.com/webservices/docs/1.5/tutorial/doc/index.html.
>
> HTH,
>
> Vishal
>
> Paul Worrall wrote:
>
> I have been provided with an X.509 digital certificate by a web service
> endpoint provider to be able to access their web service. This is not
> for use in mutual authentication at the SSL level but for presentation
> in the SOAP Header.
>
> I have used wscompile to generate static stubs against the provider's WSDL.
>
> I cannot find any documentation on how to add this certificate to the
> SOAP message from the JAX-RPC, wscompile generated, stub classes.
>
> Can anyone help?
>
> TIA
>
>
>
> Regards
>
>
>
>
>
> Paul Worrall
>
> Portal Technology and Innovation
>
> BECTA
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_jax-rpc.dev.java.net
For additional commands, e-mail: users-help_at_jax-rpc.dev.java.net
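
Added example (not part of the original thread): Andy's distinction between a certificate on its own and a client certificate backed by a private key can be checked against a Java keystore. The class name `ClientCertCheck` and the two command-line arguments (keystore path and password) are assumptions made for this illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

// Added example: reports, per keystore alias, whether the entry holds a private
// key (required to authenticate as a client) or only a certificate.
public class ClientCertCheck {
    // Extended Key Usage OID for client authentication (id-kp-clientAuth).
    static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";

    // Describe one alias: entry kind, subject, issuer and client-auth EKU status.
    static String describe(KeyStore ks, String alias) throws Exception {
        boolean hasKey = ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class);
        String kind = hasKey ? "private key + certificate"
                             : "no private key (certificate only or other entry)";
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) {
            return alias + ": " + kind;
        }
        X509Certificate x = (X509Certificate) c;
        List<String> eku = x.getExtendedKeyUsage(); // null when the extension is absent
        String usage = (eku == null) ? "no EKU extension"
                     : eku.contains(CLIENT_AUTH_OID) ? "EKU includes clientAuth"
                     : "EKU lacks clientAuth";
        return alias + ": " + kind
             + "; subject=" + x.getSubjectX500Principal().getName()
             + "; issuer=" + x.getIssuerX500Principal().getName()
             + "; " + usage;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: path to the keystore file and its password.
        if (args.length != 2) {
            System.err.println("usage: java ClientCertCheck <keystore> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(describe(ks, alias));
        }
    }
}
```

An alias reported without a private key can be trusted by the client but cannot be used to sign anything or to authenticate as that certificate's subject.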





