RE: Re: Adding X.509 certificate to SOAP Header

From: Paul Worrall <>
Date: Fri, 21 Jan 2005 12:58:55 -0000


1. I was not asked to create or provide any keys. I was just sent a
certificate as a result of going through an online request process.

2. In IE Tools->Internet Options->Content->Certificates->Personal I see
the certificate that was issued to me and picked up by IE at the end of
the process. In the Certificates->Trusted Root Certificate Authorities
there is a server certificate that was pickup up when I first used the
https: service from a browser to see if I could see the WSDL.

3. Because I got a javax.xml.rpc.soap.SOAPFaultException: No authorised
X.509 certificate I presume that was thrown by the endpoint. Hence, an
SSL channel had been correctly established. This fault is just telling
me that the web service is expecting a certificate/signature/whatever or
whatever to be presented/applied/whatever.

I am still not sure what the .NET implementation is because, you are
right, I haven't heard anything about any key pairs. However, putting
that to one side I have been busy figuring out how to sign a SOAP
message at the JAX-RPC level. I have found that WSDP 1.3 had some
helper classes,*, and that WSDP 1.5 now has a
declarative implementation where I can pass an XML security deployment
descriptor to wscompile. The former appears to be obsolete and the
latter requires a SecurityEnvironmentHandler that throws ALL the
implementation details back to me. That is hardly easy when my
objective was to use JAX-RPC stubs to do all this general work for me.

Finally, I am noticing that all the explanations are very much tied into
the container so it is hard to separate out the key processes from Suns
proprietary environment.

I have to get to the bottom of this because my project is about
providing a technical road map for the organisations future development
methodology. It has already been suggested we should just build .NET
clients and be done with it. Scary.


Paul W.

-----Original Message-----
From: Andy Wolf []
Sent: 21 January 2005 12:00
Subject: Re: Adding X.509 certificate to SOAP Header

Hello Paul,

Paul Worrall wrote:
> They had me go through a process with a web app, Microsoft Certificate
> Services, to request a certificate. Among other details I was
> instructed to ask for a Client Authentication Certificate and
> subsequently use IE to export it to a .cer file.

So what you got is a client certificate. I assume that during the
process they have had your IE create the public and private keys and
sumbit the public key to the server as part of a certificate signing
request. At least this is something I have seen at other similar

Now the question is what has been exported by IE into the .cer file.
Only the Certificate including the public key? Most probably you will
need the private key as well...

> As my first assumption was that it was for SSL mutual authentication I
> successfully set up a keystore and a trust store. I obtained their
> server certificate and put that and the certificate provided in the
> appropriate keystores.

Well this sounds like server certificate only which might not be enough.

As they apparently are talking about a client certificate you might have

to use either both client and server certificate (for authentication) or

only the client certificate (for decryption).

For authentication you will need the server certificate including the
public key for verification of the server identity and you will need the

client certificate resp. the client private key for encrypting a token
that the server can decrpyt for verification of identity.

> That all worked as far as SSL was concerned

So you were already able to set up an SSL connection including server
and client authentication?

> but then I got a SOAP fault.
> javax.xml.rpc.soap.SOAPFaultException: No authorised X.509 certificate
> detected

Not authorized sounds like the certificate of the certification
authority could not be found. Have you checked the truststore setup?

>>>From the .NET peoples perspective they provide the following example
> VB.NET code for users of their web service:

> Their presumption is that I have a Java API that is similar. They
> create a certificate object and add it to the webservice object.

Obviously you will have to dig deeper into this .NET stuff and find out
what really happens here :-)

Good luck...Andy

To unsubscribe, e-mail:
For additional commands, e-mail:

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

To unsubscribe, e-mail:
For additional commands, e-mail: