users@jax-rpc.java.net

generating new keystore and trusted store certificates with jwsdp-1.5 ....

From: jagan <Jagan.Kommineni_at_infotech.monash.edu.au>
Date: Wed, 27 Apr 2005 16:58:50 +1000

Hi All,

The keystore and truststore certificates which are part of jwsdp-1.5 are
no longer useful.

I tried to create my own certificates to replace the supplied ones, but
unfortunately I was not successful. I am giving herewith the procedure I
adopted in creating the certificates. I would really be happy if someone
could give a helping hand in fixing this problem.

=================================================================
First I created my own certification authority
=================================================================
mkdir demoCA
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
touch demoCA/serial
echo "01" > demoCA/serial
openssl req -x509 -days 365 -newkey rsa:1024 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -passout pass:capass
-----------------------------------------------------------------
Client keystore generation
-----------------------------------------------------------------
openssl req -nodes -newkey 1024 -keyout client.key -out client.req
openssl ca -in client.req -out client.crt -notext -passin pass:capass
openssl pkcs12 -in client.crt -inkey client.key -export -out client.p12 -nodes -CAfile demoCA/cacert.pem
-----------------------------------------------------------------
Importing certificates into the client keystore
-----------------------------------------------------------------
keytool -import -trustcacerts -alias certificate-authority -file cacert.pem -keystore client-keystore.jks -storepass changeit
pkcs12import.sh -file client.p12 -keystore client-keystore.jks -alias xws-security-client
-----------------------------------------------------------------
Server keystore
-----------------------------------------------------------------
openssl req -nodes -newkey 1024 -keyout server.key -out server.req
openssl ca -in server.req -out server.crt -notext -passin pass:capass
openssl pkcs12 -in server.crt -inkey server.key -export -out server.p12 -nodes -CAfile demoCA/cacert.pem
-----------------------------------------------------------------
Importing server certificates into the server keystore ...
-----------------------------------------------------------------
keytool -import -trustcacerts -alias certificate-authority -file cacert.pem -keystore server-keystore.jks -storepass changeit
pkcs12import.sh -file ~/cert/server.p12 -keystore server-keystore.jks -alias s1as
-----------------------------------------------------------------
Server truststore .....
-----------------------------------------------------------------
keytool -import -trustcacerts -alias certificate-authority -file cacert.pem -keystore server-truststore.jks -storepass changeit

keytool -import -trustcacerts -file client.crt -keystore server-truststore.jks -storepass changeit -alias xws-security-client
-----------------------------------------------------------------
Client truststore
-----------------------------------------------------------------
keytool -import -trustcacerts -alias certificate-authority -file cacert.pem -keystore client-truststore.jks -storepass changeit

keytool -import -trustcacerts -file server.crt -keystore client-truststore.jks -storepass changeit -alias s1as
-----------------------------------------------------------------

I replaced the files in the directory
/cygdrive/c/jwsdp-1.5/xws-security/etc with the new ones.
================================================================
I am getting the following error message when I enable
client.security.config=config/sign-client.xml
and client.security.config=config/sign-server.xml in the build.properties
file of the sample.
==============================================================
The web log shows the following error message ......
====================================
INFO: ==== Received Message Start ====
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns0="http://com.test/wsdl/MyJobrun"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<env:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
env:mustUnderstand="1">
<wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="Id7195803132116813894">MIIDTDCCArWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJOQTELMAkGA1UECBMC...=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Id1745895204691890536">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>dsL0YRE8j1dhtMdyGH7Ull9d8SA=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Id6832993404318231966">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Wuy/Gaq+CX46IbX+8z+fFha+v1E=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
MI3z3GjXIiuGJZiKx3oKtxpE/ZjoIObPgsz3nRUDF2bdwhmC35yvhRPAjzz67LKn55E22HJ37SlP
sTynoRB7Fd6R++dX4QJWSxiBGt2JLOe/sX1yfK3gDOEz/5FDHnhlS2TE1aoiQ3cWYXijyW6OOlNE
KaodTr1jCtR32MaaFuY=
</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#Id7195803132116813894"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id6832993404318231966">
<wsu:Created>2005-04-27T04:54:41Z</wsu:Created>
<wsu:Expires>2005-04-27T04:59:41Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</env:Header>
<env:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id1745895204691890536">
<ns0:jobrun>
<String_1 xsi:type="xsd:string">hostname</String_1>
</ns0:jobrun>
</env:Body>
</env:Envelope>
==== Received Message End ====

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
    at com.sun.xml.wss.sample.SecurityEnvironmentHandler$X509CertificateValidatorImpl.validate(SecurityEnvironmentHandler.java:552)
    at com.sun.xml.wss.impl.callback.CertificateValidationCallback.getResult(CertificateValidationCallback.java:38)
    at com.sun.xml.wss.impl.DefaultSecurityEnvironmentImpl.validateCertificate(DefaultSecurityEnvironmentImpl.java:616)
    at com.sun.xml.wss.filter.ImportCertificateTokenFilter.process(ImportCertificateTokenFilter.java:71)
    at com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.processBinarySecurityToken(ExtendedProcessSecurityHeaderFilter.java:553)
    at com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.processingHook(ExtendedProcessSecurityHeaderFilter.java:487)
    at com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.process(ExtendedProcessSecurityHeaderFilter.java:83)
    at com.sun.xml.wss.SecureCorrespondent.filterMessage(SecureCorrespondent.java:39)
    at com.sun.xml.wss.SecureCorrespondent.filterMessageInContext(SecureCorrespondent.java:52)
    at com.sun.xml.wss.SecurityRecipient.acceptHeaderElement(SecurityRecipient.java:56)
    at com.sun.xml.rpc.security.SecurityPluginUtil.preHandlingHook(SecurityPluginUtil.java:312)
    at jobrun.JobrunIF_Tie.preHandlingHook(JobrunIF_Tie.java:239)
    at com.sun.xml.rpc.server.StreamingHandler.handle(StreamingHandler.java:102)
    at com.sun.xml.rpc.server.http.JAXRPCServletDelegate.doPost(JAXRPCServletDelegate.java:443)
    at com.sun.xml.rpc.server.http.JAXRPCServlet.doPost(JAXRPCServlet.java:102)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:535)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:790)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:709)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:572)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:644)
    at java.lang.Thread.run(Thread.java:595)
27/04/2005 14:54:42 com.sun.xml.wss.filter.ImportCertificateTokenFilter process
SEVERE: WSS0156: Exception [ Certificate validation failed ] while validating certificate
27/04/2005 14:54:42 com.sun.xml.wss.filter.DumpFilter process
INFO: ==== Response Start ====
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns0="http://com.test/wsdl/MyJobrun"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<env:Body>
<env:Fault>
<faultcode
xmlns:ans1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ans1:InvalidSecurityToken</faultcode>
<faultstring>Certificate validation failed</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
==== Response End ====
==============================================
I tried these certificates with an SSL connection and they worked perfectly
fine without any problem.
with regards,

Jagan Kommineni
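Added example, not code from the post or from the jwsdp-1.5 sample: a standalone Java program that performs the same PKIX path build that the stack trace shows SecurityEnvironmentHandler$X509CertificateValidatorImpl running, so a freshly built truststore can be checked against a certificate from the command line before it is wired into XWS-Security. The class name TrustCheck and its command-line arguments are my own; the file names and the changeit password are the ones used in the post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example, not code from the post or from the jwsdp-1.5 sample.
public class TrustCheck {
    // Builds a PKIX path from the presented certificate to a trust anchor taken
    // from the JKS truststore, the same check X509CertificateValidatorImpl makes.
    public static CertPath buildPath(String trustStore, char[] storePass,
                                     X509Certificate presented) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStore)) {
            ts.load(in, storePass);
        }
        // Every trusted-certificate entry (here: alias certificate-authority,
        // plus whatever else was imported) becomes a trust anchor.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ts.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ts.getCertificate(alias), null));
            }
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(presented);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false);   // the demoCA publishes no CRL
        // The end-entity certificate must be discoverable by the builder; any
        // intermediate CA certificates (none in this setup) would be added here too.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singleton(presented))));
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    // Usage: java TrustCheck client.crt server-truststore.jks
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate presented;
        try (FileInputStream in = new FileInputStream(args[0])) {
            presented = (X509Certificate) cf.generateCertificate(in);   // PEM is accepted
        }
        try {
            CertPath path = buildPath(args[1], "changeit".toCharArray(), presented);
            System.out.println("path built, length " + path.getCertificates().size());
        } catch (CertPathBuilderException ex) {
            // This is the "unable to find valid certification path" case from the log:
            // the issuer of the presented certificate is not among the trust anchors.
            System.out.println("validation failed: " + ex.getMessage());
        }
    }
}
```

If this program fails on the same client.crt and server-truststore.jks while openssl verify against demoCA/cacert.pem succeeds, the problem lies in the truststore contents or the alias the sample's handler loads, not in the certificates themselves.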