users@jax-rpc.java.net

Re: generating new keystore and trusted store certificates with jwsdp-1.5 ....

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Wed, 27 Apr 2005 17:40:20 +0530

We have the keystores regenerated and ready. I think it's a matter of our
legal clearing before they get posted. Will check and let you know soon.

jagan wrote:

> Hi All,
>
> The keystore and trusted store certificates which are part of the
> jwsdp-1.5 are no longer useful.
>
> I tried to create my own certificates to replace the supplied
> certificates, but unfortunately I was not successful. I am herewith giving
> the procedures I adopted in creating certificates. I would really be happy
> if someone gave some helping hand in fixing this problem.
>
> =================================================================
> First I created my own certification Authority
> ==============================
> mkdir demoCA
> mkdir demoCA/private
> mkdir demoCA/newcerts
> touch demoCA/index.txt
> touch demoCA/serial
> echo "01" > demoCA/serial
> openssl req -x509 -days 365 -newkey rsa:1024 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -passout pass:capass
> -------------------------------------------------------------------------------------------------------------------------
>
> Client Key Store Generation
> ====================
> openssl req -nodes -newkey 1024 -keyout client.key -out client.req
> openssl ca -in client.req -out client.crt -notext -passin pass:capass
> openssl pkcs12 -in client.crt -inkey client.key -export -out client.p12 -nodes -CAfile demoCA/cacert.pem
> ----------------------------------------------
> Importing certificates into the client keystores
> ----------------------------------------------
> keytool -import -trustcacerts -alias certificate-authority -file cacert.pem -keystore client-keystore.jks -storepass changeit
> pkcs12import.sh -file client.p12 -keystore client-keystore.jks -alias xws-security-client
> ------------------------------------------------------------------------------------------------------
>
> Server Keystore
> -------------------
> openssl req -nodes -newkey 1024 -keyout server.key -out server.req
> openssl ca -in server.req -out server.crt -notext -passin pass:capass
> openssl pkcs12 -in server.crt -inkey server.key -export -out server.p12 -nodes -CAfile demoCA/cacert.pem
> --------------------------------------------------------
> Importing server certificates into the Server keystore ...
> ---------------------------------------------------------
> keytool -import -trustcacerts -alias certificate-authority -file cacert.pem -keystore server-keystore.jks -storepass changeit
> pkcs12import.sh -file ~/cert/server.p12 -keystore server-keystore.jks -alias s1as
> -----------------------------------------------------------------------------------------------------
>
> Server trusted .....
> ==================================
> keytool -import -trustcacerts -alias certificate-authority -file cacert.pem -keystore server-truststore.jks -storepass changeit
>
> keytool -import -trustcacerts -file client.crt -keystore server-truststore.jks -storepass changeit -alias xws-security-client
> ==========================================================================
>
> Client trusted
>
> keytool -import -trustcacerts -alias certificate-authority -file cacert.pem -keystore client-truststore.jks -storepass changeit
>
> keytool -import -trustcacerts -file server.crt -keystore client-truststore.jks -storepass changeit -alias s1as
> -------------------------------------------------------------------------------------------------------
>
>
> I replaced the files in the directory
> /cygdrive/c/jwsdp-1.5/xws-security/etc with the new ones.
> ================================================================
> I am getting the following error message when I enable
> client.security.config=config/sign-client.xml
> and client.security.config=config/sign-server.xml in build.properties
> file in the sample.
> ==============================================================
> The web log shows the following error message ......
> ====================================
> INFO: ==== Received Message Start ====
> <?xml version="1.0" encoding="UTF-8"?>
> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
> xmlns:ns0="http://com.test/wsdl/MyJobrun"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
> <env:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> env:mustUnderstand="1">
> <wsse:BinarySecurityToken
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> wsu:Id="Id7195803132116813894">[base64-encoded X.509 certificate omitted]</wsse:BinarySecurityToken>
>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#Id1745895204691890536">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>dsL0YRE8j1dhtMdyGH7Ull9d8SA=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#Id6832993404318231966">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>Wuy/Gaq+CX46IbX+8z+fFha+v1E=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> MI3z3GjXIiuGJZiKx3oKtxpE/ZjoIObPgsz3nRUDF2bdwhmC35yvhRPAjzz67LKn55E22HJ37SlP
> sTynoRB7Fd6R++dX4QJWSxiBGt2JLOe/sX1yfK3gDOEz/5FDHnhlS2TE1aoiQ3cWYXijyW6OOlNE
> KaodTr1jCtR32MaaFuY=
> </ds:SignatureValue>
> <ds:KeyInfo>
> <wsse:SecurityTokenReference>
> <wsse:Reference URI="#Id7195803132116813894"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> <wsu:Timestamp
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Id6832993404318231966">
> <wsu:Created>2005-04-27T04:54:41Z</wsu:Created>
> <wsu:Expires>2005-04-27T04:59:41Z</wsu:Expires>
> </wsu:Timestamp>
> </wsse:Security>
> </env:Header>
> <env:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Id1745895204691890536">
> <ns0:jobrun>
> <String_1 xsi:type="xsd:string">hostname</String_1>
> </ns0:jobrun>
> </env:Body>
> </env:Envelope>
> ==== Received Message End ====
>
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
> at com.sun.xml.wss.sample.SecurityEnvironmentHandler$X509CertificateValidatorImpl.validate(SecurityEnvironmentHandler.java:552)
> at com.sun.xml.wss.impl.callback.CertificateValidationCallback.getResult(CertificateValidationCallback.java:38)
> at com.sun.xml.wss.impl.DefaultSecurityEnvironmentImpl.validateCertificate(DefaultSecurityEnvironmentImpl.java:616)
> at com.sun.xml.wss.filter.ImportCertificateTokenFilter.process(ImportCertificateTokenFilter.java:71)
> at com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.processBinarySecurityToken(ExtendedProcessSecurityHeaderFilter.java:553)
> at com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.processingHook(ExtendedProcessSecurityHeaderFilter.java:487)
> at com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.process(ExtendedProcessSecurityHeaderFilter.java:83)
> at com.sun.xml.wss.SecureCorrespondent.filterMessage(SecureCorrespondent.java:39)
> at com.sun.xml.wss.SecureCorrespondent.filterMessageInContext(SecureCorrespondent.java:52)
> at com.sun.xml.wss.SecurityRecipient.acceptHeaderElement(SecurityRecipient.java:56)
> at com.sun.xml.rpc.security.SecurityPluginUtil.preHandlingHook(SecurityPluginUtil.java:312)
> at jobrun.JobrunIF_Tie.preHandlingHook(JobrunIF_Tie.java:239)
> at com.sun.xml.rpc.server.StreamingHandler.handle(StreamingHandler.java:102)
> at com.sun.xml.rpc.server.http.JAXRPCServletDelegate.doPost(JAXRPCServletDelegate.java:443)
> at com.sun.xml.rpc.server.http.JAXRPCServlet.doPost(JAXRPCServlet.java:102)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
> at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:535)
> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
> at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:790)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:709)
> at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:572)
> at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:644)
> at java.lang.Thread.run(Thread.java:595)
> 27/04/2005 14:54:42
> com.sun.xml.wss.filter.ImportCertificateTokenFilter process
> SEVERE: WSS0156: Exception [ Certificate validation failed ] while
> validating certificate
> 27/04/2005 14:54:42 com.sun.xml.wss.filter.DumpFilter process
> INFO: ==== Response Start ====
> <?xml version="1.0" encoding="UTF-8"?>
> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
> xmlns:ns0="http://com.test/wsdl/MyJobrun"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
> <env:Body>
> <env:Fault>
> <faultcode
> xmlns:ans1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ans1:InvalidSecurityToken</faultcode>
> <faultstring>Certificate validation failed</faultstring>
> </env:Fault>
> </env:Body>
> </env:Envelope>
> ==== Response End ====
> ==============================================
> I tried these certificates with an SSL connection and they worked
> perfectly fine without any problem.
>
> With regards,
>
> Jagan Kommineni
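The check that fails in the trace above (the PKIX path build inside SecurityEnvironmentHandler$X509CertificateValidatorImpl.validate) can be replayed outside the web service with the following Java program, an added diagnostic that is not code from the thread or from JWSDP. It assumes the file names and the changeit store password from the quoted keytool commands, and needs Java 7 or later for try-with-resources.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
/** Added diagnostic, not JWSDP code: replays the PKIX path build the server does on a client cert. */
public class CertPathCheck {
    /** Builds a path from target to a trust anchor in trustStore; returns the anchor's subject DN. */
    public static String checkPath(KeyStore trustStore, X509Certificate target) throws Exception {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, selector);
        params.setRevocationEnabled(false); // the demo CA above publishes no CRL
        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        return result.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
    }
    public static void main(String[] args) throws Exception {
        // Defaults follow the quoted commands (assumed); override on the command line.
        String trustStorePath = args.length > 0 ? args[0] : "server-truststore.jks";
        String certFile = args.length > 1 ? args[1] : "client.crt";
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, "changeit".toCharArray());
        }
        X509Certificate target;
        try (FileInputStream in = new FileInputStream(certFile)) {
            target = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("subject: " + target.getSubjectX500Principal());
        System.out.println("issuer : " + target.getIssuerX500Principal());
        // List every anchor so a missing or mismatched issuer is visible before the build runs.
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate c = trustStore.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("anchor '" + alias + "': " + x.getSubjectX500Principal()
                        + ", basicConstraints pathLen=" + x.getBasicConstraints() + " (-1 = not a CA)");
            }
        }
        try {
            System.out.println("path OK, anchored at " + checkPath(trustStore, target));
        } catch (CertPathBuilderException e) {
            // The same exception the WSS0156 log entry wraps.
            System.out.println("path FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it against each truststore and certificate pair (server-truststore.jks with client.crt, client-truststore.jks with server.crt); the issuer printed for the certificate must appear as one of the listed anchors for the build to succeed.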
>