users@jax-rpc.java.net

Re: generating new keystore and trusted store certificates with jwsdp-1.5 ....

From: jagan <Jagan.Kommineni_at_infotech.monash.edu.au>
Date: Thu, 28 Apr 2005 08:59:29 +1000

Hello Kumar Jayanti,

When you list your server-truststore you should see two entries similar
to what is shown below. Does that happen?

> keytool -list -keystore server-truststore.jks
Enter keystore password: changeit
 
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 2 entries
 
certificate-authority, Apr 12, 2005, trustedCertEntry,
Certificate fingerprint (MD5):
3D:B5:3C:93:F5:65:D5:3D:B5:C5:2E:23:F5:2E:3A:E9
xws-security-client, Apr 12, 2005, trustedCertEntry,
Certificate fingerprint (MD5):
58:5D:0A:BA:A0:FD:46:35:E4:89:C0:4B:92:BB:09:20
---------------------------------------------------------------------------------------------
Here are the two entries similar to your entries in my
server-truststore.jks.

jagan_at_mohan ~/jwsdp-1.5/xws-security/etc
$ keytool -list -keystore server-truststore.jks
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

certificate-authority, 27/04/2005, trustedCertEntry,
Certificate fingerprint (MD5):
2A:38:ED:E9:73:C1:14:AE:84:69:00:8B:79:EB:6C:AF
xws-security-client, 27/04/2005, trustedCertEntry,
Certificate fingerprint (MD5):
A1:B9:DD:1A:D9:5B:E5:A8:2E:D0:17:AE:D8:67:F3:87

jagan_at_mohan ~/jwsdp-1.5/xws-security/etc
--------------------------------------------------------------------------------------
The server-keystore.jks contains the following entries.
=====================================
jagan_at_mohan ~/jwsdp-1.5/xws-security/etc
$ keytool -list -keystore server-keystore.jks
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

certificate-authority, 27/04/2005, trustedCertEntry,
Certificate fingerprint (MD5):
2A:38:ED:E9:73:C1:14:AE:84:69:00:8B:79:EB:6C:AF
s1as, 27/04/2005, keyEntry,
Certificate fingerprint (MD5):
40:47:75:13:3E:87:BA:D1:55:FC:75:80:0F:71:B6:74

jagan_at_mohan ~/jwsdp-1.5/xws-security/etc
$
=============================================================
V B Kumar Jayanti wrote:

> jagan wrote:
>
>> Hi All,
>>
>> The keystore and trusted store certificates which are part of the
>> jwsdp-1.5 are no longer useful.
>>
>> I tried to create my own certificates to replace the supplied
>> certificates; unfortunately I was not successful. I am herewith giving
>> the procedures I adopted in creating the certificates. I would really be
>> happy if someone could give a helping hand in fixing this problem.
>>
>> =================================================================
>> First I created my own certification Authority
>> ==============================
>> mkdir demoCA
>> mkdir demoCA/private
>> mkdir demoCA/newcerts
>> touch demoCA/index.txt
>> touch demoCA/serial
>> echo "01" > demoCA/serial
>> openssl req -x509 -days 365 -newkey rsa:1024 \
>>     -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -passout pass:capass
>> -------------------------------------------------------------------------------------------------------------------------
>>
>> Client Key Store Generation
>> ====================
>> openssl req -nodes -newkey 1024 -keyout client.key -out client.req
>> openssl ca -in client.req -out client.crt -notext -passin pass:capass
>> openssl pkcs12 -in client.crt -inkey client.key -export -out client.p12 -nodes \
>>     -CAfile demoCA/cacert.pem
>> ----------------------------------------------
>> Importing certificates into the client keystores
>> ----------------------------------------------
>> keytool -import -trustcacerts -alias certificate-authority -file cacert.pem \
>>     -keystore client-keystore.jks -storepass changeit
>> pkcs12import.sh -file client.p12 -keystore client-keystore.jks \
>>     -alias xws-security-client
>> ------------------------------------------------------------------------------------------------------
>>
>> Server Keystore
>> -------------------
>> openssl req -nodes -newkey 1024 -keyout server.key -out server.req
>> openssl ca -in server.req -out server.crt -notext -passin pass:capass
>> openssl pkcs12 -in server.crt -inkey server.key -export -out server.p12 -nodes \
>>     -CAfile demoCA/cacert.pem
>> --------------------------------------------------------
>> Importing server certificates into the Server keystore ...
>> ---------------------------------------------------------
>> keytool -import -trustcacerts -alias certificate-authority -file cacert.pem \
>>     -keystore server-keystore.jks -storepass changeit
>> pkcs12import.sh -file ~/cert/server.p12 -keystore server-keystore.jks \
>>     -alias s1as
>> -----------------------------------------------------------------------------------------------------
>>
>> Server truststore .....
>> ==================================
>> keytool -import -trustcacerts -alias certificate-authority -file cacert.pem \
>>     -keystore server-truststore.jks -storepass changeit
>>
>> keytool -import -trustcacerts -file client.crt -keystore server-truststore.jks \
>>     -storepass changeit -alias xws-security-client
>> ==========================================================================
>>
>> Client truststore
>>
>> keytool -import -trustcacerts -alias certificate-authority -file cacert.pem \
>>     -keystore client-truststore.jks -storepass changeit
>>
>> keytool -import -trustcacerts -file server.crt -keystore client-truststore.jks \
>>     -storepass changeit -alias s1as
>> -------------------------------------------------------------------------------------------------------
>>
>>
>> I replaced the files in the directory
>> /cygdrive/c/jwsdp-1.5/xws-security/etc with the new ones.
>> ================================================================
>> I am getting the following error message when I enable
>> client.security.config=config/sign-client.xml
>> and client.security.config=config/sign-server.xml in the build.properties
>> file of the sample.
>> ==============================================================
>> The web log shows the following error message ......
>> ====================================
>> INFO: ==== Received Message Start ====
>> <?xml version="1.0" encoding="UTF-8"?>
>> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
>> xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
>> xmlns:ns0="http://com.test/wsdl/MyJobrun"
>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
>> <env:Header>
>> <wsse:Security
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> env:mustUnderstand="1">
>> <wsse:BinarySecurityToken
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>> wsu:Id="Id7195803132116813894">MIIDTDCCArWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJOQTELMAkGA1UECBMC
>> TkExCzAJBgNVBAcTAk5BMQswCQYDVQQKEwJOQTELMAkGA1UECxMCTkExHjAcBgNVBAMTFWNlcnRp
>> ZmljYXRlLWF1dGhvcml0eTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMDUwNDI3MDIxMjQ2WhcNMDYw
>> NDI3MDIxMjQ2WjBlMQswCQYDVQQGEwJOQTELMAkGA1UECBMCTkExCzAJBgNVBAoTAk5BMQswCQYD
>> VQQLEwJOQTEcMBoGA1UEAxMTeHdzLXNlY3VyaXR5LWNsaWVudDERMA8GCSqGSIb3DQEJARYCTkEw
>> gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKBe3Pome8AiX9nceh/U0YczWWhPuhKoFBOb08ka
>> OwuVT5IlvGu5FsMqG41U3z5pUqI319z7ySUCrfeuu2Yj56aVE9H8CId3IZV6uRGqGPohiLP6nigu
>> 0TXYNsOiLBKIzyXe1nkOiVatC7XwARXR0Jrfq5o31KOqum2AvWSocTebAgMBAAGjgfwwgfkwCQYD
>> VR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
>> VR0OBBYEFMK+rbL/WP7Ih69qVlYbnP8BJyU4MIGeBgNVHSMEgZYwgZOAFNJ2aQ4GrWhV+vcGmsIs
>> boAreQ+BoXikdjB0MQswCQYDVQQGEwJOQTELMAkGA1UECBMCTkExCzAJBgNVBAcTAk5BMQswCQYD
>> VQQKEwJOQTELMAkGA1UECxMCTkExHjAcBgNVBAMTFWNlcnRpZmljYXRlLWF1dGhvcml0eTERMA8G
>> CSqGSIb3DQEJARYCTkGCAQAwDQYJKoZIhvcNAQEEBQADgYEAvVVydcCGBCxJFVPtOxR7P9O8gS+4
>> +tE+tYSkdQdCxndfC+lRfLvhVZBJ9zb3DENyRiKhmUPzt98o/a0DP6Uc96z2QGAm8uzZEzaDtVzz
>> 7JYcBLAeNjVbABuPmTsWYLIS5l9B2k6abjeyVGHynh80Gzi8FfBv7/NrqpiOM6myy9I=</wsse:BinarySecurityToken>
>>
>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> <ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> <ds:Reference URI="#Id1745895204691890536">
>> <ds:Transforms>
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <ds:DigestValue>dsL0YRE8j1dhtMdyGH7Ull9d8SA=</ds:DigestValue>
>> </ds:Reference>
>> <ds:Reference URI="#Id6832993404318231966">
>> <ds:Transforms>
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <ds:DigestValue>Wuy/Gaq+CX46IbX+8z+fFha+v1E=</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>
>> MI3z3GjXIiuGJZiKx3oKtxpE/ZjoIObPgsz3nRUDF2bdwhmC35yvhRPAjzz67LKn55E22HJ37SlP
>> sTynoRB7Fd6R++dX4QJWSxiBGt2JLOe/sX1yfK3gDOEz/5FDHnhlS2TE1aoiQ3cWYXijyW6OOlNE
>> KaodTr1jCtR32MaaFuY=
>> </ds:SignatureValue>
>> <ds:KeyInfo>
>> <wsse:SecurityTokenReference>
>> <wsse:Reference URI="#Id7195803132116813894"
>> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>> </wsse:SecurityTokenReference>
>> </ds:KeyInfo>
>> </ds:Signature>
>> <wsu:Timestamp
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="Id6832993404318231966">
>> <wsu:Created>2005-04-27T04:54:41Z</wsu:Created>
>> <wsu:Expires>2005-04-27T04:59:41Z</wsu:Expires>
>> </wsu:Timestamp>
>> </wsse:Security>
>> </env:Header>
>> <env:Body
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="Id1745895204691890536">
>> <ns0:jobrun>
>> <String_1 xsi:type="xsd:string">hostname</String_1>
>> </ns0:jobrun>
>> </env:Body>
>> </env:Envelope>
>> ==== Received Message End ====
>>
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
>> at com.sun.xml.wss.sample.SecurityEnvironmentHandler$X509CertificateValidatorImpl.validate(SecurityEnvironmentHandler.java:552)
>> at com.sun.xml.wss.impl.callback.CertificateValidationCallback.getResult(CertificateValidationCallback.java:38)
>> at com.sun.xml.wss.impl.DefaultSecurityEnvironmentImpl.validateCertificate(DefaultSecurityEnvironmentImpl.java:616)
>> at com.sun.xml.wss.filter.ImportCertificateTokenFilter.process(ImportCertificateTokenFilter.java:71)
>> at com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.processBinarySecurityToken(ExtendedProcessSecurityHeaderFilter.java:553)
>> at com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.processingHook(ExtendedProcessSecurityHeaderFilter.java:487)
>> at com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.process(ExtendedProcessSecurityHeaderFilter.java:83)
>> at com.sun.xml.wss.SecureCorrespondent.filterMessage(SecureCorrespondent.java:39)
>> at com.sun.xml.wss.SecureCorrespondent.filterMessageInContext(SecureCorrespondent.java:52)
>> at com.sun.xml.wss.SecurityRecipient.acceptHeaderElement(SecurityRecipient.java:56)
>> at com.sun.xml.rpc.security.SecurityPluginUtil.preHandlingHook(SecurityPluginUtil.java:312)
>> at jobrun.JobrunIF_Tie.preHandlingHook(JobrunIF_Tie.java:239)
>> at com.sun.xml.rpc.server.StreamingHandler.handle(StreamingHandler.java:102)
>> at com.sun.xml.rpc.server.http.JAXRPCServletDelegate.doPost(JAXRPCServletDelegate.java:443)
>> at com.sun.xml.rpc.server.http.JAXRPCServlet.doPost(JAXRPCServlet.java:102)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
>> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
>> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
>> at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
>> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
>> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
>> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
>> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:535)
>> at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
>> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
>> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
>> at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
>> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:790)
>> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:709)
>> at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:572)
>> at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:644)
>> at java.lang.Thread.run(Thread.java:595)
>> 27/04/2005 14:54:42
>> com.sun.xml.wss.filter.ImportCertificateTokenFilter process
>> SEVERE: WSS0156: Exception [ Certificate validation failed ] while
>> validating certificate
>> 27/04/2005 14:54:42 com.sun.xml.wss.filter.DumpFilter process
>> INFO: ==== Response Start ====
>> <?xml version="1.0" encoding="UTF-8"?>
>> <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
>> xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
>> xmlns:ns0="http://com.test/wsdl/MyJobrun"
>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
>> <env:Body>
>> <env:Fault>
>> <faultcode
>> xmlns:ans1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ans1:InvalidSecurityToken</faultcode>
>> <faultstring>Certificate validation failed</faultstring>
>> </env:Fault>
>> </env:Body>
>> </env:Envelope>
>> ==== Response End ====
>> ==============================================
>> I tried these certificates with an SSL connection and they worked
>> perfectly fine without any problem.
>> with regards,
>
>
>
> When you list your server-truststore you should see two entries
> similar to what is shown below. Does that happen?
>
>> > keytool -list -keystore server-truststore.jks
>> Enter keystore password: changeit
>>
>> Keystore type: jks
>> Keystore provider: SUN
>>
>> Your keystore contains 2 entries
>>
>> certificate-authority, Apr 12, 2005, trustedCertEntry,
>> Certificate fingerprint (MD5):
>> 3D:B5:3C:93:F5:65:D5:3D:B5:C5:2E:23:F5:2E:3A:E9
>> xws-security-client, Apr 12, 2005, trustedCertEntry,
>> Certificate fingerprint (MD5):
>> 58:5D:0A:BA:A0:FD:46:35:E4:89:C0:4B:92:BB:09:20
>
>
>
>>
>>
>> Jagan Kommineni
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_jax-rpc.dev.java.net
>> For additional commands, e-mail: users-help_at_jax-rpc.dev.java.net
>>
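The CA and client-certificate procedure quoted in the thread, together with the check that the server's validator is failing on, as an added example; it is not part of the thread and not JWSDP code. It reproduces the flow with openssl only: signing is done with `openssl x509 -req` instead of `openssl ca`, so no demoCA directory or openssl.cnf CA section is needed (key sizes, subject names, the `changeit` PKCS#12 password and the scratch directory are assumptions). It then answers the question behind `SunCertPathBuilderException: unable to find valid certification path`: does the trust anchor that was imported actually sign the certificate carried in the BinarySecurityToken? A second, stale CA is generated to show the failing case, and the CA's fingerprint is printed so it can be compared with what `keytool -list` reports for the `certificate-authority` entry. The JKS truststore import from the thread is repeated only when keytool is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post or from JWSDP.
# Rebuilds the CA -> client certificate flow from the thread with openssl
# alone, then verifies the chain against the CA that signed it and against
# a stale CA, which is the condition SunCertPathBuilder reports as
# "unable to find valid certification path to requested target".
# Assumptions (not from the thread): 2048-bit keys, CN-only subjects,
# "openssl x509 -req" for signing instead of "openssl ca", scratch dir WORK.

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME : self-signed CA, key in $WORK/NAME.key, cert in $WORK/NAME.crt
make_ca() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/$1.key" -days 365 \
        -subj "/CN=$1" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA NAME : key + CSR + CA-signed cert for NAME, plus the PKCS#12
# bundle that the thread feeds to pkcs12import.sh
issue_cert() {
    ca=$1; name=$2
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" \
        -out "$WORK/$name.req" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.req" -CA "$WORK/$ca.crt" \
        -CAkey "$WORK/$ca.key" -CAcreateserial -days 365 \
        -out "$WORK/$name.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
        -out "$WORK/$name.p12" -passout pass:changeit
}

# chain_ok CA NAME : exit 0 if NAME.crt chains to CA.crt, non-zero otherwise.
# This is the openssl equivalent of the CertPathBuilder call in the trace.
chain_ok() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# fingerprint NAME : SHA-256 fingerprint of NAME.crt, to compare with the
# value keytool -list prints for the same entry (use -md5 / -sha1 to match
# an older keytool such as the one in the thread)
fingerprint() {
    openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# build_truststore CA NAME : the server-truststore.jks from the thread,
# built non-interactively; skipped when keytool is not installed
build_truststore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping JKS step"; return 0; }
    rm -f "$WORK/server-truststore.jks"
    keytool -importcert -noprompt -alias certificate-authority -file "$WORK/$1.crt" \
        -keystore "$WORK/server-truststore.jks" -storepass changeit
    keytool -importcert -noprompt -alias xws-security-client -file "$WORK/$2.crt" \
        -keystore "$WORK/server-truststore.jks" -storepass changeit
    keytool -list -keystore "$WORK/server-truststore.jks" -storepass changeit
}

demo() {
    make_ca ca-new      # the CA that actually signs the client certificate
    make_ca ca-stale    # stands in for a leftover cacert.pem from an earlier run
    issue_cert ca-new xws-security-client
    if chain_ok ca-new xws-security-client; then
        echo "client cert chains to ca-new: OK"
    fi
    if ! chain_ok ca-stale xws-security-client; then
        echo "client cert does NOT chain to ca-stale: no valid certification path"
    fi
    echo "ca-new fingerprint (compare with keytool -list): $(fingerprint ca-new)"
    build_truststore ca-new xws-security-client
}

demo
```

Applied to the thread's own files: `openssl verify -CAfile demoCA/cacert.pem client.crt` must print `OK`, and the fingerprint of `demoCA/cacert.pem` must equal the fingerprint keytool shows for the `certificate-authority` entry in server-truststore.jks. The quoted import commands read `cacert.pem` from the working directory while the CA was written to `demoCA/cacert.pem`, so that comparison is the first thing to confirm.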