I followed the following steps for creating keystore and truststores
for clients and services to replace to those of standard certificates
came along with jwsdp-1.5 distribution.
=============================================================
Creating my own CA
===================
mkdir demoCA
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
touch demoCA/serial
echo "01" > demoCA/serial
openssl req -x509 -newkey rsa:512 -keyout demoCA/private/cakey.pem -out
demoCA/cacert.pem -passout pass:capass
------------------------------------------------------------------------------
Client side keystore
===============
keytool -genkey -alias xws-security-client -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/client-keystore.jks -keyalg rsa
-dname "CN=xws-security-client, OU=NA, O=NA, L=NA, S=NA, C=NA"
-storepass changeit -keypass changeit
keytool -certreq -alias xws-security-client -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/client-keystore.jks -storepass
changeit -keypass changeit -file
/home/jagan/jwsdp-1.5/xws-security/etc/client.csr
openssl ca -in /home/jagan/jwsdp-1.5/xws-security/etc/client.csr -out
/home/jagan/jwsdp-1.5/xws-security/etc/client.crt -notext -passin
pass:capass
keytool -import -trustcacerts -alias certificate-authority -file
demoCA/cacert.pem -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/client-keystore.jks -storepass
changeit
keytool -import -trustcacerts -file
/home/jagan/jwsdp-1.5/xws-security/etc/client.crt -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/client-keystore.jks -storepass
changeit -alias xws-security-client
==============================================================
Server side keystore
==============
keytool -genkey -alias s1as -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/server-keystore.jks -keyalg rsa
-dname "CN=xws-security-server, OU=NA, O=NA, L=NA, S=NA, C=NA"
-storepass changeit -keypass changeit
keytool -certreq -alias s1as -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/server-keystore.jks -storepass
changeit -keypass changeit -file
/home/jagan/jwsdp-1.5/xws-security/etc/server.csr
openssl ca -in /home/jagan/jwsdp-1.5/xws-security/etc/server.csr -out
/home/jagan/jwsdp-1.5/xws-security/etc/server.crt -notext -passin
pass:capass
keytool -import -trustcacerts -alias certificate-authority -file
demoCA/cacert.pem -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/server-keystore.jks -storepass
changeit
keytool -import -trustcacerts -file
/home/jagan/jwsdp-1.5/xws-security/etc/server.crt -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/server-keystore.jks -storepass
changeit -alias s1as
==============================================================
Server side trusted .....
==============
keytool -import -trustcacerts -alias certificate-authority -file
demoCA/cacert.pem -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/server-truststore.jks -storepass
changeit
keytool -import -trustcacerts -file
/home/jagan/jwsdp-1.5/xws-security/etc/client.crt -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/server-truststore.jks -storepass
changeit -alias xws-security-client
==========================================================================
Client side trusted
keytool -import -trustcacerts -alias certificate-authority -file
demoCA/cacert.pem -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/client-truststore.jks -storepass
changeit
keytool -import -trustcacerts -file
/home/jagan/jwsdp-1.5/xws-security/etc/server.crt -keystore
/home/jagan/jwsdp-1.5/xws-security/etc/client-truststore.jks -storepass
changeit -alias s1as
===============================================================
When I have run sample application (simple) by selecting configuration
files for service and client
server.security.config=config/sign-server.xml,
client.security.config=config/sign-client.xml.
I got the following message on clinet side
---------------------------------------------------------------------------------
[java] <faultcode
xmlns:ans1="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ans1:InvalidSecurityToken</faultcode>
[java] <faultstring>Certificate validation failed</faultstring>
[java] </env:Fault>
---------------------------------------------------------------------------------------
When I look at the tomcat5.0 log file
(~/tomcat50-jwsdp/logs/launcher.server.log),
=====================================================
<ns0:Ping>
<ns0:ticket>SUNW</ns0:ticket>
<ns0:text>Hello !</ns0:text>
</ns0:Ping>
</env:Body>
</env:Envelope>
==== Received Message End ====
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at
com.sun.xml.wss.sample.SecurityEnvironmentHandler$X509CertificateValidatorImpl.validate(SecurityEnvironmentHandler.java:552)
at
com.sun.xml.wss.impl.callback.CertificateValidationCallback.getResult(CertificateValidationCallback.java:38)
at
com.sun.xml.wss.impl.DefaultSecurityEnvironmentImpl.validateCertificate(DefaultSecurityEnvironmentImpl.java:616)
at
com.sun.xml.wss.filter.ImportCertificateTokenFilter.process(ImportCertificateTokenFilter.java:71)
at
com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.processBinarySecurityToken(ExtendedProcessSecurityHeaderFilter.java:553)
at
com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.processingHook(ExtendedProcessSecurityHeaderFilter.java:487)
at
com.sun.xml.wss.filter.ExtendedProcessSecurityHeaderFilter.process(ExtendedProcessSecurityHeaderFilter.java:83)
at
com.sun.xml.wss.SecureCorrespondent.filterMessage(SecureCorrespondent.java:39)
at
com.sun.xml.wss.SecureCorrespondent.filterMessageInContext(SecureCorrespondent.java:52)
at
com.sun.xml.wss.SecurityRecipient.acceptHeaderElement(SecurityRecipient.java:56)
at
com.sun.xml.rpc.security.SecurityPluginUtil.preHandlingHook(SecurityPluginUtil.java:312)
at
simple.PingPort_Ping_Tie.preHandlingHook(PingPort_Ping_Tie.java:309)
at
com.sun.xml.rpc.server.StreamingHandler.handle(StreamingHandler.java:102)
at
com.sun.xml.rpc.server.http.JAXRPCServletDelegate.doPost(JAXRPCServletDelegate.java:443)
at
com.sun.xml.rpc.server.http.JAXRPCServlet.doPost(JAXRPCServlet.java:102)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at
javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at
org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:790)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:709)
at
org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:572)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:644)
at java.lang.Thread.run(Thread.java:595)Apr 7, 2005 3:56:19 PM
com.sun.xml.wss.filter.ImportCertificateTokenFilter processSEVERE:
WSS0156: Exception [ Certificate validation failed ] while validating
certificate
Apr 7, 2005 3:56:19 PM com.sun.xml.wss.filter.DumpFilter process
=============================================================
when I comment out the following line of code
// PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
builder.build(parameters);
in the
jwsdp-1.5/xws-security/samples/simple/src/com/sun/xml/wss/sample/SecurityEnvironmentHandler.java
the code runs without any error message.
I think it is something relating to dveloping the certificate chain.
Could any one have some advise?
Waiting for response,
with regards,
Jagan Kommineni