
axis wss4j client signature cert problem WSE590

tedx - 26 Jul 2006 21:27 GMT
Can anyone help me to understand the following exception? I've verified
that my self-signed public key is installed in Local Computer/Trusted
People, which is what I've specified in my policy files as the location
of my client certificates. That said, I'm not sure what other possible
problems to look at.

< Status: Error calling JWSSMessage web service at
https://192.168.25.20:443/JWSSMsgService/JWSSMsgService.asmx.
System.Web.Services.Protocols.SoapHeaderException: Server unavailable,
please try later ---> System.ApplicationException: WSE841: An error
occured processing an outgoing fault response. --->
System.Web.Services.Protocols.SoapHeaderException: Referenced security
token could not be retrieved ---> WSE590: Failed to resolve the
following Key Info <KeyInfo Id="KeyId-30831739"
xmlns="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">A7dko6gk50Yi62eSPFfVd8yq9YI=</wsse:KeyIdentifier></wsse:SecurityTokenReference></KeyInfo>.

Pablo Cibraro [MVP] - 27 Jul 2006 15:31 GMT
Hi Tedx,

Who is throwing that exception, WSE or WSS4j?
If it is WSE, it is not able to find the X509 Certificate with the
Subject key A7dko6gk50Yi62eSPFfVd8yq9YI=
Perhaps it is looking for that certificate in another store; you have to
check that in the policy file.

I am not sure how WSS4j looks for the certificates.

tedx - 27 Jul 2006 16:57 GMT
The trace clearly shows that the exception is thrown by WSE. In my
web.config x509 element I set storeLocation to LocalMachine and
verificationMode to TrustedPeopleOnly, which I take to mean that WSE
will look in LocalMachine/TrustedPeople for the matching certificate. I
have verified that my client's public key cert is in
LocalMachine/TrustedPeople.

Pablo Cibraro [MVP] - 27 Jul 2006 19:26 GMT
What WSE version are you using?

Thanks
Pablo.

tedx - 28 Jul 2006 15:59 GMT
I had to use DirectReference in my Java client wsdd file for the
signatureKeyIdentifier. But I have a question about this: since I'm
including a full copy of the client certificate public key, will WSE
still check that this cert also exists in my TrustedPeople store?

Pablo Cibraro [MVP] - 31 Jul 2006 14:53 GMT
Hi,

That depends on the verificationMode setting configured in the WSE section
(web.config).

<microsoft.web.services3>
 <security>
   <x509 verificationMode="TrustedPeopleOrChain" />
 </security>
</microsoft.web.services3>

The verificationMode gives the user the ability to choose whether they want to
allow the TrustedPeople store to be searched before doing chain verification.
It has three options: TrustedPeopleOnly, ChainOnly and TrustedPeopleOrChain.
If it is TrustedPeopleOnly, then the server will only match the incoming
certificate with the certificate in the Trusted People store. If it is
ChainOnly, then the server will try to build a trusted certificate chain and
do the verification. If it is TrustedPeopleOrChain, then the server will trust
the certificate if either one succeeds. The default is TrustedPeopleOrChain.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

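An added diagnostic example, not part of the original thread and not WSE's own lookup code: it decodes the Base64 KeyIdentifier from the WSE590 fault and lists which certificates in a store carry a matching Subject Key Identifier extension. The default store path is taken from tedx's description (LocalMachine/TrustedPeople); the parameter names are assumptions made for this sketch.

```powershell
# Added example: compare the KeyIdentifier from a WSE590 fault with the
# SubjectKeyIdentifier extension of each certificate in a Windows store.
# It only inspects the store; it does not reproduce WSE's token resolution.
param(
    # Base64 value copied from the <wsse:KeyIdentifier> element in the fault
    [string]$KeyIdentifierBase64 = 'A7dko6gk50Yi62eSPFfVd8yq9YI=',
    # Store to inspect (assumption: the store named in the thread)
    [string]$StorePath = 'Cert:\LocalMachine\TrustedPeople'
)

# The fault carries the identifier as Base64; .NET exposes the extension as hex.
$bytes  = [Convert]::FromBase64String($KeyIdentifierBase64)
$wanted = [BitConverter]::ToString($bytes) -replace '-', ''

$report = foreach ($cert in Get-ChildItem -Path $StorePath) {
    # .NET returns a typed object for the SKI extension (OID 2.5.29.14) when present
    $ext = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]
    }
    $ski = if ($ext) { $ext.SubjectKeyIdentifier } else { $null }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Version    = $cert.Version      # X.509 v1 certificates cannot carry extensions
        SkiHex     = if ($ski) { $ski } else { '(no SKI extension)' }
        Matches    = ($ski -eq $wanted)
    }
}

$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.Matches })) {
    Write-Warning "No certificate in $StorePath carries SubjectKeyIdentifier $wanted"
}
```

Run it on the server hosting the .asmx endpoint, from an account that can read the LocalMachine store; pass `-StorePath` to inspect a different store named in the policy file.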
