WS-Security X509 Certificate Token WebMethods 8.2

Hi Everyone,

I am developing one service in webMethods 8.2 environment which invokes webservice of BackEnd system.
This BackEnd has secure communications using standard WS-Security implementation X509 Certificate Token Profile, so for each call is necessary to sign the SOAP message using the given certificate.
While invoking webservice via the connector in webMethods we are getting error “[ISS.0088.9431] Handler processing failed on the consumer: com.webMethods.ws.security.SecurityException: Request does not contain required Security header: [{XML-Signature Syntax and Processing}Signature]” whereas when I invoke same webservice in soapUI after setting a keyStore and adding an Outgoing WS-Security Configuration, and this properties for the signature:

it is providing correct response set by the partner.
This is the soapUI Request header which works:

   <soapenv:Header>
	   <wsse:Security soapenv:mustUnderstand="1" 
				xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
		   <ds:Signature Id="SIG-498759834758937985739847589375787" 
					xmlns:ds="http://www.w3.org/2000/09/xmldsig#">			
				<ds:SignedInfo>
					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
						<ec:InclusiveNamespaces PrefixList="ct doc doc1 elec soapenv" 
								xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</ds:CanonicalizationMethod>
					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
					<ds:Reference URI="#id-875983478957983458743875983745794">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<ec:InclusiveNamespaces PrefixList="ct doc doc1 elec" 
														xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
							</ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
						<ds:DigestValue>·$543Pff344/PHAgf034jr4=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>U+L/5348795834798573984579257983257983478593924857983/iu4o5y435375f87b357g23402g3b6
			413iyn963169yfyf//9ZMvEiRWFMyRtGlhGrhjWdrBb/t0V4BHstHAxPOSS+BxB7zpqXFw
			goGtkshEDAKwo0eE7XM=</ds:SignatureValue>
				<ds:KeyInfo Id="KI-234567834095043503451109AB893474">
					<wsse:SecurityTokenReference wsu:Id="STR-234234235834978AB324774423423464">
						<ds:X509Data>
							<ds:X509IssuerSerial>
								<ds:X509IssuerName>CN=keystoreuser</ds:X509IssuerName>
								<ds:X509SerialNumber>1231654565</ds:X509SerialNumber>
							</ds:X509IssuerSerial>
						</ds:X509Data>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
		</wsse:Security>
	</soapenv:Header>

Could anyone please let me know what setting I need to change in webMethods to access same result in Designer?

I tried setting auth/message/serverCerts/keyStoreAlias and auth/message/serverCerts/keyAlias values in the connector.

I tried too with option setting handler in webService consumer as “WS Security Handler” having different policies including “Consumer policy for Signature, Auth” but it throwing this error:

[ISS.0088.9431] Handler processing failed on the consumer: com.webMethods.ws.security.SecurityException: Request does not contain required Security header: [{XML-Signature Syntax and Processing}Signature]

IS Version:8.2.2.0
LatestFix::IS_8.2_SP2_Core_Fix12

Any help would be much appreciated.

Regards,
Diego

Did you try to configure a consumer type Endpoint Alias?
Once created, assign it to the WS descriptor binder settings.
Did you assign a proper policy in WS descriptor ?

HTH,

Yes I tried to configure a consumer type Endpoint Alias but I have the same result.
How I can Assign a proper policy in WS descriptor?

Thanks and regards,
Diego

Hello again!

I have tried with custom WS-SecurityPolicy policies. First I modified “X509 Authentication and Signature”:

<wsp:Policy wsu:Id="BackEnd_X509Authentication_Signature_V3" Name="BackEnd X509 Authentication and Signature V3"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                  <sp:RequireIssuerSerialReference />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                  <sp:RequireIssuerSerialReference />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:TripleDesRsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>

          <sp:ProtectTokens />
          
          <sp:OnlySignEntireHeadersAndBody />
          
        </wsp:Policy>
      </sp:AsymmetricBinding>

      <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <sp:Policy>
              <sp:MustSupportRefKeyIdentifier/>
              <sp:MustSupportRefIssuerSerial/>
              <sp:MustSupportRefThumbprint/>
              <sp:RequireSignatureConfirmation/>
          </sp:Policy>
      </sp:Wss11>
      <sp:Wss10 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <sp:Policy>
              <sp:MustSupportRefKeyIdentifier/>
              <sp:MustSupportRefIssuerSerial/>
          </sp:Policy>
      </sp:Wss10>

      <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <sp:Body />
      </sp:SignedParts>

    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

I change <sp:WssX509PkiPathV1Token10 /> to <sp:RequireIssuerSerialReference /> (Initiator and Recipient Token)

I get this error from backEnd:
An error was discovered processing the wsse:Security header.

Then I delete the <sp:IncludeTimestamp /> (BackEnd system does not require TimeStamp), and i get this error message from webMethods: SOAP header missing
Any ideas?

Thanks and regards!
Diego

Solved!
Using X509 Authentication Signature policy, IS expects the response SOAP message to have a security header. If it does not receive one, it may complain of the missing security header: SOAP Header Missing.
In 8.2.2 IS only allows attachment of policies at the service level, so it is not possible to selectively enable security for input/output/faults.
If you want to enable security only for input/request, you should attach the security policy to ?wsdl:binding/wsdl:operation/wsdl:input.

For example:

<wsdl:input> 
<wsp:PolicyReference URI="#X509Policy" 
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" />
<soap:body parts="parameters" use="literal" /> 
</wsdl:input> 
<wsdl:output> 
<soap:body parts="parameters" use="literal" /> 
</wsdl:output> 
</wsdl:operation> 
</wsdl:binding>

It worked for me!

Thanks all and regards!
Diego

At least in 9.6, in Designer, when you assign policy, there are checkbox of Input, Output, Fault, where you can enable/disable policy for separately.

Hi,

I need to implement ws-security for request only. I have a consumer created and need to assign the policy only to request and not for response.

I tried following Diego’s last post, but I am getting error as: Malformed Policy Reference URI.

How can I achieve this ?

IS version: 8.2

Regards,
Hitesh

Also where do I exactly need to make these changes for assigning policy only to requests ?

1 Like

Hello Hitesh,

Have you placed the policy in the consumer´s wsdl descriptor?
For example, in the wsdl that you import in designer you should place the Policy (inside the wsdl:definitions tag)

	<!--WS-Policy -->
	<wsp:Policy wsu:Id="YourPolicyDesiredName">
		<wsp:ExactlyOne>
			<wsp:All>
				<sp:AsymmetricBinding>
               ..........................................
	</wsp:Policy>

And inside your request operation:

		<wsdl:operation name="yourOperationName">
			<soap:operation soapAction="" style="document"></soap:operation>
			<wsdl:input name="yourInputOperationName">
				<wsp:PolicyReference URI="#YourPolicyDesiredName"
					xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" />
				<soap:body use="literal"></soap:body>
----------------------------------

Regards,
Diego

Hi Diego,

Thanks for the timely response.

Can you share sample file with me if possible for you ?

I tried adding policy file content from IS Built in Policy which we want to apply and placed it in WSDL file. And then added the policy reference as well. But I am still getting same error.

Do I need to add anything more ?

Hi Hitesh,

Sorry I can’t share with you the WSDL because contains confidential data and i am not allowed.

Be sure to put the # before your policy’s name. For example:

<wsp:PolicyReference URI=“#YourPolicyDesiredName
xmlns:wsp=“Web Services Policy Framework (WS-Policy) and Web Services Policy Attachment (WS-PolicyAttachment)” />

<wsp:Policy wsu:Id=“YourPolicyDesiredName”>

And the Policy must be inside the wsdl:definitions tag

wsdl:definitions

<wsp:Policy wsu:Id=“YourPolicyDesiredName”>
</wsdl:definitions>

Another option you can take is to paste directly the Policy inside the input of the operation you want to apply the Policy. For example:

<wsdl:input name=“yourInputOperationName”>
PAste xml policy File here!
<soap:body use=“literal”></soap:body>

Regards,
Diego

Thanks Diego,

Pasting file directly helped. Now we have different error:
WSSecurityEngine: No crypto property file supplied for decryption
I am searching the cause of this errror.

When we consumed the webService through Soap UI we had implemented Username authorization and Signature. Thus I made use of Username_Signature policy.

Have you encountered this error before ?

thanks in Advance.

Regards,
Hitesh

Hi Hitesh,

In my case i used: X509 Authentication and Signature.
Are you passing auth/message/user and auth/message/pass (If needed) and keystoreAlias parameters (If needed) in the IS request to ws?

You should check if webService response header or body is encypted. In this case, you must apply the policy to the reponse to.

When I was testing this issue i compare request that you use with soapUI with the request that IS generate. In soapUI you can see real request with headers in the RAW View.
In IS you should configure a Proxy or similar to see the complete Request that you are sending to the WebService.
Once you have two Request (soapUI and IS) you can compare them and see the differences.

Regards,
Diego

Hi,

I am able to get a response from SOAPUI using below Outgoing Ws-security configuration.

Key Identifier Type: Binary Security Token
Signature Algorithm: XML-Signature Syntax and Processing
Signature Canonicalization: Exclusive XML Canonicalization Version 1.0
Digest Algorithm: XML-Signature Syntax and Processing
Use Single Certificate: Use single certificate for singing (Checked)

But I am not able to get the response in webMethods, I am using X509Authentication_Signature.policy for now.

Could anyone please advise what changes I need to make in the policy file In order to get the similar response from Web Methods.

Kind Regards
Vikash

Vikas – Can you please share your error logs or any statements which can give us some hints.

THanks,

Can you plz also share your wM environment with fix levels ?

Thanks,

unfortunately the error message doesnt say much…

code
namespaceName http://schemas.xmlsoap.org/soap/envelope/
localName Server
reasons
reasons[0]
*body 111008
detail
ns1:ROSFaultDetail

111008 is a customized error code ,which Indicates
111008 Internal system error has occurred when processing the WS request.

My Policy is as below:

<wsp:Policy wsu:Id=“X509Authentication_Signature_SHA256” Name=“Custom X509 Authentication and Signature SHA256” xmlns:wsu=“http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd” xmlns:wsp=“Web Services Policy Framework (WS-Policy) and Web Services Policy Attachment (WS-PolicyAttachment)”>
wsp:ExactlyOne
wsp:All
<sp:AsymmetricBinding xmlns:sp=“XML Namespace Document for WS-Security-Policy 1.2”>
wsp:Policy
sp:InitiatorToken
wsp:Policy
<sp:X509Token sp:IncludeToken=“http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient”>
wsp:Policy
sp:WssX509V3Token10/

</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
sp:RecipientToken
wsp:Policy
<sp:X509Token sp:IncludeToken=“http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient”>
wsp:Policy
sp:WssX509V3Token10/

</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
sp:AlgorithmSuite
wsp:Policy
sp:Basic256/

</wsp:Policy>
</sp:AlgorithmSuite>
sp:Layout
wsp:Policy
sp:Strict/
</wsp:Policy>
</sp:Layout>
sp:IncludeTimestamp/
sp:ProtectTokens/
sp:OnlySignEntireHeadersAndBody/
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11 xmlns:sp=“XML Namespace Document for WS-Security-Policy 1.2”>
wsp:Policy

sp:MustSupportRefIssuerSerial/
sp:MustSupportRefThumbprint/
sp:RequireSignatureConfirmation/
</wsp:Policy>
</sp:Wss11>
<sp:Wss10 xmlns:sp=“XML Namespace Document for WS-Security-Policy 1.2”>
wsp:Policy

sp:MustSupportRefIssuerSerial/
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp=“XML Namespace Document for WS-Security-Policy 1.2”>
sp:Body/
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

Version 9.5.1.0
Updates TNS_9.5_SP1_Fix6
IS_9.5_SP1_Core_Fix8

Vikash – PFA sample file and compare your’s with mine. See any issues with your’s.

Thanks,

Policy.txt (4.67 KB)