adding a wsse:security element to the SOAP header using policy and handler

Anu_K · February 16, 2016, 11:01pm

Anu K:

Hi,
I am on WM 9.6 and i have to add the wsse:security tag to the soap header. No encryption is needed and no certificates are exchanged and its a http call. How do i achieve this ? I tried to add the policy “Username_Signature” to the descriptor and provided user name and password, but that does not work. Below is what i need to add to the Soap Header. All that has to be sent is the username and password named “test” in the example below.
<soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
         <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1">
            <wsse:Username>test</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
        </wsse:UsernameToken>
    </wsse:Security>
</soap:Header>

Lukasz_Konkol · June 13, 2018, 9:16am

Small description of the problem and how we have solved it:

1st of all – we have had problem
com.wm.app.b2b.server.ServiceException: org.apache.axis2.AxisFault: Peer sent alert: Alert Fatal: unexpected message
We’ve been focusing on https certificates. I’ve tried to configure multiple things like auth/transport/serverCerts/privateKey, auth/transport/serverCerts/certChain, auth/message/partnerCert etc.

We have had recently similar issue on Itella connection and there we have had 2 errors:
com.wm.app.b2b.server.ServiceException: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure
And when we have used not valid certificate:
com.wm.app.b2b.server.ServiceException: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: decrypt error

For Itella it was cause due to authentication problem. They are only allowing users with register keys to authenticate.

In here we have had different problem. I’ve been searching for unexpected message error, but I couldn’t find anything.
Finally I’ve notice that they are using TSL 1.2 and that was the problem. The only thing that we needed to change is one variable in the webservice connector when we are invoking pub.client:soapClient. There is useJSSE parameter that by default is not set and then by default it is using TSL 1.0. Only what we needed to do is to change it to yes and then it was working.

As the MZ was always working without user/password we though it would be good to introduce this as we already done some changes there. So Edgar has enabled it on his side… and here was new problem. Error that we’ve got is:
Soap fault code: ns1:SecurityError
Soap fault string: A security error was encountered when verifying the message

We’ve got same from SoapUI … and then Edgar told that after he has changed WSS-Password Type to PasswordText it was working fine from SoapUI.

I’ve notice that in that case SopaUI is generating Soap Header:
soapenv:Header
<wsse:Security soapenv:mustUnderstand=“1” xmlns:wsse=“http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd” xmlns:wsu=“http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd”>
<wsse:UsernameToken wsu:Id=“UsernameToken-F59E28CD405D48E2A715288733021296”>
wsse:Usernametip_sender</wsse:Username>
<wsse:Password Type=“http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText”>Testme1!</wsse:Password>
<wsse:Nonce EncodingType=“http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary”>kNfRe+a/AXrcft6gz9tvzw==</wsse:Nonce>
wsu:Created2018-06-13T07:01:42.127Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>

I’ve seen that before in some cases – and I know that we need to apply policies to the webservice to get it. However I wasn’t able to find any example in current version. Seems like we have used that before only.
Also I wasn’t able to find “Policies tab” in webservice descriptor … I’ve spend some time for that. I was looking at views, properties etc … couldn’t see it. Finally after I’ve almost gave up I’ve notice that there are on the bottom tabs like operation, binders, header and … policies ?
Unfortunately, by default SAG is not providing policy with PasswordText and the old one that we used to have – hasn’t been working anymore.

Finally based on the old policies and changing new one – I’ve created new policy that finally was working. However I’ve had one more error for which I wasn’t able to find any solution in empower:
(IS.SERVER) [ISC.0077.9998] 2018-06-12 18:40:00.007 ERROR: Exception → org.apache.axis2.AxisFault: No user value in the rampart configuration policy

That is not documented anywhere …
The issue is that in this case we need to map user and password into auth/message instead of auth/transport. After that finally I’ve got success answer

I’m writing this to document what has been done, what issues we have had and how it has been resolved – just in case someone in future will have similar issues.
The policies files that I’ve created:
<wsp:Policy wsu:Id=“Username_PasswordText” Name=“Username_PasswordText” xmlns:wsu=“http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd” xmlns:wsp=“Web Services Policy Framework (WS-Policy) and Web Services Policy Attachment (WS-PolicyAttachment)”>
wsp:ExactlyOne
wsp:All
<sp:SignedSupportingTokens xmlns:sp=“XML Namespace Document for WS-Security-Policy 1.2”>
wsp:Policy
<sp:UsernameToken sp:IncludeToken=“http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient” PasswordType=“Text”/>
</wsp:Policy>
</sp:SignedSupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

The policies are not located under / config/wss/policies
In previous version it was under /config/policy

After adding policies – the server doesn’t need to be restarted. It is checking that automatically.