adding a wsse:security element to the SOAP header using policy and handler

Small description of the problem and how we have solved it:

  1. 1st of all – we have had problem org.apache.axis2.AxisFault: Peer sent alert: Alert Fatal: unexpected message
    We’ve been focusing on https certificates. I’ve tried to configure multiple things like auth/transport/serverCerts/privateKey, auth/transport/serverCerts/certChain, auth/message/partnerCert etc.

We have had recently similar issue on Itella connection and there we have had 2 errors: Peer sent alert: Alert Fatal: handshake failure
And when we have used not valid certificate: Peer sent alert: Alert Fatal: decrypt error

For Itella it was cause due to authentication problem. They are only allowing users with register keys to authenticate.

In here we have had different problem. I’ve been searching for unexpected message error, but I couldn’t find anything.
Finally I’ve notice that they are using TSL 1.2 and that was the problem. The only thing that we needed to change is one variable in the webservice connector when we are invoking pub.client:soapClient. There is useJSSE parameter that by default is not set and then by default it is using TSL 1.0. Only what we needed to do is to change it to yes and then it was working.

  1. As the MZ was always working without user/password we though it would be good to introduce this as we already done some changes there. So Edgar has enabled it on his side… and here was new problem. Error that we’ve got is:
    Soap fault code: ns1:SecurityError
    Soap fault string: A security error was encountered when verifying the message

We’ve got same from SoapUI … and then Edgar told that after he has changed WSS-Password Type to PasswordText it was working fine from SoapUI.

I’ve notice that in that case SopaUI is generating Soap Header:
<wsse:Security soapenv:mustUnderstand=“1” xmlns:wsse=“” xmlns:wsu=“”>
<wsse:UsernameToken wsu:Id=“UsernameToken-F59E28CD405D48E2A715288733021296”>
<wsse:Password Type=“”>Testme1!</wsse:Password>
<wsse:Nonce EncodingType=“”>kNfRe+a/AXrcft6gz9tvzw==</wsse:Nonce>

I’ve seen that before in some cases – and I know that we need to apply policies to the webservice to get it. However I wasn’t able to find any example in current version. Seems like we have used that before only.
Also I wasn’t able to find “Policies tab” in webservice descriptor … I’ve spend some time for that. I was looking at views, properties etc … couldn’t see it. Finally after I’ve almost gave up I’ve notice that there are on the bottom tabs like operation, binders, header and … policies ?
Unfortunately, by default SAG is not providing policy with PasswordText and the old one that we used to have – hasn’t been working anymore.

Finally based on the old policies and changing new one – I’ve created new policy that finally was working. However I’ve had one more error for which I wasn’t able to find any solution in empower:
(IS.SERVER) [ISC.0077.9998] 2018-06-12 18:40:00.007 ERROR: Exception → org.apache.axis2.AxisFault: No user value in the rampart configuration policy

That is not documented anywhere …
The issue is that in this case we need to map user and password into auth/message instead of auth/transport. After that finally I’ve got success answer

I’m writing this to document what has been done, what issues we have had and how it has been resolved – just in case someone in future will have similar issues.
The policies files that I’ve created:
<wsp:Policy wsu:Id=“Username_PasswordText” Name=“Username_PasswordText” xmlns:wsu=“” xmlns:wsp=“”>
<sp:SignedSupportingTokens xmlns:sp=“XML Namespace Document for WS-Security-Policy 1.2”>
<sp:UsernameToken sp:IncludeToken=“” PasswordType=“Text”/>

The policies are not located under / config/wss/policies
In previous version it was under /config/policy

After adding policies – the server doesn’t need to be restarted. It is checking that automatically.