WS-security and policy file problem

Hello

I have two ESBs: one is the service provider, the other its gateway.

To enable WS-Security on the system, I enabled WS-Security on the gateway with the policy specified by 'policy_3.xml' from the examples.

The client sends a message including authentication data (username, password) to the gateway.

The gateway should remove the WS-Security header from the message and send it on to the provider. After reading the tutorial I think sample 100 is usable for this case; however, I have not found how the sample section should be placed / added! As a sequence, in the target definition, or...?

The other problem is related to the policy file.

My policy file looks like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --

<wsp:Policy
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="SecureMessagePolicy">

    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>alice</ramp:user>
        <ramp:encryptionUser>bob</ramp:encryptionUser>
        <ramp:passwordCallbackClass>samples.userguide.PWCallback</ramp:passwordCallbackClass>

        <ramp:signatureCrypto>
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">repository/conf/sample/resources/security/store.jks</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
            </ramp:crypto>
        </ramp:signatureCrypto>
        <!-- element name corrected from the misspelt "encryptionCypto" -->
        <ramp:encryptionCrypto>
            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">repository/conf/sample/resources/security/store.jks</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
            </ramp:crypto>
        </ramp:encryptionCrypto>
    </ramp:RampartConfig>

</wsp:Policy>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --

The gateway does the authentication correctly but sends a fault message back:

<soapenv:Fault>
    <faultcode>soapenv:MustUnderstand</faultcode>
    <faultstring>Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security</faultstring>
    <detail/>
</soapenv:Fault>

Could somebody give me a hint what should still be defined in the policy?

Thanks for your help.

Shadi

Hi Shadi

Refer to http://wso2.org/project/esb/java/1.6/docs/ESB_Samples_Setup.html#config for more information on how to start the sample configurations. (Basically you would just start the ESB as "./wso2-esb.sh -sample <n>" to start the sample <n> configuration.) You could also copy [complete] configurations from any of the samples on the page http://wso2.org/project/esb/java/1.6/docs/ESB_Samples.html and paste them into your ESB configuration by going to the configuration tab. Make sure to save the configuration for the changes to persist.

> <faultcode>soapenv:MustUnderstand</faultcode>

The above seems to be because the gateway did not understand WS-Security. Do you have a proxy service defined on the gateway? If so, check if WS-Security/Rampart is enabled under the QoS tab of the proxy service on which you encounter the above. Basically you need to engage WS-Security/Rampart as well as provide the policy.

Hope this helps.

asankha

 

Hi Asankha

> Do you have a proxy service defined on the gateway?

 

Yes! As well as on my ESB service provider.

In order to get the system to start up I made these changes:

- used the policy_1.xml file instead of the policy_3.xml file

- used the remove action in the inSequence part

It works now; however, I need to remove the WS-Security header from the "outgoing" message in the outSequence too. Is that possible?

 

Thanks

Shadi
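For readers who want to see the two pieces Shadi describes in one place (WS-Security engaged on the proxy, and the Security header removed in the inSequence before the message is forwarded), here is a proxy configuration written for this page. It is an added example, not taken from the thread or from the WSO2 samples; it follows the Apache Synapse configuration syntax that the WSO2 ESB of that version is built on, as the editor knows it. The proxy name, the backend endpoint URI, the WSDL location and the local entry key are placeholders, and the policy file path assumes the sample policies live next to the sample security resources mentioned in the thread.

```xml
<definitions xmlns="http://ws.apache.org/ns/synapse">

    <!-- The WS-Policy that Rampart enforces on this proxy. The path is an
         assumption for this example; point it at your own policy file. -->
    <localEntry key="sec_policy"
                src="file:repository/conf/sample/resources/policy/policy_3.xml"/>

    <!-- Placeholder proxy name. -->
    <proxy name="SecureGatewayProxy">
        <target>
            <inSequence>
                <!-- By the time mediation starts, Rampart has already validated the
                     wsse:Security header (this is what "engaging" security does, and
                     what avoids the MustUnderstand fault on the gateway itself).
                     Stripping the header here means the backend, which has no
                     WS-Security engaged, does not receive a mustUnderstand header it
                     cannot process and fault on it in turn. -->
                <header name="wsse:Security" action="remove"
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
                <send>
                    <endpoint>
                        <!-- Placeholder backend service URI. -->
                        <address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
                    </endpoint>
                </send>
            </inSequence>
            <outSequence>
                <!-- The backend reply carries no Security header of its own, so there
                     is nothing to remove here; the engaged policy is what governs how
                     the reply to the client is secured. -->
                <send/>
            </outSequence>
        </target>
        <!-- Placeholder WSDL location. -->
        <publishWSDL uri="file:repository/conf/sample/resources/proxy/sample_proxy_1.wsdl"/>

        <!-- Engages WS-Security/Rampart on the proxy with the policy above. This is
             the configuration-file equivalent of enabling security for the proxy
             in the console. -->
        <enableSec policy="sec_policy"/>
    </proxy>

</definitions>
```

The order matters for the defensive reading of the fault in this thread: the gateway must itself process (understand) the Security header, which `enableSec` provides, and only then remove it for the hop to the provider. A proxy that has the `header` remove mediator but no `enableSec` has not understood the header at all, and a compliant SOAP node is required to reply with exactly the `soapenv:MustUnderstand` fault shown above.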

 

Hi Shadi

> It works now; however, I need to remove the WS-Security header from the "outgoing" message in the outSequence too. Is that possible?

When WS-Security is engaged on a proxy, the WS-Policy used determines the policy for both incoming and outgoing messages. AFAIK you cannot yet state that only incoming requests should be secured and that outgoing messages (replies) should not be. This would be better answered on a WS-Security / Apache Rampart, Axis2 or WSAS forum.

asankha
