Question using Rampart with Ruby web service client
I am trying to design a web service client in Ruby to receive SOAP responses, using WSF Ruby as the underlying framework for the client to send SOAP requests. Now, I am able to generate valid SOAP request messages and received valid SOAP response messages, assuming that I have disabled security/Rampart on the server end. Ideally, Rampart will be enabled on the server end. I have tried looking in the samples, but am unsure about this. So, here is my question: which client sample represents a situation where I want to secure a SOAP request message through using a username and a token/key, where both are specified as strings and not retrieved from a file or certificate? Thanks!
Re: Question using Rampart with Ruby web service client
Hi el2king,
Please have a look at the complete_scenario.rb under samples/consumer/security/complete directory. It has almost everything you asked for.
Also it is possible to specify parameters, as strings instead of using a file to load it.
regards,
Janapriya.
Re: Question using Rampart with Ruby web service client
I have tried that, but I am only seeing the To, Action, and MessageId tags in the SOAP header from my request messages. I don't see any other security tags. Also, I want to test without using an external policy file first, but nothing is working. Is it expected right now that I don't get any security headers, or is there something else that needs to be called to activate security on the client end that the samples don't show? Thanks!
Re: Question using Rampart with Ruby web service client
You should find security headers once you execute the samples. Could you run the above sample and attach the trace from TCPMon?
regards,
Janapriya
Re: Question using Rampart with Ruby web service client
Here is the trace from the above sample (for both traces, I am blurring out the wsa:To value):
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:To>xxxx</wsa:To>
<wsa:Action>http://php.axis2.org/samples/echoString</wsa:Action>
<wsa:MessageID>02d0bbb6-fb59-1dc1-39c4-000c29f7e821</wsa:MessageID>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="CertID-02d19f4a-fb59-1dc1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">...</wsse:BinarySecurityToken>
<wsu:Timestamp wsu:Id="SigID-02d1a594-fb59-1dc1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2008-03-26T17:21:03.219Z</wsu:Created>
<wsu:Expires>2008-03-26T17:26:03.219Z</wsu:Expires>
</wsu:Timestamp>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">Xeg55vRyK3ZhAEhEf+YT0z986L0=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>Qen07MQFIDAKJQ33owQSvo8msZ84URqYj9LrL5jS/X5VkV3z5DuPKxWGkjEuBBslvrJwsFv2XVw/W2ITYUYOCsWcQdN4SSW1RQalXFTxpju/J3G04X99qJAyP63Ak4iDYSeMuEY1lO6iidtvCM7vjRifJKmEyddxtea4ojm9h/o=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:DataReference URI="#EncDataID-02d383be-fb59-1dc1"/>
<xenc:DataReference URI="#EncDataID-02d3bb90-fb59-1dc1"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Id="EncDataID-02d3bb90-fb59-1dc1" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="SigID-02d1a2f6-fb59-1dc1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Id="EncDataID-02d383be-fb59-1dc1" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>grK7dj6JMBkY9JViaxitL+i5IUsTr9jKmEntppXH8bzp3JoCEPskYbkp5eltb8C5jlOakCRGtsOz0KaKgaJyg84g9CRw0sUbI587Gec2Ue58PSurIH5GqnNvkFU3ttz92/Y2zXAR+FtnE1bhl1Bz7Q==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
So, I guess for the above sample, I am able to generate security tag headers. Of course, this uses a policy.xml file. Here is a trace without using a policy.xml file:
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:To>xxxx</wsa:To>
<wsa:Action>http://php.axis2.org/samples/echoString</wsa:Action>
<wsa:MessageID>72d4fb34-fb59-1dc1-2a7c-000c29f7e821</wsa:MessageID>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>PcKJ+0puLhIxqGKwIFswI7OwYnHLa995hkgnw5W9iFMu7b+92Wbxi0jgSGJ/3xOLRYCyOkKAjIC6v7Mo+PtIWVjlJ5KqIOFqRUgHhq5FenIQFNl+x3tXsVGn6Mh77f+clIUAi9CZQQKwssDQRQ0eJG3buWdMS1dJw7whOQ0BVlY=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:DataReference URI="#EncDataID-72d5a2dc-fb59-1dc1"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Id="EncDataID-72d5a2dc-fb59-1dc1" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>H4L8C8rYulUdPf4gpxjeLUcBgE7fTKxItwN6kRL7XOkrPHDaaW/k9Ca1TJP1UjFDmJ/EwFtWV4/CgPesTCn3VJfw7qxXGMiizPHYFSpBf3HrocvDvnkWMWiZHcBr/O/o8mWEe8Ij+BRQDJwZpr0dQw==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
I just don't understand why I can't see these security headers when I am designing my own client. Any thoughts on what I may be missing?
Thanks,
Edward
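A way to check traces like the two above, added here as an example (it is not code from the thread or from WSF Ruby): it parses an envelope with REXML and reports which WS-Security elements are present and whether every xenc:DataReference resolves to an EncryptedData element in the message. The two envelopes are constructed samples modelled on the traces, with placeholder cipher values.

```ruby
require 'rexml/document'
# Namespaces of WS-Security 1.0, its utility schema, XML Encryption and XML Signature.
NS = {
  "wsse" => "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
  "wsu"  => "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
  "xenc" => "http://www.w3.org/2001/04/xmlenc#",
  "ds"   => "http://www.w3.org/2000/09/xmldsig#"
}
# Report which WS-Security constructs an envelope carries and whether every
# xenc:DataReference in the EncryptedKey resolves to an xenc:EncryptedData
# element that is really present in the message.
def security_summary(xml)
  doc = REXML::Document.new(xml)
  sec = REXML::XPath.first(doc, "//wsse:Security", NS)
  summary = { security_header: !sec.nil?, timestamp: false, signature: false, encrypted_key: false,
              key_algorithm: nil, data_algorithms: [], unresolved_refs: [] }
  return summary if sec.nil?
  summary[:timestamp] = !REXML::XPath.first(sec, "wsu:Timestamp", NS).nil?
  summary[:signature] = !REXML::XPath.first(sec, "ds:Signature", NS).nil?
  ek = REXML::XPath.first(sec, "xenc:EncryptedKey", NS)
  return summary if ek.nil?
  summary[:encrypted_key] = true
  summary[:key_algorithm] = REXML::XPath.first(ek, "xenc:EncryptionMethod/@Algorithm", NS).value
  REXML::XPath.each(ek, "xenc:ReferenceList/xenc:DataReference/@URI", NS) do |uri|
    id = uri.value.sub(/\A#/, "")
    data = REXML::XPath.first(doc, "//xenc:EncryptedData[@Id='#{id}']", NS)
    if data.nil?
      summary[:unresolved_refs] << uri.value
    else
      summary[:data_algorithms] << REXML::XPath.first(data, "xenc:EncryptionMethod/@Algorithm", NS).value
    end
  end
  summary
end
# Constructed sample: the shape of the second trace above, with placeholder cipher text.
SECURED = <<XML
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsa:To>http://localhost:3000/encryption/encryption</wsa:To>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="#{NS['wsse']}">
      <xenc:EncryptedKey xmlns:xenc="#{NS['xenc']}">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#EncDataID-1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Id="EncDataID-1" xmlns:xenc="#{NS['xenc']}">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
XML
# The same envelope with the wsse:Security header removed: what a client
# that never applied the policy sends (only the addressing headers survive).
UNSECURED = begin
  d = REXML::Document.new(SECURED)
  REXML::XPath.first(d, "//wsse:Security", NS).remove
  d.to_s
end
```

Run `security_summary` over a TCPMon capture to see at a glance whether the policy was applied and which algorithms were negotiated.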
Re: Question using Rampart with Ruby web service client
Here is a sample of the Ruby client that I am trying to insert security into:
payload = <some XML>
request = WSMessage.new(payload, nil, { "to" => <some URL>, "action" => <some URL>, "attachments" => { "objid" => <some file content> } })
policyContent = { "encrypt" => true, "algorithm_suite" => "Basic256Rsa15", "security_token_reference" => "IssuerSerial" }
policy = WSPolicy.new({ "security" => policyContent })
securityOptions = { "private_key" => "user1", "receiver_certificate" => "user1" }
securityToken = WSSecurityToken.new(securityOptions)
options = { "use_soap" => "1.1", "use_mtom" => true, "use_wsa" => true, "policy" => policy, "security_token" => securityToken}
client = WSClient.new(options, 'test.log')
Now, as I mentioned before, with this setup, I only see the To, Action, and MessageID tags in the SOAP header. When I remove the use_soap parameter in options, I still only see those three tags. Is there something I am not doing right? This looks very similar to the encryption example that does not use a policy.xml, except that I am specifying the encryption details with strings directly. I appreciate the help!
Re: Question using Rampart with Ruby web service client
Hi Edward,
I have used the following code. When I did that, I got security headers. Your code didn't work until I updated it to have rec_cert and pvt_key as follows.
-- RUBY CODE -------------------------------------------------------------------------------
require 'wsf'
require 'rexml/document'
include WSO2::WSF
include WSO2::Util

req_payload = <<XML
<ns1:echo xmlns:ns1="http://php.axis2.org/samples"><text>Hello World!</text></ns1:echo>
XML

begin
  LOG_FILE = "security_sample.log"
  ACTION = "http://php.axis2.org/samples/echoString"
  END_POINT = "http://localhost:3000/encryption/encryption"

  message_properties = {"to" => END_POINT,
                        "action" => ACTION,
                        "attachments" => { "objid" => "lakjglaksjglkadsjgklsadjgklasdgjkdasljg" }}

  # Receiver certificate and private key supplied inline as strings (values elided here)
  rec_cert = "..."
  pvt_key = "..."

  payload = WSMessage.new(req_payload,
                          nil,
                          message_properties)

  policy_content = {"encrypt" => true,
                    "algorithm_suite" => "Basic256Rsa15",
                    "security_token_reference" => "IssuerSerial"}
  policy = WSPolicy.new({"security" => policy_content})

  security_options = {"private_key" => pvt_key,
                      "receiver_certificate" => rec_cert}
  security_token = WSSecurityToken.new(security_options)

  options = {"use_soap" => "1.1",
             "use_mtom" => true,
             "use_wsa" => true,
             "policy" => policy,
             "security_token" => security_token}

  client = WSClient.new(options, LOG_FILE)
  res_message = client.request(payload)

  if not res_message.nil? then
    puts "Received OM: " << "\n" << res_message.payload_to_s << "\n\n"
    puts "Client invocation SUCCESSFUL !!!"
  else
    puts "Client invocation FAILED !!!"
  end
rescue WSFault => wsfault
  puts "Client invocation FAILED !!!\n"
  puts "WSFault : "
  puts wsfault.xml
  puts "----------"
  puts wsfault.code
  puts "----------"
  puts wsfault.reason
  puts "----------"
  puts wsfault.role
  puts "----------"
  puts wsfault.detail
  puts "----------"
rescue => exception
  puts "Client invocation FAILED !!!\n"
  # String#<< needs a String, so append the exception's message rather than the object
  puts "Exception : " << exception.message
end
-- TCPMon TRACE -------------------------------------------------------------------------------
POST /encryption/encryption HTTP/1.1
User-Agent: Axis2C/1.3.0
SOAPAction: "http://php.axis2.org/samples/echoString"
Content-Length: 2328
Content-Type: multipart/related; boundary=MIMEBoundary77dabebc-49fb-49eb-b3f3-fcd4230ab422; type="application/xop+xml"; start="<0.54bf2b79-c2d6-455b-a307-38eb13e9d5fd@apache.org>"; start-info="text/xml"; charset="UTF-8"
Host: 127.0.0.1:3000
--MIMEBoundary77dabebc-49fb-49eb-b3f3-fcd4230ab422
content-transfer-encoding: binary
content-id: <0.54bf2b79-c2d6-455b-a307-38eb13e9d5fd@apache.org>
content-type: application/xop+xml;charset=UTF-8;type="text/xml";
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:To>http://localhost:3000/encryption/encryption</wsa:To>
<wsa:Action>http://php.axis2.org/samples/echoString</wsa:Action>
<wsa:MessageID>5b483d0a-f2f1-4b2e-ad64-c67317b574e4</wsa:MessageID>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>O=OASIS, CN=OASIS Interop Test CA</ds:X509IssuerName>
<ds:X509SerialNumber>2147483647</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>s/gourTdbl4trhCh0RuBASESSqZDRMz5uogZGUesRU7Krr+pS15nGaZKd4A6nDJZG8pcgaGZTsbmns4yZe+tj4Cv4wQAqh8nfeo0/7teKyamD7RX/sefl21vR3x+7lojPuYJSVzUImd6HJkDxwbXz+LjY13jCgXhY6nc0k3T188=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:DataReference URI="#EncDataID-ff0d75b7-86be-47a7"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Id="EncDataID-ff0d75b7-86be-47a7" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>GWQK4q8l24kwcOHDuBV8XM3zc6x1sjhtdXa+c8eQIZmBRIAK4yVzdyhBtPPxrJ1AlSmQ2Ge2vCHcua7cw/QJP1tK3SD44wKRXj6Rl98m0YUn710Zj6j9bXXbHwzYnkdovJcWa2p4njaWchU5EWaeDw==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
--MIMEBoundary77dabebc-49fb-49eb-b3f3-fcd4230ab422--
-----------------------------------------------------------------------------------------------------------------
hope this helps,
Janapriya.
Re: Question using Rampart with Ruby web service client
I haven't tried this myself on my end, but I can see why this would work. Could you tell me why you put those values for rec_cert and pvt_key? I want to be able to dynamically use those values, not have them as static or stored in a file. Is it possible to define a key of any length, say a length of 4 instead of 256, which is what I think you have there? Also, with a given key, is it possible to determine the certificate dynamically? I just want to understand how you came up with those values for rec_cert and pvt_key. Thanks!
Re: Question using Rampart with Ruby web service client
Hi,
The values for the key and certs are actually the base64-encoded format of an X.509 certificate, which is also known as PEM format. Please follow this tutorial [1] to get an understanding of how to generate sample certificates and keys and get them signed using OpenSSL. Also, the following reference [2] will be useful to understand the X.509 standard.
I think you are assuming that this is quite similar to user name and passwords. But it's not. :)
You may generate your own private key and a corresponding self signed certificate.
Feel free to drop further questions if you have any.
Cheers,
Kaushalye
[1]http://wso2.org/library/767
[2]http://en.wikipedia.org/wiki/X.509
Re: Question using Rampart with Ruby web service client
OK, I see that this version of Rampart security makes use of a X509 certificate. Is there any way with the current version of Rampart and/or WSF Ruby to encrypt and sign with the use of a private key of arbitrary length and value, a user-specified username, and the inclusion of a timestamp? I would like to not use a X509 certificate, and still be able to encrypt and sign, if that is even possible. I would also like to avoid using a policy.xml file. I do have one, but it makes use of a C .so file for the RampartConfig section. Would it be possible to maybe use this policy.xml file and replace the part with the C .so file with some other configuration in the XML? Thanks!
Re: Question using Rampart with Ruby web service client
Hi,
Right now Rampart/C supports encryption using X509 certificates (public key) only. (Note that the private key is used for signing.)
So you cannot encrypt using an arbitrary-length string.
You can avoid using policy files by creating an array of policy options. Please find the sample here [1].
Cheers,
Kaushalye
[1]http://wso2.org/repos/wso2/trunk/wsf/ruby/samples/consumer/security/encryption/encrypt_client.rb
Re: Question using Rampart with Ruby web service client
janapriya,
I tried putting in the changes that you mentioned in my code, but I still can only see the To, Action, and MessageID headers. I also inserted the "include WSO2::Util" line into my code, but I just can't get any security SOAP headers to pop up in the message. Is there anything else I need to do to make this work? I inspected my own code's client and payload objects and compared them to the encryption sample, and they look the same. Is there something I could be missing in my own code to enable security?
Thanks!
Re: Question using Rampart with Ruby web service client
Hi Edward,
I have attached the code I have tested with your modifications. Could you please run that and send me the TCPMon trace?
regards,
Janapriya.
Re: Question using Rampart with Ruby web service client
I got security working in my client now. I figured out that there were two problems with the way I configured my environment. First, my LD_LIBRARY_PATH contained two locations for Rampart, so the first location (which is not from the compiled WSF-C framework) was not compatible with WSF Ruby. So, I configured the WSF Ruby libraries first in LD_LIBRARY_PATH and that helped. Second, in wsf.rb in the WSF Ruby framework, I had to change the "require 'wsservice'" line to "require 'WSFC'", since it seemed that WSF Ruby could read well from wsservice. I now have security working with encryption, username, and timestamp. However, when I try to include signing, with the example keys and certificates hard-coded, I get some error messages in the logs. Here is the trace of errors:
[Wed Apr 23 17:18:56 2008] [error] error.c(94) OXS ERROR [pem.c:77 in openssl_pem_buf_read_pkey] oxs defualt error , private key is NULL
[Wed Apr 23 17:18:56 2008] [error] rampart_signature.c(313) [rampart][rampart_signature] Can't load the key from buffer
[Wed Apr 23 17:18:56 2008] [error] error.c(94) OXS ERROR [signature.c:152 in oxs_sig_sign] invalid data , Cannot support cipher (null)
[Wed Apr 23 17:18:56 2008] [error] rampart_signature.c(667) [rampart][rampart_signature] Message signing failed.
[Wed Apr 23 17:18:56 2008] [error] rampart_sec_header_builder.c(127) [rampart][shb] Signing failed. ERROR
[Wed Apr 23 17:18:56 2008] [error] rampart_sec_header_builder.c(446) [rampart][shb] Asymmetric Binding failed
[Wed Apr 23 17:18:56 2008] [error] rampart_out_handler.c(139) [rampart][rampart_out_handler] Security header building failed ERROR
What changes would you recommend to fix this, and does this occur in your environment?
Thanks,
Edward
Re: Question using Rampart with Ruby web service client
Any update on resolving the problem I explained in my last reply? I would like to understand what is going on here. Thanks!
Re: Question using Rampart with Ruby web service client
Hi,
Could you please attach the code along with the error log? Hope you are using valid keys and there are no problems extracting from files.
Cheers,
Kau
Re: Question using Rampart with Ruby web service client
Hi,
Sorry for the late reply. I have been so busy with other work that I pushed this back a little. Here is some sample code that I am having problems getting signed (I can get security to work now, but signing is the issue):
payload = <some XML>
request = WSMessage.new(payload, nil, { "to" => <some URL>, "action" => <some URL>, "attachments" => { "objid" => <some file content> } })
policyContent = { "sign" => true, "algorithm_suite" => "Basic256Rsa15", "security_token_reference" => "KeyIdentifier", "include_time_stamp" => true }
policy = WSPolicy.new({ "security" => policyContent })
securityOptions = { "private_key" => "...",
                    "certificate" => "...",
                    "receiver_certificate" => "...",
                    "ttl" => 300 }
securityToken = WSSecurityToken.new(securityOptions)
options = { "use_soap" => "1.1", "use_mtom" => true, "use_wsa" => true, "policy" => policy, "security_token" => securityToken}
client = WSClient.new(options, 'test.log')
Here is the error trace:
[Wed Apr 23 17:18:56 2008] [error] error.c(94) OXS ERROR [pem.c:77 in openssl_pem_buf_read_pkey] oxs defualt error , private key is NULL
[Wed Apr 23 17:18:56 2008] [error] rampart_signature.c(313) [rampart][rampart_signature] Can't load the key from buffer
[Wed Apr 23 17:18:56 2008] [error] error.c(94) OXS ERROR [signature.c:152 in oxs_sig_sign] invalid data , Cannot support cipher (null)
[Wed Apr 23 17:18:56 2008] [error] rampart_signature.c(667) [rampart][rampart_signature] Message signing failed.
[Wed Apr 23 17:18:56 2008] [error] rampart_sec_header_builder.c(127) [rampart][shb] Signing failed. ERROR
[Wed Apr 23 17:18:56 2008] [error] rampart_sec_header_builder.c(446) [rampart][shb] Asymmetric Binding failed
[Wed Apr 23 17:18:56 2008] [error] rampart_out_handler.c(139) [rampart][rampart_out_handler] Security header building failed ERROR
Thanks,
Edward
Re: Question using Rampart with Ruby web service client
I sent you the code sample a couple days ago. Any progress on it? Thanks!
Edward
Re: Question using Rampart with Ruby web service client
Hi Edward,
I finally got it working; you need to provide the pvt_key as it was generated (i.e. on multiple lines).
my_key = "MIICXAIBAAKBgQCiqL30HLVVijRoeuQoI1PgOQiA8v9KBqFt4p0aGtu7crZcbtqt..."
have a look at the code I have tested.
regards,
Ruwan Janapriya
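Putting together Kaushalye's point that the key and certificate values are PEM-encoded X.509 material and Janapriya's last note that the private key has to keep its generated multi-line layout, here is an added Ruby example (not code from the thread or from WSF Ruby). It generates a private key and a matching self-signed certificate with OpenSSL, re-wraps a key body that was collapsed onto one line back into proper PEM, and checks that the certificate really belongs to the key. The function names and the certificate subject are constructed for the example.

```ruby
require 'openssl'

# Generate an RSA private key and a self-signed X.509 certificate for it, the
# kind of pair that "private_key" / "receiver_certificate" expect in PEM form.
def generate_key_and_cert(bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/O=Example/CN=wsf-ruby-sample")  # constructed subject
  cert.issuer = cert.subject            # self-signed: issuer is the subject itself
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 365 * 24 * 60 * 60
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Rebuild a PEM block from a base64 body that was pasted as a single line:
# PEM is the base64 of the DER wrapped at 64 characters between BEGIN/END lines.
def pem_from_base64_body(body, label)
  lines = body.delete(" \t\r\n").scan(/.{1,64}/)
  "-----BEGIN #{label}-----\n#{lines.join("\n")}\n-----END #{label}-----\n"
end

# True when OpenSSL accepts the string as an RSA private key.
def loadable_private_key?(str)
  OpenSSL::PKey::RSA.new(str).private?
rescue OpenSSL::PKey::PKeyError, ArgumentError
  false
end

# Walk through the failure and the fix: the bare base64 body does not load,
# the re-wrapped PEM does and yields the same key; check_private_key confirms
# that the certificate handed out as "certificate" matches "private_key".
def key_format_check
  key, cert = generate_key_and_cert
  pem = key.to_pem
  label = pem.lines.first[/-----BEGIN (.+)-----/, 1]   # e.g. "RSA PRIVATE KEY"
  bare = pem.lines[1..-2].join.delete("\n")            # the one-line form
  rebuilt = pem_from_base64_body(bare, label)
  {
    bare_loads: loadable_private_key?(bare),
    rebuilt_loads: loadable_private_key?(rebuilt),
    same_key: loadable_private_key?(rebuilt) && OpenSSL::PKey::RSA.new(rebuilt).n == key.n,
    cert_matches_key: cert.check_private_key(key)
  }
end

puts key_format_check.inspect if __FILE__ == $0
```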