
List:       rampart-dev
Subject:    [jira] [Commented] (RAMPART-439) Rampart 1.7.0 not working with PKCS11 certificate store
From:       "Bill Resnicow (JIRA)" <jira () apache ! org>
Date:       2017-03-22 12:50:41
Message-ID: JIRA.13057544.1490020276000.87772.1490187041691 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/RAMPART-439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15936239#comment-15936239 ]

Bill Resnicow commented on RAMPART-439:
---------------------------------------

All, I think I found the problem with this. I had to add one more configuration parameter: org.apache.ws.security.crypto.merlin.keystore.file = "" (blank).
Previously, this parameter was not required; in the latest version of things, it appears to be required. For PKCS11 certificate stores, it should be blank as there is no keystore file. Once this was set, Rampart/WSS4j were able to read the NSS PKCS11 certificate store.

I suggest adding some documentation to this effect somewhere, so I will leave this open for a time.


> Rampart 1.7.0 not working with PKCS11 certificate store
> -------------------------------------------------------
> 
> Key: RAMPART-439
> URL: https://issues.apache.org/jira/browse/RAMPART-439
> Project: Rampart
> Issue Type: Bug
> Affects Versions: 1.7.0
> Environment: RHEL Linux 7
> Reporter: Bill Resnicow
> 
> I have this problem when upgrading from Axis2/Rampart 1.6.0 to Axis2/Rampart 1.7.4.
> Our security provider is NSS which is the FIPS compliant PKCS11 certificate
> keystore. This worked fine with Axis2/Rampart 1.6.0 but with 1.7.4 it does not
> work. The problem is that when trying to create a message signature for a SOAP
> message, Rampart fails to read the signing certificate from the PKCS11 certificate
> database. The exception is below. It might be an issue with Rampart or with
> WSS4J which was upgraded from 1.5.11 to 1.6.16. I tried changing the Rampart
> configuration to use a JKS keystore instead of the PKCS11 keystore and then it
> worked properly. The following exception occurs when processing an outbound SOAP
> message response, trying to create a signature part in the header. See the 'Caused
> by' at the end.
> 
> 03-15-2017 13:50:05,617 ERROR [org.apache.axis2.receivers.AbstractMessageReceiver] (Axis2 Task) Error in signature with X509Token: org.apache.axis2.AxisFault: Error in signature with X509Token
>     at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76) [rampart-core-1.7.0.jar:1.7.0]
>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:335) [axis2-kernel-1.7.4.jar:1.7.4]
>     at org.apache.axis2.engine.Phase.invoke(Phase.java:308) [axis2-kernel-1.7.4.jar:1.7.4]
>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:250) [axis2-kernel-1.7.4.jar:1.7.4]
>     at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:415) [axis2-kernel-1.7.4.jar:1.7.4]
>     at org.apache.axis2.receivers.RawXMLINOutMessageReceiver.invokeBusinessLogic(RawXMLINOutMessageReceiver.java:121) [axis2-kernel-1.7.4.jar:1.7.4]
>     at org.apache.axis2.receivers.AbstractMessageReceiver$AsyncMessageReceiverWorker.run(AbstractMessageReceiver.java:229) [axis2-kernel-1.7.4.jar:1.7.4]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_92]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_92]
>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_92]
> Caused by: org.apache.rampart.RampartException: Error in signature with X509Token
>     at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:343) [rampart-core-1.7.0.jar:1.7.0]
>     at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:250) [rampart-core-1.7.0.jar:1.7.0]
>     at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:760) [rampart-core-1.7.0.jar:1.7.0]
>     at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:417) [rampart-core-1.7.0.jar:1.7.0]
>     at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:88) [rampart-core-1.7.0.jar:1.7.0]
>     at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147) [rampart-core-1.7.0.jar:1.7.0]
>     at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65) [rampart-core-1.7.0.jar:1.7.0]
>     ... 9 more
> Caused by: org.apache.ws.security.WSSecurityException: General security error (No certificates for user <myusername> were found for signature)
>     at org.apache.ws.security.message.WSSecSignature.getSigningCerts(WSSecSignature.java:796) [wss4j-1.6.16.jar:1.6.16]
>     at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:169) [wss4j-1.6.16.jar:1.6.16]
>     at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:340) [rampart-core-1.7.0.jar:1.7.0]
>     ... 15 more
> 
> Our Rampart configuration is as follows:
> org.apache.ws.security.crypto.merlin.keystore.provider = SunPKCS11-NSSfips
> org.apache.ws.security.crypto.merlin.cert.provider = (blank)
> org.apache.ws.security.crypto.merlin.load.cacerts = false
> org.apache.ws.security.crypto.merlin.keystore.type=PKCS11
> cryptoConfigProvider = org.apache.ws.security.components.crypto.Merlin
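A startup self-check for this kind of configuration, added here as an example and not part of the Rampart or WSS4J code: it loads the Merlin properties the way WSS4J 1.6 does, supplies the empty keystore.file value the comment above describes if it is missing, and confirms that the signing alias resolves to a certificate and a private key before any SOAP message has to be signed. The properties file path, the alias and the PKCS11 PIN are command-line inputs assumed for the example (java MerlinPkcs11Check <crypto.properties> <alias> [pin]); a WSS4J 1.6.x classpath is assumed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.X509Certificate;
import java.util.Properties;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.components.crypto.CryptoType;

// Startup check for a Merlin crypto configuration backed by a PKCS11 (NSS) store: load it
// the way Rampart/WSS4J will and confirm the signing alias resolves to a certificate and a
// private key before the first outbound message has to be signed. (Example code.)
public class MerlinPkcs11Check {
    static final String KEYSTORE_FILE = "org.apache.ws.security.crypto.merlin.keystore.file";

    static Properties load(String path) throws Exception {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            props.load(in);
        }
        // A PKCS11 store has no keystore file, but WSS4J 1.6 Merlin still expects the key
        // to be present: it must be set to the empty string rather than omitted.
        if (props.getProperty(KEYSTORE_FILE) == null) {
            System.err.println("warning: " + KEYSTORE_FILE + " missing; setting it to \"\"");
            props.setProperty(KEYSTORE_FILE, "");
        }
        return props;
    }

    static boolean canSign(Properties props, String alias, String pin) {
        try {
            Crypto crypto = CryptoFactory.getInstance(props);
            CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
            byAlias.setAlias(alias);
            X509Certificate[] certs = crypto.getX509Certificates(byAlias);
            if (certs == null || certs.length == 0) {
                System.err.println("no certificate for alias " + alias); // what WSS4J reports
                return false;
            }
            return crypto.getPrivateKey(alias, pin) != null; // pin: PKCS11 token password
        } catch (WSSecurityException e) {
            System.err.println("crypto check failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean ok = canSign(load(args[0]), args[1], args.length > 2 ? args[2] : null);
        System.out.println(ok ? "signing identity usable" : "signing identity NOT usable");
    }
}
```

Running it with the properties file from the issue and the signing alias reproduces the "no certificate for alias" condition without keystore.file and succeeds once the blank value is present.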



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)



