Vincent Vega (Novice; Joined: 27 Sep 2012; Posts: 18; Location: Kiev, Ukraine)
Posted: Tue Oct 16, 2012 11:35 am   Post subject: Message Broker & WS-Security
Hello
I have a WSDL file with a Policy part:
Code: |
<wsp:Policy wsu:Id="WSHttpBinding_ID_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:SecureConversationToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:BootstrapPolicy>
<wsp:Policy>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing" />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:Wss11>
<wsp:Policy />
</sp:Wss11>
<sp:Trust10>
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
</wsp:Policy>
</sp:Trust10>
</wsp:Policy>
</sp:BootstrapPolicy>
</wsp:Policy>
</sp:SecureConversationToken>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy />
</sp:Wss11>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing />
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
|
I have a problem with authorization.
Here is what I did:
1. My flow:
MQInput -> Compute -> SOAPRequest -> …
In the Compute node I wrote:
Code: |
-- source identity for the outbound UsernameToken (picked up by the SOAPRequest node's policy set binding)
SET OutputRoot.Properties.IdentitySourceType = 'usernameAndPassword';
SET OutputRoot.Properties.IdentitySourceToken = 'xxx';
SET OutputRoot.Properties.IdentitySourcePassword = 'yyyyy';
|
2. I made a Policy Set (with a UserName authentication token) and a Policy Set Binding, and wrote this Policy Set and Policy Set Binding into my BAR file.
My SOAPRequest node makes this request:
Code: |
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<s:Security
xmlns:s="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soapenv:mustUnderstand="1">
<s:UsernameToken u:Id="unt_20">
<s:Username>xxx</s:Username>
<s:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">yyyyyy</s:Password>
</s:UsernameToken>
</s:Security>
<wsa:To>http://xxxxxxxx
</wsa:To>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous
</wsa:Address>
</wsa:ReplyTo>
<wsa:MessageID>urn:uuid:8E42EA41DC2B2CE91A1350300865332
</wsa:MessageID>
<wsa:Action>http://xxxxxxxx
</wsa:Action>
</soapenv:Header>
<soapenv:Body>
....
|
I get this response
Code: |
Reason
Text:CHARACTER:The message could not be processed. This is most likely because the action 'http://xxxxxx' is incorrect or
because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The
security context token would be invalid if the service aborted the channel due to inactivity.
To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.
lang:CHARACTER:en-US
|
The first thing I can see is that there is no Timestamp part (IncludeTimestamp) in the SOAP request. How can I add it to my request?
As far as I understand, it must be like this:
Code: |
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2012-10-16T07:47:50.291Z</u:Created>
<u:Expires>2012-10-16T07:52:50.291Z</u:Expires>
</u:Timestamp>
</o:Security>
|
Maybe I have one more mistake… Help me...
WMB: 7.0.0.3
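A static gap check of the posted request against the posted policy, as an added example that is not part of the thread and not WebSphere Message Broker code. It embeds shortened copies of the policy and the request from the post above (constructed, placeholders kept), assumes the usual WS-Policy 2004/09 and WS-SecureConversation 2005/02 namespaces (the WSDL fragment does not show its wsp declaration), and lists every assertion the request fails: the missing Timestamp, but also the SecureConversationToken that the fault text's "security context token" refers to, the http endpoint against sp:HttpsToken, and the PasswordText credential sent without TLS. Function names are my own.

```python
"""Compare a SOAP request with the WS-SecurityPolicy it must satisfy.

Added example (not thread or WMB code). POLICY and REQUEST are constructed
from the fragments posted above, shortened; wsp/wsc namespaces are assumed.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",          # assumed
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "soapenv": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsc": "http://schemas.xmlsoap.org/ws/2005/02/sc",               # assumed
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

POLICY = f"""<wsp:Policy xmlns:wsp="{NS['wsp']}" xmlns:sp="{NS['sp']}">
 <wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy>
   <sp:TransportToken><wsp:Policy>
    <sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
   <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
   <sp:IncludeTimestamp/>
  </wsp:Policy></sp:TransportBinding>
  <sp:EndorsingSupportingTokens><wsp:Policy>
   <sp:SecureConversationToken><wsp:Policy><sp:BootstrapPolicy><wsp:Policy>
    <sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SignedSupportingTokens>
   </wsp:Policy></sp:BootstrapPolicy></wsp:Policy></sp:SecureConversationToken>
  </wsp:Policy></sp:EndorsingSupportingTokens>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}">
 <soapenv:Header xmlns:wsa="{NS['wsa']}">
  <s:Security xmlns:s="{NS['wsse']}" xmlns:u="{NS['wsu']}" soapenv:mustUnderstand="1">
   <s:UsernameToken u:Id="unt_20">
    <s:Username>xxx</s:Username>
    <s:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">yyyyyy</s:Password>
   </s:UsernameToken>
  </s:Security>
  <wsa:To>http://xxxxxxxx</wsa:To>
  <wsa:Action>http://xxxxxxxx</wsa:Action>
 </soapenv:Header>
 <soapenv:Body><Placeholder/></soapenv:Body>
</soapenv:Envelope>"""


def policy_requirements(policy_xml):
    """Pull out the assertions this check cares about."""
    root = ET.fromstring(policy_xml)
    boot = root.find(".//sp:BootstrapPolicy", NS)
    return {
        "https": root.find(".//sp:HttpsToken", NS) is not None,
        "timestamp": root.find(".//sp:IncludeTimestamp", NS) is not None,
        "secure_conversation": root.find(".//sp:SecureConversationToken", NS) is not None,
        "bootstrap_username": boot is not None and boot.find(".//sp:UsernameToken", NS) is not None,
    }


def message_facts(envelope_xml):
    """What the request actually carries."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    has = lambda path: sec is not None and sec.find(path, NS) is not None
    to = (root.findtext("soapenv:Header/wsa:To", default="", namespaces=NS) or "").strip()
    pw_types = [p.get("Type", "") for p in
                (sec.iterfind("wsse:UsernameToken/wsse:Password", NS) if sec is not None else [])]
    return {
        "to": to,
        "https": to.lower().startswith("https://"),
        "timestamp": has("wsu:Timestamp"),
        "username_token": has("wsse:UsernameToken"),
        "password_text": any(t.endswith("#PasswordText") for t in pw_types),
        "sct": has("wsc:SecurityContextToken"),
        "signature": has("ds:Signature"),
    }


def gaps(policy_xml, envelope_xml):
    """Human-readable list of policy assertions the request does not satisfy."""
    req, msg = policy_requirements(policy_xml), message_facts(envelope_xml)
    out = []
    if req["timestamp"] and not msg["timestamp"]:
        out.append("no wsu:Timestamp in Security header (policy: sp:IncludeTimestamp)")
    if req["secure_conversation"] and not msg["sct"]:
        out.append("no wsc:SecurityContextToken: policy expects an SCT obtained by a WS-Trust bootstrap before this call")
    if req["secure_conversation"] and not msg["signature"]:
        out.append("no ds:Signature: an endorsing SCT has to sign (at least the Timestamp)")
    if req["https"] and not msg["https"]:
        out.append(f"wsa:To is {msg['to']!r} but policy requires sp:HttpsToken")
    if msg["password_text"] and not msg["https"]:
        out.append("PasswordText credential without TLS: the password travels in the clear")
    if req["bootstrap_username"] and not msg["username_token"]:
        out.append("no wsse:UsernameToken")
    return out


if __name__ == "__main__":
    for finding in gaps(POLICY, REQUEST):
        print("-", finding)
```

Run it against a captured request (for example the one Wireshark shows after the http switch described later in the thread) by replacing REQUEST; a clean run returns an empty list. The check is deliberately syntactic: it tells you which policy assertions the message does not even attempt to meet, which is the level at which the fault text ("invalid or expired security context token" / "mismatch between bindings") is complaining.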
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Tue Oct 16, 2012 11:41 am
Wow! Great post. Excellent due diligence.
You are doing all the right things. Are the SSL certs up to date? If you use SoapUI or curl, are you able to submit a transaction to the host?
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Tue Oct 16, 2012 11:45 am   Post subject: Re: Message Broker & WS-Security
Vincent Vega wrote: |
The first thing I can see is that there is no Timestamp part (IncludeTimestamp) in the SOAP request. How can I add it to my request?
As far as I understand, it must be like this:
Code: |
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2012-10-16T07:47:50.291Z</u:Created>
<u:Expires>2012-10-16T07:52:50.291Z</u:Expires>
</u:Timestamp>
</o:Security>
|
Maybe I have one more mistake… Help me...
WMB: 7.0.0.3 |
Yes, you can do this.
Code: |
In the XPath Expressions table, click Add to associate XPath to each of the parts that you created in Step 10, as shown in the following table.

Name                     XPath
app_encparts_response    Envelope, Header, Security, Signature
app_signparts_response   Envelope, Header, Security, Timestamp
app_encparts_request     Envelope, Header, Security, Signature
app_signparts_request    Envelope, Header, Security, Timestamp
|
http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/topic/com.ibm.etools.mft.samples.wssecsamp.doc/doc/setup_policy.htm
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Tue Oct 16, 2012 11:48 am
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Tue Oct 16, 2012 11:59 am
I found this APAR which has a ring of similarity to yours, although it says that if you are on 7.0.0.3 then you are already patched. What is the 'effective level' of your runtime? Use mqsireportbroker to find the effective level.
http://www-01.ibm.com/support/docview.wss?uid=swg1IC66875
IC66875: SOAP FAULT IF SOAP REQUEST MESSAGE HAS BOTH ACTOR ATTRIBUTE AND TIMESTAMP ELEMENT IN THE SECURITY HEADER.
Vincent Vega (Novice; Joined: 27 Sep 2012; Posts: 18; Location: Kiev, Ukraine)
Posted: Tue Oct 16, 2012 11:59 am
lancelotlinc wrote: |
Wow ! Great post. Excellent due diligence.
You are doing all the right things. Are the SSL certs up-to-date? If you use SoapUI or curl, are you able to submit a transaction to the host? |
Yes, the SSL certs are up to date. My production endpoint is https://zzzzz.com/yyyy/. For the test I changed it to http://zzzz.com/yyy to catch the traffic with Wireshark.
I have a test program in .NET. It works fine with this web service.
There are only 2 lines in .NET:
Code: |
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace Test
{
class Program
{
static void Main(string[] args)
{
// The generated WCF proxy applies the WSDL's policy itself; only the credentials are set here
var c = new ID.IDClient();
c.ClientCredentials.UserName.UserName = "xxxxx";
c.ClientCredentials.UserName.Password = "yyyyyyyy";
/*Console.WriteLine("Getting returns ...");
var rts = c.GetCreditReturns(DateTime.Today.AddDays(-1), DateTime.Now);
foreach(var r in rts)
Console.WriteLine("Full name: {0}, contract no.: {1}", r.FullName, r.CreditDeal);*/
var st = c.SetCoBrMemberData(new DeltaBank.MemberData
{
BankCard = "1234",
ComfortCard = 10000000016,
Approved = DateTime.Today.AddDays(-1),
Activated = DateTime.Today,
LastName = "Иванов",
FirstName = "Иван",
MiddleName = "Иванович",
Birthday = new DateTime(1960, 1, 1),
CellPhone = "(055) 123-44-55",
IdCode = "123456789"
});
Console.WriteLine("Status: {0}, {1}", st.Id, st.Description);
}
}
}
|
Last edited by Vincent Vega on Tue Oct 16, 2012 12:14 pm; edited 2 times in total
Vincent Vega (Novice; Joined: 27 Sep 2012; Posts: 18; Location: Kiev, Ukraine)
Posted: Tue Oct 16, 2012 12:03 pm
lancelotlinc wrote: |
I found this APAR which has a ring of similarity to yours, although it says that if you are on 7.0.0.3 then you are already patched. What is the 'effective level' of your runtime? Use mqsireportbroker to find the effective level.
http://www-01.ibm.com/support/docview.wss?uid=swg1IC66875
IC66875: SOAP FAULT IF SOAP REQUEST MESSAGE HAS BOTH ACTOR ATTRIBUTE AND TIMESTAMP ELEMENT IN THE SECURITY HEADER. |
Quote: |
$ bash
bash-3.00$ mqsireportbroker WBRK
BIP8927I: Broker Name 'WBRK'
Install path = '/opt/IBM/mqsi/7.0'
Work path = '/var/mqsi'
Broker UUID = 'b9a3a02e-2401-0000-0080-c51da6ac402a'
Process id = '749816'
Queue Manager = 'QMBRK'
User lil path = ''
User exit path = ''
Active user exits = ''
LDAP principal = ''
LDAP credentials = ''
ICU converter path = ''
Trusted (fastpath) Queue Manager application = 'false'
Configuration change timeout = '600' seconds
Internal configuration timeout = '600' seconds
Statistics major interval = '60' minutes
Operation mode = 'enterprise'
Fixpack capability level = '' (effective level '7.0.0.1')
Broker registry format = 'v7.0'
Administration security = ''
Multi-instance Broker = 'false'
Shared Work Path = 'none'
Start as WebSphere MQ Service = 'undefined'
HTTP listener port = '7080'
|
I'll update my server tomorrow.
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Tue Oct 16, 2012 12:09 pm
Vincent Vega (Novice; Joined: 27 Sep 2012; Posts: 18; Location: Kiev, Ukraine)
Posted: Tue Oct 16, 2012 12:09 pm
I read this, but I understand that it is for message encryption. Am I right?
My message is not encrypted.
Vincent Vega (Novice; Joined: 27 Sep 2012; Posts: 18; Location: Kiev, Ukraine)
Posted: Tue Oct 16, 2012 12:11 pm
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Tue Oct 16, 2012 12:23 pm
Your original message states
Quote: |
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding> |
That maps to the options on the Message Level Protection panel.
But before you change that, and after you apply FixPack 4, you should make sure to run mqsichangebroker -f all so that you take advantage of the features of FixPack 4, rather than still having a capability level of FixPack 1.
Vincent Vega (Novice; Joined: 27 Sep 2012; Posts: 18; Location: Kiev, Ukraine)
Posted: Wed Oct 17, 2012 10:04 am
Thanks for the help.
I resolved the problem with the Timestamp, but now I have another problem. A little bit more about my configuration. I have 2 servers (I updated them today):
Production: WMB 7.0.0.4, AIX 6 (x64)
Test: WMB 7.0.0.4, Windows XP (x86)
The keystore, truststore, Policy Set and Policy Set Bindings are the same on these servers.
Message Broker Toolkit 7.0.0.5.
I have 2 BAR files. In the test BAR file the SOAPRequest node "Web service URL" is http://xxxxx; in the production BAR file the "Web service URL" is httpS://xxxxx. I did this to catch the SOAP request with Wireshark (http://www.wireshark.org/).
I put the cert in the truststore and keystore.
After the server update I have this SOAP request:
Now I can see the Timestamp, but the error still exists.
OK. On to the next level of my quest. In the WSDL I have:
Code: |
<wsp:Policy>
<sp:BootstrapPolicy>
<wsp:Policy>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing" />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
|
It means I must sign the Body and some parts of the Header, and encrypt the Body. Is that right?
I tried different configurations but nothing works. How can I implement this signing and encryption? What certificate should I use? I have only one cert, for the SSL connection.
My last Policy settings:
I can't deploy my BAR file with these settings. I get this error:
Code: |
MB7BROKER.default ) A Java exception was thrown whilst calling the Java JNI method ''method_com_ibm_broker_axis2_Axis2NodeRegistrationUtil_registerSyncRequestNode''. The Java exception was ''BIP3726E: com.ibm.broker.axis2.MbSoapException: Failed to setup Axis2''. The Java stack trace was ''Frame : 0 com.ibm.broker.axis2.MbSoapException: Failed to setup Axis2
@: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.<init>(Axis2NodeRegistered.java:314)
@: com.ibm.broker.axis2.Axis2NodeRegistered.<init>(Axis2NodeRegistered.java:135)
@: com.ibm.broker.axis2.Axis2EngineManager.registerNode(Axis2EngineManager.java:81)
@: com.ibm.broker.axis2.Axis2NodeRegistrationUtil.registerSyncRequestNode(Axis2NodeRegistrationUtil.java:351)
Frame : 1 com.ibm.broker.axis2.MbSoapException: Configuration using PS and binding failed
@: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.setupSOAPPipeline(Axis2NodeRegistered.java:768)
@: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.<init>(Axis2NodeRegistered.java:269)
@: com.ibm.broker.axis2.Axis2NodeRegistered.<init>(Axis2NodeRegistered.java:135)
@: com.ibm.broker.axis2.Axis2EngineManager.registerNode(Axis2EngineManager.java:81)
@: com.ibm.broker.axis2.Axis2NodeRegistrationUtil.registerSyncRequestNode(Axis2NodeRegistrationUtil.java:351)
Frame : 2 com.ibm.broker.axis2.MbSoapException: Keystore exception
@: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.policySetConfiguration(Axis2NodeRegistered.java:1891)
@: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.setupSOAPPipeline(Axis2NodeRegistered.java:738)
@: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.<init>(Axis2NodeRegistered.java:269)
@: com.ibm.broker.axis2.Axis2NodeRegistered.<init>(Axis2NodeRegistered.java:135)
@: com.ibm.broker.axis2.Axis2EngineManager.registerNode(Axis2EngineManager.java:81)
@: com.ibm.broker.axis2.Axis2NodeRegistrationUtil.registerSyncRequestNode(Axis2NodeRegistrationUtil.java:351)
Frame : 3 com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS7280E: The Token Generator key type [http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3] does not match the encryption key type defined in the policy.
@: com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:77)
@: com.ibm.ws.wssecurity.confimpl.PrivateGeneratorConfig.validate(PrivateGeneratorConfig.java:914)
@: com.ibm.ws.wssecurity.handler.PolicyOutboundConfig.init(PolicyOutboundConfig.java:3126)
@: com.ibm.ws.wssecurity.handler.PolicyOutboundConfig.<init>(PolicyOutboundConfig.java:255)
@: com.ibm.ws.wssecurity.handler.WSSecurityBindingLoaderImpl.loadCustom(WSSecurityBindingLoaderImpl.java:379)
@: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.policySetConfiguration(Axis2NodeRegistered.java:1816)
@: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.setupSOAPPipeline(Axis2NodeRegistered.java:738)
@: com.ibm.broker.axis2.Axis2NodeRegistered$SOAPConfig.<init>(Axis2NodeRegistered.java:269)
@: com.ibm.broker.axis2.Axis2NodeRegistered.<init>(Axis2NodeRegistered.java:135)
@: com.ibm.broker.axis2.Axis2EngineManager.registerNode(Axis2EngineManager.java:81)
@: com.ibm.broker.axis2.Axis2NodeRegistrationUtil.registerSyncRequestNode(Axis2NodeRegistrationUtil.java:351)''.
Correct the error, and if necessary redeploy the flow.
|
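The bootstrap that the policy's SecureConversationToken implies, as an added example that is not code from the thread, from WCF or from WebSphere Message Broker. It models only the key agreement the policy describes: the requestor authenticates with the UsernameToken named in the BootstrapPolicy, both sides contribute entropy as the Trust10 assertions RequireClientEntropy/RequireServerEntropy require, and the session key is the WS-Trust 1.x computed key P_SHA1(client entropy, server entropy, size). The messages are dataclasses instead of RST/RSTR XML, the issuer keeps contexts in memory, the SCT identifier format is an assumption, and an HMAC-SHA1 over the Timestamp stands in for the endorsing signature that Basic256 specifies. Whether the WMB 7 SOAPRequest node can drive this exchange is not shown in the thread; the example only shows what the service expects before it will accept a "security context token", and why an unknown or aborted context produces exactly the fault quoted in the first post.

```python
"""WS-Trust bootstrap for a SecureConversationToken: computed-key agreement.

Added example, not code from the thread, from WCF or from WebSphere Message
Broker. Messages are plain dataclasses instead of RST/RSTR XML; the issuer
keeps contexts in memory; the SCT identifier format is an assumption.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

KEY_BYTES = 32   # Basic256 suite: 256-bit symmetric key


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 (RFC 2246 s.5), the algorithm behind WS-Trust's .../trust/CK/PSHA1."""
    out, a = b"", seed                                          # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def computed_key(client_entropy: bytes, server_entropy: bytes, length: int = KEY_BYTES) -> bytes:
    """WS-Trust computed key: P_SHA1(requestor entropy, issuer entropy, size)."""
    return p_sha1(client_entropy, server_entropy, length)


@dataclass
class RequestSecurityToken:          # stands in for wst:RequestSecurityToken
    username: str                    # bootstrap UsernameToken (sp:BootstrapPolicy)
    password: str
    client_entropy: bytes            # sp:RequireClientEntropy


@dataclass
class RequestSecurityTokenResponse:  # stands in for wst:RequestSecurityTokenResponse
    sct_id: str                      # wsc:SecurityContextToken/wsc:Identifier (format assumed)
    server_entropy: bytes            # sp:RequireServerEntropy


class Issuer:
    """Service side: validates the bootstrap credential, issues an SCT, remembers its key."""

    def __init__(self, users: dict):
        self.users = users
        self.contexts: dict = {}     # sct_id -> session key; gone once the channel is aborted

    def issue(self, rst: RequestSecurityToken) -> RequestSecurityTokenResponse:
        if self.users.get(rst.username) != rst.password:
            raise PermissionError("bootstrap authentication failed")
        server_entropy = os.urandom(KEY_BYTES)
        sct_id = "urn:uuid:" + os.urandom(16).hex()
        self.contexts[sct_id] = computed_key(rst.client_entropy, server_entropy)
        return RequestSecurityTokenResponse(sct_id, server_entropy)

    def verify(self, sct_id: str, timestamp: bytes, tag: bytes) -> bool:
        """Endorsing-signature check; an unknown or expired id is the fault the thread shows."""
        key = self.contexts.get(sct_id)
        if key is None:
            return False
        return hmac.compare_digest(hmac.new(key, timestamp, hashlib.sha1).digest(), tag)


class Requestor:
    """Client side: one bootstrap, then the derived key endorses every request."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.sct_id, self.key = None, None

    def bootstrap(self, issuer: Issuer) -> None:
        rst = RequestSecurityToken(self.username, self.password, os.urandom(KEY_BYTES))
        rstr = issuer.issue(rst)
        self.sct_id = rstr.sct_id
        self.key = computed_key(rst.client_entropy, rstr.server_entropy)   # same key, never on the wire

    def endorse(self, timestamp: bytes) -> bytes:
        """HMAC-SHA1 (Basic256 symmetric signature) over the Timestamp."""
        return hmac.new(self.key, timestamp, hashlib.sha1).digest()


TIMESTAMP = (b'<u:Timestamp u:Id="_0"><u:Created>2012-10-16T07:47:50.291Z</u:Created>'
             b'<u:Expires>2012-10-16T07:52:50.291Z</u:Expires></u:Timestamp>')   # constructed


def demo() -> tuple:
    """Returns (accepted with a live SCT, accepted with an SCT id the service never issued)."""
    issuer = Issuer({"xxx": "yyyyyy"})
    client = Requestor("xxx", "yyyyyy")
    client.bootstrap(issuer)
    tag = client.endorse(TIMESTAMP)
    return issuer.verify(client.sct_id, TIMESTAMP, tag), issuer.verify("urn:uuid:stale", TIMESTAMP, tag)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The point for the thread: a request carrying only a UsernameToken never reaches the `verify` step, because the service is looking for a context it issued earlier; the .NET client works because the WCF proxy performs `bootstrap` on its own before the first application call. Both sides end up with the same key without it crossing the network, which is why the policy insists on entropy from both parties rather than a server-chosen key.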
Vincent Vega (Novice; Joined: 27 Sep 2012; Posts: 18; Location: Kiev, Ukraine)
Posted: Wed Oct 17, 2012 10:07 am
Quote: |
com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS7280E: The Token Generator key type [http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3] does not match the encryption key type defined in the policy. |
translate:
Quote: |
Key type Token Generator does not match the encryption key, as defined in the strategy. |
salvador.wbi (Novice; Joined: 10 Jul 2009; Posts: 18; Location: Monterrey, Mexico)
Posted: Mon Jun 16, 2014 2:01 pm   Post subject: Same error!
Hello guys!
Currently I'm facing the same problem. @Vincent Vega, did you solve this issue? I would appreciate your help!
_________________
"The problem with people who have no vices is that generally you can be pretty sure they're going to have some pretty annoying virtues."
Vincent Vega (Novice; Joined: 27 Sep 2012; Posts: 18; Location: Kiev, Ukraine)
Posted: Mon Jun 16, 2014 3:27 pm   Post subject: Re: Same error!
salvador.wbi wrote: |
Hello guys!
Currently I'm facing the same problem, @Vincent Vega, did you solve this issue? I would appreciate your help! |
Unfortunately I didn't have time to solve this problem. My business department demanded results, and I used a proxy service on .NET.