Metro › Metro - Users

Signature algorithm should be same for client, sts and service?

Classic

List

Threaded

6 messages Options

gchoi

Signature algorithm should be same for client, sts and service?

Signature algorithm for my client and serivice certificate is SHA1withRSA while sts certificate is SHA256withRSA. It could be a problem? When client call service, it returns Invalid Security Header message. Client-STS-Client call looks good. I am using UserNameToken with symmetric key bindings.

Apr 24, 2012 6:03:55 PM com.sun.xml.wss.jaxws.impl.SecurityClientTube processClientResponsePacket
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.XWSSecurityException: Security Requirements not met - No Security header in message
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:925)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:248)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:450)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientResponsePacket(SecurityClientTube.java:434)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processResponse(SecurityClientTube.java:362)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:972)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
at com.sun.xml.ws.client.Stub.process(Stub.java:429)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
at $Proxy40.doubleIt(Unknown Source)
at client.WSClient.doubleIt(WSClient.java:76)
at client.WSClient.main(WSClient.java:69)
Exception in thread "main" javax.xml.ws.WebServiceException: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientResponsePacket(SecurityClientTube.java:439)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processResponse(SecurityClientTube.java:362)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:972)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
at com.sun.xml.ws.client.Stub.process(Stub.java:429)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
at $Proxy40.doubleIt(Unknown Source)
at client.WSClient.doubleIt(WSClient.java:76)
at client.WSClient.main(WSClient.java:69)
Caused by: javax.xml.ws.soap.SOAPFaultException: Invalid Security Header
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:696)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:714)
... 14 more
Caused by: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:349)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:710)
... 14 more

kumarjayanti

Re: Signature algorithm should be same for client, sts and service?

It appears the client did not send a secure message here :
> Security Requirements not met - No
> Security header in message

Can you do a message dump on the server and see what is being sent.

On Apr 25, 2012, at 4:33 AM, gchoi wrote:

>
> Signature algorithm for my client and serivice certificate is
> SHA1withRSA
> while sts certificate is SHA256withRSA. It could be a problem? When
> client
> call service, it returns Invalid Security Header message. Client-STS-
> Client
> call looks good. I am using UserNameToken with symmetric key bindings.
>
>
> Apr 24, 2012 6:03:55 PM com.sun.xml.wss.jaxws.impl.SecurityClientTube
> processClientResponsePacket
> SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound
> Message.
> com.sun.xml.wss.XWSSecurityException: Security Requirements not met
> - No
> Security header in message
> at
> com
> .sun
> .xml
> .ws
> .security
> .opt
> .impl
> .incoming.SecurityRecipient.createMessage(SecurityRecipient.java:925)
> at
> com
> .sun
> .xml
> .ws
> .security
> .opt
> .impl
> .incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:
> 248)
> at
> com
> .sun
> .xml
> .wss
> .jaxws
> .impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:450)
> at
> com
> .sun
> .xml
> .wss
> .jaxws
> .impl
> .SecurityClientTube
> .processClientResponsePacket(SecurityClientTube.java:434)
> at
> com
> .sun
> .xml
> .wss
> .jaxws
> .impl.SecurityClientTube.processResponse(SecurityClientTube.java:362)
> at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:972)
> at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
> at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
> at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
> at com.sun.xml.ws.client.Stub.process(Stub.java:429)
> at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:
> 168)
> at
> com
> .sun
> .xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:
> 119)
> at
> com
> .sun
> .xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:
> 102)
> at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
> at $Proxy40.doubleIt(Unknown Source)
> at client.WSClient.doubleIt(WSClient.java:76)
> at client.WSClient.main(WSClient.java:69)
> Exception in thread "main" javax.xml.ws.WebServiceException:
> WSSTUBE0025:
> Error in Verifying Security in the Inbound Message.
> at
> com
> .sun
> .xml
> .wss
> .jaxws
> .impl
> .SecurityClientTube
> .processClientResponsePacket(SecurityClientTube.java:439)
> at
> com
> .sun
> .xml
> .wss
> .jaxws
> .impl.SecurityClientTube.processResponse(SecurityClientTube.java:362)
> at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:972)
> at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
> at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
> at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
> at com.sun.xml.ws.client.Stub.process(Stub.java:429)
> at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:
> 168)
> at
> com
> .sun
> .xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:
> 119)
> at
> com
> .sun
> .xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:
> 102)
> at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
> at $Proxy40.doubleIt(Unknown Source)
> at client.WSClient.doubleIt(WSClient.java:76)
> at client.WSClient.main(WSClient.java:69)
> Caused by: javax.xml.ws.soap.SOAPFaultException: Invalid Security
> Header
> at
> com
> .sun
> .xml
> .wss
> .jaxws
> .impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:
> 696)
> at
> com
> .sun
> .xml
> .wss
> .jaxws
> .impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:
> 714)
> ... 14 more
> Caused by: com.sun.xml.wss.impl.WssSoapFaultException: Invalid
> Security
> Header
> at
> com
> .sun
> .xml
> .wss
> .impl
> .SecurableSoapMessage
> .newSOAPFaultException(SecurableSoapMessage.java:349)
> at
> com
> .sun
> .xml
> .wss
> .jaxws
> .impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:
> 710)
> ... 14 more
>
> --
> View this message in context: http://metro.1045641.n5.nabble.com/Signature-algorithm-should-be-same-for-client-sts-and-service-tp5663537p5663537.html
> Sent from the Metro - Users mailing list archive at Nabble.com.

gchoi

RE: Signature algorithm should be same for client, sts and service?

>Can you do a message dump on the server and see what is being sent.
How do I turn on message dump on the sever side?

-----Original Message-----
From: kumarjayanti [mailto:[hidden email]]
Sent: Tuesday, April 24, 2012 9:24 AM
To: [hidden email]
Subject: Re: Signature algorithm should be same for client, sts and service?

It appears the client did not send a secure message here :
> Security Requirements not met - No
> Security header in message

Can you do a message dump on the server and see what is being sent.

On Apr 25, 2012, at 4:33 AM, gchoi wrote:

http://metro.1045641.n5.nabble.com/Signature-algorithm-should-be-same-for-cli
ent-sts-and-service-tp5663537p5663537.html
> Sent from the Metro - Users mailing list archive at Nabble.com.

gchoi

RE: Signature algorithm should be same for client, sts and service?

>Can you do a message dump on the server and see what is being sent.
>How do I turn on message dump on the sever side?

Following is server dump message. Does this mean that it couldn't find
service private key? I don't know where did serial number
14478695720124859712 come from? My service, client and sts don't have serial
number with that value.

Service PrivateKeyEntry
=============================

Alias name: myservicekey
Creation date: Apr 13, 2012
Entry type: trustedCertEntry

Owner: EMAILADDRESS=xxx@xxx, CN=servicecn, OU=xx, O=xxx, L=xxxx,
ST=massachusetts, C=US
Issuer: EMAILADDRESS=xxx@xxx, CN=servicecn, OU=xxx, O=xxx, L=xxxx,
ST=massachusetts, C=US
Serial number: c8eea90bc902c540
Valid from: Tue Apr 10 10:40:33 EDT 2012 until: Fri Apr 08 10:40:33 EDT 2022
Certificate fingerprints:
MD5: B2:76:5C:F9:41:52:45:FE:6D:EC:54:FC:5E:A5:EF:6C
SHA1: 8F:1B:17:A0:AB:6F:8B:C6:02:65:7F:7E:E5:15:9C:79:AE:AE:01:D5
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AC CA 43 29 11 D0 C3 BB 9A 2B 1B 30 F0 BA 8F 4D ..C).....+.0...M
0010: 8D E1 F4 43 ...C
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AC CA 43 29 11 D0 C3 BB 9A 2B 1B 30 F0 BA 8F 4D ..C).....+.0...M
0010: 8D E1 F4 43 ...C
]

]

Server dump
========================

Apr 25, 2012 12:22:37 PM
com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getPrivateKey
SEVERE: WSS0222: Unable to locate matching private key for
14478695720124859712:E=xxx@xxx,CN=servicecn,OU=xxx,O=xxx,L=xxxx,S=xxxx,C=US
using CallbackHandler.
Apr 25, 2012 12:22:37 PM
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor
processX509IssuerSerial
SEVERE: WSS1816: Error occurred while resolving Issuer Serial
javax.xml.crypto.KeySelectorException: com.sun.xml.wss.XWSSecurityException:
No Matching private key for serial number 14478695720124859712 and issuer
name E=XXX@XXX,CN=servicecn,OU=xxx,O=xxx,L=xxxx,S=xxxx,C=US found
at
com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial
(KeySelectorImpl.java:412)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.pr
ocessX509IssuerSerial(SecurityTokenProcessor.java:369)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.pr
ocessX509Data(SecurityTokenProcessor.java:292)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.re
solveReference(SecurityTokenProcessor.java:161)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processK
eyInfo(KeyInfoProcessor.java:152)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(K
eyInfoProcessor.java:132)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.process(EncryptedKey.j
ava:208)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.<init>(EncryptedKey.ja
va:131)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processK
eyInfo(KeyInfoProcessor.java:157)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(K
eyInfoProcessor.java:132)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.process(EncryptedData
.java:156)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.<init>(EncryptedData.
java:113)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHea
der(SecurityRecipient.java:458)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(Secu
rityRecipient.java:291)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(S
ecurityRecipient.java:241)
at
com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTube
Base.java:450)
at
com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTu
be.java:295)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:717)
at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:418)
at
com.sun.xml.ws.server.WSEndpointImpl.processAsync(WSEndpointImpl.java:364)
at
com.sun.xml.ws.server.WSEndpointImpl.process(WSEndpointImpl.java:370)
at
com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:519)
at
com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapt
er.java:206)
at
com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelega
te.java:159)
at
com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDeleg
ate.java:194)
at
com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationF
ilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCha
in.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.jav
a:225)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.jav
a:169)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.
java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:
118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Proces
sor.java:999)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Abstract
Protocol.java:565)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:3
07)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.jav
a:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:90
8)
at java.lang.Thread.run(Thread.java:662)
Caused by: com.sun.xml.wss.XWSSecurityException: No Matching private key for
serial number 14478695720124859712 and issuer name
E=xxxx@xxxx,CN=servicecn,OU=xxx,O=xxxx,L=xxxx,S=xxxx,C=US found
at
com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getPrivateKey(Defaul
tSecurityEnvironmentImpl.java:644)
at
com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial
(KeySelectorImpl.java:392)
... 46 more
Apr 25, 2012 12:22:37 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube
processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.XWSSecurityException: WSS1816: Error occurred while resolving
Issuer Serial
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.pr
ocessX509IssuerSerial(SecurityTokenProcessor.java:374)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.pr
ocessX509Data(SecurityTokenProcessor.java:292)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.re
solveReference(SecurityTokenProcessor.java:161)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processK
eyInfo(KeyInfoProcessor.java:152)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(K
eyInfoProcessor.java:132)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.process(EncryptedKey.j
ava:208)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.<init>(EncryptedKey.ja
va:131)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processK
eyInfo(KeyInfoProcessor.java:157)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(K
eyInfoProcessor.java:132)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.process(EncryptedData
.java:156)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.<init>(EncryptedData.
java:113)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHea
der(SecurityRecipient.java:458)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(Secu
rityRecipient.java:291)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(S
ecurityRecipient.java:241)
at
com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTube
Base.java:450)
at
com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTu
be.java:295)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:717)
at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:418)
at
com.sun.xml.ws.server.WSEndpointImpl.processAsync(WSEndpointImpl.java:364)
at
com.sun.xml.ws.server.WSEndpointImpl.process(WSEndpointImpl.java:370)
at
com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:519)
at
com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapt
er.java:206)
at
com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelega
te.java:159)
at
com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDeleg
ate.java:194)
at
com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationF
ilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCha
in.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.jav
a:225)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.jav
a:169)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.
java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:
118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Proces
sor.java:999)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Abstract
Protocol.java:565)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:3
07)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.jav
a:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:90
8)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.xml.crypto.KeySelectorException:
com.sun.xml.wss.XWSSecurityException: No Matching private key for serial
number 14478695720124859712 and issuer name
E=xxxx@xxxx,CN=servicecn,OU=xxx,O=xxx,L=xxx,S=xxxxx,C=US found
at
com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial
(KeySelectorImpl.java:412)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.pr
ocessX509IssuerSerial(SecurityTokenProcessor.java:369)
... 45 more
Caused by: com.sun.xml.wss.XWSSecurityException: No Matching private key for
serial number 14478695720124859712 and issuer name
E=xxx@xxx,CN=servicecn,OU=xxxx,O=xxx,L=xxxx,S=xxxx,C=US found
at
com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getPrivateKey(Defaul
tSecurityEnvironmentImpl.java:644)
at
com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial
(KeySelectorImpl.java:392)
... 46 more

-----Original Message-----
From: Gina Choi [mailto:[hidden email]]
Sent: Wednesday, April 25, 2012 9:57 AM
To: [hidden email]; [hidden email]
Subject: RE: Signature algorithm should be same for client, sts and service?

>Can you do a message dump on the server and see what is being sent.
How do I turn on message dump on the sever side?

-----Original Message-----
From: kumarjayanti [mailto:[hidden email]]
Sent: Tuesday, April 24, 2012 9:24 AM
To: [hidden email]
Subject: Re: Signature algorithm should be same for client, sts and service?

It appears the client did not send a secure message here :
> Security Requirements not met - No
> Security header in message

Can you do a message dump on the server and see what is being sent.

On Apr 25, 2012, at 4:33 AM, gchoi wrote:

http://metro.1045641.n5.nabble.com/Signature-algorithm-should-be-same-for-cli
ent-sts-and-service-tp5663537p5663537.html
> Sent from the Metro - Users mailing list archive at Nabble.com.

kumarjayanti

Re: Signature algorithm should be same for client, sts and service?

Hi,

Firstly this exception now seems different from the earlier exception that you sent. So did you change something in the client side wsit configuration ?.

To enable message dumping here is what you need to do in jvm-options

- Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true

It appears the client runtime picked up some certificate of the server which does not exist in the server's keystore.

On Apr 25, 2012, at 10:20 PM, Gina Choi wrote:

Can you do a message dump on the server and see what is being sent.
How do I turn on message dump on the sever side?

Following is server dump message. Does this mean that it couldn't find
service private key? I don't know where did serial number
14478695720124859712 come from? My service, client and sts don't have serial
number with that value.

Service PrivateKeyEntry
=============================

Alias name: myservicekey
Creation date: Apr 13, 2012
Entry type: trustedCertEntry

Owner: EMAILADDRESS=xxx@xxx, CN=servicecn, OU=xx, O=xxx, L=xxxx,
ST=massachusetts, C=US
Issuer: EMAILADDRESS=xxx@xxx, CN=servicecn, OU=xxx, O=xxx, L=xxxx,
ST=massachusetts, C=US
Serial number: c8eea90bc902c540
Valid from: Tue Apr 10 10:40:33 EDT 2012 until: Fri Apr 08 10:40:33 EDT 2022
Certificate fingerprints:
        MD5: B2:76:5C:F9:41:52:45:FE:6D:EC:54:FC:5E:A5:EF:6C
        SHA1: 8F:1B:17:A0:AB:6F:8B:C6:02:65:7F:7E:E5:15:9C:79:AE:AE:01:D5
        Signature algorithm name: SHA1withRSA
        Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AC CA 43 29 11 D0 C3 BB   9A 2B 1B 30 F0 BA 8F 4D ..C).....+.0...M
0010: 8D E1 F4 43                                        ...C
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AC CA 43 29 11 D0 C3 BB   9A 2B 1B 30 F0 BA 8F 4D ..C).....+.0...M
0010: 8D E1 F4 43                                        ...C
]

]

Server dump
========================

Apr 25, 2012 12:22:37 PM
com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getPrivateKey
SEVERE: WSS0222: Unable to locate matching private key for
14478695720124859712:E=xxx@xxx,CN=servicecn,OU=xxx,O=xxx,L=xxxx,S=xxxx,C=US
using CallbackHandler.
Apr 25, 2012 12:22:37 PM
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor
processX509IssuerSerial
SEVERE: WSS1816: Error occurred while resolving Issuer Serial
javax.xml.crypto.KeySelectorException: com.sun.xml.wss.XWSSecurityException:
No Matching private key for serial number 14478695720124859712 and issuer
name E=XXX@XXX,CN=servicecn,OU=xxx,O=xxx,L=xxxx,S=xxxx,C=US found
at
com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial
(KeySelectorImpl.java:412)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.pr
ocessX509IssuerSerial(SecurityTokenProcessor.java:369)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.pr
ocessX509Data(SecurityTokenProcessor.java:292)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.re
solveReference(SecurityTokenProcessor.java:161)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processK
eyInfo(KeyInfoProcessor.java:152)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(K
eyInfoProcessor.java:132)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.process(EncryptedKey.j
ava:208)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.<init>(EncryptedKey.ja
va:131)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processK
eyInfo(KeyInfoProcessor.java:157)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(K
eyInfoProcessor.java:132)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.process(EncryptedData
.java:156)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.<init>(EncryptedData.
java:113)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHea
der(SecurityRecipient.java:458)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(Secu
rityRecipient.java:291)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(S
ecurityRecipient.java:241)
at
com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTube
Base.java:450)
at
com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTu
be.java:295)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:717)
at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:418)
at
com.sun.xml.ws.server.WSEndpointImpl.processAsync(WSEndpointImpl.java:364)
at
com.sun.xml.ws.server.WSEndpointImpl.process(WSEndpointImpl.java:370)
at
com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:519)
at
com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapt
er.java:206)
at
com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelega
te.java:159)
at
com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDeleg
ate.java:194)
at
com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationF
ilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCha
in.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.jav
a:225)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.jav
a:169)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.
java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:
118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Proces
sor.java:999)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Abstract
Protocol.java:565)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:3
07)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.jav
a:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:90
8)
at java.lang.Thread.run(Thread.java:662)
Caused by: com.sun.xml.wss.XWSSecurityException: No Matching private key for
serial number 14478695720124859712 and issuer name
E=xxxx@xxxx,CN=servicecn,OU=xxx,O=xxxx,L=xxxx,S=xxxx,C=US found
at
com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getPrivateKey(Defaul
tSecurityEnvironmentImpl.java:644)
at
com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial
(KeySelectorImpl.java:392)
... 46 more
Apr 25, 2012 12:22:37 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube
processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.XWSSecurityException: WSS1816: Error occurred while resolving
Issuer Serial
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.pr
ocessX509IssuerSerial(SecurityTokenProcessor.java:374)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.pr
ocessX509Data(SecurityTokenProcessor.java:292)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.re
solveReference(SecurityTokenProcessor.java:161)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processK
eyInfo(KeyInfoProcessor.java:152)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(K
eyInfoProcessor.java:132)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.process(EncryptedKey.j
ava:208)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.<init>(EncryptedKey.ja
va:131)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processK
eyInfo(KeyInfoProcessor.java:157)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(K
eyInfoProcessor.java:132)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.process(EncryptedData
.java:156)
at
com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.<init>(EncryptedData.
java:113)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHea
der(SecurityRecipient.java:458)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(Secu
rityRecipient.java:291)
at
com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(S
ecurityRecipient.java:241)
at
com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTube
Base.java:450)
at
com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTu
be.java:295)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:717)
at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:418)
at
com.sun.xml.ws.server.WSEndpointImpl.processAsync(WSEndpointImpl.java:364)
at
com.sun.xml.ws.server.WSEndpointImpl.process(WSEndpointImpl.java:370)
at
com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:519)
at
com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapt
er.java:206)
at
com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelega
te.java:159)
at
com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDeleg
ate.java:194)
at
com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationF
ilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCha
in.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.jav
a:225)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.jav
a:169)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.
java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:
118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Proces
sor.java:999)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Abstract
Protocol.java:565)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:3
07)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.jav
a:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:90
8)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.xml.crypto.KeySelectorException:
com.sun.xml.wss.XWSSecurityException: No Matching private key for serial
number 14478695720124859712 and issuer name
E=xxxx@xxxx,CN=servicecn,OU=xxx,O=xxx,L=xxx,S=xxxxx,C=US found
at
com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial
(KeySelectorImpl.java:412)
at
com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.pr
ocessX509IssuerSerial(SecurityTokenProcessor.java:369)
... 45 more
Caused by: com.sun.xml.wss.XWSSecurityException: No Matching private key for
serial number 14478695720124859712 and issuer name
E=xxx@xxx,CN=servicecn,OU=xxxx,O=xxx,L=xxxx,S=xxxx,C=US found
at
com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getPrivateKey(Defaul
tSecurityEnvironmentImpl.java:644)
at
com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial
(KeySelectorImpl.java:392)
... 46 more

-----Original Message-----
From: Gina Choi [[hidden email]]
Sent: Wednesday, April 25, 2012 9:57 AM
To: [hidden email]; [hidden email]
Subject: RE: Signature algorithm should be same for client, sts and service?

Can you do a message dump on the server and see what is being sent.
How do I turn on message dump on the sever side?

-----Original Message-----
From: kumarjayanti [[hidden email]]
Sent: Tuesday, April 24, 2012 9:24 AM
To: [hidden email]
Subject: Re: Signature algorithm should be same for client, sts and service?

It appears the client did not send a secure message here :
Security Requirements not met - No
Security header in message

Can you do a message dump on the server and see what is being sent.

On Apr 25, 2012, at 4:33 AM, gchoi wrote:

Signature algorithm for my client and serivice certificate is
SHA1withRSA
while sts certificate is SHA256withRSA. It could be a problem? When
client
call service, it returns Invalid Security Header message. Client-STS-
Client
call looks good. I am using UserNameToken with symmetric key bindings.

Apr 24, 2012 6:03:55 PM com.sun.xml.wss.jaxws.impl.SecurityClientTube
processClientResponsePacket
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound
Message.
com.sun.xml.wss.XWSSecurityException: Security Requirements not met
- No
Security header in message
      at
com
.sun
.xml
.ws
.security
.opt
.impl
.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:925)
      at
com
.sun
.xml
.ws
.security
.opt
.impl
.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:
248)
      at
com
.sun
.xml
.wss
.jaxws
.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:450)
      at
com
.sun
.xml
.wss
.jaxws
.impl
.SecurityClientTube
.processClientResponsePacket(SecurityClientTube.java:434)
      at
com
.sun
.xml
.wss
.jaxws
.impl.SecurityClientTube.processResponse(SecurityClientTube.java:362)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:972)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
      at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
      at com.sun.xml.ws.client.Stub.process(Stub.java:429)
      at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:
168)
      at
com
.sun
.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:
119)
      at
com
.sun
.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:
102)
      at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
      at $Proxy40.doubleIt(Unknown Source)
      at client.WSClient.doubleIt(WSClient.java:76)
      at client.WSClient.main(WSClient.java:69)
Exception in thread "main" javax.xml.ws.WebServiceException:
WSSTUBE0025:
Error in Verifying Security in the Inbound Message.
      at
com
.sun
.xml
.wss
.jaxws
.impl
.SecurityClientTube
.processClientResponsePacket(SecurityClientTube.java:439)
      at
com
.sun
.xml
.wss
.jaxws
.impl.SecurityClientTube.processResponse(SecurityClientTube.java:362)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:972)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
      at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
      at com.sun.xml.ws.client.Stub.process(Stub.java:429)
      at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:
168)
      at
com
.sun
.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:
119)
      at
com
.sun
.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:
102)
      at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
      at $Proxy40.doubleIt(Unknown Source)
      at client.WSClient.doubleIt(WSClient.java:76)
      at client.WSClient.main(WSClient.java:69)
Caused by: javax.xml.ws.soap.SOAPFaultException: Invalid Security
Header
      at
com
.sun
.xml
.wss
.jaxws
.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:
696)
      at
com
.sun
.xml
.wss
.jaxws
.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:
714)
      ... 14 more
Caused by: com.sun.xml.wss.impl.WssSoapFaultException: Invalid
Security
Header
      at
com
.sun
.xml
.wss
.impl
.SecurableSoapMessage
.newSOAPFaultException(SecurableSoapMessage.java:349)
      at
com
.sun
.xml
.wss
.jaxws
.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:
710)
      ... 14 more

--
View this message in context:
http://metro.1045641.n5.nabble.com/Signature-algorithm-should-be-same-for-cli
ent-sts-and-service-tp5663537p5663537.html
Sent from the Metro - Users mailing list archive at Nabble.com.

gchoi

RE: Signature algorithm should be same for client, sts and service?

>Firstly this exception now seems different from the earlier exception that you sent. So did you change something in the client side wsit configuration ?.

Previous exception is from client side. The one that sent to you is from server side. I obtained it by setting com.sun.xml.ws.transport.http.HttpAdapter.dump=true.

>To enable message dumping here is what you need to do in jvm-options

>- Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true

I set Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true and result is same as setting com.sun.xml.ws.transport.http.HttpAdapter.dump=true.

>It appears the client runtime picked up some certificate of the server which does not exist in the server's keystore.

When the client send request to STS, I don’t see <X509SerialNumber>14478695720124859712</X509SerialNumber> in the request, but STS respond client with <X509SerialNumber>14478695720124859712</X509SerialNumber>. Service keystore doesn’t have serial number 14478695720124859712 that’s why exception was thrown. Is this an incompatibility issue between client and STS? Could you tell me how does STS get X509SecrialNmuber value of 14478695720124859712 ?

I listed both server and client log and server dump message.

1. Server dump

Apr 26, 2012 4:35:32 PM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getPrivateKey

SEVERE: WSS0222: Unable to locate matching private key for 14478695720124859712:E=[hidden email],CN=servicecn,OU=SCT,O=XXX,L=reading,S=massachusetts,C=US using CallbackHandler.

Apr 26, 2012 4:35:32 PM com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor processX509IssuerSerial

SEVERE: WSS1816: Error occurred while resolving Issuer Serial

javax.xml.crypto.KeySelectorException: com.sun.xml.wss.XWSSecurityException: No Matching private key for serial number 14478695720124859712 and issuer name E=[hidden email],CN=servicecn,OU=SCT,O=XXX,L=reading,S=massachusetts,C=US found

at com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial(KeySelectorImpl.java:412)

at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.processX509IssuerSerial(SecurityTokenProcessor.java:369)

at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.processX509Data(SecurityTokenProcessor.java:292)

at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.resolveReference(SecurityTokenProcessor.java:161)

at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processKeyInfo(KeyInfoProcessor.java:152)

at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(KeyInfoProcessor.java:132)

at com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.process(EncryptedKey.java:208)

at com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.<init>(EncryptedKey.java:131)

at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processKeyInfo(KeyInfoProcessor.java:157)

at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(KeyInfoProcessor.java:132)

at com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.process(EncryptedData.java:156)

at com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.<init>(EncryptedData.java:113)

at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:458)

at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:291)

at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:241)

at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:450)

at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)

at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)

at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)

at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)

at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:717)

at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:418)

at com.sun.xml.ws.server.WSEndpointImpl.processAsync(WSEndpointImpl.java:364)

at com.sun.xml.ws.server.WSEndpointImpl.process(WSEndpointImpl.java:370)

at com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:519)

at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:206)

at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)

at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194)

at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)

at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)

at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)

at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)

at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

at java.lang.Thread.run(Thread.java:662)

Caused by: com.sun.xml.wss.XWSSecurityException: No Matching private key for serial number 14478695720124859712 and issuer name E=[hidden email],CN=servicecn,OU=SCT,O=XXX,L=reading,S=massachusetts,C=US found

at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getPrivateKey(DefaultSecurityEnvironmentImpl.java:644)

at com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial(KeySelectorImpl.java:392)

... 46 more

Apr 26, 2012 4:35:32 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest

SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.

com.sun.xml.wss.XWSSecurityException: WSS1816: Error occurred while resolving Issuer Serial

at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.processX509IssuerSerial(SecurityTokenProcessor.java:374)