Resnicow, Bill
2017-03-17 17:31:04 UTC
Hello all,
I have this problem when upgrading from Axis2/Rampart 1.6.0 to Axis2/Rampart 1.7.4. Our security provider is NSS which is the FIPS compliant PKCS11 certificate keystore. This worked fine with Axis2/Rampart 1.6.0 but with 1.7.4 it does not work. The problem is that when trying to create a message signature for a SOAP message, Rampart fails to read the signing certificate from the PKCS11 certificate database. The exception is below.
Does anyone have any insight about this problem? It might be in Axis/Rampart or WSS4J which was upgraded from 1.5.11 to 1.6.16.
I tried changing the Rampart configuration to use a JKS keystore instead of the PKCS11 keystore and then it worked properly.
The following exception occurs when processing an outbound SOAP message response, trying to create a signature part in the header. See the 'Caused by' at the end.
03-15-2017 13:50:05,617 ERROR [org.apache.axis2.receivers.AbstractMessageReceiver] (Axis2 Task) Error in signature with X509Token: org.apache.axis2.AxisFault: Error in signature with X509Token
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:335) [axis2-kernel-1.7.4.jar:1.7.4]
at org.apache.axis2.engine.Phase.invoke(Phase.java:308) [axis2-kernel-1.7.4.jar:1.7.4]
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:250) [axis2-kernel-1.7.4.jar:1.7.4]
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:415) [axis2-kernel-1.7.4.jar:1.7.4]
at org.apache.axis2.receivers.RawXMLINOutMessageReceiver.invokeBusinessLogic(RawXMLINOutMessageReceiver.java:121) [axis2-kernel-1.7.4.jar:1.7.4]
at org.apache.axis2.receivers.AbstractMessageReceiver$AsyncMessageReceiverWorker.run(AbstractMessageReceiver.java:229) [axis2-kernel-1.7.4.jar:1.7.4]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_92]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_92]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_92]
Caused by: org.apache.rampart.RampartException: Error in signature with X509Token
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:343) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:250) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:760) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:417) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:88) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65) [rampart-core-1.7.0.jar:1.7.0]
... 9 more
Caused by: org.apache.ws.security.WSSecurityException: General security error (No certificates for user <myusername> were found for signature)
at org.apache.ws.security.message.WSSecSignature.getSigningCerts(WSSecSignature.java:796) [wss4j-1.6.16.jar:1.6.16]
at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:169) [wss4j-1.6.16.jar:1.6.16]
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:340) [rampart-core-1.7.0.jar:1.7.0]
... 15 more
Our Rampart configuration is as follows;
org.apache.ws.security.crypto.merlin.keystore.provider = SunPKCS11-NSSfips
org.apache.ws.security.crypto.merlin.cert.provider = (blank)
org.apache.ws.security.crypto.merlin.load.cacerts = false
org.apache.ws.security.crypto.merlin.keystore.type=PKCS11
cryptoConfigProvider = org.apache.ws.security.components.crypto.Merlin
Thanks
Bill R
I have this problem when upgrading from Axis2/Rampart 1.6.0 to Axis2/Rampart 1.7.4. Our security provider is NSS which is the FIPS compliant PKCS11 certificate keystore. This worked fine with Axis2/Rampart 1.6.0 but with 1.7.4 it does not work. The problem is that when trying to create a message signature for a SOAP message, Rampart fails to read the signing certificate from the PKCS11 certificate database. The exception is below.
Does anyone have any insight about this problem? It might be in Axis/Rampart or WSS4J which was upgraded from 1.5.11 to 1.6.16.
I tried changing the Rampart configuration to use a JKS keystore instead of the PKCS11 keystore and then it worked properly.
The following exception occurs when processing an outbound SOAP message response, trying to create a signature part in the header. See the 'Caused by' at the end.
03-15-2017 13:50:05,617 ERROR [org.apache.axis2.receivers.AbstractMessageReceiver] (Axis2 Task) Error in signature with X509Token: org.apache.axis2.AxisFault: Error in signature with X509Token
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:335) [axis2-kernel-1.7.4.jar:1.7.4]
at org.apache.axis2.engine.Phase.invoke(Phase.java:308) [axis2-kernel-1.7.4.jar:1.7.4]
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:250) [axis2-kernel-1.7.4.jar:1.7.4]
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:415) [axis2-kernel-1.7.4.jar:1.7.4]
at org.apache.axis2.receivers.RawXMLINOutMessageReceiver.invokeBusinessLogic(RawXMLINOutMessageReceiver.java:121) [axis2-kernel-1.7.4.jar:1.7.4]
at org.apache.axis2.receivers.AbstractMessageReceiver$AsyncMessageReceiverWorker.run(AbstractMessageReceiver.java:229) [axis2-kernel-1.7.4.jar:1.7.4]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_92]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_92]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_92]
Caused by: org.apache.rampart.RampartException: Error in signature with X509Token
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:343) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:250) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:760) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:417) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:88) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147) [rampart-core-1.7.0.jar:1.7.0]
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65) [rampart-core-1.7.0.jar:1.7.0]
... 9 more
Caused by: org.apache.ws.security.WSSecurityException: General security error (No certificates for user <myusername> were found for signature)
at org.apache.ws.security.message.WSSecSignature.getSigningCerts(WSSecSignature.java:796) [wss4j-1.6.16.jar:1.6.16]
at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:169) [wss4j-1.6.16.jar:1.6.16]
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:340) [rampart-core-1.7.0.jar:1.7.0]
... 15 more
Our Rampart configuration is as follows;
org.apache.ws.security.crypto.merlin.keystore.provider = SunPKCS11-NSSfips
org.apache.ws.security.crypto.merlin.cert.provider = (blank)
org.apache.ws.security.crypto.merlin.load.cacerts = false
org.apache.ws.security.crypto.merlin.keystore.type=PKCS11
cryptoConfigProvider = org.apache.ws.security.components.crypto.Merlin
Thanks
Bill R