2013-04-30 64 views
1

Signing with Apache Rampart using a JKS and the Binary Security Token key identifier

I have to call a web service provided by a customer (for that reason some of the information below is masked). I have been provided with a Java keystore containing the private key I need to use to generate the signature to include in the WSSecurity header of my request.

In addition, I have been sent a working SoapUI project that calls this service with the appropriate security configuration. The outgoing security configuration in soapUI sets the "Key Identifier Type" to "Binary Security Token".

I want to set up this call in a Java application using Apache Rampart. I noticed that there is no equivalent of the "Binary Security Token" key identifier in the OutflowSecurity configuration, so I tried the following. Here is the relevant snippet from my axis2.xml file:

<module ref="rampart" /> 
<parameter name="OutflowSecurity"> 
    <action> 
     <items>Signature</items> 
     <user>*******</user> 
     <passwordCallbackClass>*******.PWCBHandler</passwordCallbackClass> 
     <signaturePropFile>crypto.properties</signaturePropFile> 
     <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier> 
    </action> 
</parameter> 

Here are the contents of my crypto.properties file:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin 
org.apache.ws.security.crypto.merlin.keystore.type=jks 
org.apache.ws.security.crypto.merlin.file=C:/rampart/*****.jks 
org.apache.ws.security.crypto.merlin.keystore.alias=****** 
org.apache.ws.security.crypto.merlin.alias.password=********** 
org.apache.ws.security.crypto.merlin.keystore.password=********* (same as above) 

The problem is that when I try to execute the service with this configuration, I get the following error:

org.apache.axis2.AxisFault: Error during Signature: 
at org.apache.rampart.handler.WSDoAllSender.processMessage(WSDoAllSender.java:75) 
at org.apache.rampart.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:72) 
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) 
at org.apache.axis2.engine.Phase.invoke(Phase.java:313) 
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262) 
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:427) 
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:406) 
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229) 
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165) 
... (removed) 
Caused by: org.apache.ws.security.WSSecurityException: Error during Signature: 
at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:64) 
at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:202) 
at org.apache.rampart.handler.WSDoAllSender.processBasic(WSDoAllSender.java:212) 
at org.apache.rampart.handler.WSDoAllSender.processMessage(WSDoAllSender.java:72) 
... 13 more 
Caused by: org.apache.ws.security.WSSecurityException: Signature creation failed 
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:558) 
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:478) 
at org.apache.ws.security.message.WSSecSignature.build(WSSecSignature.java:384) 
at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:61) 
... 16 more 
Caused by: org.apache.ws.security.WSSecurityException: General security error (The private key for the supplied alias does not exist in the keystore) 
at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:725) 
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:501) 
... 19 more 
Caused by: java.security.UnrecoverableKeyException: Cannot recover key 
at sun.security.provider.KeyProtector.recover(Unknown Source) 
at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source) 
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source) 
at java.security.KeyStore.getKey(Unknown Source) 
at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:711) 
... 20 more 

I have tried all the different signatureKeyIdentifier options without any luck. Can anyone help me resolve this?

Thanks!

Answers

0

Fixed. I had the wrong username in my password callback handler. It could not find the password used to access the key. Thanks for your help. Sorry for the late reply. I had put this as a comment on the original question earlier.

2

I'm not sure about your overall configuration, but the obvious problem is that the alias you are using to load the key from the keystore is invalid. Maybe you are using the alias of some public key instead of the private one? When no alias is provided, Rampart uses the user as the alias, so I would make sure the user in the service configuration and the alias in the properties are set to the same value.

You can verify which one to use by listing the contents of the keystore with the keytool utility from the JDK:

JDK/bin/keytool -list -keystore path/to/keystore 

It should print something like:

alias1, 13-May-2013, trustedCertEntry, (public key only, used to verify signature) 
Certificate fingerprint (SHA1): ***** 
alias2, 13-May-2013, PrivateKeyEntry, (private/public key pair, used to sign messages) 
Certificate fingerprint (SHA1): ***** 
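To repeat the lookup described in this answer outside of Rampart, here is an added diagnostic (my own example, not code from the question, the answer, or the Rampart/WSS4J projects). It reads the property names from the question's crypto.properties, resolves the alias the way the answer describes (explicit alias property, otherwise the user), lists the entries as keytool does, and then tries to recover the private key with java.security.KeyStore.getKey, which is the call at the bottom of the question's stack trace. The third command-line argument stands in for whatever the password callback handler would return for that user; the tool does not load the handler itself, and the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.util.Collections;
import java.util.Properties;

/**
 * Added diagnostic (not Rampart or WSS4J code). Repeats the steps taken before
 * signing, using the property names from the question's crypto.properties.
 *
 * Usage: java KeystoreAliasCheck crypto.properties <user from axis2.xml> <key password>
 * The key password is what your PWCBHandler would return for that user (assumption:
 * the handler itself is not loaded here).
 */
public class KeystoreAliasCheck {

    static final String PREFIX = "org.apache.ws.security.crypto.merlin.";

    /** Outcome of the lookup, in the order the signing code would fail. */
    enum Result { NO_SUCH_ALIAS, NOT_A_KEY_ENTRY, WRONG_KEY_PASSWORD, OK }

    /** Resolve the alias as the answer describes: the alias property, else the user. */
    static String effectiveAlias(Properties props, String user) {
        String alias = props.getProperty(PREFIX + "keystore.alias");
        return (alias == null || alias.trim().isEmpty()) ? user : alias.trim();
    }

    /** The checks behind KeyStore.getKey, reported one at a time instead of as one exception. */
    static Result checkPrivateKey(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        if (!ks.containsAlias(alias)) {            // JKS aliases are case-insensitive
            return Result.NO_SUCH_ALIAS;
        }
        if (!ks.isKeyEntry(alias)) {               // trustedCertEntry: public key only, cannot sign
            return Result.NOT_A_KEY_ENTRY;
        }
        try {
            return ks.getKey(alias, keyPassword) instanceof PrivateKey
                    ? Result.OK : Result.NOT_A_KEY_ENTRY;
        } catch (UnrecoverableKeyException e) {    // the "Cannot recover key" in the stack trace
            return Result.WRONG_KEY_PASSWORD;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystoreAliasCheck <crypto.properties> <user> <key-password>");
            System.exit(2);
        }
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(args[0])) {
            props.load(in);
        }
        String user = args[1];
        char[] keyPassword = args[2].toCharArray();

        String type = props.getProperty(PREFIX + "keystore.type", "jks").toUpperCase();
        String file = props.getProperty(PREFIX + "file");
        String storePassword = props.getProperty(PREFIX + "keystore.password", "");

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            // A wrong keystore password fails here with an IOException, which is a
            // different failure from the one in the question (the store did open there).
            ks.load(in, storePassword.toCharArray());
        }

        // Equivalent of the keytool -list output shown in the answer.
        System.out.println("Entries in " + file + ":");
        for (String a : Collections.list(ks.aliases())) {
            System.out.println("  " + a + "  " + (ks.isKeyEntry(a) ? "PrivateKeyEntry" : "trustedCertEntry"));
        }

        String alias = effectiveAlias(props, user);
        if (!alias.equalsIgnoreCase(user)) {
            System.out.println("note: keystore.alias '" + alias + "' differs from OutflowSecurity user '" + user + "'");
        }
        Result r = checkPrivateKey(ks, alias, keyPassword);
        System.out.println("alias '" + alias + "': " + r);
        System.exit(r == Result.OK ? 0 : 1);
    }
}
```

Run it against the same crypto.properties and the same user that axis2.xml uses. NO_SUCH_ALIAS or NOT_A_KEY_ENTRY points at the alias/user mismatch this answer describes; WRONG_KEY_PASSWORD reproduces the UnrecoverableKeyException from the question, which is what a callback handler that returns the password for the wrong username produces.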
1

Questions:

1. Do we need any other configuration besides the policy file?
2. If so, we need to add it.
3. Can you check whether the policy file is suitable for the requirement of using a binary security token?

 <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> 
      <ramp:user>***</ramp:user> 
      <ramp:passwordCallbackClass>com.sosnoski.ws.library.adb.PWCBHandler</ramp:passwordCallbackClass> 

      <ramp:signatureCrypto> 
       <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> 
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> 
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">com/sosnoski/ws/library/adb/***.jks</ramp:property> 
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">******</ramp:property> 
       </ramp:crypto> 
      </ramp:signatureCrypto> 
     </ramp:RampartConfig> 
    </wsp:All> 
</wsp:ExactlyOne> 
