I am consuming one service which only establishes the connection over TLSv1.2 protocol.
In SoapUI
-Dsoapui.https.protocols=TLSv1.2 : this parameter works fine and I am able to get the response from the service in the SoapUI tool.
I need something similar to the above parameter in the Mule ESB flow which allows my request to use the TLSv1.2 protocol explicitly during proxying.
I am using Mule 3.7 CE & JDK 7. The message flow uses CXF proxies (cxf:proxy-service) to direct SOAP-based requests over HTTPS to the end client. When a request is sent to Mule it throws the exception below.
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding: TLS is not enabled {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}HttpsToken {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179) ~[cxf-rt-ws-policy-2.7.15.jar:2.7.15]
I already tried enabling the protocol through the tls-default.conf file; adding system arguments and server arguments did not work either.
Here is the snippet of wsdl using security policy -
<wsp:Policy wsu:Id="XYSPolicyID">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:TransportBinding>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Any help would be much appreciated!
You can configure your cryptographic protocols and cipher suites in MULE_HOME/tls-default.conf
As stated in the previous reply, enabledProtocols=TLSv1.2 should do the trick.
If you continue having problems, you can use the following to troubleshoot:
Start Mule with the following flag -M-Djavax.net.debug=ssl:handshake:verbose
In that way you will be able to see the actual handshake process.
Another useful tool is TestSSLServer to determine supported protocols and cipher suites of the target system.
Also, you may consider installing the Java Cryptography Extension package.
HTH, Nahuel.
Related
I try to access a java-webservice which uses ws-security (wsse). I tried to consume it using svcutil:
svcutil *.wsdl *.xsd /language:C# /tcv:Version35
This works well, but I get an error importing this block in the WSDL file
<wsp:Policy wsu:Id="myServiceRequestResponseSoapBindingPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken11/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
saying
An unsupported security policy assertion was detected
So this gets ignored.
As you may expect communicating with the service returns an error saying "unauthorized". The information I got from the webservice owner pointed out that my message contains no WSSecurity-part.
I found this thread svcutil getting stuck on usernameToken Policy but the policy seems to differ because I don't have any certificate. So I don't get anywhere on this path.
I installed WSE3 because I had the impression I'd need it for something, but I'm quite unsure now if this is the case and how this needs to interact with my WCF client.
Any suggestions appreciated, thank you.
Don't worry about that warning, the WSDL section is not relevant (you can even remove it). What you should have is a sample working SOAP request from a working client (e.g. Java) or from a sample of the vendor, with the security in it. Then you can configure your binding to support it. Just from the WSDL section you published you might want to try basicHttpBinding with security mode of TransportWithMessageCredential.
Googling for wcf and usernametoken brought me to this solution - it's so easy if you get the right search words...
http://weblog.west-wind.com/posts/2012/Nov/24/WCF-WSSecurity-and-WSE-Nonce-Authentication
I'm using Rampart as my WS-Security module over Axis2.
My policy XML file is below:
<wsp:Policy wsu:Id="UsernameToken"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:SupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient" />
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:passwordType>PasswordText</ramp:passwordType>
</ramp:RampartConfig>
</wsp:Policy>
It's working OK as shown in the below SOAP call:
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
<wsu:Created>2013-12-24T12:55:39.089Z</wsu:Created>
<wsu:Expires>2013-12-24T13:00:39.089Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2">
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
What I would like to do is configure the Created value so it is not necessarily bound to the server time, and also configure the duration between Created and Expires.
How can I do that?
Ok so I'm answering my own question.
It seems like there is no point in setting different timestamps as, per standards, the Timestamp should be sent in UTC format.
As for the TTL, this can be configured from the policy.xml file:
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:timestampTTL>600</ramp:timestampTTL>
<ramp:timestampMaxSkew>600</ramp:timestampMaxSkew>
</ramp:RampartConfig>
I will keep the thread open for a day or two to see if anyone else would like to present a different opinion.
Right now we have an issue concerning the duration between created and expires dates. It seems like the message is received on server after it expires, this is because server and client clocks have big differences (I mean more than 2 or 5 seconds) between each other. A workaround is to increase
<ramp:timestampTTL>600</ramp:timestampTTL>
<ramp:timestampMaxSkew>600</ramp:timestampMaxSkew>
This can be done by using the rampartConfig.setTimestampTTL and rampartConfig.setTimestampMaxSkew methods on the client side.
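The Created/Expires freshness check this thread is about, as an added example that is not taken from the posts or from Rampart: a sender emits the wsu:Timestamp with a time-to-live, and the receiver accepts it only within a clock-skew allowance. The ttl and max_skew parameters stand in for the timestampTTL and timestampMaxSkew settings discussed above, but the acceptance rules are a simplified model, not Rampart's or WSS4J's exact algorithm, and the dates are constructed from the thread's own sample header.

```python
"""Model of a WS-Security Timestamp exchange with a TTL on the sender and a clock-skew
allowance on the receiver. Added example; the rules are a simplified model, not Rampart's."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed: the receiver's clock, taken from the Created value in the thread's sample.
SERVER_NOW = datetime(2013, 12, 24, 12, 55, 39, 89000, tzinfo=timezone.utc)


def fmt(dt):
    """Render an aware datetime as UTC with millisecond precision, e.g. 2013-12-24T12:55:39.089Z."""
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


def parse(text):
    """Inverse of fmt(); the trailing Z means UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def build_timestamp(created, ttl_seconds):
    """Sender side: Created is the sender's clock, Expires is Created plus the TTL."""
    expires = created + timedelta(seconds=ttl_seconds)
    return (f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="Timestamp-1">'
            f"<wsu:Created>{fmt(created)}</wsu:Created>"
            f"<wsu:Expires>{fmt(expires)}</wsu:Expires>"
            "</wsu:Timestamp>")


def check_timestamp(xml_text, now, max_skew_seconds):
    """Receiver side. Accept only if Created is not more than max_skew in the future and
    Expires is not more than max_skew in the past, judged by the receiver's clock `now`.
    Returns (accepted, reason)."""
    root = ET.fromstring(xml_text)
    created = parse(root.findtext(f"{{{WSU}}}Created"))
    expires = parse(root.findtext(f"{{{WSU}}}Expires"))
    skew = timedelta(seconds=max_skew_seconds)
    if expires <= created:
        return False, "Expires is not after Created"
    if created > now + skew:
        return False, f"Created is {(created - now).total_seconds():.0f}s in the future"
    if expires < now - skew:
        return False, f"message expired {(now - expires).total_seconds():.0f}s ago"
    return True, "fresh"


def scenario(client_offset_seconds, ttl, max_skew):
    """Client clock runs `client_offset_seconds` ahead (negative: behind) of the server clock."""
    client_now = SERVER_NOW + timedelta(seconds=client_offset_seconds)
    return check_timestamp(build_timestamp(client_now, ttl), SERVER_NOW, max_skew)


if __name__ == "__main__":
    print("clocks in sync, ttl 300, skew 0:      ", scenario(0, 300, 0))
    print("client 700s behind, ttl 600, skew 0:  ", scenario(-700, 600, 0))
    print("client 700s behind, ttl 600, skew 600:", scenario(-700, 600, 600))
    print("client 700s ahead, ttl 600, skew 600: ", scenario(700, 600, 600))
```

The second scenario reproduces the symptom reported above: with the client clock 700 s behind the server, a 600 s TTL has already elapsed when the message arrives, so it is rejected even though it was just sent. Raising the skew allowance to 600 s accepts it, while a clock 700 s ahead is still rejected because Created lands beyond the allowance, so the skew setting bounds how far the two clocks may drift; keeping both hosts on NTP is the durable fix and the TTL/skew values are the tolerance around it.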
My WSDL says Asymmetric Binding, Initiator Token and Recipient Token. How can I generate a binary security token for both client and server? Can I implement this kind of security with only one private key?
Here is the wsdl
<sp:AsymmetricBinding>
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All>
<sp:InitiatorToken>
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All>
<sp:X509Token>
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All>
<sp:WssX509V3Token11/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</sp:X509Token>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All>
<sp:X509Token>
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All>
<sp:WssX509V3Token11/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</sp:X509Token>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All>
<sp:TripleDesRsa15/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</sp:AsymmetricBinding>
In case I make a custom binding with security element like this .
var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
I was able to generate a UsernameToken with none. This was the security element
var security = TransportSecurityBindingElement.CreateUserNameOverTransportBindingElement();
The Sample soap request uses these terms to describe the binary security tokens
....(eMedNY signed user MLS cert).....
.....( eMedNY MLS web-service end-point public cert).........
...nonce,.
I have the private key for the former. But does the server one need a private key? It is a public certificate. What should the security element be? Do I need two security elements, one for the binary security token and one for the UsernameToken?
Thank you
I'm kind of confused about setting up standard authentication for my SSL-protected service. I have tried the HTTP header way, but that's non-standard, and WS-I is important for me. It is possible to set up the Authentication Token to be Username on method level. This is the resulting BindingPolicy in the WSIT XML:
<wsp:Policy wsu:Id="DataStoreWSPortBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsam:Addressing wsp:Optional="false"/>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:TransportBinding>
<sp:Wss10/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="DataStoreWSPortBinding_hello_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
SvcUtil warnings:
<!-- WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'http://webServices/': -->
<!-- <wsdl:binding name='DataStoreWSPortBinding'> -->
<!-- <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">..</sp:SupportingTokens> -->
I want to set credentials in the WCF client via ClientCredentials and then authenticate on the service side via database. What are the steps to achieve that?
If you want a standard way at the transport level, why don't you use HTTP Basic authentication? That is the common standardized authentication mechanism for the HTTP protocol and it works with web services as well.
The error you got is most probably because of the SupportingTokens assertion. Even though it is a correct assertion, WCF doesn't support it. Try to use SignedSupportingTokens or SignedEncryptedSupportingTokens. If you are not able to modify your service to produce such a WSDL you can even try to modify the WSDL you got manually.
What do you mean by WS-I? There are multiple WS-I standards and some of them don't expect policies at all - just plain SOAP services where headers are described in the WSDL directly.
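Both the svcutil question earlier on this page ("An unsupported security policy assertion was detected") and the answer just above come down to reading the wsp:Policy tree and spotting which assertion the consumer cannot handle. The inspector below is an added example, not code from any post here or from WCF, CXF or Rampart: it normalises the wsp:Policy / wsp:All / wsp:ExactlyOne operators into alternatives, lists each assertion with the WS-SecurityPolicy namespace it comes from, and flags assertions a consumer is known not to accept. The only entry in the "unsupported" set is SupportingTokens, taken from the answer above; the two sample policies are constructed copies of the svcutil policy and of the Rampart policy from the timestamp question (trimmed), the latter chosen because it mixes the 2005/07 and 200702 namespaces in one document.

```python
"""Normalise a WS-Policy document into alternatives and report its WS-SecurityPolicy assertions.
Added example; standard library only. Optional assertions (wsp:Optional="true") are listed as-is
rather than expanded into extra alternatives."""
import xml.etree.ElementTree as ET

WSP_NS = {
    "http://www.w3.org/ns/ws-policy",                # WS-Policy 1.5
    "http://schemas.xmlsoap.org/ws/2004/09/policy",  # WS-Policy 1.2
}
SP_VERSIONS = {
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702": "WS-SecurityPolicy 1.2",
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy": "WS-SecurityPolicy 2005/07",
}
# From the answer above: svcutil ignores a plain SupportingTokens assertion and
# SignedSupportingTokens / SignedEncryptedSupportingTokens are suggested instead.
WCF_UNSUPPORTED = frozenset({"SupportingTokens"})

# Constructed sample: the policy from the svcutil question on this page.
SVCUTIL_POLICY = """<wsp:Policy wsu:Id="myServiceRequestResponseSoapBindingPolicy"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne><wsp:All>
    <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy><sp:WssUsernameToken11/></wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy>
    </sp:SupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed sample (trimmed): the Rampart policy from the timestamp question, which uses
# the 2005/07 namespace for TransportBinding and 200702 for SupportingTokens.
MIXED_NS_POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy><sp:IncludeTimestamp/></wsp:Policy>
    </sp:TransportBinding>
    <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <wsp:Policy><sp:UsernameToken/></wsp:Policy>
    </sp:SupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


def qname(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def alternatives(elem):
    """WS-Policy operators: Policy and All conjoin their children, ExactlyOne is a choice.
    Returns a list of alternatives, each a list of assertion elements."""
    ns, local = qname(elem.tag)
    if ns in WSP_NS and local in ("Policy", "All"):
        combined = [[]]
        for child in elem:
            combined = [a + b for a in combined for b in alternatives(child)]
        return combined
    if ns in WSP_NS and local == "ExactlyOne":
        return [alt for child in elem for alt in alternatives(child)]
    return [[elem]]  # anything else is an assertion


def describe(assertion, depth=0):
    """Render an assertion and its nested policy as indented 'Local [spec]' lines."""
    ns, local = qname(assertion.tag)
    lines = ["  " * depth + f"{local} [{SP_VERSIONS.get(ns, ns or 'no namespace')}]"]
    for child in assertion:
        cns, clocal = qname(child.tag)
        if cns in WSP_NS and clocal == "Policy":
            alts = alternatives(child)
            for j, alt in enumerate(alts, 1):
                if len(alts) > 1:
                    lines.append("  " * (depth + 1) + f"alternative {j}:")
                for nested in alt:
                    lines.extend(describe(nested, depth + 1))
        else:
            lines.extend(describe(child, depth + 1))
    return lines


def inspect_policy(xml_text, unsupported=frozenset()):
    """Return (report lines, top-level assertions in `unsupported`, SP namespaces in use)."""
    root = ET.fromstring(xml_text)
    report, flagged = [], []
    for i, alt in enumerate(alternatives(root), 1):
        report.append(f"alternative {i}:")
        for assertion in alt:
            if qname(assertion.tag)[1] in unsupported:
                flagged.append(qname(assertion.tag)[1])
            report.extend(describe(assertion, 1))
    sp_ns = {qname(el.tag)[0] for el in root.iter() if qname(el.tag)[0] in SP_VERSIONS}
    return report, flagged, sp_ns


if __name__ == "__main__":
    for name, doc in (("svcutil policy", SVCUTIL_POLICY), ("mixed-namespace policy", MIXED_NS_POLICY)):
        report, flagged, sp_ns = inspect_policy(doc, WCF_UNSUPPORTED)
        print(f"== {name} ==\n" + "\n".join(report))
        if flagged:
            print("not consumed by svcutil:", ", ".join(flagged))
        if len(sp_ns) > 1:
            print("warning: more than one WS-SecurityPolicy namespace in use:", sorted(sp_ns))
```

Running it lists the single alternative of each sample, flags SupportingTokens in both, and warns that the Rampart sample spans two WS-SecurityPolicy namespaces; a policy that yields zero alternatives (an empty wsp:ExactlyOne) is unsatisfiable, which is the shape of the CXF "policy alternatives can not be satisfied" error at the top of the page.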
Scenario: I am writing a WCF client to access a Java/Metro webservice which requires several SOAP headers to be signed and encrypted:
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body/>
<sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Namespace="... application specific headers ..."/>
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Namespace="... application specific headers ..."/>
</sp:EncryptedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
It works for the application specific headers (the ProtectionLevel attribute is applied on the respective proxy type members). The WS-Addressing headers, however, are signed but not encrypted.
I tried to add them programmatically to the ChannelProtectionRequirements message parts collection(s) through contract or endpoint behaviors (e.g. like described here). No success.
Any ideas how to do this?
Ok, sackcloth & ashes coming up. I'm not sure what went wrong in my tests, but it does work when I add the respective headers to the IncomingSignatureParts and IncomingEncryptionParts of the service endpoint through a contract behavior.