We Keep Coding

Enable TLSv1.2 Protocol in Mule ESB while hitting SOAP webservice request

I am consuming one service which only establishes the connection over TLSv1.2 protocol.
In SoapUI
-Dsoapui.https.protocols=TLSv1.2 :- This parameter works fine and able to get the response from the service in SOAP UI tool.
Need something similiar like above parameter on the mule ESB flow which allows my request to use TLSv1.2 protocol explicitly during proxing.
I am using Mule 3.7 CE & JDK 7. The message flow uses CXF proxies(cxf:proxy-service) to direct SOAP based requests over Https to the end client. When a request is sent to Mule it is throwing an exception as below.
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding: TLS is not enabled {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}HttpsToken {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179) ~[cxf-rt-ws-policy-2.7.15.jar:2.7.15]
Already tried enabling protocol through tls-default.conf file also adding system arguments and server arguments did not work.
Here is the snippet of wsdl using security policy -
<wsp:Policy wsu:Id="XYSPolicyID">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:TransportBinding>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Any help would be much appreciated !!

You can configure your cryptographic protocols and cipher suites I'm MULE_HOME/tls-default.conf

As stated in the previous reply, enabledProtocols=TLSv1.2 should do the trick.
If you continue having problems, you can use the following to troubleshoot:
Start Mule with the following flag -M-Djavax.net.debug=ssl:handshake:verbose
In that way you will be able to see the actual handshake process.
Another useful tool is TestSSLServer to determine supported protocols and cipher suites of the target system.
Also, you may consider installing the Java Cryptography Extension package.
HTH, Nahuel.

Importing wsdl using svcutil fails for security config

I try to access a java-webservice which uses ws-security (wsse). I tried to consume it using svcutil:
svcutil *.wsdl *.xsd /language:C# /tcv:Version35
This works well, but I get an error importing this block in wsdl-file
<wsp:Policy wsu:Id="myServiceRequestResponseSoapBindingPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken11/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
saying
An unsupported security policy assertion was detected
So this gets ignored.
As you may expect communicating with the service returns an error saying "unauthorized". The information I got from the webservice owner pointed out that my message contains no WSSecurity-part.
I found this thread svcutil getting stuck on usernameToken Policy but the policy seems to differ because I don't have any certificate. So I don't get anywhere on this path.
I installed WSE3 cos I had the impression I'd need it for something, but I'm quite unsure now if this is the case and how this needs to interact with my wcf-client.
Any suggestions appreciated, thank you.

Don't worry about that warning, the WSDL section is not relevant (you can even remove it). What you should have is a sample working SOAP request from a wroking client (e.g. Java) or from a sample of the vendor, with the security in it. Then you can configure your binding to support it. Just from the WSDL section you published you might want to try basicHttpBinding with security mode of TransportWithMessageCredential.

Googling for wcf and usernametoken brought me to this solution - it's so easy if you get the right search words...
http://weblog.west-wind.com/posts/2012/Nov/24/WCF-WSSecurity-and-WSE-Nonce-Authentication

How to write Simple Security in WSO2 ESB Using Security Policy's?

I wish to provide security to my Proxy using simple Username and password but my client has fixed request which is entirely different with what wso2esb policies provide Wso2 esb Support for Username Token authentication .I m also want to check just Username&Password.But the pain is my request is not meet to wso2 esb Username Token format.
Difference between messages what wso2 expecting ..
My Client Message is
<soapenv:Header>
<pr:authentication soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0" xmlns:pr="http://webservices.eeeee.com/ProxyService">
<pr:user>mw_ssp</pr:user>
<pr:password>MW_ssp003</pr:password>
</pr:authentication>
</soapenv:Header>
Actual message which wso2 esb expecting is
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-4">
<wsu:Created>2014-06-02T07:15:21Z</wsu:Created>
<wsu:Expires>2014-06-02T08:38:41Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>admin</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">byWKVY4stEATvTqaoNMswQ==</wsse:Nonce>
<wsu:Created>2014-06-02T07:15:21.304Z</wsu:Created>
</wsse:UsernameToken>
</wsse: >
</soapenv:Header>
I just want change Header as per the Username Token works.How would i achieve this
Any help much appreciated.
Thanks in Advance.

Setting up authentication for SSL protected WSIT / Metro web service and client

I'm kind of confused about setting up standard authentication for my SSL protected service. I have tried the HTTP header way, but that's non standard, and WS-I is important for me. It is possible to set up the Authentication Token to be Username on method level. This is the resulted BindingPolicy in the WSIT XML:
<wsp:Policy wsu:Id="DataStoreWSPortBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsam:Addressing wsp:Optional="false"/>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:TransportBinding>
<sp:Wss10/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="DataStoreWSPortBinding_hello_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
SvcUtil warnings:
<!-- WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'http://webServices/': -->
<!-- <wsdl:binding name='DataStoreWSPortBinding'> -->
<!-- <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">..</sp:SupportingTokens> -->
I want to set credentials in the WCF client via ClientCredentials and then authenticate on the service side via database. What are the steps to achieve that?

If you want to have standard way on transport level why don't you use HTTP Basic authentication? That is the common standardized authentication mechanism for HTTP protocol and it works with web services as well.
The error you got is most probably because of SupportingTokens assertion. Even it is correct assertion WCF doesn't support it. Try to use SignedSupportingTokens or SignedEncryptedSupportingTokens. If you are not able to modify your service to produce such WSDL you can even try to modify the WSDL you got manually.
What you meant by WS-I? There are multiple WS-I standards and some of them don't expect policies at all - just plain SOAP services where headers are described in WSDL directly.

How to encrypt WS-Addressing headers

Scenario: I am writing a WCF client to access a Java/Metro webservice which requires several SOAP headers to be signed and encrypted:
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body/>
<sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Namespace="... application specific headers ..."/>
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Namespace="... application specific headers ..."/>
</sp:EncryptedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
It works for the application specific headers (the ProtectionLevel attribute is applied on the respective proxy type members). The WS-Addressing headers, however, are signed but not encrypted.
I tried to add them programmatically to the ChannelProtectionRequirements message parts collection(s) through contract or endpoint behaviors (e.g. like described here). No success.
Any ideas how to do this?

Ok, sackcloth & ashes coming up. I'm not sure what went wrong in my tests, but it does work when I add the respective headers to the IncomingSignatureParts and IncomingEncryptionParts of the service endpoint through a contract behavior.