Re: WS-Security interoperability with Websphere 5.1 and .NET WSE

From: Jorge Balderas (jorgerbf_at_NO_SPAM.hotmail.com)
Date: 03/24/04


Date: Tue, 23 Mar 2004 21:52:09 -0500

Thanks Bill for your post, I didn't see your message until now in Google,
apparently it didn't make it all the way through the ibm news server.

I'm using WSE 2.0 (I also tried WSE 1.0 sp1). I tried setting the
mustUnderstand tag to false programmatically as follows:

ws.RequestSoapContext.Security.MustUnderstand = false;

However this didn't seem to really set the mustUnderstand attribute to false
in the output SOAP request (I successfully used this approach to disable
WS-Addressing which is not supported by WAS)... do you know of another way
of removing this tag?

Additionally, WSE 2.0 apparently allows you to override the default schema
through the web.config file by adding these tags:

<microsoft.web.services>
    <protocols>
        <security version="http://schemas.xmlsoap.org/ws/2003/06/secext" />
        <timestamp version="http://schemas.xmlsoap.org/ws/2003/06/utility" />
    </protocols>
</microsoft.web.services>

This does work in the sense that the outgoing SOAP request shows the
namespaces I entered in the config file, but it doesn't seem to really be
working, since WAS still complains about the body not being signed. If you
have any other suggestions or input I would appreciate them, I'm somewhat
surprised not to see much activity around this topic.

Thanks in advance,

Jorge

> From: billylo@yahoo.com (Billy Lo)
> Date: 12 Feb 2004 11:54:58 -0800
>
> Hi, Jorge, which version of WSE are you using?
>
> If you are using WSE 1.0sp1, then you will have to disable the
> mustUnderstand tag on your .NET request. WAS502 and WAS51 support a later
> version of the WS-Security schema.
>
> WAS http://schemas.xmlsoap.org/ws/2003/06/secext
> .NET http://schemas.xmlsoap.org/ws/2002/07/secext
>
> The problem is that mustUnderstand is turned on by default. With .NET, you
> can programmatically remove the mustUnderstand tag. But, this is a bigger
> problem when you need to get .NET to accept WAS signed messages because you
> have no control over the mustUnderstand tag on the WebSphere side.
>
> Hope this helps.
>
> Billy.
>
>

"Jorge Balderas" <jorgerbf@hotmail.com> wrote in message
news:Oz6v1iS6DHA.712@tk2msftngp13.phx.gbl...
> I'm trying to consume a Websphere 5.1 web service (created using Websphere
> Studio Application Developer 5.1.1) with a .NET framework 1.1 client (using
> WSE).
> I'm getting a SOAP Fault exception from the Websphere web service with
> this error:
>
> com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5061E: The SOAP Body is not signed.; null
> at com.ibm.wsspi.wssecurity.SoapSecurityException.format(SoapSecurityException.java:180)
> at com.ibm.xml.soapsec.dsig.SignedPartChecker.invoke(SignedPartChecker.java:83)
>
> Having enabled the trace option in WSE I'm able to see that the body is
> signed in the SOAP request:
>
> <soap:Body wsu:Id="Id-d0c42bcd-5c59-4e1c-b78d-1560e0c5ad42"
> xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
> <getArray xmlns="..." />
> </soap:Body>
>
> Just to make sure, I added the "IncludeSoapBody" option to the
> SignatureOptions of the signature to my code...
>
> Microsoft.Web.Services.Security.Signature sig = new
> Signature(signatureToken);
> sig.SignatureOptions = SignatureOptions.IncludeSoapBody;
> soapRequestContext.Security.Elements.Add(sig);
>
> To discard that I was getting a wrong error message (i.e. invalid signature
> vs. body not signed), in WSAD, on the Web Services Editor (webservices.xml),
> in the Binding Configuration, inside the Signing Information of the Request
> Receiver Binding Configuration Details, I chose the option to trust any
> certificate, but still received the same error.
>
> I created a sample web service client on Websphere to see what a valid
> signed message would look like, and I didn't see any outstanding difference
> between the use of WS-Security in both.
>
> It seems to me that the problem is that the Websphere Web service is not
> trusting my certificate. I tried exporting the default certificate store
> used by the Websphere web service (in a file named intca2.cer) and have the
> .NET client use that certificate to sign the message, but then I lose the
> ability to sign the message because I do not have the private key. I tried
> using IBM's KeyMan tool to add my certificate to its certificate store, but
> I was not successful, since the certificate's private key I'm using I believe
> is somewhere stored in the windows registry, while IBM's certificates are
> usually in the file system having their private key protected by a password.
>
> If someone has been successful at getting this to work I would appreciate
> any suggestions.
>
> Thanks,
> Jorge Balderas
>
>
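
The following is an added example, not part of the thread or of WSE/WebSphere: a small Python check that reads a captured request and reports which WS-Security and utility namespace versions it carries, the mustUnderstand value, and whether a signature reference points at the Body's Id, compared against the 2003/06 namespaces the thread lists for WAS. The sample envelope, its Id value and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Namespace versions the thread lists for WAS (values taken from the posts above).
WAS_SECEXT = "http://schemas.xmlsoap.org/ws/2003/06/secext"
WAS_UTILITY = "http://schemas.xmlsoap.org/ws/2003/06/utility"

# Constructed sample standing in for a WSE trace entry (signature values omitted).
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1"
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo><Reference URI="#Id-body-1"/></SignedInfo>
      </Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Id-body-1"
      xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
    <getArray xmlns="urn:example"/>
  </soap:Body>
</soap:Envelope>"""

def split(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local

def inspect_envelope(xml_text, secext=WAS_SECEXT, utility=WAS_UTILITY):
    """Report what the request carries and where it differs from the expected versions."""
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{SOAP}}}Header")
    body = root.find(f"{{{SOAP}}}Body")
    sec = None
    if header is not None:
        sec = next((e for e in header if split(e.tag)[1] == "Security"), None)
    attrs = body.attrib if body is not None else {}
    ids = {split(k)[0]: v for k, v in attrs.items() if split(k)[1] == "Id"}
    refs = {r.get("URI", "") for r in root.iter(f"{{{DSIG}}}Reference")}
    report = {
        "security_ns": split(sec.tag)[0] if sec is not None else None,
        "must_understand": sec.get(f"{{{SOAP}}}mustUnderstand") if sec is not None else None,
        "body_id_ns": sorted(ids),
        "body_referenced": any("#" + v in refs for v in ids.values()),
    }
    expected = {"security_ns": secext, "body_id_ns": [utility]}
    report["mismatches"] = [k for k, v in expected.items() if report[k] != v]
    return report
```

Running `inspect_envelope` on the trace before and after the web.config change shows whether both the Security header and the Body's Id attribute actually moved to the expected namespace versions.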


