Re: WSE2005: Protection requirements in MutualCertificate11Asserti
- From: "Pablo Cibraro" <pcibraro@xxxxxxxxxxx>
- Date: Tue, 11 Jul 2006 16:58:08 -0400
Yes, but you have to restart the application because WSE keeps the policy in
a cache.
Now, you are having another problem.
Exception thrown: WSE2005: Protection
requirements in MutualCertificate11Assertion are not satisfied.">
The Web service is using different security requirements. (It is not signing
or encrypting some header).
Regards,
Pablo Cibraro.
"Chris Fink" <ChrisFink@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1BEBC7E1-FD10-46B0-B32C-7BE644C639CA@xxxxxxxxxxxxxxxx
I can change the wse3policyCache.config directly without recompiling the app,
right?
"Chris Fink" wrote:
Pablo,
I made the change to the policy file as noted, did an IISRESET for kicks,
and reran my client - still the same error (attached below). The odd thing
is notice this faultstring in the trace file:
<faultstring>Server unavailable, please try later</faultstring>. When I run
my client (which is a webservice), the response page is a browser page with
the following text, no reference to any kind
of HTTP status code.... Your solution makes perfect sense, I am not sure
why it is not working for me? Is it a possible firewall problem?
=====WEB PAGE RESPONSE ======
Microsoft.Web.Services3.ResponseProcessingException: WSE910: An error
happened during the processing of a response message, and you can find
the
error in the inner exception. You can also find the response message in
the
Response property. ---> Microsoft.Web.Services3.Security.SecurityFault:
WSE2005: Protection requirements in MutualCertificate11Assertion are not
satisfied.
at
Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientInputFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security, MessageProtectionRequirements response)
at
Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security)
at
Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope
envelope)
at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)
at
Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage
message, String messageContentType)
--- End of inner exception stack trace ---
at
Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage
message, String messageContentType)
at
Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage(SoapClientMessage
message, Int32 bufferSize)
at
System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage
message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
methodName, Object[] parameters)
at ApplicationMessagingWS.Dispatch(String messageType, String
correlationId, String messageBody, String userName, String
applicationName,
String instance, String postBackUrl)
at ConsumeDellMSS.Dispatch(String messageType, String correlationId,
String messageBody, String userName, String applicationName, String
instance,
String postBackUrl)
======POLICY FILE==============
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
<extensions>
<extension name="mutualCertificate11Security"
type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="x509"
type="Microsoft.Web.Services3.Design.X509TokenProvider,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="DellPolicy">
<mutualCertificate11Security establishSecurityContext="false"
renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
ttlInSeconds="300">
<clientToken>
<x509 storeLocation="LocalMachine" storeName="My"
findValue="CN=DellHBTClient" findType="FindBySubjectDistinguishedName" />
</clientToken>
<serviceToken>
<x509 storeLocation="LocalMachine" storeName="AddressBook"
findValue="E=webfarm@xxxxxxxx, CN=MSS Spore, OU=Information Technology,
O=Dell Inc., L=Austin, S=TX, C=US"
findType="FindBySubjectDistinguishedName"
/>
</serviceToken>
<protection>
<request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />
</protection>
</mutualCertificate11Security>
<requireActionHeader />
</policy>
</policies>
=======Trace================
<?xml version="1.0" encoding="utf-8"?>
<log>
<inputMessage utc="7/11/2006 7:59:07 PM">
<processingStep description="Unprocessed message">
<soap:Envelope
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsa:Action>http://schemas.xmlsoap.org/ws/2004/03/addressing/fault</wsa:Action>
<wsa:MessageID>uuid:e66736ab-9f7c-4922-8a5d-b35370631a16</wsa:MessageID>
<wsa:RelatesTo>uuid:ead7386e-e527-4185-9c06-725b9798b576</wsa:RelatesTo>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:To>
<wsse:Security>
<wsu:Timestamp
wsu:Id="Timestamp-e076efbe-3a08-41f2-9852-5ee6644fd9d8">
<wsu:Created>2006-07-11T20:00:45Z</wsu:Created>
<wsu:Expires>2006-07-11T20:05:45Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>Server unavailable, please try
later</faultstring>
<faultactor>http://ausicwfsit01.us.dell.com/mss/webservices/ApplicationMessagingWS.asmx</faultactor>
</soap:Fault>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientInputFilter"
/>
<processingStep description="Exception thrown: WSE2005: Protection
requirements in MutualCertificate11Assertion are not satisfied."> at
Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientInputFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security, MessageProtectionRequirements response)
at
Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security)
at
Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope
envelope)
at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)</processingStep>
</inputMessage>
</log>
"Pablo Cibraro" wrote:
Hi Chris,
I found the problem, it is related to the signature confirmation feature.
Below is the error message,
processor="Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientInputFilter"
description="Protection requirements not satisfied: signature
confirmation
is
not present or not protected properly" />
Your client application is expecting a signature confirmation but the
service is not sending it. You have to modify your client policy file to
turn off the signature confirmation. (It must be
requireSignatureConfirmation="false")
Let me know if that helps
Regards,
Pablo Cibraro.
"Chris Fink" <ChrisFink@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1205D5C6-032C-4F07-94D6-C74894E33923@xxxxxxxxxxxxxxxx
Hi Pablo,
Again, I appreciate your help. Following are the trace files:
InputTrace.webinfo
<?xml version="1.0" encoding="utf-8"?>
<log>
<inputMessage utc="7/11/2006 2:44:52 PM">
<processingStep description="Unprocessed message">
<soap:Envelope
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsa:Action>http://schemas.xmlsoap.org/ws/2004/03/addressing/fault</wsa:Action>
<wsa:MessageID>uuid:2772387a-eecc-4ed7-bffe-c582fc8299fe</wsa:MessageID>
<wsa:RelatesTo>uuid:d53e4ab6-386d-426d-96d6-1774a4c739f6</wsa:RelatesTo>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:To>
<wsse:Security>
<wsu:Timestamp
wsu:Id="Timestamp-6d2b27e9-fb3c-45a8-b169-fe1c529792a9">
<wsu:Created>2006-07-11T14:46:28Z</wsu:Created>
<wsu:Expires>2006-07-11T14:51:28Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>Server unavailable, please try
later</faultstring>
<faultactor>http://ausicwfsit01.us.dell.com/mss/webservices/ApplicationMessagingWS.asmx</faultactor>
</soap:Fault>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientInputFilter"
/>
<processingStep
processor="Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientInputFilter"
description="Protection requirements not satisfied: signature
confirmation
is
not present or not protected properly" />
<processingStep description="Exception thrown: WSE2005: Protection
requirements in MutualCertificate11Assertion are not satisfied.">
at
Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientInputFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security, MessageProtectionRequirements response)
at
Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security)
at
Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope
envelope)
at
Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)</processingStep>
</inputMessage>
</log>
OutputTrace.webinfo
<?xml version="1.0" encoding="utf-8"?>
<log>
<outputMessage utc="7/11/2006 2:44:51 PM"
messageId="urn:uuid:6e4a5893-db1a-47ef-aad2-1b2bae431280">
<processingStep description="Unprocessed message">
<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<Dispatch xmlns="http://mss.dell.com/webservices/">
<messageType>test</messageType>
<correlationId>test</correlationId>
<messageBody>test</messageBody>
<userName>test</userName>
<applicationName>test</applicationName>
<instance>test</instance>
<postBackUrl>test</postBackUrl>
</Dispatch>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientOutputFilter"
/>
<processingStep description="Exited SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientOutputFilter"
/>
<processingStep description="Processed message">
<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action
wsu:Id="Id-71145cba-ca5d-4781-be18-accf02bfc47e">http://mss.dell.com/webservices/Dispatch</wsa:Action>
<wsa:MessageID
wsu:Id="Id-f02a6698-e9ff-49da-bc70-c2268e051d70">urn:uuid:6e4a5893-db1a-47ef-aad2-1b2bae431280</wsa:MessageID>
<wsa:ReplyTo
wsu:Id="Id-c7982cf4-5295-4808-948b-6677f5a147b2">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To
wsu:Id="Id-2a54d179-0597-4ec2-90ba-d96d07963d78">http://ausicwfsit01.us.dell.com/mss/webservices/ApplicationMessagingWS.asmx</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp
wsu:Id="Timestamp-b81bea48-77ff-4bcd-b3ba-0a2514952b9c">
<wsu:Created>2006-07-11T14:44:51Z</wsu:Created>
<wsu:Expires>2006-07-11T14:49:51Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="SecurityToken-b9447a41-eee1-4c8a-adc4-2db925fc6ed2">MIIBcTCCAR+gAwIBAgIQkTbqUU/PS5pI2eMxsHhYwzAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTA2MDYyMjEzNTM1M1oXDTM5MTIzMTIzNTk1OVowGDEWMBQGA1UEAxMNRGVsbEhCVENsaWVudDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDbonpefL2fVkE+v/EApT+ZnpqD4iINrQNBkuQPr92nzy8X7wyaWb3elOj3jITQwK5Ponfg9v7asM0XmCF5NM6LAgMBAAGjSzBJMEcGA1UdAQRAMD6AEBLkCS0GHR1PAI1hIdwWZGOhGDAWMRQwEgYDVQQDEwtSb290IEFnZW5jeYIQBjdsAKoAZIoRz7jUqlw19DAJBgUrDgMCHQUAA0EAbrpSbv5fD/nuxJbODAkiQhjGZ8RCVs9isZaqHOPQTz4YfGiisjPsCj+bhB0ueBzoTrTU9xYN6i2QE2w4c6jTCA==</wsse:BinarySecurityToken>
<xenc:EncryptedKey
Id="SecurityToken-bd835689-3bda-498b-a2c8-5dfaefd7dc64"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
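The mismatch discussed in this thread can be checked offline by comparing the client policy's `<protection>` rules with what the received envelope actually carries. The following is an added example, not code from the thread or from WSE; `unmet_requirements` is a hypothetical helper, the two XML samples are trimmed from the policy file and input trace above, and the check only looks for the presence of the security elements (it does not verify signatures or which parts they cover).

```python
import xml.etree.ElementTree as ET

NS = {
    "p": "http://schemas.microsoft.com/wse/2005/06/policy",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed samples, trimmed from the policy file and input trace in the thread.
POLICY = """<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
 <policy name="DellPolicy">
  <mutualCertificate11Security requireSignatureConfirmation="false">
   <protection>
    <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
    <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
   </protection>
  </mutualCertificate11Security>
 </policy>
</policies>"""

FAULT = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <soap:Header><wsse:Security><wsu:Timestamp/></wsse:Security></soap:Header>
 <soap:Body><soap:Fault><faultcode>soap:Server</faultcode></soap:Fault></soap:Body>
</soap:Envelope>"""

def unmet_requirements(policy_xml, envelope_xml):
    """Presence-only check (a simplification): list requirements the message lacks."""
    assertion = ET.fromstring(policy_xml).find(".//p:mutualCertificate11Security", NS)
    env = ET.fromstring(envelope_xml)
    kind = "fault" if env.find("soap:Body/soap:Fault", NS) is not None else "response"
    rule = assertion.find(f"p:protection/p:{kind}", NS)
    sec = env.find("soap:Header/wsse:Security", NS)
    has = lambda tag: sec is not None and sec.find(tag, NS) is not None
    missing = []
    if rule.get("signatureOptions", "").strip() and not has("ds:Signature"):
        missing.append(f"{kind}: no ds:Signature for [{rule.get('signatureOptions')}]")
    if rule.get("encryptBody") == "true" and env.find("soap:Body/xenc:EncryptedData", NS) is None:
        missing.append(f"{kind}: body not encrypted")
    if assertion.get("requireSignatureConfirmation") == "true" and not has("wsse11:SignatureConfirmation"):
        missing.append(f"{kind}: no wsse11:SignatureConfirmation")
    return missing

if __name__ == "__main__":
    print("\n".join(unmet_requirements(POLICY, FAULT)))
```

Run against the fault from the trace, it reports the missing signature: the service returned an unsigned fault whose Security header holds only a Timestamp, while the client policy's `<fault>` rule asks for signed addressing headers, timestamp and body.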