Thursday, June 30, 2011

Error - No certificates found in the LDAP directory

Our organization upgraded its PKI environment recently, and since then the secure web services no longer work, failing with the following error message.

Failed to derive subject from
token.javax.security.auth.login.LoginException:
[Security:090377]Identity Assertion Failed,
weblogic.security.spi.IdentityAssertionException:
[Security:090377]Identity Assertion Failed,
weblogic.security.spi.IdentityAssertionException: [Security:090833]No certificates found in the LDAP directory.

We enabled the security trace by adding the following parameters to the WebLogic server startup script: "-Dweblogic.security.verbose=* -Djava.security.verbose=* -Dweblogic.wsee.verbose=*"
The log shows that encryption and signature validation both passed successfully; the error occurs right after those validations.

Then we enabled the WebLogic server debug flags for security and traced the LDAP lookup query. It turned out that our LDAP X509 Identity Assertion Provider in WebLogic was configured to expect "userCertificate;binary", which does not seem to be supported by our new PKI environment.

After changing "userCertificate;binary" to "userCertificate", the secure web services are working again.
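The mismatch above is easy to reproduce offline. The following is an added example, not code from the original post: a minimal LDIF parser plus a lookup that models how an identity asserter resolves an attribute description such as "userCertificate;binary". In LDAP, ";binary" is an attribute option (RFC 4512 section 2.5, RFC 4522) rather than a different attribute, and a directory that does not implement the option exposes the certificate under the bare name "userCertificate" only. The two LDIF entries, the DN and the base64 value are constructed for the example (the value is a placeholder DER prefix, not a real certificate), and the `server_supports_binary_option` flag is an assumption that stands in for the old and new PKI directories.

```python
import base64

# Constructed LDIF for the same entry as exported by two directories: one that
# labels the attribute with the ";binary" option, one that does not.
# The base64 value is a placeholder (a DER SEQUENCE prefix), not a real certificate.
LDIF_OLD_PKI = """\
dn: cn=svc-ws,ou=services,dc=example,dc=com
cn: svc-ws
userCertificate;binary:: MIIBzDCCAXagAwIBAgI=
"""

LDIF_NEW_PKI = """\
dn: cn=svc-ws,ou=services,dc=example,dc=com
cn: svc-ws
userCertificate:: MIIBzDCCAXagAwIBAgI=
"""


def parse_ldif(text):
    """Minimal LDIF (RFC 2849 subset) parser: 'attr: value' and 'attr:: base64'.
    Returns {attribute description as written: [values as bytes]}."""
    entry = {}
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):  # '::' marks a base64-encoded value
            decoded = base64.b64decode(value[1:].strip())
        else:
            decoded = value.strip().encode()
        entry.setdefault(name.strip(), []).append(decoded)
    return entry


def parse_attribute_description(desc):
    """Split 'userCertificate;binary' into ('usercertificate', {'binary'}).
    Attribute types and options are case-insensitive."""
    parts = desc.split(";")
    return parts[0].strip().lower(), {p.strip().lower() for p in parts[1:] if p.strip()}


def certificate_attribute_names(entry):
    """Which attribute descriptions the directory actually uses for userCertificate.
    This is the first thing to check when the asserter reports no certificates."""
    return [d for d in entry if parse_attribute_description(d)[0] == "usercertificate"]


def find_certificates(entry, requested, server_supports_binary_option):
    """Model the asserter's lookup of `requested` against a directory entry.

    With binary-option support, ';binary' only selects the transfer encoding, so
    'userCertificate;binary' and 'userCertificate' name the same attribute.
    Without it, the option makes the request an attribute description the entry
    does not carry, which is the 'No certificates found' symptom from the post."""
    want_type, want_opts = parse_attribute_description(requested)
    found = []
    for stored_desc, values in entry.items():
        stored_type, stored_opts = parse_attribute_description(stored_desc)
        if stored_type != want_type:
            continue
        if server_supports_binary_option:
            if want_opts - {"binary"} == stored_opts - {"binary"}:
                found.extend(values)
        elif want_opts == stored_opts:
            found.extend(values)
    return found


def looks_like_der(value):
    """A DER-encoded certificate starts with a SEQUENCE tag (0x30); a PEM string
    ('-----BEGIN') stored in the attribute would fail the asserter as well."""
    return len(value) > 2 and value[0] == 0x30


if __name__ == "__main__":
    new_pki = parse_ldif(LDIF_NEW_PKI)
    print("attribute names in new directory:", certificate_attribute_names(new_pki))
    print("lookup userCertificate;binary :", find_certificates(new_pki, "userCertificate;binary", False))
    print("lookup userCertificate        :", find_certificates(new_pki, "userCertificate", False))
```

Against a real directory the equivalent check is an ldapsearch for the user's entry requesting both attribute descriptions and comparing which one comes back; whichever the directory answers with is the name the identity asserter must be configured with.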


Also please check my new web site Scan2D QR Code Mobile Solution


Working on some free QR Code solution recently.
https://www.ibm.com/developerworks/community/blogs/70d4c7ae-7b21-490d-b6f2-5fdbaa1dbcd5/entry/5_BENEFITS_OF_QR_CODES_FOR_SMALL_BUSINESS?lang=en

Monday, May 10, 2010

Weblogic web services security -- java.lang.ClassNotFoundException: weblogic.wsse.security.bst.ServerBSTCredentialProvider

An exception occurred today when we were deploying the web services to our QC environment:
java.lang.ClassNotFoundException: weblogic.wsse.security.bst.ServerBSTCredentialProvider

weblogic.wsse.security.bst.ServerBSTCredentialProvider

at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:169)
at weblogic.wsee.security.configuration.WssConfiguration.createInstance(WssConfiguration.java:411)
at weblogic.wsee.security.configuration.WssConfiguration.createInstancesFromMBean(WssConfiguration.java:404)
at weblogic.wsee.security.configuration.WssConfiguration.init(WssConfiguration.java:126)
at weblogic.wsee.security.configuration.WssConfiguration.getSupprotedTokens(WssConfiguration.java:182)
at weblogic.wsee.security.policy.SecurityPolicyCustomizer.init(SecurityPolicyCustomizer.java:56)
at weblogic.wsee.security.policy.SecurityPolicyCustomizer.process(SecurityPolicyCustomizer.java:75)
at weblogic.wsee.policy.runtime.PolicyServer.processAssertions(PolicyServer.java:199)
at weblogic.wsee.policy.runtime.PolicyFinder.readPolicyFromStream(PolicyFinder.java:99)
at weblogic.wsee.policy.runtime.PolicyFinder.loadPolicies(PolicyFinder.java:179)
at weblogic.wsee.policy.runtime.PolicyFinder.loadPolicesFromZip(PolicyFinder.java:200)

I was very sure that the class is in weblogic.jar, so I enabled class loader logging by adding "-verbose:class" as a JVM argument, and it did in fact load the class from weblogic.jar.
After further investigation, and more than ten rounds of redeploying and reconfiguring, WebLogic eventually gave a useful error message: it could not find the key alias to establish the SSL connection. So I went back to the Server -> Key Store and SSL tab and guessed that our lovely Miss WebLogic Admin had forgotten to specify the SSL key alias [our web services are protected by message-level security plus SSL, please do not ask me why :-(].

So I am noting this exception here; in case you see the same error message, go check your configuration first!




Monday, April 26, 2010

Disable stack traces in web services SOAP Fault message

Don't want to show exception stack traces in web service SOAP faults? Add this to the JVM arguments:
-Dcom.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace=false

Enable weblogic web services security verbose

To enable web service security verbose output in WebLogic server, specify the JVM argument -Dweblogic.wsee.verbose=* . It works on both the server and the client side.

Monday, April 19, 2010

Web Services STR-Transform: an interoperability problem between WCF and WebLogic 10.3

An error message occurred when trying to connect a .NET client to a secure web service on WebLogic 10.3:
System.Security.Cryptography.CryptographicException: Unsupported transform or canonicalization algorithm.
This thread, http://forums.java.net/jive/thread.jspa?messageID=321019, explains the reason and the cause.
To fix this, simply remove the "<sp:ProtectTokens>" tag from the policy file.
-- Unzip weblogic.jar
-- Look for a policy file, e.g. Wssp1.2-Wss1.1-X509-Basic256.xml
-- Remove the "<sp:ProtectTokens>" tag
-- Save it under another name (say, Wssp1.2-Wss1.1-X509-Basic256-Token.xml) in your war file's /WEB-INF/classes/policies folder
-- Then refer to it as @Policy(uri = "policy:Wssp1.2-Wss1.1-X509-Basic256-Token.xml")
-- Then enjoy the rest of the day.
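The edit in the steps above can be done by hand, but doing it with a parser makes it easy to confirm that exactly one assertion was removed and that the rest of the policy is untouched. The following is an added example, not code from the original post or from WebLogic: it strips every ProtectTokens assertion from a WS-SecurityPolicy document and reports how many it removed. The policy fragment is constructed to resemble a WebLogic Wssp1.2 X509 policy, and the namespace URIs in it are assumptions (the 2007 WS-SecurityPolicy 1.2 and WS-Policy namespaces); the matcher works on the element's local name, so it does not depend on which sp: namespace version the real file in weblogic.jar uses.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces for the constructed sample; the real WebLogic policy file
# may use a different WS-SecurityPolicy namespace version.
WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Keep the wsp:/sp: prefixes on output instead of ElementTree's generated ns0:/ns1:.
ET.register_namespace("wsp", WSP_NS)
ET.register_namespace("sp", SP_NS)

# Constructed policy fragment in the shape of an X509 asymmetric-binding policy.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP_NS}" xmlns:sp="{SP_NS}">
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:IncludeTimestamp/>
      <sp:ProtectTokens/>
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy>
  </sp:AsymmetricBinding>
</wsp:Policy>
"""


def local_name(tag):
    """'{uri}ProtectTokens' -> 'ProtectTokens'."""
    return tag.rsplit("}", 1)[-1]


def count_protect_tokens(policy_xml):
    """How many ProtectTokens assertions a policy document contains."""
    root = ET.fromstring(policy_xml)
    return sum(1 for el in root.iter() if local_name(el.tag) == "ProtectTokens")


def strip_protect_tokens(policy_xml):
    """Return (policy without ProtectTokens assertions, number removed).

    ElementTree elements have no parent pointer, so collect (parent, child)
    pairs first and prune afterwards rather than mutating during iteration."""
    root = ET.fromstring(policy_xml)
    to_remove = [
        (parent, child)
        for parent in root.iter()
        for child in list(parent)
        if local_name(child.tag) == "ProtectTokens"
    ]
    for parent, child in to_remove:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(to_remove)


def rewrite_policy_file(src_path, dst_path):
    """Apply the edit to a file extracted from weblogic.jar and save it under
    the new name (step 4 above); returns the number of assertions removed."""
    with open(src_path, encoding="utf-8") as fh:
        stripped, removed = strip_protect_tokens(fh.read())
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(stripped)
    return removed


if __name__ == "__main__":
    result, removed = strip_protect_tokens(SAMPLE_POLICY)
    print(f"removed {removed} ProtectTokens assertion(s)")
    print(result)
```

ProtectTokens is the assertion that requires a signature to cover the token it was produced with (the STR-Transform the .NET client rejects is how that token reference gets signed), so removing it relaxes that requirement on both sides; the count returned by the function is a quick way to confirm that nothing else in the binding changed before the renamed file goes into /WEB-INF/classes/policies.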


Friday, April 9, 2010

Problem when using a custom web service security policy in WebLogic 10.3

When I was using a custom security policy for my web services in WebLogic 10.3 today, I got the error "com.sun.xml.ws.policy.PolicyException: [failed to localize] WSP_0010_UNEXPANDED_POLICY_REFERENCE_NODE_FOUND_REFERENCING".

The WebLogic documentation was somewhat misleading when it describes using the policy as '@Policy(uri = "Wssp1.2-2007-SignBody-Fault.xml")'. I finally figured out that unless the policy is referenced with the "policy:" prefix, like '@Policy(uri = "policy:Wssp1.2-EncryptBody.xml")', the annotation actually references a resource on the file system.

So if you want to use a policy file from a deployed war file, you need to put it in /WEB-INF/policies/ and reference it as @Policy(uri = "policy:Wssp1.2-2007-SignBody-Fault.xml").

.NET web services client accepts a secure response but a non-secure fault from WebLogic web services -- Interoperability with Microsoft WCF/.NET

I cannot find a way to configure a secure web service on the WebLogic server to return a secured SOAP fault message. That causes problems when the web service client is built with .NET: it gives the same error message as an unsynchronized clock, "an unsecured or incorrectly secured fault...".

But I found that in .NET 3.5 SP2 you can set the security level for the request, response and fault separately