Web services Rampart:用私有/密钥证书标记soap消息失败
我们正在运行WSO2 ESB 5.0服务器。我们希望创建一个服务,将普通SOAP消息转换为签名版本,并将其传递给端点 我们得到的信息是: 原因:org.apache.ws.security.WSSecurityException:常规 安全错误(找不到的用户wso2carbon的证书) (签名) 为什么我会收到这个消息?我不明白这是什么意思 更新:我发现rampart配置中的用户应该是您想要用来签名的密钥的别名。密码处理程序应该返回别名密钥的密码 synapse(wso2 esb)服务是:Web services Rampart:用私有/密钥证书标记soap消息失败,web-services,soap,ssl-certificate,sign,rampart,Web Services,Soap,Ssl Certificate,Sign,Rampart,我们正在运行WSO2 ESB 5.0服务器。我们希望创建一个服务,将普通SOAP消息转换为签名版本,并将其传递给端点 我们得到的信息是: 原因:org.apache.ws.security.WSSecurityException:常规 安全错误(找不到的用户wso2carbon的证书) (签名) 为什么我会收到这个消息?我不明白这是什么意思 更新:我发现rampart配置中的用户应该是您想要用来签名的密钥的别名。密码处理程序应该返回别名密钥的密码 synapse(wso2 esb)服务是:
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
name="__mke_siging_out"
startOnLoad="true"
statistics="disable"
trace="disable"
transports="https">
<target>
<inSequence>
<send>
<endpoint>
<address uri="http://foo.bar.host/services/default/Echo/echo_client_ep">
<enableSec policy="gov:/policies/__mke_sign_out.xml"/>
</address>
</endpoint>
</send>
</inSequence>
<outSequence>
<header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
action="remove"
name="wsse:Security"
scope="default"/>
<send/>
</outSequence>
<faultSequence/>
</target>
<description/>
</proxy>
rampart配置是,指向一个JKS密钥库,在该密钥库中加载私有/发布证书并受密码保护:
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigOnly">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</sp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
<rampart:user>wso2carbon</rampart:user>
<rampart:passwordCallbackClass>nl.rsg.it.igw.passwordcallback.Handler</rampart:passwordCallbackClass>
<rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
<rampart:timestampTTL>300</rampart:timestampTTL>
<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
<rampart:timestampStrict>false</rampart:timestampStrict>
<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
<rampart:encryptionCrypto>
<rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
<rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
</rampart:crypto>
</rampart:encryptionCrypto>
<rampart:signatureCrypto>
<rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
<rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
</rampart:crypto>
</rampart:signatureCrypto>
</rampart:RampartConfig>
</wsp:Policy>
WSO2碳
nl.rsg.it.igw.passwordcallback.Handler
用户eqsigcert
真的
300
300
假的
org.wso2.carbon.security.util.SecurityTokenStore
300
myAlias
myPrivate.jks
-1234
myPrivate.jks
myAlias
myPrivate.jks
-1234
myPrivate.jks
我发现,rampart配置中的用户应该是要用于签名的密钥的别名。密码处理程序应该返回别名密钥的密码