TIBCO BusinessWorks: Understanding Web Services Security 26
8 Second Test X.509 Identification

Like the previous successful test, this won't look any different than a plain SOAP process.

8.1 Request Contents

BinarySecurityToken

    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Header>
        <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    MIICMzCCAd0CAQIwDQYJKoZIhvcNAQEEBQAwgasxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp
    m9ybmlhMRMwEQYDVQQHEwp1cy1lbmdsaXNoMRUwEwYDVQQKEwxUZXN0IENvbXBhbnkxGTAXBgNV
    BAsUEGNsaWVudF9yb290IFVuaXQxFDASBgNVBAMUC2NsaWVudF9yb290MSowKAYJKoZIhvcNAQkB
    FhtjbGllbnRfcm9vdEB0ZXN0Y29tcGFueS5jb20wHhcNMDMwNDI0MjE0NDIzWhcNMTMwNDIxMjE0
    NDIzWjCBnDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTCnVzLWVu
    Z2xpc2gxFTATBgNVBAoTDFRlc3QgQ29tcGFueTEUMBIGA1UECxMLY2xpZW50IFVuaXQxDzANBgNV
    BAMTBmNsaWVudDElMCMGCSqGSIb3DQEJARYWY2xpZW50QHRlc3Rjb21wYW55LmNvbTBcMA0GCSqG
    SIb3DQEBAQUAA0sAMEgCQQC9biqm9QKA/ltM3syV7sqS+eBKWu433MpqMGH90wzyH780CjpaRrjm
    ck+jqIurPBSR7Sn491M2335oWV/+3epLAgMBAAEwDQYJKoZIhvcNAQEEBQADQQBxjIk+4i0qhiiS
    LzuvG1G+CuU6AyLVKhlTOylVb2v+21qfjIaDBN2P9ohfQlYdjjnqZIICuk07cREgTwFMv1cm
          </wsse:BinarySecurityToken>
        </wsse:Security>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body>
        <ns0:Inquiry xmlns:ns0="http://xmlns.example.com/unique/default/namespace/1154630967053">What Time is it?</ns0:Inquiry>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

8.2 Troubleshooting Bad X.509 Private Key Password

Change the password from "password" to something else and re-run the test; you will see that the Client fails to communicate with the Server, and you will get the following error:
8.3 Troubleshooting Missing Trusted CA Cert in Trusted Certificates Folder

You will get the same error as when credentials could not be validated against the Administrator with UserName Tokens, even though X.509 Tokens do NOT involve the Administrator in any fashion: just as the Administrator was the trusted authority for UserName Tokens, the Trusted Certificates Folder is the authority for X.509 Tokens.

    <Data>
      <defaultFaultElement>
        <faultcode>SOAP-ENV:Server</faultcode>
        <faultstring>WS Security Error : 111000</faultstring>
        <faultactor/>
      </defaultFaultElement>
    </Data>

8.4 Troubleshooting Mismatched Token Types

Edit the Outbound Policy back to UserNameToken and see what happens when it is authenticated against an Inbound Policy that is expecting a Certificate: you get the SOAPPLUGIN-100023 error with this in the Console:

    <Data>
      <defaultFaultElement>
        <faultcode>SOAP-ENV:Server</faultcode>
        <faultstring>WS Security Error : 181201</faultstring>
        <faultactor/>
      </defaultFaultElement>
    </Data>
However, if you have a mismatch where a Certificate is sent by the Client and a UserName is expected by the Server, you get the same SOAPPLUGIN-100023, but a different WS Security Error:
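The three failure modes described in sections 8.3 and 8.4 (a certificate that is not in the Trusted Certificates Folder, a UserNameToken arriving where a Certificate is expected, and a Certificate arriving where a UserName is expected) can be exercised offline with the following Python sketch. It is an added example and not code from this document or from TIBCO BusinessWorks: it models the Inbound Policy as a function, the Trusted Certificates Folder as a set of SHA-1 thumbprints, and substitutes a constructed DER-looking blob for the real client certificate. The fault strings 111000 and 181201 are the ones the console output above reports; the code for the reverse mismatch is a labelled placeholder because the document does not give it.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces and type URIs exactly as they appear in the section 8.1 request.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Fault strings as the document's console output reports them for each case.
ERR_UNTRUSTED_CERT = "WS Security Error : 111000"  # section 8.3: no matching cert in the Trusted Certificates Folder
ERR_TOKEN_MISMATCH = "WS Security Error : 181201"  # section 8.4: UserNameToken sent, Certificate expected
# The document does not give the code for the reverse mismatch (Certificate sent, UserName expected).
ERR_REVERSE_MISMATCH = "WS Security Error : <code not given in the document>"


def soap_fault(faultstring):
    """Shape of the <defaultFaultElement> the Console shows."""
    return {"faultcode": "SOAP-ENV:Server", "faultstring": faultstring}


def thumbprint(der):
    """SHA-1 thumbprint of a DER certificate; used as the key into the trusted folder."""
    return hashlib.sha1(der).hexdigest()


def load_trusted_folder(der_blobs):
    """Model the Trusted Certificates Folder as the set of thumbprints of the certs placed in it."""
    return {thumbprint(der) for der in der_blobs}


def check_inbound_policy(envelope_xml, expected_token, trusted):
    """Apply an Inbound Policy expecting 'Certificate' or 'UserName' to a request envelope."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_ENV}}}Header")
    security = header.find(f"{{{WSSE}}}Security") if header is not None else None
    if security is None:
        return soap_fault("missing wsse:Security header")
    bst = security.find(f"{{{WSSE}}}BinarySecurityToken")
    unt = security.find(f"{{{WSSE}}}UsernameToken")

    if expected_token == "Certificate":
        if bst is None:
            return soap_fault(ERR_TOKEN_MISMATCH)
        if bst.get("ValueType") != X509V3 or bst.get("EncodingType") != BASE64:
            return soap_fault("unsupported BinarySecurityToken ValueType/EncodingType")
        try:
            # Base64 in the message is line-wrapped, so drop whitespace before strict decoding.
            der = base64.b64decode("".join((bst.text or "").split()), validate=True)
        except ValueError:
            return soap_fault("BinarySecurityToken is not valid Base64")
        if not der.startswith(b"\x30"):  # a DER Certificate is an ASN.1 SEQUENCE
            return soap_fault("BinarySecurityToken is not a DER certificate")
        tp = thumbprint(der)
        if tp not in trusted:
            return soap_fault(ERR_UNTRUSTED_CERT)
        return {"ok": True, "thumbprint": tp}

    if expected_token == "UserName":
        if unt is None:
            return soap_fault(ERR_REVERSE_MISMATCH)
        return {"ok": True, "username": unt.findtext(f"{{{WSSE}}}Username")}

    raise ValueError(f"unknown policy token type {expected_token!r}")


def build_envelope(token_xml):
    """Wrap a token in the envelope shape of section 8.1 (constructed; body text taken from the page)."""
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}"><SOAP-ENV:Header>'
        f'<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="{WSSE}">{token_xml}</wsse:Security>'
        '</SOAP-ENV:Header><SOAP-ENV:Body><ns0:Inquiry xmlns:ns0="http://xmlns.example.com/unique/default/namespace/1154630967053">'
        "What Time is it?</ns0:Inquiry></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


# Constructed stand-in for the client certificate: a DER-looking blob, not a real X.509 certificate.
FAKE_CLIENT_DER = b"\x30\x10" + b"constructed-der!"
CERT_TOKEN = (
    f'<wsse:BinarySecurityToken EncodingType="{BASE64}" ValueType="{X509V3}">'
    f"{base64.b64encode(FAKE_CLIENT_DER).decode()}</wsse:BinarySecurityToken>"
)
USERNAME_TOKEN = (  # constructed UsernameToken; the credential values are placeholders
    "<wsse:UsernameToken><wsse:Username>client</wsse:Username>"
    "<wsse:Password>not-the-real-password</wsse:Password></wsse:UsernameToken>"
)
CERT_ENVELOPE = build_envelope(CERT_TOKEN)
USERNAME_ENVELOPE = build_envelope(USERNAME_TOKEN)
TRUSTED = load_trusted_folder([FAKE_CLIENT_DER])

if __name__ == "__main__":
    print(check_inbound_policy(CERT_ENVELOPE, "Certificate", TRUSTED))      # ok, with thumbprint
    print(check_inbound_policy(CERT_ENVELOPE, "Certificate", set()))        # 111000: nothing in the folder
    print(check_inbound_policy(USERNAME_ENVELOPE, "Certificate", TRUSTED))  # 181201: token type mismatch
    print(check_inbound_policy(CERT_ENVELOPE, "UserName", TRUSTED))         # reverse mismatch, code unknown
```

Matching a thumbprint is an explicit-identity check. The product's folder also accepts a certificate that chains up to a CA certificate it contains, which requires chain building and signature verification; that part is deliberately not modelled here, and it is the same "missing chain verification" that section 10.1 flags as a troubleshooting point.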
9 Adding Integrity and Confidentiality

Should I do these one-at-a-time?

10 Third Test Identification, Integrity, and Confidentiality

10.1 Troubleshooting

One obvious trouble is mixing an expected Direct Reference with a Subject Key Identifier reference, and missing chain verification. Could be a good point to bring up the use of a Java Keystore as a hybrid solution, with explicit identities and trusted certificates now being interchangeable.
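The first trouble noted in 10.1, a policy configured for one reference style receiving the other, is easiest to see in a resolver that handles both WS-Security 1.0 styles: a wsse:Reference whose URI points at the wsu:Id of a BinarySecurityToken carried in the header (Direct Reference), and a wsse:KeyIdentifier that names a certificate by Subject Key Identifier and has to be looked up in a keystore. The following Python is an added example, not code from this document or from TIBCO BusinessWorks; the keystore dictionary plays the hybrid role suggested above (explicit identity and trust source in one), and the token body, the SKI bytes and the policy names DirectReference and SubjectKeyIdentifier are constructed placeholders. The resolver checks that the style the message uses matches the policy before it resolves anything.

```python
import base64
import xml.etree.ElementTree as ET

# WS-Security 1.0 (2004/01) namespaces and X.509 token profile URIs.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
X509_SKI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Placeholder policy names for the two reference styles (not product configuration values).
DIRECT = "DirectReference"
SKI = "SubjectKeyIdentifier"


class TokenResolver:
    """Resolve a wsse:SecurityTokenReference the way a policy fixed to one reference style would."""

    def __init__(self, security, keystore_by_ski, policy):
        # Tokens carried in the message itself, keyed by wsu:Id (targets of Reference URI="#...").
        self.in_message = {}
        for bst in security.findall(f"{{{WSSE}}}BinarySecurityToken"):
            token_id = bst.get(f"{{{WSU}}}Id")
            if token_id:
                self.in_message[token_id] = bst
        # Keystore: raw SKI bytes -> entry label. Entries are both the explicit identities
        # a KeyIdentifier can name and the certificates that are trusted (the hybrid role).
        self.keystore = keystore_by_ski
        self.policy = policy

    def resolve(self, str_elem):
        ref = str_elem.find(f"{{{WSSE}}}Reference")
        kid = str_elem.find(f"{{{WSSE}}}KeyIdentifier")
        if ref is not None:
            if self.policy != DIRECT:
                return ("fault", "policy expects a KeyIdentifier but the message uses a direct Reference")
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                return ("fault", "only same-document references are resolved here")
            token = self.in_message.get(uri[1:])
            if token is None:
                return ("fault", f"no BinarySecurityToken with wsu:Id {uri[1:]!r} in the header")
            if token.get("ValueType") != X509V3:
                return ("fault", "referenced token is not an X509v3 certificate")
            return ("ok", f"in-message token {uri[1:]}")
        if kid is not None:
            if self.policy != SKI:
                return ("fault", "policy expects a direct Reference but the message uses a KeyIdentifier")
            if kid.get("ValueType") != X509_SKI:
                return ("fault", "KeyIdentifier is not an X509SubjectKeyIdentifier")
            try:
                ski = base64.b64decode((kid.text or "").strip(), validate=True)
            except ValueError:
                return ("fault", "KeyIdentifier is not valid Base64")
            label = self.keystore.get(ski)
            if label is None:
                return ("fault", "SKI does not match any certificate in the keystore")
            return ("ok", f"keystore entry {label}")
        return ("fault", "SecurityTokenReference carries neither Reference nor KeyIdentifier")


# Constructed sample: a header carrying one token by Id, plus one STR of each style.
FAKE_SKI = bytes(range(20))  # placeholder Subject Key Identifier, not derived from a real key
SECURITY_XML = (
    f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
    f'<wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="{X509V3}" EncodingType="{BASE64}">'
    "Y29uc3RydWN0ZWQ=</wsse:BinarySecurityToken></wsse:Security>"  # token body is a placeholder
)
DIRECT_STR = (
    f'<wsse:SecurityTokenReference xmlns:wsse="{WSSE}">'
    f'<wsse:Reference URI="#X509Token" ValueType="{X509V3}"/></wsse:SecurityTokenReference>'
)
SKI_STR = (
    f'<wsse:SecurityTokenReference xmlns:wsse="{WSSE}">'
    f'<wsse:KeyIdentifier ValueType="{X509_SKI}" EncodingType="{BASE64}">'
    f"{base64.b64encode(FAKE_SKI).decode()}</wsse:KeyIdentifier></wsse:SecurityTokenReference>"
)
KEYSTORE = {FAKE_SKI: "client"}


def resolve(str_xml, policy, keystore=KEYSTORE):
    security = ET.fromstring(SECURITY_XML)
    return TokenResolver(security, keystore, policy).resolve(ET.fromstring(str_xml))


if __name__ == "__main__":
    print(resolve(DIRECT_STR, DIRECT))  # ok: token found in the header
    print(resolve(SKI_STR, SKI))        # ok: SKI found in the keystore
    print(resolve(DIRECT_STR, SKI))     # fault: mixed reference styles
    print(resolve(SKI_STR, SKI, {}))    # fault: identity not in the keystore
```

Resolving a reference only locates the certificate; whether that certificate is acceptable is a separate decision, and for the direct style in particular the header-carried token still has to be checked against the trusted set (and, where a CA is involved, chain-verified) before the signature it covers means anything.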