Document

TIBCO BusinessWorks: Understanding Web Services Security 26

8 Second Test X.509 Identification
Like the previous successful test, this wont look any different than a plain SOAP process.
8.1 Request Contents BinarySecurityToken
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-
open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-
200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-
open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-
open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
MIICMzCCAd0CAQIwDQYJKoZIhvcNAQEEBQAwgasxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp
m9ybmlhMRMwEQYDVQQHEwp1cy1lbmdsaXNoMRUwEwYDVQQKEwxUZXN0IENvbXBhbnkxGTAXBgNV
BAsUEGNsaWVudF9yb290IFVuaXQxFDASBgNVBAMUC2NsaWVudF9yb290MSowKAYJKoZIhvcNAQkB
FhtjbGllbnRfcm9vdEB0ZXN0Y29tcGFueS5jb20wHhcNMDMwNDI0MjE0NDIzWhcNMTMwNDIxMjE0
NDIzWjCBnDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTCnVzLWVu
Z2xpc2gxFTATBgNVBAoTDFRlc3QgQ29tcGFueTEUMBIGA1UECxMLY2xpZW50IFVuaXQxDzANBgNV
BAMTBmNsaWVudDElMCMGCSqGSIb3DQEJARYWY2xpZW50QHRlc3Rjb21wYW55LmNvbTBcMA0GCSqG
SIb3DQEBAQUAA0sAMEgCQQC9biqm9QKA/ltM3syV7sqS+eBKWu433MpqMGH90wzyH780CjpaRrjm
ck+jqIurPBSR7Sn491M2335oWV/+3epLAgMBAAEwDQYJKoZIhvcNAQEEBQADQQBxjIk+4i0qhiiS
LzuvG1G+CuU6AyLVKhlTOylVb2v+21qfjIaDBN2P9ohfQlYdjjnqZIICuk07cREgTwFMv1cm
Document
TIBCO BusinessWorks: Understanding Web Services Security 27
</wsse:BinarySecurityToken>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns0:Inquiry xmlns:ns0="http://xmlns.example.com/unique/default/namespace/1154630967053">What
Time is it?</ns0:Inquiry>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
8.2 Troubleshooting Bad X.509 Private Key Password
Change the password from password to something else, and re-run the test you will see that the Client fails to
communicate with the Server, and you will get the following error:


8.3 Troubleshooting Missing Trusted CA Cert in Trusted Certificates Folder
You will get the same error as the inability to validate credentials with the Administrator when using UserName Tokens,
though using X509 Tokens does NOT involve the Administrator in any fashion; just as the Admi nistrator was a trusted
authority for UserName Tokens, so is the Trusted Certificates Folder is the authority for X.509 Tokens.
<Data>
<defaultFaultElement>
<faultcode>SOAP-ENV:Server</faultcode>
<faultstring>WS Security Error : 111000</faultstring>
<faultactor/>
</defaultFaultElement>
</Data>
Document
TIBCO BusinessWorks: Understanding Web Services Security 28
8.4 Troubleshooting Mismatched Token Types
Edit the Outbound Policy back to UserNameToken and see what happens when it gets authenticated against an
Inbound Policy that is expecting a Certificate you get the SOAPPLUGIN100023 error with this in the Console:
<Data>
<defaultFaultElement>
<faultcode>SOAP-ENV:Server</faultcode>
<faultstring>WS Security Error : 181201</faultstring>
<faultactor/>
</defaultFaultElement>
</Data>

However, if you have a mismatch where a Certificate is sent by the Client and a UserName is expected by the Server,
you get the same SOAPPLUGIN-100023, but a different WS Security Error:

<Data>
<defaultFaultElement>
<faultcode>SOAP-ENV:Server</faultcode>
<faultstring>WS Security Error : 181101</faultstring>
<faultactor/>
</defaultFaultElement>
</Data>

9 Adding Integrity and Confidentiality
Should I do these one-at-a-time?
10 Third Test Identification, Integrity, and Confidentiality
10.1 Troubleshooting
One obvious trouble is mixing expected Direct Reference and Subject Key Identities, missing chain verificationCould
be a good point to bring up the use of Java Keystore as a hybrid solution for explicit identities and trusted certificates as
now being interchangeable.