Digital Signature of SOAP message does not work when using own keystore
Hi,
The point was to use own keystore and key pair for digital signature of Web Services.
I have build a simple client and server and deployed on two WebLogic servers.
Steps taken:
1. In Weblogic console in <summary of servers> keystores changed to Custom Identity and Custom Trust and own keystore path.
2. Then edited in base domain the Web Service Security policies tab, by creating new configuration which use own key pair. The view or the table there was empty before my editing, so no Web Service Security configuration existed there. Also, I did not know what name to give.
3. In Enterprise manager I have attached the policies to Web services -client and server being deployed - so I attached oracle/wss10_message_protection_client_policy, respectively oracle/wss10_message_protection_service_policy
But when testing I get the following error on client part:
"oracle.wsm.security.SecurityException: WSM-00101 : The specified keystore file C:\Oracle\MW_HOME\user_projects\domains\base_domain\config\fmwconfig\default-keystore.jks cannot be found; it either does not exist or its path is not included in the application classpath"
It appears that step 2 went wrong because Weblogic tries to find the keystore in different path. But I can't figure what how to fix the configuration there.
Also, enabling SSL on Weblogic with own keystore it worked nicely - by using Admin tutorial.
Any help is much appreciated,
Lucia
The point was to use own keystore and key pair for digital signature of Web Services.
I have build a simple client and server and deployed on two WebLogic servers.
Steps taken:
1. In Weblogic console in <summary of servers> keystores changed to Custom Identity and Custom Trust and own keystore path.
2. Then edited in base domain the Web Service Security policies tab, by creating new configuration which use own key pair. The view or the table there was empty before my editing, so no Web Service Security configuration existed there. Also, I did not know what name to give.
3. In Enterprise manager I have attached the policies to Web services -client and server being deployed - so I attached oracle/wss10_message_protection_client_policy, respectively oracle/wss10_message_protection_service_policy
But when testing I get the following error on client part:
"oracle.wsm.security.SecurityException: WSM-00101 : The specified keystore file C:\Oracle\MW_HOME\user_projects\domains\base_domain\config\fmwconfig\default-keystore.jks cannot be found; it either does not exist or its path is not included in the application classpath"
It appears that step 2 went wrong because Weblogic tries to find the keystore in different path. But I can't figure what how to fix the configuration there.
Also, enabling SSL on Weblogic with own keystore it worked nicely - by using Admin tutorial.
Any help is much appreciated,
Lucia
[Last edited Apr 29, 2011 11:39:44]
page
1
2 replies
Hi Lucia,
I am not very much aware of Enterprise Manager.
You can follow this link to set up keystore for message protection.
http://download.oracle.com/docs/cd/E12839_01/web.1111/b32511/configuring.htm#BABHIBHA
Let me know if it helps.
Thanks,
Faisal
I am not very much aware of Enterprise Manager.
You can follow this link to set up keystore for message protection.
http://download.oracle.com/docs/cd/E12839_01/web.1111/b32511/configuring.htm#BABHIBHA
Let me know if it helps.
Thanks,
Faisal
Hi Faisal,
As per instructions in the link above, I've finally found on Enterprise Manager page, the place where to edit: Weblogic Domain > Security > Security Provider Configuration (Apropos, you need to RIGHT click on domain to get the menu written above - and thus it was a bit cumbersome for me to find it).
So by following the instructions given, I have now configured the keystore path to my generated keystore in the Security Provider Configuration, as well Signature key and Encryption key.
Now, while loading of own keystore appears to be OK, there are some errors which I did not manage to solve. Here is the excerpt from server log: "The certificate, orakey, is not retrieved." Notice there was no place where to configure the recipient key.
I am now stuck with this error - just copied some excerpts from WebLogic log.
..................................
[...]
Configuration property keystore.enc.csf.key value is null
[J2EE_APP.name:] Successfully loaded keystore [path:C:\Oracle\mykeystore.jks,]
...
[arg:] The certificate, orakey, is not retrieved.
...
[arg:] Failure in getting recipient certificate using recipient key alias orakey
...
Cannot obtain a valid recipient cert for client message sending
...
Error in sending the request.
................................................
Any help is much appreciated.
Thank You,
Lucia
As per instructions in the link above, I've finally found on Enterprise Manager page, the place where to edit: Weblogic Domain > Security > Security Provider Configuration (Apropos, you need to RIGHT click on domain to get the menu written above - and thus it was a bit cumbersome for me to find it).
So by following the instructions given, I have now configured the keystore path to my generated keystore in the Security Provider Configuration, as well Signature key and Encryption key.
Now, while loading of own keystore appears to be OK, there are some errors which I did not manage to solve. Here is the excerpt from server log: "The certificate, orakey, is not retrieved." Notice there was no place where to configure the recipient key.
I am now stuck with this error - just copied some excerpts from WebLogic log.
..................................
[...]
Configuration property keystore.enc.csf.key value is null
[J2EE_APP.name:] Successfully loaded keystore [path:C:\Oracle\mykeystore.jks,]
...
[arg:] The certificate, orakey, is not retrieved.
...
[arg:] Failure in getting recipient certificate using recipient key alias orakey
...
Cannot obtain a valid recipient cert for client message sending
...
Error in sending the request.
................................................
Any help is much appreciated.
Thank You,
Lucia
[Last edited May 03, 2011 08:45:21]
Login below to reply:
