Wednesday, 1 June 2011

OSB 11g Security - Predefined sign.xml Policy and SoapUI

I have been experimenting recently with security in Oracle Service Bus 11g. The aim of this experimentation has been to demonstrate how to apply and test various security policies - especially when OSB is an active intermediary. Whilst experimenting I have been trying to use Eviware's SoapUI as a client rather than relying on the OSB test console.

Whilst experimenting with security I decided to use the predefined WebLogic 9.2 policies to secure a service endpoint on the bus and ran into a bit of an issue when trying to configure SoapUI to adhere to the predefined "sign.xml" policy. If we look at the policy we can see that it requires the Timestamp, the Body and the BinarySecurityToken (well, actually the system headers) to be signed:

<wsp:Policy WL5G3N0:Id="Sign.xml">
<wssp:Integrity>
 <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
 <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 <wssp:Target>
  <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
   wls:SystemHeaders()
  </wssp:MessageParts>
 </wssp:Target>
 <wssp:Target>
  <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
   wls:SecurityHeader(wsu:Timestamp)
  </wssp:MessageParts>
 </wssp:Target>
 <wssp:Target>
  <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
   wsp:Body()
  </wssp:MessageParts>
 </wssp:Target>
 <wssp:SupportedTokens>
  <wssp:SecurityToken IncludeInMessage="true" TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
   <wssp:TokenIssuer>CN=CACERT,OU=FOR TESTING ONLY...</wssp:TokenIssuer>
  </wssp:SecurityToken>
 </wssp:SupportedTokens>
</wssp:Integrity>
<wssp:MessageAge Age="60"/>
</wsp:Policy>
I am specifically not going to cover how to configure SoapUI for Web Service Security (WSS) profiles in this blog post as I want to focus on the issue I encountered and its solution, rather than making this post too verbose. I may add another post if there is demand and I have time but it is reasonably well covered in the SoapUI documentation.

The particular issue that I encountered was configuring SoapUI (I was using version 3.6.1) to sign all the items to match the predefined policy described above (specifically the BinarySecurityToken element).

Leaving the BinarySecurityToken unsigned gave the following SOAP fault error message:

"Could not validate signature using any of the supported token types"

However, attempting to specify the Binary Security Token directly in the Parts configuration resulted in SoapUI raising the following error and not performing any signing:

General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, BinarySecurityToken)], see error log for details


The solution was hinted at in this post on the OTN forums. Using Axis2 there is a special "Token" keyword which instructs the stack to encrypt the security token. SoapUI appears to honour the same keyword: if "Token" is added to the Parts configuration as though it were an element name, the security token gets signed and the request is accepted.

In the outgoing WSS configuration I needed the following WSS entries:

  • Timestamp

  • Signature

    • Keystore: <keystore.jks>

    • Alias: <alias>

    • Password: <password>

    • Key Identifier Type: Binary Security Token

    • Signature Algorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1

    • Signature Canonicalization: http://www.w3.org/2001/10/xml-exc-c14n#

    • Parts

      • Name: Body, Namespace: http://schemas.xmlsoap.org/soap/envelope/

      • Name: Timestamp, Namespace: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd

      • Name: Token

Screenshot of SoapUI with the correct outbound WSS configuration applied.
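To see which of the sign.xml requirements a request actually meets, rather than only the generic "Could not validate signature using any of the supported token types" fault, a small checker can be run over the outbound message. The following is an added example written for this post, not SoapUI, OSB or WSS4J code: it parses the wsse:Security header and reports the algorithm URIs and ds:Reference coverage that differ from the policy above. It checks structure only (it does not verify the signature value), and sample_envelope together with the dummy ids "Body", "TS" and "BST" is constructed purely for the example.

```python
import xml.etree.ElementTree as ET
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_PARTS = ("soap:Body", "wsu:Timestamp", "wsse:BinarySecurityToken")  # from sign.xml
ALGS = {"ds:SignatureMethod": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "ds:CanonicalizationMethod": "http://www.w3.org/2001/10/xml-exc-c14n#"}
DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"

def qname(prefixed):  # "wsu:Id" -> "{uri}Id", the form ElementTree uses for tags/attributes
    prefix, local = prefixed.split(":")
    return "{%s}%s" % (NS[prefix], local)

def check_sign_policy(envelope_xml):
    """Structural sign.xml violations (empty list = conforms); the signature value is NOT verified."""
    root = ET.fromstring(envelope_xml)
    info = root.find(".//wsse:Security/ds:Signature/ds:SignedInfo", NS)
    if info is None:
        return ["no ds:Signature inside the wsse:Security header"]
    problems = [t + " is not " + a for t, a in ALGS.items()
                if info.find(t, NS) is None or info.find(t, NS).get("Algorithm") != a]
    # Each ds:Reference must resolve, via wsu:Id, to an element of this very message.
    by_id = {el.get(qname("wsu:Id")): el for el in root.iter() if el.get(qname("wsu:Id"))}
    signed = set()
    for ref in info.findall("ds:Reference", NS):
        uri, dm = ref.get("URI", ""), ref.find("ds:DigestMethod", NS)
        if dm is None or dm.get("Algorithm") != DIGEST:
            problems.append("Reference %s does not use %s" % (uri, DIGEST))
        target = by_id.get(uri.lstrip("#"))
        if target is None:
            problems.append("Reference %s points at no wsu:Id in the message" % uri)
        else:
            signed.add(target.tag)
    problems += [p + " is not covered by the signature" for p in REQUIRED_PARTS if qname(p) not in signed]
    return problems

def sample_envelope(signed_ids):
    """Constructed skeleton of a signed request whose ds:Reference list covers exactly the given wsu:Ids."""
    refs = "".join('<ds:Reference URI="#%s"><ds:DigestMethod Algorithm="%s"/>'
                   '<ds:DigestValue>dummy</ds:DigestValue></ds:Reference>' % (i, DIGEST)
                   for i in signed_ids)
    return ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"'
            ' xmlns:ds="%(ds)s"><soap:Header><wsse:Security><wsu:Timestamp wsu:Id="TS"/>'
            '<wsse:BinarySecurityToken wsu:Id="BST">dummy-cert</wsse:BinarySecurityToken>'
            '<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="%(c14n)s"/>'
            '<ds:SignatureMethod Algorithm="%(rsa)s"/>' + refs + '</ds:SignedInfo>'
            '</ds:Signature></wsse:Security></soap:Header><soap:Body wsu:Id="Body"/>'
            '</soap:Envelope>') % dict(NS, c14n=ALGS["ds:CanonicalizationMethod"], rsa=ALGS["ds:SignatureMethod"])
```

Run against a message captured from SoapUI (for example via its raw request view), an empty result means the three Parts entries listed above are all covered; the SoapUI configuration without the "Token" part produces exactly the "wsse:BinarySecurityToken is not covered" finding.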

I hope this helps anyone who has been fighting with using SoapUI with the predefined WLS 9.2 Sign policy in either Oracle Service Bus or straight WLS web services.