cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hart, Andrew B." <>
Subject RE: CXF (WS-Security) + SoapUI
Date Tue, 22 Apr 2014 16:59:49 GMT
OK, so I saw your earlier message where you stated you wanted to use both a user token and
a cert, and Colm replied with "Try using 'signatureUser' for the 'myclientkey' entry".

In my setup I am only using mutual x.509 certificate authentication.  I am not sure why you
need to use both UserNameToken and a certificate, since the cert provides identification.

Given that, there has to be some mismatch between your server outbound interceptor configuration
and your SoapUi inbound configuration.  You provided your client configuration.  What does
your server outbound interceptor configuration look like?  Here is mine:

  <bean id="Sign_Response" class="">



        <entry key="action" value="Timestamp Signature Encrypt"/>

        <entry key="user" value=""/>

        <entry key="SignaturePropRefId"  value="propertiesRef"/> <!-- bug prior to
1.6: the starting 'S' is capitalized -->

        <entry key="encryptionPropRefId"  value="propertiesRef"/>

        <entry key="propertiesRef"  value-ref="ConfigLoader"/>

        <entry key="encryptionUser" value="useReqSigCert"/>

        <entry key="signatureKeyIdentifier" value="DirectReference"/>

        <entry key="encryptionKeyIdentifier" value="DirectReference" />

        <entry key="passwordCallbackRef">

              <beans:ref bean="ConfigLoader"/>


        <entry key="signatureParts" value="{Content}{}Timestamp;{Element}{}Body"/>

        <entry key="encryptionParts" value="{Content}{}Body"/>

        <!-- <entry key="encryptionKeyTransportAlgorithm" value=""/>

        <entry key="encryptionKeyTransportAlgorithm" value=""/>

        <entry key="encryptionSymAlgorithm" value=""/>

        <entry key="signatureAlgorithm" value=""/>




Here is one of the web pages I used:

In my particular case, the WSS4J (and CXF) used on the Server is constrained to be a much
earlier version than what is bundled in SoapUi.  In that earlier version of WSS4J on the server
you could not have separate keystore and truststore files, so on the server I just have one:
 a keystore that contains the server public/private key pair, and the client public key. 
  In SoapUi, I split them out because I thought it would help me understand what was required,
and where.  I have a client keystore that contains the client public/private key, and a truststore
that contains the server public key.  One key thing I had to do to get X.50 mutual certificate
authentication working was to use encryptionUser="useReqSigCert", which told the server to
encrypt the server response using the cert that was used to sign the request.

n  Andy

From: Paul Avijit []
Sent: Tuesday, April 22, 2014 10:58 AM
To:; Hart, Andrew B.
Subject: Re: CXF (WS-Security) + SoapUI

Thanks Andrew for the detailed response. I have done pretty much as you have explained. The
difference being I have just one client keystore. Let me explain what I have done.

I have created the client and service keystores using the following commands:


keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias myservicekey -keypass
skpass -storepass sspass -keystore serviceKeystore.jks -dname "cn=localhost"

keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias myclientkey -keypass
ckpass -storepass cspass -keystore clientKeystore.jks -dname "cn=clientuser"

keytool -export -rfc -keystore clientKeystore.jks -storepass cspass -alias myclientkey -file

keytool -import -trustcacerts -keystore serviceKeystore.jks -storepass sspass -alias myclientkey
-file MyClient.cer -noprompt

keytool -export -rfc -keystore serviceKeystore.jks -storepass sspass -alias myservicekey -file

keytool -import -trustcacerts -keystore clientKeystore.jks -storepass cspass -alias myservicekey
-file MyService.cer -noprompt


In SoapUI - WS-SecurityConfigurations - Keystores I have the following:

Source: path to clientKeystore.jks

Status: OK

Password: cspass

Default Alias: myclientkey

Alias Password: ckpass

In SoapUI - WS-SecurityConfigurations - Truststores I have the following:

Source: path to clientKeystore.jks

Status: OK

Password: cspass

In SoapUI - Outgoing WS-SecurityConfigurations - Encryption I have the following:

Keystore: clientKeystore.jks

Alias: myclientkey

Password: ckpass

In CXF client I have the following in WSS4JOutInterceptor:

<bean id="TimestampSignEncrypt_Request" class="">



                                    <entry key="action" value="UsernameToken Timestamp
Signature Encrypt"/>

                                    <entry key="passwordType" value="PasswordDigest"/>

                                    <entry key="user" value="POC-Username"/>

                                    <entry key="signatureUser" value="myclientkey"/>

                                    <entry key="passwordCallbackClass" value=""/>

                                    <entry key="signaturePropFile" value=""/>

                                    <entry key="signatureAlgorithm" value=""/>

                                    <entry key="signatureParts" value="{Element}{}Timestamp;{Element}{}Body"/>

                                    <entry key="encryptionPropFile" value=""/>

                                    <entry key="encryptionUser" value="myservicekey"/>

                                    <entry key="encryptionParts" value="{Element}{}Signature;{Content}{}Body"/>

                                    <entry key="encryptionSymAlgorithm" value=""/>

                                    <entry key="encryptionKeyTransportAlgorithm" value=""/>



            <property name="allowMTOM" value="true"/>


This works perfectly fine when tested using CXF client.

All of the above has also been configured in SoapUI except.

                                    <entry key="encryptionUser" value="myservicekey"/>

When I test using SoapUI, when the request goes to the server, I get the following error in
the server logs:

[ERROR][[ACTIVE] ExecuteThread: '23' for queue: 'weblogic.kernel.Default (self-tuning)'][2014-04-22
- Cannot find key for alias: [myclientkey] in keystore of type [jks] from provider [SUN version
1.6] with size [2] and aliases: {myservicekey, myclientkey}

Apr 22, 2014 11:16:28 AM handleMessage

WARNING: The signature or decryption was invalid

When I only secure my web service using UsernameToken Timestamp and Signature, it works fine
when tested with SoapUI. I get the above error when Encrypt is also used to secure it.



On Tuesday, April 22, 2014 10:50 AM, "Hart, Andrew B." <<>>

It took me quite a bit of trial and error to figure out what went where in SoapUi.    I find
their documentation to be lacking.

I'll just tell you how I have it set up in the hope that it helps:

a)  Under Keystores you have the path to the keystore that contains your client public and
private key.  Password is the keystore password.  The default client alias in the keystore,
then the password for the private key.
b)  Under Truststores you have the path to the keystore that contains the public cert of the
server.  The Password is the truststore password.  I left the default alias and password blank.
c)  Under "Incoming" the "Decrypt" keystore is the path to the  keystore (a).  The "Signature"
is (b).  The password is for the keystore.
d)  Under "Outgoing" the default alias is the alias for your client key in (a).  If you have
a signature action set up, the Keystore specified will be (a).  The "alias" and "password"
will be the alias for the client private key.

Now to associate these configurations with SoapUi requests, there are several places to do
this.  You can do it globally for a particular service endpoint by double clicking on the
green hourglass for the interface in the tree.  In the window that comes up, select the "Service
Endpoints" tab.  Put the outgoing and incoming ws-configurations there, and they will apply
to all operations.

Or, for each request, you double click to open the request window.  In the bottom left there
is a menu for "Authentication and Security related settings".  You can specify your incoming
and outgoing profile there.  You can also right click directly in the window where your request
xml appears, select the "Outgoing WSS" from the context menu and then either "Apply" or "Remove

So, it sounds like SoapUi is not finding the "Incoming" ws configuration, or your truststore.
   When you get the response back, look in the bottom of that window and there is the WSS
log.  Click on it and you should see "WS-Security processing results" there that will help
you debug your problem.    If I had to guess, you might have the keystore and truststore switched
around in (c).

Also, SoapUi caches things up.  I found it difficult to trust it, so when I made changes to
WS-Security configuration in SoapUi, I often closed the project and opened it back up to make
sure it was using my latest changes.

Hope this helped.

-- Andy

-----Original Message-----
From: Paul Avijit [<>]
Sent: Monday, April 21, 2014 5:36 PM
Subject: CXF (WS-Security) + SoapUI


I have a Web service implemented using CXF which is secured with WS-Security (X.509 Encryption).

I have tested it successfully using a CXF client. I have configured WS-Security in SoapUI.
But when I test using SoapUI I get the following error: The signature or decryption was invalid

All configuration that I have done in CXF client is present in SoapUI. I could not find in
SoapUI the equivalent of the following configuration (constructor argument of WSS4JOutInterceptor)
that I have in CXF client, which is resulting in the error. I know it is this configuration
as when I delete this configuration from the CXF client I get the same error.

<entry key="encryptionUser" value="myservicekey"/>

Can anyone please let me know how to test this using SoapUI. Thanks in advance for the help
to CXF experts in this mailing list.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message