Using Apache Rampart for Signature with JKS and Binary Security Token key identifier

Question

I have to call a web service that was provided by a customer (some information below is masked for this reason). I've been provided with a java keystore that contains the private key that I need to use to generate a signature to include in the WSSecurity header of my request.

Additionally, I've been sent a working SoapUI project that implements this service with the proper security configuration. The outgoing security configuration in soapUI has the "Key Identifier Type" set to "Binary Security Token"

I am trying to set this call up in my Java application using Apache Rampart. I noticed that there is no equivalent to "Binary Security Token" key identifier in the OutflowSecurity configuration, so I'm trying the following. Here is the relevant snippet from my axis2.xml file:

<module ref="rampart" />
<parameter name="OutflowSecurity">
    <action>
        <items>Signature</items>
        <user>*******</user>
        <passwordCallbackClass>*******.PWCBHandler</passwordCallbackClass>
        <signaturePropFile>crypto.properties</signaturePropFile>
        <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
    </action>
</parameter>

And here are the contents of my crypto.properties file:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.file=C:/rampart/*****.jks
org.apache.ws.security.crypto.merlin.keystore.alias=******
org.apache.ws.security.crypto.merlin.alias.password=**********
org.apache.ws.security.crypto.merlin.keystore.password=********* (same as above)

The issue is that when I try to execute the service with this configuration, I get the following error:

org.apache.axis2.AxisFault: Error during Signature: 
at org.apache.rampart.handler.WSDoAllSender.processMessage(WSDoAllSender.java:75)
at org.apache.rampart.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:72)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:427)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:406)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
... (removed)
Caused by: org.apache.ws.security.WSSecurityException: Error during Signature: 
at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:64)
at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:202)
at org.apache.rampart.handler.WSDoAllSender.processBasic(WSDoAllSender.java:212)
at org.apache.rampart.handler.WSDoAllSender.processMessage(WSDoAllSender.java:72)
... 13 more
Caused by: org.apache.ws.security.WSSecurityException: Signature creation failed
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:558)
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:478)
at org.apache.ws.security.message.WSSecSignature.build(WSSecSignature.java:384)
at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:61)
... 16 more
Caused by: org.apache.ws.security.WSSecurityException: General security error (The private key for the supplied alias does not exist in the keystore)
at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:725)
at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:501)
... 19 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(Unknown Source)
at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source)
at java.security.KeyStore.getKey(Unknown Source)
at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:711)
... 20 more

I've tried all of the different signatureKeyIdentifiers options without any luck. Could anyone help me perhaps figure out where to go from here to debug this issue?

Thank you!

Answer 1

I'm not sure about your overall configuration, but the obvious problem is that the alias that you use to load the key from keystore is invalid. Maybe you use alias of some public key instead of private? Rampart will use user as key alias when alias itself is not provided, so I would make sure that both, user in service configuration and alias in properties, are set to the same value.

You can verify which one to use by listing keystore contents using keytool from JDK:

JDK/bin/keytool -list -keystore path/to/keystore

It should print:

alias1, 13-May-2013, trustedCertEntry, (public key only, used to verify signature)
Certificate fingerprint (SHA1): *****
alias2, 13-May-2013, PrivateKeyEntry, (private/public key pair, used to sign messages)
Certificate fingerprint (SHA1): *****

Answer 2

Questions: 1. Do we need to make any other configurations other than the policy files. 2. If so, where we need to add it. 3. Can you review the policy file is fine for the requirement with binary security token.

        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:user>***</ramp:user>
            <ramp:passwordCallbackClass>com.sosnoski.ws.library.adb.PWCBHandler</ramp:passwordCallbackClass>

            <ramp:signatureCrypto>
                <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.file">com/sosnoski/ws/library/adb/***.jks</ramp:property>
                    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">******</ramp:property>
                </ramp:crypto>
            </ramp:signatureCrypto>
        </ramp:RampartConfig>
    </wsp:All>
</wsp:ExactlyOne>

Answer 3

Fixed. I had the wrong username in my password callback handler. It wasn't able to find the password to use to access the key.. Thanks for the help. Sorry for the late answer. I had it as a comment to the originating question before.