tibi

Reputation: 677

WSSecurityException: The security token could not be authenticated or authorized

I have a working SOAP connection, but my certificate is expiring, so I only want to change the certificate. For my SOAP connection I use a keystore which I generate using openssl.

With my old keystore it works fine, but with my new one I get this stack trace:

Caused by: org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized
at org.apache.ws.security.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:86)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:187)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:105)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:835)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1612)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1503)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1310)
at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:628)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)

So I guess there is something wrong with my keystore generation, although I can send the message and it goes wrong on receiving. This is the code, and on the last line I get the above exception.

    AanleverServiceV12_Service service = new AanleverServiceV12_Service();
    log.trace("aanleverService created");
    AanleverServiceV12 aanleverServicePort = service.getAanleverServicePortV12();
    log.trace("aanleverServicePort created");
    AanleverRequest aanleverRequest = createAanleverRequest(belastingFormulier);
    log.trace("AanleverRequest: {}", aanleverRequest);
    // the exception above is thrown here, while processing the signed response
    AanleverResponse response = aanleverServicePort.aanleveren(aanleverRequest);

This is my config file:

    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
    org.apache.ws.security.crypto.merlin.keystore.password=****
    org.apache.ws.security.crypto.merlin.keystore.file=keystore.p12
    org.apache.ws.security.crypto.merlin.keystore.alias={csr_request_finished}

Any help would be welcome!

I tried to recreate the keystore which works, but I get the same error, so I guess the error is in making the keystore.

I do this:

openssl pkcs12 -export -out keystore.p12 -inkey server.key -in cert.pem -name "{csr_request_finished}"

I updated my generation to this, but with the same error (I split the certificate into my own and the supporting certificates):

openssl pkcs12 -export -out kdeb5.p12 -inkey key.pem -in cert.pem -name "{csr_request_finished}" -certfile certRest.pem

Upvotes: 1

Views: 15021

Answers (1)

tibi

Reputation: 677

OK, found it. It seems that when there is no friendly name, this will be the error:

org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized

So to avoid that, at least one certificate needs a name; it can even be empty, like this:

openssl pkcs12 -export -out keystore.p12 -inkey key.pem -in cert.pem -name "{CSR_Request_Finished}" -certfile certRest.pem -caname ""

The above works, but best is of course to do:

openssl pkcs12 -export -out keystore.p12 -inkey key.pem -in cert.pem -name "{CSR_Request_Finished}" -certfile certRest.pem -caname "cert one" -caname "cert intermediate" -caname "cert root" etc....

The difference is that with no caname given you get this:

Bag Attributes: <No Attributes>

With an empty name you get this:

Bag Attributes
friendlyName: 

You can view this info with this command:

openssl pkcs12 -info -in keystore.p12

Upvotes: 1
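The whole procedure from the question and the answer, as an added example that is not code from either post: build the PKCS#12 keystore with `-name` on the key/certificate pair and `-caname` on every supporting certificate, then check the bag attributes with `openssl pkcs12 -info` before the keystore goes anywhere near Merlin. It assumes only the openssl CLI; the root/intermediate/leaf chain it generates is constructed test material so the script runs offline, and the `{CSR_Request_Finished}` alias, file names and password are placeholders, as in the thread.

```shell
#!/bin/sh
# Added example, not part of the original question or answer. Builds a
# PKCS#12 keystore the way WSS4J/Merlin expects it (friendly name on the
# key/cert pair via -name, on every supporting certificate via -caname)
# and verifies the bag attributes with `openssl pkcs12 -info`.
# Assumes only the openssl CLI. Alias, file names and password are placeholders.
set -e

WORK=${WORK:-$(mktemp -d)}
PASS=changeit          # placeholder; in production use -passout file:/env: instead
ALIAS='{CSR_Request_Finished}'

# Constructed test material: a throw-away root, an intermediate signed by it,
# and a leaf signed by the intermediate. In the real scenario key.pem/cert.pem
# come from your CA; this exists only so the script runs offline.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Test Root' \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=leaf' \
        -keyout "$WORK/key.pem" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 30 -out "$WORK/cert.pem" 2>/dev/null
    # Supporting certificates in chain order. -caname values are matched to
    # this order: the first -caname names the first certificate in certRest.pem.
    cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/certRest.pem"
}

# build_p12 OUTFILE [extra openssl pkcs12 options, e.g. -caname ...]
build_p12() {
    out=$1; shift
    openssl pkcs12 -export -out "$WORK/$out" \
        -inkey "$WORK/key.pem" -in "$WORK/cert.pem" -name "$ALIAS" \
        -certfile "$WORK/certRest.pem" -passout "pass:$PASS" "$@"
}

# Number of friendlyName attributes on the certificate bags. -nokeys skips
# the key bag, so the leaf certificate counts once and each named CA bag once.
count_friendly_names() {
    openssl pkcs12 -info -in "$WORK/$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'friendlyName:' || true
}

# Number of certificate bags with no attributes at all: the
# "Bag Attributes: <No Attributes>" bags from the answer. The goal is zero.
count_unnamed_bags() {
    openssl pkcs12 -info -in "$WORK/$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c '<No Attributes>' || true
}

main() {
    make_chain
    build_p12 nonames.p12                                  # what the question did
    build_p12 named.p12 -caname 'cert intermediate' -caname 'cert root'
    for ks in nonames.p12 named.p12; do
        echo "$ks: $(count_friendly_names "$ks") friendly names," \
             "$(count_unnamed_bags "$ks") unnamed bags"
    done
}
main
```

Two practical caveats. Passing the password with `pass:` exposes it in the process list; for a real keystore use `-passout file:` or `-passout env:`. OpenSSL 3 also writes PKCS#12 files with its newer default algorithms (AES-256-CBC with PBKDF2 and a SHA-256 MAC); if the Java runtime that loads the keystore is too old to read those, `openssl pkcs12 -export -legacy`, or explicit `-keypbe`, `-certpbe` and `-macalg` options, produce the older format.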
