Switch

Reputation: 15443

JAX-WS webservice security issue

I'm trying to create a JAX-WS webservice with security enabled. I followed this tutorial and did it with a previously built webservice of my own. It's just a simple webservice that returns the current time. The client is a standalone Java application, and the client code is as follows:

public class CallWS {
    public static void main(String[] args) {
        TimeService ts = new TimeService();
        Time time = ts.getTimePort();
        System.out.println(time.timeOfDay());
    }
}

but I'm getting the below exception:

SEVERE: WSSTUBE0023: Error in creating new instance of SecurityClientTube
java.lang.RuntimeException: WSSTUBE0016: TrustStore URL was obtained as NULL from ConfigAssertion.
    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.populateTruststoreProps(SecurityTubeBase.java:1411)
    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.populateConfigProperties(SecurityTubeBase.java:1314)
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.configureClientHandler(SecurityClientTube.java:779)
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.<init>(SecurityClientTube.java:170)
    at com.sun.xml.wss.provider.wsit.SecurityTubeFactory.createTube(SecurityTubeFactory.java:227)
    at com.sun.xml.ws.assembler.TubeCreator.createTube(TubeCreator.java:77)
    at com.sun.xml.ws.assembler.TubelineAssemblerFactoryImpl$MetroTubelineAssembler.createClient(TubelineAssemblerFactoryImpl.java:121)
    at com.sun.xml.ws.client.Stub.createPipeline(Stub.java:224)
    at com.sun.xml.ws.client.Stub.<init>(Stub.java:201)
    at com.sun.xml.ws.client.Stub.<init>(Stub.java:174)
    at com.sun.xml.ws.client.sei.SEIStub.<init>(SEIStub.java:81)
    at com.sun.xml.ws.client.WSServiceDelegate.createEndpointIFBaseProxy(WSServiceDelegate.java:602)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:344)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:326)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:308)
    at javax.xml.ws.Service.getPort(Service.java:99)
    at wsclient.TimeService.getTimePort(TimeService.java:72)
    at main.CallWS.main(CallWS.java:19)

Exception in thread "main" java.lang.RuntimeException: WSSTUBE0023: Error in creating new instance of SecurityClientTube
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.<init>(SecurityClientTube.java:175)
    at com.sun.xml.wss.provider.wsit.SecurityTubeFactory.createTube(SecurityTubeFactory.java:227)
    at com.sun.xml.ws.assembler.TubeCreator.createTube(TubeCreator.java:77)
    at com.sun.xml.ws.assembler.TubelineAssemblerFactoryImpl$MetroTubelineAssembler.createClient(TubelineAssemblerFactoryImpl.java:121)
    at com.sun.xml.ws.client.Stub.createPipeline(Stub.java:224)
    at com.sun.xml.ws.client.Stub.<init>(Stub.java:201)
    at com.sun.xml.ws.client.Stub.<init>(Stub.java:174)
    at com.sun.xml.ws.client.sei.SEIStub.<init>(SEIStub.java:81)
    at com.sun.xml.ws.client.WSServiceDelegate.createEndpointIFBaseProxy(WSServiceDelegate.java:602)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:344)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:326)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:308)
    at javax.xml.ws.Service.getPort(Service.java:99)
    at wsclient.TimeService.getTimePort(TimeService.java:72)
    at main.CallWS.main(CallWS.java:19)
Caused by: java.lang.RuntimeException: WSSTUBE0016: TrustStore URL was obtained as NULL from ConfigAssertion.
    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.populateTruststoreProps(SecurityTubeBase.java:1411)
    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.populateConfigProperties(SecurityTubeBase.java:1314)
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.configureClientHandler(SecurityClientTube.java:779)
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.<init>(SecurityClientTube.java:170)
    ... 14 more
Java Result: 1

I used the same security mechanism as mentioned in the tutorial (Username Authentication with Symmetric Keys) and followed exactly the same steps in both the client-side and server-side environments.

I'm using

wsit-ws.Time

<?xml version="1.0" encoding="UTF-8"?> 
 <definitions 
 xmlns="http://schemas.xmlsoap.org/wsdl/" 
 xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" 
 xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
 xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="TimeService" targetNamespace="http%3A%2F%2Fns.soacookbook.com" xmlns:tns="http%3A%2F%2Fns.soacookbook.com" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:sc="http://schemas.sun.com/2006/03/wss/server" xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy" xmlns:wsp1="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsaw="http://www.w3.org/2005/08/addressing" xmlns:fi="http://java.sun.com/xml/ns/wsit/2006/09/policy/fastinfoset/service" xmlns:tcp="http://java.sun.com/xml/ns/wsit/2006/09/policy/soaptcp/service" xmlns:sp1="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" 
 >
    <message name="timeOfDay"/>
    <message name="timeOfDayResponse"/>
    <portType name="Time">
        <operation name="timeOfDay">
            <input message="tns:timeOfDay"/>
            <output message="tns:timeOfDayResponse"/>
        </operation>
    </portType>
    <binding name="TimePortBinding" type="tns:Time">
        <wsp1:PolicyReference URI="#TimePortBindingPolicy"/>
        <operation name="timeOfDay">
            <input>
                <wsp1:PolicyReference URI="#TimePortBinding_timeOfDay_Input_Policy"/>
            </input>
            <output>
                <wsp1:PolicyReference URI="#TimePortBinding_timeOfDay_Output_Policy"/>
            </output>
        </operation>
    </binding>
    <service name="TimeService">
        <port name="TimePort" binding="tns:TimePortBinding"/>
    </service>
    <wsp1:Policy wsu:Id="TimePortBindingPolicy">
        <wsp1:ExactlyOne>
            <wsp1:All>
                <wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" wsp1:Optional="false"/>
                <sp1:SymmetricBinding>
                    <wsp1:Policy>
                        <sp1:ProtectionToken>
                            <wsp1:Policy>
                                <sp1:X509Token sp1:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                    <wsp1:Policy>
                                        <sp1:WssX509V3Token10/>
                                        <sp1:RequireIssuerSerialReference/>
                                    </wsp1:Policy>
                                </sp1:X509Token>
                            </wsp1:Policy>
                        </sp1:ProtectionToken>
                        <sp1:Layout>
                            <wsp1:Policy>
                                <sp1:Strict/>
                            </wsp1:Policy>
                        </sp1:Layout>
                        <sp1:IncludeTimestamp/>
                        <sp1:OnlySignEntireHeadersAndBody/>
                        <sp1:AlgorithmSuite>
                            <wsp1:Policy>
                                <sp1:Basic128/>
                            </wsp1:Policy>
                        </sp1:AlgorithmSuite>
                    </wsp1:Policy>
                </sp1:SymmetricBinding>
                <sp1:Wss11>
                    <wsp1:Policy>
                        <sp1:MustSupportRefIssuerSerial/>
                        <sp1:MustSupportRefThumbprint/>
                        <sp1:MustSupportRefEncryptedKey/>
                    </wsp1:Policy>
                </sp1:Wss11>
                <sp1:SignedSupportingTokens>
                    <wsp1:Policy>
                        <sp1:UsernameToken sp1:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                            <wsp1:Policy>
                                <sp1:WssUsernameToken10/>
                            </wsp1:Policy>
                        </sp1:UsernameToken>
                    </wsp1:Policy>
                </sp1:SignedSupportingTokens>
                <sc:KeyStore wspp:visibility="private" location="/home/oshadha/.netbeans/7.0/config/GF3_113/domain1/config/keystore.jks" type="JKS" storepass="changeit" alias="xws-security-server"/>
            </wsp1:All>
        </wsp1:ExactlyOne>
    </wsp1:Policy>
    <wsp1:Policy wsu:Id="TimePortBinding_timeOfDay_Input_Policy">
        <wsp1:ExactlyOne>
            <wsp1:All>
                <sp1:EncryptedParts>
                    <sp1:Body/>
                </sp1:EncryptedParts>
                <sp1:SignedParts>
                    <sp1:Body/>
                    <sp1:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="AckRequested" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
                    <sp1:Header Name="SequenceAcknowledgement" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
                    <sp1:Header Name="Sequence" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
                    <sp1:Header Name="CreateSequence" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
                </sp1:SignedParts>
            </wsp1:All>
        </wsp1:ExactlyOne>
    </wsp1:Policy>
    <wsp1:Policy wsu:Id="TimePortBinding_timeOfDay_Output_Policy">
        <wsp1:ExactlyOne>
            <wsp1:All>
                <sp1:EncryptedParts>
                    <sp1:Body/>
                </sp1:EncryptedParts>
                <sp1:SignedParts>
                    <sp1:Body/>
                    <sp1:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp1:Header Name="AckRequested" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
                    <sp1:Header Name="SequenceAcknowledgement" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
                    <sp1:Header Name="Sequence" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
                    <sp1:Header Name="CreateSequence" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
                </sp1:SignedParts>
            </wsp1:All>
        </wsp1:ExactlyOne>
    </wsp1:Policy>
</definitions>

Upvotes: 1

Views: 3542

Answers (1)

Switch

Reputation: 15443

When you are configuring certificates using NetBeans for webservice clients (as with development defaults), sometimes the correct configurations are not written to the configuration files. In that case you have to add the correct configuration manually.

In this scenario the missing piece was the location of the keystore file within the client configuration. So you have to explicitly add the location to wsit-client.xml or to another configuration file it imports from.

<sc:KeyStore wspp:visibility="private" location="/home/username/.netbeans/7.0/config/GF3_113/domain1/config/keystore.jks" type="JKS" storepass="changeit" alias="xws-security-server"/>

This can be done either from the UI interface provided by NetBeans or with a file editor. The location can be obtained from wsit-ws.[Servicename] in the webservice implementation.

Upvotes: 2
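A pre-flight check for the missing-location condition described in the answer, as an added example that is not part of the original post or of Metro/WSIT: it scans a WSIT configuration file for KeyStore and TrustStore assertions and reports any whose location attribute is absent or points to an unreadable file. The class name `WsitStoreCheck`, the sample XML and its `urn:example:constructed` namespace are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class WsitStoreCheck {
    // One finding per KeyStore/TrustStore assertion whose location is missing or unreadable.
    static List<String> check(Document doc) {
        List<String> findings = new ArrayList<>();
        for (String name : new String[] {"KeyStore", "TrustStore"}) {
            // Match on local name only, so the namespace bound to the prefix does not matter.
            NodeList nodes = doc.getElementsByTagNameNS("*", name);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element e = (Element) nodes.item(i);
                String loc = e.getAttribute("location"); // "" when the attribute is absent
                if (loc.isEmpty()) {
                    findings.add(name + ": no location attribute");
                } else if (!Files.isReadable(Paths.get(loc))) {
                    findings.add(name + ": not readable: " + loc);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so a tampered config file cannot pull in external entities.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        // Constructed sample used when no file path is given on the command line.
        String sample = "<p:Policy xmlns:p='http://www.w3.org/ns/ws-policy' xmlns:sc='urn:example:constructed'>"
                + "<sc:KeyStore type='JKS' alias='xws-security-server'/>"
                + "<sc:TrustStore type='JKS' location='/nonexistent/truststore.jks'/></p:Policy>";
        Document doc = args.length > 0
                ? builder.parse(new File(args[0]))
                : builder.parse(new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
        check(doc).forEach(System.out::println);
    }
}
```

A relative location is checked against the working directory here, which may differ from how the runtime resolves it, so treat "not readable" on a relative path as a prompt to verify rather than a definite failure.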
