
ERROR: Federated Service with STS

29 replies
gsogol
Joined: 2008-02-27

I'm calling a WCF (.NET) federated service which also has an STS. I generated the stub in NB 6.1 and get:

com.sun.xml.ws.api.security.trust.WSTrustException: WST0017:Could not obtain STS metadata. MEX call to STS http://vhv000020.saxonmtg.com/TokenIssuer/Service.svc failed.

I'm not sure why it needs MetadataExchange, but I added a MEX binding to my STS service, although it's the same URL as above, only with an additional "/mex".

I set all the properties including the metadata property by right-clicking on the service and setting those under STS.

PLEASE HELP!

Jiandong Guo

Not sure where you are now?

So you need to import the certificates (not the pkcs12 files) to the
client trust store.
When you follow the NB tutorial to configure the clients, you need to use the alias
for the STS for the STS client and ...

Thanks!

metro@javadesktop.org wrote:

>Thanks. So with 2 aliases, where do I reference the two? Again, I see where I can reference 1 STS and 1 truststore under the Quality of Service tab in NB. Also, importing the actual .cer type file using the -importcert flag and the -trustcacerts flag gives me an error that PKCS12 is not supported.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net

gsogol
Joined: 2008-02-27

I think I'm good now from the metro side. Here are my lessons learned. Hopefully it'll help others:
1. Use the JDK 6+ keytool, use -importkeystore for .pfx files, and use the appropriate alias when importing. I ran the command twice to add two .pfx files (1 for the STS and 1 for the service) to the same keystore file with extension .jks. It actually adds them to one file and does not replace the file each time (had to learn that).
2. Use keytool -importcert to import the actual .cer files into the truststore. Do not specify the -trustcacerts flag and do not specify a storetype of PKCS12.
3. Create *two* clients: one for the STS and one for the actual service. I read the tutorial multiple times, but this did not register with me. In the .NET world, you don't have to add two service references.
4. In the client's Quality of Service tab for the STS, enter the keystore filename (case-sensitive) and the appropriate alias; do the same in the service's QoS tab, with a different alias but the same keystore. Same for the truststore, which contains the certs.

The problem I'm having now is that I can't get to the STS's mex endpoint (my original post in this thread). I've enabled it and metro can see it but somehow it's looking for a custom principal in the authorization context (.NET world). I've found an article (http://www.codeprof.com/dev-archive/125/153-118-1253129.shtm) that discusses how to disable authentication/authorization for a mex endpoint in .NET. So I think my issue is now on the .NET side unless someone feels that my 4 steps above are incorrect.

For now, thank you to Shyam, Clemens, Jiandong and jdj6688 for helping me out. I really appreciate it. Hopefully what I shared here will help others.
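The keytool sequence behind lessons 1 and 2 above, written out as an added example that is not code from the thread or from the Metro project. It stands in for the makecert-generated .pfx files with keytool-generated PKCS12 files (a constructed assumption, so the script runs on its own), copies both private keys into one client-keystore.jks under the aliases sts and service, exports the two certificates and imports them into client-truststore.jks with -importcert and no -trustcacerts or PKCS12 storetype. The file names, aliases, CNs and the password changeit are all assumptions made for the example; the resulting store file names and aliases are what lesson 4 says to type into the NetBeans Quality of Service tab.

```shell
#!/bin/sh
# Added example (not from the thread): build the Metro client keystore and truststore
# from two .pfx files and two .cer files with the JDK 6+ keytool.
# Assumptions (constructed): store passwords "changeit", aliases "sts" and "service",
# and keytool-generated PKCS12 files standing in for makecert/pvk2pfx output.
set -e

PFXPASS=${PFXPASS:-changeit}      # password protecting the .pfx files
STOREPASS=${STOREPASS:-changeit}  # password for the JKS keystore and truststore
WORKDIR=${WORKDIR:-$(mktemp -d)}  # every file is created in a throwaway directory

# Stand-in for makecert: a self-signed key pair in a PKCS12 (.pfx) file.
make_stand_in_pfx() {  # $1 = alias inside the pfx, $2 = CN, $3 = output file
  keytool -genkeypair -alias "$1" -dname "CN=$2" -keyalg RSA -keysize 2048 \
    -validity 365 -storetype PKCS12 -keystore "$3" \
    -storepass "$PFXPASS" -keypass "$PFXPASS" >/dev/null 2>&1
}

# Lesson 1: -importkeystore copies one private key + certificate chain out of a .pfx
# into the single client keystore; -srcalias selects the entry, -destalias renames it.
# Running it twice with different aliases appends to the same .jks file.
# For a real makecert .pfx, find the source alias first with:
#   keytool -list -storetype PKCS12 -keystore file.pfx -storepass <pfx password>
import_pfx() {  # $1 = pfx file, $2 = alias inside the pfx, $3 = alias to use in the JKS
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$PFXPASS" \
    -srcalias "$2" -srckeypass "$PFXPASS" \
    -destkeystore "$WORKDIR/client-keystore.jks" -deststoretype JKS \
    -deststorepass "$STOREPASS" -destalias "$3" -destkeypass "$STOREPASS" >/dev/null 2>&1
}

# Export the public certificate from a pfx (the equivalent of makecert's .cer output).
export_cer() {  # $1 = pfx file, $2 = alias, $3 = output .cer file
  keytool -exportcert -alias "$2" -keystore "$1" -storetype PKCS12 \
    -storepass "$PFXPASS" -file "$3" >/dev/null 2>&1
}

# Lesson 2: -importcert puts a bare .cer into the truststore, with no -trustcacerts
# and no -storetype PKCS12. The truststore holds only the other parties' certificates.
import_cer() {  # $1 = .cer file, $2 = alias in the truststore
  keytool -importcert -noprompt -alias "$2" -file "$1" \
    -keystore "$WORKDIR/client-truststore.jks" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Count entries in a store: keytool -list prints one "...Entry," line per alias
# (PrivateKeyEntry / keyEntry for keys, trustedCertEntry for certificates).
count_entries() {  # $1 = store file
  keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null | grep -c 'Entry,' || true
}

build_client_stores() {
  make_stand_in_pfx sts-pfx     sts.example     "$WORKDIR/sts.pfx"
  make_stand_in_pfx service-pfx service.example "$WORKDIR/service.pfx"
  import_pfx "$WORKDIR/sts.pfx"     sts-pfx     sts       # first key entry
  import_pfx "$WORKDIR/service.pfx" service-pfx service   # second entry, same file
  export_cer "$WORKDIR/sts.pfx"     sts-pfx     "$WORKDIR/sts.cer"
  export_cer "$WORKDIR/service.pfx" service-pfx "$WORKDIR/service.cer"
  import_cer "$WORKDIR/sts.cer"     sts
  import_cer "$WORKDIR/service.cer" service
}

if command -v keytool >/dev/null 2>&1; then
  build_client_stores
  echo "stores written to $WORKDIR"
  echo "keystore entries:   $(count_entries "$WORKDIR/client-keystore.jks")"    # 2
  echo "truststore entries: $(count_entries "$WORKDIR/client-truststore.jks")"  # 2
else
  echo "keytool not on PATH; install a JDK (6 or newer) first" >&2
fi
```

After it runs, client-keystore.jks holds two private-key entries (sts, service) and client-truststore.jks two trusted-certificate entries under the same aliases; in the NetBeans Quality of Service tab the STS client and the service client point at the same two files and differ only in the alias they name.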

shyam_rao
Joined: 2006-05-05

Please have a look at the "Example : STS Issued Token(STS)" here : https://wsit-docs.dev.java.net/releases/1.1/ahiei.html#ahiey

gsogol
Joined: 2008-02-27

I've been playing around with the keytool from JDK 6 and I'm able to generate the keystore. I have 2 certs and 2 .pfx files generated via makecert for the STS and the actual service.

Do I have to generate 2 keystores then? Where does the truststore come into the picture? In NB, I have to point to one keystore and one truststore. I am authenticating to an STS first, which provides me a signed SAML token, and then I need to call the actual service (hence I have two certs and two .pfx files). I used the keytool -importkeystore command and generated two files. What do I do with them now? PLEASE HELP!

Jiandong Guo

metro@javadesktop.org wrote:

>I've been playing around with the keytool from JDK 6 and I'm able to generate the keystore. I have 2 certs and 2 .pfx files generated via makecert for the STS and the actual service.
>
>Do I have to generate 2 keystores then? Where does the truststore come into the picture? In NB, I have to point to one keystore and one truststore. I am authenticating to an STS first, which provides me a signed SAML token, and then I need to call the actual service (hence I have two certs and two .pfx files). I used the keytool -importkeystore command and generated two files. What do I do with them now? PLEASE HELP!
Import the two certificates into the client truststore with different
aliases using -importcert. The truststore contains the certificates
of the other parties.

gsogol
Joined: 2008-02-27

Thanks. So with 2 aliases, where do I reference the two? Again, I see where I can reference 1 keystore (1 alias) and 1 truststore under the Quality of Service tab, security section, in NB.

Looks like I sort of corrected importing my certificate. I removed the storetype of PKCS12 and it did import. So I have 1 keystore with 2 aliases and 1 truststore with 2 aliases. Again, 1 alias for sts and 1 for the actual service. NB only allows me to enter one alias and one keystore (same for the truststore).

So I need to know:
1) How do I reference 2 aliases in NB?
2) Why can't it initialize my keystore? I solved this issue by correcting file case-sensitivity. Load Aliases works now. Question 1 remains unsolved.

gsogol
Joined: 2008-02-27

Anyone? PLEASE PLEASE HELP. I have a deadline this week. See my question above.

V B Kumar Jayanti

Jiandong Guo wrote:

> Key stores are Java-based files for managing certificates and keys.
> Create keystores using the Java keytool:
> http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html
> and then put the certificates there.

Please use JDK 6 Keytool since it has many more options that aid in
importing and exporting certs and key-pairs.

Thanks

> metro@javadesktop.org wrote:
>
>> Looking at some blogs including Shyam's blog, I see how you guys are
>> creating a client and entering all the information about the keystore
>> and the truststore on the client side inside NB. So my question
>> basically comes down to: I have a Java library that I will be using
>> inside Oracle Forms and it will be outside of any server container so
>> I won't have access to a keystore and a truststore. So assuming
>> that's the case, using the encoded public certificate key (generated
>> by WSIT) *without* keystore/truststore is not enough? If that's
>> the case, what are my options? Let's just assume that a client
>> doesn't have access to any app server's container. There's gotta be a
>> way. I have faith :). Anyways, thanks ahead.

gsogol
Joined: 2008-02-27

But will the keystore be packaged with the jar? I can't have anything outside of the jar.

gsogol
Joined: 2008-02-27

This is to respond to jdg6688's:

Just when I thought I was finally getting it, I'm back to square one. So you're saying NB will generate the client but I would also have to add SAML callback handler and dynamically pass in user information with password inside there? Looking at the sample handler and I see they reference the keystore with the truststore. Don't I just need the public key? Why do I need the key/trust store information. This is just a client (jar) that I will be using outside of a glassfish server. Please help me understand this better.

jdg6688
Offline
Joined: 2005-11-02

You don't need to specify the SAML callback handler.

But you need to specify how to get the credentials for securing the messages
to the STS:

1. You need to pass the username/password to the STS client.

Using com.sun.xml.wss.XWSSConstants.USERNAME_PROPERTY and com.sun.xml.wss.XWSSConstants.PASSWORD_PROPERTY
with BindingProvider is fine. These will be passed to the STS client.

2. You need to use the STS cert to secure the message. The STS cert should
be in the client truststore.

gsogol
Joined: 2008-02-27

Happy to hear about not needing the SAML callback handler. Ok, so when you say you need a cert in client's truststore, is that something that gets packaged within the jar and simply a base-64 encoded public key that gets generated by the stub? Or is this something that I manually have to enter somewhere? I have seen this under the client service's properties but I first don't get the idea and second, don't know what to put in there. All I have right now is a cert that I generated via makecert on my windows box (one for sts and one for the actual target service).

jdg6688
Joined: 2005-11-02

Using the Java keytool, you can import the STS cert and the service cert into
the client truststore.

gsogol
Joined: 2008-02-27

Ok, so that's the step that I'm confused about. What parameters do I pass? How does that relate to my Java Metro client? When you use keytool, I'm assuming you'll have to pass in various parameters. How does my client in NB know about them? Hopefully it's not confusing you. But do you have step-by-step instructions for the keytool, and also for what I do inside NB?

Clemens Vasters

If you have authentication turned on for the MEX endpoint you are using the wrong binding for that endpoint. MEX is commonly assumed to be non-authenticated.

Clemens

-----Original Message-----
From: metro@javadesktop.org [mailto:metro@javadesktop.org]
Sent: Friday, March 28, 2008 9:36 AM
To: users@metro.dev.java.net
Subject: Re: RE: ERROR: Federated Service with STS

Awesome idea (I'm getting too excited to get this stuff to work :). Tried to generate the stub off of the mex binding and got an error in regards to authentication. Tried to generated another stub off of a second mex endpoint that is non-STS and it generated fine. So the issue at this point is not Metro but my WCF service and its authentication.

From a Metro + NB perspective, just generating the stub by simply pointing to my service WSDL should be enough? It obviously knows about the STS service. Just wondering, from the perspective that in order to authenticate to my STS I use the membership API, do I simply use the following code to pass in my username and password?

BindingProvider portBP = (BindingProvider) port;
portBP.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "jsogolo");
portBP.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "trinity");

gsogol
Joined: 2008-02-27

I will try the new constants. Thanks.

The MEX endpoint is not authenticated, but the STS itself is, through the membership API. I will try to fix my authentication issues, try again, and reply to this group. Hopefully this will help others as well.

shyam_rao
Joined: 2006-05-05

> BindingProvider portBP = (BindingProvider) port;
> portBP.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "jsogolo");
> portBP.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "trinity");

You can use com.sun.xml.wss.XWSSConstants.USERNAME_PROPERTY & com.sun.xml.wss.XWSSConstants.PASSWORD_PROPERTY instead of BindingProvider.USERNAME_PROPERTY & BindingProvider.PASSWORD_PROPERTY respectively.

gsogol
Joined: 2008-02-27

Looking at some blogs, including Shyam's blog, I see how you guys are creating a client and entering all the information about the keystore and the truststore on the client side inside NB. So my question basically comes down to: I have a Java library that I will be using inside Oracle Forms, and it will be outside of any server container, so I won't have access to a keystore and a truststore. So assuming that's the case, using the encoded public certificate key (generated by WSIT) *without* keystore/truststore is not enough? If that's the case, what are my options? Let's just assume that a client doesn't have access to any app server's container. There's gotta be a way. I have faith :). Anyways, thanks ahead.

Jiandong Guo

Key stores are Java-based files for managing certificates and keys.
Create keystores using the Java keytool:
http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html
and then put the certificates there.

metro@javadesktop.org wrote:

>Looking at some blogs, including Shyam's blog, I see how you guys are creating a client and entering all the information about the keystore and the truststore on the client side inside NB. So my question basically comes down to: I have a Java library that I will be using inside Oracle Forms, and it will be outside of any server container, so I won't have access to a keystore and a truststore. So assuming that's the case, using the encoded public certificate key (generated by WSIT) *without* keystore/truststore is not enough? If that's the case, what are my options? Let's just assume that a client doesn't have access to any app server's container. There's gotta be a way. I have faith :). Anyways, thanks ahead.

gsogol
Joined: 2008-02-27

Great document. Thanks. So the keystore is just a file then. In NB, there is a place where you need to enter the file location. Will it get packaged with the jar?

jdg6688
Joined: 2005-11-02

Is your STS WSIT-based?
You need MEX because you only know which STS to call at run time,
as specified in the service WSDL. You need a MEX call to the STS to get the STS WSDL.

There is an issue that came up with today's nightly build with MEX. This has been fixed.
Please try with tomorrow's build.

gsogol
Joined: 2008-02-27

Thanks for the response. Both the Service and the STS are done in .NET.

I downloaded the latest nightly and get the same error. I think that it's not finding the actual MEX endpoint, unless you feel the message states otherwise. My MEX endpoint is the URL + "/mex", which I've set by right-clicking on the service and setting the Metadata property (I'm assuming by Metadata they mean MEX, and that could be the problem if it's not), but it's still looking at the issuer URL, which is not the MEX endpoint. Take a look at the attached file to see what I've set in NB. I've also attached my service's WSDL.

So if I change the issuer on my actual service, only then do I see the code looking for the new URL. Setting properties in NB seems like it's not picking it up at all. I think it's looking at the WSDL at run time and then picks up the issuer URL, which is not a MEX endpoint, and I feel like it shouldn't be. If it needs one like you say, fine, and I do have one, but it's the URL + "/mex". It's just looking at the URL.

Anyways, if you have any thoughts, I'm willing to try anything. I've come far in using Metro and overcame a few hurdles, but this should be the last one. Thanks ahead.

jdg6688
Joined: 2005-11-02

> Thanks for the response. Both the Service and the STS
> are done in .NET.
Ok.
On the client side this is the order to find the STS info:

1. Check the Issuer in the IssuedToken policy assertion in the service WSDL.
2. Check the local configuration with PreConfiguredSTS.

The standard way to set the MEX address of the STS in the Issuer element is to use the following element:

You need to put it in the Issuer element in the service policy. Check the .NET plugfest
service WSDL for example. http://131.107.72.15/Security_Federation_FederatedService_Indigo/Symmetr...

gsogol
Joined: 2008-02-27

Got it. I found a way in WCF to set the issuer Metadata and have done so, and it added exactly the section you're talking about. Attached is my new service WSDL. Amazingly, still the same error message. When I try to browse to the URL + "/mex", the browser has a problem opening it. It's different from the 404 error: it actually finds the address fine, it's just unable to display it. From other forums, I found that it's normal behavior and you can't really browse to a MEX endpoint. I updated my client and it now points to the MEX endpoint, but still the same error. Any ideas?

Clemens Vasters

You are right; MEX is a SOAP-only protocol that the browser can't make sense of. If you need an alternate client that can evaluate MEX, you can use WCF's

svcutil.exe [mex-url]

and see whether that spits out a C# file and a config file. If it does, your MEX endpoint is likely OK. Just to make sure: if you are configuring the MEX endpoint in code, you should use one of the bindings returned from the System.ServiceModel.Description.MetadataExchangeBindings factory. If you are doing so in config, you should use one of the config bindings listed in [1], steps 6 and 7.

[1] http://msdn2.microsoft.com/en-us/library/system.servicemodel.description...

Clemens

-----Original Message-----
From: metro@javadesktop.org [mailto:metro@javadesktop.org]
Sent: Friday, March 28, 2008 9:12 AM
To: users@metro.dev.java.net
Subject: Re: ERROR: Federated Service with STS

Got it. I found a way in WCF to set the issuer Metadata and have done so, and it added exactly the section you're talking about. Attached is my new service WSDL. Amazingly, still the same error message. When I try to browse to the URL + "/mex", the browser has a problem opening it. It's different from the 404 error: it actually finds the address fine, it's just unable to display it. From other forums, I found that it's normal behavior and you can't really browse to a MEX endpoint. I updated my client and it now points to the MEX endpoint, but still the same error. Any ideas?

gsogol
Joined: 2008-02-27

Awesome idea (I'm getting too excited to get this stuff to work :). Tried to generate the stub off of the MEX binding and got an error in regards to authentication. Tried to generate another stub off of a second MEX endpoint that is non-STS and it generated fine. So the issue at this point is not Metro but my WCF service and its authentication.

From a Metro + NB perspective, just generating the stub by simply pointing to my service WSDL should be enough? It obviously knows about the STS service. Just wondering, from the perspective that in order to authenticate to my STS I use the membership API, do I simply use the following code to pass in my username and password?

BindingProvider portBP = (BindingProvider) port;
portBP.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "jsogolo");
portBP.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "trinity");

gsogol
Joined: 2008-02-27

Also, the STS and the service use certificates. Does the Metro client need to install certificates, or simply use the public key that got generated by the stub? The previous question in regards to how to pass credentials still applies.

Hopefully someone knows. Thanks ahead.

jdg6688
Joined: 2005-11-02

It will be helpful if you can post your STS WSDL.

In any case, you also need to create the client configuration for the STS:

See steps 6 to 13 of the WSIT tutorial:

https://wsit-docs.dev.java.net/releases/1.1/ahiei.html#gfrls,
To Secure the Example Web Service Client Application (STS)