KeyStore TrustStore not read by client from wsit-client.xml file

begzo

I'm using Tomcat 6, Metro 2.0 (nightly build) and Java 6 update 14.

I want to use MCS (mutual certificate security) and have developed my server and client according to the examples found in the WSIT source code, which I have also run successfully.

But I have found a strange problem with the client.

If I specify the keystore and truststore information in wsit-client.xml, they are not used in any way and my client exits with the exception:

[java] INFO: WSP5018: Loaded WSIT configuration from file: file:/home/XX/project/client/classes/META-INF/wsit-client.xml.
[java] Aug 31, 2009 11:44:10 AM com.sun.xml.wss.impl.misc.DefaultCallbackHandler getDefaultPrivKeyCert
[java] SEVERE: WSS1505: IO Exception occured: failed to get key/certificate from keystore (not necesaarily i/o excep)
[java] java.lang.NullPointerException
[java] at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.getDefaultPrivKeyCert(DefaultCallbackHandler.java:1427)

....

[java] Aug 31, 2009 11:44:10 AM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getDefaultPrivKeyCertRequest
[java] SEVERE: WSS0216: An Error occurred using Callback Handler for : SignatureKeyCallback.DefaultPrivKeyCertRequest
[java] Aug 31, 2009 11:44:10 AM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getDefaultPrivKeyCertRequest
[java] SEVERE: WSS0217: An Error occurred using Callback Handler handle() Method.

...

[java] Aug 31, 2009 11:44:10 AM com.sun.xml.wss.impl.filter.SignatureFilter process
[java] SEVERE: WSS1417: Error while processing signature java.lang.RuntimeException: java.lang.NullPointerException
[java] Aug 31, 2009 11:44:10 AM com.sun.xml.wss.jaxws.impl.SecurityTubeBase secureOutboundMessage
[java] SEVERE: WSSTUBE0024: Error in Securing Outbound Message.
...

OK, I then tried to set the properties for the private and public keys and the server public key with:

((BindingProvider) port).getRequestContext().put(XWSSConstants.CERTIFICATE_PROPERTY, cert);
((BindingProvider) port).getRequestContext().put(XWSSConstants.PRIVATEKEY_PROPERTY, key);
((BindingProvider) port).getRequestContext().put(XWSSConstants.SERVER_CERTIFICATE_PROPERTY, serverCert);

and this is half working.
The client sends a signed request to the server, the server gives a signed response back, and then I get an exception:

[java] Aug 31, 2009 11:48:55 AM com.sun.xml.wss.impl.misc.DefaultCallbackHandler$X509CertificateValidatorImpl validate
[java] SEVERE: WSS1518: Failed to validate certificate
[java] java.lang.NullPointerException: the keystore parameter must be non-null
[java] at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:128)
[java] at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:113)
....

AFAIK, the wsit-client.xml file should be read by a non-GlassFish client if it is in the classpath. This is also done (as we can see in the trace above), but the KeyStore and TrustStore properties are null when the application gets to the DefaultCallbackHandler.

Why is the information from the wsit-client.xml file not interpreted correctly by WSIT?

In both cases the keystore/truststore entries are present in the wsit-client.xml file.

I have also tried adding a KeyStore and TrustStore CallbackHandler instead of specifying the hard-coded information, but this does not help either.

Any suggestions? Thanks in advance.

suresh

Try with today's (Sep 16th) Metro nightly build.
It may help to overcome your first exception.
Thanks,
suresh

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net

Kumar Jayanti

Hi,

As suresh mentioned, you might be fine with the Sep 17th build; there was
a regression caused while implementing another feature, and our QE has
reported the same problem:
https://wsit.dev.java.net/issues/show_bug.cgi?id=1194

For the second approach, where you used the properties, there is a bug;
I guess we never expect the server response to contain a cert that needs
validation. I will fix that issue today, but can you show me your
service WSDL policies?

regards,
kumar


kumarjayanti

This is an area of code where I have changed some code recently and there was a regression.

If you wish to use nightlies, then try the nightly that comes out on 1st September; I have hopefully fixed all the issues. A more stable Metro 2.0 would come out soon since we have hit code freeze.

Otherwise try using 1.5 and you should not see the first issue that you mention.

begzo

Thanks for your answer.

I have now installed Metro 1.5, and when I run the client I get a new, strange exception:

SEVERE: Could not locate KeyStore, check keystore assertion in WSIT configuration

I have my keystore in my META-INF directory and the parent directory of the META-INF directory is in the classpath.

Also, the path to the keystores is hard-coded and is Unix style (location="/home/xxx/client/classes/META-INF/xws-security/")

I will try the nightly build from 1 September tomorrow; I hope this helps.

kumarjayanti

Show me your keystore and truststore assertions in wsit-client.xml.

If you are expecting the META-INF thing to work, then the location should be a relative location (relative to META-INF) and not absolute. The location in your keystore assertion should just be the following:

begzo

Hi again.

I have installed the metro nightly build from:

https://metro.dev.java.net/files/documents/7107/142534/metro-2_0-install...

And have generated my client, but the problem is the same.

Here is the exception:

[java] Sep 1, 2009 12:15:01 PM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
[java] INFO: WSP5018: Loaded WSIT configuration from file: file:/home/bo/client/classes/META-INF/wsit-client.xml.
[java] Sep 1, 2009 12:15:06 PM com.sun.xml.wss.impl.misc.DefaultCallbackHandler getKeyStore
[java] SEVERE: Could not locate KeyStore, check keystore assertion in WSIT configuration
[java] Sep 1, 2009 12:15:06 PM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getDefaultPrivKeyCertRequest
[java] SEVERE: WSS0216: An Error occurred using Callback Handler for : SignatureKeyCallback.DefaultPrivKeyCertRequest
[java] Sep 1, 2009 12:15:06 PM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getDefaultPrivKeyCertRequest
[java] SEVERE: WSS0217: An Error occurred using Callback Handler handle() Method.
[java] com.sun.xml.wss.impl.XWSSecurityRuntimeException: Could not locate KeyStore, check keystore assertion in WSIT configuration

....

Here is my Policy part from wsit-client.xml:

xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client" >


xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
wspp:visibility="private"
location="xws-security/etc/client-keystore.jks"
type="JKS"
alias="xws-security-client"
storepass="changeit">

xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
wspp:visibility="private"
location="xws-security/etc/client-truststore.jks"
type="JKS"
storepass="changeit"
peeralias="xws-security-server">



Hope you can help. Thanks in advance.
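
A pre-flight check for the store settings in the policy above, as an added example that is not part of the original thread and not Metro's own code. It resolves each location relative to META-INF on the classpath, as the earlier reply describes (absolute paths are read from the file system, which is an assumption of this example), loads the store, and confirms the alias is present with the expected entry type. The class and method names are hypothetical.

```java
import java.io.File;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;

// Added example: pre-flight check for the store settings used in wsit-client.xml.
public class WsitStoreCheck {

    // Relative locations are looked up under META-INF/ on the classpath,
    // absolute ones on the file system. (Assumption of this example, modelled
    // on the advice in the thread; this is not Metro's lookup code.)
    static URL resolve(String location) throws Exception {
        File f = new File(location);
        if (f.isAbsolute()) {
            return f.isFile() ? f.toURI().toURL() : null;
        }
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        return cl.getResource("META-INF/" + location);
    }

    // Load the store and report whether the alias is usable in the expected role.
    static String check(String role, String location, String type,
                        char[] storepass, String alias, boolean needPrivateKey) {
        try {
            URL url = resolve(location);
            if (url == null) {
                return role + ": NOT FOUND: " + location;
            }
            KeyStore ks = KeyStore.getInstance(type);
            try (InputStream in = url.openStream()) {
                ks.load(in, storepass); // a wrong password or store type throws here
            }
            if (!ks.containsAlias(alias)) {
                return role + ": alias '" + alias + "' missing in " + url;
            }
            // The signing alias must hold a private key; the peer alias only a certificate.
            boolean ok = needPrivateKey ? ks.isKeyEntry(alias)
                                        : ks.getCertificate(alias) != null;
            return role + (ok ? ": OK " : ": alias has wrong entry type in ") + url;
        } catch (Exception e) {
            return role + ": cannot load " + location + " (" + e + ")";
        }
    }

    public static void main(String[] args) {
        // Values copied from the policy posted above.
        char[] pass = "changeit".toCharArray();
        System.out.println(check("KeyStore", "xws-security/etc/client-keystore.jks",
                "JKS", pass, "xws-security-client", true));
        System.out.println(check("TrustStore", "xws-security/etc/client-truststore.jks",
                "JKS", pass, "xws-security-server", false));
    }
}
```

Run it with the same classpath as the client; a NOT FOUND line means the location value does not resolve from that classpath.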

begzo

OK,
I have managed this stuff now. Thanks for your help; you have pointed me in the right direction.

ptn77

Hello,

I have the same problem. How did you resolve this issue?

Thanks in advance!

gmazza

spamfoodie

Hi,
and what was the solution?
I have the same problem (Metro version 2.0.1). Only the keystore and truststore configuration is not loaded from wsit-client.xml. If I use wsit-client.xml and client-security-env.properties it works.
The client-security-env.properties looks like:
keystore.url=C:/Glassfish_v3/glassfish/domains/domain1/config/keystore.jks
keystore.type=JKS
keystore.password=changeit
my.alias=myclientkeyalias
my.password=changeit
truststore.url=C:/Glassfish_v3/glassfish/domains/domain1/config/keystore.jks
truststore.type=JKS
truststore.password=changeit
peerentity.alias=myservicekeyalias
If I put the keystore/truststore configuration into wsit-client.xml, the properties are not read and they are null.
Can anybody explain this behaviour to me?
Thanks in advance!

Here's the part of the DefaultCallbackHandler class where the assertions properties are null:

public DefaultCallbackHandler(String clientOrServer, Properties assertions) throws XWSSecurityException {

    Properties properties = null;
    if (assertions != null && !assertions.isEmpty()) {
        properties = assertions;
    } else {
        //fallback option
        properties = new Properties();
        String resource = clientOrServer + "-security-env.properties";
        InputStream in = Thread.currentThread().getContextClassLoader().getResourceAsStream(resource);
        if (in != null) {
            try {
                properties.load(in);
            } catch (IOException ex) {
                throw new XWSSecurityException(ex);
            }
        } else {
            //throw new XWSSecurityException("Resource " + resource + " could not be located in classpath");
        }
    }

    this.keyStoreURL = properties.getProperty(KEYSTORE_URL);
    this.keyStoreURL = resolveHome(this.keyStoreURL);
    this.keyStoreType = properties.getProperty(KEYSTORE_TYPE);
    this.keyStorePassword = properties.getProperty(KEYSTORE_PASSWORD);
    this.keyPwd = properties.getProperty(KEY_PASSWORD);
    this.myAlias = properties.getProperty(MY_ALIAS);
    this.myUsername = properties.getProperty(MY_USERNAME);
    this.myPassword = properties.getProperty(MY_PASSWORD);

    this.trustStoreURL = properties.getProperty(TRUSTSTORE_URL);
    this.trustStoreURL = resolveHome(this.trustStoreURL);
    this.keyStoreType = properties.getProperty(KEYSTORE_TYPE);
    this.trustStoreType = properties.getProperty(TRUSTSTORE_TYPE);
    this.trustStorePassword = properties.getProperty(TRUSTSTORE_PASSWORD);
    this.peerEntityAlias = properties.getProperty(PEER_ENTITY_ALIAS);