Sunday, March 14, 2010

Securing WLI processes and Web Services

Add this annotation to your process:

@WSSecurityService(file="mypolicy.xml")


and the file contains:


<?xml version="1.0" ?>
<wsSecurityPolicy xsi:schemaLocation="WSSecurity-policy.xsd"
    xmlns="http://www.bea.com/2003/03/wsse/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <wsSecurityIn>
        <token tokenType="username" />
        <encryptionRequired>
            <decryptionKey>
                <alias>client1</alias>
                <password>password</password>
            </decryptionKey>
        </encryptionRequired>
        <signatureRequired>true</signatureRequired>
    </wsSecurityIn>
</wsSecurityPolicy>


The entire XSD is here: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd

You will get this exception when invoking your process from a SOAP client:


weblogic.webservice.server.ConfigException: Key for alias 'client1' does not exist in server key store (C:\beawli\WLSERV~1.3\server\lib\DemoIdentity.jks)
    at weblogic.webservice.util.ServerKeyStore.getPrivateKeyInternal(ServerKeyStore.java:68)
    at weblogic.webservice.util.ServerKeyStore.getPrivateKey(ServerKeyStore.java:87)
    at com.bea.wli.knex.runtime.jws.wssecurity.inbound.WLWInboundWSSEImpl.initDecryptionKey(WLWInboundWSSEImpl.java:655)


Let's check which keys are in the DemoIdentity keystore:

cd C:\beawli\jrockit_160_05\bin

C:\beawli\jrockit_160_05\bin>keytool -list -keystore c:\beawli\wlserver_10.3\server\lib\DemoIdentity.jks
Enter keystore password:  (enter DemoIdentityKeyStorePassPhrase)

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

demoidentity, Feb 24, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): 7B:C7:C0:7C:91:13:6C:CB:8B:EA:AD:C4:4E:1D:A8:0E


I find the password here
http://kingsfleet.blogspot.com/2008/11/using-demoidentity-and-demotrust.html



At this point I change the mypolicy.xml file this way:


<?xml version="1.0" ?>
<wsSecurityPolicy xsi:schemaLocation="WSSecurity-policy.xsd"
    xmlns="http://www.bea.com/2003/03/wsse/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <wsSecurityIn>
        <token tokenType="username" />
        <encryptionRequired>
            <decryptionKey>
                <alias>demoidentity</alias>
                <password>DemoIdentityKeyStorePassPhrase</password>
            </decryptionKey>
        </encryptionRequired>
        <signatureRequired>true</signatureRequired>
    </wsSecurityIn>
</wsSecurityPolicy>


and I get this new error:

java.rmi.RemoteException: EJB Exception: ; nested exception is:
    com.bea.wli.knex.runtime.jws.wssecurity.exception.WLWWSSEException: weblogic.webservice.server.ConfigException: Failed to load key for alias demoidentity
Caused by: com.bea.wli.knex.runtime.jws.wssecurity.exception.WLWWSSEException: weblogic.webservice.server.ConfigException: Failed to load key for alias demoidentity
    ... 19 more
Caused by: weblogic.webservice.server.ConfigException: Failed to load key for alias demoidentity
    ... 27 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    ... 29 more


and we learn that:


The error “java.security.UnrecoverableKeyException: Cannot recover key” occurs when the keystore and keyEntry passwords are different. To resolve this issue, you must remove all traces of the past certificate and request file.
You must generate a new keystore, keyEntry and CSR and specify the same password for the keystore and the keyEntry.

 WTF ?????!!!! I think this is simply insane.


Incidentally, the keystore configuration is located under server/configuration/keystores


At this point, I don't give up and I create a new KeyStore with a custom Identity Key, giving same password for keystore and key:

keytool -genkeypair -alias acme -keystore acmeks.jks -storepass weblogic -keypass weblogic

I set the keystore to "Custom Identity and Command Line Trust" (CustomIdentityAndCommandLineTrust)

and when I restart the server I get:

java.lang.RuntimeException: Trust KeyStore is not configured!

At this point I read this documentation:

http://download.oracle.com/docs/cd/E15051_01/wls/docs103/ConsoleHelp/taskhelp/security/ConfigureKeystoresAndSSL.html

The default password for the Java default keystore file $JAVA_HOME/lib/security/cacerts is ‘changeit’

 keytool -list -keystore c:\beawli\jrockit_160_05\jre\lib\security\cacerts
Enter keystore password: (enter changeit)

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 51 entries

aolrootca1, Jan 17, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 14:F1:08:AD:9D:FA:64:E2:89:E7:1C:CF:A8:AD:7D:5E
verisignclass3g2ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
entrustclientca, Jan 9, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 0C:41:2F:13:5B:A0:54:F5:96:66:2D:7E:CD:0E:03:F4
thawtepersonalbasicca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
globalsignca, Aug 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): AB:BF:EA:E3:6B:29:A6:CC:A6:78:35:99:EF:AD:2B:80
addtrustclass1ca, May 2, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
digicertassuredidrootca, Jan 7, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
verisignclass2g3ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
blablabla
blablabla



After having configured the keystore as "Custom Identity and Custom Trust":
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>c:\beawli\wlserver_10.3\server\lib\acmeks.jks</custom-identity-key-store-file-name>
    <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
    <custom-identity-key-store-pass-phrase-encrypted>{3DES}BJ5VpGM7nC0xjFy7L6sAsQ==</custom-identity-key-store-pass-phrase-encrypted>
    <custom-trust-key-store-file-name>c:\beawli\jrockit_160_05\jre\lib\security\cacerts</custom-trust-key-store-file-name>
    <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
    <custom-trust-key-store-pass-phrase-encrypted>{3DES}pUeTIrard92wCNotuoJb/g==</custom-trust-key-store-pass-phrase-encrypted>



and AT LAST I get an expected error - since the SOAP message was not encrypted:

java.rmi.RemoteException: EJB Exception: ; nested exception is:
    com.bea.wli.knex.runtime.jws.wssecurity.exception.WLWWSSEException: Policy requires Message to be encrypted, Message was not encrypted.
Caused by: com.bea.wli.knex.runtime.jws.wssecurity.exception.WLWWSSEException: Policy requires Message to be encrypted, Message was not encrypted.
    ... 19 more
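The three keystore failures above (alias missing, key not recoverable, trust store not usable) can be reproduced outside the server with a few lines of plain JDK code. The following diagnostic is an added example, not code from the post or from WebLogic/WLI: it performs the same steps the stack trace shows the server performing (load the identity keystore, look up the alias, recover the private key with the password from `<decryptionKey>`) and then loads the trust store and counts its trustedCertEntry aliases. Keystore paths, passwords and the alias are all command-line arguments; the class name `KeyStoreCheck` and the argument order are this example's own choice.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/*
 * Added diagnostic (not part of the blog post or of WebLogic/WLI).
 * Usage:
 *   java KeyStoreCheck <identity.jks> <storepass> <alias> <keypass> <trust.jks> <trustpass>
 * Nothing is hard-coded: every path and password comes from the command line.
 */
public class KeyStoreCheck {

    /* Load a JKS keystore with its *store* password. A wrong store password
       fails already here ("Keystore was tampered with, or password was incorrect"). */
    static KeyStore load(String path, String storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass.toCharArray());
        }
        return ks;
    }

    /* Same sequence as ServerKeyStore.getPrivateKey(alias, password) in the trace:
       the password passed to getKey() is the password of the key *entry*,
       which in a JKS file may differ from the keystore password. */
    static String checkIdentity(KeyStore ks, String alias, String keyPass) throws Exception {
        List<String> aliases = Collections.list(ks.aliases());
        if (!ks.containsAlias(alias)) {
            // first error on the page: "Key for alias '...' does not exist in server key store"
            return "FAIL: alias '" + alias + "' does not exist; aliases present: " + aliases;
        }
        if (!ks.isKeyEntry(alias)) {
            // a trustedCertEntry carries no private key, so it cannot decrypt anything
            return "FAIL: '" + alias + "' is a trustedCertEntry, not a PrivateKeyEntry";
        }
        try {
            ks.getKey(alias, keyPass.toCharArray());
        } catch (UnrecoverableKeyException e) {
            // second error on the page: "java.security.UnrecoverableKeyException: Cannot recover key"
            return "FAIL: key password for '" + alias + "' is wrong (" + e.getMessage() + ")";
        }
        return "OK: private key '" + alias + "' is recoverable with the supplied key password";
    }

    /* A trust store is only useful if it holds trusted certificate entries. */
    static String checkTrust(KeyStore ks) throws Exception {
        List<String> trusted = new ArrayList<>();
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(a)) {
                trusted.add(a);
            }
        }
        if (trusted.isEmpty()) {
            return "FAIL: trust store contains no trustedCertEntry";
        }
        return "OK: " + trusted.size() + " trustedCertEntry aliases, e.g. " + trusted.get(0);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: java KeyStoreCheck <identity.jks> <storepass> <alias> <keypass> <trust.jks> <trustpass>");
            System.exit(2);
        }
        String identity = checkIdentity(load(args[0], args[1]), args[2], args[3]);
        String trust = checkTrust(load(args[4], args[5]));
        System.out.println("identity: " + identity);
        System.out.println("trust:    " + trust);
        System.exit(identity.startsWith("OK") && trust.startsWith("OK") ? 0 : 1);
    }
}
```

Run it once with the alias and password you intend to put in `<decryptionKey>` before touching the policy file: an "alias does not exist" result means the policy names a key the server keystore does not hold, while a "key password is wrong" result means the value in `<password>` is not the key entry's own password (in a JKS file the key entry and the keystore can have different passwords, which is exactly what the quoted "Cannot recover key" explanation describes). Generating the keystore with `-storepass` and `-keypass` equal, as done for `acmeks.jks` above, avoids the second case by construction. The trust-store check only confirms the file loads and has trusted entries; the "Trust KeyStore is not configured!" error comes from the server's keystore configuration, not from the file's contents.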
