Question

我们正在运行WSO2 ESB 5.0服务器。我们希望创建一种服务，将普通SOAP消息转换为签名版本并将其传递给端点。

我们收到的消息是：

引起：org.apache.ws.security.WSSecurityException：常规安全错误（找不到用户wso2carbon的证书签名）

为什么我会收到此消息？我不明白这个意思。

更新：我发现，垒图配置中的用户应该是您要用于签名的密钥的别名。密码处理程序应该返回别名密钥的密码

synapse（wso2 esb）服务是：

    <?xml version="1.0" encoding="UTF-8"?>
    <proxy xmlns="http://ws.apache.org/ns/synapse"
           name="__mke_siging_out"
           startOnLoad="true"
           statistics="disable"
           trace="disable"
           transports="https">
       <target>
          <inSequence>
             <send>
                <endpoint>
                   <address uri="http://foo.bar.host/services/default/Echo/echo_client_ep">
                      <enableSec policy="gov:/policies/__mke_sign_out.xml"/>
                   </address>
                </endpoint>
             </send>
          </inSequence>
          <outSequence>
             <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                     action="remove"
                     name="wsse:Security"
                     scope="default"/>
             <send/>
          </outSequence>
          <faultSequence/>
       </target>
       <description/>
    </proxy>

rampart配置指向一个JKS密钥库，其中私有/ pub证书被加载并受密码保护：

<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigOnly">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference />
                                    <sp:WssX509V3Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference />
                                    <sp:WssX509V3Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256 />
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict />
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp />
                    <sp:OnlySignEntireHeadersAndBody />
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Policy>
                    <sp:MustSupportRefKeyIdentifier />
                    <sp:MustSupportRefIssuerSerial />
                </sp:Policy>
            </sp:Wss10>
            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body />
            </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
    <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
        <rampart:user>wso2carbon</rampart:user>
        <rampart:passwordCallbackClass>nl.rsg.it.igw.passwordcallback.Handler</rampart:passwordCallbackClass>
        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
        <rampart:timestampTTL>300</rampart:timestampTTL>
        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
        <rampart:timestampStrict>false</rampart:timestampStrict>
        <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
        <rampart:encryptionCrypto>
            <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
                <rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
                <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
            </rampart:crypto>
        </rampart:encryptionCrypto>
        <rampart:signatureCrypto>
            <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
                <rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
                <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
            </rampart:crypto>
        </rampart:signatureCrypto>
    </rampart:RampartConfig>
</wsp:Policy>

Answer 1

我发现，rampart配置中的用户应该是您要用于签名的密钥的别名。密码处理程序应该返回别名密码。

Rampart：使用私钥/密钥证书签署肥皂消息

1 个答案: