2 Replies Latest reply: Jun 26, 2012 8:01 PM by 945477

    Error encountered with SAML Token for inbound sync web service

    945477
      Hi,

      I am trying to use SAML (v1.1) for authenticating an inbound IB web service call to a synchronous service operation.
      If I send a basic message (with SOAPUI) without a signed SAML token (i.e. no WSSE header), it works (i.e. the server responds with the correct XML message).
      If I send a message with a signed SAML token header, I get a SOAP Fault response from the server with the error "SAML Authentication failed for Service Operation XXXX".
      Can someone advise what I am missing? The app server log shows only a single entry without much elaboration:
      PS@JavaClient IntegrationSvc](3) WssecAuthenticateIBSAML function: VerifySignature failed.

      Following are details of the logs and what I did/have.

      Tools Used: SOAPUI v4.5.0.1
      JDK 1.6 (to generate the self-signed certificate)
      Server Info: PeopleTools 8.51

      What I have done:
      - created a test service with a single synchronous service operation
      - generated a private key in the client keystore (key algo=RSA, key size=1024, sig algo=SHA1WithRSA)
      - exported the public cert to a file
      - imported the public cert into the server keystore (i.e. ..\PSIGW.war\WEB-INF\classes\interop.jks)
      - imported the public cert into Digital Certs (i.e. PIA > PeopleTools > Security > Security Objects > Digital Certs) as a Root CA
      - imported the public cert into Digital Certs (i.e. PIA > PeopleTools > Security > Security Objects > Digital Certs) as a Remote cert
      - restarted the Web and App servers
      - configured the SAML IB Setup to map the cert alias to the local server user profile
      - checked that the cert alias is set to the same value in all the keystores
      - set up SOAPUI to send the message with SAML (Form)

      ************************
      REQUEST MESSAGE - Request Message generated by SOAPUI. Replaced lengthy cert/sign binary data with '.....'
      ************************
      <soapenv:Envelope
           xmlns:n="http://xmlns.oracle.com/Enterprise/Tools/schemas/N_TEST_WS_REQ_MSG.1"
           xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
           <wsse:Security soapenv:mustUnderstand="1"
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                     wsu:Id="CertId-12B5F387F5EA1B2DAD13407218451504">MIICYzCCAcygA.....+djdAxdoHEba+
                </wsse:BinarySecurityToken>
                <saml1:Assertion AssertionID="12B5F387F5EA1B2DAD13407218448691" IssueInstant="2012-06-26T14:44:04.729Z"
                     Issuer="TEST3" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType"
                     xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                     <saml1:Conditions NotBefore="2012-06-26T14:44:04.885Z" NotOnOrAfter="2012-06-26T14:49:04.885Z"/>
                     <saml1:AuthenticationStatement AuthenticationInstant="2012-06-26T14:44:04.885Z"
                          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
                          xsi:type="saml1:AuthenticationStatementType">
                          <saml1:Subject>
                               <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="TEST.SAML">
                                    CN=TEST_SELF3, OU=TEST_SELF3, O=TEST_SELF3, L=TEST_SELF3, ST=TEST_SELF3, C=SG
                               </saml1:NameIdentifier>
                               <saml1:SubjectConfirmation>
                                    <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
                               </saml1:SubjectConfirmation>
                          </saml1:Subject>
                     </saml1:AuthenticationStatement>
                     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                          <ds:SignedInfo>
                               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                               <ds:Reference URI="#12B5F387F5EA1B2DAD13407218448691">
                                    <ds:Transforms>
                                         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                    </ds:Transforms>
                                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                    <ds:DigestValue>2zaWFj5SG+sfrMegFeRWmvPqGnM=</ds:DigestValue>
                               </ds:Reference>
                          </ds:SignedInfo>
                          <ds:SignatureValue>YMob0+KseNLn.....DY6IkxcVV1jy+9Q=</ds:SignatureValue>
                          <ds:KeyInfo>
                               <ds:X509Data>
                                    <ds:X509Certificate>MIICYzCCAcygA.....+djdAxdoHEba+</ds:X509Certificate>
                               </ds:X509Data>
                          </ds:KeyInfo>
                     </ds:Signature>
                </saml1:Assertion>
                <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                     wsu:Id="STRSAMLId-12B5F387F5EA1B2DAD13407218451505"
                     xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                     <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">
                          12B5F387F5EA1B2DAD13407218448691
                     </wsse:KeyIdentifier>
                </wsse:SecurityTokenReference>
                <ds:Signature Id="SIG-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                     <ds:SignedInfo>
                          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                               <ec:InclusiveNamespaces PrefixList="n soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                          </ds:CanonicalizationMethod>
                          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                          <ds:Reference URI="#id-184">
                               <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                         <ec:InclusiveNamespaces PrefixList="n" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                    </ds:Transform>
                               </ds:Transforms>
                               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                               <ds:DigestValue>7MYt+AgNrdj48Kl+AKGkmwj+XzA=</ds:DigestValue>
                          </ds:Reference>
                          <ds:Reference URI="#STRSAMLId-12B5F387F5EA1B2DAD13407218451505">
                               <ds:Transforms>
                                    <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                         <wsse:TransformationParameters>
                                              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                         </wsse:TransformationParameters>
                                    </ds:Transform>
                               </ds:Transforms>
                               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                               <ds:DigestValue>kXrBKY+585tz3cSgudWUnOvQvP8=</ds:DigestValue>
                          </ds:Reference>
                     </ds:SignedInfo>
                     <ds:SignatureValue>LBdNW7QAZpcvCy.....BLlhZ3rIMcuY=</ds:SignatureValue>
                     <ds:KeyInfo Id="KeyId-12B5F387F5EA1B2DAD13407218451502">
                          <wsse:SecurityTokenReference wsu:Id="STRId-12B5F387F5EA1B2DAD13407218451503">
                               <wsse:Reference URI="#CertId-12B5F387F5EA1B2DAD13407218451504"
                                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                          </wsse:SecurityTokenReference>
                     </ds:KeyInfo>
                </ds:Signature>
           </wsse:Security>
      </soapenv:Header>
      <soapenv:Body wsu:Id="id-184" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <n:N_TEST_WS_REQ_MSG>
      <n:FieldTypes>
      <!--You may enter the following 2 items in any order-->
      <n:N_WS_TEST class="R">
      <n:EMPLID type="CHAR"/>
      <n:ACAD_PROG type="CHAR"/>
      </n:N_WS_TEST>
      <n:PSCAMA class="R">
      <!--Optional:-->
      <n:LANGUAGE_CD type="CHAR"/>
      <!--Optional:-->
      <n:AUDIT_ACTN type="CHAR"/>
      <!--Optional:-->
      <n:BASE_LANGUAGE_CD type="CHAR"/>
      <!--Optional:-->
      <n:MSG_SEQ_FLG type="CHAR"/>
      <!--Optional:-->
      <n:PROCESS_INSTANCE type="NUMBER"/>
      <!--Optional:-->
      <n:PUBLISH_RULE_ID type="CHAR"/>
      <!--Optional:-->
      <n:MSGNODENAME type="CHAR"/>
      </n:PSCAMA>
      </n:FieldTypes>
      <n:MsgData>
      <!--Zero or more repetitions:-->
      <n:Transaction>
      <!--You may enter the following 2 items in any order-->
      <!--Optional:-->
      <n:N_WS_TEST class="R">
      <n:EMPLID IsChanged="?">TEST</n:EMPLID>
      <n:ACAD_PROG IsChanged="?">TEST</n:ACAD_PROG>
      </n:N_WS_TEST>
      <n:PSCAMA class="R">
      <!--Optional:-->
      <n:LANGUAGE_CD IsChanged="?">?</n:LANGUAGE_CD>
      <!--Optional:-->
      <n:AUDIT_ACTN IsChanged="?">?</n:AUDIT_ACTN>
      <!--Optional:-->
      <n:BASE_LANGUAGE_CD IsChanged="?">?</n:BASE_LANGUAGE_CD>
      <!--Optional:-->
      <n:MSG_SEQ_FLG IsChanged="?">?</n:MSG_SEQ_FLG>
      <!--Optional:-->
      <n:PROCESS_INSTANCE IsChanged="?">?</n:PROCESS_INSTANCE>
      <!--Optional:-->
      <n:PUBLISH_RULE_ID IsChanged="?">?</n:PUBLISH_RULE_ID>
      <!--Optional:-->
      <n:MSGNODENAME IsChanged="?">?</n:MSGNODENAME>
      </n:PSCAMA>
      </n:Transaction>
      </n:MsgData>
      </n:N_TEST_WS_REQ_MSG>
      </soapenv:Body>
      </soapenv:Envelope>

      ************************
      ERRORS - APPSRV_xxxx.LOG
      ************************
      Only a single line of error found in application server log:
      PSAPPSRV.620 (13) [06/26/12 00:09:46 PS@JavaClient IntegrationSvc](3) WssecAuthenticateIBSAML function: VerifySignature failed.

      ************************
      ERRORS - PIA_servletsX.LOG
      ************************
      Web server log shows normal entries:
      6/26/12 12:09:46 AM SGT     52     -2145221434     64     INFO     com.peoplesoft.pt.security.wss.PSGatewayReceiverHandler     invoke     Receiving incoming SOAP Message.
      6/26/12 12:09:46 AM SGT     53     -2145221434     64     INFO     com.peoplesoft.pt.security.wss.processor.PSSAMLTokenProcessor     handleToken     Completed SAML Token Process.
      6/26/12 12:09:46 AM SGT     54     -2145221434     64     INFO     com.peoplesoft.pt.security.wss.processor.PSSignatureProcessor     verifyXMLSignature     Verify XML Signature.
      6/26/12 12:09:46 AM SGT     55     -2145221434     64     INFO     com.peoplesoft.pt.security.wss.processor.PSSignatureProcessor     handleToken     Completed Signature Token Process.
      6/26/12 12:09:46 AM SGT     56     -2145221434     64     INFO     com.peoplesoft.pt.security.wss.PSGatewayReceiverHandler     invoke     Completed Process Received Message.

      ************************
      ERRORS - ErrorLog.html
      ************************
      ** STACK TRACE
      com.peoplesoft.pt.integrationgateway.common.GeneralFrameworkException
           at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftServiceListeningConnector.service(PeopleSoftServiceListeningConnector.java:429)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
           at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
           at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
           at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
           at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
           at com.peoplesoft.pt.integrationgateway.common.IBFilter.doFilter(IBFilter.java:85)
           at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
           at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
           at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
           at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
           at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
           at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
           at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
           at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
           at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
           at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
           
      **REQUEST RECEIVED ON SERVER
      Message-ID: <27569945.1340640586419.JavaMail.ccelaicc@w7x64>
      Date: Tue, 26 Jun 2012 00:09:46 +0800 (SGT)
      Mime-Version: 1.0
      Content-Type: multipart/related;
           boundary="----=_Part_26_26890791.1340640586378"
      Content-ID: PeopleSoft-Integration-Broker-Internal-Mime-Message
      PeopleSoft-ToolsRelease: 8.48

      ------=_Part_26_26890791.1340640586378
      Content-Type: text/plain; charset=UTF-8
      Content-Transfer-Encoding: 8bit
      Content-Disposition: inline
      Content-ID: IBInfo

      <?xml version="1.0"?><IBInfo><ExternalOperationName><![CDATA[N_GET_STD.v1]]></ExternalOperationName><HttpSession><SessionID><![CDATA[]]></SessionID></HttpSession><From><Protocol>https</Protocol><ExternalUserName><![CDATA[CN=TEST_SELF3, OU=TEST_SELF3, O=TEST_SELF3, L=TEST_SELF3, ST=TEST_SELF3, C=SG]]></ExternalUserName><WS-Security><WSTokenType><![CDATA[STSD]]></WSTokenType><WSTokenEncrypted>N</WSTokenEncrypted><WSTokenSigned>Y</WSTokenSigned><WSTokenEncryptLevel></WSTokenEncryptLevel><WSRequestAliasName><![CDATA[test_self3]]></WSRequestAliasName></WS-Security><SAML-CertAlias><![CDATA[test_self3]]></SAML-CertAlias><SAML-QualifierName><![CDATA[TEST.SAML]]></SAML-QualifierName><SAML-Issuer><![CDATA[TEST3]]></SAML-Issuer><SAML-SubjectName><![CDATA[CN=TEST_SELF3, OU=TEST_SELF3, O=TEST_SELF3, L=TEST_SELF3, ST=TEST_SELF3, C=SG]]></SAML-SubjectName><SAML-Signature><![CDATA[Vn7YdLdZHo3G/fQoic+gsaKu5OlFj+d+pZ9vMYMziwDSZq0HnuJmdvF6fV6WBwf5rL1sX/OCopiAZg7Y9f6QnKlH742xD9rGvEmhj4gCGwqj0BH6Ym0lj6wy5dhDlNxs9ni9WZGK5bz2e39pEkzQoXhor/vw+GGRWIexDjXg1vw=]]></SAML-Signature><SAML-TokenData>***deleted for security purposes****</SAML-TokenData></From><ContentSections><ContentSection><ID>ContentSection0</ID><NonRepudiation>N</NonRepudiation><Headers><Content-Type><![CDATA[text/xml;charset=UTF-8]]></Content-Type><Accept-Encoding><![CDATA[gzip,deflate]]></Accept-Encoding><SOAPAction><![CDATA["N_GET_STD.v1"]]></SOAPAction><Host><![CDATA[localhost]]></Host><Connection><![CDATA[Keep-Alive]]></Connection><User-Agent><![CDATA[Apache-HttpClient/4.1.1 (java 1.5)]]></User-Agent></Headers></ContentSection></ContentSections><AttachmentSection ResponseAsAttachment="N"></AttachmentSection></IBInfo>
      ------=_Part_26_26890791.1340640586378
      Content-Type: text/plain; charset=UTF-8
      Content-Transfer-Encoding: 8bit
      Content-Disposition: inline
      Content-ID: ContentSection0

      <?xml version="1.0"?>
      <n:N_TEST_WS_REQ_MSG xmlns:n="http://xmlns.oracle.com/Enterprise/Tools/schemas/N_TEST_WS_REQ_MSG.1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <n:FieldTypes>
           .....
      </n:MsgData>
      </n:N_TEST_WS_REQ_MSG>

      **RESPONSE FROM SERVER
      SOAP FAULT with message "SAML Authentication failed for Service Operation"
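The gateway log only says "VerifySignature failed", which does not tell you whether the enveloped signature on the saml1:Assertion is broken as such (digest or reference resolution problem) or whether it simply does not verify under the certificate the gateway looked up by alias. The following stand-alone Java program, an added example that is not part of this thread and not PeopleSoft code, separates those two cases with the JDK's own XML-DSig API (javax.xml.crypto.dsig): it first validates the assertion signature against the certificate embedded in ds:KeyInfo, printing per-reference digest results when it fails, and then validates it again against the certificate stored under an alias in the gateway keystore. The request file, keystore path, password and alias are command-line arguments and are assumptions; `interop.jks` and `test_self3` in the usage comment are taken from the post above. Because the request uses rsa-sha1, recent JDKs reject it under their default secure-validation policy; the program switches that policy off for this diagnostic only, to match what a 2012-era JDK 1.6 gateway would have accepted.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Usage (paths and alias are assumptions, not values the gateway requires):
 *   java SamlAssertionSignatureCheck request.xml interop.jks changeit test_self3
 */
public class SamlAssertionSignatureCheck {
    static final String SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML-DSig is namespace based; without this nothing is found
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));

        Element assertion = (Element) doc.getElementsByTagNameNS(SAML1, "Assertion").item(0);
        // Register AssertionID as an ID attribute, otherwise Reference URI="#<AssertionID>"
        // cannot be resolved and validation fails before any cryptography happens.
        assertion.setIdAttribute("AssertionID", true);

        // The enveloped signature is the ds:Signature child of the assertion itself.
        Element sigEl = (Element) assertion
                .getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        // Step 1: validate with the certificate carried in ds:KeyInfo/ds:X509Data.
        DOMValidateContext ctx = new DOMValidateContext(new X509DataKeySelector(), sigEl);
        allowSha1ForDiagnostic(ctx);
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        boolean validWithEmbeddedCert = sig.validate(ctx);
        System.out.println("valid with embedded cert: " + validWithEmbeddedCert);
        if (!validWithEmbeddedCert) {
            // Tells a broken SignatureValue apart from a digest/transform mismatch.
            System.out.println("  SignatureValue ok: " + sig.getSignatureValue().validate(ctx));
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference r = (Reference) o;
                System.out.println("  reference " + r.getURI() + " digest ok: " + r.validate(ctx));
            }
        }

        // Step 2: validate with the certificate the gateway would use: the keystore alias.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        X509Certificate trusted = (X509Certificate) ks.getCertificate(args[3]);
        if (trusted == null) {
            System.out.println("alias " + args[3] + " not found in " + args[1]);
            return;
        }
        DOMValidateContext ctx2 = new DOMValidateContext(trusted.getPublicKey(), sigEl);
        allowSha1ForDiagnostic(ctx2);
        boolean validWithAlias = fac.unmarshalXMLSignature(ctx2).validate(ctx2);
        System.out.println("valid with keystore alias " + args[3] + ": " + validWithAlias);
        System.out.println("keystore cert subject: " + trusted.getSubjectX500Principal());
    }

    /** Recent JDKs refuse rsa-sha1 signatures by default; relax only for this offline check. */
    static void allowSha1ForDiagnostic(DOMValidateContext ctx) {
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);
    }

    /** Picks the public key of the first X509Certificate found in ds:KeyInfo. */
    static class X509DataKeySelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext context) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("no ds:KeyInfo");
            for (Object item : keyInfo.getContent()) {
                if (!(item instanceof X509Data)) continue;
                for (Object x : ((X509Data) item).getContent()) {
                    if (x instanceof X509Certificate) {
                        final PublicKey pk = ((X509Certificate) x).getPublicKey();
                        return new KeySelectorResult() {
                            public java.security.Key getKey() { return pk; }
                        };
                    }
                }
            }
            throw new KeySelectorException("no X509Certificate in ds:KeyInfo");
        }
    }
}
```

Reading the two results together: "valid with embedded cert: true" but "valid with keystore alias: false" means the message is intact and the problem is the key the gateway trusts for that alias (wrong cert under the alias, or the alias mapped to a different user profile); "valid with embedded cert: false" with a failing reference digest points at the client side, typically the assertion being modified after signing or an unexpected canonicalization, and has nothing to do with the keystore.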