2 Replies Latest reply: Jun 26, 2012 6:01 PM by 945477

Error encountered with SAML Token for inbound sync web service

945477 Newbie
Hi,

I am trying to use SAML (v1.1) to authenticate an inbound IB web service call to a synchronous service operation.
If I send a basic message (with SOAPUI) without a signed SAML token (i.e. no WSSE header), it works (i.e. the server responds with the correct XML message).
If I send a message with a signed SAML token header, I get a SOAP Fault response from the server with the error "SAML Authentication failed for Service Operation XXXX".
Can someone advise what I am missing? The app server log shows only a single entry without much elaboration:
PS@JavaClient IntegrationSvc](3) WssecAuthenticateIBSAML function: VerifySignature failed.

Following are details of the logs and what I did/have.

Tools Used: SOAPUI v4.5.0.1
JDK 1.6 (Generate self-signed certificate)
Server Info: Peopletools 8.51

What I have done:
- Created a test service with a single synchronous service operation
- Generated a private key in the client keystore (key algo=RSA, key size=1024, sig algo=SHA1WithRSA)
- Exported the public cert to a file
- Imported the public cert into the server keystore (i.e. ..\PSIGW.war\WEB-INF\classes\interop.jks)
- Imported the public cert into digital certs (i.e. PIA > Peopletools > Security > Security Objects > Digital Certs) as Root CA
- Imported the public cert into digital certs (i.e. PIA > Peopletools > Security > Security Objects > Digital Certs) as Remote cert
- Restarted web and app servers
- Configured SAML IB Setup to map the cert alias to a local server user profile
- Checked that the cert alias is set the same in all the keystores
- Set up SOAPUI to send the message with SAML (Form)

************************
REQUEST MESSAGE - Request message generated by SOAPUI. Replaced lengthy cert/signature binary data with '.....'
************************
<soapenv:Envelope
     xmlns:n="http://xmlns.oracle.com/Enterprise/Tools/schemas/N_TEST_WS_REQ_MSG.1"
     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
     <wsse:Security soapenv:mustUnderstand="1"
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
               ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
               wsu:Id="CertId-12B5F387F5EA1B2DAD13407218451504">MIICYzCCAcygA.....+djdAxdoHEba+
          </wsse:BinarySecurityToken>
          <saml1:Assertion AssertionID="12B5F387F5EA1B2DAD13407218448691" IssueInstant="2012-06-26T14:44:04.729Z"
               Issuer="TEST3" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType"
               xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
               <saml1:Conditions NotBefore="2012-06-26T14:44:04.885Z" NotOnOrAfter="2012-06-26T14:49:04.885Z"/>
               <saml1:AuthenticationStatement AuthenticationInstant="2012-06-26T14:44:04.885Z"
                    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
                    xsi:type="saml1:AuthenticationStatementType">
                    <saml1:Subject>
                         <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="TEST.SAML">
                              CN=TEST_SELF3, OU=TEST_SELF3, O=TEST_SELF3, L=TEST_SELF3, ST=TEST_SELF3, C=SG
                         </saml1:NameIdentifier>
                         <saml1:SubjectConfirmation>
                              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
                         </saml1:SubjectConfirmation>
                    </saml1:Subject>
               </saml1:AuthenticationStatement>
               <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:SignedInfo>
                         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                         <ds:Reference URI="#12B5F387F5EA1B2DAD13407218448691">
                              <ds:Transforms>
                                   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                              </ds:Transforms>
                              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                              <ds:DigestValue>2zaWFj5SG+sfrMegFeRWmvPqGnM=</ds:DigestValue>
                         </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>YMob0+KseNLn.....DY6IkxcVV1jy+9Q=</ds:SignatureValue>
                    <ds:KeyInfo>
                         <ds:X509Data>
                              <ds:X509Certificate>MIICYzCCAcygA.....+djdAxdoHEba+</ds:X509Certificate>
                         </ds:X509Data>
                    </ds:KeyInfo>
               </ds:Signature>
          </saml1:Assertion>
          <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
               wsu:Id="STRSAMLId-12B5F387F5EA1B2DAD13407218451505"
               xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
               <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">
                    12B5F387F5EA1B2DAD13407218448691
               </wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
          <ds:Signature Id="SIG-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                         <ec:InclusiveNamespaces PrefixList="n soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#id-184">
                         <ds:Transforms>
                              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                   <ec:InclusiveNamespaces PrefixList="n" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                              </ds:Transform>
                         </ds:Transforms>
                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                         <ds:DigestValue>7MYt+AgNrdj48Kl+AKGkmwj+XzA=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#STRSAMLId-12B5F387F5EA1B2DAD13407218451505">
                         <ds:Transforms>
                              <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                   <wsse:TransformationParameters>
                                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                   </wsse:TransformationParameters>
                              </ds:Transform>
                         </ds:Transforms>
                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                         <ds:DigestValue>kXrBKY+585tz3cSgudWUnOvQvP8=</ds:DigestValue>
                    </ds:Reference>
               </ds:SignedInfo>
               <ds:SignatureValue>LBdNW7QAZpcvCy.....BLlhZ3rIMcuY=</ds:SignatureValue>
               <ds:KeyInfo Id="KeyId-12B5F387F5EA1B2DAD13407218451502">
                    <wsse:SecurityTokenReference wsu:Id="STRId-12B5F387F5EA1B2DAD13407218451503">
                         <wsse:Reference URI="#CertId-12B5F387F5EA1B2DAD13407218451504"
                              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse:SecurityTokenReference>
               </ds:KeyInfo>
          </ds:Signature>
     </wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-184" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<n:N_TEST_WS_REQ_MSG>
<n:FieldTypes>
<!--You may enter the following 2 items in any order-->
<n:N_WS_TEST class="R">
<n:EMPLID type="CHAR"/>
<n:ACAD_PROG type="CHAR"/>
</n:N_WS_TEST>
<n:PSCAMA class="R">
<!--Optional:-->
<n:LANGUAGE_CD type="CHAR"/>
<!--Optional:-->
<n:AUDIT_ACTN type="CHAR"/>
<!--Optional:-->
<n:BASE_LANGUAGE_CD type="CHAR"/>
<!--Optional:-->
<n:MSG_SEQ_FLG type="CHAR"/>
<!--Optional:-->
<n:PROCESS_INSTANCE type="NUMBER"/>
<!--Optional:-->
<n:PUBLISH_RULE_ID type="CHAR"/>
<!--Optional:-->
<n:MSGNODENAME type="CHAR"/>
</n:PSCAMA>
</n:FieldTypes>
<n:MsgData>
<!--Zero or more repetitions:-->
<n:Transaction>
<!--You may enter the following 2 items in any order-->
<!--Optional:-->
<n:N_WS_TEST class="R">
<n:EMPLID IsChanged="?">TEST</n:EMPLID>
<n:ACAD_PROG IsChanged="?">TEST</n:ACAD_PROG>
</n:N_WS_TEST>
<n:PSCAMA class="R">
<!--Optional:-->
<n:LANGUAGE_CD IsChanged="?">?</n:LANGUAGE_CD>
<!--Optional:-->
<n:AUDIT_ACTN IsChanged="?">?</n:AUDIT_ACTN>
<!--Optional:-->
<n:BASE_LANGUAGE_CD IsChanged="?">?</n:BASE_LANGUAGE_CD>
<!--Optional:-->
<n:MSG_SEQ_FLG IsChanged="?">?</n:MSG_SEQ_FLG>
<!--Optional:-->
<n:PROCESS_INSTANCE IsChanged="?">?</n:PROCESS_INSTANCE>
<!--Optional:-->
<n:PUBLISH_RULE_ID IsChanged="?">?</n:PUBLISH_RULE_ID>
<!--Optional:-->
<n:MSGNODENAME IsChanged="?">?</n:MSGNODENAME>
</n:PSCAMA>
</n:Transaction>
</n:MsgData>
</n:N_TEST_WS_REQ_MSG>
</soapenv:Body>
</soapenv:Envelope>

************************
ERRORS - APPSRV_xxxx.LOG
************************
Only a single error line is found in the application server log:
PSAPPSRV.620 (13) [06/26/12 00:09:46 PS@JavaClient IntegrationSvc](3) WssecAuthenticateIBSAML function: VerifySignature failed.

************************
ERRORS - PIA_servletsX.LOG
************************
The web server log shows normal entries:
6/26/12 12:09:46 AM SGT     52     -2145221434     64     INFO     com.peoplesoft.pt.security.wss.PSGatewayReceiverHandler     invoke     Receiving incoming SOAP Message.
6/26/12 12:09:46 AM SGT     53     -2145221434     64     INFO     com.peoplesoft.pt.security.wss.processor.PSSAMLTokenProcessor     handleToken     Completed SAML Token Process.
6/26/12 12:09:46 AM SGT     54     -2145221434     64     INFO     com.peoplesoft.pt.security.wss.processor.PSSignatureProcessor     verifyXMLSignature     Verify XML Signature.
6/26/12 12:09:46 AM SGT     55     -2145221434     64     INFO     com.peoplesoft.pt.security.wss.processor.PSSignatureProcessor     handleToken     Completed Signature Token Process.
6/26/12 12:09:46 AM SGT     56     -2145221434     64     INFO     com.peoplesoft.pt.security.wss.PSGatewayReceiverHandler     invoke     Completed Process Received Message.

************************
ERRORS - ErrorLog.html
************************
** STACK TRACE
com.peoplesoft.pt.integrationgateway.common.GeneralFrameworkException
     at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftServiceListeningConnector.service(PeopleSoftServiceListeningConnector.java:429)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
     at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
     at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
     at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
     at com.peoplesoft.pt.integrationgateway.common.IBFilter.doFilter(IBFilter.java:85)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
     at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
     at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
     at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
     
**REQUEST RECEIVED ON SERVER
Message-ID: <27569945.1340640586419.JavaMail.ccelaicc@w7x64>
Date: Tue, 26 Jun 2012 00:09:46 +0800 (SGT)
Mime-Version: 1.0
Content-Type: multipart/related;
     boundary="----=_Part_26_26890791.1340640586378"
Content-ID: PeopleSoft-Integration-Broker-Internal-Mime-Message
PeopleSoft-ToolsRelease: 8.48

------=_Part_26_26890791.1340640586378
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Content-ID: IBInfo

<?xml version="1.0"?><IBInfo><ExternalOperationName><![CDATA[N_GET_STD.v1]]></ExternalOperationName><HttpSession><SessionID><![CDATA[]]></SessionID></HttpSession><From><Protocol>https</Protocol><ExternalUserName><![CDATA[CN=TEST_SELF3, OU=TEST_SELF3, O=TEST_SELF3, L=TEST_SELF3, ST=TEST_SELF3, C=SG]]></ExternalUserName><WS-Security><WSTokenType><![CDATA[STSD]]></WSTokenType><WSTokenEncrypted>N</WSTokenEncrypted><WSTokenSigned>Y</WSTokenSigned><WSTokenEncryptLevel></WSTokenEncryptLevel><WSRequestAliasName><![CDATA[test_self3]]></WSRequestAliasName></WS-Security><SAML-CertAlias><![CDATA[test_self3]]></SAML-CertAlias><SAML-QualifierName><![CDATA[TEST.SAML]]></SAML-QualifierName><SAML-Issuer><![CDATA[TEST3]]></SAML-Issuer><SAML-SubjectName><![CDATA[CN=TEST_SELF3, OU=TEST_SELF3, O=TEST_SELF3, L=TEST_SELF3, ST=TEST_SELF3, C=SG]]></SAML-SubjectName><SAML-Signature><![CDATA[Vn7YdLdZHo3G/fQoic+gsaKu5OlFj+d+pZ9vMYMziwDSZq0HnuJmdvF6fV6WBwf5rL1sX/OCopiAZg7Y9f6QnKlH742xD9rGvEmhj4gCGwqj0BH6Ym0lj6wy5dhDlNxs9ni9WZGK5bz2e39pEkzQoXhor/vw+GGRWIexDjXg1vw=]]></SAML-Signature><SAML-TokenData>***deleted for security purposes****</SAML-TokenData></From><ContentSections><ContentSection><ID>ContentSection0</ID><NonRepudiation>N</NonRepudiation><Headers><Content-Type><![CDATA[text/xml;charset=UTF-8]]></Content-Type><Accept-Encoding><![CDATA[gzip,deflate]]></Accept-Encoding><SOAPAction><![CDATA["N_GET_STD.v1"]]></SOAPAction><Host><![CDATA[localhost]]></Host><Connection><![CDATA[Keep-Alive]]></Connection><User-Agent><![CDATA[Apache-HttpClient/4.1.1 (java 1.5)]]></User-Agent></Headers></ContentSection></ContentSections><AttachmentSection ResponseAsAttachment="N"></AttachmentSection></IBInfo>
------=_Part_26_26890791.1340640586378
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Content-ID: ContentSection0

<?xml version="1.0"?>
<n:N_TEST_WS_REQ_MSG xmlns:n="http://xmlns.oracle.com/Enterprise/Tools/schemas/N_TEST_WS_REQ_MSG.1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<n:FieldTypes>
     .....
</n:MsgData>
</n:N_TEST_WS_REQ_MSG>

**RESPONSE FROM SERVER
SOAP FAULT with message "SAML Authentication failed for Service Operation"
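Added example, not part of the original post and not PeopleSoft code: a stdlib-only Python pre-flight check that a receiver (or a sender debugging a rejected request) can run over a WS-Security SAML 1.1 sender-vouches message like the one above. It checks the structural preconditions that must hold before signature verification can succeed: the assertion's enveloped signature references its own AssertionID, the Conditions window covers the receiver's clock, and the message signature covers both the Body and the SecurityTokenReference that names the assertion. The sample message, element IDs and `check_request` function are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {  # namespace URIs exactly as they appear in the posted request
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
STAMP = "%Y-%m-%dT%H:%M:%S.%fZ"  # SAML timestamps in the request look like 2012-06-26T14:44:04.885Z
def check_request(xml_text, now):
    """Return findings for a request (empty list = static checks pass); `now` is a UTC STAMP string."""
    root = ET.fromstring(xml_text)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    assertion = sec.find("saml1:Assertion", NS)
    aid, findings = assertion.get("AssertionID"), []
    # 1. The enveloped signature inside the assertion must reference the assertion's own ID.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + aid:
        findings.append("assertion signature Reference URI does not match AssertionID")
    # 2. The receiver tests the Conditions window against its own clock, so clock skew matters.
    cond = assertion.find("saml1:Conditions", NS)
    nb, na, at = (datetime.strptime(s, STAMP) for s in (cond.get("NotBefore"), cond.get("NotOnOrAfter"), now))
    if not nb <= at < na:
        findings.append("assertion outside NotBefore/NotOnOrAfter window")
    # 3. Sender-vouches binds the assertion to the message only via the message signature over Body + STR.
    if assertion.findtext(".//saml1:ConfirmationMethod", namespaces=NS) == SENDER_VOUCHES:
        str_el = sec.find("wsse:SecurityTokenReference", NS)
        if str_el.findtext("wsse:KeyIdentifier", namespaces=NS).strip() != aid:
            findings.append("SecurityTokenReference KeyIdentifier does not name the assertion")
        covered = {r.get("URI") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
        for needed in ("#" + root.find("soapenv:Body", NS).get(WSU_ID), "#" + str_el.get(WSU_ID)):
            if needed not in covered:
                findings.append("message signature does not cover " + needed)
    return findings
# Constructed sample mirroring the posted request's structure; certificate and signature values elided.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
 xmlns:saml1="%(saml1)s" xmlns:ds="%(ds)s"><soapenv:Header><wsse:Security>
<saml1:Assertion AssertionID="A1" Issuer="TEST3" MajorVersion="1" MinorVersion="1">
<saml1:Conditions NotBefore="2012-06-26T14:44:04.885Z" NotOnOrAfter="2012-06-26T14:49:04.885Z"/>
<saml1:AuthenticationStatement><saml1:Subject><saml1:NameIdentifier>CN=TEST_SELF3</saml1:NameIdentifier><saml1:SubjectConfirmation>
<saml1:ConfirmationMethod>%(cm)s</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#A1"/></ds:SignedInfo></ds:Signature></saml1:Assertion>
<wsse:SecurityTokenReference wsu:Id="STR-1"><wsse:KeyIdentifier>A1</wsse:KeyIdentifier></wsse:SecurityTokenReference>
<ds:Signature Id="SIG-1"><ds:SignedInfo><ds:Reference URI="#id-184"/><ds:Reference URI="#STR-1"/>
</ds:SignedInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-184"/></soapenv:Envelope>""" % dict(NS, cm=SENDER_VOUCHES)
```

These checks do no cryptography, so a clean result still leaves the signature maths and the keystore trust lookup (cert alias to user profile) to the real receiver; a non-empty result explains a rejection before those steps are reached.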