2 Replies Latest reply on May 29, 2013 1:48 AM by litpuvn

    SSL > incoming msg not SSL enabled

    litpuvn
      Hi All,

      I am trying to implement SSL for my web service and write a client to consume the server.

      I generated a keystore and added it to the trusted list as recommended.

      But when I run my client, the following error occurs:

      compile-single:
      run-single:
      May 28, 2013 4:35:05 PM [com.sun.xml.internal.ws.policy.EffectiveAlternativeSelector]  selectAlternatives
      WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding" was evaluated as "UNKNOWN".
      May 28, 2013 4:35:05 PM [com.sun.xml.internal.ws.policy.EffectiveAlternativeSelector]  selectAlternatives
      WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10" was evaluated as "UNKNOWN".
      May 28, 2013 4:35:05 PM [com.sun.xml.internal.ws.policy.EffectiveAlternativeSelector]  selectAlternatives
      WARNING: WSP0019: Suboptimal policy alternative selected on the client side with fitness "PARTIALLY_SUPPORTED".
      ***
      found key for : xws-security-server
      chain [0] = [
      [
        Version: V3
        Subject: CN=xwssecurityserver, OU=SUN, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
        Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
      
        Key:  Sun RSA public key, 1024 bits
        modulus: 134380884586947569142825510026957928705259114787295999460299304319999556741376176410521840240185200127360341811174579859559994224484465126310840116632395426094038541933377168542195870651060761615431789862699562179055428897933368389743032967628136767342402913821910863199535693252320451216466183837201122780179
        public exponent: 65537
        Validity: [From: Mon Mar 12 17:18:05 ICT 2007,
                     To: Thu Mar 09 17:18:05 ICT 2017]
        Issuer: CN=SUNCA, OU=JWS, O=SUN, ST=Some-State, C=AU
        SerialNumber: [    02]
      
      Certificate Extensions: 4
      [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
      Extension unknown: DER encoded OCTET string =
      0000: 04 1F 16 1D 4F 70 65 6E   53 53 4C 20 47 65 6E 65  ....OpenSSL Gene
      0010: 72 61 74 65 64 20 43 65   72 74 69 66 69 63 61 74  rated Certificat
      0020: 65                                                 e
      
      
      [2]: ObjectId: 2.5.29.35 Criticality=false
      AuthorityKeyIdentifier [
      KeyIdentifier [
      0000: 67 BA 65 C6 CE 95 C8 E3   8E 4D 21 72 A2 30 D5 D3  g.e......M!r.0..
      0010: F6 18 8C 95                                        ....
      ]
      [CN=SUNCA, OU=JWS, O=SUN, ST=Some-State, C=AU]
      SerialNumber: [    db1e425a aba2a28e]
      ]
      
      [3]: ObjectId: 2.5.29.19 Criticality=false
      BasicConstraints:[
        CA:false
        PathLen: undefined
      ]
      
      [4]: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 75 51 36 F7 2B 32 15 6F   E2 0F 59 5A DD D7 5E 3F  uQ6.+2.o..YZ..^?
      0010: 33 3A 21 6A                                        3:!j
      ]
      ]
      
      ]
        Algorithm: [MD5withRSA]
      
      ]
      ***
      
      ***
      found key for : s1as
      chain [0] = [
      [
        Version: V3
        Subject: CN=PC-201203140816, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
        Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
      
        Key:  Sun RSA public key, 2048 bits
        modulus: 28400613207294617681010945908603413267104853798461554944576952700520255684028669643165870070168328655476584842153676908571504869540350981114848199659458099354201173778188200812855447593075171675833688335827365185370722252675616679491984303385952415700429186644367414120555799053824229294291823666644335816203670319118177305999099976030541741764487787493343695249356879024059678970565112410741755490642744680765718861124221082659028236260426335272972131613635099450603286488429394425028471716654135639573217796607854088594755542510609229923552878196284910805623086475496682253964652613821088797660209722295694019944313
        public exponent: 65537
        Validity: [From: Wed Nov 07 14:16:16 ICT 2012,
                     To: Sat Nov 05 14:16:16 ICT 2022]
        Issuer: CN=PC-201203140816, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
        SerialNumber: [    03c2af57]
      
      Certificate Extensions: 1
      [1]: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 14 F2 0B D0 8B E4 65 B1   FA FE 00 8C 48 D2 E0 F2  ......e.....H...
      0010: 91 BD 97 54                                        ...T
      ]
      ]
      
      ]
        Algorithm: [SHA256withRSA]
      
      ]
      ***
      trigger seeding of SecureRandom
      done seeding SecureRandom
      keyStore is : 
      keyStore type is : jks
      keyStore provider is : 
      init keystore
      init keymanager of type SunX509
      trustStore is: cacerts.jks
      trustStore type is : jks
      trustStore provider is : 
      init truststore
      adding as trusted cert:
        Subject: CN=SUNCA, OU=JWS, O=SUN, ST=Some-State, C=AU
        Issuer:  CN=SUNCA, OU=JWS, O=SUN, ST=Some-State, C=AU
        Algorithm: RSA; Serial number: 0x9436d26db68dd3b8
        Valid from Wed Mar 12 14:13:29 ICT 2008 until Tue Mar 07 14:13:29 ICT 2028
      
      adding as trusted cert:
        Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
        Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
        Algorithm: RSA; Serial number: 0x4eb200670c035d4f
        Valid from Wed Oct 25 15:36:00 ICT 2006 until Sat Oct 25 15:36:00 ICT 2036
      
      *** adding as trusted cert: a lot more here ***
      Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
      Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
      
      *** ECDH ServerKeyExchange
      Server key: Sun EC public key, 256 bits
        public x coord: 13092472382617897418680293553019695575657838247487389413277426788203849920781
        public y coord: 105606623941038948933956148662962940949343598467647948644145571700946524577823
        parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
      *** ServerHelloDone
      *** ECDHClientKeyExchange
      ECDH Public value:  { 4, 22, 21, 243, 176, 119, 103, 69, 3, 0, 60, 107, 190, 75, 0, 165, 231, 165, 73, 206, 254, 6, 45, 218, 106, 171, 155, 200, 47, 237, 13, 192, 209, 35, 152, 226, 186, 243, 240, 178, 103, 216, 120, 104, 31, 141, 122, 47, 150, 60, 95, 178, 234, 133, 30, 150, 71, 220, 92, 62, 31, 161, 232, 0, 19 }
      main, WRITE: TLSv1 Handshake, length = 70
      main, WRITE: TLSv1 Change Cipher Spec, length = 1
      *** Finished
      verify_data:  { 45, 95, 97, 253, 48, 127, 125, 37, 184, 78, 31, 147 }
      ***
      main, WRITE: TLSv1 Handshake, length = 48
      main, READ: TLSv1 Change Cipher Spec, length = 1
      main, READ: TLSv1 Handshake, length = 48
      *** Finished
      verify_data:  { 199, 52, 80, 221, 97, 96, 121, 209, 107, 244, 183, 239 }
      ***
      %% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
      main, WRITE: TLSv1 Application Data, length = 320
      main, WRITE: TLSv1 Application Data, length = 32
      main, WRITE: TLSv1 Application Data, length = 2560
      main, READ: TLSv1 Application Data, length = 784
      main, READ: TLSv1 Application Data, length = 32
      main, READ: TLSv1 Application Data, length = 400
      main, READ: TLSv1 Application Data, length = 32
      main, READ: TLSv1 Application Data, length = 32
      main, called close()
      main, called closeInternal(true)
      main, SEND TLSv1 ALERT:  warning, description = close_notify
      main, WRITE: TLSv1 Alert, length = 32
      main, called closeSocket(selfInitiated)
      Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Invalid Security Header
           at com.sun.xml.internal.ws.fault.SOAP12Fault.getProtocolException(SOAP12Fault.java:214)
           at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:111)
           at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108)
           at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
           at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:129)
           at $Proxy41.mssSignature(Unknown Source)
           at vtcaclient.SignClient.testMSSSignature(SignClient.java:281)
           at vtcaclient.SignClient.main(SignClient.java:117)
      Java Result: 1
      BUILD SUCCESSFUL (total time: 3 seconds)
      And the server error log is:
      SEVERE: WSS1601: Security Requirements not met - Transport binding configured in policy but incoming message was not SSL enabled
      SEVERE: WSITPVD0035: Error in Verifying Security in Inbound Message.
      com.sun.xml.wss.impl.XWSSecurityRuntimeException: WSS1601: Security Requirements not met - Transport binding configured in policy but incoming message was not SSL enabled
           at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:125)
           at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1003)
           at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:248)
           at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:588)
           at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:361)
           at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:264)
      I googled around but I have not succeeded with any solution.

      I don't know if you know what exactly the problem is from the log, and a workaround.

      Thank you for your help.

      P.S.: I am running Java 7, GlassFish 3.1.2.2 for my server

      -HL
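
A triage pass over the client trace above, as an added example that is not part of the original post: it reads `javax.net.debug`-style output, reports whether application data left the client inside an established TLS session, captures the SOAP fault, and flags keystore entries with an MD5/SHA-1 signature or an RSA key under 2048 bits. The excerpt is constructed from lines in the posted log; `summarize` and its field names are hypothetical.

```python
import re

# Constructed excerpt in the format of the javax.net.debug output quoted in the post.
SAMPLE_LOG = """\
found key for : xws-security-server
  Subject: CN=xwssecurityserver, OU=SUN, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key:  Sun RSA public key, 1024 bits
found key for : s1as
  Subject: CN=PC-201203140816, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key:  Sun RSA public key, 2048 bits
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, WRITE: TLSv1 Application Data, length = 320
main, READ: TLSv1 Application Data, length = 784
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Invalid Security Header
"""

WEAK_SIG = ("MD5with", "SHA1with")   # signature hashes no longer considered safe
MIN_RSA_BITS = 2048

def summarize(log):
    """Weak keystore entries plus client-side TLS facts; client_used_tls means app data went out in a TLS session."""
    keys, current = [], None
    out = {"suite": None, "protocols": set(), "app_records": 0, "soap_fault": None}
    for line in log.splitlines():
        line = line.strip()
        if m := re.match(r"found key for : (\S+)", line):
            current = {"alias": m.group(1), "issues": []}
            keys.append(current)
        elif current and (m := re.match(r"Signature Algorithm: (\w+)", line)):
            if m.group(1).startswith(WEAK_SIG):
                current["issues"].append("weak signature " + m.group(1))
        elif current and (m := re.match(r"Key:\s+Sun RSA public key, (\d+) bits", line)):
            if int(m.group(1)) < MIN_RSA_BITS:
                current["issues"].append("RSA key %s bits" % m.group(1))
        elif m := re.match(r"%% Cached client session: \[[^,]+, (\w+)\]", line):
            out["suite"] = m.group(1)
        elif m := re.match(r"\w+, (?:READ|WRITE): (\S+) Application Data", line):
            out["protocols"].add(m.group(1))
            out["app_records"] += 1
        elif m := re.search(r"SOAPFaultException: (.+)", line):
            out["soap_fault"] = m.group(1)
    out["weak_keys"] = {k["alias"]: k["issues"] for k in keys if k["issues"]}
    out["client_used_tls"] = out["suite"] is not None and out["app_records"] > 0
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On this excerpt the client side reports a completed TLSv1 session carrying application data, with the failure surfacing as a SOAP fault rather than a handshake error, and the `xws-security-server` entry is flagged for both its signature algorithm and key size.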