2 Replies. Latest reply: May 28, 2013 8:48 PM by 859967

    SSL > incoming msg not SSL enabled

    859967
      Hi All,

      I am trying to implement SSL for my web service and write a client to consume the server.

      I generated a keystore and added it to the trusted list as recommended.

      But when I run my client, the following error occurs:

      compile-single:
      run-single:
      May 28, 2013 4:35:05 PM [com.sun.xml.internal.ws.policy.EffectiveAlternativeSelector]  selectAlternatives
      WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding" was evaluated as "UNKNOWN".
      May 28, 2013 4:35:05 PM [com.sun.xml.internal.ws.policy.EffectiveAlternativeSelector]  selectAlternatives
      WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10" was evaluated as "UNKNOWN".
      May 28, 2013 4:35:05 PM [com.sun.xml.internal.ws.policy.EffectiveAlternativeSelector]  selectAlternatives
      WARNING: WSP0019: Suboptimal policy alternative selected on the client side with fitness "PARTIALLY_SUPPORTED".
      ***
      found key for : xws-security-server
      chain [0] = [
      [
        Version: V3
        Subject: CN=xwssecurityserver, OU=SUN, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
        Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
      
        Key:  Sun RSA public key, 1024 bits
        modulus: 134380884586947569142825510026957928705259114787295999460299304319999556741376176410521840240185200127360341811174579859559994224484465126310840116632395426094038541933377168542195870651060761615431789862699562179055428897933368389743032967628136767342402913821910863199535693252320451216466183837201122780179
        public exponent: 65537
        Validity: [From: Mon Mar 12 17:18:05 ICT 2007,
                     To: Thu Mar 09 17:18:05 ICT 2017]
        Issuer: CN=SUNCA, OU=JWS, O=SUN, ST=Some-State, C=AU
        SerialNumber: [    02]
      
      Certificate Extensions: 4
      [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
      Extension unknown: DER encoded OCTET string =
      0000: 04 1F 16 1D 4F 70 65 6E   53 53 4C 20 47 65 6E 65  ....OpenSSL Gene
      0010: 72 61 74 65 64 20 43 65   72 74 69 66 69 63 61 74  rated Certificat
      0020: 65                                                 e
      
      
      [2]: ObjectId: 2.5.29.35 Criticality=false
      AuthorityKeyIdentifier [
      KeyIdentifier [
      0000: 67 BA 65 C6 CE 95 C8 E3   8E 4D 21 72 A2 30 D5 D3  g.e......M!r.0..
      0010: F6 18 8C 95                                        ....
      ]
      [CN=SUNCA, OU=JWS, O=SUN, ST=Some-State, C=AU]
      SerialNumber: [    db1e425a aba2a28e]
      ]
      
      [3]: ObjectId: 2.5.29.19 Criticality=false
      BasicConstraints:[
        CA:false
        PathLen: undefined
      ]
      
      [4]: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 75 51 36 F7 2B 32 15 6F   E2 0F 59 5A DD D7 5E 3F  uQ6.+2.o..YZ..^?
      0010: 33 3A 21 6A                                        3:!j
      ]
      ]
      
      ]
        Algorithm: [MD5withRSA]
        Signature:
      
      ]
      ***
      
      ***
      found key for : s1as
      chain [0] = [
      [
        Version: V3
        Subject: CN=PC-201203140816, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
        Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
      
        Key:  Sun RSA public key, 2048 bits
        modulus: 28400613207294617681010945908603413267104853798461554944576952700520255684028669643165870070168328655476584842153676908571504869540350981114848199659458099354201173778188200812855447593075171675833688335827365185370722252675616679491984303385952415700429186644367414120555799053824229294291823666644335816203670319118177305999099976030541741764487787493343695249356879024059678970565112410741755490642744680765718861124221082659028236260426335272972131613635099450603286488429394425028471716654135639573217796607854088594755542510609229923552878196284910805623086475496682253964652613821088797660209722295694019944313
        public exponent: 65537
        Validity: [From: Wed Nov 07 14:16:16 ICT 2012,
                     To: Sat Nov 05 14:16:16 ICT 2022]
        Issuer: CN=PC-201203140816, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
        SerialNumber: [    03c2af57]
      
      Certificate Extensions: 1
      [1]: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 14 F2 0B D0 8B E4 65 B1   FA FE 00 8C 48 D2 E0 F2  ......e.....H...
      0010: 91 BD 97 54                                        ...T
      ]
      ]
      
      ]
        Algorithm: [SHA256withRSA]
        Signature:
      
      ]
      ***
      trigger seeding of SecureRandom
      done seeding SecureRandom
      keyStore is : 
      keyStore type is : jks
      keyStore provider is : 
      init keystore
      init keymanager of type SunX509
      trustStore is: cacerts.jks
      trustStore type is : jks
      trustStore provider is : 
      init truststore
      adding as trusted cert:
        Subject: CN=SUNCA, OU=JWS, O=SUN, ST=Some-State, C=AU
        Issuer:  CN=SUNCA, OU=JWS, O=SUN, ST=Some-State, C=AU
        Algorithm: RSA; Serial number: 0x9436d26db68dd3b8
        Valid from Wed Mar 12 14:13:29 ICT 2008 until Tue Mar 07 14:13:29 ICT 2028
      
      adding as trusted cert:
        Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
        Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
        Algorithm: RSA; Serial number: 0x4eb200670c035d4f
        Valid from Wed Oct 25 15:36:00 ICT 2006 until Sat Oct 25 15:36:00 ICT 2036
      
      *** adding as trusted cert: lots more here ***
      Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
      Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
      
      *** ECDH ServerKeyExchange
      Server key: Sun EC public key, 256 bits
        public x coord: 13092472382617897418680293553019695575657838247487389413277426788203849920781
        public y coord: 105606623941038948933956148662962940949343598467647948644145571700946524577823
        parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
      *** ServerHelloDone
      *** ECDHClientKeyExchange
      ECDH Public value:  { 4, 22, 21, 243, 176, 119, 103, 69, 3, 0, 60, 107, 190, 75, 0, 165, 231, 165, 73, 206, 254, 6, 45, 218, 106, 171, 155, 200, 47, 237, 13, 192, 209, 35, 152, 226, 186, 243, 240, 178, 103, 216, 120, 104, 31, 141, 122, 47, 150, 60, 95, 178, 234, 133, 30, 150, 71, 220, 92, 62, 31, 161, 232, 0, 19 }
      main, WRITE: TLSv1 Handshake, length = 70
      SESSION KEYGEN:
      main, WRITE: TLSv1 Change Cipher Spec, length = 1
      *** Finished
      verify_data:  { 45, 95, 97, 253, 48, 127, 125, 37, 184, 78, 31, 147 }
      ***
      main, WRITE: TLSv1 Handshake, length = 48
      main, READ: TLSv1 Change Cipher Spec, length = 1
      main, READ: TLSv1 Handshake, length = 48
      *** Finished
      verify_data:  { 199, 52, 80, 221, 97, 96, 121, 209, 107, 244, 183, 239 }
      ***
      %% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
      main, WRITE: TLSv1 Application Data, length = 320
      main, WRITE: TLSv1 Application Data, length = 32
      main, WRITE: TLSv1 Application Data, length = 2560
      main, READ: TLSv1 Application Data, length = 784
      main, READ: TLSv1 Application Data, length = 32
      main, READ: TLSv1 Application Data, length = 400
      main, READ: TLSv1 Application Data, length = 32
      main, READ: TLSv1 Application Data, length = 32
      main, called close()
      main, called closeInternal(true)
      main, SEND TLSv1 ALERT:  warning, description = close_notify
      main, WRITE: TLSv1 Alert, length = 32
      main, called closeSocket(selfInitiated)
      Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Invalid Security Header
           at com.sun.xml.internal.ws.fault.SOAP12Fault.getProtocolException(SOAP12Fault.java:214)
           at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:111)
           at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108)
           at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
           at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:129)
           at $Proxy41.mssSignature(Unknown Source)
           at vtcaclient.SignClient.testMSSSignature(SignClient.java:281)
           at vtcaclient.SignClient.main(SignClient.java:117)
      Java Result: 1
      BUILD SUCCESSFUL (total time: 3 seconds)
      And the server error log is:
      SEVERE: WSS1601: Security Requirements not met - Transport binding configured in policy but incoming message was not SSL enabled
      SEVERE: WSITPVD0035: Error in Verifying Security in Inbound Message.
      com.sun.xml.wss.impl.XWSSecurityRuntimeException: WSS1601: Security Requirements not met - Transport binding configured in policy but incoming message was not SSL enabled
           at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:125)
           at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1003)
           at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:248)
           at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:588)
           at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:361)
           at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:264)
      I googled around but have not succeeded with any solution.

      I don't know whether you can tell exactly what the problem is from the log, and whether there is a workaround.

      Thank you for your help.

      P.S.: I am running Java 7 and GlassFish 3.1.2.2 for my server.

      -HL
        • 1. Re: SSL > incoming msg not SSL enabled
          EJP
          Your title is incorrect. There is no SSL problem in evidence here. Your problem is a SOAP security problem, as the stack trace shows clearly. If it was an SSL problem you would have got an SSL exception and you wouldn't have got to the 'TLSv1 Change Cipher Spec' message at all.
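The distinction EJP draws (a TLS failure aborts before Change Cipher Spec; a fault after that point belongs to the layer above TLS) can be applied mechanically to a `javax.net.debug` log. The script below is an added example, not code from the thread or from Metro/GlassFish; both sample logs are constructed to mirror the shape of the output posted above.

```python
import re
# Constructed excerpt mirroring the shape of the javax.net.debug output posted above:
# both Change Cipher Spec records, application data, then a SOAP-layer exception.
SAMPLE_LOG = """\
main, WRITE: TLSv1 Handshake, length = 70
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
main, READ: TLSv1 Change Cipher Spec, length = 1
*** Finished
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, WRITE: TLSv1 Application Data, length = 320
main, READ: TLSv1 Application Data, length = 784
main, SEND TLSv1 ALERT:  warning, description = close_notify
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Invalid Security Header
"""
# Constructed contrast case: a real TLS failure aborts before any Change Cipher Spec record.
SAMPLE_TLS_FAILURE = """\
main, WRITE: TLSv1 Handshake, length = 70
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
Exception in thread "main" javax.net.ssl.SSLHandshakeException: PKIX path building failed
"""
# Exception classes that mean the TLS layer itself failed; anything else happened above TLS.
TLS_LAYER_PREFIXES = ("javax.net.ssl.", "java.security.cert.")

def triage(log_text):
    """Decide whether the TLS handshake completed and at which layer the run failed."""
    ccs_written = ccs_read = False
    app_records, cipher_suite, exception = 0, None, None
    for line in log_text.splitlines():
        if "Change Cipher Spec" in line:
            # Each side sends Change Cipher Spec only after keys are agreed; both present = handshake done.
            if "WRITE:" in line: ccs_written = True
            elif "READ:" in line: ccs_read = True
        elif "Application Data" in line:
            app_records += 1
        elif "Cached client session" in line:
            m = re.search(r"\[\S+, (\S+)\]", line)  # negotiated cipher suite
            cipher_suite = m.group(1) if m else None
        elif line.startswith("Exception in thread"):
            m = re.match(r'Exception in thread "[^"]*" (\S+?)(?::|$)', line)
            exception = m.group(1) if m else None
    if exception is None:
        layer = "none"
    elif exception.startswith(TLS_LAYER_PREFIXES):
        layer = "tls"
    else:
        layer = "application"  # e.g. a SOAP fault carried inside an established TLS session
    return {"handshake_completed": ccs_written and ccs_read, "application_records": app_records,
            "cipher_suite": cipher_suite, "exception": exception, "failure_layer": layer}
```

Run against the posted log this reports a completed handshake, a negotiated suite and an application-layer failure, which is exactly why the WSS1601 fault has to be chased in the WS-Security policy configuration rather than in the keystores.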
          • 2. Re: SSL > incoming msg not SSL enabled
            859967
            Could you tell me what the SOAP problem is? I thought it was because I configured it with SSL enabled, and hence I got this error.

            The SOAP works normally if SSL security is disabled.

            What more should I do with SOAP to resolve this error?