I’m using a .NET 2.0 Client to communicate with an AXIS Web service. The web service is not in my control and I can’t request any modifications to it either.
Now, I’m using WSE 3.0 to implement the Security piece, but I’m having quite a few issues to get them to talk to each other. My current problem seems to be this exception –
Security processing failed; nested exception is:
org.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for decryption (KeyId))
I’ve implemented a custom WSE policy on the client side (Created a custom SecurityPolicyAssertion, overrode CreateClientOutputFilter(FilterCreationContext context) and called a custom SendSecurityFilter from it. In the SendSecurityFilter, I overrode the SecureMessage method and I’ve added the following –
public override void SecureMessage(SoapEnvelope envelope, Security security)
{
clientToken = GetClientToken();
serverToken = GetServerToken();
// Sign the SOAP message with the client's security token.
security.Tokens.Add(clientToken);
security.Elements.Add(new MessageSignature(clientToken));
// Encrypt the SOAP message with the client's security token.
security.Elements.Add(new Microsoft.Web.Services3.Security.EncryptedData(serverToken));
// Store the client and server security tokens in the request state.
RequestState state = new RequestState(clientToken, serverToken);
// Store the request state in the proxy's operation state.
// This makes these tokens accessible when SOAP responses are
// verified to have sufficient security requirements.
envelope.Context.OperationState.Set(state);
}
This generates the following XML output –
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://b2bsys17-ssl.uhc.com/NASApp/phase2/services/SecureHIPAAService" xmlns:types="http://b2bsys17-ssl.uhc.com/NASApp/phase2/services/SecureHIPAAService/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action>
</wsa:Action>
<wsa:MessageID>urn:uuid:e67780b6-dff4-4c41-8587-0a8980fa50ef</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To>https://www.uhgdirectconnect.uhc.com/NASApp/phase2/services/SecureHIPAAService</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-f6270878-1ad2-4635-9acc-6989f87f35e0">
<wsu:Created>2011-01-21T20:56:44Z</wsu:Created>
<wsu:Expires>2011-01-21T21:01:44Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-3f9b54ee-0048-440a-84ec-d1af150ba35f">MIICGjCCAYMCBEv9XCAwDQYJKoZIhvcNAQEEBQAwVDEaMBgGA1UEChMRcGF0aWVudHBvaW50a2lvc2sxGjAYBgNVBAsTEXBhdGllbnRwb2ludGtpb3NrMRowGAYDVQQDExFwYXRpZW50cG9pbnRraW9zazAeFw0xMDA1MjYxNzM2MzJaFw0yMDA1MjMxNzM2MzJaMFQxGjAYBgNVBAoTEXBhdGllbnRwb2ludGtpb3NrMRowGAYDVQQLExFwYXRpZW50cG9pbnRraW9zazEaMBgGA1UEAxMRcGF0aWVudHBvaW50a2lvc2swgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANEIOOGH+TbllK+Ayz7fEv9RkgrGtQHZNq0ibhwvkRU6Cv6on7pBIwj/jbha0H5U3gKiwyL1JGccHnhq4pWbOvFiR2zZDDXMCi5krwxfaIh7CYHDYOlaEymq+XbppblIefeScVTHoeghyMytESytQ9konB9DMK+rMNNZSLfebGs7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAK9hC0wnujuAAILJNPEkfNOeZT6NFvKl2UByo62ejFlhskas4KYBU+D03FR45MJsaMCYa+rQJmAbQc7vrbowy+pN/1N7yap30KpGAhozuIOOI3TJtrMCT0elxzFZ2fktYO8ZnHTudDODODKOv/7kkiCfr+XvEs18OqLKDIA8lRpE=</wsse:BinarySecurityToken>
<xenc:EncryptedKey Id="SecurityToken-b29770db-3e56-46fe-8e73-030e1271568e" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</xenc:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">YA3uSedFpwuFDpxOeGAudur3kJ0=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>bZUxKs60Nrp5VzGGors9R5WZharm4uwSzLsFP6YvKCyHzXen2N/eARM+MVqXnXktncVIlK8wBahZhX6i1Vq6FkaOrOj8bjkXN4gdLrmFsXYD/v2sEFizMfEzhDo1tIItochTAr7ainJ8Hp6Nd/57lgaDzXDqO6Zxk1zK7tmJhaI=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#Enc-d07f984f-8a57-4bf5-80c2-ce5d18dfa509" />
<xenc:DataReference URI="#Enc-07efb4f6-d5c4-4deb-b66e-f027b0f4cf00" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
<xenc:EncryptedData Id="Enc-d07f984f-8a57-4bf5-80c2-ce5d18dfa509" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<xenc:CipherData>
<xenc:CipherValue>9qU0pd9g9YSHarlMHmx8+h+QQJOKvAQYbaktoMpZ0RPjKghp3pLbjps7Sa3MAKwmX6CzXHG2PWM5NBjzlgEDr4/nT5PcSBiPk1xEVdBRSQEjHrP/FmMfFtfMGZUN/O+BhCakNZy3FM8rx6ypo0hzoTHevoCEelT1Qom/mOYyyxqmpSXmLTqEvIxKGuP2IzcU13GBDnastZR1gcu2s2W+/PfQxoguXbluLNr62Pil0nw7Z/DkdPwDht2/1CNwFFB2LTftR650xTc4a/SqSIe3fiFvD7FPa8wqedieh6LEILtGQzG9hf8mz1SKq23rU1UEaW8DyGgxm7i389WGYNPiAhMGyX58pZ0jH939Sdv0Oy6GyjsVQ4wl5cmslJ2A4WZB3yoy2psXQjz6Y/4LUpiuwXryLYSZmeG1v8l+MPo9ijtcsjTHKWSIxHVbC4jqvOxA7R629UtGhh2OB3wiUe7dvtA4c6yrbLJVwiLCkd4LQubbR13xHR41gCC53fhhZWw4kSwh2w0VnmfZAshbsvGsdmXfWVlrwpT6HETz/U2Ue1n79/1hCYYnh4fPlSPrrwXCaG/7STy+t7GIVP1pAwIVtb0TdgFAtgc1xcCfWZl/VfoS8wIHD7raP2UXk51CDk/OdDxQ9ehxOfzr/MCVwM2f3l0oKfVifYQSCFaeKdmPOqm0YQEmbl9SQ/eieNN9dpdZlkkT1bDmakmLY1GoOnN6URy3UjTpXXLsQXlsoDdkdXQCOUqlSkqM2Zw1UJSF+g/QbaDXGKahQy6LtEVP1ZTCLB1DXlm4yiO6gWQUlAsYH0zMaDm0MwAxP6tKfYMQouCBJHXVEe3CY1U3kMPh74uKYjOXZR7EYLUdac0ngwSYKhI7LT2JuCdOSFj1sqXQtRp2FPPZKjNK1WNTlX9lrXksmonDSTwzLmlW48pKRFO6lcFS8yjh0kMOSx7CAnnmatjaXnLb6yRD/TIMq0EShaRTWn4nK9WHXQRkIgexG11hEsTfwxzlnZGDZAFeUgAMU3YMOmaI77IrHr8kdZRaeut5VUa+3zmTlArvn0D0EvHLkCGL28epkZyb9LVgQ/PUrDLUEsFgycrMH9wF4NLwF8EiOfNmfpSB/Lsxcku2zZNHZ7/pvZBLyDMO2nl74BWnCo1wMNVPxcFoFGbA983ghdruiIyBtMvUWLuc886m5Im0Jdz7QK2/Qk0ALAn4A32tyhVjuqnlAjsxBV7g+ePxjGlUKbNieXVxrnG23JpKNH0HtuxpDBab3azcQQbjRTIS18OFQ/Oj6tp81R57oswY7rbqVK4/X5wSU50vTNQeFbeTmlYWZm5fHjdYZ5sKV275CH3IB4BQqADjytOsyKh2uFqFbCovG7i/rq66b8LR5/WQQRQ=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#Sig-1f8972b5-c8ca-40cb-a3b9-73b77907a16f">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>BqLTeIy97kFa+tO+gxVqVycpoNo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>xR4sJyQV0D05l4LAlDhV3BITnogNS1MwTv+Y6RBE4viKqYEywikx0fjhxOK+URZNXVRHkvzwSD8VhEHkG7SOqkF1ja5uixgRlyYQ/bMPOQGqTKrypdVhvJOvniNXV5Rk9Kw9QfGwUoIrj80CMgT/i1CMJcTzv4bknKV+/pyGLdo=</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-3f9b54ee-0048-440a-84ec-d1af150ba35f" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" wsu:Id="Id-ea44fad0-920a-4a3f-b4d0-39a7e7e510fa">
<xenc:EncryptedData Id="Enc-07efb4f6-d5c4-4deb-b66e-f027b0f4cf00" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<xenc:CipherData>
<xenc:CipherValue>uEvS6L3N0hNJJnKwXHfBhHqGhx9EjdKCtMmQ6afhvUmApaXvtNLjfQQMdD1QeFiLAtl5MIM4eL2zbabW9wkJL9LXal927uv/gDCoQTRy2wkDLtfpOD0KpueobvVDgUDNQ4T/80tdUbDrTAVU54Omk5G5V2Ib3jxhXe3gqLt3rBtwh7gQlRKiU+bz265bW2wl+jaI5E91QmNEpdnICp3kGwabXOmnO4RCu9571Qj+7h/Y9ZOd8kfV0dGDQ1uNva9uW7lnuZtweghQ1IAzKDfaGT83byagTYZxq9zUJ1kJXWJMrpGjSTSonv78BvQ+O6AAVXJmwALWoz+kNhob+SDJRMqefEk9GH++s7v10KKUA8mzcwz6J1/HfxGgSTJHWcAkctynos2hegwYP3cXNj6ODHwr6nsIcvVhZsDXo6CS5ffYBrBlA5PVabW2tPFlfm7AytpZsF67A8pkwSDXTPzMpjUOJL+BUDYln2kcgjJ+MQ7eiRzCfsMMZ54FHmLDlCjfpp1h6lkN3QWQjgp7oXsKo1dZKdo7o0V5YmZT+6LZYzpN5nySAu3mLo40paxb4+PsBXDlvUyUqnOKtuFmDFwwR+dp4Kf+MD6Jy1uHE8Z00z/x43jUKlxdNzcrlN/UJ6kXcOez6j+1JV13yWNGK3U9aDkp9urYUphl3oqtlvmi4pC9CJqC+EKs8a0vKLNKWzjRVt5RIbrRlOd6qH4XYgQp/qnQV8/pEHLQt8+S8u4pjrryDJ9JDjbixi5KPwFGjZlsHmMf1pvnex/bvribGdWF3v29zejI8kNerXe5H2BKSuBGrViVQ/1kcgwjejjrqX4junCLVbbjgBQmUAToxkpu/gzBi02O/CW4GbUzjhI8n4Et+nQiBSyhunlI1PNU3OfdooZ1aS0iPYmYoWpvSkiORazXwsn4nVhXYrm8gNEKvHCk3Ed3lI25i6vMnxBYSUJMDV5lvEgUaYsrwy32t/COpylKOzNL2pk15DGbfM+zzRgJmT2EYWkJbNX0nN9rV0il8MTjPOaQmw6Hwo4GU4AMBJXih1xwO+v1+sx9taGwlGBPzmxEO2dPJAlBu+OdpZsk2nMEwWo1dF3FSpEmKTEhnBm2t0e3miOno0bMBP3xBy3gllEKOTJ80wd65Fg5fgjKaCbz+CJY5EnoGz6CyWhjKErnYrq/jzkdBOuA/TV+ZAHg53+PTi31ZdYPtnX7fDAFl3SxUjc8h8cKtILNpC9kWSgmK6cfvojLFifphdZmbSXL1b6P40XMVftK1oHItmtH3a73Ud0SAm6Bunyz/x6DrX+0fwOIevBLNTPy7sfNXhmS+YgulSyPTHpH0ip4mGomJEjjaWCGj+5tH9AX3Sd9Omd0jqmjYeTvAsu3071neSMrsPzTpRVOcOe+tOyWK1kTxk7ZE6qnrFup36Cpahd3+pa+eA2aVYcKz0Z4PPj1orNtoL20dwfSVGCq5xaux+mGAX45gNgZemPEq7v8C4G58Lk/UxqIWIrwEiSHmw+drTQ9QEixaY1ZBPftIGVOOJJT5XhfNvXy3LzoCMBUa775K57nfUqrxVgorETyzXhCGmzpkkWeEjBKH3W/UVd+aHX5Umo+9xe+82kpQLv3HvHRcodNq+2QtoEwLUrTD+D9t5rboJT/X7u6faaZqYbePEpgEKfX9O0ErBnpBUYUcEiUg/QQ8vKXGpZk+K6kOdjOxR20JFDkcULXmya1FM6AwWS4DMfINVtADWE7xd7nLjlhtDzWOj0wbFRQ95qaqgHfAqlUNTcpVobibVJZ75XeZsWt+o+dkvgA3wAQTfEOa6iyvpUsv3JXY2DKe8Sr1DFY31g9uZdvqaRIX8ALLymebVnAKq0FL45R13Ffp1VSep+FXly4Gm9cHBIknQNfyegsd1mi4r5qEoeZLTIlybsG5qHLrWlOTp16qRZU+0XvdXj8QK8mOy9LiVnXVdP94ehYIj1sgWIKpfsUDHFj2Xm6xPll</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
and the AXIS returns the error message that reads –
Security processing failed; nested exception is:
org.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for decryption (KeyId))
The error message is particularly unhelpful, I’m not even sure what it means, so any help on this is much appreciated!
Thanks,
Teja.
Answering my question after a while. It turns out what
Unexpected Number of X509 Datameans is -that the server is receiving some section of your Soap message that it doesn’t like. In my case, it turned out to bewsa:tags. I dynamically removed various tags that the server didn’t like while working with the people that made the Web service, but that didn’t seem to help.Ended up writing the client in Java.