14 replies Latest Post - ‏2012-12-19T11:53:31Z by SystemAdmin
SystemAdmin
SystemAdmin
6772 Posts
ACCEPTED ANSWER

Pinned topic Web Service Proxy encryption/decryption example, tutorial

‏2011-05-03T23:55:49Z |
Hi guys,
I'm trying to develop a Web Service whose body must be encrypted by the application (WID & Process Server) and decrypted by DataPower X50. I'm able to perform WS-Security Basic Authentication (UsernameToken) and Signature, but I can't get encryption working. The application is encrypting the SOAP message, but DataPower is failing to decrypt it.
The error message I'm getting is:

source-https (SSLICC_handle): WS-Proxy icc_services operation retrievePolicyDetails does not match SOAP operation as required by WS-I BP1.0/1.1 R2744 or R2745: received (RequestSecurityToken) required (retrievePolicyDetails). Received protocol 'http://schemas.xmlsoap.org/wsdl/soap/', required protocol 'http://schemas.xmlsoap.org/wsdl/soap/'. Received SOAPAction (http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT) required SOAPAction (). SOAPAction policy is lax.

This is what I've on my WSDL:
....
<wsdl:operation name="retrievePolicyDetails">
<soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT"/>
....

I guess I'm missing something, but I can't find any info about what I'm missing. By the error message it looks like I have to do something with "RequestSecurityToken", maybe put it in my WSDL, but I can't find anything that would guide me on that.

Does anyone know where I can find a tutorial or sample of how to set up Web Services encryption on DataPower? I found one using .Net but it doesn't work for me. I've googled a lot and found a few bits and pieces which I tried to put together without much success.

Tkx!
Updated on 2012-12-19T11:53:31Z at 2012-12-19T11:53:31Z by SystemAdmin
  • SystemAdmin

    Re: Web Service Proxy encryption/decryption example, tutorial

    2011-05-04T18:04:18Z  in response to SystemAdmin
    The error message you quote here regards the mismatch between what is in the WSDL used to configure the WSP and the SOAPAction header in the request; turn this Off on the Proxy Settings tab of the WSP or alternatively send a blank value in this header.

    However, to address your direct question regarding decrypting an encrypted request, the WSP has the ability to automatically decrypt the body of the message. Go to the Proxy Settings tab of the WSP config screen and there you will find a place to identify a Decrypt key. If the right key is given, then the WSP will automatically decrypt the message.

    Further down on that page there are inputs to use the key embedded in the EncryptedData block rather than the key identified above.

    See the InfoCenter at http://publib.boulder.ibm.com/infocenter/wsdatap/v3r8m1/index.jsp?topic=/xa35/welcome.htm and search for "Web Service Proxy Decrypt Key".

    Is the message emitted from DataPower supposed to be decrypted? If that is so and the above methods don't do the trick, you then need to add a Decrypt action at the topmost level of the Processing Policy of the WSP, in the Request rule. There again you will need the correct key.
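An added example (not from the thread, and not DataPower's own code) of the operation-matching step that produces the R2744/R2745 error quoted in the question. It re-creates in Python the two checks the Web Service Proxy applies before it can select a processing rule: the first child of soap:Body must be the wrapper element of a WSDL operation, and the SOAPAction header, when one is sent, must equal the soapAction declared for that operation. The WSDL binding and the three requests are constructed for the example; the operation name and the WS-Trust RST/SCT action are the values from the thread, and "lax" is assumed to mean that an empty SOAPAction header is tolerated, as the reply above suggests. It also shows why an encrypted Body cannot be matched at all: the wrapper element is inside the ciphertext, so the proxy has to decrypt before it can look for the operation.

```python
# Added example, not code from the thread or from IBM: a Python re-creation
# of the WS-I Basic Profile R2744/R2745 operation-matching step that the
# DataPower Web Service Proxy runs before it can choose a processing rule.
# The WSDL and SOAP messages are constructed for this example; only the
# operation name and the RST/SCT SOAPAction come from the thread.
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSDL_SOAP = "http://schemas.xmlsoap.org/wsdl/soap/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
RST_SCT_ACTION = WST + "/RST/SCT"

# Constructed WSDL binding, modelled on the snippet in the question.
WSDL = f"""<wsdl:definitions xmlns:wsdl="{WSDL_NS}" xmlns:soap="{WSDL_SOAP}">
  <wsdl:binding name="ExampleHttpBinding">
    <wsdl:operation name="retrievePolicyDetails">
      <soap:operation soapAction="{RST_SCT_ACTION}"/>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""


def _envelope(body_child_xml):
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body>'
            f'{body_child_xml}</soapenv:Body></soapenv:Envelope>')


# Three constructed requests: a plain call, a WS-Trust RequestSecurityToken
# (what the thread's client sends first), and a request with an encrypted Body.
PLAIN_REQUEST = _envelope('<retrievePolicyDetails xmlns="urn:example"/>')
RST_REQUEST = _envelope(f'<wst:RequestSecurityToken xmlns:wst="{WST}"/>')
ENCRYPTED_REQUEST = _envelope(
    f'<xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Content"/>')


def split_tag(tag):
    """'{ns}local' -> (ns, local); un-namespaced tags give ns == ''."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def wsdl_operations(wsdl_xml):
    """Operation name -> declared soapAction, for each binding operation."""
    ops = {}
    for op in ET.fromstring(wsdl_xml).iter(f"{{{WSDL_NS}}}operation"):
        soap_op = op.find(f"{{{WSDL_SOAP}}}operation")
        if soap_op is not None:  # portType operations carry no soap:operation
            ops[op.get("name")] = soap_op.get("soapAction", "")
    return ops


def body_child(envelope_xml):
    """(namespace, local-name) of the first element child of soap:Body, or None."""
    body = ET.fromstring(envelope_xml).find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        return None
    return split_tag(body[0].tag)


def match_operation(wsdl_xml, envelope_xml, soapaction_header, policy="lax"):
    """Return (operation or None, reason), mirroring the proxy's log wording.

    R2744/R2745: the Body's first child must be the operation wrapper and,
    when a SOAPAction header is sent, it must equal the WSDL's soapAction.
    policy="lax" (assumed) tolerates an empty header; "strict" requires a match.
    """
    child = body_child(envelope_xml)
    if child is None:
        return None, "empty SOAP Body"
    ns, local = child
    if ns == XENC and local == "EncryptedData":
        # The wrapper element is inside the ciphertext: the proxy has to
        # decrypt the Body before any operation can be identified.
        return None, "Body is encrypted; decrypt before matching the operation"
    ops = wsdl_operations(wsdl_xml)
    if local not in ops:
        return None, f"received ({local}) required ({', '.join(ops)})"
    header = (soapaction_header or "").strip().strip('"')
    declared = ops[local]
    if header != declared and not (policy == "lax" and header == ""):
        return None, f"received SOAPAction ({header}) required ({declared})"
    return local, "ok"


if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_REQUEST), ("rst", RST_REQUEST),
                      ("encrypted", ENCRYPTED_REQUEST)):
        print(name, match_operation(WSDL, msg, RST_SCT_ACTION))
```

Run it directly to see the three outcomes. The RST request is rejected with the same "received (RequestSecurityToken) required (retrievePolicyDetails)" wording as the log whatever the SOAPAction header says, because the WSDL simply has no operation of that name; turning SOAPAction matching off, as suggested above, changes only the second check.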
    • SystemAdmin

      Re: Web Service Proxy encryption/decryption example, tutorial

      2011-05-05T02:00:33Z  in response to SystemAdmin
      Hi DShute,
      Thank you for your help!
      As far as I know the certificate/decryption is correct because it's the same I use to sign the message, and that works fine.
      The problem is when I encrypt the message.

      The error message changed a bit as the SOAPAction matches, but the operation is still not matching, as the message is encrypted and the operation name is not visible. If I use UsernameToken and Signature only, everything works great: DataPower extracts the user and password, matches them against an LDAP server and checks the message signature against the certificate.

      I already have a decrypt action in my Processing Policy, but it's failing even before getting to my Processing Policy, because it can't find the right operation.

      The client sends an encrypted message to DataPower; DataPower decrypts it, validates the user and signature and then sends the message to the backend without any security headers.
      Log:

      
      source-https (SSLXXX_handle): No WS-Proxy service endpoints match operation in SOAP request as required by WS-I BP1.0/1.1 R2744 or R2745.
      source-https (SSLXXX_handle): WS-Proxy XXX_services operation XXXXXX does not match SOAP operation as required by WS-I BP1.0/1.1 R2744 or R2745: received (RequestSecurityToken) required (XXXXXXX). Received protocol 'http://schemas.xmlsoap.org/wsdl/soap/', required protocol 'http://schemas.xmlsoap.org/wsdl/soap/'. Received SOAPAction (http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT) required SOAPAction (http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT). SOAPAction policy is lax.
      xmlmgr (default): patterns Compilation Request: Found in cache (expr:////*[local-name()='Envelope']/*[local-name()='Body']/*)
      xmlmgr (default): patterns Compilation Request: Checking cache for URL expr:////*[local-name()='Envelope']/*[local-name()='Body']/*
      xmlmgr (default): Data decryption succeeded
      xmlmgr (default): The same ephemeral key was decrypted already; using the cached ephemeral key.
      xmlmgr (default): Data decryption succeeded
      xmlmgr (default): Ephemeral key decryption succeeded
      xmlmgr (default): xslt Compilation Request: Found in cache (store:///decrypt.xsl)
      xmlmgr (default): xslt Compilation Request: Checking cache for URL store:///decrypt.xsl
      xmlmgr (default): Stylesheet URL to compile is 'store:///decrypt.xsl'
      xmlmgr (default): Stylesheet URL to compile is 'store:///identity.xsl'
      xmlmgr (default): Finished parsing: https://XXXXX:9443/XXXXXX
      xmlmgr (default): Parsing document: 'https://XXXX:9443/XXXXXX'
      xmlmgr (default): xslt Compilation Request: Found in cache (store:///identity.xsl)
      xmlmgr (default): xslt Compilation Request: Checking cache for URL store:///identity.xsl
      xmlmgr (default): Stylesheet URL to compile is 'store:///identity.xsl'
      source-https (SSLXXXX_handle): Decrypting message to identify web service operation.
      xmlmgr (default): Parsing https://XXXXX:9443/XXXXXX stopped on XPath match
      xmlmgr (default): Parsing document: 'https://XXXXXX:9443/XXXXXX'
      xmlmgr (default): patterns Compilation Request: Found in cache (expr:////*[local-name()='Envelope']/*[local-name()='Body']/*)
      xmlmgr (default): patterns Compilation Request: Checking cache for URL expr:////*[local-name()='Envelope']/*[local-name()='Body']/*
      source-https (SSLXXX_handle): WS-Proxy XXX_services operation XXXXXXXX matches address (XXXXXX:9443) url (/XXXXXXX). SOAP operation and Action will be evaluated.
      source-https (SSLXXX_handle): Generating chunked response stream to front
      source-https (SSLXXX_handle): Found content length 8779 HTTP input
      source-https (SSLXXX_handle): HTTP Transaction # 1 on this TCP connection
      source-https (SSLXXX_handle): Received HTTP/1.1 POST for /XXXXXX from XXXXXXX
      valcred (CryptoVC): certificate validation succeeded for '/C=XX/ST=XXX/L=XXXXX/O=XXX/OU=XX/CN=XX' against 'CryptoVC'

      Sample encrypted message attached. This message works fine with WebSphere Process Server, I mean I have a WPS server which is able to decrypt and validate the message, but we want to do that on DataPower.

      The same WSDL is used on both WPS and Datapower.
      
      <?xml version="1.0" encoding="UTF-8"?>
      <wsdl:definitions name="XXXXXX_Service" targetNamespace="http://XXXX"
          xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
          xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
          xmlns:this="http://XXXX"
          xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
        <wsdl:import location="XXXXX.wsdl" namespace="http://XXXX"/>
        <wsdl:binding name="XXXXXHttpBinding" type="this:XXXXX">
          <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
          <wsdl:operation name="XXXXXXX">
            <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT"/>
            <wsdl:input name="XXXXXRequest">
              <soap:body use="literal"/>
            </wsdl:input>
            <wsdl:output name="XXXXResponse">
              <soap:body use="literal"/>
            </wsdl:output>
            <wsdl:fault name="runtimeFault">
              <soap:fault name="runtimeFault" use="literal"/>
            </wsdl:fault>
          </wsdl:operation>
        </wsdl:binding>
        <wsdl:service name="XXXXHttpService">
          <wsdl:port binding="this:XXXXHttpBinding" name="XXXXHttpPort">
            <soap:address location="http://XXXXX:9080/XXXXX_WS"/>
          </wsdl:port>
        </wsdl:service>
      </wsdl:definitions>
      
      • SystemAdmin

        Re: Web Service Proxy encryption/decryption example, tutorial

        2011-05-05T02:08:08Z  in response to SystemAdmin
        By the DataPower message it looks like it's still missing a WS-Policy to be set or a decryption layer to be configured, because it wasn't able to decrypt the message deep enough to get the operation name.

        "received (RequestSecurityToken) required (XXXXXXX)"
        • SystemAdmin

          Re: Web Service Proxy encryption/decryption example, tutorial

          2011-05-05T06:47:19Z  in response to SystemAdmin
          Something I forgot to mention before is that what we are trying to do is to configure DataPower for a WS-SecureConversation. I've tried to set the extra policies in the Policy Parameters, Sources, etc. and nothing works.

          I found this, though: http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/topic/com.ibm.iea.wdatapower/wdatapower/1.0/xa35/380DataPowerWCFIntegration.pdf, but it's for .Net. So, I don't know which policy to attach to my WSDL, or even if I need to create a new WSDL adding the policy reference (which one?) embedded in the WSDL, or whether I have to create a new (extra) WSDL just to use WS-SecureConversation. I can't find anything explaining what needs to be done.

          Any help would be very appreciated.

          Tkx!
          • SystemAdmin

            Re: Web Service Proxy encryption/decryption example, tutorial

            2011-05-05T13:57:02Z  in response to SystemAdmin
            The encrypted message references the SCT token, which is not included in the message. That would leave the decryption unable to identify the key needed to process the DerivedKeyToken.

            <wsse:Reference URI="uuid:EC5CAB59DB3C27BE471304557041300"
                ValueType="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct"/>

            There might be a missing link between the ways using secure conversation.
            Maybe you can find some info at http://www.ibm.com/developerworks/webservices/library/ws-offloadpart4/index.html?S_TACT=105AGX04&S_CMP=EDU

            Thanks,

            -Fred Chen
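An added example (not part of the thread) that checks the point made in this reply: every wsse:Reference inside a SecurityTokenReference must resolve to a token the message actually carries. A fragment URI ("#...") is resolved against wsu:Id attributes; an external URI such as the uuid: value quoted above is resolved against the wsc:Identifier of a SecurityContextToken in the header (WS-SecureConversation 1.3 namespace, the style the thread's policy selects with RequireExternalUriReference). The two envelopes are constructed for the example, with a DerivedKeyToken that refers to the SCT; the uuid is the one from the reply and the nonce is a placeholder.

```python
# Added example, not from the thread: reports wsse:Reference elements in a
# WS-Security header that point at a token the message does not carry.
# Fragment URIs ("#id") resolve against wsu:Id; external URIs (e.g. the
# "uuid:..." in the thread) resolve against the wsc:Identifier of an included
# SecurityContextToken.  Both envelopes below are constructed for the example.
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSC = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
SCT_VALUE_TYPE = WSC + "/sct"
SCT_IDENTIFIER = "uuid:EC5CAB59DB3C27BE471304557041300"  # value quoted in the thread


def q(ns, local):
    """Clark notation '{ns}local' as used by ElementTree."""
    return f"{{{ns}}}{local}"


def build_request(include_sct):
    """Constructed request whose DerivedKeyToken names the SCT by Identifier;
    with include_sct=False the SCT itself is left out, as in the thread."""
    sct = (f'<wsc:SecurityContextToken wsu:Id="sct-1">'
           f'<wsc:Identifier>{SCT_IDENTIFIER}</wsc:Identifier>'
           f'</wsc:SecurityContextToken>') if include_sct else ""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:wsc="{WSC}">
      {sct}
      <wsc:DerivedKeyToken wsu:Id="dk-1">
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="{SCT_IDENTIFIER}" ValueType="{SCT_VALUE_TYPE}"/>
        </wsse:SecurityTokenReference>
        <wsc:Nonce>cGxhY2Vob2xkZXItbm9uY2U=</wsc:Nonce>
      </wsc:DerivedKeyToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def security_header(envelope_xml):
    header = ET.fromstring(envelope_xml).find(q(SOAP_ENV, "Header"))
    return None if header is None else header.find(q(WSSE, "Security"))


def included_tokens(security):
    """Index every element by wsu:Id, and SecurityContextTokens by wsc:Identifier."""
    by_id, by_identifier = {}, {}
    for el in security.iter():
        wsu_id = el.get(q(WSU, "Id"))
        if wsu_id:
            by_id[wsu_id] = el
        if el.tag == q(WSC, "SecurityContextToken"):
            ident = el.find(q(WSC, "Identifier"))
            if ident is not None and ident.text:
                by_identifier[ident.text.strip()] = el
    return by_id, by_identifier


def dangling_references(envelope_xml):
    """(URI, ValueType) of each wsse:Reference that points at a token the
    message does not carry; an empty list means every reference resolves."""
    security = security_header(envelope_xml)
    if security is None:
        raise ValueError("no wsse:Security header in the message")
    by_id, by_identifier = included_tokens(security)
    missing = []
    for ref in security.iter(q(WSSE, "Reference")):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            resolved = uri[1:] in by_id          # local reference by wsu:Id
        else:
            resolved = uri in by_identifier      # external URI reference
        if not resolved:
            missing.append((uri, ref.get("ValueType", "")))
    return missing


if __name__ == "__main__":
    print("SCT omitted :", dangling_references(build_request(include_sct=False)))
    print("SCT included:", dangling_references(build_request(include_sct=True)))
```

With the SCT omitted the function returns exactly one dangling reference, the uuid with the sct ValueType; once a SecurityContextToken carrying that Identifier is included in the header, the same reference resolves and the list is empty.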
            • SystemAdmin

              Re: Web Service Proxy encryption/decryption example, tutorial

              2011-05-06T00:30:26Z  in response to SystemAdmin
              Thank you for your help!
              I suspected that as well and I found that article too and it's pretty much the same information found here http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/topic/com.ibm.iea.wdatapower/wdatapower/1.0/xa35/380DataPowerWCFIntegration.pdf

              However, it's related to .Net and I don't know which policy to attach to my service and/or which one to reference in my WSDL. I have everything almost identical to those articles, with the exception that my service is interoperable with WAS and the WS-SecureConversation version is 1.3.
              So, I'm not sure which policy to put here:
              <wsp:PolicyReference URI="?????"/>
              as the article points to wsp-sp-1-2-wsFederationHttpBinding.xml which is .Net.

              <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-2-wsFederationHttpBinding.xml#BindingPolicy"/>

              I've attached wsp-sp-1-1-was-wssecureconversation.xml to my WS-Policy Sources and nothing. It also doesn't have the BindingPolicy, InputPolicy and OutputPolicy.

              So, I can't find an equivalent to wsFederationHttpBinding that is not for Microsoft.

              I found some other examples, and even in the InfoCenter it's all .Net. Does this only work with Microsoft?
              It looks like they forgot to create a document integrating WebSphere Process Server and other web service clients with DataPower and focused a bit more on Microsoft.

              Cheers,
              Tkx!
  • SystemAdmin

    Re: Web Service Proxy encryption/decryption example, tutorial

    2011-05-05T14:38:40Z  in response to SystemAdmin
    The top two lines of your log complain about SOAPAction and WSDL operation not matching still (and the WSDL snippet you sent has the real name of the operation XXXX out). Just to eliminate this for the time being, can you turn SOAPAction matching OFF altogether in the Proxy?
    • SystemAdmin

      Re: Web Service Proxy encryption/decryption example, tutorial

      2011-05-05T23:06:26Z  in response to SystemAdmin
      Hi DShute,
      Thanks again!
      I've done that and even with the SOAPAction matching it doesn't work complaining about the operation.
      What FredChen is saying above makes a lot of sense to me.
      • SystemAdmin

        Re: Web Service Proxy encryption/decryption example, tutorial

        2011-05-06T00:36:53Z  in response to SystemAdmin
        I've worked out that I've to create a new WSDL to deal with the RequestSecurityToken(WS Secure Conversation) but I still don't know which policy I've to attach to it or if there is one.
  • SystemAdmin

    Re: Web Service Proxy encryption/decryption example, tutorial

    2011-05-06T01:42:52Z  in response to SystemAdmin
    You should be able to get the policy reference from the WAS server.

    A typical approach to getting this interoperability working is to first set up the WAS server to handle the requests from the WAS client (without DataPower in the picture). When this is working, you should be able to get the WSDL and the policy references from the WAS service by requesting ?wsdl at the WAS service endpoint URL. You can then copy the policy references into an XML file in the local: directory on DataPower and point the WSDL to it. This way DataPower replaces the WAS server and handles all the requests from the client transparently.

    If you are using standard policy sets on the WAS service and client (like Kerberos v5 HTTPS, etc.), DataPower provides corresponding policy references in template files located in the store:///policies/templates/was directory. You can also refer to them and modify them as required to suit the policies configured at your WAS client.

    Thanks,
    Krithika
    • SystemAdmin

      Re: Web Service Proxy encryption/decryption example, tutorial

      2011-05-06T04:08:26Z  in response to SystemAdmin
      Thanks for your response but I've already tried and it doesn't work.
      I've tried the embedded policy in the WSDL as it comes out of Process Server:
      
      <?xml version="1.0" encoding="UTF-8"?>
      <wsdl:definitions name="XXXXXXXXXXXXXXXXXXXXXXHttp_Service"
          targetNamespace="XXXXXXXXXXXXXXXXXXXXXXXXXX"
          xmlns:wsp="http://www.w3.org/ns/ws-policy"
          xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
          xmlns:this="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
          xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
        <wsdl:import namespace="XXXXXXXXXXXXXXXXXXXXXXXXX" location="PXXXXXXXXXXXXXXXXX.wsdl"></wsdl:import>
        <wsdl:binding name="XXXXXXXXXXXXXXXXXXXXXHttpBinding" type="this:XXXXXXXXXXXXXXXXX">
          <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
          <wsp:PolicyReference URI="#9e4a4048-85af-44cd-9d12-6edde736c304"/>
          <wsdl:operation name="XXXXXXXXXXXXXXXDetails">
            <soap:operation soapAction=""/>
            <wsdl:input name="XXXXXXXXXXXXXXXXDetailsRequest">
              <soap:body use="literal"/>
              <wsp:PolicyReference URI="#5a19d053-2005-4b1c-b7a0-9da5be1315c3"/>
            </wsdl:input>
            <wsdl:output name="XXXXXXXXXXXXXXDetailsResponse">
              <soap:body use="literal"/>
              <wsp:PolicyReference URI="#ee6fd158-69af-4c9b-af68-088919652b96"/>
            </wsdl:output>
            <wsdl:fault name="XXXXXXXXXXXXXXXXXXXXXXXFault">
              <soap:fault name="XXXXXXXXXXXXXFault" use="literal"/>
            </wsdl:fault>
            <wsdl:fault name="XXXXXXXXXXXXXXXXXXXFault">
              <soap:fault name="XXXXXXXXXXXXXXXXXXFault" use="literal"/>
            </wsdl:fault>
            <wsdl:fault name="XXXXXXXXXXXXXXXXXXXXFault">
              <soap:fault name="XXXXXXXXXXXXXXXXXXXFault" use="literal"/>
            </wsdl:fault>
            <wsdl:fault name="XXXXXXXXXXXXXXXXXXXXFault">
              <soap:fault name="XXXXXXXXXXXXXXXXXXFault" use="literal"/>
            </wsdl:fault>
          </wsdl:operation>
        </wsdl:binding>
        <wsdl:service name="XXXXXXXXXXXXXXXXXXXXXXXXXHttpService">
          <wsdl:port name="XXXXXXXXXXXXXXXXXXXXXXXXXXHttpPort" binding="this:XXXXXXXXXXXXXXXXXXXXXXXXXXHttpBinding">
            <soap:address location="http://localhost/XXXXXXXXXXXXXXXXXXXXXX_WS"/>
          </wsdl:port>
        </wsdl:service>
        <wsp:Policy wsu:Id="9e4a4048-85af-44cd-9d12-6edde736c304">
          <wsp:ExactlyOne>
            <wsp:All>
              <addressing:Addressing xmlns:addressing="http://www.w3.org/2007/05/addressing/metadata">
                <wsp:Policy>
                  <wsp:ExactlyOne>
                    <wsp:All/>
                  </wsp:ExactlyOne>
                </wsp:Policy>
              </addressing:Addressing>
            </wsp:All>
            <wsp:All>
              <addressing:Addressing xmlns:addressing="http://www.w3.org/2007/05/addressing/metadata">
                <wsp:Policy>
                  <wsp:ExactlyOne>
                    <wsp:All>
                      <addressing:AnonymousResponses/>
                    </wsp:All>
                  </wsp:ExactlyOne>
                </wsp:Policy>
              </addressing:Addressing>
            </wsp:All>
            <wsp:All>
              <addressing:Addressing xmlns:addressing="http://www.w3.org/2007/05/addressing/metadata">
                <wsp:Policy>
                  <wsp:ExactlyOne>
                    <wsp:All>
                      <addressing:NonAnonymousResponses/>
                    </wsp:All>
                  </wsp:ExactlyOne>
                </wsp:Policy>
              </addressing:Addressing>
            </wsp:All>
          </wsp:ExactlyOne>
          <ns1:SymmetricBinding xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <ns1:ProtectionToken>
                <wsp:Policy>
                  <ns1:SecureConversationToken ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <ns1:RequireDerivedKeys/>
                      <ns1:RequireExternalUriReference/>
                      <ns1:BootstrapPolicy>
                        <wsp:Policy>
                          <ns1:AsymmetricBinding>
                            <wsp:Policy>
                              <ns1:InitiatorToken>
                                <wsp:Policy>
                                  <ns1:X509Token ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                    <wsp:Policy>
                                      <ns1:WssX509V3Token10/>
                                    </wsp:Policy>
                                  </ns1:X509Token>
                                </wsp:Policy>
                              </ns1:InitiatorToken>
                              <ns1:RecipientToken>
                                <wsp:Policy>
                                  <ns1:X509Token ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
                                    <wsp:Policy>
                                      <ns1:WssX509V3Token10/>
                                    </wsp:Policy>
                                  </ns1:X509Token>
                                </wsp:Policy>
                              </ns1:RecipientToken>
                              <ns1:AlgorithmSuite>
                                <wsp:Policy>
                                  <ns1:Basic128Rsa15/>
                                </wsp:Policy>
                              </ns1:AlgorithmSuite>
                              <ns1:Layout>
                                <wsp:Policy>
                                  <ns1:Strict/>
                                </wsp:Policy>
                              </ns1:Layout>
                              <ns1:IncludeTimestamp/>
                              <ns1:EncryptSignature/>
                            </wsp:Policy>
                          </ns1:AsymmetricBinding>
                          <ns1:Wss11>
                            <wsp:Policy>
                              <ns1:RequireSignatureConfirmation/>
                              <ns1:MustSupportRefKeyIdentifier/>
                            </wsp:Policy>
                          </ns1:Wss11>
                          <ns1:SignedParts>
                            <ns1:Body/>
                            <ns1:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
                            <ns1:Header Namespace="http://www.w3.org/2005/08/addressing"/>
                          </ns1:SignedParts>
                          <ns1:EncryptedParts>
                            <ns1:Body/>
                          </ns1:EncryptedParts>
                        </wsp:Policy>
                      </ns1:BootstrapPolicy>
                      <ns1:MustNotSendAmend/>
                    </wsp:Policy>
                  </ns1:SecureConversationToken>
                </wsp:Policy>
              </ns1:ProtectionToken>
              <ns1:Layout>
                <wsp:Policy>
                  <ns1:Strict/>
                </wsp:Policy>
              </ns1:Layout>
              <ns1:AlgorithmSuite>
                <wsp:Policy>
                  <ns1:Basic128Rsa15/>
                </wsp:Policy>
              </ns1:AlgorithmSuite>
              <ns1:IncludeTimestamp/>
              <ns1:EncryptSignature/>
            </wsp:Policy>
          </ns1:SymmetricBinding>
          <ns1:Wss11 xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <ns1:RequireSignatureConfirmation/>
              <ns1:MustSupportRefExternalURI/>
            </wsp:Policy>
          </ns1:Wss11>
          <ns1:Trust13 xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <ns1:MustSupportIssuedTokens/>
              <ns1:RequireClientEntropy/>
              <ns1:RequireServerEntropy/>
            </wsp:Policy>
          </ns1:Trust13>
        </wsp:Policy>
        <wsp:Policy wsu:Id="5a19d053-2005-4b1c-b7a0-9da5be1315c3">
          <ns1:EncryptedParts xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <ns1:Body/>
          </ns1:EncryptedParts>
          <ns1:SignedParts xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <ns1:Body/>
            <ns1:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
            <ns1:Header Namespace="http://www.w3.org/2005/08/addressing"/>
          </ns1:SignedParts>
          <wsp:ExactlyOne>
            <wsp:All>
              <ns1:SignedEncryptedSupportingTokens xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                  <ns1:X509Token ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
                    <wsp:Policy>
                      <ns1:WssX509V3Token10/>
                    </wsp:Policy>
                  </ns1:X509Token>
                </wsp:Policy>
              </ns1:SignedEncryptedSupportingTokens>
            </wsp:All>
            <wsp:All>
              <ns1:SignedEncryptedSupportingTokens xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                  <ns1:UsernameToken ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <ns1:WssUsernameToken10/>
                    </wsp:Policy>
                  </ns1:UsernameToken>
                </wsp:Policy>
              </ns1:SignedEncryptedSupportingTokens>
            </wsp:All>
          </wsp:ExactlyOne>
        </wsp:Policy>
        <wsp:Policy wsu:Id="ee6fd158-69af-4c9b-af68-088919652b96">
          <ns1:EncryptedParts xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <ns1:Body/>
          </ns1:EncryptedParts>
          <ns1:SignedParts xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <ns1:Body/>
            <ns1:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
            <ns1:Header Namespace="http://www.w3.org/2005/08/addressing"/>
          </ns1:SignedParts>
        </wsp:Policy>
      </wsdl:definitions>
      


      And I've tried to copy the policy to a file and still no joy. I'm still getting the same error as above, the operation doesn't match:

      source-https (SSLICC_handle): WS-Proxy icc_services operation retrievePolicyDetails does not match SOAP operation as required by WS-I BP1.0/1.1 R2744 or R2745: received (RequestSecurityToken) required (XXXXXXXXXXXXXXDetails). Received protocol 'http://schemas.xmlsoap.org/wsdl/soap/', required protocol 'http://schemas.xmlsoap.org/wsdl/soap/'. Received SOAPAction (http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT) required SOAPAction (http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT). SOAPAction policy is lax.
      We are not using Kerberos and the only file I can see under store-> policies-> templates-> was is wsp-sp-1-2-was7-kerberos.xml.
      • SystemAdmin

        Re: Web Service Proxy encryption/decryption example, tutorial

        2011-05-10T06:00:42Z  in response to SystemAdmin
        After creating a new WSDL to handle the RequestSecurityToken, DataPower is throwing a different error. I've checked, and my policy's encryption key matches the one in the request message.

        As per my policy above (look at my post above), the policy defines the AlgorithmSuite as Basic128Rsa15, which has KwRsa15 as the asymmetric key-wrap and KwAes128 as the symmetric key-wrap algorithm.
        I'm getting this error from Datapower, however the same request works fine against my WebSphere Process Server. It's set to decrypt the message and returns an expected response.

        
        Invalid key encryption algorithm with message using http://www.w3.org/2001/04/xmlenc#rsa-1_5 and policy dictates http://www.w3.org/2001/04/xmlenc#kw-aes128
        


        request message:
        
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header>
            <s:Security xmlns:d="http://www.w3.org/2000/09/xmldsig#"
                xmlns:e="http://www.w3.org/2001/04/xmlenc#"
                xmlns:s="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:x="http://www.w3.org/2001/10/xml-exc-c14n#"
                soapenv:mustUnderstand="1">
              <u:Timestamp u:Id="w_20">
                <u:Created>2011-05-10T04:34:52.511Z</u:Created>
              </u:Timestamp>
              <s:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                  ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                  u:Id="x509bst_25">...</s:BinarySecurityToken>
              <e:EncryptedKey>
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                <d:KeyInfo>
                  <s:SecurityTokenReference>
                    <s:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">U6wiVWCciZ6eWk/D2W0sozQ1j5A=</s:KeyIdentifier>
                  </s:SecurityTokenReference>
                </d:KeyInfo>
                <e:CipherData>
                  <e:CipherValue>EUmaEgBK+d3afwSHwpVH6kPgAqBXPS6FP8smurz3dtGlYbWWRuTmFrTO8oPMG9mq8ZunUFvgf+OV1kFo5yhSOU5eO2vZMJq+QyWkJotQCbqxR7z8IdHm+l/wLhrVbC7vbuUStDq8LC2eyXo0KTNk+MuLmAIiiEP3dg8U1xsAfZs=</e:CipherValue>
                </e:CipherData>
                <e:ReferenceList>
                  <e:DataReference URI="#w_26"/>
                  <e:DataReference URI="#w_27"/>
                </e:ReferenceList>
              </e:EncryptedKey>
              <e:EncryptedData Id="w_27" Type="http://www.w3.org/2001/04/xmlenc#Element">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                <e:CipherData>
                  <e:CipherValue>...//iLCjvdCy5svuzM+uz6+MCyERqkGqnd2vgBpfip7+nUckG73gm4w5yrFqllFuEt41b/0+tCBukaodnHv7KwSt0otx08hcw2A9BR6sIUkX/zEuuoaV48c8k16dDwR8Z7tk46xZRpR9c550Y2fqceAJFSW+DV9sMl6E9ZuZI9hMiiJJF786QzKbq+mvXqefMPDkPbHFFD0bF8y3r9JfRe7lqtDnKJjLaf4S2zkzbaWVw7fL5J2FdIsOgHvvs8axhkiP4rmUUtEEpuka3LZK+TbYBDG95RhOXIAYEVmCm8n/eiL6QUPkI2LFGrtJ+POslUd7MNTCyzADhAO7EbB7t40eaVMLPuoqEJ81HXoK9atEHjVBM1+wuUTmx0akjKEIVfJLmRTHCyXiRb/DhoLBYsrdkRfLCMUAkvw/3R3A8I46cKUBuVrnUxt8sOpaft/5jhZpGF8O550akUQjmmH4NKcxdse13rninKPiJPrQ8yDUjjGG7a9XIIgRAP46fiPBJh4aeMPsp/f4SVEuOrsDaE6BGABhU9c8C4q0GD5CCP3hPkqQqHqGtbpnSR4T2+5N9OPALhpfIIvdtCJ+vRnOcmeZ4N5gnRACNu2Xgi4exO6zk7iUGtEuGggJHAPqxIqGuf7s0+o2s79e3EHlgU3ZpcrG/O6uKI4D/P7URbxImdKTQ1AUIiipjFPjk57NmRIoHlj8hNV7uxop2lmJSZdvFFPFSMYOz9YElO4cGqxLw4E+E6/Q/4E2xjmVLKNO9yWMIHZumo/n6ruoPttkvra/INUIudE+ms5TsZOoDNf4hTvi3SZwvWw8Mn7OAEegB/lb3boMCoxR3W/1PSr/CHxrBtt2XIDMM+cOsYd6MyvyG8lppBlUDAnlQ/gZX2lpfW3WJ6DcejqVA6KtmJfsRz7xma8dLCGKunGYMbsgnLwFkEf9TU5qARQ5u73UplyvXj5bHnOxT4T5oSC74EDNEPBdujV5y/GQQlAhmSUWBD7tPlHRyGCDqmkp1/YNiBhAkQN4Jff0DWuVUSNyY6OhIz8AR88krOgO7FyrXrP45eLnJQ3kWvUyYilwPljzzhYVZv7sRO0nRvIi8TMZwf0cCX2LcR26MSF+ToiWf+3xZJgDHs3cKuKwphZ2SSX3fcWxLS0FFnPtilLhlO6k38mr9W4Bp0eW/38M50W6BQW5st7BQ2XZvr5O0gnCUA0TZTukw9SWi8m0A2flLWWc9+psMPwpPqQe2fESHM0CrLir4zBK6Af3VixNLXlC404b0hY8zmvyISBqnO4Qd/9HPBd/S68GqGLmH54Gi8iMxrcIedJDMOU8UMYh2aCdOkisZNecMkkCgF+aU7ZnUwVSs35rompqKes95KA5BNh9Cyt+vuBRMpDY3b2kS9ANk93PbBopyE1+M0DW6KDEmoWxALL17s8w/q77LY01YO4R968fkKvceg6KsyOjK5j1D7uNROn2iIe8nMg+5YHZnOHFjc5OgZ4BU0FuDFHKW1NY3ZoaSKcuCtkDzguGjR/INbQKgYdCRa9IXLsVcdSC5CubLXdKq3aXFkGMqBgwTBaKcm29Pd7RDHMXUM3GomL9TOptYEdNcVhL5ondRxAvAXYCtF709LOCx511FBbk9Mm0mB+7fBGInmFOI6nHrbQBfK1OZQR5g4XyrBr11e5jGRRHS35nbQLaGuJ2etOPXhuHs0LLz1T3tw3o2+Inbbex1zA1doRULEsfoejxTUGCtKAxlUVEEynUXXxZQAi8QZD7NLKy50y58chcKNlDYx9Ta35XkU3+V/OAioEVLL+caEMb1upQ1a7T9xxxY9e4MFhTCv+AaqvIjdM7JSAOBX0UxTp8TIqpaCSp0ldl0Gk49yGtvW4A78hMrqXS995o3e3f26tm6vw+iJN2s1P4dY5058P9SJOC6U2kyQXcZ/D+do7jyHiwzH2g0I0hPKZaOikKU3FHX7pwgcBpAGEkGd6rcv3xDGUMKhBgOg21GLMwbm2NqUyvttxw3MXsNPvvGBzg943hLbJuCY341bRBLVf/8oUVLaXYVOBie8UQDFVLl+nHgpXvMjPxJvqMiqeHbkXojWndtiPGk9BwmrvsnrJOfgOtATQTM7URyooEqnfbgkQZDTvOo8DUF9fFV18wvUwhpIl1H0GEzRQFhNUtR2wvjAZI85N9+AHHWZkuQmONM2FY7YFUgUUXVwN+/pFrFfquQtO4spjUpldw3UJ+iRpBg1iRQp7Gyo2JATEL319P++MzTWRwcRHEHN8OeqC6FAGUEHfz/yhVn4cydvyOsvV0UrGvxGtFYlIowZ8N57XNK8drWrruqqROHs/XIJ0Gy9lgMee7YW54FriSf7tUJ0bp+FhmI+448vP1V+nUw==</e:CipherValue>
                </e:CipherData>
              </e:EncryptedData>
            </s:Security>
            <wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                soapenv:mustUnderstand="0" wsu:Id="w_22">https://datapowerhost:9443/EA_PolicyManagement</wsa:To>
            <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                soapenv:mustUnderstand="0" wsu:Id="w_23">7b2ea80c6c244895:-2d9fa521:12fd827f23d:-7efc</wsa:MessageID>
            <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                soapenv:mustUnderstand="0" wsu:Id="w_24">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</wsa:Action>
          </soapenv:Header>
          <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="w_21">
            <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="w_26" Type="http://www.w3.org/2001/04/xmlenc#Content">
              <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
              <e:CipherData>
                <e:CipherValue>46PR1L0wm19apttorJp0Oo5HAXllYmbwcJk7BYdR87mH9kbi6CxSnkl+TMNf9VXkfmpo2ATFuH2XHgpYUvLtw5i+VUqF/fXUPWL6/1Hvi4FhQBPp4zcI7gebiLSatEv/OdzhSGh96VRMELoER5Jlw8kclLH/IIu5AykqBvF5mJ+/0rr01sPxFqkDe/tAT+FFyIY6igsPJ+hsNv129c9pUwW++3ToZawSQDRxRYU9U6WqxxVctPCIy0h1XU5jwLis0CQmBTBCn1PRKLy4waRLhABnneOwBKWurSM5TMyPU6Hx+vzSAfvw3TMzi/01fEmcy8/GkS/1jwWDA48mzrkSbfyKDw/lbUrgKnaQrjZsTDNB0Lg1FKCDzqZC4aoL5b9lymZdV8yZPCecm2MRwiF8LmSNVIbyaq9rcV9Dipo2UzFE2sn14JJVazv+GHnUOYtCpFb80Y372MQC3DkmKJMj1vMlpMlu1t1DKV3E8FX4144GoHwUnrE6mbe5teqN/IHZlJ5FWdz2GypA2mg+Id+4XlC6Ig0n6csKL8RKDou+4vc9dULkx9ZofjHSwUVEwT7O8Pa5e9OTbseJeJPl4m+BSoTH9b44fBL9hc7A+m1LCDYf65pDDJPduRX169RKjdz4Ff5uWrYzQpI1fl/hSiDpGaL0pMO4givLPLdmHHR8GZGZ5DBwkXTCwKID1dTQLLlQYPhpjDSF7FomtP2MBH8edHn0Sb8sC/UDcePUJjMLkdljMxxTFh1/WPP40s1hXVLTMmSAD1YVKpDk2OX/8aDAVEDZBCfWonLaZPqoS1OBpf+6du4lEBYr87ZJZ9ObHVxGCTxeRpEJVWf+E72vEbzrrDYlMK1QH5QVudwwqxrTUqKYUa6DkN5FfO6SWW0Czi565bP7LznLIhI90...</e:CipherValue>
              </e:CipherData>
            </e:EncryptedData>
          </soapenv:Body>
        </soapenv:Envelope>
        


        The EncryptedKey is using Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" and DataPower is expecting http://www.w3.org/2001/04/xmlenc#kw-aes128.

        Also, I've tried changing the algorithm suite to Basic128Sha256 and then datapower complains that:

        
        Invalid key encryption algorithm with message using http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p and policy dictates http://www.w3.org/2001/04/xmlenc#kw-aes128
        


        So, how can I set the correct algorithm so that DataPower recognizes it? The same request message works fine with the same algorithm and setup in Process Server. Before making any changes to the WSDL or policies I make the changes in my WPS and test the changes there, and then I try them on DataPower.
        Is there any IBM support that can create a simple sample where there is a secure conversation between datapower and WPS/WAS and post it here?

        Any help would be really appreciated!

        TKX!
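An added example (not from the thread and not DataPower code) that puts the two error messages above next to the AlgorithmSuite table of WS-SecurityPolicy 1.2. In that table KwAes128 is the symmetric key wrap of both Basic128Rsa15 and Basic128Sha256, while KwRsa15 (rsa-1_5) and KwRsaOaep (rsa-oaep-mgf1p) are their asymmetric key wraps; the "policy dictates" value in both errors is therefore the suite's symmetric key wrap, which is what a SymmetricBinding applies, and the algorithm found in the message is the asymmetric key transport that the BootstrapPolicy's AsymmetricBinding calls for. The code builds the suite table and checks a message's xenc:EncryptedKey and xenc:EncryptedData against a suite under either binding. The sample envelope is constructed to carry the same algorithms as the request quoted above (rsa-1_5 key transport, aes128-cbc data encryption) with placeholder ciphertext.

```python
# Added example, not from the thread: WS-SecurityPolicy 1.2 AlgorithmSuite
# properties relevant to XML Encryption ([Enc], [Sym KW], [Asym KW], [Dig])
# and a check of a message's EncryptedKey / EncryptedData against a suite
# under the binding that protects the message.  The envelope is constructed.
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

SHA1, SHA256 = DS + "sha1", XENC + "sha256"
RSA15, OAEP = XENC + "rsa-1_5", XENC + "rsa-oaep-mgf1p"


def _suite(enc, sym_kw, asym_kw, dig):
    return {"enc": enc, "sym_kw": sym_kw, "asym_kw": asym_kw, "dig": dig}


# Suite name suffixes only change the asymmetric key wrap (Rsa15 instead of
# RSA-OAEP) and the digest (Sha256 instead of SHA-1); the symmetric key wrap
# is always the AES/3DES key wrap that matches the data-encryption cipher.
_VARIANTS = (("", OAEP, SHA1), ("Rsa15", RSA15, SHA1),
             ("Sha256", OAEP, SHA256), ("Sha256Rsa15", RSA15, SHA256))
SUITES = {}
for bits in (128, 192, 256):
    for suffix, asym_kw, dig in _VARIANTS:
        SUITES[f"Basic{bits}{suffix}"] = _suite(
            f"{XENC}aes{bits}-cbc", f"{XENC}kw-aes{bits}", asym_kw, dig)
for suffix, asym_kw, dig in _VARIANTS:
    SUITES[f"TripleDes{suffix}"] = _suite(
        f"{XENC}tripledes-cbc", f"{XENC}kw-tripledes", asym_kw, dig)


def message_algorithms(envelope_xml):
    """(key-wrap algorithm of the first xenc:EncryptedKey, or None;
    set of data-encryption algorithms used by xenc:EncryptedData elements)."""
    root = ET.fromstring(envelope_xml)
    ek_method = root.find(f".//{{{XENC}}}EncryptedKey/{{{XENC}}}EncryptionMethod")
    key_wrap = None if ek_method is None else ek_method.get("Algorithm")
    data_algs = set()
    for ed in root.iter(f"{{{XENC}}}EncryptedData"):
        method = ed.find(f"{{{XENC}}}EncryptionMethod")
        if method is not None:
            data_algs.add(method.get("Algorithm"))
    return key_wrap, data_algs


def check_against_suite(suite_name, binding, envelope_xml):
    """Compare the message's algorithms with the suite.

    binding is "asymmetric" (session key transported under an X.509 key, as
    in the RST bootstrap exchange) or "symmetric" (key wrapped under the
    shared, SCT-derived key).  Returns [(what, message_value, policy_value)]
    for every mismatch, so an empty list means the message fits the policy.
    """
    suite = SUITES[suite_name]
    expected_kw = suite["asym_kw"] if binding == "asymmetric" else suite["sym_kw"]
    key_wrap, data_algs = message_algorithms(envelope_xml)
    problems = []
    if key_wrap is not None and key_wrap != expected_kw:
        problems.append(("key encryption", key_wrap, expected_kw))
    for alg in sorted(data_algs):
        if alg != suite["enc"]:
            problems.append(("data encryption", alg, suite["enc"]))
    return problems


# Constructed request with the same algorithms as the one quoted in the thread.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="{RSA15}"/>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#w_26"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData xmlns:xenc="{XENC}" Id="w_26" Type="{XENC}Content">
      <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for suite in ("Basic128Rsa15", "Basic128Sha256"):
        for binding in ("symmetric", "asymmetric"):
            print(suite, binding, check_against_suite(suite, binding, SAMPLE_REQUEST))
```

Checked as a symmetric-binding message, the sample reproduces the first error verbatim (message rsa-1_5, policy kw-aes128); the same message checked under the asymmetric bootstrap binding passes. Swapping the key transport to rsa-oaep-mgf1p and the suite to Basic128Sha256 reproduces the second error under the symmetric binding and again passes under the asymmetric one, which is the pattern the two log lines above show.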
  • SystemAdmin

    Re: Web Service Proxy encryption/decryption example, tutorial

    2012-12-19T11:53:31Z  in response to SystemAdmin
    How do I decrypt the SOAP request in a WSP operation-level rule using SOAPAction?

    I am sending the encrypted SOAP request to the WSP. I have added the SOAPAction header with the value of the particular operation name. In the WSDL I also specified the same soapAction name. I want to decrypt this request in an operation-level rule, but it is showing the following error in the FSH...

    source-http (calculator_FSH): No WS-Proxy service endpoints match operation in SOAP request as required by WS-I BP1.0/1.1 R2744 or R2745.