Support Forums : WSS4J x.509 security problem Fuse 4.4.1 ...

FuseSource is now a part of Red Hat!

For any other questions, please do not hesitate to contact Red Hat.

Forum Home » Fuse Distributions » Fuse ESB

Thread: WSS4J x.509 security problem Fuse 4.4.1

Welcome, Guest

Guest Settings

Reply to this Thread

Search Forum

Back to Thread List

Replies: 12 - Last Post: Jun 9, 2012 1:04 PM Last Post By: gertv

jpepalmero

Posts: 53
Registered: 11/24/11

WSS4J x.509 security problem Fuse 4.4.1
Posted: Mar 9, 2012 8:52 PM

Hi all,

Currently I have the problem described in this issue.

[1]http://fusesource.com/issues/browse/ESB-1245

This bug is solved, I put my file in the folder etc?.

Thank´s

ffang

Posts: 1,286
Registered: 12/24/07

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Mar 12, 2012 1:11 AM

in response to: jpepalmero

Hi,

To configuration WSS4JIn/OutInterceptor, you actually have two ways to configure
signature properties(or other wss4j properties) file

1. use signaturePropFile
This generally pass in a url for the properties file, that's could cause problems in OSGi world as it need the properties files available on the classpath of another bundle(cxf or wss4j), but we can't specify all necessary resources for a given bundle(cxf or wss4j) beforehand, so during runtime you could see such
java.lang.RuntimeException: CryptoFactory: Cannot load properties: MyKeystore.properties
As the solution posted in ESB-1245, you need put those properties files in a fragment bundle and attach it to cxf bundle, here cxf bundle play the role as host bundle.

Or
2. use signaturePropRefId instead.
This way you just pass a java.util.Properties or org.apache.ws.security.components.crypto.Crypto object, which works more graceful in OSGi world

Freeman

jpepalmero

Posts: 53
Registered: 11/24/11

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Mar 12, 2012 7:40 PM

in response to: ffang

Thank´s.

Is there any method to define a single bus.xml for all my cxf-bc components, and only one file. jks and keystore.properties ?

watermelonjam

Posts: 3
Registered: 05/24/12

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: May 25, 2012 7:53 PM

in response to: jpepalmero

Just a note on option 1:

I've got a fragment bundle with the requisite security artifacts as part of a feature definition. The feature installed fine on FUSE 4.3.x, and the CXF bundle got refreshed automatically to pick up the fragment. On FUSE ESB 4.4, there's now a problem installing the feature:

caused by: Unable to resolve 281.0: missing requirement http://281.0] host; (&(bundle-symbolic-name=org.apache.cxf.bundle)(bundle-version>=2.4.3)(!(bundle-version>=3.0.0)))

...where 281 is the id of the security fragment bundle. I suspect (perhaps wrongly) that this may be related to the new "You are about to access system bundle ..." console behaviour that requires confirmation. If I put the security fragment bundle in the deploy directory, and refresh the CXF bundle, type yes at the prompt - the fragment is properly attached with no error.

I can then remove the security bundle entry from the feature file, and the feature installs properly thereafter.

D.

ffang

Posts: 1,286
Registered: 12/24/07

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: May 27, 2012 5:42 AM

in response to: watermelonjam

Hi,

I think the error comes from that when you install the feature which have the fragment bundle, the CXF bundle not get installed yet, so that run into such error. You can add cxf feature in your customer feature also which ensure CXF bundle get installed when install your customer feature.

Besides the fragment bundle way to pick properties, I really recommend the way to use
signaturePropRefId in OSGi container(The option2 I mentioned before, which is more graceful in OSGi container), the configuration looks like

<bean id="wss4jInInterceptor"
class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Signature"/>
<entry key="signaturePropRefId" value="wsCryptoProperties"/>
<entry key="wsCryptoProperties" value-ref="wsCryptoProperties"/>
</map>
</constructor-arg>
</bean>

<util:properties id="wsCryptoProperties">

<prop
key="org.apache.ws.security.crypto.provider">org.apache.ws.security.components.crypto.Merlin</prop>

<prop
key="org.apache.ws.security.crypto.merlin.keystore.type">jks</prop>

<prop
key="org.apache.ws.security.crypto.merlin.keystore.password">${KeystorePassword}</prop>

<prop
key="org.apache.ws.security.crypto.merlin.file">${KeystoreLocation}</prop>
</util:properties>

Freeman

jpepalmero

Posts: 53
Registered: 11/24/11

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 6, 2012 5:25 PM

in response to: ffang

Good afternoon,

I have made this choice and is the most correct. The problem is that it can not find the path specified in $ {KeystoreLocation} . I am using fuse esb 4.4.1 .

What is the problem?

ffang

Posts: 1,286
Registered: 12/24/07

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 12:00 AM

in response to: jpepalmero

Hi,

I guess you use signaturePropRefId way, right?
If so, you need put $ {KeystoreLocation} in your bundle, for an instance, the $ {KeystoreLocation} is server-truststore.jks, then you need have something like
./src/main/resources/server-truststore.jks
in your bundle.

Freeman

jpepalmero

Posts: 53
Registered: 11/24/11

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 11:04 AM

in response to: ffang

You can not outsource and use one common to several services?

ffang

Posts: 1,286
Registered: 12/24/07

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 12:33 PM

in response to: jpepalmero

Hi,

Yes, you can.

For example if you put server-truststore.jks in $FUSE_ESB/etc folder, then you can use
<prop
key="org.apache.ws.security.crypto.merlin.file">etc/server-truststore.jks</prop>

Freeman

jpepalmero

Posts: 53
Registered: 11/24/11

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 12:47 PM

in response to: ffang

No, I've tried but not working. Do I need defined any environment variables in fuse?

ffang

Posts: 1,286
Registered: 12/24/07

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 12:51 PM

in response to: jpepalmero

Hi,

It works for me?

How you start FUSE ESB?

I start FUSE ESB like
cd $FUSE_ESB/bin
./servicemix

Freeman

jpepalmero

Posts: 53
Registered: 11/24/11

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 1:12 PM

in response to: ffang

I've tried it on multiple machines, and only works in one machine.

gertv

Posts: 167
Registered: 06/18/08

Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 9, 2012 1:04 PM

in response to: jpepalmero

L.S.,

Are those two machines on the same OS/JVM/... versions? If not, it would be good to know about the differences so we can start looking at a platform-specific issue for that particular setup.

Regards,

Gert Vanthienen

Back to Thread List

FUSE Open Source Community is a community resource for open source service oriented architecture (SOA) and application integration products and technologies. FUSE offers products based on Apache ServiceMix, Apache ActiveMQ, Apache CXF and Apache Camel which are certified, productized and fully supported by the people who wrote the code. Learn about ActiveMQ with our training, support, and consulting on ActiveMQ performance. FUSE also offers integration software that allows developers to service-enable existing components or build new services with preconfigured enterprise integration patterns. FUSE ESB 4 for enterprise service bus is an open source integration platform for BPEL components that supports the latest emerging standards like OSGi and JBI 2.0. FUSE Services Framework allows Java developers to create reusable RESTful services using front-end programming APIs like JAX-WS. Our powerful message oriented middleware solution, FUSE Message Broker, offers a cost-effective and flexible open source messaging platform. FUSE also works to enhance your SOA using content based routing with FUSE Mediation Router.