Thread: WSS4J x.509 security problem Fuse 4.4.1
Replies: 12 - Last Post: Jun 9, 2012 1:04 PM - Last Post By: gertv
jpepalmero

Posts: 53
Registered: 11/24/11
WSS4J x.509 security problem Fuse 4.4.1
Posted: Mar 9, 2012 8:52 PM
Hi all,

Currently I have the problem described in this issue.

[1] http://fusesource.com/issues/browse/ESB-1245

This bug is solved. Do I put my file in the etc folder?

Thanks
ffang

Posts: 1,320
Registered: 12/24/07
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Mar 12, 2012 1:11 AM   in response to: jpepalmero
Hi,

To configure WSS4JIn/OutInterceptor, you actually have two ways to specify the signature properties (or other WSS4J properties) file:

1. Use signaturePropFile.
This generally passes in a URL for the properties file. That can cause problems in the OSGi world, as it needs the properties file to be available on the classpath of another bundle (cxf or wss4j), but we can't specify all necessary resources for a given bundle (cxf or wss4j) beforehand, so during runtime you could see something like
java.lang.RuntimeException: CryptoFactory: Cannot load properties: MyKeystore.properties
As in the solution posted in ESB-1245, you need to put those properties files in a fragment bundle and attach it to the cxf bundle; here the cxf bundle plays the role of host bundle.

Or
2. Use signaturePropRefId instead.
This way you just pass a java.util.Properties or org.apache.ws.security.components.crypto.Crypto object, which works more gracefully in the OSGi world.

Freeman
jpepalmero

Posts: 53
Registered: 11/24/11
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Mar 12, 2012 7:40 PM   in response to: ffang
Thanks.

Is there any way to define a single bus.xml for all my cxf-bc components, and only one .jks file and keystore.properties?
watermelonjam

Posts: 3
Registered: 05/24/12
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: May 25, 2012 7:53 PM   in response to: jpepalmero
Just a note on option 1:

I've got a fragment bundle with the requisite security artifacts as part of a feature definition. The feature installed fine on FUSE 4.3.x, and the CXF bundle got refreshed automatically to pick up the fragment. On FUSE ESB 4.4, there's now a problem installing the feature:

caused by: Unable to resolve 281.0: missing requirement [281.0] host; (&(bundle-symbolic-name=org.apache.cxf.bundle)(bundle-version>=2.4.3)(!(bundle-version>=3.0.0)))

...where 281 is the id of the security fragment bundle. I suspect (perhaps wrongly) that this may be related to the new "You are about to access system bundle ..." console behaviour that requires confirmation. If I put the security fragment bundle in the deploy directory, refresh the CXF bundle, and type yes at the prompt, the fragment is properly attached with no error.

I can then remove the security bundle entry from the feature file, and the feature installs properly thereafter.

D.
ffang

Posts: 1,320
Registered: 12/24/07
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: May 27, 2012 5:42 AM   in response to: watermelonjam
Hi,

I think the error comes from the fact that when you install the feature which has the fragment bundle, the CXF bundle has not been installed yet, so you run into such an error. You can add the cxf feature to your custom feature as well, which ensures the CXF bundle gets installed when you install your custom feature.

Besides the fragment bundle way to pick up properties, I really recommend using signaturePropRefId in an OSGi container (option 2 I mentioned before, which is more graceful in an OSGi container); the configuration looks like

<bean id="wss4jInInterceptor"
      class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="Signature"/>
            <entry key="signaturePropRefId" value="wsCryptoProperties"/>
            <entry key="wsCryptoProperties" value-ref="wsCryptoProperties"/>
        </map>
    </constructor-arg>
</bean>

<util:properties id="wsCryptoProperties">
    <prop key="org.apache.ws.security.crypto.provider">org.apache.ws.security.components.crypto.Merlin</prop>
    <prop key="org.apache.ws.security.crypto.merlin.keystore.type">jks</prop>
    <prop key="org.apache.ws.security.crypto.merlin.keystore.password">${KeystorePassword}</prop>
    <prop key="org.apache.ws.security.crypto.merlin.file">${KeystoreLocation}</prop>
</util:properties>

Freeman

jpepalmero

Posts: 53
Registered: 11/24/11
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 6, 2012 5:25 PM   in response to: ffang
Good afternoon,

I have made this choice and it is the most correct one. The problem is that it cannot find the path specified in ${KeystoreLocation}. I am using Fuse ESB 4.4.1.

What is the problem?
ffang

Posts: 1,320
Registered: 12/24/07
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 12:00 AM   in response to: jpepalmero
Hi,

I guess you use the signaturePropRefId way, right?
If so, you need to put ${KeystoreLocation} in your bundle. For instance, if ${KeystoreLocation} is server-truststore.jks, then you need to have something like
./src/main/resources/server-truststore.jks
in your bundle.

Freeman
jpepalmero

Posts: 53
Registered: 11/24/11
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 11:04 AM   in response to: ffang
Can't you outsource it and use one common one for several services?
ffang

Posts: 1,320
Registered: 12/24/07
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 12:33 PM   in response to: jpepalmero
Hi,

Yes, you can.

For example, if you put server-truststore.jks in the $FUSE_ESB/etc folder, then you can use
<prop key="org.apache.ws.security.crypto.merlin.file">etc/server-truststore.jks</prop>

Freeman

jpepalmero

Posts: 53
Registered: 11/24/11
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 12:47 PM   in response to: ffang
No, I've tried, but it is not working. Do I need to define any environment variables in Fuse?
ffang

Posts: 1,320
Registered: 12/24/07
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 12:51 PM   in response to: jpepalmero
Hi,

It works for me.

How do you start FUSE ESB?

I start FUSE ESB like
cd $FUSE_ESB/bin
./servicemix

Freeman
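The thread turns on where Merlin finds the file named in org.apache.ws.security.crypto.merlin.file: inside the bundle (the ./src/main/resources answer) or on disk relative to the directory the JVM was started from (the etc/server-truststore.jks answer, which is why the start command matters). The following stand-alone diagnostic, added here and not code from the thread, Fuse or WSS4J, builds the same property set as the util:properties bean above, resolves the keystore classpath-first and then working-directory-relative, and loads it with the configured type and password so a wrong path, password or type fails before a WS-Security call does. The lookup order mirrors my understanding of Merlin and is an assumption; the file name and password in main are placeholders.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Properties;

/** Checks that a WSS4J Merlin keystore location resolves on this machine. */
public class KeystoreLocationCheck {

    /** Same keys as the wsCryptoProperties bean in the thread. */
    static Properties wsCryptoProperties(String keystoreFile, String keystorePassword) {
        Properties p = new Properties();
        p.setProperty("org.apache.ws.security.crypto.provider",
                "org.apache.ws.security.components.crypto.Merlin");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", keystorePassword);
        p.setProperty("org.apache.ws.security.crypto.merlin.file", keystoreFile);
        return p;
    }

    /** Assumed Merlin order: bundle classpath first, then a path relative to user.dir. */
    static InputStream openKeystore(String location) throws FileNotFoundException {
        URL onClasspath = KeystoreLocationCheck.class.getClassLoader().getResource(location);
        if (onClasspath != null) {
            System.out.println("resolved on classpath: " + onClasspath);
            try { return onClasspath.openStream(); } catch (java.io.IOException e) { throw new FileNotFoundException(location); }
        }
        File onDisk = new File(location);   // relative to the JVM working directory
        if (onDisk.isFile()) {
            System.out.println("resolved on disk: " + onDisk.getAbsolutePath());
            return new FileInputStream(onDisk);
        }
        throw new FileNotFoundException(location + " (working dir: " + System.getProperty("user.dir") + ")");
    }

    /** Loads the keystore; a wrong password or type throws here instead of inside the interceptor. */
    static KeyStore loadKeystore(Properties p) throws Exception {
        KeyStore ks = KeyStore.getInstance(p.getProperty("org.apache.ws.security.crypto.merlin.keystore.type"));
        try (InputStream in = openKeystore(p.getProperty("org.apache.ws.security.crypto.merlin.file"))) {
            ks.load(in, p.getProperty("org.apache.ws.security.crypto.merlin.keystore.password").toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: the thread's etc/server-truststore.jks path and an assumed password.
        KeyStore ks = loadKeystore(wsCryptoProperties("etc/server-truststore.jks", "changeit-placeholder"));
        System.out.println("keystore entries: " + ks.size());
    }
}
```

Run it from the same directory the container is started from on each machine; the printed "resolved on disk" path (or the working directory in the exception) shows why a relative etc/ path works on one host and not another.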
jpepalmero

Posts: 53
Registered: 11/24/11
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 7, 2012 1:12 PM   in response to: ffang
I've tried it on multiple machines, and it only works on one machine.
gertv

Posts: 167
Registered: 06/18/08
Re: WSS4J x.509 security problem Fuse 4.4.1
Posted: Jun 9, 2012 1:04 PM   in response to: jpepalmero
L.S.,

Are those two machines on the same OS/JVM/... versions? If not, it would be good to know about the differences so we can start looking at a platform-specific issue for that particular setup.

Regards,

Gert Vanthienen