Friday, March 12, 2010

X509 Certificate Testing

Strategy

  1. Generate a keystore for the "Service Provider"
  2. Extract the "service provider's" certificate 
  3. Generate a separate keystore for the "Service Consumer"
  4. Import the "service provider's" certificate into the service consumer's keystore
  5. Configure the SOAP UI to perform Encryption, Signature, Password, DateTime as shown below.
  6. Create a policy in OWSM (copy one of the system-provided policies)
  7. Add assertions. Enforce logging as one of the assertions
  8. Register the web service and attach this policy to it.
  9. Test the request with the SOAP UI.
Concepts
  • It is important to understand what happens during an outbound request
  • For Authentication - the consumer provides the "userid" and "password", which the Provider uses to authenticate through the security provider (by connecting to the LDAP or a custom repository)
  • For Authorization - the consumer provides the "userid" and "password", which the Provider uses to authenticate through the security provider (by connecting to the LDAP or a custom repository)
  • For Confidentiality - the message is encrypted with the public key of the Provider. For this reason you need to select the provider's certificate that has been imported, by providing its alias
  • Based on the policy being enforced at the provider's OWSM, provide the corresponding "Key Identifier Type", "Encoding Algorithm" and "Key Encryption Algorithm"
  • For Integrity - the message should be signed with the private key of the consumer, so provide the corresponding alias.
Generate a Keystore


Execute the following command in a single line

keytool -genkey -dname "cn=Chandu Sankuratri, ou=soa, o=CrystalTrain, c=US" -alias dssoa -keypass iag12345 -keystore C:\chandu\Keystore -storepass iag12345 -validity 365 -keyalg "RSA"

Note: Ensure that the key algorithm is "RSA", as SoapUI expects this. If you do not provide -keyalg, the default is DSA and you will see the exception java.lang.IllegalArgumentException: not an RSA key

You should verify the certificate by executing the following commands

keytool -export -alias dssoa -file dssoa.cer -keystore C:\chandu\Keys\keystore -storepass iag12345

keytool -printcert -file C:\chandu\Keys\dssoa.cer

This should print output similar to the following:

Serial number: 4b9abe40

Valid from: Fri Mar 12 17:20:48 EST 2010 until: Sat Mar 12 17:20:48 EST 2011
Certificate fingerprints:
MD5: 53:DB:0B:86:71:2E:5D:95:E8:EA:8C:D6:89:B2:D2:06
SHA1: EA:B0:90:F5:A9:12:FF:E9:A0:7A:96:F9:77:79:71:6B:18:62:86:3F
Signature algorithm name: SHA1withRSA
Version: 3
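The keystore steps 1-4 of the strategy above, together with the RSA caveat from the note, as a script. This is an added example and not part of the original post; the work directory, consumer alias, distinguished names and store password are constructed values, only the provider alias "dssoa" comes from the post, and the keytool option names are the standard ones (-genkeypair is the current spelling of -genkey).

```shell
#!/bin/sh
# Added example, not code from the original post: scripts steps 1-4 of the
# strategy with keytool and then checks the caveat from the keystore note
# (the provider key must be RSA, or SoapUI fails with "not an RSA key").
# WORKDIR, the consumer alias, the DNs and STOREPASS are constructed values.
set -eu

WORKDIR="${WORKDIR:-./x509-test}"     # constructed; the post uses C:\chandu\Keys
PROVIDER_ALIAS="dssoa"                # provider alias from the post
CONSUMER_ALIAS="consumer"             # constructed
STOREPASS="changeit-example"          # constructed placeholder

# Step 1 / 3: a keystore holding a fresh RSA key pair for one party.
gen_keystore() {  # $1 alias, $2 keystore file, $3 distinguished name
  keytool -genkeypair -dname "$3" -alias "$1" -keyalg RSA -keysize 2048 \
    -keypass "$STOREPASS" -keystore "$2" -storepass "$STOREPASS" \
    -validity 365 >/dev/null 2>&1
}

# Step 2: export the provider's certificate (public key only, no private key).
export_cert() {  # $1 alias, $2 keystore file, $3 output .cer
  keytool -export -alias "$1" -keystore "$2" -storepass "$STOREPASS" \
    -file "$3" >/dev/null 2>&1
}

# Step 4: import that certificate as a trusted entry in the consumer's keystore,
# so the consumer can encrypt to the provider's public key (Confidentiality).
import_cert() {  # $1 alias, $2 keystore file, $3 input .cer
  keytool -importcert -noprompt -alias "$1" -keystore "$2" \
    -storepass "$STOREPASS" -file "$3" >/dev/null 2>&1
}

# Caveat check: a self-signed cert's signature algorithm names the key type,
# so "SHA256withRSA" means RSA, "SHA256withDSA" would mean the wrong default.
cert_is_rsa() {  # $1 .cer file; returns 0 for RSA, 1 otherwise
  keytool -printcert -file "$1" | grep -q 'Signature algorithm name:.*RSA'
}

# Runs steps 1-4 and the RSA check; returns 0 only if every step succeeded.
setup_keystores() {
  mkdir -p "$WORKDIR"
  gen_keystore "$PROVIDER_ALIAS" "$WORKDIR/provider.jks" "cn=provider, ou=soa, o=Example, c=US"
  export_cert "$PROVIDER_ALIAS" "$WORKDIR/provider.jks" "$WORKDIR/$PROVIDER_ALIAS.cer"
  gen_keystore "$CONSUMER_ALIAS" "$WORKDIR/consumer.jks" "cn=consumer, ou=soa, o=Example, c=US"
  import_cert "$PROVIDER_ALIAS" "$WORKDIR/consumer.jks" "$WORKDIR/$PROVIDER_ALIAS.cer"
  cert_is_rsa "$WORKDIR/$PROVIDER_ALIAS.cer"
}
```

Call setup_keystores from a shell that has the JDK's keytool on PATH; provider.jks is what the provider side uses, consumer.jks (with the imported dssoa entry) is what you register in SoapUI.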

Add the generated keystore to SoapUI

Configure the outgoing SOAP request for encryption with the X509 certificate. Similarly, you can also add "User Name", "Password" and the Signature.

Associate the configured security with the request

3 comments:

  1. Hi,

    I am trying to configure SOAP UI for OWSM X.509. I registered my keystore in SOAP UI and configured the signature and encryption attributes.
    On trying to invoke the policy-enforced endpoints

    I am facing a problem. I am getting the following exception on the server side.

    Can you tell us how we can configure SOAP UI to invoke with an X.509 certificate?

    #### <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <1305565563746>
    #### <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <1305565692825>

  2. Caused By: javax.crypto.BadPaddingException: Data must start with zero
    at sun.security.rsa.RSAPadding.unpadOAEP(RSAPadding.java:393)
    at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:257)
    at com.sun.crypto.provider.RSACipher.a(DashoA13*..)
    at com.sun.crypto.provider.RSACipher.engineDoFinal(DashoA13*..)
    at javax.crypto.Cipher.doFinal(DashoA13*..)

  3. I am facing a problem. Can you tell us how we can configure SOAP UI to invoke with an X.509 certificate?

    sap testing
