Calling a service hosted on a XI50 box. The service is secured by a X.509 public cert, I can import the keystore and have defined the signature for the within the keystore. It fails AAA every time.I have started SOAPUI with Sun and IBM's JSSE and doesn't make a difference.I took a look between a WAS app that makes the call and gets through and SOAPUI and major difference seems to be the Value Type. The message that work have X509v3 as the valueType.#1 could that be the issue, and is there a way to modify this type.#2 what else could it be.. Very frustrated.. Please help.

Are you using the Verify step in datapower to secure the messages, or an AAA step?What's the actual error DP gives you?The verify step is pretty flexible - you can try a different signature type. We generally use Subject Key Identifier. If you have a requirement to use BST, though, that doesn't help much.

It is failing in the AAA step.. Attached is a dump from DP.We do not have a requirement for BinaryToken, but other apps using WAS and JUNIT have the message working with BT ( See good messages below).I have attached a message from another application that is working correctly.I have also submitted this to IBM datapower team and have recieved the following response:There is one known issue with SOAPUI and DP, and above information will help us confirm if we are encountering the same problem. This known issue occurs when HTTP header Content-Type has params whose values are not double-quoted. Popular tools such as SoapUI automatically generate Content-Type headers w/o the double-quotes, which causes requests to fail in DataPower. The device adhere the RFC 822.I did check the raw log for SOAP UI and nothing did seem to be double-quoted. I don't believe this has anything to do with the AAABut how would I modify the content to be double-quoted to eliminate these concerns. MIICXjCCAhygAwIBAgIERv0f1zALBgcqhkjOOAQDBQAwEjEQMA4GA1UEAxMHQ0FQVGVzdDAeFw0wNzA5MjgxNTM3NTlaFw0xNzA5MjUxNTM3NTlaMBIxEDAOBgNVBAMTB0NBUFRlc3QwggG4MIIBLAYHKoZIzjgEATCCAR8CgYEA/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HXKu/yIgMZndFIAccCFQCXYFCPFSMLzLKSuYKi64QL8Fgc9QKBgQD34aCF1ps93su8q1w2uFe5eZSvu/o66oL5V0wLPQeCZ1FZV4661FlP5nEHEIGAtEkWcSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjgo64eK7OmdZFuo38L+iE1YvH7YnoBJDvMpPG+qFGQiaiD3+Fa5Z8GkotmXoB7VSVkAUw7/s9JKgOBhQACgYEAzkwA4iRA2MxFhsBJNEVe8NZk8qJ7TZqlQZWjDO5FWL4dICH+E+ln/2xV+SEXH2xE3Cqmj2zShcg0DD7FmOUIiO+E+wd9mUmlShKFqxr81L87xf/uePOTGREgYXy7tHgG+lanzjR1QtdzwiECr+COOaukvQFYfjmu3eKswefNbR8wCwYHKoZIzjgEAwUAAy8AMCwCFEm0Iz0Oss4/jGvzF2A/9fg3QBL2AhQFjmfu1U9tV0kcdL2BU6EeN0OQLA== IYAxeIIPAHtdrA60MHrYrm3VjAQ= JSm0SvVIB8bl2dRdwZADTwH2Gao= NXgrzcLFv0Qdc/qAQV+uOv2+zVxi9y0DKEIrQcpMW8yyaXjGkYiR4w== 2008-09-11T22:17:59.735Z 2008-09-11T22:22:59.735Z 011 474310285 069

Hi!well, I can easily add an option to quote the Content-Type header if that would help!?regards,/Oleeviware.com

Hi Mark,the 2.5-beta1 should correctly detect the valuetype to be X509v3, could you try it out to see if it works better?regards!/Oleeviware.com

Still seems to be using the same value type.ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"Attached the raw message as sent and failed AAA.Also running the newest beta copy and the type is still not double-quoted as mentioned above. 2008-10-06T15:52:45.836Z2008-10-06T15:57:45.836ZMIICYjCCAl4wggIcoAMCAQICBEb9H9cwCwYHKoZIzjgEAwUAMBIxEDAOBgNVBAMTB0NBUFRlc3QwHhcNMDcwOTI4MTUzNzU5WhcNMTcwOTI1MTUzNzU5WjASMRAwDgYDVQQDEwdDQVBUZXN0MIIBuDCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAM5MAOIkQNjMRYbASTRFXvDWZPKie02apUGVowzuRVi+HSAh/hPpZ/9sVfkhFx9sRNwqpo9s0oXINAw+xZjlCIjvhPsHfZlJpUoShasa/NS/O8X/7njzkxkRIGF8u7R4BvpWp840dULXc8IhAq/gjjmrpL0BWH45rt3irMHnzW0fMAsGByqGSM44BAMFAAMvADAsAhRJtCM9DrLOP4xr8xdgP/X4N0AS9gIUBY5n7tVPbVdJHHS9gVOhHjdDkCw=4TF2svtBZ2Idy6H4hwt0Y0fHb28=DJCUgJFQqzrsXcfhJFrQTBfzx8JRZ4xXUw6eA16/aYwjC2gwoMspwA== 011 TEST5 069

X.509 Cert Failing Triple AAA | SmartBear Community

17 Replies

Mark_Hansen
Occasional Contributor
16 years ago
Additional information from IBM datapower support for support that SOAPUI uses for the token type

(IBM Writes)
Thank you for the additional information.
I am still working on the recreate. However, I would like to confirm that DataPower does support X509PKIPathv1 token. However if we can reproduce that, I can forward it to engineering team to evaluate for possibly bug.
I will contact you again within 2 days with some update or any additional question.
Mark_Hansen
Occasional Contributor
16 years ago
Has there been a resolution to this??
omatzura
Super Contributor
16 years ago
Hi Mark,

sorry for the silence, I'm working on this and will let you know when I have more info.. Monday presumably!

regards,

/Ole
eviware.com
Mark_Hansen
Occasional Contributor
16 years ago
Thanks.. I apperciate the help.. I'll look for something Monday.. HAGW..
omatzura
Super Contributor
16 years ago
Hi Mark,

ok, I've dug into this a little; it seems that you get the correct V3 ValueType if you t select the "Use Single Certificate" option only; if you don't select it the wss4j uses the V1 ValueType since there may be other certificates in the certificate chain that are of this type. I'm not sure if this is correct behavior and I could fix this by checking all certificates, but on the other hand which valuetype should it be if there are both V1 and V3 certificates in the chain? The type of the "last" certificate?

Before I dig in more and try to work around this I wanted to check if you could use the "Use Single Certificate" option as I have to get the V3 ValueType!?

I'll send you screen-shots of my settings via mail!

regards,

/Ole
eviware.com
Mark_Hansen
Occasional Contributor
16 years ago
Per your e-mail we tried the "Use Single Cert" and SOAPUI submits 2 transactions. 1 fails AAA and the other gets passed it. Also, I'm getting a 500 return code to SOAPUI due to the second sumbit.

Not sure why it's submitting more than one request for this option.. Can you take a look at it. Thanks. If we got it to only submit one request it'd probably work.
omatzura
Super Contributor
16 years ago
Hi,

ok.. at least we're getting somewhere.. I have no idea why you are getting 2 submits.. can you try the latest build available from http://www.eviware.com/nightly-builds/2008-10-13/?

regards,

/Ole
eviware.com

Forum Discussion

X.509 Cert Failing Triple AAA

17 Replies

Related Content

X.509 Encryption

New Collaborator install fails to load page.

TestComplete Playback Failing

-- rerun failed scenarios

Test Fails When Running with Tag: Double Parameter Default Issue

Recent Discussions

Multiple Kafka consumers performance test

Multipart requests getting blocked by the Azure WAF 200003

Automated Regression / Health-checks?

command line on how to retrieve license file ?

How to avoid JDBC connection password saving/visibility in exported .xml ready API file of project.