Web Services - WS Security (Decryp and Sig) for responses

Occasional Contributor

We use SOAP UI for testing all our services. Our external services are secured using WS-Security (X509), encrypting and signing the message content.
- Consumer encrypts the message with Service public key and then signs the message with Consumer's private key
- The service then validates the signature using consumer's public key and decrypts the message using Service's private key
- The service then processes the request and prepares the response for sending
- The service then encrypts the message with Consumer's public key and signs the message with Service's private key
- The consumer then validates the signature with Service's public key and decrypts the message with its private key

We're trying to set up SOAP UI to test these secured services and are trying to do the following -
1. For request (Outgoing): SOAP UI encrypts the request message with Service public key and signs the message with Consumer's private key
2. For response (Incoming): SOAP UI validates the signature with Service's public key and decrypts the message with consumer's private key

We're able to do #1 above, that is, adding encryption and signature for the outgoing message. But for the response XML, we're unable to add details for signature validation and decryption, and SOAP UI shows the response in decrypted form.

So the question is: how can we set WS-Security (Signature validation and Decryption settings) for the response (Incoming message) so that we can see the actual response (and not a cryptic response)?


Refer to the following article that lists setting up WS-Security -
http://www.soapui.org/SOAP-and-WSDL/applying-ws-security.html
Refer to Section 3 Outgoing WSS and Section 4 Incoming WSS. Please note that Section 3 refers to Encryption and Signature but Section 4 does not provide this information. I want to understand how to set up security for responses.

Re: Web Services - WS Security (Decryp and Sig) for response

Hi,

for responses you need to create an incoming WSS configuration and specify which keystores soapUI should use for decrypting and verifying signatures (in the "Incoming WS-Security Configurations" tab) - then specify this incoming WSS configuration in the request's AUT tab. When the response is received soapUI will try to decrypt and validate using the specified keystores...

Does that help?

regards!

/Ole
SmartBear Stockholm


Occasional Contributor

Re: Web Services - WS Security (Decryp and Sig) for response

Thanks for your reply.

From Outgoing WS-Security Configurations tab, I see options for setting security for Encryption and Signature where I can specify which keys to use for encryption and signing the message.

However, for the Incoming WS-Security Configurations tab, I only see an option for specifying the key store; there is no option to specify the keys. See screen shot 1. So for decryption, even if we specify the keystore that needs to be used for decryption and signature validation, how will we specify which keys are to be used for decryption and signature validation?

In our case, we have only one keystore with two keys: Key1 (our private key) and Key2 (web service provider public key). For Outgoing we use Key1 for signing and Key2 for encryption. For Incoming, we want to specify the use of Key1 for decryption and Key2 for signature verification. Any documentation/suggestions on how to accomplish this?
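
The key roles for the incoming (response) leg discussed above, shown with plain `openssl` as an added example; it is not part of the original thread and does not configure SoapUI. The party names `consumer` and `service`, the generated keys and the payload are constructed: `consumer.key` plays the role of Key1 and `service.pub` the role of Key2.

```shell
#!/bin/sh
# Added illustration (constructed keys and payload), not SoapUI configuration.
# Simplification: real WS-Security signs XML and wraps a symmetric session key;
# here a short payload is RSA-OAEP encrypted and the ciphertext is signed directly.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gen_keypair() {  # $1 = party name (hypothetical: consumer, service)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}

# Sender: encrypt with the recipient's public key, sign with own private key.
protect() {  # $1 = sender, $2 = recipient, $3 = plaintext
  printf '%s' "$3" > "$WORK/plain"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/$2.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/plain" -out "$WORK/msg.enc"
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/msg.sig" "$WORK/msg.enc"
}

# Receiver: verify with the sender's public key, decrypt with own private key.
unprotect() {  # $1 = claimed sender, $2 = recipient
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$WORK/msg.sig" \
    "$WORK/msg.enc" >/dev/null 2>&1 || { echo SIGNATURE_INVALID; return 1; }
  openssl pkeyutl -decrypt -inkey "$WORK/$2.key" -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/msg.enc" 2>/dev/null || { echo DECRYPT_FAILED; return 1; }
}

gen_keypair consumer
gen_keypair service
protect service consumer '<Response>ok</Response>'   # the response leg
echo "correct keys:       $(unprotect service consumer)"
echo "wrong verify key:   $(unprotect consumer consumer)"
echo "wrong decrypt key:  $(unprotect service service)"
```

Signature verification needs only the sender's public key, while decryption needs the receiver's private key, so the two operations draw on different kinds of keystore entry.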

Re: Web Services - WS Security (Decryp and Sig) for response

Hi,

hmm.. I guess you would have to create and add two separate keystores each containing the desired keys...!?

regards,

/Ole
SmartBear Stockholm


Occasional Contributor

Re: Web Services - WS Security (Decryp and Sig) for response

It's not a good idea to have one key store for every key. However, for testing I tried to do what you said. So I made two copies of the keystore. From first I deleted the client's public key and from second I deleted the provider's private key.

Then I added the keystores to SoapUI. It added the store with private key but when I added the store that only had the public key, SoapUI complained that <error: java.security.KeyStoreException: No private keys found in keystore!>.

Please advise.

I want to provide some more information like screen shots etc. but I can't do that here as this is an open forum. Can you please provide me your email address so I can email you those? Also, if you can provide a phone number then it will help to resolve this issue faster. This process is taking a lot of time.
Occasional Contributor

Re: Web Services - WS Security (Decryp and Sig) for response

SOAPUI Support team -

Any suggestions?
New Contributor

Re: Web Services - WS Security (Decryp and Sig) for responses

Have you found the solution? I'm also facing the same issue 
