
X.509 Cert Failing Triple AAA

Occasional Contributor

X.509 Cert Failing Triple AAA

Calling a service hosted on an XI50 box. The service is secured by an X.509 public cert; I can import the keystore and have defined the signature for the within the keystore. It fails AAA every time.

I have started SOAPUI with Sun and IBM's JSSE and it doesn't make a difference.

I took a look between a WAS app that makes the call and gets through and SOAPUI, and the major difference seems to be the Value Type. The messages that work have X509v3 as the valueType.



#1 Could that be the issue, and is there a way to modify this type?
#2 What else could it be?

Very frustrated.. Please help.
Occasional Contributor

Re: X.509 Cert Failing Triple AAA

Are you using the Verify step in datapower to secure the messages, or an AAA step?

What's the actual error DP gives you?

The verify step is pretty flexible - you can try a different signature type. We generally use Subject Key Identifier.

If you have a requirement to use BST, though, that doesn't help much.
Occasional Contributor

Re: X.509 Cert Failing Triple AAA

It is failing in the AAA step.. Attached is a dump from DP.

We do not have a requirement for BinaryToken, but other apps using WAS and JUNIT have the message working with BT (see good messages below).

I have attached a message from another application that is working correctly.

I have also submitted this to the IBM DataPower team and have received the following response:
There is one known issue with SOAPUI and DP, and above information will help us confirm if we are encountering the same problem.
This known issue occurs when the HTTP header Content-Type has params whose values are not double-quoted.
Popular tools such as SoapUI automatically generate Content-Type headers w/o the double-quotes, which causes requests to fail in DataPower.
The device adheres to RFC 822.

I did check the raw log for SOAP UI and nothing did seem to be double-quoted. I don't believe this has anything to do with the AAA.
But how would I modify the content to be double-quoted to eliminate these concerns?

Super Contributor

Re: X.509 Cert Failing Triple AAA

Hi!

well, I can easily add an option to quote the Content-Type header if that would help!?

regards,

/Ole
eviware.com
Super Contributor

Re: X.509 Cert Failing Triple AAA

Hi Mark,

the 2.5-beta1 should correctly detect the valuetype to be X509v3, could you try it out to see if it works better?

regards!

/Ole
eviware.com
Occasional Contributor

Re: X.509 Cert Failing Triple AAA

Still seems to be using the same value type.

ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"

Attached is the raw message as sent, which failed AAA.

Also running the newest beta copy, and the type is still not double-quoted as mentioned above.
   
Occasional Contributor

Re: X.509 Cert Failing Triple AAA

Any update to this topic???

This still did not apply when using the beta 1 build.

Your Comments
the 2.5-beta1 should correctly detect the valuetype to be X509v3, could you try it out to see if it works better?

regards!

/Ole
eviware.com
Super Contributor

Re: X.509 Cert Failing Triple AAA

Hi Mark,

no comments yet, I need to create a v3 certificate and debug into the wss4j code to see why this is going wrong.. sorry for the delay..

regards!

/Ole
eviware.com
Occasional Contributor

Re: X.509 Cert Failing Triple AAA

I have just a test self-signed cert that I can send to you if that would help.
Super Contributor

Re: X.509 Cert Failing Triple AAA

Hi!

please do, it would save me some time.. (ole@eviware.com)

regards!

/Ole
eviware.com
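
The two suspects raised in this thread (unquoted Content-Type parameters and a BinarySecurityToken ValueType other than X509v3) can be checked on a captured request before it reaches the appliance. The following is an added example, not code from the thread, SoapUI or DataPower; the function names are hypothetical and the sample request is constructed.

```python
import re
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
EXPECTED = X509_PROFILE + "#X509v3"  # ValueType reported in the thread for the working messages

# name=value pairs after the media type; value is a quoted-string or a bare token
PARAM = re.compile(r';\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')

def unquoted_params(content_type):
    """Names of Content-Type parameters whose values are not double-quoted."""
    return [n for n, v in PARAM.findall(content_type) if not v.startswith('"')]

def quote_params(content_type):
    """Rewrite the header so that every parameter value is a quoted-string."""
    def fix(m):
        name, value = m.group(1), m.group(2).strip()
        if not value.startswith('"'):
            value = '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'
        return "; %s=%s" % (name, value)
    return PARAM.sub(fix, content_type)

def token_value_types(soap_xml):
    """ValueType of every wsse:BinarySecurityToken in the envelope (your own capture)."""
    root = ET.fromstring(soap_xml)
    return [t.get("ValueType") for t in root.iter("{%s}BinarySecurityToken" % WSSE)]

def diagnose(content_type, soap_xml):
    findings = []
    for name in unquoted_params(content_type):
        findings.append("Content-Type parameter %r is not double-quoted" % name)
    for vt in token_value_types(soap_xml):
        if vt != EXPECTED:
            findings.append("BinarySecurityToken ValueType is %r, expected #X509v3"
                            % (vt or "").rsplit("#", 1)[-1])
    return findings

# Constructed sample request (not the attachment from the thread).
SAMPLE_CT = 'text/xml;charset=UTF-8'
SAMPLE_XML = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header><wsse:Security xmlns:wsse="%s">
  <wsse:BinarySecurityToken ValueType="%s#X509PKIPathv1">AAAA</wsse:BinarySecurityToken>
 </wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>""" % (WSSE, X509_PROFILE)

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_CT, SAMPLE_XML)))
    print(quote_params(SAMPLE_CT))
```

A clean result only rules out these two differences from the working client; it does not show which one the AAA step is rejecting.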