I am up to tuning TLS ciphers for my application that runs on Jetty-9 server and OpenJDK 1.8.0_u212 and have the following question.
I have retained all the default Java's security settings (java.security file under ${JRE_HOME}/lib/security); and I use BouncyCastleFIPS provider in FIPS mode. And SunJSSE in FIPS mode (parameterized to use BCFIPS as the provider).
I also have a self-signed RSA 2048-bit certificate attached to my server port. (signature algorithm = sha256RSA).
And I limit my app only to use TLS1.2 protocol and exclude some weak ciphers with these settings in jetty-ssl-context.xml:
<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>.*DES.*</Item>
<Item>.*RC4.*</Item>
<Item>.*MD5.*</Item>
<Item>.*DSS.*</Item>
</Array>
</Set>
<Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv2</Item>
<Item>SSLv3</Item>
<Item>TLSv1</Item>
<Item>TLSv1.1</Item>
</Array>
</Set>
The selected cipher suites after resolving for include/exclude settings is this (dump from after the server starts) –
[java] 2019-08-23 10:39:46.589+0100 DEBUG o.e.j.u.s.SslContextFactory - Selected Ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] of [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
In summary, there are 37 ENABLED ciphers out of 43 SUPPORTED ciphers.
Of the 37, there are:
12 x TLS_RSA.* / TLS_ECDHE_RSA.*
12 x TLS_ECDH_RSA.* / TLS_DHE_RSA.*
01 x EMPTY_RENEGOTIATION_INFO_SCSV
However, when I scan the server port with openssl s_client, I find only the following 12 ciphers TLS_RSA.* / TLS_ECDHE_RSA. that shows up. I gather that the certificate Au algorithm plays a role in selection of ciphers - which in this case selects RSA. over .ECDSA..
Rest are missing. Notably, I am interested in the TLS_DHE_RSA.* which are not coming through.
A. Would someone be able to tell me why? I suspect there are additional layers of filtering that happens which are not apparent here. Jetty dump after start doesnt print the detials when FIPS mode is enabled. (for reasons unknown)
B. And how to get those missing ciphers enabled on the wire? Specifically the TLS_DHE_RSA.*
Much appreciate your insights.
root#hostname:~# cat test.sh
for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
openssl s_client -connect $host:$port\
-cipher $c -tls1_2 < /dev/null > /dev/null 2>&1 && echo -e "\t$c"
done
root#hostname:~# ./test.sh
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA
I was able to solve for this and get all the desired ".DHE_." by setting this property in java.security file.
-Djdk.tls.ephemeralDHKeySize=2048
This property can also be injected via call to System.setProperty() in application code or via JVM args.
The reason was that my providers BC were set to operate in FIPS mode which requires a minimum DH Ephemeral key size of 2048 bits.
This is my WS-Security configuration with SoapUI
Server Keystore - contains server's private key + server's public key + Client's public key
Client Keystore - contains client's private key + client's public key + server's public key
2.WS-Security Configuration – Keystore
Source: path to client keystore
Password - client keystore password
and
Source: path to server keystore
Password - server keystore password
Outgoing WS-Security Configuration
*Encryption
Keystore - server keystore
Alias - alias of server's public key
Password - Empty (no password required for public key)
Key Identifier Type - X.509
Parts - Name:Body, Namespace:http://schemas.xmlsoap.org/soap/envelope/, Encode:Content
*Signature
Keystore - client keystore
Alias - alias of client's private key
Password - password of client's private key
Key Identifier Type - X.509
Parts - Name:Body, Namespace:http://schemas.xmlsoap.org/soap/envelope/, Encode:Element
Ingoing WS-Security Configuration
Decrypt Keystore - client keystore
Signature Keystore - server keystore
Password - password of client's private key
Applying the ws-security
But the following exception is thrown:
19:17:35,494 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-3) Interceptor for {http://soap.aaa.com/}HelloWorldService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:216)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:329)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:184)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:79)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:108)
at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134)
at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: BSP:R5424: Any ENC_KEY_INFO MUST have exactly one child element
at org.apache.wss4j.common.bsp.BSPEnforcer.handleBSPRule(BSPEnforcer.java:56)
at org.apache.wss4j.dom.processor.ReferenceListProcessor.checkBSPCompliance(ReferenceListProcessor.java:231)
at org.apache.wss4j.dom.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:151)
at org.apache.wss4j.dom.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:103)
at org.apache.wss4j.dom.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:67)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:344)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:280)
... 42 more
And These are the raw type of soapmessage
POST http://localhost:8080/SOAPSecurityWeb/HelloWorld HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 4354
Host: localhost:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:soap="http://soap.aaa.com/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:DataReference URI="#ED-762310919C4F29F7D9146737020258012"/></xenc:ReferenceList><ds:Signature Id="SIG-762310919C4F29F7D9146737020256711" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="soap soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-762310919C4F29F7D9146737020256710"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>CQMC6AlBzVr4GlcwEgCTuaLepn4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>TuzMIyUtSxayHLjfq0TGEEsVXkJdwpL+MGSwwuSQF+9J2t8brCkRvLlNGNvypsORlIPCXPwnxrYG
iFebfSFkIx2hke+Jt9/rRc6stg/iBfeVUrXPn0frOTyi3c7VNZpQIRv7+YE21XXuzxLqMNNoejb4
lDiFnc0VmnNU6GvM/WBf5FXhxr+E2amGcpYbi2yOKMe8pfsj5sRTDUWLkjt4qYU3LmnRpl3kYg8j
ZIF9CgryM5phxrTm18baYwZOWf2whdhNxkd6iEBt/+OMF+uVuW4YStxzKINaR2lSdHquFef3FheA
993frgWKXz8s63nLBLjJXXfLskqhdZdLj7s8Zg==</ds:SignatureValue><ds:KeyInfo Id="KI-762310919C4F29F7D914673702025678"><wsse:SecurityTokenReference wsu:Id="STR-762310919C4F29F7D914673702025679"><wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIDazCCAlOgAwIBAgIEJaiHjTANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLUjESMBAGA1UECBMJS3lvdW5nTmFtMQ4wDAYDVQQHEwVQdXNhbjESMBAGA1UEChMJTXkgZmFtaWx5MQwwCgYDVQQLEwNERVAxETAPBgNVBAMTCEppbmEgS2ltMB4XDTE2MDUxNTA3MTIyOVoXDTE2MDgxMzA3MTIyOVowZjELMAkGA1UEBhMCS1IxEjAQBgNVBAgTCUt5b3VuZ05hbTEOMAwGA1UEBxMFUHVzYW4xEjAQBgNVBAoTCU15IGZhbWlseTEMMAoGA1UECxMDREVQMREwDwYDVQQDEwhKaW5hIEtpbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIb7rclNqyRSJDuKBYNqO+I50Lf7AK/ccZgXePGsDVCA5QVmimQgPdvW9fILdJ13rNGyC06BexDC6lGpfhE6Bu3Arz5EkydQKKDWsa3hcY/EuyAK2blr9BAfOHz9wBaWtc3ro1p3gZBaVBPkA6q9DHJjFIHVeKjbzK0m8ipGiXpYcL4B/Nexac7W60n6dVPK5hoa5769ZI7oqN/n2DJNw8HGxbZMAjBvqegvtAkx3qGXPbdNmpEoS8Jd72Tg0KKlbmxUoG2p5ol+urSbKAeyq45+loINN1uIjcVGHvJfVCy3pQSkfaS7eXwbReFa2ok7GMywwGxamT1H6xTIYdHCdKsCAwEAAaMhMB8wHQYDVR0OBBYEFLkqHMaCP8EXbZTkaByzh9bH9vMFMA0GCSqGSIb3DQEBCwUAA4IBAQBj1Lovsj/AGirxDd6cBqTR25c9lDGB8vBlkfHxusL/L/AVYkiNKJR72GrK3PP+w0eblmfBqGYXaOeBIvW+KqOOUWiWIaSsOQUpzOUUqvvIvmdya8s8PhAcI8nYD50SdRCjUq9SXaSxZSQ9hZ87OFBQ5icXhHS4CCjZ8Jh46rZvrBL7tZbKDhVz5LwCtGgAkgq3/rcf2W6gKFYU4g1+KEB+4+57HBuPtGkbjSwaj5oFvv7+sTyJvdxvRBvTh2UEEEK1QtCMtQULGYjb4imOwHQbSM/UKtRgRVFcOnVzx34Pvib06PX0aNuW2AWEu+G/IJ4sS5KYvLujM+wxraxH1Ad1</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-762310919C4F29F7D9146737020256710" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptedData Id="ED-762310919C4F29F7D9146737020258012" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/><xenc:CipherData><xenc:CipherValue>driG0+hdn4kuBUL545mLKBioB7Cm57Bm0XwyVjkBV8f0VcxPUu4OqkHtRaJYv6MIhmEDDfYiLm5Y2JaijNh7WQnAzWkhh/gfyoXJ4XzVDSOlUPZ1+C4kFgF24zmPHsLhl4oUiLWCDJ3cuAsDNRRzHSHI3T9ONYX9RbekAUwvKFspsAIbYE3YXQuNr7Ux/9GySNxIwBwnd50VvjLaqGNseeBDDAJyKrgSg2REqk9v8IJfh6ue0haLVIMF/xCIO+Qsgvwcpyd5/emSqbXkaFx+d9OCLFgKNs+sTHHy1BybfElsOIamLU9TEdD2PSVP7Frf3ESR2wOBiz0XWBiT1a/1zkjWCh72jbsFzd48x/FXywKbTlF+s5rhCqhBt6lLctlHRIxN8IpQesMNS/jFpc9A3b6dHOvOSx8y5ex4KWIK/Ms=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body>
</soapenv:Envelope>
HTTP/1.1 500 Internal Server Error
Connection: keep-alive
X-Powered-By: Undertow/1
Server: WildFly/10
Content-Type: text/xml;charset=UTF-8
Content-Length: 299
Date: Fri, 01 Jul 2016 10:50:02 GMT
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode xmlns:ns1="http://ws.apache.org/wss4j">ns1:SecurityError</faultcode><faultstring>A security error was encountered when verifying the message</faultstring></soap:Fault></soap:Body></soap:Envelope>
That's much better than the last try with the stacktrace in the comments :-)
Change the Key Identifier Type for the encryption to Binary Security Token then everything should work.
The reason for the exception is that encryption is done with a symmetric key. You could exchange this key over a secure second channel or (most often) it is encrypted with the clients public key and attached to the request. To get this behaviour in SopaUI you have to change the key identifier type to the mentioned value.
UPDATE
To make this work you have to save your changes with "save all" and close and reopen the request window as SoapUI is sometimes a little bit "lazy" about reloading configuration changes. Check the "Raw"-tab of the request to see if your changes have been applied. If not: restart the whole SoapUI and verify that the settings for the Key Identifier Type are still Binary Security Token.
UPDATE 2
Be sure that the option "Indicates wether to encrypt the symmetric key into an EncryptedKey or not" is checked. Otherwise you will still have an empty KeyInfo-Element.
And change your encryption back to "Content". Encrypting the whole body-element compared to the body-content is seldom preferable.
I'm getting the error in gradle test code. An exception is being generated on this line of code: account.setAccountNumber(encryptor.encrypt("999999999")).
This post may be related:
What is the correct way to configure a spring TextEncryptor for use on Heroku
com.distributedfinance.mbi.bai.lookup.AccountLookupSpec > constructor missing encryptor FAILED
19:05:00.431 [DEBUG] [TestEventLogger] java.lang.IllegalArgumentException: Unable to initialize due to invalid secret key
19:05:00.431 [DEBUG] [TestEventLogger] at org.springframework.security.crypto.encrypt.CipherUtils.initCipher(CipherUtils.java:110)
19:05:00.431 [DEBUG] [TestEventLogger] at org.springframework.security.crypto.encrypt.AesBytesEncryptor.encrypt(AesBytesEncryptor.java:65)
19:05:00.431 [DEBUG] [TestEventLogger] at org.springframework.security.crypto.encrypt.HexEncodingTextEncryptor.encrypt(HexEncodingTextEncryptor.java:36)
19:05:00.431 [DEBUG] [TestEventLogger] at com.distributedfinance.mbi.bai.lookup.AccountLookupSpec.setup(AccountLookupSpec.groovy:26)
19:05:00.431 [DEBUG] [TestEventLogger]
19:05:00.431 [DEBUG] [TestEventLogger] Caused by:
19:05:00.431 [DEBUG] [TestEventLogger] java.security.InvalidKeyException: Illegal key size
19:05:00.431 [DEBUG] [TestEventLogger] at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1034)
19:05:00.431 [DEBUG] [TestEventLogger] at javax.crypto.Cipher.implInit(Cipher.java:800)
19:05:00.431 [DEBUG] [TestEventLogger] at javax.crypto.Cipher.chooseProvider(Cipher.java:859)
19:05:00.432 [DEBUG] [TestEventLogger] at javax.crypto.Cipher.init(Cipher.java:1370)
19:05:00.432 [DEBUG] [TestEventLogger] at javax.crypto.Cipher.init(Cipher.java:1301)
19:05:00.432 [DEBUG] [TestEventLogger] at org.springframework.security.crypto.encrypt.CipherUtils.initCipher(CipherUtils.java:105)
19:05:00.432 [DEBUG] [TestEventLogger] ... 3 more
I'm running Java 1.8 in IntelliJ Idea
$ gradle -version
------------------------------------------------------------
Gradle 2.3-20141027185330+0000
------------------------------------------------------------
Build time: 2014-10-27 18:53:30 UTC
Build number: none
Revision: f8200ecfed690fe7e2183d60a2afa85069678fa3
Groovy: 2.3.6
Ant: Apache Ant(TM) version 1.9.3 compiled on December 23 2013
JVM: 1.8.0_05 (Oracle Corporation 25.5-b02)
OS: Mac OS X 10.11 x86_64
$ gradle clean build
...
:test
com.distributedfinance.mbi.bai.lookup.AccountLookupSpec > constructor missing encryptor FAILED
java.lang.IllegalArgumentException at AccountLookupSpec.groovy:26
Caused by: java.security.InvalidKeyException at AccountLookupSpec.groovy:26
The exception is in Groovy code:
AccountLookup accountLookup
List<Account> accounts
AccountRepository accountRepository
TextEncryptor encryptor
def setup() {
accountRepository = Mock()
encryptor = Encryptors.text("password", "blahblahbla")
***account.setAccountNumber(encryptor.encrypt("999999999"))***
...
def "constructor missing encryptor"() {
when:
new AccountLookup(null, accountRepository)
then:
IllegalArgumentException e = thrown()
e.getMessage() == "Encryptor is null"
}
I tried debugging this from IntelliJ Idea by setting breakpoints in the Groovy Code (in 'attach' and also 'listen' mode):
$ export GRADLE_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=5005"
$ gradle build
Listening for transport dt_socket at address: 5005
But I never reached my breakpoints.
Any ideas?
Looks like your salt is bad, unless that's just a bad example?
From the docs: https://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/apidocs/org/springframework/security/crypto/encrypt/Encryptors.html
The 2nd arg is a "salt", which is defined as:
salt - a hex-encoded, random, site-global salt value to use to generate the key
Yours is "blahblahbla"... which isn't hex-encoded.
I'm trying to set disableCNCheck to true for my web service. I'm using Grails 2.2.0 with the Cxf Client plugin.
I found this question:
wsdl2java CXF command line error about disableCNCheck option
with this piece of code:
protected void disableCNCheck(Object port) {
Client client = ClientProxy.getClient(port)
TLSClientParameters params = new TLSClientParameters()
params.setDisableCNCheck(true)
HTTPConduit httpConduit = (HTTPConduit) client?.getConduit()
httpConduit?.setTlsClientParameters(params)
}
In which class would this code belong and where would the method be called? Is there a configuration parameter for the Cxf Client plugin that I could set instead?
Instead of the code you can achieve the disableCNCheck by adding the below xml config to grails-app/conf/spring/resources.xml [ Grails 2.2.3 , cxf-client plugin 1.6.1
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
">
<http:conduit name="*.http-conduit">
<http:tlsClientParameters disableCNCheck="true" />
</http:conduit>
</beans>
I have a secure web service (message authentification over ssl) bundeled in a war and I'm trying to use jdbcRealm to authentificate the user.
The jdbcRealm work fine with other ear apps but not for this .war
Actually glassfish is still using the fileRealm despite the configuration done in the web.xml
web.xml:
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Area</web-resource-name>
<url-pattern>/xoxoServer/secondWS/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<!--<auth-constraint>
<role-name>EMPLOYEE</role-name>
</auth-constraint>-->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>my_realm</realm-name>
</login-config>
</web-app>
In the console I get this :
FIN: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /secondWS POST)
FIN: JMAC: UnsupportedCallback : javax.security.auth.callback.NameCallback
FIN: JMAC: In PasswordValidationCallback Processor
FIN: jmac login user [test] into realm: file using JAAS module: fileRealm
FIN: Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
FIN: JAAS authentication aborted.
INFO: SEC5046: Audit: Authentication refused for [test].
INFO: SEC1201: Login failed for user: test
How to fix this ?
Thanks.
ps:I'm using Glassfish 3.1.2.2 b5 with jdk6
I solved this by:
packaging the war into an ear
adding the realm in the glassfish-application.xml ( in the ear)