WSO2 Test API across https with certificate having password - wso2

My API server runs over https with a custom certificate with a password. When I configure WSO2 API manager to use my API server, I am unable to provide the password. With Postman things work, but I am unable to make API manager work. Below is the error when I hit the test button.
[2018-04-16 17:58:15,904] ERROR - APIProviderHostObject Error occurred while connecting to backend : https://localhost:8443/ABC/rest/searches, reason : peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
When I load the certificate, I get the below error
[2018-04-16 18:19:20,905] ERROR - CertificateMgtUtils Error loading certificate.
java.security.cert.CertificateParsingException: signed fields invalid
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1791)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
at org.wso2.carbon.apimgt.impl.utils.CertificateMgtUtils.addCertificateToTrustStore(CertificateMgtUtils.java:85)
at org.wso2.carbon.apimgt.impl.certificatemgt.CertificateManagerImpl.addCertificateToParentNode(CertificateManagerImpl.java:51)
at org.wso2.carbon.apimgt.impl.APIProviderImpl.addCertificate(APIProviderImpl.java:5070)
at org.wso2.carbon.apimgt.impl.UserAwareAPIProvider.addCertificate(UserAwareAPIProvider.java:43)
at org.wso2.carbon.apimgt.hostobjects.APIProviderHostObject.jsFunction_uploadCertificate(APIProviderHostObject.java:5076)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
at org.jaggeryjs.rhino.publisher.modules.api.c3._c_anonymous_11(/publisher/modules/api/add.jag:254)
at org.jaggeryjs.rhino.publisher.modules.api.c3.call(/publisher/modules/api/add.jag)
at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)

Related

How to disable ThrottlingConfigurations from deployment.toml in WSO2 3.0.0

I am configuring an Apache DS user store in WSO2 3.0.0. I have given all the user store configuration in the deployment.toml file, but while starting the server it gives the below error. After searching that looks like this error is coming as is enable in api-manager.xml, but I am not able to disable it from deployment.toml. Can anyone help me with the configuration I should provide in deployment.toml to make it disabled? Also, from the error log it seems like the server is also searching for JMS, which is not enabled. Please help me with this also. Error given below:
[2020-01-28 18:39:57,261] WARN - DataEndpointGroup No receiver is reachable at reconnection, will try to reconnect every 30 sec
[2020-01-28 18:39:57,263] INFO - DataBridge user admin connected
[2020-01-28 18:39:57,269] ERROR - AuthenticationServiceImpl Invalid User : admin
[2020-01-28 18:39:57,270] ERROR - DataEndpointConnectionWorker Error while trying to connect to the endpoint. Cannot borrow client for ssl://<local_machine_ip>:9711.
org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Cannot borrow client for ssl://<local_machine_ip>:9711.
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:145) ~[org.wso2.carbon.databridge.agent_5.2.12.jar:?]
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.run(DataEndpointConnectionWorker.java:59) [org.wso2.carbon.databridge.agent_5.2.12.jar:?]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_112]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Error while trying to login to data receiver :/<local_machine_ip>:9711
at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:50) ~[org.wso2.carbon.databridge.agent_5.2.12.jar:?]
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:139) ~[org.wso2.carbon.databridge.agent_5.2.12.jar:?]
... 6 more
Caused by: org.wso2.carbon.databridge.commons.exception.AuthenticationException: org.wso2.carbon.identity.authentication.AuthenticationException: Invalid User : admin
at sun.reflect.GeneratedConstructorAccessor269.newInstance(Unknown Source) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:1.8.0_112]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_112]
at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryEventSender.processResponse(BinaryEventSender.java:163) ~[org.wso2.carbon.databridge.agent_5.2.12.jar:?]
at org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:44) ~[org.wso2.carbon.databridge.agent_5.2.12.jar:?]
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:139) ~[org.wso2.carbon.databridge.agent_5.2.12.jar:?]
... 6 more
Please note: I am running WSO2 3.0.0 on a local Windows machine for a POC.
Thanks,
Surodip
This is the configuration to disable data publishing to the traffic manager, and the JMS listener.
[apim.throttling]
enable_data_publishing = false
enable_decision_connection = false

WSO2 EI 6.0 non blocking local transport

I've been following this link from the WSO2 documentation in order to enable non-blocking local transport for my project, but after restarting the server I'm unable to log in to the management console.
In the console, I have the following error output:
[2017-04-18 11:55:56,039] [] INFO - HTTPSender Unable to sendViaPost to url[https://10.1.2.68:9443/services/AuthenticationAdmin]
java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649)
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:193)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:659)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:195)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
...
Can anyone shed light on what is wrong with my configuration? I have followed the doc instructions step by step.
There were some port issues in EI 600 and please use EI 610 [1]. It is working properly with the local transport scenario. And please use these documentations [2, 3], as EI has some directory changes.
[1] https://docs.wso2.com/display/EI610/About+this+Release
[2] https://docs.wso2.com/display/EI610/Local+Transport
[3] https://docs.wso2.com/display/EI610/Sample+268%3A+Proxy+Services+with+the+Local+Transport

WSO2-APIM/IS How to make custom authenticator load after JNDI component

I am writing a custom authenticator which needs to look up a datasource from JNDI at startup. I got a NameNotFoundException error during startup:
[2017-02-25 12:01:39,071] [Component Resolve Thread] ERROR {com.kbank.carbon.identity.authenticator.KBankAuthenticator} - Exception while looking up datasource[jdbc/API_SERVICE_DB]
javax.naming.NameNotFoundException: Name [jdbc/API_SERVICE_DB] is not bound in this Context. Unable to find [jdbc].
at org.apache.naming.NamingContext.lookup(NamingContext.java:819)
at org.apache.naming.NamingContext.lookup(NamingContext.java:167)
at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.lookup(CarbonContextDataHolder.java:709)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at com.kbank.carbon.identity.authenticator.KBankAuthenticator.getDataSource(KBankAuthenticator.java:478)
at com.kbank.carbon.identity.authenticator.KBankAuthenticator.<clinit>(KBankAuthenticator.java:79)
at com.kbank.carbon.identity.authenticator.internal.KBankAuthenticatorServiceComponent.activate(KBankAuthenticatorServiceComponent.java:23)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:345)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
at org.eclipse.equinox.internal.ds.Resolver.buildNewlySatisfied(Resolver.java:473)
at org.eclipse.equinox.internal.ds.Resolver.enableComponents(Resolver.java:217)
at org.eclipse.equinox.internal.ds.SCRManager.performWork(SCRManager.java:816)
at org.eclipse.equinox.internal.ds.SCRManager$QueuedJob.dispatch(SCRManager.java:783)
at org.eclipse.equinox.internal.ds.WorkThread.run(WorkThread.java:89)
at java.lang.Thread.run(Thread.java:745)
I looked up the data source using following code.
DataSource dataSource = (DataSource) new InitialContext().lookup(dsName);
If I move this code out of the static block/constructor and put it inside a method, it works fine.
I think it is because my custom authenticator was loaded before the JNDI (or JDBC) features. How can I make my custom authenticator look up the datasource from JNDI during startup?
Thank you very much.

Handshake exception in java webservice client

I am trying to implement a web client for a secure https connection. I imported the server certificates and added them to the Java keystore, but when I try to run the client I get the following exceptions:
Oct 18, 2013 3:25:25 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://tempuri.org/}Service#{http://tempuri.org/}GetUserInformation has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
at $Proxy29.getUserInformation(Unknown Source)
at org.tempuri.ServiceSoap_ServiceSoap_Client.main(ServiceSoap_ServiceSoap_Client.java:78)
Caused by: java.io.IOException: IOException invoking myurl/**/**/asmx: The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore. Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
... 9 more
Caused by: java.io.IOException: The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore. Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1241)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295)
... 12 more
Exception in thread "main" javax.xml.ws.WebServiceException: Could not send Message.
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
at $Proxy29.getUserInformation(Unknown Source)
at org.tempuri.ServiceSoap_ServiceSoap_Client.main(ServiceSoap_ServiceSoap_Client.java:78)
Caused by: java.io.IOException: IOException invoking myurl/**/**/asmx: The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore. Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
... 2 more
Caused by: java.io.IOException: The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore. Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1241)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295)
Can someone help me with this. Thanks in advance...
Depending on the type of CXF client, you have two options. If you have a Spring-based client configuration, you have to add an attribute to your http:conduit configuration:
<http:conduit name="{http://apache.org/hello_world_soap_http}SoapPort.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <!-- other tls configuration parameters, like trustManagers -->
    </http:tlsClientParameters>
</http:conduit>
name has to match the namespace and port name from your WSDL.
If you create your client programmatically, then use the following code:
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Fetch the HTTP conduit behind the generated client proxy
HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
TLSClientParameters tlsCP = new TLSClientParameters();
// other TLS/SSL configuration like setting up TrustManagers
tlsCP.setDisableCNCheck(true); // skips the hostname-vs-certificate check
httpConduit.setTlsClientParameters(tlsCP);
where port is the actual client proxy that you call.
Both options can be found working in CXF example that I modified here
BTW. There is a real threat in using this property on production environment, so please consider issuing new certificate with correct CN for production server instead of depending on this hack.
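A hardened counterpart to the programmatic snippet above, as an added example that is not part of the original answer or of CXF's own samples: it leaves the hostname check enabled and trusts only the certificates in a dedicated truststore. The class name, method names and the truststore path and password parameters are assumptions; trustedNames lists each trusted certificate's subject and SAN entries so they can be compared with the host in the service URL.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Added example; class, method and parameter names are hypothetical.
public final class VerifiedConduit {

    // Load the truststore that holds the server (or issuing CA) certificate.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    // List subject DN and SAN entries of every trusted X.509 certificate.
    // A CN-mismatch error means the URL host matches none of these names.
    static List<String> trustedNames(KeyStore ks) throws Exception {
        List<String> names = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            names.add(alias + " subject=" + x509.getSubjectX500Principal().getName());
            Collection<List<?>> sans = x509.getSubjectAlternativeNames();
            if (sans == null) {
                continue; // certificate carries no SAN extension
            }
            for (List<?> san : sans) {
                // Each entry is [type, value]; type 2 is dNSName, 7 is iPAddress.
                names.add(alias + " san[" + san.get(0) + "]=" + san.get(1));
            }
        }
        return names;
    }

    // Configure the CXF conduit with the custom trust anchors and the
    // hostname check left on.
    static void configure(Object port, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        TLSClientParameters tlsCP = new TLSClientParameters();
        tlsCP.setTrustManagers(tmf.getTrustManagers());
        tlsCP.setDisableCNCheck(false); // keep hostname verification

        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
        conduit.setTlsClientParameters(tlsCP);
    }
}
```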

wso2 getting org.apache.rampart.RampartException: Unsupported SignedSupportingToken

We are trying to do a poc in wso2 esb to invoke our BE service which is ws-security enabled. We have setup a pass thru proxy in wso2 and configured the endpoint according to www.soasecurity.org. However, we keep getting the below error when trying to use the pass thru proxy. Please advise if we are doing anything wrong...
ERROR - Axis2Sender Unexpected error during sending message out
org.apache.axis2.AxisFault: Unsupported SignedSupportingToken : "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IssuedToken"
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:481)
at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:57)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:342)
at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:329)
at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:59)
at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:173)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:404)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:184)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Caused by: org.apache.rampart.RampartException: Unsupported SignedSupportingToken : "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IssuedToken"
at org.apache.rampart.builder.TransportBindingBuilder.build(TransportBindingBuilder.java:103)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:140)
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
... 20 more
What is the security policy you are using to secure the BE service?
Seems like the ESB cannot understand the security policy that is being used for the BE service.
Follow the blog and you will be able to resolve your concern.
Manisha