
Rampart: signing a SOAP message using a private key/certificate fails

Stack Overflow user
Asked on 2017-03-23 12:12:21
Answers: 1  Views: 307  Followers: 0  Votes: 0

We are running a WSO2 ESB 5.0 server. We want to create a service that converts a plain SOAP message into a signed version and passes it on to an endpoint.

We are getting this message:

Caused by: org.apache.ws.security.WSSecurityException: General security error (No certificates for user wso2carbon were found for signature)

Why am I getting this message? I don't understand what it means.

Update: I figured it out. The user in the Rampart config should be the alias of the key you want to sign with, and the password handler should return the password for that alias's key.

The Synapse (WSO2 ESB) service is:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="__mke_siging_out"
       startOnLoad="true"
       statistics="disable"
       trace="disable"
       transports="https">
   <target>
      <inSequence>
         <send>
            <endpoint>
               <address uri="http://foo.bar.host/services/default/Echo/echo_client_ep">
                  <enableSec policy="gov:/policies/__mke_sign_out.xml"/>
               </address>
            </endpoint>
         </send>
      </inSequence>
      <outSequence>
         <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                 action="remove"
                 name="wsse:Security"
                 scope="default"/>
         <send/>
      </outSequence>
      <faultSequence/>
   </target>
   <description/>
</proxy>
```

The plugin configuration points to a JKS keystore in which the private/public certificate is loaded, protected by a password:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigOnly">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference />
                                    <sp:WssX509V3Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference />
                                    <sp:WssX509V3Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256 />
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict />
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp />
                    <sp:OnlySignEntireHeadersAndBody />
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Policy>
                    <sp:MustSupportRefKeyIdentifier />
                    <sp:MustSupportRefIssuerSerial />
                </sp:Policy>
            </sp:Wss10>
            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body />
            </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
    <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
        <rampart:user>wso2carbon</rampart:user>
        <rampart:passwordCallbackClass>nl.rsg.it.igw.passwordcallback.Handler</rampart:passwordCallbackClass>
        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
        <rampart:timestampTTL>300</rampart:timestampTTL>
        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
        <rampart:timestampStrict>false</rampart:timestampStrict>
        <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
        <rampart:encryptionCrypto>
            <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
                <rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
                <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
            </rampart:crypto>
        </rampart:encryptionCrypto>
        <rampart:signatureCrypto>
            <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
                <rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
                <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                <rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
            </rampart:crypto>
        </rampart:signatureCrypto>
    </rampart:RampartConfig>
</wsp:Policy>
```

1 Answer

Stack Overflow user

Posted on 2017-03-24 07:42:24

I figured it out: the user in the Rampart config should be the alias of the key you want to sign with, and the password handler should return the password for that alias's key.

Votes: 0
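A password callback handler of the kind the answer describes, added here as an example (it is not the poster's `nl.rsg.it.igw.passwordcallback.Handler`): Rampart hands it the alias configured in `<rampart:user>` and expects back the password of that key, so the handler must recognise the signing alias. The alias `myAlias` comes from the question's crypto properties; the environment-variable scheme for the password is an assumption.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Added example of a Rampart (WSS4J 1.x) password callback. Rampart asks this
 * handler for the password of the key whose alias is set in <rampart:user>,
 * so the handler must recognise that alias and answer with its key password.
 */
public class SigningPasswordCallbackHandler implements CallbackHandler {

    // Alias of the signing key inside myPrivate.jks; must equal <rampart:user>.
    // "myAlias" is taken from the crypto properties in the question's policy.
    private static final String SIGNING_ALIAS = "myAlias";

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            int usage = pwcb.getUsage();
            String alias = pwcb.getIdentifier();
            if (usage != WSPasswordCallback.SIGNATURE && usage != WSPasswordCallback.DECRYPT) {
                // UsernameToken and other usages are not used by this signing proxy.
                continue;
            }
            // Only answer for the alias we actually own. Answering for an unknown
            // alias (e.g. "wso2carbon" when the key is stored under "myAlias")
            // would not help: Rampart still cannot find a certificate for it.
            if (SIGNING_ALIAS.equals(alias)) {
                pwcb.setPassword(keyPasswordFor(alias));
            }
        }
    }

    // Reads the key password from an environment variable instead of hard-coding
    // it. The variable name scheme (KEY_PASSWORD_<alias>) is an assumption.
    private static String keyPasswordFor(String alias) throws IOException {
        String password = System.getenv("KEY_PASSWORD_" + alias);
        if (password == null || password.isEmpty()) {
            throw new IOException("no key password configured for alias " + alias);
        }
        return password;
    }
}
```

With this handler, `<rampart:user>` in the policy must be `myAlias` (the alias in the crypto properties), not `wso2carbon`.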
The original page content is provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/42975681
