Providing keystore to webService client - eclipse

Hi I have created a web service client in eclipse from wsdl file. But when I try to access the service from client it says.
No SSL configuration available for the endpoint. And then the address of my endpoint.
Please let me know how can I provide ssl configuration through key store to my webservice client.
I have standalone client and keystore provided by the client.
TIA


You can do this by using Apache CXF and set up the client conduit. Refer to the Configuring SSL Support section in this great tutorial.
Hope this helps.


You may start by checking whats there in your keystore:
keytool -list -keystore D:\Tomcat\ukdp.keystore -storepass 123456
A sample of what your conduit definition might look like:-
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
xsi:schemaLocation="
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
<http:conduit name="{http://apache.org/hello_world}HelloWorld.http-conduit">
<http:tlsClientParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password"
file="my/file/dir/Morpit.jks"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="password"
file="my/file/dir/Truststore.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!-- these filters ensure that a ciphersuite with
export-suitable or null encryption is used,
but exclude anonymous Diffie-Hellman key change as
this is vulnerable to man-in-the-middle attacks -->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
<http:authorization>
<sec:UserName>Betty</sec:UserName>
<sec:Password>password</sec:Password>
</http:authorization>
<http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http:conduit>
</beans>
Also I found some Threads which could help you:-
Apache CXF wsdl download via SSL/TLS
Problems accessing a HTTPS Webservice
No SSL configuration is available for endpoint
SSL configuration for fedex web service using command line

Related

Apache Knox for SAML2 authentication keeps using NameIDFormat entity instead of what is configured

I am trying to enable SSO capabilities for Apache Zeppelin, using Apache Knox, which is configured to redirect auth requests to a Siteminder IdP.
The issue I am having is related to the NameID format configuration, and the signing configuration.
No matter what I configure in the sp/idp metadata, the NameID format used is
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
And the requests are always being sent with Signed requests set to true.
My SP configuration is as follows:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"/>
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1" isDefault="true" Location="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"/>
</SPSSODescriptor>
I activated a SAML tracer and attempted the logon user journey. The AuthNRequest being sent to the Siteminder IdP based on this configuration looks like this:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"
Destination="https://test-siteminder.com/test/saml2sso"
ForceAuthn="false"
ID="_yp52mio0oj4ho2niijmnnaikgbkid9tnc5h5ear"
IsPassive="false"
IssueInstant="2020-02-17T10:19:24.279Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="pac4j-saml"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
NameQualifier="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"
>https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client</saml2:Issuer>
I can see a signature value in the Parameters section of the request, which is why I'm assuming that the AuthNRequest is signed (though my understanding of this is minimal, so that could be a wrong assumption!).
Can anyone help explain why the NameIDFormat is coming through as entity, as opposed to unspecified?
Does Apache knox support SAML1 protocols?
Thanks in advance!

You mentioned NameID format to be urn:oasis:names:tc:SAML:2.0:nameid-format:entity in your post but in the code you pasted it is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, just a copy paste error ? Looks like protocolSupportEnumeration is also referencing SAML 1 protocol. Knox uses Pac4J under the hood which does not support SAML 1, this might be the reason.

OKTA(IdP) - Shibboleth(SP) with reverse proxy to Tomcat

I am spinning a big wheel now. please shed some light.
Reverse proxy is working with Apache. So, when I access https://hostname/app/default.html, it opens Tomcat app url. No issue.
The tomcat app currently redirects to https://hostname/app/login.html which has a login box.
1) Do I need to disable UserDatabase on Tomcat server.xml ?
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
2) Is this Shibboleth configuration correct ?
But, when I try configure this with OKTA- Shibboleth(3.0), it's looping OKTA SSO url.
In shibboleth2.xml
<ApplicationDefaults id="default"
entityID="https://hostname/shibboleth-sp"
REMOTE_USER="userid" >
<SSO entityID="http://www.okta.com/~~~~">
OKTA's metadata is downloaded and located with shibboleth2.xml file.
cert is also generated and placed in the same folder.
3) Is this OKTA configuration correct ?
In OKTA widget configuration menu,
- Single sign on url :https://hostname/Shibboleth.sso/SAML2/POST
- recipient url : https://hostname/Shibboleth.sso/SAML2/POST
- destination url :https://hostname/Shibboleth.sso/SAML2/POST
- audience restriction :https://hostname/shibboleth-sp <-- above SP entityID
- default relay state : ??
right now, when I click on the widget on OKTA, it's looping.
https://hostname/Shibboleth.sso/SAML2/POST
contains SAML response.
then, it redirects to OKTA SSO url. It never ends.
https:// xxx.oktapreview.com/app/xx_reverse_proxy_/xxxx/sso/saml?SAMLRequest=~~~&RelayState=~~~
This contains SAML request but it looks like this.
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://hostname/Shibboleth.sso/SAML2/POST"
Destination="https://okta sso/sso/saml"
ID="xx"
IssueInstant="2018-11-02T15:39:24Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://hostname/shibboleth-sp
</saml:Issuer>
<samlp:NameIDPolicy
AllowCreate="1"/>
Is this Issuer url correct? Why is it looping and how to fix ?

Re Q#1: You only need Tomcat users if you're going to protect an application with it, such as the Tomcat manager. Otherwise, no.
Re Q#2: You list <SSO entityID="http://www.okta.com/~~~~"> but Destination="https://okta sso/sso/saml" from the SAML. You might want to check http/https. This is a very common cause of looping. Eliminate any potential http/https inconsistency.
FWIW Issuer looks correct to me... that's what you specify in entityID="https://hostname/shibboleth-sp"

Issue while configuring Kerberos on Websphere Application Server

Team,
I have a question on Single Sign On using Kerberos Authentication.
We have generated a keytab file for the domain like "POC.MAIL.COM" and our server is hosted on "SW.MAIL.COM". As our application runs on Websphere Application Server, we tried to set the Kerberos configuration as given in the document (page no:167)http://www.redbooks.ibm.com/redbooks/pdfs/sg247771.pdf .
We are facing the an error saying that "Cannot get credential for principal service HTTP/server1.SW.MAIL.COM#SW.MAIL.COM". Can someone help me in resolving the issue..?
Please post a comment if any additional information is required..
When I try to set the krb5.conf and keytab file on "Kerberos Authentication Mechanism page", we are getting this error.
When I ran the command klist as per your input, I got the output as below
"Key table: /etc/krb5/pocsso.keytab
Number of entries: 1
[1.] principal: HTTP/server1.sw.mail.com#POC.MAIL.COM
KVNO: 12
"
UPDATE
.
Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1#POC.MAIL.COM
Valid starting Expires Service principal
01/09/2014 16:15 02/09/2014 02:21 krbtgt/POC.MAIL.COM#POC.MAIL.COM
renew until 08/09/2014 16:15

Specify it only on the Global security > SPNEGO web authentication, not on the Kerberos configuration page. If keytab path is correct in your krb5.conf file, it is enough to provide just path to conf file (keytab is optional).
UPDATE
In the filter definition you should have:
Host name: server1.sw.mail.com
Kerberos realm name: POC.MAIL.COM
Filter criteria: yourFilterCriteria
Trim Kerberos realm from principal name - checked
See configuration details here: Enabling and configuring SPNEGO web authentication using the administrative console
Minimal configuration in web.xml for Java EE security. And you have to have Application Security enabled in the server configuration, and mapped userRole to some users/groups from registry.
<security-constraint>
<display-name>constraint</display-name>
<web-resource-collection>
<web-resource-name>all resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>userRole</role-name>
</auth-constraint>
</security-constraint>

A bit of a late answer.
Regenerate the keytab file by running the ktpass command as:
ktpass -out file.keytab -princ HTTP/server1.SW.MAIL.COM#POC.MAIL.COM -mapuser your-user -pass your-pwd -ptype KRB5_NT_PRINCIPAL
Solving the error:
org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Cannot get credential for principal HTTP/appserver.example.com#EXAMPLE.COM
boils downs to the following rules when generating the keytab file:
The principal service must follow the format
<service name>/<fully qualified hostname>#KerberosRealm
Double check the spelling of the principal service
The service name must be all upper case, that is HTTP and not http
The Kerberos realm must also be all upper case, and
The host name must be found in the /etc/host file or the DNS server.
Sources:
http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/usec_kerb_auth_mech.html
http://www.redbooks.ibm.com/redbooks/pdfs/sg247771.pdf (page 477)

How to write the Custom Policy in wso2esb for simple username & passward

I wish to write custom policy .How would i start .
I couldn't find any blogs about that .
My issue is my client has been fixed header request for authentication.So The Username-token authentication scenario is perfect for me .But client unable to send the Proper format request as per the Scenario needed .
Its sending username password in some other format
<soapenv:Header>
<pr:authentication soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0" xmlns:pr="http://webservices.im.com/ProxyService">
<pr:user>mwp</pr:user>
<pr:password>MWp003</pr:password>
</pr:authentication>
</soapenv:Header>
But its not working in wso2 ESB Username-token scenario.Expecting input Header is like this
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-4">
<wsu:Created>2014-06-02T07:15:21Z</wsu:Created>
<wsu:Expires>2014-06-02T08:38:41Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>admin</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">byWKVY4stEATvTqaoNMswQ==</wsse:Nonce>
<wsu:Created>2014-06-02T07:15:21.304Z</wsu:Created>
</wsse:UsernameToken>
</wsse: >
</soapenv:Header
So what is the solution for this how would achieve this.
Thanks in advance.

ESB uses WS-Security specification to secure Web services. Therefore, client need to send messages according to that specification. But in your case, It seems to be your client sending user/password in custom SOAP headers. Then these can not be validated by ESB. There can be two solutions.
You need to modify your client to compliant with WS-Security spec.
You can write some custom handler (axis2 handler) to read custom headers in your message and validate user/password against the user store.
Basically WS-Security messages are also validated by a axis2 handler called Apache Rampart.

SAML 2.0 AuthnRequest AudienceRestriction

During a AuthnRequest, is there a case where the AudienceRestriction
<saml:AudienceRestriction>
<saml:Audience>http://serviceprovider.com/</saml:Audience>
</saml:AudienceRestriction>
would be different from the Issuer in the AuthnRequest
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://serviceprovider.com/acs/web/sso/receiveSamlAuthentication"
Destination="http://idp.net/idp/SSOPOST/metaAlias/realm2/IDP"
ID="http://serviceprovider.com/acsdata/data/AcsConfiguration/821212" IssueInstant="2010-08-20T14:48:27.620Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://serviceprovider.com/</saml2:Issuer>
....
</saml2p:AuthnRequest>

The SAML 2.0 Web Browser SSO Profile (from saml-profiles-2.0-os.pdf:566/577):
The assertion(s) containing a bearer
subject confirmation MUST contain an
AudienceRestriction including the
service provider's unique identifier
as an Audience
So, it seems as though it should always be the case that they are the same, at least to be conformant to the published profile.

Perhaps if you have one login application at one URL, and a "real" application at a different URL? Maybe not common, but hardly impossible; say, having login functionality over HTTPS and the application over HTTP.