Rampart: signing a SOAP message fails with private key/certificate

We are running a WSO2 ESB 5.0 server. We want to create a service that transforms a normal SOAP message into a signed version and delivers it to an endpoint.

We are getting this error message:

Caused by: org.apache.ws.security.WSSecurityException: General security error (No certificates for user wso2carbon were found for signature)

Why do I get this message? I do not understand what it means.

Update: I figured out that the user in the Rampart config should be the alias of the key that you want to use to sign, and the password handler should return the password of that alias's key.

The Synapse (WSO2 ESB) proxy service is:

    <?xml version="1.0" encoding="UTF-8"?>
    <proxy xmlns="http://ws.apache.org/ns/synapse"
           name="__mke_siging_out"
           startOnLoad="true"
           statistics="disable"
           trace="disable"
           transports="https">
       <target>
          <inSequence>
             <send>
                <endpoint>
                   <address uri="http://foo.bar.host/services/default/Echo/echo_client_ep">
                      <enableSec policy="gov:/policies/__mke_sign_out.xml"/>
                   </address>
                </endpoint>
             </send>
          </inSequence>
          <outSequence>
             <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                     action="remove"
                     name="wsse:Security"
                     scope="default"/>
             <send/>
          </outSequence>
          <faultSequence/>
       </target>
       <description/>
    </proxy>

The Rampart configuration is the following; it points to a JKS keystore in which the private key and public certificate are loaded and protected by a password:

    <?xml version="1.0" encoding="UTF-8"?>
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigOnly">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:InitiatorToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                    <wsp:Policy>
                                        <sp:RequireThumbprintReference />
                                        <sp:WssX509V3Token10 />
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:InitiatorToken>
                        <sp:RecipientToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                    <wsp:Policy>
                                        <sp:RequireThumbprintReference />
                                        <sp:WssX509V3Token10 />
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:RecipientToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic256 />
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict />
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp />
                        <sp:OnlySignEntireHeadersAndBody />
                    </wsp:Policy>
                </sp:AsymmetricBinding>
                <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <!-- The nested policy element of sp:Wss10 is wsp:Policy in WS-SecurityPolicy -->
                    <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier />
                        <sp:MustSupportRefIssuerSerial />
                    </wsp:Policy>
                </sp:Wss10>
                <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <sp:Body />
                </sp:SignedParts>
            </wsp:All>
        </wsp:ExactlyOne>
        <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
            <!-- Rampart looks up the signing certificate under this name in the
                 signatureCrypto keystore; here it is "wso2carbon" while the key
                 alias configured below is "myAlias", which is what triggers
                 "No certificates for user wso2carbon were found for signature" -->
            <rampart:user>wso2carbon</rampart:user>
            <rampart:passwordCallbackClass>nl.rsg.it.igw.passwordcallback.Handler</rampart:passwordCallbackClass>
            <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
            <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
            <rampart:timestampTTL>300</rampart:timestampTTL>
            <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
            <rampart:timestampStrict>false</rampart:timestampStrict>
            <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
            <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
            <rampart:encryptionCrypto>
                <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
                    <rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
                    <rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
                    <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                    <rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
                </rampart:crypto>
            </rampart:encryptionCrypto>
            <rampart:signatureCrypto>
                <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
                    <rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
                    <rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
                    <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
                    <rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
                </rampart:crypto>
            </rampart:signatureCrypto>
        </rampart:RampartConfig>
    </wsp:Policy>
Answer by Marc:

I figured out that the user in the Rampart config should be the alias of the key that you want to use to sign, and the password handler should return the password of that alias's key.
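The password callback that the answer describes, as an added example (not the questioner's `nl.rsg.it.igw.passwordcallback.Handler` and not WSO2 or Rampart code). It targets the WSS4J 1.x API whose package (`org.apache.ws.security`) appears in the stack trace above. Rampart hands this handler a `WSPasswordCallback` whose identifier is the value of `<rampart:user>`, so that value must be the private-key alias (`myAlias` in the policy above, not `wso2carbon`); the handler then answers with the password of that key. The class name, the `signing.key.password` system property and the decision to answer only for the expected alias and usage are assumptions made here:

```java
package nl.example.passwordcallback; // hypothetical package, not the questioner's class

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback for Rampart on WSS4J 1.x.
 *
 * Rampart invokes handle() with a WSPasswordCallback whose identifier is the
 * <rampart:user> value. WSS4J looks that same value up as the key alias in the
 * signatureCrypto keystore; if it is not an alias there, signing fails with
 * "No certificates for user ... were found for signature" before this handler
 * is ever consulted.
 */
public class SigningKeyPasswordHandler implements CallbackHandler {

    // Alias of the private-key entry in myPrivate.jks. Must match both
    // <rampart:user> and org.wso2.carbon.security.crypto.alias in the policy.
    private static final String SIGNING_ALIAS = "myAlias";

    // Assumption: the key password is injected out of band via a JVM system
    // property so it is not hard-coded next to the keystore path.
    static final String KEY_PASSWORD_PROPERTY = "signing.key.password";

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;

            // Answer only for the signing key: the identifier must be the key
            // alias and the usage a private-key (signature) lookup. Handing the
            // key password to any caller, e.g. a UsernameToken callback, would
            // leak it outside its intended use.
            if (shouldAnswer(pwcb.getIdentifier(), pwcb.getUsage())) {
                pwcb.setPassword(lookupKeyPassword());
            }
            // Anything else is left unanswered, so Rampart fails the operation
            // rather than signing with an unintended key.
        }
    }

    /** Policy decision: identifier is our alias and usage is SIGNATURE. Add
     *  WSPasswordCallback.DECRYPT here if the same key also decrypts. */
    static boolean shouldAnswer(String identifier, int usage) {
        return SIGNING_ALIAS.equals(identifier) && usage == WSPasswordCallback.SIGNATURE;
    }

    static String lookupKeyPassword() throws IOException {
        String password = System.getProperty(KEY_PASSWORD_PROPERTY);
        if (password == null || password.isEmpty()) {
            throw new IOException("System property " + KEY_PASSWORD_PROPERTY + " is not set");
        }
        return password;
    }
}
```

Register the class in `<rampart:passwordCallbackClass>`, start the server with `-Dsigning.key.password=...`, and confirm the alias before blaming the handler: `keytool -list -keystore myPrivate.jks -alias myAlias` must report a `PrivateKeyEntry`, since a trusted-certificate-only entry cannot sign. Note that the password returned here is the key (entry) password, which in a JKS can differ from the keystore password used by `ServerCrypto` to open the file.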