Jan 24

In this document I explore the effects of selected web services security policies on SOAP message exchange in the GlassFish ESB v2.x.

This is a work-in-progress document, now at rev 0.4.1.

To provide early access I intend to release revisions of this document as significant new sections become available.

Rev 0.1: Content
•    Assumptions and Notes
•    Person Service XML Schema and WSDL Interface
•    Common XML Project
•    PersonSvc BPEL Module
•    PersonCli BPEL Module
•    JBI-based Person Service – Plain End-to-End
•    JBI-based Person Service – SSL with Server-side Authentication

Rev 0.2: Additional Content
•    JBI-based Person Service – SSL with Mutual Authentication (broken)
•    EJB-based Person Service – No security
•    EJB-based Person Service – SSL with Server-side Authentication

Rev 0.3: Additional Content
•    EJB-based Person Service – SSL with Mutual Authentication
•    JBI-based Person Service – Exploring WS-Addressing

Rev 0.4: Additional and Changed Content
•    Modified sections 5.8 and 5.9 (SSL Server side and mutual authentication)
•    Using WS-Addressing for Explicit Dynamic Routing
•    Pre-requisite Cryptographic Objects [TBC]
•    Upgrading Metro to version 1.5 [TBC]
•    Username Token Profile 1.0 (2004) Policy [TBC]

More in CH05_WSSecurityExploration_r0.4.1.pdf at http://blogs.czapski.id.au/wp-content/uploads/2010/03/CH05_WSSecurityExploration_r0.4.1.pdf

The archive, CH05_WSSecurityExploration_r0.4.1.zip, containing all projects developed so far is to be found at http://blogs.czapski.id.au/wp-content/uploads/2010/03/CH05_WSSecurityExploration_r0.4.1.zip.

13 Responses to “GlassFish ESB, v2.x – BPEL SSL Mutual Auth Mk.II and using JBI WS-Addressing for explicit routing – Exploring Effects of Security Policies, Rev.0.4.1”

  1. Bob says:

    Hi Michael,
    I am trying this mutual ssl authentication on two pc.
    Refer to r0.4.1.pdf, I successfully implemented the steps until I reached to page chapter 5, 62 . I have copied the Person.xsd, PersonAbsSvc.wsdl and casaPort1.wsdl to “Process Files”, and changed the location value in new casaPort1.wsdl, also have imported the server certificate to client cacerts.jks, when I deployed the client application PersonCli_CA_SSLServerAuth, I got below errors:

    run-jbi-deploy:
    [undeploy-service-assembly]
    Undeploying a service assembly…
    host=localhost
    port=4848
    name=PersonCli_CA_SSLServerAuth
    [deploy-service-assembly]
    Deploying a service assembly…
    host=localhost
    port=4848
    file=C:\Documents and Settings\xiaohua.xiong\My Documents\NetBeansProjects\PersonCli_CA_SSLServerAuth/dist/PersonCli_CA_SSLServerAuth.zip
    ERROR: Successful execution of Deploy: C:\Documents and Settings\xiaohua.xiong\My Documents\NetBeansProjects\PersonCli_CA_SSLServerAuth/dist/PersonCli_CA_SSLServerAuth.zip
    WARNING: (JBIMA0404) Deployment of service assembly PersonCli_CA_SSLServerAuth succeeded partially; some service units failed to deploy.
    * Component: sun-http-binding
    ERROR: (SOAPBC_DEPLOY_2) HTTPBC-E00201: Deployment failed. javax.wsdl.WSDLException: WSDLException (at /definitions/import): faultCode=OTHER_ERROR: Unable to resolve imported document at ”https://10.1.3.21:9181/PersonSvc_CA_SSLServerAuth-sun-http-binding/PersonAbsSvc.wsdl”, relative to ”file:/E:/JavaCAPS62/appserver/domains/domain1/jbi/service-assemblies/PersonCli_CA_SSLServerAuth.2/PersonCli_CA_SSLServerAuth-sun-http-binding/sun-http-binding/FS-EAS-D1QSYQ1S_9181/casaService1/casaPort1.wsdl”: java.io.IOException: HTTPS hostname wrong: should be
    Cleaning up…
    [undeploy-service-assembly]
    Undeploying a service assembly…
    host=localhost
    port=4848
    name=PersonCli_CA_SSLServerAuth
    C:\Documents and Settings\xiaohua.xiong\My Documents\NetBeansProjects\PersonCli_CA_SSLServerAuth\nbproject\build-impl.xml:201: Deployment failure.

    It complains HTTPS hostname wrong. Did I miss any steps or any other files need to be modified?
    Thanks a lot.

    Bob

  2. Bob says:

    Hi Michael,
    Thanks a lot for your reply. I re-issued the certificates for client and server, still go the same problem.
    I found that when i created new “external wsdl document”, after i specifed the url like: https://FS-EAS-D1QSYQ1S:9181/casaService1/casaPort1?WSDL, I got 2 folders under “Process Files”: one folder name is 10.1.3.21_9181, another folder name is FS-EAS-D1QSYQ1S_9181, and FS-EAS-D1QSYQ1S is the server name for 10.1.3.21. According to the tutorial, there should be only one folder with sever name generated.
    why are two folders generated on my machine, is it the reason?
    Thanks.

    Bob

  3. Bob says:

    Hi Michael,
    I figured it out. As mentioned above, when I import the external wsdl file, two folders are generated, one is with IP address in folder name, another one with server name in folder name.
    So i replace all occurance of https://10.1.3.21:9181/PersonSvc_CA_SSLServerAuth-sun-http-binding with https://FS-EAS-D1QSYQ1S:9181/PersonSvc_CA_SSLServerAuth-sun-http-binding,
    then it works. I think it is because the certificate is tied to server name instead of ip address, and thus deployment failed because of it can’t verify the url containing ip address.
    Thanks for your help.

    Bob

    • Hello, Bob.

      I am glad you resolved the issue.
      I noticed some anomalies in the way the web services infrastructure in the GalssFish ESB kit treated IP addresses/host names. I put up a fight with the development team but lost :-(

      Regards

      Michael

  4. Marcelo says:

    Hi Michael,

    I am using software to capture the traffic generated by the Web Services, the configuration is as follows:
    http://localhost:9080/PersonSvc_CA_Plain/PersonSvc_CA_Plain/casaPort1

    And within Glassfish, configure:
    Proxy Type: HTML
    Proxy Host: localhost
    Proxy Port: 12345

    When I begin to capture the files, just capture the following:

    GET http://143.106.24.166:9080/PersonSvc_CA_Plain-sun-http-binding/META-INF/PersonSvc/src/_references/_projects/CommonXML/src/Person.xsd HTTP/1.1
    User-Agent: Java/1.6.0_10
    Host: 143.106.24.166:9080
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Proxy-Connection: keep-alive

    Somehow, the rest of the SOAP message does not go through the proxy, how I can configure for the rest of
    Proxy passes the message or any suggestions?

    Thanks,

    • Hello, Marcelo.

      I don;t know what software you are using to invoke the service so I can’t say why it is not behaving the way you are expecting it to behave. I use tcpmon to capture SOAP exchanges when I need to and it works well for me when using non-SSL HTTP exchanges.

      All the best

      Michael

  5. Dustin says:

    Hello Michael,

    First of all, I just want to comment that this article is more valuable than anything I have found online to learn the basics of creating, configuring and deploying BPEL and EJB projects. However, I am running into an issue with section “5.10 EJB-based Person Svc with No Channel Security” that I hope you have some time to help me with.

    1. When creating the EJB project, what Java EE version (Java EE 5 or J2EE 1.4) did you select and why? I selected Java EE 5 because I believe it uses the Metro stack instead of JAX-RPC.

    2. Another issue I had was after creating the “New WebService From WSDL”, the auto-generated source code is missing some statements when compare to your code. They are:

    import org.netbeans.j2ee.wsdl.commonxml.src.personabssvc.GetPersonDetailsFault;
    import org.netbeans.j2ee.wsdl.commonxml.src.personabssvc.PersonAbsSvcPortType;

    “implements PersonAbsSvcPortType” statement.

    Can you help me resolve this issue?

    3. Last but most importantly, I am very interested in learning how to digitally sign the soap message with a certificate (in the header section), could you please refer me to an article you may have already written on this topic?

    Thank you so much for your help and by the way, I learned JCAPS after purchasing your excellent book “Java CAPS Basic”.

    Dustin

    • Thanks for the good word, Dustin.

      Alas, this is a pretty old article, as IT developments go, and I moved on a fair way away from this topic area in the intervening years. So did OpenESB, I gather – I don’t know for sure since I have been out of touch with it for over 2 years. So, unfortunately, I can’t help you.

      Good luck

      Michael

    • Hello, Dustin.

      Thanks for the good word :-)

      ALas, I moved a pretty far away from this topic area in the last 3 years so I can’t really help. OpenESB has moved along pretty far as well, I gather – I don;t know for sure since I have not been keeping up with it for years.

      Good luck

      Michael

Leave a Reply

preload preload preload