We have been able to replicate the issue using SOAP UI by following these steps –
1) Create 3 level key pair using keystore explorer.
A -- B (A) -- C(B)
2)Use this jks as keystore in SOAP UI.
3) Export certificates A.cer (root), B.cer (immediate), C.cer (leaf) fom keystore explorer.
4) Create a jks file and import B.cer into this. Use this jks file as truststore in the ws-security profile instance.
5) Use this ws-secuirty profile to enable web security for a SOAP service.
6) The web security configuration uses in-flow as below
Signature Algorithm -RSA-SHA1
Signature Key Identifier - Binary Security Token
7) Invoke the soap service from soap-ui using that keystore in outgoing WS-Secuirty configuration. Use B as alias so that the signature has to check certificate B
We raised an SR for this and got the following reply –
Have you tried to install fix pack mentioned in IBM site i.e APAR PM78686? are you facing same exception in logs are different exception? please help us with the stack trace and mean while re open the SR for further investigation.