Question

Deepankar Das (DeepankarD)
Capgemini India Pvt. Ltd.

Posted: October 13, 2017
Last activity: October 16, 2018
Closed

WS-Security Certificate validation failed

Hi,

We are facing an issue in our project when trying to set up WS-Security. A certificate chain is used here and the certificates are kept in the following way –

- The root and the intermediate certs are kept in the Pega truststore

- The client is signing the request using a leaf cert

The request is failing and we see the following error in the logs and in the response –

<soap:Fault>
<faultcode>wsse:FailedAuthentication</faultcode>
<faultstring>Certificate validation failed</faultstring>
</soap:Fault>

The application is running on Websphere 8.5.5.8

We have been able to replicate the issue using SOAP UI by following these steps –

1) Create a 3-level key pair using KeyStore Explorer.
A -- B (A) -- C (B)
2) Use this jks as the keystore in SOAP UI.
3) Export certificates A.cer (root), B.cer (immediate), C.cer (leaf) from KeyStore Explorer.
4) Create a jks file and import B.cer into it. Use this jks file as the truststore in the ws-security profile instance.
5) Use this ws-security profile to enable web security for a SOAP service.
6) The web security configuration uses the in-flow settings below:
Signature Algorithm - RSA-SHA1
Digest - SHA256
Signature Key Identifier - Binary Security Token
7) Invoke the SOAP service from SOAP UI using that keystore in the outgoing WS-Security configuration. Use B as the alias so that the signature has to check certificate B.

We raised an SR for this and got the following reply –

ROOT CAUSE
Issue with IBM WebSphere

RESOLUTION
Please follow the resolution IBM suggested in the following link.
http://www-01.ibm.com/support/docview.wss?uid=swg21651084

We have also tried this, but the issue was not resolved.

Has anyone faced this issue? If yes, then how did you resolve it?

Thanks

Deepankar

**Moderation Team has archived post**

This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
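The truststore layouts described in the post (root plus intermediate, and intermediate only as in steps 4 and 7) can be checked outside Pega and WebSphere to see how a strict X.509 path validator treats each one. This is an added example, not part of the original post or of any Pega or IBM tooling; it uses the OpenSSL command line, whose path-building rules are assumed here only as a reference point and may differ from the product's WS-Security stack, and all file names and keys are constructed.

```shell
#!/usr/bin/env bash
# Constructed demo: A (root) -> B (intermediate) -> C (leaf), throwaway keys.

new_cert() {  # $1=dir $2=name $3=issuer name (= name for self-signed) $4=ext file
  local d=$1 n=$2 ca=$3 ext=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n" \
    -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1 || return 1
  if [ "$n" = "$ca" ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$ext" -out "$d/$n.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -CAcreateserial -days 2 -extfile "$ext" -out "$d/$n.pem" >/dev/null 2>&1
  fi
}

build_chain() {  # $1 = existing work directory
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$d/leaf.ext"
  new_cert "$d" A A "$d/ca.ext" && new_cert "$d" B A "$d/ca.ext" \
    && new_cert "$d" C B "$d/leaf.ext" || return 1
  cat "$d/A.pem" "$d/B.pem" > "$d/trust_AB.pem"   # root + intermediate
  cp "$d/B.pem" "$d/trust_B.pem"                   # intermediate only (steps 4 and 7)
}

check() {  # $1 = trust bundle, $2 = signer cert, remaining args = extra verify flags
  local trust=$1 cert=$2; shift 2
  if openssl verify "$@" -CAfile "$trust" "$cert" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}

demo() {
  local d; d=$(mktemp -d) || return 1
  build_chain "$d" || { echo "openssl failed" >&2; rm -rf "$d"; return 1; }
  echo "signer C, trust A+B:                $(check "$d/trust_AB.pem" "$d/C.pem")"
  echo "signer C, trust B only:             $(check "$d/trust_B.pem" "$d/C.pem")"
  echo "signer C, trust B, partial chain:   $(check "$d/trust_B.pem" "$d/C.pem" -partial_chain)"
  echo "signer B, trust B only:             $(check "$d/trust_B.pem" "$d/B.pem")"
  echo "signer B, trust B, partial chain:   $(check "$d/trust_B.pem" "$d/B.pem" -partial_chain)"
  rm -rf "$d"
}

demo
```

With OpenSSL, a truststore holding only the non-self-signed intermediate is rejected unless partial chains are explicitly allowed, so comparing these results with the product's behaviour shows whether the missing root in the truststore is a candidate cause.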
