Wednesday, January 7, 2009

How to solve SEVERE: WSS1852: KeyIdentifier value cannot be empty. Possible cause, certificate version being used does not support SubjectKeyIdentifier

Solution:
--------------------------------------------
The "SubjectKeyIdentifier cannot be empty" problem was solved by changing the IncludeToken to "Always" in the server's
wsit-*.*.*.WsrmServer.xml file:
sp:IncludeToken=http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
Because the certificate is then carried in the message and referenced directly, no KeyIdentifier is needed, and the SubjectKeyIdentifier problem is solved.
-------------------------------------------
However, a new problem occurred. This is due to the fact that the certificate trust chain is missing:
we need to put the intermediate cert as well as the root cert in the trust store.
-----------------------------------------------
WSP1049: Loaded WSIT configuration from file: file:/C:/PHIN-SRM/container/webapps/WSRM_Client/WEB-INF/classes/META-INF/wsit-client.xml
Feb 17, 2009 4:47:16 PM com.sun.xml.wss.impl.misc.DefaultCallbackHandler$X509CertificateValidatorImpl validate
SEVERE: WSS1518: Failed to validate certificate
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:195)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
-----------------------------------------------------------



-------------------------------------------------
1. One possible cause: the cert version mismatch.
The solution for this is:
Download the following:
https://xwss.dev.java.net/files/documents/4864/54020/copyv3.zip

Unzip and cd to copyv3.

Set the AS_HOME environment variable to the GlassFish home and run "ant".

Restart GlassFish.

Now configure the alias as "xws-security-server" in the client truststore.

Then you should see it running.
-------------------------------------
2. The SubjectKeyIdentifier is missing from the cert.
The solution is:
So from the error it appears you have a cert which does not contain the SubjectKeyIdentifier extension.

If you run

keytool -printcert

you should see something like:

Extensions:
-------------------------------
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 75 51 36 F7 2B 32 15 6F E2 0F 59 5A DD D7 5E 3F uQ6.+2.o..YZ..^?
0010: 33 3A 21 6A 3:!j
]
]
----------------------

Do you see such a thing? If not, then you have two options:

1. Regenerate the cert using some tool such as openssl so that it creates the SKI extension correctly,

OR

2. Otherwise you can change the policy of the STS to be able to use a cert that does not have this extension.

Change any occurrence of ... with ... if your cert does not have an SKI extension.

So please make sure the X509Token in your WSDL Policy looks as below:

<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireIssuerSerialReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>


You can also use <sp:RequireThumbprintReference/> but for that to work the WSS version in the policy should be WSS 2.0
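
As an added diagnostic, not from this post and not part of Metro/WSIT, the Java program below runs the two checks this page walks through against a JKS truststore: whether the cert under a given alias carries the SubjectKeyIdentifier extension (the WSS1852 condition, the same thing the keytool -printcert output above shows) and whether it chains to a trusted entry in the store (the WSS1518 "Path does not chain with any of the trust anchors" condition). The class name, the command-line arguments and the use of the JDK's PKIX builder as an approximation of the WSIT validator are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

public class WsitCertCheck {
    // SubjectKeyIdentifier extension OID: WSS1852 fires when the cert that the
    // policy references by KeyIdentifier does not carry it.
    static final String SKI_OID = "2.5.29.14";

    /** Same check as reading the Extensions block of keytool -printcert. */
    static boolean hasSubjectKeyIdentifier(X509Certificate cert) {
        return cert.getExtensionValue(SKI_OID) != null;
    }

    /** Approximates the WSS1518 PKIX validation: builds a path from cert to a trusted
     *  entry of trustStore; throws CertPathBuilderException when the issuing
     *  intermediate/root CA is not in the trust store. */
    static CertPath buildPathToTrustAnchor(X509Certificate cert, KeyStore trustStore) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(cert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.setRevocationEnabled(false); // chain-only check, as in the log above
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(cert))));
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // Hypothetical usage: java WsitCertCheck <truststore.jks> <password> <alias>
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = load(args[0], args[1]);
        X509Certificate cert = (X509Certificate) trustStore.getCertificate(args[2]);
        if (cert == null) throw new IllegalArgumentException("no certificate under alias " + args[2]);
        System.out.println("SubjectKeyIdentifier present: " + hasSubjectKeyIdentifier(cert));
        try {
            CertPath path = buildPathToTrustAnchor(cert, trustStore);
            System.out.println("Chains to a trust anchor; path length " + path.getCertificates().size());
        } catch (CertPathBuilderException e) {
            System.out.println("Does not chain (cf. WSS1518); add intermediate and root CA: " + e.getMessage());
        }
    }
}
```

Run it against the client truststore with the alias the client policy encrypts to (for example the "xws-security-server" alias mentioned above): a false SKI result means WSS1852 unless the policy uses an IssuerSerial or Thumbprint reference, and a chain failure means the intermediate and root CA certs still need to be imported.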
-----------------------------------------------------------------



see also:
http://forums.java.net/jive/thread.jspa?threadID=35273
--------------------------------------------

---------------------------------
Jan 7, 2009 8:58:11 PM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
INFO: WSP1049: Loaded WSIT configuration from file: file:/home/srm/wsrm_grid/container/webapps/WSRM_Client/WEB-INF/classes/META-INF/wsit-client.xml
Jan 7, 2009 8:58:12 PM com.sun.xml.ws.security.opt.impl.keyinfo.TokenBuilder buildKeyInfoWithKI
SEVERE: WSS1852: KeyIdentifier value cannot be empty. Possible cause, certificate version being used does not support SubjectKeyIdentifier.
Jan 7, 2009 8:58:12 PM com.sun.xml.wss.jaxws.impl.SecurityTubeBase secureOutboundMessage SEVERE: WSSTUBE0024: Error in Securing Outbound Message.
com.sun.xml.wss.XWSSecurityException: WSS1852: KeyIdentifier value cannot be empty. Possible cause, certificate version being used does not support SubjectKeyIdentifier.
at com.sun.xml.ws.security.opt.impl.keyinfo.TokenBuilder.buildKeyInfoWithKI(TokenBuilder.java:205)
at com.sun.xml.ws.security.opt.impl.keyinfo.X509TokenBuilder.process(X509TokenBuilder.java:93)
at com.sun.xml.ws.security.opt.impl.enc.TokenProcessor.process(TokenProcessor.java:160)
at com.sun.xml.ws.security.opt.impl.enc.EncryptionProcessor.process(EncryptionProcessor.java:143)
at com.sun.xml.wss.impl.filter.EncryptionFilter.encrypt(EncryptionFilter.java:442)
at com.sun.xml.wss.impl.filter.EncryptionFilter.process(EncryptionFilter.java:403)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:95)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:268)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:186)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:147)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.secureOutboundMessage(SecurityTubeBase.java:378)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:239)
at com.sun.xml.ws.security.secconv.WSSCPlugin.sendRequest(WSSCPlugin.java:397)
at com.sun.xml.ws.security.secconv.WSSCPlugin.process(WSSCPlugin.java:260)

at com.sun.xml.ws.security.secconv.impl.client.SCTokenProviderImpl.issue(SCTokenProviderImpl.java:129)
at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:79)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.startSecureConversation(SecurityClientTube.java:460)
at com.sun.xml.ws.rm.runtime.ProtocolCommunicator.tryStartSecureConversation(ProtocolCommunicator.java:103)
at com.sun.xml.ws.rm.runtime.ClientSession.initializeIfNecessary(ClientSession.java:255)
at com.sun.xml.ws.rm.runtime.ClientSession.processOutgoingPacket(ClientSession.java:157)
at com.sun.xml.ws.rm.runtime.RmClientTube.processRequest(RmClientTube.java:123)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
at com.sun.xml.ws.client.Stub.process(Stub.java:222)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy73.receiveMessage(Unknown Source)
at gov.cdc.wsigrid.wsrm.WsrmClientServlet.processRequest(WsrmClientServlet.java:219)
at gov.cdc.wsigrid.wsrm.WsrmClientServlet.doPost(WsrmClientServlet.java:281)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Jan 7, 2009 8:58:12 PM com.sun.xml.wss.jaxws.impl.SecurityClientTube processClientRequestPacket
SEVERE: WSSTUBE0024: Error in Securing Outbound Message.


http://www.jroller.com/gmazza/date/20080805