
SoapUI and keystore

Recently, I had to enhance SOAP communications between me and a web service. After creating a private key file on my server, and after the CSR was created and sent, a certificate file was received in PEM format.

I want to test it in SoapUI, but it keeps saying: Error: Access is Denied. Client SSL Certificate Required.

Here is what I did:

  • Certificate conversion

    openssl pkcs12 -export -out certif.p12 -inkey myprivatekey.pem -in Certificate-received.pem
    
  • Keystore import

    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore pierrejks.jks -srckeystore certif.p12 -srcstoretype PKCS12 -srcstorepass tenzin -alias 1
    

In SoapUI,

I went to Preferences and, in the SSL Settings tab:

  • Keystore was set to pierrejks.jks

  • Keystore password provided: changeit

  • Requires client authentication was ticked.

On the project now (right click on the project's root, then Show Project View), I went to WS-Security Configurations, keystore tab, to add a new source.

  • Source is the path to the pierrejks.jks file
  • Password is changeit
  • Default Alias is set to pierrealias
  • No Alias Password provided

After filling in this information, the status became OK.

In the Outgoing WS-Security Configurations, a configuration was added with a new WSS-Entry Encryption.

  • Configuration Name is pierreconf
  • WSS Entry type is Encryption
  • Keystore chosen is pierrejks.jks
  • Alias is 1
  • Password is changeit

Finally, a request is made with the pierreconf Outgoing WSS profile, and this is where I have the error. At this moment, if I understand correctly, the Raw tab shows that it is encrypted:

    POST https://gsxapi.apple.com/gsx-ws/services/emea/iphone HTTP/1.1
    Accept-Encoding: gzip,deflate
    Content-Type: text/xml;charset=UTF-8
    SOAPAction: "urn:authenticate"
    Content-Length: 3047
    Host: gsxapi.apple.com
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

    <soapenv:Envelope xmlns:glob="http://gsxws.apple.com/elements/global" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
       <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptedKey Id="EK-974B3C3F270F85DA2A143289398095719" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple Corporate External Authentication CA 1</ds:X509IssuerName><ds:X509SerialNumber>6119460251051586160</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>yWIQ5aWqy50ba/kaw3mLYyvpBL8S+mcQnkZri8q6deJXoNFZm+TGOry9ds5VCbsYzpgjAYGFRZxnEfnAirFDqojUgbthc6E/YeG15y1GShiBZrBB3U5KVk6ZIqRaOAVSBMCG5DXosFDz0I/MrToMA8MvX5A26pgp6siM6fhfVRLfFPDCJQOQJw3gr2G3IUnu0t4jf2BIs4FPObtOZSN1ou+w3ny2meL2F0VhT2UPDbZ46EKwHiY7Az9RVt0MocWRRQSR9FU4h6zqziWbUC95OrzrKXrbo01La8UDZ4mykQXqg==</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-974B3C3F270F85DA2A143289398095720"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soapenv:Header>
       <soapenv:Body><xenc:EncryptedData Id="ED-974B3C3F270F85DA2A143289398095720" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-974B3C3F270F85DA2A143289398095719"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>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</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body>
    </soapenv:Envelope>

The return message is:

    HTTP/1.1 401 Access Denied
    Connection: close
    Content-Length: 57
    Content-Type: text/html
    Cache-Control: no-cache,no-store
    Pragma: no-cache

    Error: Access is Denied. Client SSL Certificate Required.

How to use SSL is not clear to me at the moment.

I'm sure I made some mistakes; can someone point me in the right direction?

Tanc asked May 29 '15 10:05



1 Answer

Done it!

Info: My SoapUI version is 5.0. I decided not to use a JKS as keystore, but the p12 file only.

Here is, step by step, what I did.

PKCS12 file creation

Using my privatekey.pem file (used to generate the CSR file) and the certificate.pem received (generated by the third party from the previous CSR file):

    openssl pkcs12 -export -out certif.p12 -inkey myprivatekey.pem -in Certificate-received.pem

At the prompts:

  • Enter pass phrase for myprivatekey.pem: I entered the password used to generate my private key.
  • Enter export password: tenzin
  • Verifying - Enter Export Password: tenzin

In SoapUI,

In Preferences,

  1. certif.p12 was chosen as keystore.
  2. Password given is tenzin
  3. Requires client authentication is ticked.

It works.

Tanc answered Sep 22 '22 09:09
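
Added example, not part of the original answer: a shell check that a PKCS#12 file built as in the answer really contains a private key together with the matching client certificate, which is what the TLS layer needs in order to answer the server's "Client SSL Certificate Required" demand. The function names `p12_check` and `make_demo_stores`, the password `example-pass` and the demo key and certificate are constructed for illustration; only standard `openssl` subcommands are used.

```shell
#!/bin/sh
# p12_check FILE PASSWORD
# Returns 0 only if FILE opens with PASSWORD and holds a private key whose
# public half equals the public key of the client certificate in the file.
p12_check() {
    p12=$1; pass=$2
    # Private key -> public key (key material only ever travels through a pipe).
    key_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || return 1
    # Client (leaf) certificate -> public key.
    crt_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# make_demo_stores DIR
# Builds constructed test material: a throwaway key and self-signed certificate,
# good.p12 (key + cert) and certonly.p12 (certificate without its key).
make_demo_stores() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-client" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -out "$dir/good.p12" -passout pass:example-pass \
        -inkey "$dir/key.pem" -in "$dir/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -nokeys -out "$dir/certonly.p12" \
        -passout pass:example-pass -in "$dir/cert.pem" 2>/dev/null
}

# Demo run on the constructed stores.
demo=$(mktemp -d) && make_demo_stores "$demo"
for f in good.p12 certonly.p12; do
    if p12_check "$demo/$f" example-pass; then
        echo "$f: key and certificate match, usable for client authentication"
    else
        echo "$f: NOT usable for client authentication"
    fi
done
rm -rf "$demo"
```

A keystore that fails this check cannot present a client certificate during the TLS handshake, regardless of any WS-Security encryption applied to the SOAP body.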