I have been working on a task to invoke a webservice over https. The wsdl itself contains the following information on security -
<wsid:Identity xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
  <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:X509Data>
      <dsig:X509Certificate>
        **XXX**
      </dsig:X509Certificate>
      <dsig:X509IssuerSerial>...</dsig:X509IssuerSerial>
      <dsig:X509SubjectName>CN=FAEncryption, DC=cloud, DC=oracle, DC=com</dsig:X509SubjectName>
      <dsig:X509SKI>**ZZZ**</dsig:X509SKI>
      <dsig:X509Certificate>
        **YYY**
      </dsig:X509Certificate>
    </dsig:X509Data>
  </dsig:KeyInfo>
</wsid:Identity>
Now using this information, I came up with the certificate using the following procedure -
Create a new file with any name you like. You must change the extension to .cer to indicate that it is a certificate file.
Using a text editor, open the file you just created and enter "-----BEGIN CERTIFICATE-----" on the first line.
In the next line, copy the Base64 encoded certificate from the service WSDL file to the newly created certificate file.
Add "-----END CERTIFICATE-----" on a new line and save the file. Now you have a certificate containing the public key from the server.
Open the command line and change the directory to $JAVA_HOME/bin. Use the following command to create a KeyStore and import the public key from the certificate.
If you notice, in the wsdl, there are two certificates. I added both of them to the keystore. The commands are -
keytool -import -file ~/ddrive/test/details/SubmitFlow.cer -alias orakey1 -keypass welcome -keystore ~/ddrive/test/details/test.jks -storepass welcome
keytool -import -file ~/ddrive/test/details/SubmitFlow1.cer -alias orakey1 -keypass welcome -keystore ~/ddrive/test/details/test.jks -storepass welcome
Initially I had added only one of the certificates. But later on, I added both of them. I use spring-ws to make the webservice call. However, I still get a 401 unauthorized response.
I don't have any document which illustrates what needs to be done. It would be great if someone could guide me here. By the way, in case it helps, this webservice is related to Oracle HCM.
In short, you have imported the WSDL certificate into a JKS, but you do not use it, so it has no effect.
But this is not the problem. In fact, the <wsid:Identity> tags provide information about how you can verify the identity of the endpoint, but not about how the endpoint validates you.
A 401-Unauthorized means you have not provided the credentials. First you need to know how to authenticate to the web server: username-password, digital-signature, etc.
In some cases the WSDL itself includes a <wsp:Policy> which includes the expected authentication method. In other cases, just look at the documentation. I suggest generating the stub with your preferred wsdl2java tool, which will probably correctly generate the code to deal with wsp:policy.
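The question's manual certificate steps and the answer's advice to look for a <wsp:Policy>, combined into one added example (not code from either post): it writes each certificate found under <wsid:Identity> as PEM and lists the assertion names nested inside any <wsp:Policy>. The sample WSDL, its certificate text, the sp: assertions and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

WSID = "http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Both published WS-Policy namespaces; a WSDL may use either one.
WSP_NS = ("http://schemas.xmlsoap.org/ws/2004/09/policy",
          "http://www.w3.org/ns/ws-policy")

def identity_certs_as_pem(wsdl_text):
    """Return each dsig:X509Certificate under wsid:Identity as a PEM string."""
    pems = []
    for identity in ET.fromstring(wsdl_text).iter(f"{{{WSID}}}Identity"):
        for cert in identity.iter(f"{{{DSIG}}}X509Certificate"):
            b64 = "".join((cert.text or "").split())  # drop line breaks and indent
            if not b64:
                continue
            base64.b64decode(b64, validate=True)      # raises on placeholder or damaged text
            body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            pems.append("\n".join(["-----BEGIN CERTIFICATE-----", *body,
                                   "-----END CERTIFICATE-----"]) + "\n")
    return pems

def policy_assertions(wsdl_text):
    """Return sorted local names of the non-WS-Policy elements inside any wsp:Policy."""
    root, names = ET.fromstring(wsdl_text), set()
    for ns in WSP_NS:
        for policy in root.iter(f"{{{ns}}}Policy"):
            for el in policy.iter():
                uri, _, local = el.tag.lstrip("{").partition("}")
                if local and uri not in WSP_NS:
                    names.add(local)
    return sorted(names)

# Constructed sample: the certificate text is placeholder bytes, not a real certificate.
SAMPLE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate " * 3).decode()
SAMPLE_WSDL = f"""<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsid="{WSID}" xmlns:dsig="{DSIG}">
  <wsp:Policy><sp:TransportBinding/>
    <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
  </wsp:Policy>
  <wsid:Identity><dsig:KeyInfo><dsig:X509Data>
    <dsig:X509Certificate>{SAMPLE_B64}</dsig:X509Certificate>
  </dsig:X509Data></dsig:KeyInfo></wsid:Identity>
</wsdl:definitions>"""

if __name__ == "__main__":
    print("".join(identity_certs_as_pem(SAMPLE_WSDL)))
    print("policy assertions:", policy_assertions(SAMPLE_WSDL))
```

An empty list from policy_assertions means the WSDL does not state the authentication method, which is the case where the answer points to the service documentation.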