wsit client keystore callback never called


I'm using wsit to create a webservice client with some security enhancements. To satisfy some deployment specifications I had to use the callback mechanism for keystore loading:

<wsp:Policy wsu:Id="WSPortBindingPolicy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <!-- define a keystore and truststore with the certificates for ssl encrypted connections -->
            <sc:KeyStore wspp:visibility="private" callbackHandler="webservice.auth.KeyStoreHandler" />
            <sc:TrustStore wspp:visibility="private" callbackHandler="webservice.auth.KeyStoreHandler"/>

Now according to my logfiles, the KeyStore handler is correctly instantiated, but is never called for keystore creation. That means the callback method 'handle(Callback[] callbacks)' is never called. Can someone please give me some hints on how to analyse the problem further?

The call stack of the instantiation indicates that the policy is correctly parsed and set up. But during the SSL handshake the callbacks are not triggered.

INFO: WSP5018: WSIT configuration was loaded from file: jar:file:/C:/app.jar!/META-INF/wsit-client.xml.
11:22:08,753 DEBUG [AWT-EventQueue-0] webservice.auth.KeyStoreHandler () : instantiate KeyStoreHandler
java.lang.Exception
at webservice.auth.KeyStoreHandler.<init>(KeyStoreHandler.java:60)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.initNewInstances(DefaultCallbackHandler.java:2022)
at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.<init>(DefaultCallbackHandler.java:344)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.configureClientHandler(SecurityClientTube.java:823)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.<init>(SecurityClientTube.java:180)
at com.sun.xml.wss.provider.wsit.SecurityTubeFactory.createTube(SecurityTubeFactory.java:275)
at com.sun.xml.ws.assembler.TubeCreator.createTube(TubeCreator.java:85)
at com.sun.xml.ws.assembler.MetroTubelineAssembler.createClient(MetroTubelineAssembler.java:137)
at com.sun.xml.ws.client.Stub.createPipeline(Stub.java:328)
at com.sun.xml.ws.client.Stub.<init>(Stub.java:297)
at com.sun.xml.ws.client.Stub.<init>(Stub.java:239)
at com.sun.xml.ws.client.Stub.<init>(Stub.java:254)
at com.sun.xml.ws.client.sei.SEIStub.<init>(SEIStub.java:92)
at com.sun.xml.ws.client.WSServiceDelegate.getStubHandler(WSServiceDelegate.java:746)
at com.sun.xml.ws.client.WSServiceDelegate.createEndpointIFBaseProxy(WSServiceDelegate.java:724)
at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:408)
at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:384)
at javax.xml.ws.Service.getPort(Service.java:175)

zacheusz

Some hints on how to analyse the problem further:

  1. Enable Level.FINE for the logger com.sun.xml.wss.logging; you should see some helpful messages from DefaultCallbackHandler.

  2. Set a breakpoint on the DefaultCallbackHandler#getKeyStoreUsingCallback(Map runtimeProps) and getPrivateKey(Map runtimeProps, String alias) methods. I guess they are not called at all. Maybe SSL is not initialized at all?

  3. To debug SSL, set the system property javax.net.debug=ssl. Then you will see what exactly happens. You can find more info here: Debugging SSL/TLS Connections.

If you provide the output then maybe we will be able to help you.
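As an added example (not the asker's class and not Metro's own code), here is what a handler wired in through the callbackHandler attribute of sc:KeyStore / sc:TrustStore can look like, together with a main() that drives it the same way DefaultCallbackHandler would (instantiate by class name, pass a KeyStoreCallback to handle()) and turns on FINE logging for com.sun.xml.wss.logging as suggested in step 1 above. The system property names are hypothetical; the KeyStoreCallback and PrivateKeyCallback class and method names are the XWSS ones from com.sun.xml.wss.impl.callback as I recall them and should be checked against the Metro version in use. The keystore the self-test loads is a constructed, empty PKCS12 file.

```java
package webservice.auth;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

// XWSS callback types (assumed names; verify against your Metro version).
import com.sun.xml.wss.impl.callback.KeyStoreCallback;
import com.sun.xml.wss.impl.callback.PrivateKeyCallback;

// Example handler for sc:KeyStore / sc:TrustStore; not the asker's or Metro's code.
public class KeyStoreHandler implements CallbackHandler {
    private static final Logger LOG = Logger.getLogger(KeyStoreHandler.class.getName());

    // Hypothetical property names: the password stays out of wsit-client.xml.
    static final String PATH_PROP = "app.keystore.path";
    static final String TYPE_PROP = "app.keystore.type";
    static final String PASS_PROP = "app.keystore.password";

    public KeyStoreHandler() {
        // Reached via DefaultCallbackHandler.initNewInstances; one line, no stack trace needed.
        LOG.info("KeyStoreHandler instantiated");
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        // If this line never shows up during a real call, Metro never asked the handler for anything.
        LOG.info("handle() called with " + callbacks.length + " callback(s)");
        for (Callback cb : callbacks) {
            if (cb instanceof KeyStoreCallback) {
                ((KeyStoreCallback) cb).setKeystore(loadKeyStore());
            } else if (cb instanceof PrivateKeyCallback) {
                PrivateKeyCallback pkc = (PrivateKeyCallback) cb;
                pkc.setKey(loadPrivateKey(pkc.getAlias()));
            } else {
                LOG.warning("unsupported callback " + cb.getClass().getName());
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    static KeyStore loadKeyStore() throws IOException {
        String path = System.getProperty(PATH_PROP);
        String type = System.getProperty(TYPE_PROP, KeyStore.getDefaultType());
        char[] pass = System.getProperty(PASS_PROP, "").toCharArray();
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, pass);
            LOG.info("loaded " + type + " keystore " + path + " with " + ks.size() + " entries");
            return ks;
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot load keystore " + path, e);
        }
    }

    static PrivateKey loadPrivateKey(String alias) throws IOException {
        char[] pass = System.getProperty(PASS_PROP, "").toCharArray();
        try {
            return (PrivateKey) loadKeyStore().getKey(alias, pass);
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot load private key for alias " + alias, e);
        }
    }

    // Self-test: exercises the handler outside any web service call.
    public static void main(String[] args) throws Exception {
        // Step 1 of the answer in code: FINE for the XWSS loggers, sent to the console.
        Logger wss = Logger.getLogger("com.sun.xml.wss.logging");
        wss.setLevel(Level.FINE);
        ConsoleHandler console = new ConsoleHandler();
        console.setLevel(Level.FINE);
        wss.addHandler(console);

        // Constructed input: an empty PKCS12 keystore in a temp file.
        Path tmp = Files.createTempFile("client", ".p12");
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        try (OutputStream out = Files.newOutputStream(tmp)) {
            empty.store(out, "changeit".toCharArray());
        }
        System.setProperty(PATH_PROP, tmp.toString());
        System.setProperty(TYPE_PROP, "PKCS12");
        System.setProperty(PASS_PROP, "changeit");

        // Instantiate by class name, as DefaultCallbackHandler does from the policy attribute.
        CallbackHandler h = (CallbackHandler) Class.forName("webservice.auth.KeyStoreHandler")
                .getDeclaredConstructor().newInstance();
        KeyStoreCallback cb = new KeyStoreCallback();
        h.handle(new Callback[] { cb });
        if (cb.getKeystore() == null) {
            throw new AssertionError("handler did not set the keystore");
        }
        System.out.println("handler works when invoked directly");
    }
}
```

If this self-test passes but the "handle() called" line never appears while the real client runs (ideally with -Djavax.net.debug=ssl on the command line, per step 3), the handler itself is not the problem: the policy in effect does not use a client keystore, so DefaultCallbackHandler never needs to ask for one.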

Glen Best

To satisfy some deployment specifications I had to use the callback mechanism for keystore loading

You use keystore callback mechanism to avoid providing cleartext Keystore key/password.

  1. Understand your chosen Security Mechanism, and whether the keystore is used on server/client:

    Keystore is used on the server for these security mechanisms:

    • Username Auth. w/Symmetric Keys
    • Mutual Certs.
    • SAML Auth. over SSL
    • Endorsing Cert.
    • SAML Sender Vouches with Cert.
    • SAML Holder of Key

    Keystore is used on the client for these security mechanisms:

    • Mutual Certs.
    • Transport Sec.
    • Message Auth. over SSL - Username Token
    • Message Auth. over SSL - X.509 Token
    • SAML Auth. over SSL
    • Endorsing Cert.
    • SAML Sender Vouches with Cert.
    • SAML Holder of Key
    • STS Issued Token
    • STS Issued Token with Service Cert.
    • STS Issued Endorsing Token
  2. Understand your app server/container and Java EE version whether Keystore is used:

  3. Understand your client implementation and whether Keystore is used:

Further steps can be added, if further details of your setup/configuration are provided.