Testing Oracle WSM’s Encrypting and Decrypting with SoapUI

As said before, I am currently going through the book ‘Oracle Web Service Manager’. In chapter 5 of this book an example is given of how to configure OWSM to encrypt outgoing and decrypt incoming SOAP messages for a web service. To test this setup a dotNet client is created. In this post I will show you how you can test the setup by using SoapUI instead.
The first step (assuming that SoapUI is already installed) is to create a keystore on the client machine. This keystore must also be used in the OWSM configuration in the example. To create the keystore and necessary key-pair I use Portecle. I created a new keystore (PKCS based) and added a key for ‘pascalalma’ to it. Here is the screenshot with all the necessary info:

In SoapUI I have created a new project based on the WSDL in the example. At the project level I enter the WS-Security parameters and actions that must be performed. Since the gateway expects the SOAP message to be encoded, I have to encode the outgoing message in SoapUI and decode the incoming response message.
Here is the security configuration at project level. First select the keystore to be used by SoapUI:

Then define the outgoing encryption action:

And the last one, define the incoming decryption action:

Now everything at project level is set. The next step is to tell the request it should use these settings. This is a step that took some time for me to discover. But when you click on the ‘Auth’ tab in the request window you can define the actions that must be executed by SoapUI for the request (and response) of the SOAP call. Here you can find the tab:

And here are the parameters set for the security:

Now, this should be it. Actually kind of straightforward… But not in my case. I am using SoapUI 2.5 and when I sent the request I got the following response back:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
         <faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">p:Client.GenericFault</faultcode>
         <faultstring>WS-Security process failure:FAULT CODE: UnsupportedSecurityToken FAULT MESSAGE: An unsupported token was provided</faultstring>

After an extensive search I found out it was a version problem in the SOAP header. OWSM gateway expects an element ‘wsse:Reference’ with attribute
but SoapUI was sending the request with ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v1"
When I knew what caused the error the solution was quickly found here. I downloaded the older version of the WSS4J library (wss4j-1.5.3.jar) and put that in the SoapUI/lib/ directory. I also modified the SoapUI/bin/soapui.bat file so the correct version is loaded by SoapUI. And this time the call worked like a charm. The response I got back now was (decrypted by SoapUI of course):

<soap:Envelope soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <wsse:Security soap:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="asKWwEekHdcXDlFgYL5yP3w22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIICBDCCAW0CBElt0WUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCTkwxETAPBgNVBAoMCHBhbG1hLWl0MRIwEAYDVQQLDAlkZXZlbG9wZXIxEzARBgNVBAMMCnBhc2NhbGFsbWEwHhcNMDkwMTE0MTE0OTU3WhcNMDkwNzEzMTE0OTU3WjBJMQswCQYDVQQGEwJOTDERMA8GA1UECgwIcGFsbWEtaXQxEjAQBgNVBAsMCWRldmVsb3BlcjETMBEGA1UEAwwKcGFzY2FsYWxtYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApSBk3VobSFPMBuzkWpHvVsQLxWcICzOXWuhescOPqgvkQRfBl6g99v/O+73l0eJjrS/ayUf9fNs/VpUWrgHJ2AMD2/tRKrjfOV9YpG9HcupGB74ygpJ4lDy9VY6KxDDnNF0G6q1oJEZWhHkfupTZIZh70DzRVXqrzf6WqXOzd7MCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAGJAPB24oqfBSlUXXBg/krsKKKPKgpxKV5mpoSf+G9WVjIgK1lplURht2Wyecze91MKhQONMqecHqyIorzXmnO0DWa+ND7exDjcGw+tsagVrxIr1FG85QzJqic+l/uX2+8c5a5m85+o0qPLQeKAwc8DWuANJXIh7/Fy76H7CAMvg==</wsse:BinarySecurityToken>
         <xenc:EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
               <wsse:SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                  <wsse:Reference URI="#asKWwEekHdcXDlFgYL5yP3w22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               <xenc:DataReference URI="#_o8iRaqZLI6bBw6wR009kLQ22"/>
      <n:getTimeResponse xmlns:n="urn:Test:GetTime">
         <result xsi:type="xsd:string">12:23 PM</result>
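
To spot the ValueType mismatch described above before sending a request, the outgoing message can be checked offline. The following is an added example, not code from the original post or from OWSM/SoapUI: the function names and the sample message are constructed for illustration, and it assumes the gateway accepts the `#X509v3` ValueType that appears in its own response above.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#"
# Assumption: the gateway accepts the ValueType it emits in its own response.
EXPECTED = X509_PROFILE + "X509v3"


def check_token_references(soap_xml, expected=EXPECTED):
    """Return a list of findings about wsse:Reference ValueTypes in a message."""
    root = ET.fromstring(soap_xml)
    # Map wsu:Id -> ValueType for every BinarySecurityToken in the message.
    tokens = {t.get(f"{{{WSU}}}Id"): t.get("ValueType")
              for t in root.iter(f"{{{WSSE}}}BinarySecurityToken")}
    findings = []
    for str_el in root.iter(f"{{{WSSE}}}SecurityTokenReference"):
        for ref in str_el.findall(f"{{{WSSE}}}Reference"):
            uri, vtype = ref.get("URI", ""), ref.get("ValueType")
            if vtype != expected:
                findings.append(f"Reference {uri}: ValueType {vtype!r} is not {expected!r}")
            target = uri[1:] if uri.startswith("#") else uri
            if target not in tokens:
                findings.append(f"Reference {uri}: no BinarySecurityToken with that wsu:Id")
            elif tokens[target] != vtype:
                findings.append(f"Reference {uri}: differs from token's {tokens[target]!r}")
    return findings


def sample(ref_type):
    # Constructed message: the token body and ids are placeholders, not real data.
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:xenc="{XENC}"
 xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
 <soap:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="tok-1" ValueType="{EXPECTED}">AAAA</wsse:BinarySecurityToken>
  <xenc:EncryptedKey><dsig:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#tok-1" ValueType="{X509_PROFILE}{ref_type}"/>
  </wsse:SecurityTokenReference></dsig:KeyInfo></xenc:EncryptedKey>
 </wsse:Security></soap:Header><soap:Body/>
</soap:Envelope>"""


if __name__ == "__main__":
    for kind in ("X509v1", "X509v3"):
        print(kind, check_token_references(sample(kind)) or "OK")
```

Feed it the raw request XML captured from SoapUI; an empty list means every `wsse:Reference` carries the expected ValueType and agrees with the token it points to.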

About Pascal Alma

Pascal is a senior IT consultant and has been working in IT since 1997. He is monitoring the latest development in new technologies (Mobile, Cloud, Big Data) closely and is particularly interested in Java open source tool stacks, cloud related technologies like AWS and mobile development like building iOS apps with Swift. Specialties: Java/JEE/Spring, Amazon AWS, API/REST, Big Data, Continuous Delivery, Swift/iOS