WSIT-1624

SEVERE: WSS0222: Unable to locate matching private key for 14478695720124859712

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.2
    • Fix Version/s: None
    • Component/s: wsit-runtime
    • Labels:
      None
    • Environment:

      Tomcat 7.0.27

      Description

      1. Client to STS, STS-Client call is fine. When the Client sends a request to the service, it throws the following exception.
      2. Keystore information
      Client keystore: added both service and STS certificates
      Service: added STS certificate
      STS: added service certificate

      Apr 26, 2012 4:35:32 PM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getPrivateKey
      SEVERE: WSS0222: Unable to locate matching private key for 14478695720124859712:E=xxxx@xxxx.xxxx,CN=servicecn,OU=SCT,O=XXX,L=reading,S=massachusetts,C=US using CallbackHandler.
      Apr 26, 2012 4:35:32 PM com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor processX509IssuerSerial
      SEVERE: WSS1816: Error occurred while resolving Issuer Serial
      javax.xml.crypto.KeySelectorException: com.sun.xml.wss.XWSSecurityException: No Matching private key for serial number 14478695720124859712 and issuer name E=xxxx@xxxx.xxxx,CN=servicecn,OU=SCT,O=XXX,L=reading,S=massachusetts,C=US found
      at com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial(KeySelectorImpl.java:412)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.processX509IssuerSerial(SecurityTokenProcessor.java:369)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.processX509Data(SecurityTokenProcessor.java:292)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.resolveReference(SecurityTokenProcessor.java:161)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processKeyInfo(KeyInfoProcessor.java:152)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(KeyInfoProcessor.java:132)
      at com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.process(EncryptedKey.java:208)
      at com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.<init>(EncryptedKey.java:131)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processKeyInfo(KeyInfoProcessor.java:157)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(KeyInfoProcessor.java:132)
      at com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.process(EncryptedData.java:156)
      at com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.<init>(EncryptedData.java:113)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:458)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:291)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:241)
      at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:450)
      at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
      at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:717)
      at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:418)
      at com.sun.xml.ws.server.WSEndpointImpl.processAsync(WSEndpointImpl.java:364)
      at com.sun.xml.ws.server.WSEndpointImpl.process(WSEndpointImpl.java:370)
      at com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:519)
      at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:206)
      at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)
      at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194)
      at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
      at java.lang.Thread.run(Thread.java:662)
      Caused by: com.sun.xml.wss.XWSSecurityException: No Matching private key for serial number 14478695720124859712 and issuer name E=xxxx@xxxx.xxxx,CN=servicecn,OU=SCT,O=XXX,L=reading,S=massachusetts,C=US found
      at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getPrivateKey(DefaultSecurityEnvironmentImpl.java:644)
      at com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial(KeySelectorImpl.java:392)
      ... 46 more
      Apr 26, 2012 4:35:32 PM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
      SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
      com.sun.xml.wss.XWSSecurityException: WSS1816: Error occurred while resolving Issuer Serial
      at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.processX509IssuerSerial(SecurityTokenProcessor.java:374)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.processX509Data(SecurityTokenProcessor.java:292)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.resolveReference(SecurityTokenProcessor.java:161)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processKeyInfo(KeyInfoProcessor.java:152)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(KeyInfoProcessor.java:132)
      at com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.process(EncryptedKey.java:208)
      at com.sun.xml.ws.security.opt.impl.incoming.EncryptedKey.<init>(EncryptedKey.java:131)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.processKeyInfo(KeyInfoProcessor.java:157)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.KeyInfoProcessor.getKey(KeyInfoProcessor.java:132)
      at com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.process(EncryptedData.java:156)
      at com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.<init>(EncryptedData.java:113)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:458)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:291)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:241)
      at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:450)
      at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
      at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:717)
      at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:418)
      at com.sun.xml.ws.server.WSEndpointImpl.processAsync(WSEndpointImpl.java:364)
      at com.sun.xml.ws.server.WSEndpointImpl.process(WSEndpointImpl.java:370)
      at com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:519)
      at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:206)
      at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)
      at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194)
      at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
      at java.lang.Thread.run(Thread.java:662)
      Caused by: javax.xml.crypto.KeySelectorException: com.sun.xml.wss.XWSSecurityException: No Matching private key for serial number 14478695720124859712 and issuer name E=xxxx@xxxx.xxxx,CN=servicecn,OU=SCT,O=XXX,L=reading,S=massachusetts,C=US found
      at com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial(KeySelectorImpl.java:412)
      at com.sun.xml.ws.security.opt.impl.incoming.processor.SecurityTokenProcessor.processX509IssuerSerial(SecurityTokenProcessor.java:369)
      ... 45 more
      Caused by: com.sun.xml.wss.XWSSecurityException: No Matching private key for serial number 14478695720124859712 and issuer name E=xxxx@xxxx.xxxx,CN=servicecn,OU=SCT,O=XXX,L=reading,S=massachusetts,C=US found
      at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getPrivateKey(DefaultSecurityEnvironmentImpl.java:644)
      at com.sun.xml.ws.security.opt.impl.incoming.KeySelectorImpl.resolveIssuerSerial(KeySelectorImpl.java:392)
      ... 46 more

      1. adfs_encryption_cert.cer
        0.7 kB
        gchoi
      2. clientKeystoreContent.txt
        3 kB
        gchoi
      3. clientstore.jks
        4 kB
        gchoi
      4. DoubleIt.wsdl
        9 kB
        gchoi
      5. DoubleIt.xml
        4 kB
        gchoi
      6. DoubleItSTSService.xml
        6 kB
        gchoi
      7. serviceKeystoreContent.txt
        2 kB
        gchoi
      8. servicestore.jks
        3 kB
        gchoi
      9. WSIT-1624-request-response-message.txt
        45 kB
        gchoi
      10. wsit-client.xml
        0.5 kB
        gchoi
      1. ADFS_screenshot.png
        71 kB

        Activity

        kumarjayanti added a comment -

        Can you relate to the following Serial Number and Issuer Name:

        serial number 14478695720124859712 and issuer name E=xxxx@xxxx.xxxx,CN=servicecn,OU=SCT,O=XXX,L=reading,S=massachusetts,C=US

        Is it not part of your project stores at all?

        If it is part of your project, then does it correspond to alias "myservicekey" in the client store (clientstore.jks)?

        Can you make sure, by listing keytool -list -v -keystore servicestore.jks, that there is a private key entry in the store with this issuer name and serial number?

        Nithya Ramakrishnan added a comment -

        Could you please attach the request and response messages as well? It will help us better.

        gchoi added a comment - edited

        Hi Kumar,

        I attached the following files for you.
        1. adfs_encryption_cert.cer - This is the encryption certificate exported from ADFS.
        2. clientKeystoreContent.txt - I listed the content of the client keystore.
        3. serviceKeystoreContent.txt - I listed the content of the service keystore.
        4. clientstore.jks
        5. servicestore.jks

        >Can you relate to the following Serial Number and Issuer Name :
        >serial number 14478695720124859712 and issuer name >E=xxxx@xxxx.xxxx,CN=servicecn,OU=SCT,O=XXX,L=reading,S=massachusetts,C=US

        I converted the serial number for the service private key entry from hex c8eea90bc902c540 to decimal 14478695720124860000. I assume the serial number is hex. I can't relate anything to 14478695720124859712.

        >Is it not part of your project stores at all?
        It is part of my project, but the serial number is different. Please see the attached clientKeystoreContent.txt.

        Thanks.
        Gina

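        Added example (not Metro/WSIT code and not from the reporter) covering the two checks discussed in the comments above: converting the hex serial that keytool prints to the decimal form that XML-DSig's X509SerialNumber uses, and looking for a PrivateKeyEntry whose issuer and serial match the X509IssuerSerial reference the STS put in its response. The <ds:KeyInfo> fragment and the keytool -list -v output are constructed from the values quoted in this issue; the alias myservicekey, the self-signed service certificate and the second trusted entry are assumptions. The conversion uses Python's exact integers, and serial_rounded_to shows what a calculator limited to 16 significant digits displays for the same hex value.

```python
"""Cross-check a WS-Security X509IssuerSerial reference against a JKS listing.

Added example for WSIT-1624; not Metro/WSIT code. The XML fragment and the
keytool output below are constructed from values quoted in the issue, and the
alias/entry layout of the service keystore is an assumption.
"""
import re
import xml.etree.ElementTree as ET  # use defusedxml for real, untrusted SOAP traffic
from decimal import Decimal

DS = "http://www.w3.org/2000/09/xmldsig#"
ISSUER_FROM_LOG = "E=xxxx@xxxx.xxxx,CN=servicecn,OU=SCT,O=XXX,L=reading,S=massachusetts,C=US"

# Constructed: the <ds:KeyInfo> shape an STS puts in the EncryptedKey of its response,
# filled with the issuer name and serial printed in WSS0222 / WSS1816.
KEYINFO_XML = f"""<ds:KeyInfo xmlns:ds="{DS}">
  <ds:X509Data><ds:X509IssuerSerial>
    <ds:X509IssuerName>{ISSUER_FROM_LOG}</ds:X509IssuerName>
    <ds:X509SerialNumber>14478695720124859712</ds:X509SerialNumber>
  </ds:X509IssuerSerial></ds:X509Data>
</ds:KeyInfo>"""

# Constructed: what `keytool -list -v -keystore servicestore.jks` prints for a
# self-signed service key (hex serial as quoted by the reporter) plus one trusted cert.
# keytool renders the e-mail and state RDNs as EMAILADDRESS= and ST=.
KEYTOOL_LISTING = """\
Alias name: myservicekey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=xxxx@xxxx.xxxx, CN=servicecn, OU=SCT, O=XXX, L=reading, ST=massachusetts, C=US
Issuer: EMAILADDRESS=xxxx@xxxx.xxxx, CN=servicecn, OU=SCT, O=XXX, L=reading, ST=massachusetts, C=US
Serial number: c8eea90bc902c540
*******************************************
Alias name: sts
Entry type: trustedCertEntry
Owner: CN=sts-encryption
Issuer: CN=sts-encryption
Serial number: 1a2b3c4d
*******************************************
"""

# keytool prints serials in hex; XML-DSig's X509SerialNumber is decimal. Python ints are
# exact, so no digits are lost in the conversion.
def hex_serial_to_int(hex_serial: str) -> int:
    return int(hex_serial.replace(":", "").replace(" ", ""), 16)

# What a calculator limited to `digits` significant figures shows for the same serial:
# the low-order digits are rounded away, so the displayed value differs from the exact one.
def serial_rounded_to(hex_serial: str, digits: int = 16) -> int:
    return int(Decimal(f"{hex_serial_to_int(hex_serial):.{digits}g}"))

# Different toolchains spell the same RDN types differently (E= vs EMAILADDRESS=,
# S= vs ST=) and differ in spacing and case, so compare DNs attribute by attribute.
# Escaped commas inside values are not handled; none appear in this issue's DNs.
_RDN_ALIASES = {"E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS", "S": "ST"}

def normalize_dn(dn: str) -> tuple:
    rdns = []
    for part in re.split(r"\s*,\s*", dn.strip()):
        attr, _, value = part.partition("=")
        attr = attr.strip().upper()
        rdns.append((_RDN_ALIASES.get(attr, attr), value.strip().lower()))
    return tuple(rdns)

def parse_issuer_serial(keyinfo_xml: str) -> tuple:
    root = ET.fromstring(keyinfo_xml)
    name = root.findtext(f".//{{{DS}}}X509IssuerName")
    serial = root.findtext(f".//{{{DS}}}X509SerialNumber")
    return name.strip(), int(serial.strip())

def parse_keytool_listing(text: str) -> list:
    entries = []
    for chunk in re.split(r"^\*+\s*$", text, flags=re.M):
        fields = {}
        for key, value in re.findall(r"^([A-Za-z ]+?):\s*(.*)$", chunk, re.M):
            fields.setdefault(key, value)  # first occurrence wins: Certificate[1] is the end-entity cert
        if "Alias name" in fields:
            entries.append({"alias": fields["Alias name"], "type": fields["Entry type"],
                            "issuer": fields["Issuer"],
                            "serial": hex_serial_to_int(fields["Serial number"])})
    return entries

# The check asked for in the thread: is there a PrivateKeyEntry whose issuer and serial
# match the reference the STS put in the message? Returns the matching aliases.
def matching_private_keys(listing: str, issuer: str, serial: int) -> list:
    want = normalize_dn(issuer)
    return [e["alias"] for e in parse_keytool_listing(listing)
            if e["type"] == "PrivateKeyEntry" and e["serial"] == serial
            and normalize_dn(e["issuer"]) == want]

if __name__ == "__main__":
    issuer, serial = parse_issuer_serial(KEYINFO_XML)
    print("exact  :", hex_serial_to_int("c8eea90bc902c540"))
    print("rounded:", serial_rounded_to("c8eea90bc902c540"))
    print("aliases:", matching_private_keys(KEYTOOL_LISTING, issuer, serial))
```

        Two caveats worth keeping when running this against a real store: the X509IssuerName string in the message and the Issuer line keytool prints are renderings of the same DN by different toolchains, so normalize_dn compares attribute by attribute rather than string by string; and ElementTree should be swapped for defusedxml when the input is captured SOAP traffic rather than a constructed fragment.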
        gchoi added a comment -

        Hi Nithya,

        I have attached the full message trace. This includes the client request to ADFS and the ADFS response to the client, and the client request to the service provider and the service provider response to the client. Please see the attached WSIT-1624-request-response-message.txt.

        Thanks.

        Gina

        gchoi added a comment - edited

        Kumar and Nithya,

        Following is the request from the Metro client to ADFS 2.0. I just don't understand why Metro is converting my SAML 2.0 request to SAML 1.0.

        <S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
        <S:Header>

        And following is part of my web service WSDL file. As you can see, I configured it to accept SAML 2.0.

        <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <sp:RequestSecurityTokenTemplate>
        <t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
        <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
        <t:KeySize>256</t:KeySize>
        </sp:RequestSecurityTokenTemplate>
        <wsp:Policy>
        <sp:RequireInternalReference/>
        </wsp:Policy>

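        Added example (not Metro code) for telling which SAML version a WS-Trust exchange actually carries, as opposed to which namespace prefixes a message declares: it reads wst:TokenType from the RequestSecurityToken, reads the namespace of the Assertion element inside the RequestSecurityTokenResponse, and lists the namespaces a message declares next to the ones its elements use. Both messages are constructed skeletons with headers and signatures omitted, not the trace attached to this issue.

```python
"""Which SAML version does a WS-Trust exchange ask for and return?

Added example for WSIT-1624, not Metro code. RST and RSTR below are constructed
skeletons (no headers, no signatures); the namespace URIs are the standard ones.
"""
import io
import xml.etree.ElementTree as ET  # use defusedxml for real, untrusted SOAP traffic

S12 = "http://www.w3.org/2003/05/soap-envelope"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed RST: the SAML 1.0 namespace is declared on the envelope, but no element
# uses it; the TokenType requested in the body is SAML 2.0.
RST = f"""<S:Envelope xmlns:S="{S12}" xmlns:saml="{SAML1}">
  <S:Body>
    <t:RequestSecurityToken xmlns:t="{WST}">
      <t:RequestType>{WST}/Issue</t:RequestType>
      <t:TokenType>{SAML2}</t:TokenType>
      <t:KeyType>{WST}/SymmetricKey</t:KeyType>
      <t:KeySize>256</t:KeySize>
    </t:RequestSecurityToken>
  </S:Body>
</S:Envelope>"""

# Constructed RSTR carrying a SAML 2.0 assertion (assertion contents omitted).
RSTR = f"""<S:Envelope xmlns:S="{S12}">
  <S:Body>
    <t:RequestSecurityTokenResponseCollection xmlns:t="{WST}">
      <t:RequestSecurityTokenResponse>
        <t:TokenType>{SAML2}</t:TokenType>
        <t:RequestedSecurityToken>
          <saml:Assertion xmlns:saml="{SAML2}" ID="_assertion1" Version="2.0"/>
        </t:RequestedSecurityToken>
      </t:RequestSecurityTokenResponse>
    </t:RequestSecurityTokenResponseCollection>
  </S:Body>
</S:Envelope>"""

def declared_namespaces(xml: str) -> set:
    """Namespace URIs bound by xmlns declarations anywhere in the document."""
    return {uri for _, (_, uri) in ET.iterparse(io.BytesIO(xml.encode()), events=("start-ns",))}

def used_namespaces(xml: str) -> set:
    """Namespace URIs that at least one element actually belongs to."""
    return {el.tag.split("}")[0][1:] for el in ET.fromstring(xml).iter() if el.tag.startswith("{")}

def requested_token_type(rst_xml: str) -> str:
    """The wst:TokenType in the RST body is what the client asked the STS for."""
    tt = ET.fromstring(rst_xml).findtext(f".//{{{WST}}}RequestSecurityToken/{{{WST}}}TokenType")
    return (tt or "").strip()

def returned_assertion_version(rstr_xml: str) -> str:
    """The namespace of the Assertion element, not any prefix name, fixes the SAML version."""
    root = ET.fromstring(rstr_xml)
    if root.find(f".//{{{SAML2}}}Assertion") is not None:
        return "2.0"
    a1 = root.find(f".//{{{SAML1}}}Assertion")
    if a1 is not None:
        return f"1.{a1.get('MinorVersion', '?')}"  # SAML 1.x carries Major/MinorVersion attributes
    return "none"

if __name__ == "__main__":
    print("requested:", requested_token_type(RST))
    print("returned :", returned_assertion_version(RSTR))
    print("declared but unused in RST:", declared_namespaces(RST) - used_namespaces(RST))
```

        Run against a captured exchange, the pair of values to compare is requested_token_type of the RST and returned_assertion_version of the RSTR; an unused xmlns declaration on the envelope shows up only in the declared-minus-used set.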
        Nithya Ramakrishnan added a comment -

        As mentioned in issue 1625, this is not an issue with SAML tokentype conversion. From what we understand, it appears that the RP certificate configured with STS seems incorrect and that's why this error is happening. Can you please double-check the ADFS STS configuration?

        gchoi added a comment -

        I don't know what else I need to do on the STS side. In ADFS, adding a certificate is very straightforward. It is done using the GUI. I have attached a screenshot of my Relying Party encryption key configuration. Please see ADFS_screenshot.png. I have attached all the documents that I can. The key issue is the X509SerialNumber inside the STS response token. Could you tell me how the STS gets this number?

        Nithya Ramakrishnan added a comment -

        Lowering the priority of the issue, since it is specific to the test case (ADFS) and analysis does not show an issue with Metro security


          People

          • Assignee:
            Nithya Ramakrishnan
            Reporter:
            gchoi
          • Votes:
            0
            Watchers:
            0

            Dates

            • Created:
              Updated: