Signing Error on Mendelson AS4

Hi All,

We have a situation where we get the below error, but I am not sure why it is saying Failed Authentication, as we are not using any username or password.
I have checked with the certificates and they are OK. One interesting thing was the line which says SIG_KEY_INFO should contain only one child. Other live partners are able to use the same signature and keyinfo format with no issues.

My KeyInfo looks like below:

xxxx certificate value xxxxx

Actual Error:

The signature in the Security header intended for the "ebms" SOAP actor, could not be validated by the Security module.
BSP:R5402: Any SIG_KEY_INFO MUST contain exactly one child element

Any help on this is much appreciated.

Best Regards,
Harish S S

Comments

Hello,

Thank you for the feedback. Please contact us at service@mendelson.de to discuss this issue. As this is a functionality of the underlying wss4j (web service security for java), it might be automatically fixed in the current version, as we updated this lib.

Regards

Hello,

OK, I figured out the meaning. For this kind of error, please always have a look at

http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html

The "BSP:R5402" part of the error message means: Basic Security Profile Issue R5402. In this case, this is:

--
9.8 KeyInfo
9.8.1 Exactly One KeyInfo Child Element
R5402 Any SIG_KEY_INFO MUST contain exactly one child element.
--

This means, for example, that the error
"BSP:R5417: Any SIG_KEY_INFO MUST contain a SECURITY_TOKEN_REFERENCE child element"

would refer to the section "R5417", which is:

--
9.8.2 SecurityTokenReference Mandatory

The ds:KeyInfo element allows for many different child elements. The Profile mandates a single element, wsse:SecurityTokenReference, which is needed to reference security tokens.

R5417 Any SIG_KEY_INFO MUST contain a SECURITY_TOKEN_REFERENCE child element.

For example,

CORRECT:

<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#' >
  <wsse:SecurityTokenReference>
    <wsse:Reference URI='#SomeCert'
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-prof…" />
  </wsse:SecurityTokenReference>
</ds:KeyInfo>

--

This means your partner has to implement the BasicSecurityProfile-1.1 in a proper way, and then it should work.

Regards
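
Added example, not part of the original thread and not mendelson or wss4j code: a small Python check that applies the two rules quoted above (R5402 and R5417) to the ds:KeyInfo of a captured Security header, so a sender can test a message before transmitting it. The function name and both sample fragments are constructed for illustration; the BAD fragment assumes a KeyInfo that carries both ds:X509Data and ds:KeyValue.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
STR_TAG = f"{{{WSSE}}}SecurityTokenReference"


def check_sig_key_info(xml_text):
    """Return (rule, detail) findings for each ds:KeyInfo directly under ds:Signature."""
    findings = []
    # Intended for a message you captured yourself. Iterating an element
    # yields only child elements, so comments and whitespace are not counted.
    root = ET.fromstring(xml_text)
    for sig in root.iter(f"{{{DS}}}Signature"):
        key_info = sig.find(f"{{{DS}}}KeyInfo")  # direct child only
        if key_info is None:
            continue
        children = [child.tag.split("}")[-1] for child in key_info]
        if len(children) != 1:
            findings.append(("R5402", f"{len(children)} children: {children}"))
        if key_info.find(STR_TAG) is None:
            findings.append(("R5417", "no wsse:SecurityTokenReference child"))
    return findings


# Constructed sample fragments (content shortened, no real key material).
BAD = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:ds="{DS}">
  <ds:Signature>
    <ds:KeyInfo>
      <ds:X509Data><ds:X509Certificate>xxxx</ds:X509Certificate></ds:X509Data>
      <ds:KeyValue><ds:RSAKeyValue/></ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>"""

GOOD = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:ds="{DS}">
  <ds:Signature>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#SomeCert"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>"""

if __name__ == "__main__":
    for name, doc in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_sig_key_info(doc) or "conforms to R5402 and R5417")
```

An empty result only means these two rules pass; it does not verify the signature itself or any other Basic Security Profile requirement.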