Signing Error on Mendelson AS4

Hi All,

We have a situation where we get the below error, but I am not sure why it is saying Failed Authentication, as we are not using any username or password.
I have checked the certificates and they are OK. One interesting thing was the line which says SIG_KEY_INFO should contain only one child. Other live partners are able to use the same signature and keyinfo format with no issues.

My Key info looks like below:

xxxx certificate value xxxxx

Actual Error :

The signature in the Security header intended for the "ebms" SOAP actor, could not be validated by the Security module.
BSP:R5402: Any SIG_KEY_INFO MUST contain exactly one child element

Any help on this is much appreciated.

Best Regards,
Harish S S

Comments

Hello,

Thank you for the feedback. Please contact us at service@mendelson.de to discuss this issue. As this is a functionality of the underlying wss4j (web service security for java) it might be automatically fixed in the current version as we updated this lib.

Regards

Hello,

OK, I figured out the meaning. For these kinds of errors please always have a look at

http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html

The "BSP:R5402" part of the error message means: Basic Security Profile Issue R5402. This is in this case:

--
9.8 KeyInfo
9.8.1 Exactly One KeyInfo Child Element
R5402 Any SIG_KEY_INFO MUST contain exactly one child element.
--

This means, for example, that the error
"BSP:R5417: Any SIG_KEY_INFO MUST contain a SECURITY_TOKEN_REFERENCE child element"

would refer to the section "R5417" which is:

--
9.8.2 SecurityTokenReference Mandatory

The ds:KeyInfo element allows for many different child elements. The Profile mandates a single element, wsse:SecurityTokenReference, which is needed to reference security tokens.

R5417 Any SIG_KEY_INFO MUST contain a SECURITY_TOKEN_REFERENCE child element.

For example,

CORRECT:

<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#' >
  <wsse:SecurityTokenReference>
    <wsse:Reference URI='#SomeCert'
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-prof…" />
  </wsse:SecurityTokenReference>
</ds:KeyInfo>

--

This means your partner has to implement the BasicSecurityProfile-1.1 in a proper way and then it should work.

Regards
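
A small diagnostic for the two rules quoted above, as an added example that is not part of the original thread and is not mendelson or wss4j code: it parses a captured message and reports R5402 and R5417 violations for each ds:KeyInfo that sits directly under a ds:Signature. The function name and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
STR_TAG = f"{{{WSSE}}}SecurityTokenReference"


def check_sig_key_info(xml_text):
    """Return (rule, message) pairs for each ds:Signature/ds:KeyInfo violation.

    Meant for a captured message under diagnosis; ElementTree is not
    hardened against hostile XML.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for sig in root.iter(f"{{{DS}}}Signature"):
        # SIG_KEY_INFO is the KeyInfo that is a direct child of ds:Signature.
        for key_info in sig.findall(f"{{{DS}}}KeyInfo"):
            children = [c for c in key_info if isinstance(c.tag, str)]
            names = [c.tag.rsplit("}", 1)[-1] for c in children]
            if len(children) != 1:
                findings.append(("R5402", f"{len(children)} child elements: {names}"))
            if not any(c.tag == STR_TAG for c in children):
                findings.append(("R5417", f"no wsse:SecurityTokenReference in {names}"))
    return findings


# Constructed samples (not taken from the thread).
NS_DECL = f'xmlns:ds="{DS}" xmlns:wsse="{WSSE}"'
BAD = f"""<ds:Signature {NS_DECL}><ds:KeyInfo>
  <ds:X509Data><ds:X509Certificate>CONSTRUCTED</ds:X509Certificate></ds:X509Data>
  <ds:KeyValue><ds:RSAKeyValue/></ds:KeyValue>
</ds:KeyInfo></ds:Signature>"""
GOOD = f"""<ds:Signature {NS_DECL}><ds:KeyInfo>
  <wsse:SecurityTokenReference><wsse:Reference URI="#SomeCert"/></wsse:SecurityTokenReference>
</ds:KeyInfo></ds:Signature>"""

if __name__ == "__main__":
    for label, doc in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check_sig_key_info(doc) or "conforms to R5402/R5417")
```

A KeyInfo holding a single ds:X509Data element passes R5402 but is still reported under R5417, which is why both rules are checked separately.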