I need to build a web-service client application using Axis 1.4 that will access a third-party system (web service producer).

In order to send a valid request to the third-party system, I need to encrypt and sign the SOAP request before sending it to them.

I use wss4j 1.5 for this task, following the steps in this link: Calling an OWSM protected service with Axis 1.4 and WSS4J

What I understand is that:

1- To encrypt the SOAP request I need to use the third party's public key, and they will decrypt it using their own private key.

2- To sign the SOAP request I need to use my own private key, and they should verify the signature using my public key, which I need to share with them.

I did that, but I am receiving the error

  faultString: Did not understand "MustUnderstand" header(s)

from the third party's end. After checking with the third-party team, they said:

"We use “Username authentication with symmetric key”, so we do not maintain any client certificates at our trust store. There is a single shared key used for both signing and encryption. Hence you need to do signing and encryption using our certificate."

This response does not make sense to me. I understand that I need to use the third party's certificate (i.e. public key) to encrypt the SOAP request.

But how can I use the same public key - which is the only certificate shared by them - to sign the SOAP request?

I believe I need a private key in order to do that.

Do I need their private key to do that? Any clarification will be helpful.

Rookie007
Salman
  • Since they said they don't maintain your certificates, get a key from them and encrypt the request with that. – Rookie007 Jun 25 '15 at 08:50
  • @primitiveType I did ask them for the key file again. But no luck, they are still insisting that I do not need any file other than their public certificate. At this point I want to know who is mistaken? Where is the misunderstanding? Do I really need their private key? – Salman Jun 28 '15 at 07:04

0 Answers