Patrick-Dussault

Tech Tip : CA Single Sign-On : Protecting my SOAP Resource with WS-Security, I get the error Signature-0 was not accepted

Discussion created by Patrick-Dussault Employee on Nov 11, 2016

Issue:

 

  I configure the WSS service to handle WS-Security envelopes. When protecting
  the SOAP resource /myservice/services/OpenSecWebService/serviceWSS, the
  service fails, and I'd like to know what the following error means:

 

  Trying to resolve id: #id-6B4F79D3E5B3A12A5E147248702585410
  Found nodeElem http://schemas.xmlsoap.org/soap/envelope/:Body
  Check if Timestamp covered by header or Envelope? signedElem=4signatureType=-124
  SM_WSC_00629 - Unspecified acceptance error.
  SM_WSC_00624 - Signature-0 was not accepted.
  SM_WSC_00909 - Failed to validate signature
  dispatch request failed.
Environment:
WSS Agent 12.52SP1CR04 64bit on Apache 2.4 on RedHat 6 64bit; Policy Server 12.52SP1CR04 on RedHat 6 64bit;
Cause:

 

  In the XML Signature Restrictions pane, you need to select :

 

  Must Cover Body of Message
  Require Signature over wsu:Timestamp Element

 

  as per documentation :

 

  "If the authentication scheme is configured to require the
  timestamp element, the digital signature must cover that timestamp."

 

  https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-services-security-wss-configuration/configure-authentication-schemes-to-verify-user-identities-obtained-from-web-service-requests/ws-security-authentication-introduced
Resolution:

 

  Configure the SOAP signature restrictions in the pane

    "XML Signature Restrictions"

  by selecting these options:

    Must Cover Body of Message
    Require Signature over wsu:Timestamp Element

  This solves the issue.
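
To see which elements a client's signature actually covers before comparing it with the two restrictions above, the following added example (not CA code and not from the original post) resolves each ds:Reference URI in the WS-Security header to its wsu:Id target. It assumes a SOAP 1.1 envelope with same-document "#id" references; the sample message and its Ids are constructed, and no digest or signature value is verified.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
REF_PATH = "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"

def signature_coverage(envelope_xml):
    """Structural check only: which of Body / Timestamp do the references point at?"""
    root = ET.fromstring(envelope_xml)
    # Index every element that carries a wsu:Id attribute.
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    signed = set()
    for ref in root.findall(REF_PATH, NS):
        uri = ref.get("URI", "")
        # Only same-document references of the form "#some-id" are resolved.
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is not None:
            signed.add(target.tag)
    return {
        "body": "{%s}Body" % NS["soap"] in signed,
        "timestamp": "{%s}Timestamp" % NS["wsu"] in signed,
    }

def sample_envelope(sign_timestamp):
    # Constructed sample: Ids are made up; digests and SignatureValue are omitted.
    refs = '<ds:Reference URI="#body-1"/>'
    if sign_timestamp:
        refs += '<ds:Reference URI="#ts-1"/>'
    return (
        '<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" '
        'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s"><soap:Header><wsse:Security>'
        '<wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2016-11-11T10:00:00Z</wsu:Created>'
        '</wsu:Timestamp><ds:Signature><ds:SignedInfo>' % NS
        + refs +
        '</ds:SignedInfo></ds:Signature></wsse:Security></soap:Header>'
        '<soap:Body wsu:Id="body-1"><ping/></soap:Body></soap:Envelope>'
    )

if __name__ == "__main__":
    print("body only      :", signature_coverage(sample_envelope(False)))
    print("body+timestamp :", signature_coverage(sample_envelope(True)))
```

A message that reports "timestamp": False while the authentication scheme requires the timestamp is the situation the quoted documentation describes: the digital signature must cover that timestamp.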
Additional Information:

 

N/A

 

KB : TEC1691635
