I'm hoping someone can help with this security issue around a new SOAP service we are trying to test. The soap env header looks like this:
The wsse Password and Nonce elements need to be encoded and sent down with the wsu:Created timestamp.
I've so far been unable to achieve this using vugen. I've imported a pcap file to get the semblance of my web_custom_request. If I re-use values already captured in wireshark, I get at least as far as the service detecting that it is a replay attack.
This is the best link I can get on the security information.
I cannot be the first person to have tried to do this in vugen. Anyone implemented similar?
Thanks for reaching Microfocus technical support,
I understand you are facing an issue with the SOAP wsse security, but I am not sure what problem you are trying to overcome with VuGen. Is there any error log in VuGen that you can provide us?
I recommend that you enable full extended logs and upload them here so that we can better understand what is missing, and also specify which protocol and version you are using.
I will be attentive to your response here,
Thank you, Jose.
Really, what we are wondering is whether there is a straightforward way to implement wsse authentication using the built-in security configuration in web services. Or do we have to develop a framework ourselves to create the necessary hashed values here?
Many thanks for posting this KB article.
We are still tied to 12.53 Patch 4 of VuGen. When I wanted to include this script, I needed to install two Microsoft updates (Microsoft WSE 2.0 SP3 and Microsoft WSE 3.0). After installing these, I need to run VuGen as administrator to avoid it crashing. All good fun! However, in 12.53, the Nonce tag was missing the encoding type, and I could find no way of adding it in (even though it is mentioned in that stylesheet, so not quite sure what was going on there).
After some more searching in the Micro Focus documentation, I noted the nonce stuff referenced under the 12.60 documentation. I had another installation on a different machine at 12.60, where the encoding type is added to the nonce tag by default. I had a little bit of fiddling about with the parameters in the web_service_set_security block, but got to the point of getting a response from my service after some time.
Many thanks for posting this solution!
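For reference, the "hashed values" discussed in this thread, as an added example that is not from any poster or from VuGen: it assumes the service uses the PasswordDigest scheme of the OASIS UsernameToken Profile 1.0, where the digest is Base64(SHA-1(nonce + created + password)). `ServiceCheck`, the five-minute window and the sample credentials are constructed stand-ins that show why re-sending captured Nonce/Created values is rejected as a replay.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE_NS = OASIS + "wssecurity-secext-1.0.xsd"
WSU_NS = OASIS + "wssecurity-utility-1.0.xsd"
DIGEST_TYPE = OASIS + "username-token-profile-1.0#PasswordDigest"
B64_TYPE = OASIS + "soap-message-security-1.0#Base64Binary"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Base64(SHA-1(nonce + created + password)); nonce is the raw bytes,
    # not the Base64 text that appears in the <wsse:Nonce> element.
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def username_token(user, password, now=None, nonce=None):
    nonce = nonce or os.urandom(16)  # fresh random nonce for every request
    created = (now or datetime.now(timezone.utc)).strftime(FMT)
    nonce_b64 = base64.b64encode(nonce).decode()
    digest = password_digest(nonce, created, password)
    xml = (f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
           f'<wsse:UsernameToken><wsse:Username>{escape(user)}</wsse:Username>'
           f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
           f'<wsse:Nonce EncodingType="{B64_TYPE}">{nonce_b64}</wsse:Nonce>'
           f'<wsu:Created>{created}</wsu:Created>'
           f'</wsse:UsernameToken></wsse:Security>')
    return xml, nonce_b64, created, digest

class ServiceCheck:
    """Constructed stand-in for the service's freshness and replay checks."""
    def __init__(self, password, max_age=timedelta(minutes=5)):
        self.password, self.max_age, self.seen = password, max_age, set()

    def check(self, nonce_b64, created, digest, now):
        ts = datetime.strptime(created, FMT).replace(tzinfo=timezone.utc)
        if abs(now - ts) > self.max_age:
            return "stale"       # Created timestamp outside the accepted window
        if nonce_b64 in self.seen:
            return "replay"      # nonce already used: a captured token re-sent
        expected = password_digest(base64.b64decode(nonce_b64), created, self.password)
        if not hmac.compare_digest(expected, digest):
            return "bad-digest"
        self.seen.add(nonce_b64)
        return "ok"
```

In a load test, each iteration needs its own nonce and Created value; a token copied from a packet capture fails the replay or freshness check even though its digest is valid.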