Highlighted
Super Contributor.
Super Contributor.
1431 views

SOAP wsse security soapenv header generation in vugen

Jump to solution

Hi Everyone

I'm hoping someone can help with this security issue around a new SOAP service we are trying to test.  The soap env header looks like this:

<soapenv:Header>
            <wsse:Security
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsse:UsernameToken
                    wsu:Id="UsernameToken-246CB93D94703E8627154530389442913">
                    <wsse:Username>
                        li5ZmZVBQrTMqZE9YnRyhVpumY4LhUyrQDJuwxoCzrBKGbGzYAkrYNFALNNYovLT5RmbfMyw3BNgRZ7g5w8aMziTrXuTecyDcGS9V8wvT80fDMAZXP4P45wItdQj5IjYyeMggmVoXPwAQckVGTEOIaVnALkUnfN9lfJyyP9dlkIk4kTl4xJIFaXSaM9ZSf8Fr0wNAz4m
                        </wsse:Username>
                    <wsse:Password
                        Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
                        +WFaHx+pMP1ii//s6+qkG8KiF0c=
                        </wsse:Password>
                    <wsse:Nonce
                        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
                        p0/BkXWqVAu2lmHDJcAAYQ==
                        </wsse:Nonce>
                    <wsu:Created>
                        2018-12-20T11:04:54.429Z
                        </wsu:Created>
                    </wsse:UsernameToken>
                </wsse:Security>
            </soapenv:Header>

 

The wsse Password and Nonce elements need to be encoded and sent down with the wsu:Created timestamp.

I've so far been unable to achieve this using vugen.  I've imported a pcap file to get the semblance of my web_custom_request.  If I re-use values already captured in wireshark, I get at least as far as the service detecting that it is a replay attack.

This is the best link I can get on the security information.

https://www.oasis-open.org/committees/download.php/13392/wss-v1.1-spec-pr-UsernameTokenProfile-01.htm#_Toc104276211

I cannot be the first person to have tried to do this in vugen.  Anyone implemented similar?

Many Thanks

Claire

0 Likes
1 Solution

Accepted Solutions
Highlighted
Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

Re: SOAP wsse security soapenv header generation in vugen

Jump to solution

Claire,

You may find useful to check the following example:

https://softwaresupport.softwaregrp.com/doc/KM02956439

Let me know if it does help you or not,

Regards,

View solution in original post

4 Replies
Highlighted
Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

Re: SOAP wsse security soapenv header generation in vugen

Jump to solution

Hi Claire,

Thanks for reaching Microfocus technical support,

I can understand you are facing an issue with the SOAP wsse security but not sure what is the problem you are trying to overcome with Vugen, is there any error log in Vugen that you can provide us?

I recommend you to enable full extended logs and upload it here in order to better understand what is missing and also specify which protocol and version are you using.

I will be attentive to your response here,

Best regards,

Jose

 

0 Likes
Highlighted
Super Contributor.
Super Contributor.

Re: SOAP wsse security soapenv header generation in vugen

Jump to solution

Thank you Jose

Really what we are wondering is, if there is a straight-forward way to implement wsse authentication using the built in security configuration in web services?  Or, do we have to develop a frame work ourselves to create the necessary hashed values here?

0 Likes
Highlighted
Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

Re: SOAP wsse security soapenv header generation in vugen

Jump to solution

Claire,

You may find useful to check the following example:

https://softwaresupport.softwaregrp.com/doc/KM02956439

Let me know if it does help you or not,

Regards,

View solution in original post

Highlighted
Super Contributor.
Super Contributor.

Re: SOAP wsse security soapenv header generation in vugen

Jump to solution

Hi Jose

Many thanks for posting this KB article. 

We are still tied to 12.53 Patch 4 of vugen.  When I wanted to include this script, I needed to install two microsoft updates (Microsoft WSE 2.0 SP3 and Microsoft WSE 3.0).  After installing these, I need to run vugen as administrator to avoid it crashing.  All good fun!  However, in 12.53, the Nonce tag was missing the encoding type, and I could find no way of adding it in (even though it is mentioned in that stylesheet, so not quite sure what was going on there).

After some more searching in the microfocus documentataion, I noted the nonce stuff referenced under 12.60 documentation.  I had another installation on a different machine at 12.60, where the encoding type is added to the nonce tag by default.  I had a litte bit of fiddling about with the parameters in the web_service_set_security block, but got to the point of getting a response from my service after some time.

Many thanks for posting this solution!

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.