I have a SoapUI test that I am trying to convert to Ruby using Akami and Savon. The backend is IBM DataPower and I have absolutely no visibility into how it works, how it parses the requests, or how to generate acceptable responses for it. All I can do is guess and test. I have access to the same keys that SoapUI uses for authentication, and I know generally how the WSSE is configured by reading the SoapUI settings.
Here are the hacks I've done on Akami (this is not a pull request; this is literally the worst code you've ever seen) to try and get this working so far: allquixotic@9c19c17
I verified that the problem is not at the TLS/HTTP layer, by intercepting a request generated by Akami/Savon and pasting in the full XML from SoapUI. It worked. I got the expected result from the server with no errors.
As you can see, in my code I'm trying to make Akami's WSSE stuff look more and more like the SoapUI request, but I'm still stymied as to why IBM DataPower doesn't like my authentication. Is the format of the signature or private key wrong? I suspect it has something to do with the use of "PKIPathv1" instead of "X509v3", but I'm not sure how to convert an OpenSSL .pem formatted private key (exported from a Java Key Store that SoapUI uses) into a PKIPathv1 accepted format, and then sign the message with that.
Or maybe another source of problems is the c14n stuff. I'm still learning about all the intricacies of WSSE as I go along, but from what it looks like, if I got the c14n wrong (hence my experimenting with canonicalize2, which didn't work out), the wrong namespace tags will be applied to the signed message body, so when it's decrypted, the hash won't match or something like that.
There are a lot of moving parts here due to the complexity of the various specs at work, but if you can provide any insight as to what I should try, maybe I can clean up some of my changes and try to help enhance Akami to better support whatever it is that DataPower needs me to do differently than Akami does out of the box.
As for my actual code using Akami, I have something weird hacked together like so:
```ruby
require 'savon'
require 'akami'
require 'nokogiri'

# settings, username, password, xml and operation are defined earlier in the script
client = Savon.client(settings)
wsse = Akami.wsse
wsse.credentials username, password, false   # UsernameToken with PasswordText (no digest)
wsse.timestamp = false
sig = Akami::WSSE::Signature.new
certs = Akami::WSSE::Certs.new
certs.cert_file = cert_file                  # ...cer (path elided in the original)
certs.private_key_file = private_key_file    # ...pem (path elided in the original)
certs.private_key_password = password        # yes, it matches the credentials password
sig.certs = certs
# these two accessors exist only in my fork (allquixotic@9c19c17), not in upstream Akami
sig.inclusive_namespaces = ['par', 'soapenv']
sig.xform_inclusive_namespaces = ['par']
wsse.signature = sig

# put the security header in the original payload
theXML = File.read(xml)  # a starter file: the payload without the wsse:Security header
wsse.signature.document = theXML
secpayload = wsse.to_xml
xpayload = Nokogiri::XML(theXML)
xsecpayload = Nokogiri::XML(secpayload)
env = xpayload.at_xpath('//soapenv:Envelope')
hdr = Nokogiri::XML::Node.new('Header', xpayload)
hdr.namespace = xpayload.root.namespace_definitions.find { |ns| ns.prefix == 'soapenv' }
sec = xsecpayload.at_xpath('//wsse:Security')
sec.parent = hdr          # move the generated wsse:Security into the new Header
env.prepend_child(hdr)    # Header has to come before Body
finalpayload = xpayload.root.to_s

# do it
response = client.call(operation.to_sym, soap_action: 'http://redacted.biz/whatever', xml: finalpayload)
```
Here is the request that SoapUI generates that works, and the request from Akami that gives "authentication failed": https://gist.github.com/allquixotic/11f003966d229f338344
Thank you for reading and I hope I can both get my code working and help Akami....
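A worked example, added here and not part of the issue or of Akami, of what the PKIPathv1 question comes down to. The token ValueType only selects how the certificate(s) are encoded inside wsse:BinarySecurityToken: X509v3 carries the single end-entity certificate, PKIPathv1 carries a DER `SEQUENCE OF Certificate` (the chain, ordered from the certificate nearest the trust anchor down to the end-entity certificate). Nothing about the private key changes; the same PEM key signs SignedInfo either way, and the verifier takes the public key from whichever token it received. The CA and leaf certificates below are generated in the block as constructed test data, the element text is assembled by hand rather than through Akami, and the signed bytes are a placeholder string standing in for canonicalized SignedInfo.

```ruby
require 'openssl'
require 'base64'

# ValueType and EncodingType URIs from the OASIS WS-Security 1.0 specs.
X509_PROFILE       = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0'
VALUE_TYPE_X509V3  = "#{X509_PROFILE}#X509v3"
VALUE_TYPE_PKIPATH = "#{X509_PROFILE}#PKIPathv1"
ENCODING_BASE64    = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'
WSSE_NS = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
WSU_NS  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'

# PKIPath ::= SEQUENCE OF Certificate. Only certificates go in here, issuer
# side first; the private key is never part of the token.
def pkipath_der(chain)
  OpenSSL::ASN1::Sequence.new(chain.map { |c| OpenSSL::ASN1.decode(c.to_der) }).to_der
end

def parse_pkipath(der)
  seq = OpenSSL::ASN1.decode(der)
  raise ArgumentError, 'PKIPath must be a DER SEQUENCE' unless seq.is_a?(OpenSSL::ASN1::Sequence)
  seq.value.map { |c| OpenSSL::X509::Certificate.new(c.to_der) }
end

# wsse:BinarySecurityToken text for either ValueType.
def binary_security_token(chain, value_type, id = 'X509Token')
  der = value_type == VALUE_TYPE_PKIPATH ? pkipath_der(chain) : chain.last.to_der
  "<wsse:BinarySecurityToken xmlns:wsse=\"#{WSSE_NS}\" xmlns:wsu=\"#{WSU_NS}\" " \
  "wsu:Id=\"#{id}\" EncodingType=\"#{ENCODING_BASE64}\" ValueType=\"#{value_type}\">" \
  "#{Base64.strict_encode64(der)}</wsse:BinarySecurityToken>"
end

# Pull the base64 body back out of the token element (no XML parser needed here).
def token_der(token_xml)
  Base64.strict_decode64(token_xml[/>([^<]+)</, 1])
end

# Constructed test data: a throwaway CA and a client leaf it signs, standing in
# for the certificates SoapUI exports from its JKS. Not real keys.
def make_cert(subject, key, issuer_cert, issuer_key, ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

def demo_chain
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Constructed Test CA', ca_key, nil, ca_key, true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = make_cert('/CN=client', leaf_key, ca, ca_key, false)
  [[ca, leaf], leaf_key]
end

# Same private key, two token encodings: the signature is made with leaf_key in
# both cases, and the verifier resolves the public key from the token it got.
def sign_and_verify(value_type)
  chain, leaf_key = demo_chain
  der = token_der(binary_security_token(chain, value_type))
  certs = value_type == VALUE_TYPE_PKIPATH ? parse_pkipath(der) : [OpenSSL::X509::Certificate.new(der)]
  data = 'placeholder for canonicalized ds:SignedInfo bytes'
  signature = leaf_key.sign(OpenSSL::Digest.new('SHA256'), data)
  certs.last.public_key.verify(OpenSSL::Digest.new('SHA256'), signature, data)
end
```

To mirror what SoapUI sends, pass the chain exported from the keystore (CA first, client certificate last) to `binary_security_token` with `VALUE_TYPE_PKIPATH`; the ds:Signature's SecurityTokenReference then points at the token by `wsu:Id`, and the signing key is the same PEM key Akami already loads.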
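The c14n side, as a second added example that is neither the poster's code nor Akami's. The InclusiveNamespaces PrefixList decides which xmlns declarations exclusive c14n emits on the referenced element, so the signer's DigestValue and the verifier's recomputation only agree when both sides apply the same list. The envelope is constructed to match the shape described above (a `par` prefix declared on the Envelope but used only inside the Body) with a placeholder namespace URI; `build_envelope` can deliberately sign with one list and advertise another, and `check_references` is the verifier-side check to run locally over Akami's output before sending it to DataPower: it recomputes every Reference digest from the PrefixList the Transform declares.

```ruby
require 'nokogiri'
require 'openssl'
require 'base64'

SOAPENV  = 'http://schemas.xmlsoap.org/soap/envelope/'
WSU      = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
DS       = 'http://www.w3.org/2000/09/xmldsig#'
EXC_C14N = 'http://www.w3.org/2001/10/xml-exc-c14n#'
NS = { 'soapenv' => SOAPENV, 'wsu' => WSU, 'ds' => DS, 'ec' => EXC_C14N }
DIGESTS = { 'http://www.w3.org/2000/09/xmldsig#sha1' => 'SHA1',
            'http://www.w3.org/2001/04/xmlenc#sha256' => 'SHA256' }

# Exclusive C14N of one element with the given InclusiveNamespaces PrefixList.
def exc_c14n(node, prefix_list)
  node.canonicalize(Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0, prefix_list.empty? ? nil : prefix_list)
end

def digest_value(canonical_bytes, algo = 'SHA1')
  Base64.strict_encode64(OpenSSL::Digest.digest(algo, canonical_bytes))
end

# Constructed envelope. DigestValue is computed with signer_prefixes while the
# Transform advertises declared_prefixes; a correct signer keeps them equal.
def build_envelope(signer_prefixes, declared_prefixes = signer_prefixes)
  template = <<~XML
    <soapenv:Envelope xmlns:soapenv="#{SOAPENV}" xmlns:par="http://redacted.biz/whatever" xmlns:wsu="#{WSU}">
      <soapenv:Header>
        <ds:Signature xmlns:ds="#{DS}">
          <ds:SignedInfo>
            <ds:Reference URI="#Body-1">
              <ds:Transforms>
                <ds:Transform Algorithm="#{EXC_C14N}">
                  <ec:InclusiveNamespaces xmlns:ec="#{EXC_C14N}" PrefixList="#{declared_prefixes.join(' ')}"/>
                </ds:Transform>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>DIGEST</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
        </ds:Signature>
      </soapenv:Header>
      <soapenv:Body wsu:Id="Body-1">
        <par:getThing><par:id>42</par:id></par:getThing>
      </soapenv:Body>
    </soapenv:Envelope>
  XML
  body = Nokogiri::XML(template).at_xpath('//soapenv:Body', NS)
  template.sub('DIGEST', digest_value(exc_c14n(body, signer_prefixes)))
end

# For each ds:Reference: find the element by wsu:Id, canonicalize it with the
# PrefixList the Transform declares, and compare against DigestValue.
# Returns { id => true/false }.
def check_references(signed_xml)
  doc = Nokogiri::XML(signed_xml)
  doc.xpath('//ds:SignedInfo/ds:Reference', NS).map do |ref|
    id = ref['URI'].sub(/\A#/, '')
    target = doc.at_xpath("//*[@wsu:Id='#{id}']", NS)
    raise "no element with wsu:Id=#{id}" unless target
    inc = ref.at_xpath('ds:Transforms/ds:Transform/ec:InclusiveNamespaces', NS)
    prefixes = inc ? inc['PrefixList'].to_s.split : []
    algo = DIGESTS.fetch(ref.at_xpath('ds:DigestMethod', NS)['Algorithm'])
    expected = ref.at_xpath('ds:DigestValue', NS).text.strip
    [id, digest_value(exc_c14n(target, prefixes), algo) == expected]
  end.to_h
end
```

With `['par', 'soapenv']` on both sides the Body canonicalizes as `<soapenv:Body xmlns:par=... xmlns:soapenv=... xmlns:wsu=...>` and the check passes; with the signer using that list but the Transform advertising an empty PrefixList, the verifier renders `xmlns:par` on `par:getThing` instead, the bytes differ, and the digest check fails. That is the failure mode to rule out: diff the canonicalized Body bytes from Akami's request against the working SoapUI request with the same PrefixList before looking anywhere else.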