X.509 Authentication implemented as WS-Security policy

X.509 Authentication implemented as WS-Security policy

In cryptography, X.509 is an important standard for a public key infrastructure (PKI) to manage digital certificates and public-key encryption and a key part of the Transport Layer Security protocol used to secure web and email communication.

An ITU-T standard, X.509 specifies formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

The X509Authentication policy uses X.509 certificates to provide client authentication and includes a Timestamp token to guard against replay attacks. This policy does not enforce signatures or encryption.

Implement X.509 authentication in webMethods

Attach X509 Authentication policy to your web service descriptor in webMethods

Refer to: https://advwmdeveloper.wordpress.com/2016/05/10/setup-client-certificate-authentication-in-webmethods-and-test-with-soapui/ to setup client certificate in SOAPUI and webMethods.

Add outgoing WS-Security configurations for X.509 in SOAPUI. Make sure you have included timestamp.

Apply WS-Security setting to your SOAP request.

If you switch to “Raw” format of the request, you can find X509 in the security token segment.

Implement X.509 authentication with encryption

Similar to the previous steps, attach X509 Authentication, Signature and Encryption policy to your web service descriptor in webMethods

The server certificate is used by encrypt the SOAP message. You can download server certificate by access WSDL via HTTPS. Export the server certificate in X.509 der format. Save server certificate into a java key store (.jks)

JKS that contains server certificate

Add server certificate into keystore in SOAPUI.

Add outgoing WS-Security configurations for X.509 with encryption in SOAPUI. You need to have timestamp, signature and encryption as required by webMethods policy. The “password” value for encryption is not needed, because no private key is needed to encrypt a SOAP message.


To decrypt and validate signatures of the response messages, you need to setup incoming WS-Security configurations. Since the WS-Security headers of the response message contain most of the information required to decrypt or validate a message, the only configuration needed by SoapUI is which keystore or truststore that should be used.

The decrypt keystore should be the same keystore you used as signature in outgoing WSS and the signature keystore should be the one you used as encryption in outgoing WSS.

Apply WS-Security setting to your SOAP request and test it!

The response SOAP body has been decrypted correctly. You can find the encrypted response value by switch to “Raw” view. The raw value is stored in field CipherValue.

There are some known issues in SOAPUI 5.1.3. Please refer the following link to fix it. http://stackoverflow.com/questions/28582769/how-to-decrypt-recieving-message-from-wso2-secured-proxy-service-in-soap-ui-5-0

Easiest fix is this:
Go to C:Program FilesSmartBearSoapUI-5.1.3lib
Rename wss4j-1.6.16.jar to wss4j-1.6.16.jar.old
Copy wss4j-1.6.2.jar from same location for SoapUI 4.5 to this folder.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s