Documentation of the service, says I need to use WS-Security.
From they support, i got a p12 file, which I should be using.
What I did so far
I ran up SoapUI application, configured it, added wsdl etc, and got message
<faultstring>These policy alternatives can not be satisfied: (...)</faultstring>
So I found I need to add basic Auth to the request. And i got my proper answer.
What I need now
I need to use this to SOAP requests, on my PHP application.
First, i changed p12 file into pem, and tried :
$soapClient = new SoapClient('https://int.pz.gov.pl/pz-services/tpSigning?wsdl',
array('location' => 'https://int.pz.gov.pl/pz-services/tpSigning?wsdl',
'trace' => 1,"exceptions" => 1,
'local_cert'=>'path/cert_file.pem',
'passphrase'=>'cert_password'
));
But I am still getting same fail message about policies not being satisfied:
These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: Soap Body is not SIGNED in (...)
Help?
Is it even possible with just PHP? I tried several solutions, found some class extending SoapClient (using user/password, not p12/pem file), found even solution in c# (which I am too ready to use if that's what I need to do - sending xml to c# with WebSocket, and sending it back to browser), but non of those worked.
Changing the cert into pem format is the right way. The native PHP soap client class can not handle p12 certs. Have you tried the following?
try {
$oClient = new SoapClient(
'https://int.pz.gov.pl/pz-services/tpSigning?wsdl',
[
'authentication' => SOAP_AUTHENTICATION_DIGEST,
'exceptions' => true,
'local_cert' => dirname(__FILE__) . 'mycert.pem',
'passphrase' => 'my_passphrase',
'trace' => true,
]
);
} catch (SoapFault $oSoapFault) {
echo "<pre>";
var_dump($oSoapFault);
echo "</pre>";
}
The PHP soap client class uses SOAP_AUTHENTICATION_BASIC by default. Perhaps the DIGEST auth is the right way? Normally the cert includes all the data.
You don 't need the location option. The location option is just required, when using non-wsdl conversation with target namespace as uri option without a direct wsdl file.
And always keep in mind: What works with SoapUI isn 't supposed to run with the native PHP client. ;)
Related
I am connecting to dynamics 365. It used to work perfectly, i curl to get the token then i use it as an authorization header along with php soapclient and it works, i connect i create a client and i can call my methods.
All of a sudden it decided not to work, and where it used to connect as SOAP 1.1 now it enforced SOAP 1.2
After changing from SOAP 1.1 to SOAP 1.2 ( because I got the error of binding mismatch where it said expecting application/soap+xml and text/xml was found ) So I changed versions and that error disappeared and got replaced with ERROR Fetching HTTP Headers.
That error got stuck for the longest time, people suggested to increase timeout but i put it as high as 500 800 5000 all the same.
Then all of a sudden, it started giving me SOAP ERROR Parsing schema element already defined. I did not change my code, i played for awhile with the headers but to no avail, I even removed the authorization header just to see what is going on and that did nothing i kept getting the same error.
SOAP-ERROR: Parsing Schema: element 'http://schemas.datacontract.org/2004/07/Microsoft.Dynamics.Ax.Xpp:XppObjectBase' already defined [string:Exception:private]
everytime I try to connect I get different kind of parsing schema error even though i am not changing anything in my code:
SOAP-ERROR: Parsing Schema: element 'http://schemas.microsoft.com/2003/10/Serialization/:anyType' already defined [string:Exception:private]
and another
SOAP-ERROR: Parsing Schema: element 'http://schemas.datacontract.org/2004/07/Microsoft.Dynamics.AX.KernelInterop:ProxyBase' already defined [string:Exception:private]
and then sometimes it does get through for a second but with fetching http header error again..
so i can not create a client instance anymore now..
where before i was able to create a client instance but i get an error when I call the method of "Error Fetching HTTP Headers"
something is definitely not stable because my errors are not one.
now some stated the wsdl could be faulty, but this is microsoft and the person i am in contact keeps saying he can not doing anything about it.
Help is this a PHP problem or a dynamics problem or wsdl custom made problem .
And how to solve this.
Thank you.
UPDATE
I'm sorry I mentioned earlier it is Dynamics AX , it turns out it is Dynamics 365 D365. I will keep dynamics ax tag in case it helps someone who needs the solutions provided.
UPDATE
Following is the connection code I am using:
function getAuthenticationHeader()
{
//Each variable has the values for our server
//resource
$appResource = urlencode($appADResource);
//clientID
$appClientID = urlencode($appADClientId);
//appSecret
$appSecret = urlencode($appADSecret);
//username
$appUserID = urlencode($appUserID);
// Password
$appUserPassword = urlencode($password);
// Construct the body for the STS request
$authenticationRequestBody = 'resource='.$appResource.'&client_id='.$appClientID.'&client_secret='.$appSecret.'&grant_type=password&username='.$appUserID.'&password='.$appUserPassword.'&scope=openid';
//Using curl to post the information to STS and get back the authentication response
$ch = curl_init();
// set url
$stsUrl = 'https://login.microsoftonline.com/'.$appTenantId.'/oauth2/token';
curl_setopt($ch, CURLOPT_URL, $stsUrl);
// Get the response back as a string
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Set the parameters for the request
curl_setopt($ch, CURLOPT_POSTFIELDS, $authenticationRequestBody);
// By default, HTTPS does not work with curl.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
// read the output from the post request
$output = curl_exec($ch);
// close curl resource to free up system resources
curl_close($ch);
// decode the response from sts using json decoder
$tokenOutput = json_decode($output);
return $tokenOutput->{'token_type'}.' '.$tokenOutput->{'access_token'};
}
try
{
//WSDL Link
$url = "https://urlToOurServer/services/webservice?wsdl";
$authorizationToken = getAuthenticationHeader();
$context = stream_context_create(array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
'allow_self_signed' => true
),
'https' => array(
'curl_verify_ssl_peer' => false,
'curl_verify_ssl_host' => false
),
'http' => array(
'header' =>'Authorization: '.$authorizationToken
)
));
//Create array of Soap Options
$arrOpt = array(
"soap_version" => SOAP_1_2,
"cache_wsdl" => WSDL_CACHE_NONE,
"exceptions" => true,
'trace' => true,
'encoding' => 'UTF-8',
'stream_context' => $context
);
}catch(Exception $e)
{
print_r($e);
}
I also found this in my wsdl
<sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<sp:RequestSecurityTokenTemplate>
<trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
</trust:TokenType>
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
</trust:KeyType>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference/>
How can I connect to SAML for Token ?
If everything is pretty much the same, but it's not working, the first thing to do is rule out the most basic AX issues. These may not solve your issue but will be a good first step.
now some stated the wsdl could be faulty, but this is microsoft and the person i am in contact keeps saying he can not doing anything about it.
Whomever that person is, you need to confirm they've done the following:
Confirm the environment and specifically the CIL is fully compiled. Do a full AXBuild and a full CIL to be sure during non-business hours and ensure the output is good. It's basically saying "recompile everything".
Refresh the WCF configuration in the client configuration you are using to connect to AX. This client configuration may be a *.axc file or it may just be the active one. Also refresh the business connector WCF. This is separate and may be what you are using to connect to AX. This is what most people are talking about.
Here's a little article that talks about creating a configuration, but I'll discuss below.
An AX client configuration ultimately is a bunch of text. It's either stored in an .axc file or stored in the registry in a few locations. The Business Connector client config may be the one that is getting missed in your scenario.
If you follow the link above and create a new .axc configuration file and ensure you've clicked "Refresh Configuration" before exporting, when you open the file up in Notepad, you'll see wcfconfig and a bunch of XML following it. That XML is what you're trying to get updated. Creating a new AXC here is just an exercise to help you understand what it is. You can delete the file after you're done looking.
Now, you've basically created a specific configuration file, but that doesn't mean anything is using it. If you call AX32.exe it will default to the one that is loaded in that config screen. Using a file is a way to very specifically choose one. Your code is probably using a specific AXC somewhere that needs either replaced or refreshed OR it's using one that's saved in this window:
It is very likely it is using one of the two that are saved in that configuration window. When you refresh in that window, it ultimately saves the WCF XML in the windows registry on the machine that is hosting the client and/or the AOS in subfolders in HKLM\SOFTWARE\Microsoft\Dynamics\6.0\Configuration. The key(s) is wcfconfig paired with wcfconfigversionid, which just stores a GUID to see if it's up-to-date.
When I say two, I mean most people don't even bother to look at the Business Connector AXC. It's what is highlighted in yellow in my image, and you need to specifically choose and refresh it. This could be important for you. In my image, I do not have it chosen. You need to drop the menu down and choose it.
On a dev machine, you can just clear both of those keys and refresh and you should see whatever configuration you're working on update.
This is a long post, but it's important to rule this part out first. If you have someone who's reasonably experienced administering AX they should know how to ensure these are refreshed.
Since you're saying this is not Dynamics AX, but one of the Dynamics 365 versions. The AX version used to be called Dynamics 365 for Finance and Operations Enterprise Edition but they've changed the licensing/naming again, so I don't even know what it's technically called. Most people call it Dynamics 365 for Operations or some variant.
Either way, you should test the service following the below method. We would need to see more information about the service details and call, so following the below is most likely best.
https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/data-entities/third-party-service-test
I have been using AWS SDK V3 for PHP to put object to S3 with Server side encryption using customer provided key. The documentation is quite sketchy (or at least I havent found it).
For uploading the object using the S3client, I use putobject with
$params['SSECustomerAlgorithm'] = 'AES256';
$params['SSECustomerKey'] = $this->encryptioncustkey;
$params['SSECustomerKeyMD5'] = $this->encryptioncustkeymd5;
The $this->encryptioncustkey is a plain customer key (not base64_encoded because the SDK seems to be doing that) and this->encryptioncustkeymd5 = md5($this->encryptioncustkey,true);
The put object works fine. However, the problem is in generating a createSignedURL.
$cmd = $client->getCommand('GetObject', array(
'Bucket' => $bucket,
'Key' => $storedPath,
'ResponseContentDisposition' => 'attachment;charset=utf-8;filename="'.utf8_encode($fileName).'"',
'ResponseContentType' => $ctype,
'SSECustomerAlgorithm' => 'AES256',
'SSECustomerKey' => $this->encryptioncustkey,
'SSECustomerKeyMD5' => $this->encryptioncustkey64md5
));
but I get a weird response indicating that it is missing "x-amz-server-side-encryption" (ServerSideEncryption) which according to documentation is not required for SSE-C. Even if I set it to ServerSideEncryption='AES256' it has no effect.
<Error>
<Code>InvalidArgument</Code>
<Message>
Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key.
</Message>
<ArgumentName>x-amz-server-side-encryption</ArgumentName>
<ArgumentValue>null</ArgumentValue>
<RequestId>A3368F6CE5DD310D</RequestId>
<HostId>
nHavXXz/gFOoJT0tnh+wgFTbTgGdpggRkyb0sDh07H7SomcX7HrcKU1dDzgZimrQwyaVQEqAjdk=
</HostId>
</Error>
I was running into the same issue and tried every possible permutation to try to get it to work. I finally concluded that this use case is not supported. Reading through the scattered and arcane documentation on the subject, it seems the only way to access SSE-C content on S3 is by specifying the x-amz-server-side-encryption-customer-algorithm/x-amz-server-side-encryption-customer-key/x-amz-server-side-encryption-customer-key-MD5 fields in the HTTP request header, not in the URL.
What I ended up doing is to store the content in question in S3 unencrypted and with the ACL set to private (you could upload it as such from the get go, or use copyObject() to make a copy with those settings). Then, when I wanted to get the ["time-bombed"] pre-signed URL for the GET request, I just used the command similar to the one in your question, but omitting the SSE parameters. That worked for me.
I am trying to connect to a WSDL that uses WS-Security Certificate Signing over HTTPS.
Only the outgoing messages are signed and it uses Binary Security Token (could not find this specific option in WSO2 but so I am unsure I am using the correct option in the code below).
I have looked at the code in the Samples of the WSO2 WSF/PHP and have joined together the WDSL client example and the Signing example.
Code:
$my_cert = ws_get_cert_from_file("./keys/cert.pem");
$my_key = ws_get_key_from_file("./keys/key.pem");
$sec_array = array("sign"=>TRUE,
"algorithmSuite" => "Basic256Rsa15",
"securityTokenReference" => "EmbeddedToken"); //Is this correct for Binary Security Token?
$policy = new WSPolicy(array("security"=>$sec_array));
$sec_token = new WSSecurityToken(array("privateKey" => $my_key,
"certificate" => $my_cert));
$client = new WSClient(array("wsdl"=>"https://.../Informationservice.WSDL",
"useWSA" => TRUE,
"policy" => $policy,
"securityToken" => $sec_token));
$proxy = $client->getProxy();
$return_val = $proxy->StreetTypes();
Any help would be much appreciated as I haven't been able to find an examples of connecting to a service like this online anywhere. Most services seem to sign with Username and Password rather than Certificates and when looking for WSDL and Certificate Signing I don't find anything at all.
You need to specify the CACert option for https to work with "to" endpoint set to the https endpoint. Also use the non wsdl mode as there are some known issues with wsdl mode.
I am feebly trying to implement a stamps.com api interface into my platform. This is my first time using SOAP, I event had to recompile PHP to enable the libraries.
I'm moving along but now I'm having a problem. They support soap 1.1 and soap 1.2 requests, and when I run the following code:
$client = new SOAPClient(
'./SWSIM.wsdl',
array(
'trace' => 1
)
);
I get back a successful response from my request that comes after this.
However if I add the option to use soap 1.2 like this:
$client = new SOAPClient(
'./SWSIM.wsdl',
array(
'trace' => 1,
'soap_version' => SOAP_1_2
)
);
I get the following error:
There was an exception running the extensions specified in the config file. ---> Value cannot be null. Parameter name: input
This line is not actually throwing the exception. Its the following command that throws it, but removing the soap_version is what "fixes it". I would like to use soap 1.2 so naturally this is bugging me.
FTR The command I'm running is this:
$authData = array(
"Credentials" => array(
"IntegrationID" => "MYUID",
"Username" => "MYUSERNAME",
"Password" => "MYPASSWORD"
)
);
try {
$objectresult = $client->AuthenticateUser($authData);
} catch (Exception $e) {
echo "EXCEPTION: " . $e->getMessage();
print_r($e);
exit;
}
The WSDL file can be viewed here:
https://swsim.stamps.com/swsim/swsimv22.asmx?wsdl
I have also checked in with their developer support and they said:
"The message you are currently receiving is returned from whichever program you are designing your integration with. This has been commonly noted happening within Visual Basic where is creates a wrapper class that needs certain variables for the response. This could be similar to the behavior that you are experiencing. Please verify how your program language consumes a WSDL."
I also noticed that the __soapCall method excepts an "input headers" argument. I'm not entirely sure I should be / can even use that method in my code. I suppose I should just try and play with it.
Check your WSDL file. I was using the wrong one, and it appears you may be as well. Try this one: http://developer.stamps.com/developer/downloads/files/Stamps.com_SWSIM.wsdl
NOTE: The above is out of date. Contact stamps.com for the current wsdl!
I know this is an old thread, but here is an example class that should get anyone started with the stamps.com api in php https://github.com/aaronjsmith/stamps.com-php
The WSDL looks fine and it's the same input structure for both Soap versions. The problem is a bug somewhere at their end, you'll have to contact them to resolve.
I would also test it via a .NET app just to see if it behaves the same.
I can load in the wsdl, pull out the functions and data types just fine but when I try to call a function on the server I get a connection error. When I look at the soap data passed in the $request it doesn't contain any of the security certificate and no errors are generated.
My code looks like this:
// setup the transaction array
$header = array('local_cert' => "certificate.pem",
'logonUser' => "user_name",
'style' => SOAP_DOCUMENT,
'use' => SOAP_LITERAL,
'exceptions' => true,
'trace' => true);
// create the soap client, this will log us in
$client = new SoapClient($wsdl, $header);
try
{
$response = $client->getMessage($parameters);
}
catch (Exception $e)
{
dumpVars($client->__getLastRequest());
echo 'Caught exception: ', $e->getMessage(), "\n";
}
?>
So my question is this, what do I have to do to get the security certificate to be passed?
Thanks,
Pete
The purpose of local_cert in $header is not sending it in the SOAP call itself. It's only being used as an SSL client certificate. Also, according to this comment on php.net you need to read the file contents of the certificate in order to use it.
2 (small) things :
'logonUser' does not seem to be a valid option for the SoapClient constructor. If it is a required header for this service, consider using soapClient::setSoapHeaders. If it is a standard HTTP login param, use the 'login' key.
try to use the full path of the pem certificate, and make sure it is readable by php