WS Security For APIGEE - Java Runtime Error

Dear @dchiesa1

I have used the latest WS Security Signature and encountered the error below while deploying the proxy.

APIGEE Version: 4.53.01

Error Deploying Revision 27 to sandbox
Failed to load java class com.google.apigee.callouts.wssecdsig.Sign definition due to - com/google/apigee/callouts/wssecdsig/Sign has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0.

Yes

The README is less than clear on this.

The Callout is built for Java11, which works with hybrid and X.
For OPDK, you will still use Java8.

You will need to build the Callout to use it with OPDK.

Follow these instructions:

Especially focus on the part that says:
“To build on JDK8…”

Hello @dchiesa1

We have built the jar file to be used in OPDK and we are getting the error below.

We have also tried including the bcpkix and bcprov libraries for the Java Callout policy.

java.lang.SecurityException: sealing violation: package org.bouncycastle.util.io.pem is sealed

It means the package is sealed and you tried to load another jar also containing the package.

You probably need to NOT include the BC JARs in your API proxy, and just rely on the packaged BC jars that are included with OPDK. That’s what I would try.
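A pre-deployment check for the two failures reported above (class file version 55.0 on a runtime that stops at 52.0, and a bundled jar that repeats a package sealed by a platform jar), as an added Python example that is not part of the thread or of the callout project. The jar names and function names are hypothetical, and the sample jars are constructed in memory.

```python
import io, struct, zipfile

def packages(jar):
    return {n.rsplit("/", 1)[0] for n in jar.namelist() if n.endswith(".class") and "/" in n}

def sealed_packages(jar):
    """Packages sealed via the manifest (jar-wide or per-entry 'Sealed: true')."""
    if "META-INF/MANIFEST.MF" not in jar.namelist():
        return set()
    text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    sealed = set()
    for i, block in enumerate(text.split("\n\n")):  # section 0 is the main section
        sec = {k.strip().lower(): v.strip() for k, v in
               (ln.split(":", 1) for ln in block.split("\n") if ":" in ln)}
        if sec.get("sealed", "").lower() == "true":
            sealed |= packages(jar) if i == 0 else {sec.get("name", "").rstrip("/")}
    return sealed

def check_bundle(bundle, platform, max_major=52):  # 52 = limit quoted in the error
    """bundle/platform map jar name -> jar bytes; returns a list of findings."""
    owner, findings = {}, []
    for name, data in platform.items():
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            owner.update({pkg: name for pkg in sealed_packages(jar)})
    for name, data in bundle.items():
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            for entry in (e for e in jar.namelist() if e.endswith(".class")):
                magic, _minor, major = struct.unpack(">IHH", jar.read(entry)[:8].ljust(8, b"\0"))
                if magic == 0xCAFEBABE and major > max_major:
                    findings.append(("class-version", name, entry, major))
            findings += [("sealed-package", name, pkg, owner[pkg])
                         for pkg in sorted(packages(jar) & set(owner))]
    return findings

def make_jar(classes, sealed=False):  # constructed sample jar: entry name -> major version
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n" + ("Sealed: true\n" if sealed else ""))
        for entry, major in classes.items():
            z.writestr(entry, b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, major))
    return buf.getvalue()

if __name__ == "__main__":  # constructed sample jars, not real artifacts
    pem = "org/bouncycastle/util/io/pem/"
    platform = {"platform-bc.jar": make_jar({pem + "PemReader.class": 52}, sealed=True)}
    bundle = {"callout.jar": make_jar({"com/google/apigee/callouts/wssecdsig/Sign.class": 55}),
              "bcprov.jar": make_jar({pem + "PemObject.class": 52})}
    print(*check_bundle(bundle, platform), sep="\n")
```

Per-entry `Sealed: false` overrides are not modelled, and multi-release jars legitimately carry newer classes under `META-INF/versions/`, so treat each finding as a prompt to inspect the jar.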

Dear @dchiesa1

We have tried both ways, by including only the packaged jar and with the bcpkix and bcprov libraries, but it returns the same error.

oooh, I’m sorry to hear that. I think you need to contact Google support to ask for assistance with this.

Dear @dchiesa1 ,

We already raised this with the Apigee team, and the team confirmed that we will not be able to use the provider “BC” post upgrade; however, we are still using the provider “BC” in the WssecCalloutBase class, and it may be causing the issue as it's been blocked at platform level [only BCFIPS is allowed].

ClassName:WssecCalloutBase

LineNumber: 282.

Request your kind support to resolve the issue.

Dear @dchiesa1

Request your support in resolving the issue below.

Hello @kushal09,

I see Dino advised on reaching out to support for better assistance on your case. Find here the steps to reach out to the support team.

Dear @AlexET

We have already reached out to the support team, and the team has confirmed that we will not be able to use the provider “BC” post upgrade; however, we are still using the provider “BC” in the WssecCalloutBase class, and it may be causing the issue as it's been blocked at platform level [only BCFIPS is allowed].

ClassName:WssecCalloutBase

LineNumber: 282.

Request your kind support to resolve the issue.

Dear @dchiesa1 /@AlexET

We got the response below from Google Support.

Dear @dchiesa1 / @AlexET

Request your kind support in resolving the issue.

Thank you for sharing the latest update from the Google Support team.

Since Google Support has provided a response regarding your question, the community forum is unable to provide a different solution or a workaround. If you have further questions on how to implement the required changes, I recommend continuing the conversation with your Google Account Team or Customer Engineer.

We appreciate you keeping us updated on the progress.

Dear @AlexET

Thanks for your response.

We used the library from the community; however, it's not compatible with the latest OPDK release. We request your support in updating the library to comply with the latest upgrade.

Kushal,
have you tried re-compiling the Callout to explicitly refer to BCFIPS instead of BC as the provider name? You will need to:

  • modify the pom.xml file to replace dependencies on bcprov-jdk15on and bcpkix-jdk15on with bc-fips and bcpkix-fips

  • add <org.jcp.xml.dsig.secureValidation>false</org.jcp.xml.dsig.secureValidation> to the surefire properties in the same pom.xml file

  • modify the source code to use BCFIPS instead of BC in 3 or 4 places

  • modify CalloutTestBase to use

        java.security.Security.addProvider(
            new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider());

    …in a static initializer

Then run

mvn clean package

I don’t know if the result will run in a current OPDK, but it compiles and the tests pass, for me.
This branch shows my modifications.
