I need to build a web-service client application using Axis 1.4 that will access a third-party system (web service producer).
In order to send a valid request to the third-party system, I need to encrypt and sign the SOAP request before sending it to them.
I make use of wss4j 1.5 to do this task, where I follow the steps in this link:
Calling an OWSM protected service with Axis 1.4 and WSS4J
What I understand is that:
1- To encrypt the SOAP, I need to use the third party's public key, and they will decrypt it using their own private key.
2- To sign the SOAP, I need to use my own private key, and they should verify the signature using my public key, which I need to share with them.
I did that, but I am receiving the error
faultString: Did not understand "MustUnderstand" header(s)
from the third-party end. After checking with the third-party team, they said:
"We use “Username authentication with symmetric key”, so we do not maintain any client certificates at our trust store. There is a single shared key used for both signing and encryption. Hence you need to do signing and encryption using our certificate."
This response does not make sense to me. I understand that I need to use the third party's certificate (i.e. public key) to encrypt the SOAP request.
But how can I use the same public key, which is the only certificate shared by them, to sign the SOAP request?
I believe I need a private key in order to do that.
Do I need their private key to do that? Any clarification will be helpful.
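The third party's reply describes the WS-Security symmetric binding: the client generates a random session key, wraps it with the server's public key (the EncryptedKey token), and then uses that one session key both to encrypt the body and to compute a keyed-hash signature over it, so no client private key or client certificate is involved. The following Go program is an added illustration of that pattern, not code from the question, from Axis or from WSS4J; the names Message, Protect and Unprotect are made up here, and it uses RSA-OAEP, AES-CTR and HMAC-SHA256 as stand-ins for the exact WS-Security algorithms and XML encoding.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Message: a random session key wrapped to the server's public key (EncryptedKey),
// plus the body encrypted and HMAC-"signed" under that same session key.
type Message struct{ WrappedKey, IV, Ciphertext, Signature []byte }
func macOf(key, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// Protect is the client side: it needs only the server's public key.
func Protect(pub *rsa.PublicKey, body []byte) (*Message, error) {
	buf := make([]byte, 48) // 32-byte AES-256 session key + 16-byte CTR IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // 32-byte key, cannot fail
	ct := make([]byte, len(body))
	cipher.NewCTR(block, iv).XORKeyStream(ct, body)
	return &Message{wrapped, iv, ct, macOf(key, iv, ct)}, nil
}

// Unprotect is the server side: only the private key recovers the session key.
func Unprotect(priv *rsa.PrivateKey, m *Message) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, m.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(macOf(key, m.IV, m.Ciphertext), m.Signature) {
		return nil, errors.New("symmetric signature check failed")
	}
	block, _ := aes.NewCipher(key)
	body := make([]byte, len(m.Ciphertext))
	cipher.NewCTR(block, m.IV).XORKeyStream(body, m.Ciphertext)
	return body, nil
}
```

The "signature" here proves knowledge of the session key, which only the holder of the server's private key can unwrap; that is why the server needs no client certificate in its trust store.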