Posted to dev@geronimo.apache.org by "rahul.soa" <ra...@googlemail.com> on 2009/08/11 23:15:45 UTC
[Doubts] X509 Signing
Hello Jarek,
I hope you are doing well.
Presently, I am setting up the signing on the client side, and I have a couple of doubts.
I think I can do something similar in the CXFPortMethodInterceptor:
    String signatureKeyIdentifier = (String) properties.get("signatureKeyIdentifier");
    String user = (String) properties.get("user");

    // in case where <property name="wss4j.out.action">Signature</property>
    if (containsValue(action, WSHandlerConstants.SIGNATURE)) {
        // doubt about this: how will CXFPortMethodInterceptor know about this file?
        properties.put(WSHandlerConstants.SIG_PROP_FILE, "clientKeystore.properties");
        // alias or user
        properties.put(WSHandlerConstants.USER, user);
        if (signatureKeyIdentifier.equals("DirectReference"))
            properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        if (signatureKeyIdentifier.equals("IssuerSerial"))
            properties.put(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
        // in order to obtain the key password for the private key
        properties.put(WSHandlerConstants.PW_CALLBACK_CLASS,
                       ClientKeystorePasswordCallback.class.getName());
    }
I think we should specify the following things in the <property> under the <port> in the geronimo-web.xml on the client side.
<property name="wss4j.out.action">Signature</property>
<property name="wss4j.out.user">myclientkey</property>
<property name="wss4j.out.signatureKeyIdentifier">IssuerSerial</property>
Can we set the key password in the property too? What other things should we set in the property?
Question 1:
Here, the first thing is how we can provide the signature property file, in the above case "clientKeystore.properties". It should be on the client side. If this is in the client application written by the user, then how can we give a reference to it in the CXFPortMethodInterceptor? In other words, where do we set this property?
    properties.put(WSHandlerConstants.SIG_PROP_FILE, "clientKeystore.properties");
Question 2:
For the ClientKeystorePasswordCallback, how can the client send the key password through the geronimo-web.xml?
<property name="wss4j.out.keypass">keypass</property>
Another thing I noticed: in the Geronimo server we have the following two tabs under Security:
Keystores <http://localhost:8096/console/portal/Security/Keystores>
Certificate Authority <http://localhost:8096/console/portal/Security/Certificate%20Authority>
What are these for?
Thanks for your help.
Best Regards,
Rahul
PS: For signing and encryption, I think we need the Bouncy Castle and Xalan jar files in the CXF plugin; I pulled them.
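As an added example (not code from this thread, nor from Geronimo or CXF): a ClientKeystorePasswordCallback that answers WSS4J's WSPasswordCallback for the signing key only, plus an assumed helper that maps the wss4j.out.* <property> values above into the WSHandlerConstants map. The alias/password table, the property-file name and the helper's name are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Password callback WSS4J instantiates from PW_CALLBACK_CLASS to unlock the signing key. */
public class ClientKeystorePasswordCallback implements CallbackHandler {
    // Constructed sample alias -> key password table; a real client would read a protected store, not geronimo-web.xml.
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();
    static { KEY_PASSWORDS.put("myclientkey", "changeit"); }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // Answer only for the signing key, so a misconfigured Encrypt/Decrypt action cannot reuse it.
            if (pc.getUsage() != WSPasswordCallback.SIGNATURE) {
                throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
            }
            String password = KEY_PASSWORDS.get(pc.getIdentifier());
            if (password == null) {
                throw new IOException("no key password for alias " + pc.getIdentifier());
            }
            pc.setPassword(password);
        }
    }

    /** Assumed helper: maps the wss4j.out.* <property> values of a <port> into the WSS4J outbound handler map. */
    static Map<String, Object> outboundSigningProperties(Map<String, String> portProps) {
        Map<String, Object> p = new HashMap<String, Object>();
        String action = portProps.get("wss4j.out.action");
        if (action == null || !action.contains(WSHandlerConstants.SIGNATURE)) {
            return p; // no Signature action requested, nothing to configure
        }
        String keyId = portProps.get("wss4j.out.signatureKeyIdentifier");
        if (!"DirectReference".equals(keyId) && !"IssuerSerial".equals(keyId)) {
            throw new IllegalArgumentException("unsupported signatureKeyIdentifier: " + keyId);
        }
        p.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        p.put(WSHandlerConstants.USER, portProps.get("wss4j.out.user"));
        p.put(WSHandlerConstants.SIG_KEY_ID, keyId);
        p.put(WSHandlerConstants.SIG_PROP_FILE, "clientKeystore.properties"); // assumed on the client classpath
        p.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientKeystorePasswordCallback.class.getName());
        return p;
    }
}
```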
Re: [Doubts] X509 Signing
Posted by "rahul.soa" <ra...@googlemail.com>.
Hello David,
Thanks for your suggestions.
So far, after setting up the UsernameToken profile, I have set up WS-Security (X509 profile: signing and encryption) with the property file for basic security. I have attached the patches to JIRA-4642.
Now I am after the things you suggested. It sounds like a good idea to use the Geronimo built-in security for the same.
Many thanks again for your immediate reply!
Rahul
On Wed, Aug 12, 2009 at 5:57 PM, David Jencks <da...@yahoo.com> wrote:
> Hi Rahul,
> I don't understand any details of what you are trying to do but I think you
> are trying to get access to a certificate so some parts of the xml message
> can be signed.
>
> In geronimo we have several gbeans to help with managing certificate stores
> and trust stores. These are set up so that if you get a reference to the
> appropriate gbean you should be able to access the certificate as needed with
> no further passwords or authentication needed. While these are normally
> present in servers you can set one up in an app client if you want.
>
> The portal pages I think you are mentioning let you administer these
> gbeans.
>
> The Jetty HTTPS connector is set up to use one of these gbeans; you might
> find it a useful example of how to proceed, for instance
> HTTPSSelectChannelConnector and GeronimoSelectChannelSSLListener.
>
> The central class is
> org.apache.geronimo.management.geronimo.KeystoreManager implemented
> by org.apache.geronimo.security.keystore.FileKeystoreManager in the
> framework/modules/geronimo-security module.
>
> I'd suspect you might want to get a KeystoreInstance from the
> KeystoreManager and then get the Certificate you want from that.
>
> Hope this helps,
> david jencks
>
Re: [Doubts] X509 Signing
Posted by David Jencks <da...@yahoo.com>.
Hi Rahul,
I don't understand any details of what you are trying to do but I
think you are trying to get access to a certificate so some parts of
the xml message can be signed.
In geronimo we have several gbeans to help with managing certificate
stores and trust stores. These are set up so that if you get a
reference to the appropriate gbean you should be able to access the
certificate as needed with no further passwords or authentication
needed. While these are normally present in servers you can set one
up in an app client if you want.
The portal pages I think you are mentioning let you administer these
gbeans.
The Jetty HTTPS connector is set up to use one of these gbeans; you
might find it a useful example of how to proceed, for instance
HTTPSSelectChannelConnector and GeronimoSelectChannelSSLListener.
The central class is
org.apache.geronimo.management.geronimo.KeystoreManager implemented by
org.apache.geronimo.security.keystore.FileKeystoreManager in the
framework/modules/geronimo-security module.
I'd suspect you might want to get a KeystoreInstance from the
KeystoreManager and then get the Certificate you want from that.
Hope this helps,
david jencks
On Aug 11, 2009, at 2:15 PM, rahul.soa wrote:
Re: [Doubts] X509 Signing
Posted by Kevan Miller <ke...@gmail.com>.
On Aug 11, 2009, at 5:15 PM, rahul.soa wrote:
> Hello Jarek,
FYI, Jarek is on vacation. I don't think he's reading email...
--kevan