Posted to rampart-dev@ws.apache.org by Nate Roe <na...@vegas.com> on 2008/03/10 22:43:07 UTC

Questions about policy.xml, signatures, and certificates.

I am using Axis2 v1.3 and Rampart v1.3 on JBossAS v4.0.5 running on Java 1.6.0_03.

My goal is to allow access to my service only to those clients who possess a certificate that I issued (using a self-signed CA certificate).

I also require that the client submit some unique ID -- preferably their encryptionUser (the name that I originally created when issuing the client's certificate).  I used the information found on this page to create my certificates: http://wso2.org/library/174

My final requirement is to retrieve the IP address of the connecting client.

I have tried several different forms of policy.xml, but I've become confused.  I don't understand exactly what tags enforce a signature.

I've been reading ws-securitypolicy.pdf (2005, v1.1) but I don't completely understand it.  What does the OnlySignEntireHeadersAndBody assertion do?

How can I require a signature?
How can I pass the encryptionUser rather than some arbitrarily-named user token?
How can I obtain the client's IP address?

Thanks,
Nate Roe

RE: Questions about policy.xml, signatures, and certificates.

Posted by Nate Roe <na...@vegas.com>.
Nandana,

Thank you for this detailed response, and especially for the link to your policy article.  I spent considerable time searching for an article just like that!

I have a couple of remaining questions, but these apply to Axis2 more generally, so I will post them in axis-user.

Thanks again,
Nate

-----Original Message-----
From: Nandana Mihindukulasooriya [mailto:nandana.cse@gmail.com]
Sent: Tuesday, March 11, 2008 1:43 AM
To: rampart-dev@ws.apache.org
Subject: Re: Questions about policy.xml, signatures, and certificates.

Hi Nate,

>  My goal is to allow access to my service only to those clients who possess a certificate that I issued (using a self-signed CA certificate).

Yes, this is possible. As you are already trying to do, in the
security policy specify the requirement that incoming SOAP messages have to
be signed, so only a client possessing a valid certificate can consume
the service.

>  I also require that the client submit some unique ID -- preferably their encryptionUser (the name that I originally created when issuing the client's certificate).  I used the information found on this page to create my certificates: http://wso2.org/library/174

This can be easily done too. An X.509 certificate contains a lot of
unique properties [1]. You can use one of them as the unique ID, for
example the thumbprint value, issuer serial, etc.

>  My final requirement is to retrieve the IP address of the connecting client.

Take a look at the KB article [2].

>  I have tried several different forms of policy.xml, but I've become confused.  I don't understand exactly what tags enforce a signature.

The SignedParts assertion can be used to sign the body and the headers. If
you want to sign arbitrary elements, then you can use the SignedElements
assertion.

>  I've been reading ws-securitypolicy.pdf (2005, v1.1) but I don't completely understand it.  What does the OnlySignEntireHeadersAndBody assertion do?

If that property is true, we only sign the entire headers and body, and
we don't sign arbitrary elements inside them.  Take a look at the
article [3].

>  How can I require a signature?

Use a SignedParts or SignedElements assertion according to your requirement.

>  How can I pass the encryptionUser rather than some arbitrarily-named user token?

I think it is better to use the properties of the certificate used to
sign the message to uniquely identify the client.

>  How can I obtain the client's IP address?

Take a look at the KB article [2].

thanks,
/nandana

[1] - http://en.wikipedia.org/wiki/X.509
[2] - http://wso2.org/library/480
[3] - http://wso2.org/library/3132

http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/
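A policy.xml that enforces what Nandana describes, written here as an added example (it is not Rampart's shipped sample and not the configuration from this thread): an AsymmetricBinding carrying OnlySignEntireHeadersAndBody, a SignedParts assertion that names the Body (and, only if WS-Addressing is engaged, the To and Action headers), and a RampartConfig pointing at the service keystore. The keystore file name, passwords, aliases and the callback class are placeholders. WSS4J verifies the signature and then validates the signing certificate's chain against the keystore given in signatureCrypto, so keep only the service's own key and your CA certificate in that keystore: that trust store, not the policy, is what limits access to certificates you issued.

```xml
<wsp:Policy wsu:Id="SigOnly"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:ramp="http://ws.apache.org/rampart/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- The binding says HOW messages are protected: client signs with its
           X.509 key (InitiatorToken, sent with the message), the service
           signs responses with its own key (RecipientToken, never sent). -->
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy><sp:TripleDesRsa15/></wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy><sp:Strict/></wsp:Policy>
          </sp:Layout>
          <!-- Timestamp is signed too; it gives the receiver a freshness window. -->
          <sp:IncludeTimestamp/>
          <!-- Signature references may only point at whole headers and the
               whole Body, never at elements nested inside them. -->
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
      <!-- SignedParts says WHAT must be signed; Rampart rejects a message
           whose signature does not cover every part listed here. -->
      <sp:SignedParts>
        <sp:Body/>
        <!-- Uncomment when WS-Addressing is engaged for the service:
        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
        -->
      </sp:SignedParts>
      <!-- Rampart-specific wiring: placeholder alias, file and class names. -->
      <ramp:RampartConfig>
        <ramp:user>service</ramp:user>
        <ramp:passwordCallbackClass>com.example.ServicePWCBHandler</ramp:passwordCallbackClass>
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

Note that encryptionUser is not something the client transmits: in RampartConfig it is the keystore alias of the certificate a sender encrypts for, so it cannot serve as the client's identifier. The identity the service can rely on is the certificate that verified the signature, which is why Nandana points at the thumbprint or issuer/serial.

To read that identity and the transport address from inside the service, here is an added helper that is not Rampart's or Axis2's own code: it walks the WSS4J results Rampart stores on the MessageContext under WSHandlerConstants.RECV_RESULTS, picks the X.509 certificate that verified the signature, and derives an issuer/serial string and an SHA-1 thumbprint from it; the peer address comes from the Axis2 MessageContext.REMOTE_ADDR property. The class and its method names are mine, and the result walking uses the WSS4J 1.5 getters (getAction, getCertificate) that Rampart 1.3 ships with; later WSS4J releases replaced them with map entries.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Vector;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/**
 * Hypothetical helper (not part of Rampart or Axis2) for use inside a
 * service implementation, after Rampart has processed the Security header.
 */
public final class SignerInfo {

    private SignerInfo() {}

    /**
     * Returns the certificate that verified the message signature, or null
     * when no signature result was recorded. With a signature-requiring
     * policy Rampart rejects unsigned messages before the service runs;
     * treat null as "deny" anyway rather than falling through.
     */
    public static X509Certificate signingCertificate(MessageContext msgCtx) {
        Vector handlerResults = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            return null;
        }
        for (int i = 0; i < handlerResults.size(); i++) {
            WSHandlerResult hr = (WSHandlerResult) handlerResults.get(i);
            Vector engineResults = hr.getResults();
            for (int j = 0; j < engineResults.size(); j++) {
                WSSecurityEngineResult r = (WSSecurityEngineResult) engineResults.get(j);
                // WSS4J 1.5.x getters, as bundled with Rampart 1.3.
                if (r.getAction() == WSConstants.SIGN && r.getCertificate() != null) {
                    return r.getCertificate();
                }
            }
        }
        return null;
    }

    /** Issuer DN plus serial number: the stable handle for a CA-issued certificate. */
    public static String issuerSerial(X509Certificate cert) {
        return cert.getIssuerX500Principal().getName() + " / " + cert.getSerialNumber().toString(16);
    }

    /**
     * Hex SHA-1 of the DER encoding, the same digest a WS-Security
     * ThumbprintSHA1 key identifier carries (base64-encoded there). It
     * changes whenever the certificate is reissued, so prefer issuerSerial
     * as a long-lived client ID.
     */
    public static String thumbprintSha1(X509Certificate cert) throws AxisFault {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b & 0xff));
            }
            return hex.toString();
        } catch (Exception e) {
            throw AxisFault.makeFault(e);
        }
    }

    /**
     * Address of the TCP peer as the servlet container saw it. Behind a
     * reverse proxy or load balancer this is the proxy's address; an
     * X-Forwarded-For header is client-controlled and is only meaningful
     * if the proxy is known to overwrite it.
     */
    public static String remoteAddress(MessageContext msgCtx) {
        Object addr = msgCtx.getProperty(MessageContext.REMOTE_ADDR);
        return addr == null ? null : addr.toString();
    }
}
```

From the service skeleton, obtain the context with MessageContext.getCurrentMessageContext(), pass it to signingCertificate(), and look the issuerSerial() value up in whatever registry maps issued certificates to clients. Rampart does not check revocation in this configuration, so a client you want to cut off has to be rejected at that lookup (or its entry removed) rather than relying on the signature check alone.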
