Posted to users@cxf.apache.org by Gonzalo Aguilar Delgado <ga...@aguilardelgado.com> on 2015/03/05 18:42:45 UTC

WS-Security with HSM (Hardware security)

Hi

We are implementing all our crypto in hardware. One of the requirements 
of the client is to do WS-Security.

I'm experienced in doing it in software with a software-based 
keystore. But now we need to do it in HSM.
My partners say that if CXF uses JCE (and it does) everything can be 
done in hardware.

Can you point us in the right direction about how to do it?

We are using SafeNet solutions for HSMs.

Best regards,

Re: WS-Security with HSM (Hardware security)

Posted by Colm O hEigeartaigh <co...@apache.org>.
It should be possible to do this. Normally with WS-Security in CXF, you use
a crypto properties file that defines a "Merlin" provider. This is a class
in WSS4J that wraps a keystore loaded from a file. There is an alternative
crypto provider available, MerlinDevice, which allows loading keystores
using a null InputStream, which is what is required when you have keys
stored on a smartcard:

http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/MerlinDevice.java?view=markup

Colm.

On Thu, Mar 5, 2015 at 5:42 PM, Gonzalo Aguilar Delgado <
gaguilar@aguilardelgado.com> wrote:

> Hi
>
> We are implementing all our crypto in hardware. One of the requirements of
> the client is to do WS-Security.
>
> I'm experienced in doing it in software with a software-based keystore.
> But now we need to do it in HSM.
> My partners say that if CXF uses JCE (and it does) everything can be done
> in hardware.
>
> Can you point us in the right direction about how to do it?
>
> We are using SafeNet solutions for HSMs.
>
> Best regards,
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
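
The MerlinDevice setup described in the reply above, as an added example that is not part of the original thread or of the WSS4J project: it loads a hardware keystore with a null InputStream, builds the same keystore through WSS4J, and checks that the signing key has no exportable encoding. Assumptions: the property names are the WSS4J 2.x Merlin keys, the HSM vendor's JCE provider is already registered, and the class name HsmCryptoCheck, the provider name, keystore type and alias arguments are hypothetical placeholders.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Properties;

import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;

public class HsmCryptoCheck {
    // Usage: java HsmCryptoCheck <jce-provider-name> <keystore-type> <key-alias>
    public static void main(String[] args) throws Exception {
        String provider = args[0]; // assumption: vendor JCE provider, already registered
        String type = args[1];     // assumption: e.g. "PKCS11"; vendor providers may differ
        String alias = args[2];
        // Run from an interactive terminal so the PIN is not echoed or passed in argv.
        char[] pin = System.console().readPassword("HSM PIN: ");

        // 1. Plain JCE: a hardware keystore has no backing file, so the stream is null.
        KeyStore ks = KeyStore.getInstance(type, provider);
        ks.load(null, pin);
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("No private key entry for alias " + alias);
        }

        // 2. The same keystore through WSS4J. These are the entries that would go
        //    into the crypto properties file; note there is no keystore.file entry.
        Properties p = new Properties();
        p.setProperty("org.apache.wss4j.crypto.provider",
                      "org.apache.wss4j.common.crypto.MerlinDevice");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.type", type);
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.provider", provider);
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", new String(pin));
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.alias", alias);
        Crypto crypto = CryptoFactory.getInstance(p);

        // 3. Heuristic check: a key that cannot leave the device typically exposes
        //    no encoded form, so getEncoded() returns null. A non-null encoding
        //    means the key material is readable by the JVM.
        PrivateKey key = crypto.getPrivateKey(alias, new String(pin));
        if (key == null) {
            throw new IllegalStateException("WSS4J could not resolve key " + alias);
        }
        boolean exportable = key.getEncoded() != null;
        System.out.println(alias + ": " + key.getAlgorithm() + " key, "
                + (exportable ? "EXPORTABLE (not hardware-protected)" : "non-exportable"));
        if (exportable) {
            System.exit(1);
        }
    }
}
```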