Posted to fx-dev@ws.apache.org by Ron Reynolds <Ro...@RonReynolds.com> on 2005/12/06 00:36:50 UTC

RE: Help(urgent) : My Keypair did not work for wss4j project (wss4j\interop example)

i've never considered this, but yes, for the server to return a secure
response to the client it would have to encrypt its response with the client's
public key so that only the holder of the private key (the client) could
decrypt it.  that's definitely a Werner/Dims question.

that wiki was written from my experience of creating signed messages from
client-to-server.  each client is issued (by the team that owns the server) a
certificate/keystore which is added to the server's keystore as a trusted
cert.  the data is not sensitive and thus not encrypted and thus the client
doesn't need to have the server's public key (also those are self-signed certs
so the trust issue is a little different - the server already knows the
client's cert and trusts it in advance - as this is an inhouse server and we
don't often add new clients (and thus don't often generate new certificates) i
chose the simple approach which is to trust the clients' certs directly
instead of having a root trusted cert (the server's) and then signing all the
clients with this cert.  in the real 24/7 world where you never want the
server going down, it'll have to change to a root trusted cert and that way
new clients simply need to have their certs signed with the server's key to be
trusted by the server.

there MUST be a way to select the public key to encrypt the response with,
otherwise you'd never be able to have secure responses...  the client's
identity is established via the x.509 token in the request (which contains the
client's public key) - in the response flow that public-key must be used to
encrypt the response...

i need to update that wiki with my C# interop experience, come to think of it...

> Ron,
>
> Thanks for your document at the following URL. When I was implementing WSS4J
> for my project, I could not find your doc and struggled a lot to set up the
> infrastructure (keys and certificates). I have a question after reading the
> documentation here.
>
> http://wiki.apache.org/ws/RonReynolds/XmlSigSetup
>
> In this sample client1 will have his own certificate for decrypting data got
> from the server. Similarly client2 will have his own certificate to decrypt.
>
> The question is on the server side: when WSS4J encrypts data (for sending to
> clients), if it uses the same key for all clients (I am assuming this because
> in the server-config.wsdd I don't see any control over this aspect) then
> client1 can decrypt data sent to client2 and thus we end up having insecure
> communication ??
>
> Thanks
>
> Giri Kosuru
>
> My server-config.wsdd is as follows.
>
>
> <requestFlow>
>   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
>     <parameter name="passwordCallbackClass" value="**.**.**.SSPWCallback"/>
>     <parameter name="action" value="Signature Encrypt"/>
>     <parameter name="signaturePropFile" value="crypto.properties" />
>   </handler>
>  </requestFlow>
>
>  <responseFlow>
>   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
>     <parameter name="user" value="************"/>
>     <parameter name="passwordCallbackClass" value="**.**.**.SSPWCallback"/>
>     <parameter name="action" value="Encrypt"/>
>     <parameter name="encryptionPropFile" value="crypto.properties" />
>     <parameter name="encryptionUser" value="*********" />
>   </handler>
>  </responseFlow>
>
> -----Original Message-----
> From: Ron Reynolds [mailto:Ron@RonReynolds.com]
> Sent: Sunday, December 04, 2005 3:58 AM
> To: elilvannan@affno.lk
> Cc: wss4j-dev@ws.apache.org
> Subject: Re: Help(urgent) : My Keypair did not work for wss4j project
> (wss4j\interop example)
>
> so your server is signing and encrypting its response as well to be verified
> by the client?  then i would expect that both certificates would have to be
> signed (or self-signed as in my example) and then exported and imported into
> the other keystore as a trusted cert.  i did find that if you want to work
> with .NET clients you're best off using RSA keys in a PKCS12 keystore (save
> as a .p12 or .pfx file and it's very easy to import the certificate).
> however i did have to leave my server keystore as JKS - i had some trouble
> loading many trusted certificates into a PKCS12 keystore.  as i said, i am
> no crypto expert - certainly someone on the wss4j list knows the answer...
>
> ----- Original Message -----
> From: Elilvannan <ma...@affno.lk>  Nagarajah
> To: 'Ron Reynolds' <ma...@RonReynolds.com>
> Sent: Saturday, December 03, 2005 11:52 PM
> Subject: RE: Help(urgent) : My Keypair did not work for wss4j project
> (wss4j\interop example)
>
> Thanks Reynolds.
>
> Yah, I followed the same steps as you described (earlier I used 2 keystores
> and did the same steps, but that did not work; then I used the same key store
> for both client and server).
>
> Anyway, for my case I want to add both encryption and signature.
>
> These are my configurations.
>
> Client side
>
> <service name="AddressBook">
>   <requestFlow>
>    <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>     <parameter name="signatureKeyIdentifier" value="DirectReference"/>
>     <parameter name="user" value="affnoclient"/>
>     <parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier"/>
>     <parameter name="signaturePropFile" value="wsstest.properties"/>
>     <parameter name="encryptionUser" value="affnoserver"/>
>     <parameter name="passwordCallbackClass" value="org.apache.ws.axis.oasis.PWCallback1"/>
>     <parameter name="action" value="Signature Encrypt Timestamp"/>
>    </handler>
>   </requestFlow>
>
>   <responseFlow>
>    <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
>     <parameter name="signaturePropFile" value="wsstest.properties"/>
>     <parameter name="passwordCallbackClass" value="org.apache.ws.axis.oasis.PWCallback1"/>
>     <parameter name="action" value="Signature Encrypt Timestamp"/>
>    </handler>
>   </responseFlow>
>  </service>
>
> On the server side ....
>
> <service name=" AddressBook " provider="java:RPC" style="wrapped"
> use="literal">
>   <operation name="ping" qname="ns17:Ping" soapAction=""
> xmlns:ns17="http://xmlsoap.org/Ping">
>    <parameter qname="ns17:ticket" type="ns17:ticketType"/>
>    <parameter mode="inout" qname="ns17:text" type="xsd:string"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"/>
>   </operation>
>
> <requestFlow>
>    <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>     <parameter name="signatureKeyIdentifier" value="DirectReference"/>
>     <parameter name="user" value=" affnoserver"/>
>     <parameter name="encryptionKeyIdentifier" value="SKIKeyIdentifier"/>
>     <parameter name="signaturePropFile" value="wsstest.properties"/>
>     <parameter name="encryptionUser" value="affnoclient"/>
>     <parameter name="passwordCallbackClass" value="org.apache.ws.axis.oasis.PWCallback1"/>
>     <parameter name="action" value="Signature Encrypt Timestamp"/>
>    </handler>
>   </requestFlow>
>
>   <responseFlow>
>    <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
>     <parameter name="signaturePropFile" value="wsstest.properties"/>
>     <parameter name="passwordCallbackClass" value="org.apache.ws.axis.oasis.PWCallback1"/>
>     <parameter name="action" value="Signature Encrypt Timestamp"/>
>    </handler>
>   </responseFlow>
>  </service>
>
>   </responseFlow>
>   <parameter name="allowedMethods" value="ping"/>
>   <parameter name="wsdlPortType" value="PingPort"/>
>   <parameter name="wsdlServicePort" value="Ping3"/>
>   <parameter name="className" value="org.apache.ws.axis.oasis.ping.PingBindingImpl"/>
>   <parameter name="wsdlTargetNamespace" value="http://xmlsoap.org/Ping"/>
>   <parameter name="sendXsiTypes" value="false"/>
>   <parameter name="sendMultiRefs" value="false"/>
>   <parameter name="wsdlServiceElement" value="PingService"/>
>   <typeMapping
> deserializer="org.apache.axis.encoding.ser.SimpleDeserializerFactory"
> encodingStyle="" qname="ns18:ticketType"
> serializer="org.apache.axis.encoding.ser.SimpleSerializerFactory"
> type="java:org.apache.ws.axis.oasis.ping.TicketType"
> xmlns:ns18="http://xmlsoap.org/Ping"/>
>  </service>
>
> Could you please check this configuration?
>
> But the same configuration is working for the example, that is, the
> wss4j\interop example.
>
> I do not know how they created the keystore ....
>
> If I used the keytool utility, did I have to change any
> configurations...............
>
> Could you help with this issue, please?
>
> Thanks and best regards,
>
> Elilvannan
>
> _____
>
> From: Ron Reynolds [mailto:Ron@RonReynolds.com]
> Sent: Sunday, December 04, 2005 1:27 PM
> To: elilvannan@affno.lk
> Subject: Re: Help(urgent) : My Keypair did not work for wss4j project
> (wss4j\interop example)
>
>
> i'm no expert in security but these are the steps i used to create a trust
> between my client and server -
>
> generate the two keystores as you did, then:
>
> create a self-signed certificate for the client
>
> keytool -selfcert ...
>
> export the certificate from the client keystore
>
> keytool -export ...
>
> import the certificate into the server's keystore
>
> keytool -import ...
>
> it'll ask if you trust the certificate - tell it yes.  at that point when
> the client signs and includes its x.509 with the message the server will be
> able to look the cert up and verify that it trusts the signer.  i was
> working on a wiki that covers this in a bit more detail - perhaps it'll help
> (tho it's not entirely done) -
> http://wiki.apache.org/ws/RonReynolds/XmlSigSetup
>
> ----- Original Message -----
> From: Elilvannan <ma...@affno.lk>  Nagarajah
> To: wss4j-dev@ws.apache.org <ma...@ws.apache.org>
> Sent: Saturday, December 03, 2005 10:53 PM
> Subject: Help(urgent) : My Keypair did not work for wss4j project
> (wss4j\interop example)
>
> Hi all,
>
> I tried to use the wss4j project for adding security for my web services. For
> my web service I want to add signature and encryption type of security. First
> I tested the interop example (tested with 'bob' and 'alice' entries) in the
> wss4j project. That works fine.
>
> Then I tried to create my key store (using keytool) and generated 2 keypairs,
> one for server and one for client. I configured all properties correctly (I
> replaced the entries 'bob' and 'alice' with my own alias names 'affnoserver'
> and 'affnoclinet'). But for my case the client side is working fine (encrypt
> the request and sign and send) but on the server side I got an exception
> (when decrypting).
>
> This is the exception trace ----
>
> org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data; nested
> exception is:
>         java.security.UnrecoverableKeyException: Cannot recover key
>         at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:268)
>         at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:81)
>         at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:75)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:252)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:179)
>         at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:159)
>
> this is my key store :
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> Alias name: affnoserver
> Creation date: Dec 2, 2005
> Entry type: keyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=affnoserver, OU=affno, O=eng, L=col, ST=col, C=sl
> Issuer: CN=affnoserver, OU=affno, O=eng, L=col, ST=col, C=sl
> Serial number: 43900be2
> Valid from: Fri Dec 02 14:54:58 LKT 2005 until: Thu Mar 02 14:54:58 LKT 2006
> Certificate fingerprints:
>          MD5:  23:92:DD:B9:D5:CA:66:5B:AD:92:27:0E:48:11:8C:75
>          SHA1: AB:13:03:92:32:FD:EA:51:DE:DD:9E:7C:DD:90:DD:35:96:52:25:08
>
> *******************************************
> *******************************************
>
> Alias name: affnoclient
> Creation date: Dec 2, 2005
> Entry type: keyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=affnoclient, OU=affno, O=eng, L=col, ST=col, C=SL
> Issuer: CN=affnoclient, OU=affno, O=eng, L=col, ST=col, C=SL
> Serial number: 43904844
> Valid from: Fri Dec 02 19:12:36 LKT 2005 until: Thu Mar 02 19:12:36 LKT 2006
> Certificate fingerprints:
>          MD5:  B3:76:5E:F5:81:1A:80:9E:0A:9A:FA:A3:36:8E:D7:C3
>          SHA1: 51:D7:04:8F:4C:5D:4F:F9:21:B0:41:B3:58:8B:E9:FB:FA:98:6A:D2
>
> *******************************************
> *******************************************
>
> I used the following commands for creating this key store.
>
> keytool -genkey -keyalg RSA -alias affnoserver -keystore affnoserver.jks
> -keypass XXXXXXX  -storepass password
>
> keytool -genkey -keyalg RSA -alias affnoclient -keystore affnoserver.jks
> -keypass XXXXXXX  -storepass password
>
> Should I use some other commands to create this key store (like openssl or
> PKCS12 format ...)?
>
> Can anybody please help me with how to create my own keystore and keypairs
> for this wss4j project?
>
> Thanks and best regards,
>
> N.Elilvannan
>

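The three keytool steps Ron sketches in the quoted message (self-signed client cert, export, import into the server's keystore), spelled out with concrete flags as an added example; this is not code from the thread or from the WSS4J project. Aliases, passwords, the distinguished names and the scratch directory are constructed for the example. The checks at the end confirm what the trust setup is supposed to achieve: the server keystore ends up holding the client's certificate as a trusted entry and not the client's private key, and the certificate it trusts is byte-for-byte the one the client holds. Note that keytool's -genkeypair already writes a self-signed certificate for the new key, so a separate -selfcert step is only needed when replacing an existing certificate.

```shell
#!/bin/sh
# Added example (not from the thread or WSS4J): Ron's keytool procedure with
# concrete flags, run against two scratch keystores. All names, passwords and
# DNs below are constructed for this example.
set -eu

CLIENT_ALIAS=affnoclient
SERVER_ALIAS=affnoserver
CLIENT_STOREPASS=clientstorepw
CLIENT_KEYPASS=clientkeypw
SERVER_STOREPASS=serverstorepw
SERVER_KEYPASS=serverkeypw

# One keystore per party. -genkeypair already writes a self-signed certificate
# for the new key, so "keytool -selfcert" is only needed to replace one later.
gen_keystore() {  # $1 alias  $2 keystore  $3 storepass  $4 keypass
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 90 \
    -dname "CN=$1, OU=example, O=example, C=XX" \
    -keystore "$2" -storetype JKS -storepass "$3" -keypass "$4" >/dev/null 2>&1
}

# Export only the client's certificate (never its private key) and import it
# into the server's keystore as a trusted certificate.
establish_trust() {  # $1 workdir
  gen_keystore "$CLIENT_ALIAS" "$1/$CLIENT_ALIAS.jks" "$CLIENT_STOREPASS" "$CLIENT_KEYPASS"
  gen_keystore "$SERVER_ALIAS" "$1/$SERVER_ALIAS.jks" "$SERVER_STOREPASS" "$SERVER_KEYPASS"
  keytool -exportcert -alias "$CLIENT_ALIAS" -keystore "$1/$CLIENT_ALIAS.jks" \
    -storepass "$CLIENT_STOREPASS" -file "$1/$CLIENT_ALIAS.cer" >/dev/null 2>&1
  # -noprompt answers "yes" to keytool's "Trust this certificate?" question.
  keytool -importcert -noprompt -alias "$CLIENT_ALIAS" -file "$1/$CLIENT_ALIAS.cer" \
    -keystore "$1/$SERVER_ALIAS.jks" -storepass "$SERVER_STOREPASS" >/dev/null 2>&1
}

# Report the kind of entry keytool lists for an alias: "key" for a private-key
# entry (printed as keyEntry by old JDKs, PrivateKeyEntry by newer ones),
# "trusted" for a trustedCertEntry, "none" if the alias is absent.
entry_kind() {  # $1 keystore  $2 storepass  $3 alias
  out=$(keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null) || { echo none; return 0; }
  case "$out" in
    *trustedCertEntry*) echo trusted ;;
    *PrivateKeyEntry*|*keyEntry*) echo key ;;
    *) echo none ;;
  esac
}

# The certificate the server trusts must be exactly the one the client holds:
# compare the PEM export from both keystores.
fingerprints_match() {  # $1 workdir
  a=$(keytool -exportcert -rfc -alias "$CLIENT_ALIAS" -keystore "$1/$CLIENT_ALIAS.jks" \
        -storepass "$CLIENT_STOREPASS" 2>/dev/null)
  b=$(keytool -exportcert -rfc -alias "$CLIENT_ALIAS" -keystore "$1/$SERVER_ALIAS.jks" \
        -storepass "$SERVER_STOREPASS" 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

if [ "${1:-}" = run ]; then
  dir=$(mktemp -d)
  establish_trust "$dir"
  echo "client store, $CLIENT_ALIAS: $(entry_kind "$dir/$CLIENT_ALIAS.jks" "$CLIENT_STOREPASS" "$CLIENT_ALIAS")"
  echo "server store, $CLIENT_ALIAS: $(entry_kind "$dir/$SERVER_ALIAS.jks" "$SERVER_STOREPASS" "$CLIENT_ALIAS")"
  echo "server store, $SERVER_ALIAS: $(entry_kind "$dir/$SERVER_ALIAS.jks" "$SERVER_STOREPASS" "$SERVER_ALIAS")"
  fingerprints_match "$dir" && echo "server trusts the client's actual certificate"
  rm -rf "$dir"
fi
```

Run it as `sh trust_setup.sh run`. Two points the script makes explicit that the quoted commands above do not: each party keeps its private key in its own keystore (the thread's second `-genkey` wrote both keys into `affnoserver.jks`), and the store password and the key password are separate secrets. Java's JKS implementation raises `UnrecoverableKeyException: Cannot recover key` when a private-key entry is read with a password other than that entry's `-keypass`; in WSS4J that password is supplied by the configured `passwordCallbackClass` for the alias named in `user`, while the keystore password in the crypto properties file only opens the store.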

