You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2013/06/20 16:48:27 UTC
svn commit: r866640 - in /websites/production/cxf/content: cache/docs.pageCache docs/xml-key-management-service-xkms.html

Author: buildbot
Date: Thu Jun 20 14:48:27 2013
New Revision: 866640

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/xml-key-management-service-xkms.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/xml-key-management-service-xkms.html
==============================================================================
--- websites/production/cxf/content/docs/xml-key-management-service-xkms.html (original)
+++ websites/production/cxf/content/docs/xml-key-management-service-xkms.html Thu Jun 20 14:48:27 2013
@@ -25,6 +25,8 @@
 <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
 <meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source">
 <meta name="description" content="Apache CXF, Services Framework - XML Key Management Service (XKMS)">
+
+
     <title>
 Apache CXF -- XML Key Management Service (XKMS)
     </title>
@@ -125,7 +127,7 @@ Apache CXF -- XML Key Management Service
 
 <h2><a shape="rect" name="XMLKeyManagementService%28XKMS%29-Usecase"></a>Use case</h2>
 
-<p>CXF security uses asymmetric algorithms for different purposes: encryption of symmetric keys and payloads, signing security tokens and messages, proof of possession.<br clear="none">
+<p>CXF uses asymmetric algorithms for different purposes: encryption of symmetric keys and payloads, signing security tokens and messages, proof of possession.<br clear="none">
 Normally the public keys (in form of X509 certificates) are stored in java keystores.</p>
 
 <p>For example, if sender encrypts the message payload sending to the receiver, he should have access to receiver certificate saved in local keystore. <br clear="none">
@@ -165,47 +167,95 @@ This design makes XKMS internal implemen
 For example certificate can be searched firstly in the LDAP repository by LDAP lookup handler and, if it is not found there, additionally looked in remote PKI using appropriate lookup handler. Validation operation logic is organized in chain is well: first validation handler checks format and expire date of X509 certificate, next one checks certificate trust chain.</p>
 
 <p>Currently XKMS Service supports simple file based and LDAP backends.<br clear="none">
-Sample spring configuration of XKMS handlers for file backend looks like:</p>
+Sample spring configuration of XKMS handlers looks like:</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
-   <span class="code-tag">&lt;bean id=<span class="code-quote">"dateValidator"</span> class=<span class="code-quote">"org.apache.cxf.xkms.x509.validator.DateValidator"</span> /&gt;</span>
+&lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
+    <span class="code-keyword">xmlns:cxf</span>=<span class="code-quote">"http://cxf.apache.org/core"</span> <span class="code-keyword">xmlns:jaxws</span>=<span class="code-quote">"http://cxf.apache.org/jaxws"</span>
+    <span class="code-keyword">xmlns:test</span>=<span class="code-quote">"http://apache.org/hello_world_soap_http"</span> <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
+    <span class="code-keyword">xmlns:util</span>=<span class="code-quote">"http://www.springframework.org/schema/util"</span>
+    xsi:schemaLocation="
+        http://cxf.apache.org/core
+        http://cxf.apache.org/schemas/core.xsd
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+        http://cxf.apache.org/jaxws                                     
+        http://cxf.apache.org/schemas/jaxws.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-2.0.xsd"&gt;
+
+
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"dateValidator"</span> class=<span class="code-quote">"org.apache.cxf.xkms.x509.validator.DateValidator"</span> /&gt;</span>
+
+    &lt;bean id=<span class="code-quote">"trustedAuthorityValidator"</span>
+        class=<span class="code-quote">"org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"certificateRepo"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"x509Locator"</span> class=<span class="code-quote">"org.apache.cxf.xkms.x509.handlers.X509Locator"</span>&gt;</span>
+        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"certificateRepo"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    &lt;bean id=<span class="code-quote">"x509Register"</span>
+        class=<span class="code-quote">"org.apache.cxf.xkms.x509.handlers.x509Register"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"certificateRepo"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+
+    <span class="code-tag"><span class="code-comment">&lt;!-- LDAP based implementation --&gt;</span></span>
+
+    &lt;bean id=<span class="code-quote">"certificateRepo"</span>
+        class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"ldapServerConfig"</span> /&gt;</span>
+        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"ldapSchemaConfig"</span> /&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"dc=example,dc=com"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"ldapServerConfig"</span> class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapServerConfig"</span>&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"ldap://localhost:2389"</span> /&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"cn=Directory Manager,dc=example,dc=com"</span> /&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"test"</span> /&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"2"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"ldapSchemaConfig"</span> class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig"</span>&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"certObjectClass"</span> value=<span class="code-quote">"inetOrgPerson"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"attrUID"</span> value=<span class="code-quote">"uid"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"attrIssuerID"</span> value=<span class="code-quote">"manager"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"attrSerialNumber"</span> value=<span class="code-quote">"employeeNumber"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"attrCrtBinary"</span> value=<span class="code-quote">"userCertificate;binary"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"constAttrNamesCSV"</span> value=<span class="code-quote">"sn"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"constAttrValuesCSV"</span> value=<span class="code-quote">"X509 certificate"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"serviceCertRDNTemplate"</span> value=<span class="code-quote">"cn=%s,ou=services"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"serviceCertUIDTemplate"</span> value=<span class="code-quote">"cn=%s"</span> /&gt;</span>
+	<span class="code-tag">&lt;property name=<span class="code-quote">"trustedAuthorityFilter"</span> value=<span class="code-quote">"(&amp;#038;(objectClass=inetOrgPerson)(ou:dn:=CAs))"</span> /&gt;</span>
+	<span class="code-tag">&lt;property name=<span class="code-quote">"intermediateFilter"</span> value=<span class="code-quote">"(objectClass=inetOrgPerson)"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+
+    <span class="code-tag"><span class="code-comment">&lt;!-- File based implementation --&gt;</span></span>
+
+    &lt;!-- bean id=<span class="code-quote">"certificateRepo"</span>
+        class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"../conf/certs"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean--&gt;</span>
 
-   <span class="code-tag">&lt;bean id=<span class="code-quote">"x509FileLocator"</span> class=<span class="code-quote">"org.apache.cxf.xkms.x509.locator.FileLocator"</span>&gt;</span>
-      <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"../conf/certs"</span> /&gt;</span>
-   <span class="code-tag">&lt;/bean&gt;</span>
-
-   <span class="code-tag">&lt;bean id=<span class="code-quote">"fileRegisterHandler"</span> class=<span class="code-quote">"org.apache.cxf.xkms.x509.handlers.FileRegisterHandler"</span>&gt;</span>
-      <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"../conf/certs"</span> /&gt;</span>
-   <span class="code-tag">&lt;/bean&gt;</span>
-
-   <span class="code-tag">&lt;bean id=<span class="code-quote">"xkmsProviderBean"</span> class=<span class="code-quote">"org.apache.cxf.xkms.service.XKMSService"</span>&gt;</span>
-      <span class="code-tag">&lt;property name=<span class="code-quote">"validators"</span>&gt;</span>
-         <span class="code-tag">&lt;list&gt;</span>
-            <span class="code-tag">&lt;ref bean=<span class="code-quote">"dateValidator"</span> /&gt;</span>
-         <span class="code-tag">&lt;/list&gt;</span>
-      <span class="code-tag">&lt;/property&gt;</span>
-      <span class="code-tag">&lt;property name=<span class="code-quote">"locators"</span>&gt;</span>
-         <span class="code-tag">&lt;list&gt;</span>
-            <span class="code-tag">&lt;ref bean=<span class="code-quote">"x509FileLocator"</span> /&gt;</span>
-         <span class="code-tag">&lt;/list&gt;</span>
-      <span class="code-tag">&lt;/property&gt;</span>
-      <span class="code-tag">&lt;property name=<span class="code-quote">"keyRegisterHandlers"</span>&gt;</span>
-         <span class="code-tag">&lt;list&gt;</span>
-            <span class="code-tag">&lt;ref bean=<span class="code-quote">"fileRegisterHandler"</span> /&gt;</span>
-         <span class="code-tag">&lt;/list&gt;</span>
-      <span class="code-tag">&lt;/property&gt;</span>
-   <span class="code-tag">&lt;/bean&gt;</span>
-
-   &lt;jaxws:endpoint id=<span class="code-quote">"XKMSService"</span> <span class="code-keyword">xmlns:serviceNamespace</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#wsdl"</span>
-      serviceName=<span class="code-quote">"serviceNamespace:XKMSService"</span> endpointName=<span class="code-quote">"serviceNamespace:XKMSPort"</span>
-      implementor=<span class="code-quote">"#xkmsProviderBean"</span> address=<span class="code-quote">"/XKMS"</span>&gt;
-   <span class="code-tag">&lt;/jaxws:endpoint&gt;</span>
+<span class="code-tag">&lt;/beans&gt;</span>
 </pre>
 </div></div>
 
-<h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-IntegrationXKMSclientintoCXFsecurity."></a>Integration XKMS client into CXF security.</h4>
+<p>dateValidator and trustedAuthorityValidator beans are implementations of Validator interface for validity date and trusted chain validation. <br clear="none">
+x509Locator and x509Register are implementations of Locator and Register interfaces for X509 certificates.<br clear="none">
+certificateRepo is repository implementation for LDAP backend. LdapServerConfig and LdapSchemaConfig contain LDAP configuration described in the following table:</p>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Property</th><th colspan="1" rowspan="1" class="confluenceTh">Sample Value</th><th colspan="1" rowspan="1" class="confluenceTh">Description</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">ldapServerConfig arguments</td><td colspan="1" rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" class="confluenceTd"> URL, baseDN and credentials of LDAP Server</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">certObjectClass</td><td colspan="1" rowspan="1" class="confluenceTd">inetOrgPerson</td><td colspan="1" rowspan="1" class="confluenceTd">LDAP object class used to store certificates</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">attrUID</td><td colspan="1" rowspan="1" class="confluenceTd">uid</td><td colspan="1" rowspan="1" class="confluenceTd">Attribute containing X509 subject DN</td></tr><tr><td colspan="1" rowspan="1" class="conf
 luenceTd">attrIssuerID</td><td colspan="1" rowspan="1" class="confluenceTd">manager</td><td colspan="1" rowspan="1" class="confluenceTd">LDAP attribute containing X509 issuer DN</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">attrSerialNumber</td><td colspan="1" rowspan="1" class="confluenceTd">employeeNumber</td><td colspan="1" rowspan="1" class="confluenceTd">LDAP attribute containing X509 serial number</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">attrCrtBinary</td><td colspan="1" rowspan="1" class="confluenceTd">userCertificate</td><td colspan="1" rowspan="1" class="confluenceTd">LDAP attribute containing X509 certificate content</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">constAttrNamesCSV</td><td colspan="1" rowspan="1" class="confluenceTd">sn</td><td colspan="1" rowspan="1" class="confluenceTd">Comma separated list of mandatory LDAP attributes</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">constAttrValuesC
 SV</td><td colspan="1" rowspan="1" class="confluenceTd">X509 certificate</td><td colspan="1" rowspan="1" class="confluenceTd">Comma separated list of mandatory LDAP attributes values</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">serviceCertRDNTemplate</td><td colspan="1" rowspan="1" class="confluenceTd">cn=%s,ou=services</td><td colspan="1" rowspan="1" class="confluenceTd">Relative distinguished name for service certificates</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">serviceCertUIDTemplate</td><td colspan="1" rowspan="1" class="confluenceTd">cn=%s</td><td colspan="1" rowspan="1" class="confluenceTd">Template to transform service QName to DN for storing into attrUID</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">trustedAuthorityFilter</td><td colspan="1" rowspan="1" class="confluenceTd">(&amp;(objectClass=inetOrgPerson)(ou:dn:=CAs))</td><td colspan="1" rowspan="1" class="confluenceTd">Filter to determine trusted CAs for truste
 d chain validation</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">intermediateFilter</td><td colspan="1" rowspan="1" class="confluenceTd">(objectClass=inetOrgPerson)</td><td colspan="1" rowspan="1" class="confluenceTd">Filter to determine intermediate certificates for trusted chain validation</td></tr></tbody></table>
+</div>
+
+
+<h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-IntegrationXKMSclientintoCXFruntime."></a>Integration XKMS client into CXF runtime.</h4>
 
-<p>XKMS client can be integrated into CXF and WSS4J using custom Crypto provider implementation. In this case XKMS service will be automatically invoked when WSS4J requires or validates certificate. Details are described in this <a shape="rect" class="external-link" href="http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html" rel="nofollow">blog</a>.</p>
+<p>XKMS client can be integrated into CXF and WSS4J using custom Crypto provider implementation. In this case XKMS service will be automatically invoked when WSS4J requires or validates certificate. Details are described in this <a shape="rect" class="external-link" href="http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html" rel="nofollow">blog</a>. Sample XKMS based implementation of WSS4J Crypto interface is contributed into XKMS Client component. </p>
 
 <h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-DataFormats"></a>Data Formats</h4>