Posted to java-user@axis.apache.org by Rajan Gupta <Ra...@Yodlee.com> on 2009/12/10 23:41:17 UTC

Axis2 Rampart - Key Rotation

I am using Rampart 1.4 with Axis2 1.4.1. We are signing and encrypting
the SOAP body.

On the server side to support multiple clients, we have specified the
value "useReqSigCert" for the parameter ramp:encryptionUser. 

On the client side, we have specified the alias of server certificate as
the value for the parameter ramp:encryptionUser.

My question is around key rotation. 

Case 1: Client has a new certificate. 

-----------------------------------------------

As per my understanding this should be as simple as importing the new
client certificate into the server keystore with a new alias. Since we
don't use client certificate alias names on the server side, as and when
the client starts sending us requests signed with the new certificate, the
server will start using the new certificate to verify the signature and
encrypt the response. Please confirm if my understanding is correct.

Case 2: Server has a new certificate

-----------------------------------------------

Without the need to synchronize client and server deployment activities,
I am not sure how this can be done without downtime, as the server
certificate alias name, which is tied to the old certificate, is used in
the Rampart configuration. Any suggestions? Is there any best-practices
document available with details on this topic?

Thanks in advance,

Rajan
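The Case 1 reasoning in the post, as an added example that is not from the original message and not Rampart or WSS4J code: a simplified Go model of useReqSigCert in which the server resolves the signer by comparing the certificate presented in the request against every truststore entry, so the alias chosen when importing a rotated client certificate plays no part in trust. Assumed: self-signed certificates generated inline, and a PKCS#1 v1.5/SHA-256 signature over the raw body as a stand-in for the WS-Security XML signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// TrustStore models the server keystore: alias -> trusted certificate.
type TrustStore map[string]*x509.Certificate
// NewSelfSigned builds a constructed self-signed certificate and key for the demo
// (errors ignored to keep the example short).
func NewSelfSigned(cn string, serial int64) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SignBody stands in for the client's WS-Security signature over the SOAP body.
func SignBody(key *rsa.PrivateKey, body []byte) []byte {
	h := sha256.Sum256(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return sig
}

// VerifyRequest models useReqSigCert: the certificate carried in the request is matched
// against truststore entries by value, never by alias; the alias is returned only for display.
func VerifyRequest(ts TrustStore, body, sig []byte, presented *x509.Certificate) (string, error) {
	for alias, trusted := range ts {
		if !trusted.Equal(presented) {
			continue
		}
		h := sha256.Sum256(body)
		pub, _ := trusted.PublicKey.(*rsa.PublicKey) // RSA only in this demo
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
			return "", err
		}
		return alias, nil // the response would then be encrypted to this same certificate
	}
	return "", errors.New("signer certificate not present in trust store")
}
```

Importing the rotated client certificate under any new alias is enough for the server to accept the new signature, while the old entry keeps working for clients not yet switched over.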