Posted to java-user@axis.apache.org by Kent Tong <ke...@cpttm.org.mo> on 2007/12/12 06:01:19 UTC

[Axis2] rampart encryption and multiple clients

Hi,

To use rampart encryption, the service needs an <encryptionUser> setting. But how can this work if there can be multiple clients? Ideally this setting should be modifiable at runtime. If this is possible, how?

However, this won't solve the whole problem as it still needs the certificate for the client. Currently it must be in the keystore (for the Merlin provider). This won't work if the client is unknown (being unknown is fine as long as the certificate can be verified by a trusted CA). Is rampart designed to be used for known/fixed clients only?

Thanks!

-----
--
Kent Tong
Wicket tutorials freely available at http://www.agileskills2.org/EWDW
-- 
View this message in context: http://www.nabble.com/-Axis2--rampart-encryption-and-multiple-clients-tp14289084p14289084.html
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: [Axis2] rampart encryption and multiple clients

Posted by Kent Tong <ke...@cpttm.org.mo>.

Nunny wrote:
> 
> Hi Kent,
> 
>> This won't work if the client
>> is unknown (being unknown is fine as long as the certificate can be
>> verified
>> by a trusted CA). Is rampart designed to be used for known/fixed clients
>> only?
> 
> No, Rampart can be used in this kind of scenario. You have to set the
> encryption user as
> 
> <encryptionUser>useReqSigCert</encryptionUser>.
> 
> Then the certificate used to sign the request message will be used to
> encrypt the response message.
> If the certificate is not in the key store it has to be sent with the
> request as a binary token (according to the token inclusion property of
> the security token defined in the security policy).
> 

I see. Thanks!


-----
--
Kent Tong
Wicket tutorials freely available at http://www.agileskills2.org/EWDW
-- 
View this message in context: http://www.nabble.com/-Axis2--rampart-encryption-and-multiple-clients-tp14289084p14292657.html
Sent from the Axis - User mailing list archive at Nabble.com.




Re: [Axis2] rampart encryption and multiple clients

Posted by yueyue <wy...@mailbox.gxnu.edu.cn>.
Thanks very much, Nunny. I understand what you mean. :handshake:

Nunny wrote:
> 
> Hi  yueyue,
> 
>> I have a question: if the certificate is in the key store, how does the
>> server know who a client user is?
> 
> 
> There are a number of key referencing mechanisms defined in the WSS and
> WS-SecurityPolicy specifications. You can use a subject key identifier,
> issuer serial, thumbprint key identifier, etc. This information is unique,
> so we can get the referenced certificate from the key store using these
> references.
> 
> e.g.
> 
> Key referenced using a subject key identifier reference:
> 
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
>          xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>   <o:SecurityTokenReference>
>     <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">Xeg55vRyK3ZhAEhEf+YT0z986L0=</o:KeyIdentifier>
>   </o:SecurityTokenReference>
> </KeyInfo>
> 
> Key referenced using a thumbprint reference:
> 
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
>          xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>   <o:SecurityTokenReference>
>     <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#ThumbprintSHA1">NQM0IBvuplAtETQvk+6gn8C13wE=</o:KeyIdentifier>
>   </o:SecurityTokenReference>
> </KeyInfo>
> 
> Thanks,
> Nandana
> 

-- 
View this message in context: http://www.nabble.com/-Axis2--rampart-encryption-and-multiple-clients-tp14289084p14428302.html
Sent from the Axis - User mailing list archive at Nabble.com.




Re: [Axis2] rampart encryption and multiple clients

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi  yueyue,

> I have a question: if the certificate is in the key store, how does the
> server know who a client user is?


There are a number of key referencing mechanisms defined in the WSS and
WS-SecurityPolicy specifications. You can use a subject key identifier,
issuer serial, thumbprint key identifier, etc. This information is unique,
so we can get the referenced certificate from the key store using these
references.

e.g.

Key referenced using a subject key identifier reference:

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
         xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <o:SecurityTokenReference>
    <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">Xeg55vRyK3ZhAEhEf+YT0z986L0=</o:KeyIdentifier>
  </o:SecurityTokenReference>
</KeyInfo>

Key referenced using a thumbprint reference:

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
         xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <o:SecurityTokenReference>
    <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#ThumbprintSHA1">NQM0IBvuplAtETQvk+6gn8C13wE=</o:KeyIdentifier>
  </o:SecurityTokenReference>
</KeyInfo>

Thanks,
Nandana

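The lookup Nandana describes, as an added example that is not part of the thread and not Rampart or WSS4J code: given the ValueType and base64 value from a KeyIdentifier, it walks a plain JKS keystore and computes each certificate's SubjectKeyIdentifier and SHA-1 thumbprint until one matches. The class name, the command-line keystore path and password, and the small DER octet-string unwrapping are assumptions of this example; the ValueType URIs and the thumbprint value are the ones quoted in the post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;

/**
 * Resolves a <o:KeyIdentifier> reference to a certificate held in a keystore.
 * Illustrative only (hypothetical class); Merlin does the equivalent inside WSS4J.
 */
public class KeyIdentifierResolver {

    // ValueType URIs exactly as they appear in the two KeyInfo examples above
    static final String SKI_VALUE_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier";
    static final String THUMBPRINT_VALUE_TYPE =
        "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#ThumbprintSHA1";

    /** ThumbprintSHA1 reference value: base64(SHA-1(DER-encoded certificate)). */
    static String thumbprintSha1(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    /** base64 of the SubjectKeyIdentifier extension's key id, or null if the cert has none. */
    static String subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.14"); // id-ce-subjectKeyIdentifier
        if (ext == null) return null;
        // getExtensionValue() returns the extension's DER OCTET STRING; its content is
        // the SubjectKeyIdentifier value, itself an OCTET STRING holding the raw key id.
        byte[] keyId = unwrapOctetString(unwrapOctetString(ext));
        return Base64.getEncoder().encodeToString(keyId);
    }

    /** Strips one DER OCTET STRING header (tag 0x04, short- or long-form length). */
    static byte[] unwrapOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("expected a DER OCTET STRING");
        }
        int len = der[1] & 0xFF;
        int off = 2;
        if (len > 0x80) {                 // long form: low bits give the number of length bytes
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[off++] & 0xFF);
        }
        return Arrays.copyOfRange(der, off, off + len);
    }

    /** Returns the keystore certificate the reference points at, or null when none matches. */
    static X509Certificate resolve(KeyStore ks, String valueType, String base64Id) throws Exception {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            String id;
            if (SKI_VALUE_TYPE.equals(valueType)) {
                id = subjectKeyIdentifier(cert);
            } else if (THUMBPRINT_VALUE_TYPE.equals(valueType)) {
                id = thumbprintSha1(cert);
            } else {
                throw new IllegalArgumentException("unsupported ValueType: " + valueType);
            }
            if (base64Id.equals(id)) {
                cert.checkValidity();     // a matching but expired certificate is still unusable
                return cert;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // usage: java KeyIdentifierResolver <keystore.jks> <keystore-password>   (assumed arguments)
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // the thumbprint value quoted in the second KeyInfo example above
        X509Certificate hit = resolve(ks, THUMBPRINT_VALUE_TYPE, "NQM0IBvuplAtETQvk+6gn8C13wE=");
        System.out.println(hit == null ? "no matching certificate"
                                       : "matched " + hit.getSubjectX500Principal());
    }
}
```

The identifier only says which certificate the sender is referring to; it is the signature verified with that certificate, plus the chain check against the CA in the keystore, that establishes who the client is. Matching an identifier without then verifying the signature would let anyone name a trusted certificate they do not hold the key for, which is why the resolver is only the first step.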

Re: [Axis2] rampart encryption and multiple clients

Posted by yueyue <wy...@mailbox.gxnu.edu.cn>.
Hi Nunny,

> If the certificate is not in the key store it has to be sent with the
> request as a binary token (according to the token inclusion property of
> the security token defined in the security policy).
 
I have a question: if the certificate is in the key store, how does the
server know who a client user is?

Regards,

yueyue


Nunny wrote:
> 
> Hi Kent,
> 
>> This won't work if the client
>> is unknown (being unknown is fine as long as the certificate can be
>> verified
>> by a trusted CA). Is rampart designed to be used for known/fixed clients
>> only?
> 
> 
> No, Rampart can be used in this kind of scenario. You have to set the
> encryption user as
> 
> <encryptionUser>useReqSigCert</encryptionUser>.
> 
> Then the certificate used to sign the request message will be used to
> encrypt the response message.
> If the certificate is not in the key store it has to be sent with the
> request as a binary token (according to the token inclusion property of
> the security token defined in the security policy).
> 
> Regards,
> Nandana

-- 
View this message in context: http://www.nabble.com/-Axis2--rampart-encryption-and-multiple-clients-tp14289084p14409381.html
Sent from the Axis - User mailing list archive at Nabble.com.




Re: [Axis2] rampart encryption and multiple clients

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Kent,

> This won't work if the client
> is unknown (being unknown is fine as long as the certificate can be
> verified
> by a trusted CA). Is rampart designed to be used for known/fixed clients
> only?


No, Rampart can be used in this kind of scenario. You have to set the
encryption user as

<encryptionUser>useReqSigCert</encryptionUser>.

Then the certificate used to sign the request message will be used to
encrypt the response message.
If the certificate is not in the key store it has to be sent with the
request as a binary token (according to the token inclusion property of
the security token defined in the security policy).

Regards,
Nandana
