Posted to java-dev@axis.apache.org by Abdelrahman Almahmoud <fi...@hotmail.com> on 2013/04/01 14:26:06 UTC

RE: Using Rampart to send a proxy certificate and sign using a symmetric key

Thank you for the reply, I was studying up on WS-Security for a while and found this
"For example, symmetric binding can be used when only the server possesses a X509Token. Here, the initiator first creates an ephemeral key and then creates an encrypted key encrypting that ephemeral key using the recipient’s public key. This ephemeral key is then used for both signing and encrypting messages back and forth. This mechanism allows a Web service to sign and encrypt messages even with an anonymous client thus very useful at times"
http://wso2.org/library/3132

It is true that I possess an X.509 token, but I do not have the private key for it. Can I still use symmetric binding?
I am sorry if this is not the right place to ask this, and I appreciate the help.
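The quoted WSO2 passage describes the symmetric binding key exchange in prose; the following Go program is an added illustration of that mechanism, not code from this thread, from Rampart, or from WSO2. It uses only the Go standard library and substitutes RSA-OAEP and HMAC-SHA256 for the XML Encryption and XML Signature algorithms a real WS-Security stack would apply; the `Message` struct is a stand-in for the security header (the `EncryptedKey` element plus the signature value), not the SOAP wire format. The point it makes concrete is the one the quote states: the initiator needs only the recipient's public key, so a client holding a certificate without its private key can still sign (MAC) with a fresh ephemeral key that the recipient unwraps.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Recipient models the service side: it is the only party that holds a
// private key. The initiator (client) never needs one of its own.
type Recipient struct {
	key *rsa.PrivateKey
}

func NewRecipient() (*Recipient, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Recipient{key: k}, nil
}

// PublicKey is what the initiator learns from the recipient's X.509 token.
func (r *Recipient) PublicKey() *rsa.PublicKey { return &r.key.PublicKey }

// Message is a minimal stand-in for a SOAP message with a WS-Security header:
// the wrapped ephemeral key (EncryptedKey), the body, and the MAC over the body.
type Message struct {
	EncryptedKey []byte // ephemeral key, RSA-OAEP encrypted to the recipient
	Body         []byte
	Signature    []byte // HMAC-SHA256 over Body under the ephemeral key
}

// InitiatorSign is the initiator's side: create an ephemeral key, wrap it for
// the recipient, and MAC the body with it. It also returns the ephemeral key so
// the initiator can keep using it for the rest of the exchange.
func InitiatorSign(recipientPub *rsa.PublicKey, body []byte) (*Message, []byte, error) {
	ephemeral := make([]byte, 32) // 256-bit symmetric key, fresh per exchange
	if _, err := rand.Read(ephemeral); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, ephemeral, nil)
	if err != nil {
		return nil, nil, err
	}
	mac := hmac.New(sha256.New, ephemeral)
	mac.Write(body)
	return &Message{EncryptedKey: wrapped, Body: body, Signature: mac.Sum(nil)}, ephemeral, nil
}

// Verify is the recipient's side: unwrap the ephemeral key with the private key,
// recompute the MAC and compare it in constant time. The recovered key is
// returned so the recipient can protect its reply under the same key.
func (r *Recipient) Verify(msg *Message) ([]byte, error) {
	ephemeral, err := rsa.DecryptOAEP(sha256.New(), nil, r.key, msg.EncryptedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap ephemeral key: %w", err)
	}
	mac := hmac.New(sha256.New, ephemeral)
	mac.Write(msg.Body)
	if !hmac.Equal(mac.Sum(nil), msg.Signature) {
		return nil, errors.New("signature verification failed")
	}
	return ephemeral, nil
}

func main() {
	recipient, err := NewRecipient()
	if err != nil {
		panic(err)
	}
	// Constructed sample body; a real message would be the canonicalised SOAP Body.
	body := []byte(`<soap:Body><getQuote>IBM</getQuote></soap:Body>`)
	msg, _, err := InitiatorSign(recipient.PublicKey(), body)
	if err != nil {
		panic(err)
	}
	fmt.Println("EncryptedKey (base64 prefix):", base64.StdEncoding.EncodeToString(msg.EncryptedKey)[:24], "...")
	if _, err := recipient.Verify(msg); err != nil {
		panic(err)
	}
	fmt.Println("signature verified with the unwrapped ephemeral key")
	// Any change to the signed body after the fact must be detected.
	msg.Body = bytes.Replace(msg.Body, []byte("IBM"), []byte("MSFT"), 1)
	_, err = recipient.Verify(msg)
	fmt.Println("tampered body:", err)
}
```

The two things worth noticing when reading it against the quote: the ephemeral key is generated by the initiator and bound to the recipient by the wrap under the recipient's public key, and the recipient's ability to unwrap it is what later lets the service sign and encrypt its replies under the same key.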
From: mgainty@hotmail.com
To: java-dev@axis.apache.org
Subject: RE: Using Rampart to send a proxy certificate and sign using a symmetric key
Date: Wed, 20 Mar 2013 19:31:32 -0400
the sts-policy-symm-binding.xml from the integration samples inside Rampart is what you want to start with

1) read the xsd declared at the top
2) have a good understanding of what you're doing before you make the change
3) implement the service which implements sts-policy-symm-binding.xml
make sure you engage rampart
run the client code which implements sts-policy-symm-binding.xml

-- creating the aar change to rampart-integration
cd \rampart\rampart-src-1.4\modules\rampart-integration
vi .\src\test\resources\rampart\services-20.xml

tweak the signatureCrypto to replace default Merlin attributes with bouncycastle attributes
 
<ramp:signatureCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">test-resources/rahas/policy/store.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
    </ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
    </ramp:crypto>
</ramp:encryptionCrypto>
 
if your X509 cert is v3 you're in luck
if your cert is NOT X509 v3 you have to change the WssX509V3Token10 element
change
<sp:WssX509V3Token10/>
to your specific version of X509

Java code:
the only java mod to be aware of is when the service responds to your PWCallback class
<ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>
 
--  run mvn process-test-resources
mvn process-test-resources

use the Axis Admin tool to 
upload the new service aar into Axis located at
target/test-resources/rampart_service_repo/services/SecureService20.aar
 
engage the following modules:
rampart-src-1.4/modules/rampart-integration/target/test-resources/rampart_service_repo/modules/addressing-${addressing.mar.version}.mar
rampart-src-1.4/modules/rampart-integration/target/test-resources/rampart_service_repo/modules/rahas-${addressing.mar.version}.mar
rampart-src-1.4/modules/rampart-integration/target/test-resources/rampart_service_repo/modules/rampart-mar-${addressing.mar.version}.mar

if you don't have them run process-test-resources e.g.
mvn process-test-resources

ping back here if you have any questions

Martin Gainty 
______________________________________________ 
Disclaimer and confidentiality notice

This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorized forwarding or copying is not permitted. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept liability for their content.

From: fire_storm5002@hotmail.com
To: java-dev@axis.apache.org
Subject: RE: Using Rampart to send a proxy certificate and sign using a symmetric key
Date: Wed, 20 Mar 2013 10:57:46 +0000
Thank you for the reply, this sounds like what I want to do
I just want to clarify one thing. We have our own STS which uses the Bouncycastle library to generate a certificate and a key to send to the client. So the client now has a Proxy Certificate (only the public key is known to the client, no private key supplied) and a secret symmetric key.
One of the things that confused me is how Rampart reads this information. I got it in byte form but I am unsure how to direct rampart to it or ask it to use it.
Sincerely,

> Date: Tue, 19 Mar 2013 17:32:11 -0400
> Subject: Re: Using Rampart to send a proxy certificate and sign using a symmetric key
> From: ruchith.fernando@gmail.com
> To: java-dev@axis.apache.org
> 
> Hi,
> 
> To do this with rampart, first you need to be able to express your
> requirements in WS-SecurityPolicy.
> 
> Since you mentioned the use of a symmetric key to sign (MAC) (as in
> 3.4 of [1]) I suppose you will have to try to use a SymmetricBinding
> policy (Example [2]). This will involve getting a token issued by an
> STS which will include the certificate, and a symmetric key (since you
> need this to sign/mac). This will be the IssuedToken specified in the
> policy.
> 
> Then Rampart should be able to use the token and include it in the
> security header and sign using the given key value.
> 
> I'm not sure whether this works, but I will take a crack at generating
> an example of this over the weekend.
> 
> Thanks,
> Ruchith
> 
> 1. https://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
> 2. http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc100567712
> 
> On Sun, Mar 17, 2013 at 3:10 AM, Abdelrahman Almahmoud
> <fi...@hotmail.com> wrote:
> > Thank you for the reply
> >
> > I understand the typical use of certificates as I have worked in security
> > for a while, it is a bit complicated to explain and I am not even sure if I
> > am allowed to discuss this so I will avoid talking about the architecture. I
> > appreciate the comments but as I mentioned, our use case is a little
> > different than usual. I am trying to avoid using SSL altogether because of
> > various reasons as well.
> >
> > What I simply want to do is give rampart my X.509 certificate and have it
> > send it to my target where I will try to have rampart do what I want or
> > simply write my own handler to make it do that.
> >
> > I also want rampart to sign that message using my own symmetric key. We have
> > our reasons to use symmetric keys here. If Rampart can't do this, can I
> > write a handler to do this myself and ask rampart to include this into the
> > SOAP message?
> >
> >
> >
> >
> > ________________________________
> > From: mgainty@hotmail.com
> > To: java-dev@axis.apache.org
> > Subject: RE: Using Rampart to send a proxy certificate and sign using a
> > symmetric key
> > Date: Thu, 14 Mar 2013 06:32:42 -0400
> >
> >
> >
> > ________________________________
> > From: fire_storm5002@hotmail.com
> > To: java-dev@axis.apache.org
> > Subject: Using Rampart to send a proxy certificate and sign using a
> > symmetric key
> > Date: Thu, 14 Mar 2013 08:59:15 +0000
> >
> > Hi
> >
> >
> > I have a bit of a unique situation, I am writing an Axis2 client and have to
> > follow a certain procedure. I would like to use Rampart to do the following,
> >
> > 1- I have a proxy certificate issued by a server for me, this certificate
> > has my username and the server's public key, I would like to have rampart to
> > send this certificate.
> > MG>A certificate is generally used by Browsers for verifying you are who
> > you are and you wish to communicate to server with these specific
> > credentials
> > As far as I know, the samples only show how to have rampart use a
> > certificate from a key store
> > MG>from the trust-store called cacerts
> >
> > is there another way to do it?
> > MG>First step is to get the cert working to validate you to the external
> > interface
> >
> > MG>Second step is to setup a SSLv2 or SSLv3 session (using some known
> > transport) to the server
> >
> > 2- I would like Rampart to sign the request using a Symmetric key. As far as
> > I know, rampart takes the key from a key store but I am not sure how to ask
> > it to sign the request using this key and such
> >
> > The samples didn't help much with this and I am not sure where to find more
> > information
> > Any help is greatly appreciated
> >
> > MG>Read this cover to cover
> > http://download.java.net/jdk8/docs/technotes/guides/security/jsse/JSSERefGuide.html
> >
> > Thanks
> 
> 
> 
> -- 
> http://ruchith.org
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
> For additional commands, e-mail: java-dev-help@axis.apache.org
> 

RE: Using Rampart to send a proxy certificate and sign using a symmetric key

Posted by Abdelrahman Almahmoud <fi...@hotmail.com>.
Just a follow-up question: where can I find the sts-policy-symm-binding.xml? The rampart distribution folder has no such file.
Thanks
