Posted to rampart-dev@ws.apache.org by Suran Jayathilaka <su...@wso2.com> on 2008/06/11 07:31:13 UTC

Rampart download link broken

Hi,
The standard bin zip distro download link on 
http://ws.apache.org/rampart/download/1.4/download is broken.

Thanks.
Suran

-- 
U. Suran Jayathilaka
WSO2, Inc. - http://www.wso2.com

http://suranjay.blogspot.com


Re: Rampart download link broken

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi,
   I think now this is fixed. We were waiting for this to be properly reflected
to send the release note. And you also need to go through the link
http://ws.apache.org/rampart/download/1.4/download.cgi, otherwise mirrors
won't be set correctly.

thanks,
nandana

On Wed, Jun 11, 2008 at 8:31 AM, Suran Jayathilaka <su...@wso2.com> wrote:

> Hi,
> The standard bin zip distro download link on
> http://ws.apache.org/rampart/download/1.4/download is broken.
>
> Thanks.
> Suran
>
> --
> U. Suran Jayathilaka
> WSO2, Inc. - http://www.wso2.com
>
> http://suranjay.blogspot.com
>
>


-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/

Re: Question about Rampart

Posted by Fabien Couvert <fa...@bull.net>.
OK, it works with these client files:

    <parameter name="InflowSecurity">
        <action>
            <items>Encrypt</items>
            <passwordCallbackClass>
                fr.bull.presto.emetteur.commun.PWCBHandler
            </passwordCallbackClass>
            <decryptionPropFile>client.properties</decryptionPropFile>
        </action>
    </parameter>
    <parameter name="OutflowSecurity">
        <action>
            <items>Signature Encrypt</items>
            <user>client</user>
            <signaturePropFile>client.properties</signaturePropFile>
            <passwordCallbackClass>
                fr.bull.presto.emetteur.commun.PWCBHandler
            </passwordCallbackClass>
            <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
            <encryptionUser>service</encryptionUser>
            <encryptionPropFile>client.properties</encryptionPropFile>
        </action>
    </parameter>

and the server side :
        <module ref="rampart" />
        <parameter name="OutflowSecurity">
            <action>
                <items>Encrypt</items>
                <encryptionUser>useReqSigCert</encryptionUser>
                <encryptionPropFile>
                    service.properties
                </encryptionPropFile>
            </action>
        </parameter>
        <parameter name="InflowSecurity">
            <action>
                <items>Signature Encrypt</items>
                <signaturePropFile>service.properties</signaturePropFile>
                <passwordCallbackClass>
                    fr.bull.presto.recepteur.api.PWCBHandler
                </passwordCallbackClass>
                <decryptionPropFile>
                    service.properties
                </decryptionPropFile>
            </action>
        </parameter>

But now, I have another question :)
Currently the client uses the public key of the server stored in the keystore.
If I want to give my client application to many users, how can I change
the public and private key of the client in the client keystore (to give
a different key to each client) while keeping the public key of the
server in it?
Is it possible to generate the keystore for every client with the server
public key included?

Thank you very much.


Nandana Mihindukulasooriya wrote:
>> Then :
>>
>>   * The client encrypt with the public key of the server wiich is
>>     store in the keystore of the client.
>>     
>
>
> yes.
>
>   * The server respond to the client with the key that it is in the
>   
>>     header of the soap request ?
>>     
>
>
> Depends on the value of the encryptionUser parameter in the rampart
> configuration. If the encryptionUser value is a certificate alias such as
> "client", the server will look at the key store and pick the certificate
> according to the alias given in the encryptionUser parameter. But
> encryptionUser has a special value "useReqSigCert" which tells the server
> to use the certificate that was used to sign the request to encrypt the
> response. But it doesn't necessarily mean that the request had the certificate
> in the security header. In some cases, the security header carries the binary
> certificate and sometimes not. AFAIK the <signatureKeyIdentifier/> is used
> to decide whether to send the binary certificate in the security header or
> not. If you use
> <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>, then
> the security header will contain the binary certificate of the client in the
> security header of the request. In other cases, different referencing
> mechanisms will be used. For example, a subject key identifier may be used
> and the server will pick the certificate according to the SKI value to verify the
> signature of the incoming request and will cache that certificate so that
> the same certificate can be used to encrypt the response back to the client.
>
>
> But in my case the server use a keystore like the client.
>   
>> I want to do the response with the key given by the client in the header
>> soap how I can do that please ?
>>     
>
>
> You need to change the encryptionUser value in Rampart configuration in the
> services.xml to "useReqSigCert".
> Then add the property
> <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier> to the same
> configuration.
> Anyway the server must trust the client's certificate for this to work
> correctly. For example, the client certificate must be issued by CA that the
> service trusts.
>
> And if you are just starting to use Rampart, I would recommend you to use
> WS  Security Policy based configuration . You can find  policy based samples
> , under samples/policy in the Rampart binary distribution.
>
> thanks,
> nandana
>
> Here is my client_axis2.xml in the client side:
>   
>>   <module ref="rampart" />
>>   <parameter name="InflowSecurity">
>>       <action>
>>           <items>Encrypt</items>
>>           <passwordCallbackClass>
>>               fr.bull.presto.emetteur.commun.PWCBHandler
>>           </passwordCallbackClass>
>>           <decryptionPropFile>client.properties</decryptionPropFile>
>>       </action>
>>   </parameter>
>>   <parameter name="OutflowSecurity">
>>       <action>
>>           <items>Encrypt</items>
>>           <encryptionUser>service</encryptionUser>
>>           <encryptionPropFile>client.properties</encryptionPropFile>
>>       </action>
>>   </parameter>
>>
>> and here my service.xml in the server side :
>>   <module ref="rampart" />
>>   <parameter name="OutflowSecurity">
>>       <action>
>>           <items>Encrypt</items>
>>           <encryptionUser>client</encryptionUser>
>>           <encryptionPropFile>
>>               service.properties
>>           </encryptionPropFile>
>>       </action>
>>   </parameter>
>>   <parameter name="InflowSecurity">
>>       <action>
>>           <items>Encrypt</items>
>>           <passwordCallbackClass>
>>               fr.bull.presto.recepteur.api.PWCBHandler
>>           </passwordCallbackClass>
>>           <decryptionPropFile>
>>               service.properties
>>           </decryptionPropFile>
>>       </action>
>>   </parameter>
>>
>> The client include natively his public key in the soap header or not ?
>> How can I specify to the server to use this public key of the client to
>> crypt the response ?
>>
>> Thank a lot
>>
>> Nandana Mihindukulasooriya wrote:
>>
>>  On Wed, Jun 11, 2008 at 7:41 PM, Fabien Couvert <fa...@bull.net>
>>     
>>> wrote:
>>>
>>>
>>>
>>>       
>>>> Hi all,
>>>> I have a question about the mechanism of Encryption with asymmetric key.
>>>> In my application I use 2 keystore, one for the client(specified in the
>>>> client.properties file) and one for the server (specified in the
>>>> service.properties).
>>>>
>>>> In the client conf file I added :
>>>>      <items>Encrypt</items>
>>>>      <encryptionUser>service</encryptionUser>
>>>>      <encryptionPropFile>client.properties</encryptionPropFile>
>>>>    </action>
>>>>
>>>> Everything works fine but how ?! :)
>>>>
>>>> How the client can crypt the message with the public key of the server ?
>>>> (name service)
>>>>
>>>>
>>>>         
>>> In the keystore of the client, you must be having the service's
>>> certificate
>>> with the alias "service". You can check this with the java keytool. Use
>>> the
>>> command given bellow to check the content of the key store.
>>>
>>> $ keytool -v -list -keystore /path/to/keystore.jks -storepass
>>> keystore-password
>>>
>>> How the client recover the public key of the server ?
>>>
>>> It has to be there in the client's key store. But in the server side, if
>>> you
>>> have use "useReqSigCert" as the encryption user , binary certificate which
>>> was in security header of the request can be used to encrypt the message
>>> back to the client.
>>>
>>>
>>>
>>>       
>>     


Re: Question about Rampart

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
> Then :
>
>   * The client encrypts with the public key of the server which is
>     stored in the keystore of the client.


yes.

>   * The server responds to the client with the key that is in the
>     header of the soap request ?


Depends on the value of the encryptionUser parameter in the rampart
configuration. If the encryptionUser value is a certificate alias such as
"client", the server will look at the key store and pick the certificate
according to the alias given in the encryptionUser parameter. But
encryptionUser has a special value "useReqSigCert" which tells the server
to use the certificate that was used to sign the request to encrypt the
response. But it doesn't necessarily mean that the request had the certificate
in the security header. In some cases, the security header carries the binary
certificate and sometimes not. AFAIK the <signatureKeyIdentifier/> is used
to decide whether to send the binary certificate in the security header or
not. If you use
<signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>, then
the security header will contain the binary certificate of the client in the
security header of the request. In other cases, different referencing
mechanisms will be used. For example, a subject key identifier may be used
and the server will pick the certificate according to the SKI value to verify the
signature of the incoming request and will cache that certificate so that
the same certificate can be used to encrypt the response back to the client.


> But in my case the server uses a keystore like the client.
> I want to do the response with the key given by the client in the SOAP
> header. How can I do that, please?


You need to change the encryptionUser value in the Rampart configuration in the
services.xml to "useReqSigCert".
Then add the property
<signatureKeyIdentifier>DirectReference</signatureKeyIdentifier> to the same
configuration.
Anyway, the server must trust the client's certificate for this to work
correctly. For example, the client certificate must be issued by a CA that the
service trusts.

And if you are just starting to use Rampart, I would recommend that you use
WS Security Policy based configuration. You can find policy based samples
under samples/policy in the Rampart binary distribution.

thanks,
nandana

> Here is my client_axis2.xml in the client side:
>   <module ref="rampart" />
>   <parameter name="InflowSecurity">
>       <action>
>           <items>Encrypt</items>
>           <passwordCallbackClass>
>               fr.bull.presto.emetteur.commun.PWCBHandler
>           </passwordCallbackClass>
>           <decryptionPropFile>client.properties</decryptionPropFile>
>       </action>
>   </parameter>
>   <parameter name="OutflowSecurity">
>       <action>
>           <items>Encrypt</items>
>           <encryptionUser>service</encryptionUser>
>           <encryptionPropFile>client.properties</encryptionPropFile>
>       </action>
>   </parameter>
>
> and here my service.xml in the server side :
>   <module ref="rampart" />
>   <parameter name="OutflowSecurity">
>       <action>
>           <items>Encrypt</items>
>           <encryptionUser>client</encryptionUser>
>           <encryptionPropFile>
>               service.properties
>           </encryptionPropFile>
>       </action>
>   </parameter>
>   <parameter name="InflowSecurity">
>       <action>
>           <items>Encrypt</items>
>           <passwordCallbackClass>
>               fr.bull.presto.recepteur.api.PWCBHandler
>           </passwordCallbackClass>
>           <decryptionPropFile>
>               service.properties
>           </decryptionPropFile>
>       </action>
>   </parameter>
>
> The client include natively his public key in the soap header or not ?
> How can I specify to the server to use this public key of the client to
> crypt the response ?
>
> Thank a lot
>
> Nandana Mihindukulasooriya wrote:
>
>  On Wed, Jun 11, 2008 at 7:41 PM, Fabien Couvert <fa...@bull.net>
>> wrote:
>>
>>
>>
>>> Hi all,
>>> I have a question about the mechanism of Encryption with asymmetric key.
>>> In my application I use 2 keystore, one for the client(specified in the
>>> client.properties file) and one for the server (specified in the
>>> service.properties).
>>>
>>> In the client conf file I added :
>>>      <items>Encrypt</items>
>>>      <encryptionUser>service</encryptionUser>
>>>      <encryptionPropFile>client.properties</encryptionPropFile>
>>>    </action>
>>>
>>> Everything works fine but how ?! :)
>>>
>>> How the client can crypt the message with the public key of the server ?
>>> (name service)
>>>
>>>
>>
>>
>> In the keystore of the client, you must be having the service's
>> certificate
>> with the alias "service". You can check this with the java keytool. Use
>> the
>> command given bellow to check the content of the key store.
>>
>> $ keytool -v -list -keystore /path/to/keystore.jks -storepass
>> keystore-password
>>
>> How the client recover the public key of the server ?
>>
>> It has to be there in the client's key store. But in the server side, if
>> you
>> have use "useReqSigCert" as the encryption user , binary certificate which
>> was in security header of the request can be used to encrypt the message
>> back to the client.
>>
>>
>>
>
>
-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
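
The dependency between the two sides described in this reply, as an added example that is not part of the original thread or of Rampart: a Python check that reads a client and a service parameter fragment and reports when "useReqSigCert" has no signed request to take a certificate from. The fragments are constructed from the configurations quoted in the thread; flow, signs and audit are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the configurations quoted in the thread.
CLIENT_SIGNED = """<parameter name="OutflowSecurity"><action>
  <items>Signature Encrypt</items>
  <user>client</user>
  <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
  <encryptionUser>service</encryptionUser>
</action></parameter>"""
CLIENT_ENCRYPT_ONLY = """<parameter name="OutflowSecurity"><action>
  <items>Encrypt</items>
  <encryptionUser>service</encryptionUser>
</action></parameter>"""
SERVICE_REQ_SIG_CERT = """<parameter name="OutflowSecurity"><action>
  <items>Encrypt</items>
  <encryptionUser>useReqSigCert</encryptionUser>
</action></parameter>
<parameter name="InflowSecurity"><action>
  <items>Signature Encrypt</items>
</action></parameter>"""
SERVICE_FIXED_ALIAS = """<parameter name="OutflowSecurity"><action>
  <items>Encrypt</items>
  <encryptionUser>client</encryptionUser>
</action></parameter>
<parameter name="InflowSecurity"><action>
  <items>Encrypt</items>
</action></parameter>"""

def flow(fragment, name):
    """Return {tag: text} for the <action> of the named parameter, else {}."""
    # The fragments have no single root element, so wrap them before parsing.
    root = ET.fromstring("<root>" + fragment + "</root>")
    for param in root.findall("parameter"):
        action = param.find("action")
        if param.get("name") == name and action is not None:
            return {el.tag: (el.text or "").strip() for el in action}
    return {}

def signs(action):
    """True when the action's <items> list includes Signature."""
    return "Signature" in action.get("items", "").split()

def audit(client_xml, service_xml):
    """List ways the service's response encryption can fail for this client."""
    c_out = flow(client_xml, "OutflowSecurity")
    s_in = flow(service_xml, "InflowSecurity")
    enc_user = flow(service_xml, "OutflowSecurity").get("encryptionUser", "")
    findings = []
    if enc_user == "useReqSigCert":
        if not signs(c_out):
            findings.append("client request is unsigned: no certificate to reuse")
        elif c_out.get("signatureKeyIdentifier") != "DirectReference":
            findings.append("certificate not sent: service must resolve it itself")
        if not signs(s_in):
            findings.append("service InflowSecurity does not process Signature")
    elif enc_user:
        findings.append("every response is encrypted to alias '%s'" % enc_user)
    return findings
```

An empty list from audit means the request carries a signature and its certificate, so the service has something to encrypt the response to.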

Re: Question about Rampart

Posted by Fabien Couvert <fa...@bull.net>.
thank you

Then :

    * The client encrypts with the public key of the server which is
      stored in the keystore of the client.

    * The server responds to the client with the key that is in the
      header of the soap request ?

But in my case the server uses a keystore like the client.
I want to do the response with the key given by the client in the SOAP
header. How can I do that, please?

Here is my client_axis2.xml in the client side:
    <module ref="rampart" />
    <parameter name="InflowSecurity">
        <action>
            <items>Encrypt</items>
            <passwordCallbackClass>
                fr.bull.presto.emetteur.commun.PWCBHandler
            </passwordCallbackClass>
            <decryptionPropFile>client.properties</decryptionPropFile>
        </action>
    </parameter>
    <parameter name="OutflowSecurity">
        <action>
            <items>Encrypt</items>
            <encryptionUser>service</encryptionUser>
            <encryptionPropFile>client.properties</encryptionPropFile>
        </action>
    </parameter>

and here my service.xml in the server side :
    <module ref="rampart" />
    <parameter name="OutflowSecurity">
        <action>
            <items>Encrypt</items>
            <encryptionUser>client</encryptionUser>
            <encryptionPropFile>
                service.properties
            </encryptionPropFile>
        </action>
    </parameter>
    <parameter name="InflowSecurity">
        <action>
            <items>Encrypt</items>
            <passwordCallbackClass>
                fr.bull.presto.recepteur.api.PWCBHandler
            </passwordCallbackClass>
            <decryptionPropFile>
                service.properties
            </decryptionPropFile>
        </action>
    </parameter>

Does the client natively include its public key in the SOAP header or not?
How can I specify to the server to use this public key of the client to
encrypt the response?

Thanks a lot

Nandana Mihindukulasooriya wrote:
> On Wed, Jun 11, 2008 at 7:41 PM, Fabien Couvert <fa...@bull.net>
> wrote:
>
>   
>> Hi all,
>> I have a question about the mechanism of Encryption with asymmetric key.
>> In my application I use 2 keystore, one for the client(specified in the
>> client.properties file) and one for the server (specified in the
>> service.properties).
>>
>> In the client conf file I added :
>>       <items>Encrypt</items>
>>       <encryptionUser>service</encryptionUser>
>>       <encryptionPropFile>client.properties</encryptionPropFile>
>>     </action>
>>
>> Everything works fine but how ?! :)
>>
>> How the client can crypt the message with the public key of the server ?
>> (name service)
>>     
>
>
> In the keystore of the client, you must be having the service's certificate
> with the alias "service". You can check this with the java keytool. Use the
> command given bellow to check the content of the key store.
>
> $ keytool -v -list -keystore /path/to/keystore.jks -storepass
> keystore-password
>
> How the client recover the public key of the server ?
>   
>
> It has to be there in the client's key store. But in the server side, if you
> have use "useReqSigCert" as the encryption user , binary certificate which
> was in security header of the request can be used to encrypt the message
> back to the client.
>
>   


Re: Question about Rampart

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
On Wed, Jun 11, 2008 at 7:41 PM, Fabien Couvert <fa...@bull.net>
wrote:

> Hi all,
> I have a question about the mechanism of Encryption with asymmetric key.
> In my application I use 2 keystore, one for the client(specified in the
> client.properties file) and one for the server (specified in the
> service.properties).
>
> In the client conf file I added :
>       <items>Encrypt</items>
>       <encryptionUser>service</encryptionUser>
>       <encryptionPropFile>client.properties</encryptionPropFile>
>     </action>
>
> Everything works fine but how ?! :)
>
> How the client can crypt the message with the public key of the server ?
> (name service)


In the keystore of the client, you must have the service's certificate
with the alias "service". You can check this with the Java keytool. Use the
command given below to check the content of the key store.

$ keytool -v -list -keystore /path/to/keystore.jks -storepass keystore-password

> How the client recover the public key of the server ?

It has to be there in the client's key store. But on the server side, if you
have used "useReqSigCert" as the encryption user, the binary certificate which
was in the security header of the request can be used to encrypt the message
back to the client.

-- 
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/

Question about Rampart

Posted by Fabien Couvert <fa...@bull.net>.
Hi all,
I have a question about the mechanism of encryption with asymmetric keys.
In my application I use 2 keystores, one for the client (specified in the
client.properties file) and one for the server (specified in the
service.properties).

In the client conf file I added :
        <items>Encrypt</items>
        <encryptionUser>service</encryptionUser>
        <encryptionPropFile>client.properties</encryptionPropFile>
      </action>

Everything works fine but how ?! :)

How can the client encrypt the message with the public key of the server?
(name service)
How does the client recover the public key of the server?

It isn't stored in the client keystore, no?

Thanks for your light :)