Posted to rampart-dev@ws.apache.org by Nate Roe <na...@vegas.com> on 2008/04/12 01:39:15 UTC

Some PKI Questions

I've secured a service using Rampart, and now I'm considering how to implement the certificate issuance portion.

To get the service running, I followed Ruchith Fernando's tutorial:
http://wso2.org/library/174

Is it necessary to modify the service's keystore to add new client certificates?  Is it possible to store the service's copy of the client's public keys in a database or in separate files in the filesystem?

Why does my password callback class need to supply the client's certificate password?  It's just supposed to be the client's public key, right?  So, why the password?

Thanks,
Nate Roe

Re: Some PKI Questions

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Alberto,
      Great, this will be helpful. Can you change the policy samples as
Dimuthu has mentioned and attach the patch to a JIRA.

thanks,
nandana

On Sat, Apr 19, 2008 at 10:45 AM, Alberto Patino <pa...@gmail.com>
wrote:

> Cool, if you are interested I'd be glad to help in some way to build such
> demo
>
> Thanks
>
> On Thu, Apr 17, 2008 at 10:27 PM, Dimuthu Leelarathne <di...@wso2.com>
> wrote:
> > Hi Alberto,
> >
> >  It is good that you pointed out that we do not have samples that demonstrate
> >  the full abilities. We will include a sample to demonstrate how it can
> >  be scaled in the future. The sample will demonstrate how trust is
> >  validated traversing up the certificate chain.
> >
> >  Thank you,
> >  Dimuthu
> >
> >
> >
> >  On Thu, 2008-04-17 at 15:08 -0500, Alberto Patino wrote:
> >  > I have run rampart demos and it's obvious that a java keystore
> doesn't
> >  > scale well. If I want to propagate user identity in service invokes
> >  > through the use of certificates what happens in an environment with
> >  > thousands of users?
> >  >
> >  > I have always had this question...
> >  >
> >  > On Tue, Apr 15, 2008 at 10:01 PM, Dimuthu Leelarathne <
> dimuthul@wso2.com> wrote:
> >  > > Hi Nate,
> >  > >
> >  > >  Please see my comments below.
> >  > >
> >  > >
> >  > >  On Fri, 2008-04-11 at 16:39 -0700, Nate Roe wrote:
> >  > >  > I've secured a service using Rampart, and now I'm considering
> how to implement the certificate issuance portion.
> >  > >  >
> >  > >  > To get the service running, I followed Ruchith Fernando's
> tutorial:
> >  > >  > http://wso2.org/library/174
> >  > >  >
> >  > >  > Is it necessary to modify the service's keystore to add new
> client certificates?  Is it possible to store the service's copy of the
> client's public keys in a database or in separate files in the filesystem?
> >  > >  The easiest way to do this would be to ask the client to include
> the
> >  > >  certificate in the request message always. If we want to store a
> >  > >  certificate, we usually store it in the KeyStore, so that Rampart
> can
> >  > >  easily pick it up from KeyStore.
> >  > >
> >  > >
> >  > >
> >  > >  > Why does my password callback class need to supply the client's
> certificate password?  It's just supposed to be the client's public key,
> right?  So, why the password?
> >  > >
> >  > >  Even though we have a single password callback class in Rampart
> samples,
> >  > >  in the real world scenario there should be two password callback
> classes
> >  > >  - one for server and one for client.
> >  > >
> >  > >  At the server side the password callback class does not need to supply
> >  > >  the client's password.
> >  > >
> >  > >  Thank you,
> >  > >  Dimuthu
> >  > >
> >  > >  > Thanks,
> >  > >  > Nate Roe
> >  > >
> >  > >
> >  >
> >  >
> >  >
> >
> >
>
>
>
> --
> Don't be evil!!!
>

Re: Some PKI Questions

Posted by Alberto Patino <pa...@gmail.com>.
Cool, if you are interested I'd be glad to help in some way to build such demo

Thanks

On Thu, Apr 17, 2008 at 10:27 PM, Dimuthu Leelarathne <di...@wso2.com> wrote:
> Hi Alberto,
>
>  It is good that you pointed out that we do not have samples that demonstrate
>  the full abilities. We will include a sample to demonstrate how it can
>  be scaled in the future. The sample will demonstrate how trust is
>  validated traversing up the certificate chain.
>
>  Thank you,
>  Dimuthu
>
>
>
>  On Thu, 2008-04-17 at 15:08 -0500, Alberto Patino wrote:
>  > I have run rampart demos and it's obvious that a java keystore doesn't
>  > scale well. If I want to propagate user identity in service invokes
>  > through the use of certificates what happens in an environment with
>  > thousands of users?
>  >
>  > I have always had this question...
>  >
>  > On Tue, Apr 15, 2008 at 10:01 PM, Dimuthu Leelarathne <di...@wso2.com> wrote:
>  > > Hi Nate,
>  > >
>  > >  Please see my comments below.
>  > >
>  > >
>  > >  On Fri, 2008-04-11 at 16:39 -0700, Nate Roe wrote:
>  > >  > I've secured a service using Rampart, and now I'm considering how to implement the certificate issuance portion.
>  > >  >
>  > >  > To get the service running, I followed Ruchith Fernando's tutorial:
>  > >  > http://wso2.org/library/174
>  > >  >
>  > >  > Is it necessary to modify the service's keystore to add new client certificates?  Is it possible to store the service's copy of the client's public keys in a database or in separate files in the filesystem?
>  > >  The easiest way to do this would be to ask the client to include the
>  > >  certificate in the request message always. If we want to store a
>  > >  certificate, we usually store it in the KeyStore, so that Rampart can
>  > >  easily pick it up from KeyStore.
>  > >
>  > >
>  > >
>  > >  > Why does my password callback class need to supply the client's certificate password?  It's just supposed to be the client's public key, right?  So, why the password?
>  > >
>  > >  Even though we have a single password callback class in Rampart samples,
>  > >  in the real world scenario there should be two password callback classes
>  > >  - one for server and one for client.
>  > >
>  > >  At the server side the password callback class does not need to supply
>  > >  the client's password.
>  > >
>  > >  Thank you,
>  > >  Dimuthu
>  > >
>  > >  > Thanks,
>  > >  > Nate Roe
>  > >
>  > >
>  >
>  >
>  >
>
>



-- 
Don't be evil!!!

Re: Some PKI Questions

Posted by Dimuthu Leelarathne <di...@wso2.com>.
Hi Alberto,

It is good that you pointed out that we do not have samples that demonstrate
the full abilities. We will include a sample to demonstrate how it can
be scaled in the future. The sample will demonstrate how trust is
validated traversing up the certificate chain.

Thank you,
Dimuthu

On Thu, 2008-04-17 at 15:08 -0500, Alberto Patino wrote:
> I have run rampart demos and it's obvious that a java keystore doesn't
> scale well. If I want to propagate user identity in service invokes
> through the use of certificates what happens in an environment with
> thousands of users?
> 
> I have always had this question...
> 
> On Tue, Apr 15, 2008 at 10:01 PM, Dimuthu Leelarathne <di...@wso2.com> wrote:
> > Hi Nate,
> >
> >  Please see my comments below.
> >
> >
> >  On Fri, 2008-04-11 at 16:39 -0700, Nate Roe wrote:
> >  > I've secured a service using Rampart, and now I'm considering how to implement the certificate issuance portion.
> >  >
> >  > To get the service running, I followed Ruchith Fernando's tutorial:
> >  > http://wso2.org/library/174
> >  >
> >  > Is it necessary to modify the service's keystore to add new client certificates?  Is it possible to store the service's copy of the client's public keys in a database or in separate files in the filesystem?
> >  The easiest way to do this would be to ask the client to include the
> >  certificate in the request message always. If we want to store a
> >  certificate, we usually store it in the KeyStore, so that Rampart can
> >  easily pick it up from KeyStore.
> >
> >
> >
> >  > Why does my password callback class need to supply the client's certificate password?  It's just supposed to be the client's public key, right?  So, why the password?
> >
> >  Even though we have a single password callback class in Rampart samples,
> >  in the real world scenario there should be two password callback classes
> >  - one for server and one for client.
> >
> >  At the server side the password callback class does not need to supply
> >  the client's password.
> >
> >  Thank you,
> >  Dimuthu
> >
> >  > Thanks,
> >  > Nate Roe
> >
> >
> 
> 
> 


Re: Some PKI Questions

Posted by Alberto Patino <pa...@gmail.com>.
I have run rampart demos and it's obvious that a java keystore doesn't
scale well. If I want to propagate user identity in service invokes
through the use of certificates what happens in an environment with
thousands of users?

I have always had this question...

On Tue, Apr 15, 2008 at 10:01 PM, Dimuthu Leelarathne <di...@wso2.com> wrote:
> Hi Nate,
>
>  Please see my comments below.
>
>
>  On Fri, 2008-04-11 at 16:39 -0700, Nate Roe wrote:
>  > I've secured a service using Rampart, and now I'm considering how to implement the certificate issuance portion.
>  >
>  > To get the service running, I followed Ruchith Fernando's tutorial:
>  > http://wso2.org/library/174
>  >
>  > Is it necessary to modify the service's keystore to add new client certificates?  Is it possible to store the service's copy of the client's public keys in a database or in separate files in the filesystem?
>  The easiest way to do this would be to ask the client to include the
>  certificate in the request message always. If we want to store a
>  certificate, we usually store it in the KeyStore, so that Rampart can
>  easily pick it up from KeyStore.
>
>
>
>  > Why does my password callback class need to supply the client's certificate password?  It's just supposed to be the client's public key, right?  So, why the password?
>
>  Even though we have a single password callback class in Rampart samples,
>  in the real world scenario there should be two password callback classes
>  - one for server and one for client.
>
>  At the server side the password callback class does not need to supply
>  the client's password.
>
>  Thank you,
>  Dimuthu
>
>  > Thanks,
>  > Nate Roe
>
>



-- 
Don't be evil!!!

RE: Some PKI Questions

Posted by Nate Roe <na...@vegas.com>.
I'll look at policy/sample02/policy.xml.

Thank you for your responses, Dimuthu.

-----Original Message-----
From: Dimuthu Leelarathne [mailto:dimuthul@wso2.com]
Sent: Thursday, April 17, 2008 8:22 PM
To: Nate Roe
Cc: 'rampart-dev@ws.apache.org'
Subject: RE: Some PKI Questions

Hi Nate,

Please see my comments below.

On Thu, 2008-04-17 at 12:00 -0700, Nate Roe wrote:
> How can I use policy.xml to direct the client to include its
>  certificate in the request message?
You can look at policy/sample02/policy.xml file. It will always include
the token in message. If you inspect the message using TCPMon the
SecurityTokenReference has a pointer to the certificate.

> It is important to me to prove
>  cryptographically that the client certificate was issued from the/a CA
>  certificate in the service's keystore.
Rampart does this. These are the steps taken by Rampart. You can look at
verifyTrust method in
org.apache.rampart.PolicyBasedResultsValidator.java class.

First it is checked whether the certificate is in the key store. If so
the client is trusted, else Rampart tries to verify trust of the
certificate chain.

> In my service's password callback, when the service receives a message
>  from the client, the callback is asked to retrieve the password for
>  "client".  The service's keystore password is already known from
>  policy.xml.  I don't understand why the service would want the
>  client's password.

Service does not need the client's password. In the real world, you have
to implement two password callback classes - one for the server and one
for the client.

The callback is asked to retrieve the password for the client's private
key when the signature is going to be performed, at the client side, not
at the server side.

Thank you,
Dimuthu


> -----Original Message-----
> From: Dimuthu Leelarathne [mailto:dimuthul@wso2.com]
> Sent: Tuesday, April 15, 2008 8:01 PM
> To: rampart-dev@ws.apache.org
> Subject: Re: Some PKI Questions
>
> Hi Nate,
>
> Please see my comments below.
>
> On Fri, 2008-04-11 at 16:39 -0700, Nate Roe wrote:
> > I've secured a service using Rampart, and now I'm considering how to implement the certificate issuance portion.
> >
> > To get the service running, I followed Ruchith Fernando's tutorial:
> > http://wso2.org/library/174
> >
> > Is it necessary to modify the service's keystore to add new client certificates?  Is it possible to store the service's copy of the client's public keys in a database or in separate files in the filesystem?
> The easiest way to do this would be to ask the client to include the
> certificate in the request message always. If we want to store a
> certificate, we usually store it in the KeyStore, so that Rampart can
> easily pick it up from KeyStore.
>
>
> > Why does my password callback class need to supply the client's certificate password?  It's just supposed to be the client's public key, right?  So, why the password?
>
> Even though we have a single password callback class in Rampart samples,
> in the real world scenario there should be two password callback classes
> - one for server and one for client.
>
> At the server side the password callback class does not need to supply
> the client's password.
>
> Thank you,
> Dimuthu
>
> > Thanks,
> > Nate Roe
>


RE: Some PKI Questions

Posted by Dimuthu Leelarathne <di...@wso2.com>.
Hi Nate,

Please see my comments below.

On Thu, 2008-04-17 at 12:00 -0700, Nate Roe wrote:
> How can I use policy.xml to direct the client to include its
>  certificate in the request message?  
You can look at policy/sample02/policy.xml file. It will always include
the token in message. If you inspect the message using TCPMon the
SecurityTokenReference has a pointer to the certificate.

> It is important to me to prove
>  cryptographically that the client certificate was issued from the/a CA
>  certificate in the service's keystore.
Rampart does this. These are the steps taken by Rampart. You can look at
verifyTrust method in
org.apache.rampart.PolicyBasedResultsValidator.java class.

First it is checked whether the certificate is in the key store. If so
the client is trusted, else Rampart tries to verify trust of the
certificate chain.

> In my service's password callback, when the service receives a message
>  from the client, the callback is asked to retrieve the password for
>  "client".  The service's keystore password is already known from
>  policy.xml.  I don't understand why the service would want the
>  client's password.

Service does not need the client's password. In the real world, you have
to implement two password callback classes - one for the server and one
for the client.

The callback is asked to retrieve the password for the client's private
key when the signature is going to be performed, at the client side, not
at the server side.

Thank you,
Dimuthu


> -----Original Message-----
> From: Dimuthu Leelarathne [mailto:dimuthul@wso2.com]
> Sent: Tuesday, April 15, 2008 8:01 PM
> To: rampart-dev@ws.apache.org
> Subject: Re: Some PKI Questions
> 
> Hi Nate,
> 
> Please see my comments below.
> 
> On Fri, 2008-04-11 at 16:39 -0700, Nate Roe wrote:
> > I've secured a service using Rampart, and now I'm considering how to implement the certificate issuance portion.
> >
> > To get the service running, I followed Ruchith Fernando's tutorial:
> > http://wso2.org/library/174
> >
> > Is it necessary to modify the service's keystore to add new client certificates?  Is it possible to store the service's copy of the client's public keys in a database or in separate files in the filesystem?
> The easiest way to do this would be to ask the client to include the
> certificate in the request message always. If we want to store a
> certificate, we usually store it in the KeyStore, so that Rampart can
> easily pick it up from KeyStore.
> 
> 
> > Why does my password callback class need to supply the client's certificate password?  It's just supposed to be the client's public key, right?  So, why the password?
> 
> Even though we have a single password callback class in Rampart samples,
> in the real world scenario there should be two password callback classes
> - one for server and one for client.
>
> At the server side the password callback class does not need to supply
> the client's password.
> 
> Thank you,
> Dimuthu
> 
> > Thanks,
> > Nate Roe
> 
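The two-step trust check Dimuthu describes above (exact certificate present in the service keystore, otherwise validate the chain up to a CA certificate in that keystore), written out as an added example with plain JDK APIs; it is not Rampart's own verifyTrust code. The keystore path, its password and the certificate file read in main are assumed inputs.

```java
// Added example, not Rampart's verifyTrust: the same two-step decision
// using only java.security / java.security.cert from the JDK.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

public class TrustCheck {

    // Step 1: the exact certificate carried in the message is already a
    // trusted entry in the keystore, so the client is trusted directly.
    static boolean isInKeyStore(KeyStore ks, X509Certificate cert) throws Exception {
        return ks.getCertificateAlias(cert) != null;
    }

    // Step 2: otherwise build a PKIX path from the presented chain and
    // validate it against the trustedCertEntry items of the keystore,
    // which PKIXParameters(KeyStore) turns into trust anchors. Signature,
    // validity period and basic constraints are checked by the validator.
    static boolean chainsToTrustedCa(KeyStore ks, List<X509Certificate> chain) throws Exception {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(chain);
            PKIXParameters params = new PKIXParameters(ks);
            params.setRevocationEnabled(false); // assumption: no CRL/OCSP source configured here
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false; // no path to a CA we hold, or the chain is expired/invalid
        }
    }

    // The decision in the order Dimuthu gives: direct presence first,
    // chain validation only as the fallback.
    static boolean verifyTrust(KeyStore ks, List<X509Certificate> chain) throws Exception {
        X509Certificate leaf = chain.get(0);
        if (isInKeyStore(ks, leaf)) {
            return true;
        }
        return chainsToTrustedCa(ks, chain);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("service.jks")) {   // assumed path
            ks.load(in, "servicepassword".toCharArray());                 // assumed password
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client;
        try (FileInputStream in = new FileInputStream("client.cer")) {    // assumed: cert as sent in the request
            client = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("trusted: " + verifyTrust(ks, Collections.singletonList(client)));
    }
}
```

Note that step 1 trusts a certificate purely because it is present in the keystore, so a revoked or expired client certificate stays trusted until its entry is removed; only the chain path in step 2 is subject to the validator's date checks.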


RE: Some PKI Questions

Posted by Nate Roe <na...@vegas.com>.
How can I use policy.xml to direct the client to include its certificate in the request message?  It is important to me to prove cryptographically that the client certificate was issued from the/a CA certificate in the service's keystore.

In my service's password callback, when the service receives a message from the client, the callback is asked to retrieve the password for "client".  The service's keystore password is already known from policy.xml.  I don't understand why the service would want the client's password.

-----Original Message-----
From: Dimuthu Leelarathne [mailto:dimuthul@wso2.com]
Sent: Tuesday, April 15, 2008 8:01 PM
To: rampart-dev@ws.apache.org
Subject: Re: Some PKI Questions

Hi Nate,

Please see my comments below.

On Fri, 2008-04-11 at 16:39 -0700, Nate Roe wrote:
> I've secured a service using Rampart, and now I'm considering how to implement the certificate issuance portion.
>
> To get the service running, I followed Ruchith Fernando's tutorial:
> http://wso2.org/library/174
>
> Is it necessary to modify the service's keystore to add new client certificates?  Is it possible to store the service's copy of the client's public keys in a database or in separate files in the filesystem?
The easiest way to do this would be to ask the client to include the
certificate in the request message always. If we want to store a
certificate, we usually store it in the KeyStore, so that Rampart can
easily pick it up from KeyStore.


> Why does my password callback class need to supply the client's certificate password?  It's just supposed to be the client's public key, right?  So, why the password?

Even though we have a single password callback class in Rampart samples,
in the real world scenario there should be two password callback classes
- one for server and one for client.

At the server side the password callback class does not need to supply
the client's password.

Thank you,
Dimuthu

> Thanks,
> Nate Roe


Re: Some PKI Questions

Posted by Dimuthu Leelarathne <di...@wso2.com>.
Hi Nate,

Please see my comments below.

On Fri, 2008-04-11 at 16:39 -0700, Nate Roe wrote:
> I've secured a service using Rampart, and now I'm considering how to implement the certificate issuance portion.
> 
> To get the service running, I followed Ruchith Fernando's tutorial:
> http://wso2.org/library/174
> 
> Is it necessary to modify the service's keystore to add new client certificates?  Is it possible to store the service's copy of the client's public keys in a database or in separate files in the filesystem?
The easiest way to do this would be to ask the client to include the
certificate in the request message always. If we want to store a
certificate, we usually store it in the KeyStore, so that Rampart can
easily pick it up from KeyStore.


> Why does my password callback class need to supply the client's certificate password?  It's just supposed to be the client's public key, right?  So, why the password?

Even though we have a single password callback class in Rampart samples,
in the real world scenario there should be two password callback classes
- one for server and one for client.

At the server side the password callback class does not need to supply
the client's password.

Thank you,
Dimuthu

> Thanks,
> Nate Roe