axis-java-dev mailing list archives

From Martin Gainty <>
Subject RE: Using Rampart to send a proxy certificate and sign using a symmetric key
Date Wed, 20 Mar 2013 23:31:32 GMT
the sts-policy-symm-binding.xml from the integration samples inside Rampart is what you want
to start with

1) read the xsd declared at the top
2) have a good understanding of what you're doing before you make the change
3) implement the service which implements sts-policy-symm-binding.xml (make sure you engage it), then
   run the client code which implements sts-policy-symm-binding.xml

-- creating the aar: change to rampart-integration
cd \rampart\rampart-src-1.4\modules\rampart-integration
vi .\src\test\resources\rampart\services-20.xml
tweak the signatureCrypto to replace default Merlin attributes with bouncycastle attributes
<ramp:signatureCrypto>
    <ramp:crypto provider="">
        <ramp:property name="">JKS</ramp:property>                                   <!-- keystore type -->
        <ramp:property name="">test-resources/rahas/policy/store.jks</ramp:property> <!-- keystore file -->
        <ramp:property name="">password</ramp:property>                              <!-- keystore password -->
    </ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCrypto>
    <ramp:crypto provider="">
        <ramp:property name="">JKS</ramp:property>               <!-- keystore type -->
        <ramp:property name="">rampart/store.jks</ramp:property> <!-- keystore file -->
        <ramp:property name="">password</ramp:property>          <!-- keystore password -->
    </ramp:crypto>
</ramp:encryptionCrypto>
if your X509 cert is v3 you're in luck; if your cert is NOT X509 v3 you have to change the
WssX509V3Token10 element: change <sp:WssX509V3Token10/> to your specific version of X509
Java code:
the only java mod to be aware of is when the service responds to your PWCallback class
-- run mvn process-test-resources

use the Axis Admin tool to upload the new service aar into Axis, located at target/test-resources/rampart_service_repo/services/SecureService20.aar
engage the following modules:
  rampart-src-1.4/modules/rampart-integration/target/test-resources/rampart_service_repo/modules/addressing-${addressing.mar.version}.mar
  resources/rampart_service_repo/modules/rahas-${addressing.mar.version}.mar
  rampart-src-1.4/modules/rampart-integration/target/test-resources/rampart_service_repo/modules/rampart-mar-${addressing.mar.version}.mar
if you don't have them run process-test-resources, e.g. mvn process-test-resources
ping back here if you have any questions
Martin Gainty 
Disclaimer and confidentiality notice

This message is confidential. If you are not the intended recipient, we kindly ask you to
notify us. Any unauthorised forwarding or copying is not permitted. This message serves only
to exchange information and has no legally binding effect. Because e-mails can easily be
manipulated, we accept no liability for their content.
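As an added example, not code from this thread nor from Rampart or WSS4J: the reply above configures Rampart's crypto from a keystore, while the follow-up below holds the STS-issued proxy certificate and symmetric key only as byte arrays. The Java below shows one way to bridge the two: parse the certificate bytes, check that the certificate is X.509 v3 (what the <sp:WssX509V3Token10/> assertion assumes), and write both the certificate and the symmetric key into a keystore file that a keystore-backed crypto configuration can be pointed at. A throwaway self-signed certificate minted with BouncyCastle's bcpkix API stands in for what the STS would issue; the entry aliases, store path and password are placeholders, and HMAC-SHA256 is an assumed MAC algorithm, since the thread does not name one. One caveat a practitioner will hit: a JKS store, the type in the config above, cannot hold a secret-key entry, so the store here is JCEKS.

```java
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/**
 * Added example (not from the thread, Rampart or WSS4J): stage an STS-issued
 * certificate and symmetric key, held as byte arrays, in a keystore that a
 * keystore-backed crypto configuration can load. Aliases, file name and
 * password are placeholders; BouncyCastle bcpkix is assumed on the classpath.
 */
public class IssuedTokenStore {

    /** Stand-in for the STS: mint a throwaway self-signed v3 certificate (constructed data). */
    static byte[] constructedCertificateDer() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name name = new X500Name("CN=constructed-proxy-cert");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 24L * 3600 * 1000);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, notBefore, notAfter, name, kp.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer)).getEncoded();
    }

    /** Parse the DER bytes received from the STS back into an X509Certificate. */
    static X509Certificate parseCertificate(byte[] der) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * The certificate goes in as a trusted-certificate entry (no private key was
     * issued) and the symmetric key as a SecretKeyEntry. Store type matters: JKS,
     * as used in the services.xml above, cannot hold SecretKeyEntry; JCEKS can.
     */
    static KeyStore buildKeyStore(byte[] certDer, byte[] symmetricKey, char[] password) throws Exception {
        X509Certificate cert = parseCertificate(certDer);
        // <sp:WssX509V3Token10/> in the policy only covers version-3 certificates.
        if (cert.getVersion() != 3) {
            throw new IllegalArgumentException("policy expects X.509 v3, got v" + cert.getVersion());
        }
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // start with an empty store
        ks.setCertificateEntry("proxy-cert", cert);
        ks.setEntry("issued-key",
                new KeyStore.SecretKeyEntry(new SecretKeySpec(symmetricKey, "HmacSHA256")),
                new KeyStore.PasswordProtection(password));
        return ks;
    }

    /** "Signing with a symmetric key" is a MAC: HMAC-SHA256 over the bytes with the stored key. */
    static byte[] mac(KeyStore ks, char[] password, byte[] message) throws Exception {
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry)
                ks.getEntry("issued-key", new KeyStore.PasswordProtection(password));
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(entry.getSecretKey());
        return hmac.doFinal(message);
    }

    public static void main(String[] args) throws Exception {
        byte[] certDer = constructedCertificateDer(); // in real use: the bytes the STS returned
        byte[] symmetricKey = new byte[32];            // in real use: the key the STS returned
        new SecureRandom().nextBytes(symmetricKey);
        char[] password = "changeit".toCharArray();    // placeholder

        KeyStore ks = buildKeyStore(certDer, symmetricKey, password);
        try (OutputStream out = new FileOutputStream("store.jceks")) { // placeholder path
            ks.store(out, password);
        }
        byte[] tag = mac(ks, password, "<soapenv:Body/>".getBytes(StandardCharsets.UTF_8));
        System.out.println("stored 1 cert + 1 secret key; HMAC-SHA256 tag is " + tag.length + " bytes");
    }
}
```

Whether Rampart then pulls the key from that store and MACs the message on its own is the IssuedToken/SymmetricBinding question in Ruchith's reply further down; this only shows how to stage the material in a form a keystore-backed crypto configuration can read.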
Subject: RE: Using Rampart to send a proxy certificate and sign using a symmetric key
Date: Wed, 20 Mar 2013 10:57:46 +0000

Thank you for the reply, this sounds like what I want to do.
I just want to clarify one thing. We have our own STS which uses the Bouncycastle library to generate
a certificate and a key to send to the client. So the client now has a proxy certificate (only the
public key is known to the client, no private key supplied) and a secret symmetric key.
One of the things that confused me is how Rampart reads this information; I got it in byte
form but I am unsure how to direct Rampart to it or ask it to use it.

> Date: Tue, 19 Mar 2013 17:32:11 -0400
> Subject: Re: Using Rampart to send a proxy certificate and sign using a symmetric key
> From:
> To:
> Hi,
> To do this with rampart, first you need to be able to express your
> requirements in WS-SecurityPolicy.
> Since you mentioned the use of a symmetric key to sign (MAC) (as in
> 3.4 of [1]) I suppose you will have to try to use a SymmetricBinding
> policy (Example [2]). This will involve getting a token issued by an
> STS which will include the certificate, and a symmetric key (since you
> need this to sign/mac). This will be the IssuedToken specified in the
> policy.
> Then Rampart should be able to use the token and include it in the
> security header and sign using the given key value.
> I'm not sure whether this works, but I will take a crack at generating
> an example of this over the weekend.
> Thanks,
> Ruchith
> 1.
> 2.
> On Sun, Mar 17, 2013 at 3:10 AM, Abdelrahman Almahmoud
> <> wrote:
> > Thank you for the reply
> >
> > I understand the typical use of certificates as I have worked in security
> > for a while, it is a bit complicated to explain and I am not even sure if I
> > am allowed to discuss this so I will avoid talking about the architecture. I
> > appreciate the comments but as I mentioned, our use case is a little
> > different than usual. I am trying to avoid using SSL altogether because of
> > various reasons as well.
> >
> > What I simply want to do is give rampart my X.509 certificate and have it
> > send it to my target where I will try to have rampart do what I want or
> > simply write my own handler to make it do that.
> >
> > I also want rampart to sign that message using my own symmetric key. We have
> > our reasons to use symmetric keys here. If Rampart can't do this, can I
> > write a handler to do this myself and ask rampart to include this into the
> > SOAP message?
> >
> >
> >
> >
> > ________________________________
> > From:
> > To:
> > Subject: RE: Using Rampart to send a proxy certificate and sign using a
> > symmetric key
> > Date: Thu, 14 Mar 2013 06:32:42 -0400
> >
> >
> >
> > ________________________________
> > From:
> > To:
> > Subject: Using Rampart to send a proxy certificate and sign using a
> > symmetric key
> > Date: Thu, 14 Mar 2013 08:59:15 +0000
> >
> > Hi
> >
> >
> > I have a bit of a unique situation, I am writing an Axis2 client and have to
> > follow a certain procedure. I would like to use Rampart to do the following,
> >
> > 1- I have a proxy certificate issued by a server for me, this certificate
> > has my username and the server's public key, I would like to have rampart
> > send this certificate.
> > MG>A certificate is generally used by Browsers for verifying you are who
> > you are and you wish to communicate to server with these specific
> > credentials
> > As far as I know, the samples only show how to have rampart use a
> > certificate from a key store
> > MG>from the trust-store called cacerts
> >
> > is there another way to do it?
> > MG>First step is to get the cert working to validate you to the external
> > interface
> >
> > MG>Second step is to setup a SSLv2 or SSLv3 session (using some known
> > transport) to the server
> >
> > 2- I would like Rampart to sign the request using a Symmetric key. As far as
> > I know, rampart takes the key from a key store but I am not sure how to ask
> > it to sign the request using this key and such
> >
> > The samples didn't help much with this and I am not sure where to find more
> > information
> > Any help is greatly appreciated
> >
> > MG>Read this cover to cover
> >
> >
> > Thanks