Mailing-List: contact axis-user-help@ws.apache.org; run by ezmlm
Precedence: bulk
Reply-To: axis-user@ws.apache.org
Received-SPF: pass (athena.apache.org: domain of nandana.cse@gmail.com
 designates 209.85.146.178 as permitted sender)
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;
        b=OglW9N/jN5YaujpfTEGGzeRHI9xta96ghI1OLqzJ+KswDu83pNmIagkrfog7AKFe1XNFPvXSOvL57LMYXFKdY8+yivSzaWZFvtu6UnqvElmKl3ci0cNVuBGCMVGzhvesEY6riMRXjcPjxwnmxNwBMtpbtg+2161Yj77raOLoUf0=
Message-ID: <9e2fff830712292358q7f374927q646c140037a4632c@mail.gmail.com>
Date: Sun, 30 Dec 2007 13:28:01 +0530
From: "Nandana Mihindukulasooriya" <nandana.cse@gmail.com>
To: axis-user@ws.apache.org
Subject: Re: ws-security: Encryption using UserToken
In-Reply-To: <14542558.post@talk.nabble.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_Part_19620_21300602.1199001481502"
References: <14542558.post@talk.nabble.com>

------=_Part_19620_21300602.1199001481502
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Hi Patrick,

On 12/30/07, qvall <qvall@o2.pl> wrote:
>
>
> Hi,
> I would like to encrypt and sign my requests any responses using WSS4J and
> UserToken
> but can't figure it out how to make it.guess I should play with
> "encryptionKeyIdentifier", "EmbeddedKeyName",
> "encryptionPropFile"
> "encryptionSymAlgorithm" according to other link that works. However i
> still
> don't know how
> to make it. Especially how can i reference UserToken that is generated to
> be
> used to
> signature and encryption ?


I think the Rampart basic sample 9 -  [1] which uses the embedded key name
as the encryption key identifier will help you understand the usage.


> is there any way to
> encrypt
> response from server (using x509 Certificates) without knowing client's
> public key in advance?
> I mean in many samples I saw that server's keystore had client's cert. I
> would like to
> avoid it since this requires modifing server with each new client. Does
> "useReqSigCert"
> has something to do it with?


    Yes, if we use "useReqSigCert", the certificate used to sign the request
message will
be used to encrypt the response message back to the client. So the
server may either get
the certificate from the key store or extract it from the request. In the
latter case,  the server
must be able to verify the trust for the client's certificate.
   If you are using policy based configuration of Rampart, you have another
option. You can
use a Symmetric Binding. If you use symmetric binding, then the
client doesn't need to have
a certificate at all to do the encryption and signature.

Thanks,
Nandana

[1] -
https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/basic/sample09/

------=_Part_19620_21300602.1199001481502
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Hi Patrick,<br><br>
<div><span class="gmail_quote">On 12/30/07, <b class="gmail_sendername">qvall</b> &lt;<a href="mailto:qvall@o2.pl">qvall@o2.pl</a>&gt; wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><br>Hi,<br>I would like to encrypt and sign my requests any responses using WSS4J and<br>UserToken<br>but can&#39;t figure it out how to make 
it.guess I should play with &quot;encryptionKeyIdentifier&quot;, &quot;EmbeddedKeyName&quot;,<br>&quot;encryptionPropFile&quot;<br>&quot;encryptionSymAlgorithm&quot; according to other link that works. However i still<br>
don&#39;t know how<br>to make it. Especially how can i reference UserToken that is generated to be<br>used to<br>signature and encryption ?</blockquote>
<div>&nbsp;</div>
<div>I think the&nbsp;Rampart&nbsp;basic sample&nbsp;9 - &nbsp;[1] which uses the embedded key name as the encryption key identifier will help you understand the usage.</div>
<div><br>&nbsp;</div>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">is there any way to<br>encrypt<br>response from server (using x509 Certificates) without knowing client&#39;s
<br>public key in advance?<br>I mean in many samples I saw that server&#39;s keystore had client&#39;s cert. I<br>would like to<br>avoid it since this requires modifing server with each new client. Does<br>&quot;useReqSigCert&quot;
<br>has something to do it with?</blockquote>
<div>&nbsp;</div>
<div>&nbsp;&nbsp;&nbsp; Yes, if we use &quot;useReqSigCert&quot;, the certificate used to sign the request message will</div>
<div>be used to encrypt the response message back to the client. So&nbsp;the server&nbsp;may either get</div>
<div>the certificate from the key store or&nbsp;extract it&nbsp;from the request.&nbsp;In the latter case, &nbsp;the server </div>
<div>must be able to verify the trust for the client&#39;s certificate. </div>
<div>&nbsp;&nbsp;&nbsp;If you are using policy based configuration of Rampart, you&nbsp;have another option. You can</div>
<div>use a Symmetric Binding. If you use symmetric binding, then&nbsp;the client&nbsp;doesn&#39;t need to have</div>
<div>a certificate at all to do the encryption and signature. </div>
<div>&nbsp;</div>
<div>Thanks,</div>
<div>Nandana</div>
<div>&nbsp;</div>
<div>[1] - <a href="https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/basic/sample09/">https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/basic/sample09/
</a></div><br>&nbsp;</div>

------=_Part_19620_21300602.1199001481502--