cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > XML Key Management Service (XKMS)
Date Thu, 02 May 2013 16:46:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/XML+Key+Management+Service+%28XKMS%29">XML
Key Management Service (XKMS)</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~ashakirin">Andrei
Shakirin</a>
    </h4>
        <br/>
                         <h4>Changes (5)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >!XKMS-cxf.jpg! <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">XKMS
Service exposes standardized XKISS and XKRSS SOAP interfaces.  <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-deleted-words" style="color:#999;background-color:#fdd;text-decoration:line-through;">XKMS
Service exposes standardized XKISS and XKRSS SOAP interfaces.</span> Input and output
parameters as well as samples of SOAP messages are described in the specification [XKMS 2.0|http://www.w3.org/TR/xkms2/].
<br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">XKMS
implementation supports chain of responsibility design pattern [chain-of-responsibility |
http://en.wikipedia.org/wiki/Chain-of-responsibility_pattern]. Each XKMS operation defines
handler interface and provides one or more implementations of this interface. Handler implementations
are connected into chain. Operation implementation invokes handlers one after another from
pre-configured chain until either all handlers will be processed or critical error will occur.
This design decision makes XKMS internal implementation quite flexible: it is easy to add/remove
handlers, change their order, introduce handlers supporting new backends, etc.  <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">XKMS
implementation supports chain of responsibility design pattern [chain-of-responsibility |
http://en.wikipedia.org/wiki/Chain-of-responsibility_pattern].  <br>Each XKMS operation
defines handler interface and provides one or more implementations of this interface. Handler
implementations are connected into chain.  <br>Operation implementation invokes handlers
one after another from pre-configured chain until either all handlers will be processed or
critical error will occur.  <br>This design decision makes XKMS internal implementation
quite flexible: it is easy to add/remove handlers, change their order, introduce handlers
supporting new backends, etc.  <br></td></tr>
            <tr><td class="diff-unchanged" >For example certificate can be searched
firstly in the LDAP repository by LDAP lookup handler and, if it is not found there, additionally
looked in remote PKI using appropriate lookup handler. Logic validation operation is organized
in chain is well: first validation handler checks format and expire date of X509 certificate,
next one checks certificate trust chain. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>h4. Data Formats <br> <br>Input and output data formats are specified
in XML Key Management Service Specification Version 2.0 (see [XKMS 2.0]). Anyway XKMS service
supports only subset of specified requests and responses. <br>Restrictions of formats
for request and responses are described in following table: <br> <br>Element XPath||Supporting
values||Description <br>RootElement/QueryKeyBinding/UseKeyWith@Application | urn:ietf:rfc:2459
| Application specifies X509 SubjectDN in Identifier attribute. Used for normal users certificates
 <br>RootElement/QueryKeyBinding/UseKeyWith@Application | urn:apache:cxf:service:soap
| Application specifies Service Id in Identifier attribute in form: {SERVICE_ NAMESPACE}SERVICE_NAME.
Used for service certificates <br>RootElement/QueryKeyBinding/UseKeyWith@Identifier
| X509 Subject DN or Service name as {SERVICE_ NAMESPACE}SERVICE_NAME | Depending on Application
attribute public key is identified as X509 Subject DN or Service nameservice certificates
<br>RootElement/UnverifiedKeyBinding/KeyInfo | X509Data/X509Certificate | Only X509Data
with X509Certificate is supported <br> <br> <br> <br>| colB1 | colB2
| <br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="XMLKeyManagementService%28XKMS%29-XMLKeyManagementService%28XKMS%29"></a>XML
Key Management Service (XKMS)</h1>

<h2><a name="XMLKeyManagementService%28XKMS%29-Usecase"></a>Use case</h2>

<p>CXF security uses asymmetric algorithms for different purposes: encryption of symmetric
keys and payloads, signing of security tokens and messages, and proof of possession.<br/>
Normally the public keys (in the form of X509 certificates) are stored in Java keystores.</p>

<p>For example, if a sender encrypts the payload of a message sent to a receiver, the sender
needs access to the receiver's certificate, saved in a local keystore. <br/>
The sender uses this certificate for message encryption and the receiver decrypts the request
with its own corresponding private key:</p>


<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/31820321/classic-message-encryption.jpg?version=1&amp;modificationDate=1367436712000"
style="border: 0px solid black" /></span></p>


<p>Seems to be OK? Now imagine that you have a production environment with 100 different
clients of this service and the service certificate expires. You have to reissue the
certificate and replace it in ALL client keystores! Worse, if the keystores are packaged into
WAR files or OSGi bundles, they have to be unpackaged and updated. This is not really acceptable
for enterprise environments.</p>

<p>Therefore large service landscapes support central certificate management: X509
certificates are not stored locally in keystores, but are provided and administered
centrally.</p>

<p>Normally this is the responsibility of the <a href="http://en.wikipedia.org/wiki/Public-key_infrastructure"
class="external-link" rel="nofollow">Public Key Infrastructure</a> (PKI) established
in the organization. The PKI is responsible for creating, managing, storing, distributing,
synchronizing and revoking public certificates and certification authorities (CAs).</p>

<h2><a name="XMLKeyManagementService%28XKMS%29-XKMSSpecification"></a>XKMS
Specification</h2>

<p>The W3C specifies a standard protocol to distribute and register public keys, certificates
and CAs that can be used for XML-based cryptography, including signature and encryption: the <a
href="http://www.w3.org/TR/xkms2/" class="external-link" rel="nofollow">XML Key Management
Specification</a> (XKMS 2.0). XKMS can be used as a standardized frontend to a Public Key
Infrastructure (PKI).<br/>
The XKMS Specification comprises two parts: the XML Key Information Service Specification
(XKISS), describing the runtime aspects of key lookup and certificate validation, and the XML
Key Registration Service Specification (XKRSS), describing the administrative aspects of registering,
renewing, revoking and recovering certificates. The XKMS Service implements both parts of the specification.</p>

<h3><a name="XMLKeyManagementService%28XKMS%29-XKMSDesign"></a>XKMS Design</h3>

<p>The internal structure of the XKMS service is shown in the following figure:</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/31820321/XKMS-cxf.jpg?version=1&amp;modificationDate=1367512345536"
style="border: 0px solid black" /></span></p>

<p>The XKMS Service exposes the standardized XKISS and XKRSS SOAP interfaces. <br/>
Input and output parameters, as well as samples of SOAP messages, are described in the specification
<a href="http://www.w3.org/TR/xkms2/" class="external-link" rel="nofollow">XKMS 2.0</a>.
<br/>
The XKMS implementation follows the <a href="http://en.wikipedia.org/wiki/Chain-of-responsibility_pattern"
class="external-link" rel="nofollow">chain-of-responsibility</a> design pattern. <br/>
Each XKMS operation defines a handler interface and provides one or more implementations of
this interface. The handler implementations are connected into a chain. <br/>
The operation implementation invokes the handlers one after another from the pre-configured chain
until either all handlers have been processed or a critical error occurs. <br/>
This design decision makes the XKMS internal implementation quite flexible: it is easy to add or remove
handlers, change their order, introduce handlers supporting new backends, and so on. <br/>
For example, a certificate can be searched first in the LDAP repository by the LDAP lookup handler
and, if it is not found there, additionally looked up in a remote PKI using the appropriate lookup
handler. The logic of the validation operation is organized as a chain as well: the first validation
handler checks the format and expiry date of the X509 certificate, the next one checks the certificate
trust chain.</p>
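<p>As an added example (not CXF's own handler classes), the following Python sketches the chain of responsibility described above: a Locate chain that tries an LDAP lookup handler and then a remote PKI lookup handler, and a Validate chain that checks format and expiry before the trust chain, stopping on a critical error. The handler names, the backend dictionaries and the dict-based certificates are constructed assumptions.</p>

```python
from datetime import datetime, timezone

class CriticalError(Exception):
    pass  # raised by a handler to abort the rest of the chain

def run_chain(handlers, request, result):
    # Invoke handlers in order until all have run or one raises a critical error.
    for handler in handlers:
        try:
            handler(request, result)
        except CriticalError as err:
            result["error"] = str(err)
            break
    return result

# Constructed lookup backends keyed by X509 Subject DN (hypothetical, not CXF's).
LDAP_REPO = {"CN=alice,O=example": "CERT-ALICE-FROM-LDAP"}
PKI_REPO = {"CN=bob,O=example": "CERT-BOB-FROM-PKI"}

def ldap_lookup_handler(subject_dn, result):
    result["cert"] = LDAP_REPO.get(subject_dn)

def pki_lookup_handler(subject_dn, result):
    # Only consulted when the earlier LDAP handler found nothing.
    if result.get("cert") is None:
        result["cert"] = PKI_REPO.get(subject_dn)

def locate(subject_dn):
    return run_chain([ldap_lookup_handler, pki_lookup_handler], subject_dn, {})

# Validate chain: format and expiry are checked first, the trust chain second.
TRUSTED_ISSUERS = {"CN=Example CA"}

def format_and_expiry_handler(cert, result):
    if not {"subject", "issuer", "not_after"} <= set(cert):
        raise CriticalError("malformed certificate")  # critical: chain stops here
    if cert["not_after"] < datetime.now(timezone.utc):
        raise CriticalError("certificate expired")
    result["format_ok"] = True

def trust_chain_handler(cert, result):
    result["trusted"] = cert["issuer"] in TRUSTED_ISSUERS

def validate(cert):
    return run_chain([format_and_expiry_handler, trust_chain_handler], cert, {})

# Constructed certificates as plain dicts (stand-ins for real X509 objects).
GOOD_CERT = {"subject": "CN=alice,O=example", "issuer": "CN=Example CA",
             "not_after": datetime(2100, 1, 1, tzinfo=timezone.utc)}
EXPIRED_CERT = dict(GOOD_CERT, not_after=datetime(2000, 1, 1, tzinfo=timezone.utc))
UNTRUSTED_CERT = dict(GOOD_CERT, issuer="CN=Unknown CA")
```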

<h4><a name="XMLKeyManagementService%28XKMS%29-DataFormats"></a>Data Formats</h4>

<p>Input and output data formats are specified in the XML Key Management Service Specification
Version 2.0 (see <a href="http://www.w3.org/TR/xkms2/" class="external-link" rel="nofollow">XKMS 2.0</a>).
However, the XKMS service supports only a subset of the specified requests and responses.<br/>
The restrictions on the formats of requests and responses are described in the following table:</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Element XPath </th>
<th class='confluenceTh'> Supported values </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> RootElement/QueryKeyBinding/UseKeyWith@Application </td>
<td class='confluenceTd'> urn:ietf:rfc:2459 </td>
<td class='confluenceTd'> Application specifies an X509 Subject DN in the Identifier attribute. Used for normal user certificates. </td>
</tr>
<tr>
<td class='confluenceTd'> RootElement/QueryKeyBinding/UseKeyWith@Application </td>
<td class='confluenceTd'> urn:apache:cxf:service:soap </td>
<td class='confluenceTd'> Application specifies a Service Id in the Identifier attribute in the form {SERVICE_NAMESPACE}SERVICE_NAME. Used for service certificates. </td>
</tr>
<tr>
<td class='confluenceTd'> RootElement/QueryKeyBinding/UseKeyWith@Identifier </td>
<td class='confluenceTd'> X509 Subject DN, or Service name as {SERVICE_NAMESPACE}SERVICE_NAME </td>
<td class='confluenceTd'> Depending on the Application attribute, the public key is identified by X509 Subject DN or by Service name. </td>
</tr>
<tr>
<td class='confluenceTd'> RootElement/UnverifiedKeyBinding/KeyInfo </td>
<td class='confluenceTd'> X509Data/X509Certificate </td>
<td class='confluenceTd'> Only X509Data with X509Certificate is supported. </td>
</tr>
</tbody></table>
</div>
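<p>As an added example (not code from the CXF project), the following Python checks an XKMS message against the restrictions listed above: the allowed UseKeyWith@Application values with the matching Identifier shape, and the X509Data/X509Certificate-only rule for KeyInfo. The sample messages, the simplified Subject DN and Service Id patterns and the function name are constructed assumptions; the XKMS and XML Signature namespaces are those of the specifications.</p>

```python
import re
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xkms": XKMS, "ds": DS}
# UseKeyWith@Application values allowed by the table above.
APP_X509 = "urn:ietf:rfc:2459"                # Identifier is an X509 Subject DN
APP_CXF_SOAP = "urn:apache:cxf:service:soap"  # Identifier is {SERVICE_NAMESPACE}SERVICE_NAME
SERVICE_ID_RE = re.compile(r"^\{[^{}]+\}[^{}\s]+$")
SUBJECT_DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,\s*[A-Za-z]+=[^,]+)*$")  # simplified DN

def check_message(xml_text):
    """Return a list of violations of the supported-format restrictions (empty if OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    for ukw in root.findall("xkms:QueryKeyBinding/xkms:UseKeyWith", NS):
        app, ident = ukw.get("Application"), ukw.get("Identifier", "")
        if app == APP_X509:
            if not SUBJECT_DN_RE.match(ident):
                problems.append(f"Identifier is not an X509 Subject DN: {ident!r}")
        elif app == APP_CXF_SOAP:
            if not SERVICE_ID_RE.match(ident):
                problems.append(f"Identifier is not {{NAMESPACE}}NAME: {ident!r}")
        else:
            problems.append(f"unsupported Application: {app!r}")
    for ki in root.findall("xkms:UnverifiedKeyBinding/ds:KeyInfo", NS):
        x509data = ki.findall("ds:X509Data", NS)
        certs = x509data[0].findall("ds:X509Certificate", NS) if x509data else []
        # KeyInfo must hold exactly one X509Data made up only of X509Certificate elements.
        if len(ki) != 1 or len(x509data) != 1 or not certs or len(certs) != len(x509data[0]):
            problems.append("KeyInfo must contain only X509Data/X509Certificate")
    return problems

# Constructed sample messages (not taken from the page or the CXF test suite).
LOCATE_OK = f"""<LocateRequest xmlns="{XKMS}" Id="c1" Service="http://example.org/xkms">
  <QueryKeyBinding>
    <UseKeyWith Application="{APP_CXF_SOAP}" Identifier="{{http://example.org/hello}}HelloService"/>
  </QueryKeyBinding>
</LocateRequest>"""
LOCATE_BAD = f"""<LocateRequest xmlns="{XKMS}" Id="c2" Service="http://example.org/xkms">
  <QueryKeyBinding>
    <UseKeyWith Application="urn:ietf:rfc:2822" Identifier="alice@example.org"/>
  </QueryKeyBinding>
</LocateRequest>"""
RESULT_BAD = f"""<LocateResult xmlns="{XKMS}" Id="r1" Service="http://example.org/xkms"
    ResultMajor="{XKMS}Success">
  <UnverifiedKeyBinding><KeyInfo xmlns="{DS}"><KeyValue/></KeyInfo></UnverifiedKeyBinding>
</LocateResult>"""
```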



<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> colB1 </td>
<td class='confluenceTd'> colB2 </td>
</tr>
</tbody></table>
</div>

    </div>
</div>
</div>
</div>
</div>
</body>
</html>
