cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [CONF] Apache CXF Documentation > XML Key Management Service (XKMS)
Date Wed, 01 May 2013 19:32:00 GMT
    <base href="">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">XML
Key Management Service (XKMS)</a></h2>
    <h4>Page  <b>added</b> by             <a href="">Andrei
    <div class="notificationGreySide">
         <h1><a name="XMLKeyManagementService%28XKMS%29-XMLKeyManagementService%28XKMS%29"></a>XML
Key Management Service (XKMS)</h1>

<h2><a name="XMLKeyManagementService%28XKMS%29-Usecase"></a>Use case</h2>

<p>CXF security uses asymmetric algorithms for different purposes: encryption of symmetric
keys and payloads, signing security tokens and messages, proof of possession.<br/>
Normally the public keys (in form of X509 certificates) are stored in java keystores.</p>

<p>For example, if sender encrypts the message payload sending to the receiver, he should
have access to receiver certificate saved in local keystore. <br/>
The sender uses this certificate for message encryption and receiver decrypts request with
corresponded own private key:</p>

<p><span class="error">Unable to render embedded object: File (classic-message-encryption.jpg)
not found.</span></p>

<p>Seems to be OK? Imagine now that you have production environment with 100 different
clients of this service and service certificate is expired. You should reissue and replace
certificate in ALL client keystores! Even more, if keystores are packaged into war files or
OSGi bundles – they should be unpackaged and updated. Not really acceptable for enterprise

<p>Therefore large service landscapes support central certificates management. It means
that X509 certificates are not stored locally in keystores, but are provided and administrated

<p>Normally it is a responsibility of <a href=""
class="external-link" rel="nofollow">Public Key Infrastructure</a> (PKI) established
in organization. PKI is responsible to create, manage, store, distribute, synchronize and
revoke public certificates and certification authorities (CAs).</p>

<h2><a name="XMLKeyManagementService%28XKMS%29-XKMSSpecification"></a>XKMS

<p>W3C specifies standard protocol to distribute and register public keys that can be
used for XML-based cryptography, including signature and encryption: <a href=""
class="external-link" rel="nofollow">XML Key Management Specification</a> (XKMS 2.0).
The XKMS Specification comprises two parts – the XML Key Information Service Specification
(XKISS) describing the runtime aspects of key lookup and certificate validation and the XML
Key Registration Service Specification (XKRSS) describing the administrative aspects of registering,
renewing, revoking and recovering certificates.</p>
    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href=""
class="grey">Change Notification Preferences</a>
       <a href="">View
       <a href=";showCommentArea=true#addcomment">Add

View raw message