cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r866647 - in /websites/production/cxf/content: cache/docs.pageCache docs/xml-key-management-service-xkms.html
Date Thu, 20 Jun 2013 15:48:22 GMT
Author: buildbot
Date: Thu Jun 20 15:48:22 2013
New Revision: 866647

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/xml-key-management-service-xkms.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/xml-key-management-service-xkms.html
==============================================================================
--- websites/production/cxf/content/docs/xml-key-management-service-xkms.html (original)
+++ websites/production/cxf/content/docs/xml-key-management-service-xkms.html Thu Jun 20 15:48:22
2013
@@ -125,6 +125,8 @@ Apache CXF -- XML Key Management Service
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1><a shape="rect" name="XMLKeyManagementService%28XKMS%29-XMLKeyManagementService%28XKMS%29"></a>XML
Key Management Service (XKMS)</h1>
 
+<p>Available since CXF 3.0.0.</p>
+
 <h2><a shape="rect" name="XMLKeyManagementService%28XKMS%29-Usecase"></a>Use
case</h2>
 
 <p>CXF uses asymmetric algorithms for different purposes: encryption of symmetric keys
and payloads, signing security tokens and messages, proof of possession.<br clear="none">
@@ -206,12 +208,12 @@ Sample spring configuration of XKMS hand
 
     &lt;bean id=<span class="code-quote">"certificateRepo"</span>
         class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo"</span>&gt;
-        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"ldapServerConfig"</span>
/&gt;</span>
+        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"ldapSearch"</span>
/&gt;</span>
         <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"ldapSchemaConfig"</span>
/&gt;</span>
         <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"dc=example,dc=com"</span>
/&gt;</span>
     <span class="code-tag">&lt;/bean&gt;</span>
 
-    <span class="code-tag">&lt;bean id=<span class="code-quote">"ldapServerConfig"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapServerConfig"</span>&gt;</span>
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"ldapSearch"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapSearch"</span>&gt;</span>
         <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"ldap://localhost:2389"</span>
/&gt;</span>
         <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"cn=Directory
Manager,dc=example,dc=com"</span> /&gt;</span>
         <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"test"</span>
/&gt;</span>
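Review bot: the renamed `ldapSearch` bean keeps the same three constructor-args (URL, bind DN, password) that `ldapServerConfig` had, while only the class name changes to `LdapSearch`; please confirm `LdapSearch` really takes those arguments in that order, because the snippet is what readers will copy. The sample also binds as `cn=Directory Manager,dc=example,dc=com` with the password `test` inline, over plain `ldap://`. For a sample that is acceptable, but a sentence noting that a deployment should use a least-privilege bind account, keep the password out of the Spring file (for example via a property placeholder) and use LDAPS or StartTLS for any non-local server would stop this being copied verbatim into production.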
@@ -246,10 +248,17 @@ Sample spring configuration of XKMS hand
 
 <p>dateValidator and trustedAuthorityValidator beans are implementations of Validator
interface for validity date and trusted chain validation. <br clear="none">
 x509Locator and x509Register are implementations of Locator and Register interfaces for X509
certificates.<br clear="none">
-certificateRepo is repository implementation for LDAP backend. LdapServerConfig and LdapSchemaConfig
contain LDAP configuration described in the following table:</p>
+certificateRepo is repository implementation for LDAP backend. LdapSearch and LdapSchemaConfig
contain LDAP configuration described in the following table:</p>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"> Property </th><th colspan="1" rowspan="1" class="confluenceTh">
Sample Value </th><th colspan="1" rowspan="1" class="confluenceTh"> Description
</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ldapServerConfig
arguments </td><td colspan="1" rowspan="1" class="confluenceTd">&#160;</td><td
colspan="1" rowspan="1" class="confluenceTd"> URL, baseDN and credentials of LDAP Server
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> certObjectClass
</td><td colspan="1" rowspan="1" class="confluenceTd"> inetOrgPerson </td><td
colspan="1" rowspan="1" class="confluenceTd"> LDAP object class used to store certificates
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> attrUID
</td><td colspan="1" rowspan="1" class="confluenceTd"> uid </td><td colspan="1"
rowspan="1" class="confluenceTd"> Attribute containing X509 subject DN </td></tr><tr><td
colspan="1" ro
 wspan="1" class="confluenceTd"> attrIssuerID </td><td colspan="1" rowspan="1"
class="confluenceTd"> manager </td><td colspan="1" rowspan="1" class="confluenceTd">
LDAP attribute containing X509 issuer DN </td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> attrSerialNumber </td><td colspan="1" rowspan="1"
class="confluenceTd"> employeeNumber </td><td colspan="1" rowspan="1" class="confluenceTd">
LDAP attribute containing X509 serial number </td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> attrCrtBinary </td><td colspan="1" rowspan="1"
class="confluenceTd"> userCertificate </td><td colspan="1" rowspan="1" class="confluenceTd">
LDAP attribute containing X509 certificate content </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> constAttrNamesCSV </td><td colspan="1"
rowspan="1" class="confluenceTd"> sn </td><td colspan="1" rowspan="1" class="confluenceTd">
Comma separated list of mandatory LDAP attributes </td></tr><tr><td colspan="1"
rows
 pan="1" class="confluenceTd"> constAttrValuesCSV </td><td colspan="1" rowspan="1"
class="confluenceTd"> X509 certificate </td><td colspan="1" rowspan="1" class="confluenceTd">
Comma separated list of mandatory LDAP attributes values </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> serviceCertRDNTemplate </td><td
colspan="1" rowspan="1" class="confluenceTd"> cn=%s,ou=services </td><td colspan="1"
rowspan="1" class="confluenceTd"> Relative distinguished name for service certificates
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> serviceCertUIDTemplate
</td><td colspan="1" rowspan="1" class="confluenceTd"> cn=%s </td><td
colspan="1" rowspan="1" class="confluenceTd"> Template to transform service QName to DN
for storing into attrUID </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
trustedAuthorityFilter </td><td colspan="1" rowspan="1" class="confluenceTd">
(&amp;(objectClass=inetOrgPerson)(ou:dn:=CAs)) </td><td colspan="1" rowspan=
 "1" class="confluenceTd"> Filter to determine trusted CAs for trusted chain validation
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> intermediateFilter
</td><td colspan="1" rowspan="1" class="confluenceTd"> (objectClass=inetOrgPerson)
</td><td colspan="1" rowspan="1" class="confluenceTd"> Filter to determine intermediate
certificates for trusted chain validation </td></tr></tbody></table>
+</div>
+
 
+<h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-Supportedcertificatestypes."></a>Supported
certificates types.</h4>
+<p>XKMS distinguishes following types of X509 certificates:</p>
 <div class="table-wrap">
-<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">Property</th><th colspan="1" rowspan="1" class="confluenceTh">Sample
Value</th><th colspan="1" rowspan="1" class="confluenceTh">Description</th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">ldapServerConfig arguments</td><td
colspan="1" rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" rowspan="1"
class="confluenceTd"> URL, baseDN and credentials of LDAP Server</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">certObjectClass</td><td colspan="1"
rowspan="1" class="confluenceTd">inetOrgPerson</td><td colspan="1" rowspan="1"
class="confluenceTd">LDAP object class used to store certificates</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">attrUID</td><td colspan="1" rowspan="1"
class="confluenceTd">uid</td><td colspan="1" rowspan="1" class="confluenceTd">Attribute
containing X509 subject DN</td></tr><tr><td colspan="1" rowspan="1" class="conf
 luenceTd">attrIssuerID</td><td colspan="1" rowspan="1" class="confluenceTd">manager</td><td
colspan="1" rowspan="1" class="confluenceTd">LDAP attribute containing X509 issuer DN</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">attrSerialNumber</td><td colspan="1"
rowspan="1" class="confluenceTd">employeeNumber</td><td colspan="1" rowspan="1"
class="confluenceTd">LDAP attribute containing X509 serial number</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">attrCrtBinary</td><td colspan="1"
rowspan="1" class="confluenceTd">userCertificate</td><td colspan="1" rowspan="1"
class="confluenceTd">LDAP attribute containing X509 certificate content</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">constAttrNamesCSV</td><td colspan="1"
rowspan="1" class="confluenceTd">sn</td><td colspan="1" rowspan="1" class="confluenceTd">Comma
separated list of mandatory LDAP attributes</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">constAttrValuesC
 SV</td><td colspan="1" rowspan="1" class="confluenceTd">X509 certificate</td><td
colspan="1" rowspan="1" class="confluenceTd">Comma separated list of mandatory LDAP attributes
values</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">serviceCertRDNTemplate</td><td
colspan="1" rowspan="1" class="confluenceTd">cn=%s,ou=services</td><td colspan="1"
rowspan="1" class="confluenceTd">Relative distinguished name for service certificates</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">serviceCertUIDTemplate</td><td colspan="1"
rowspan="1" class="confluenceTd">cn=%s</td><td colspan="1" rowspan="1" class="confluenceTd">Template
to transform service QName to DN for storing into attrUID</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">trustedAuthorityFilter</td><td colspan="1"
rowspan="1" class="confluenceTd">(&amp;(objectClass=inetOrgPerson)(ou:dn:=CAs))</td><td
colspan="1" rowspan="1" class="confluenceTd">Filter to determine trusted CAs for truste
 d chain validation</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">intermediateFilter</td><td
colspan="1" rowspan="1" class="confluenceTd">(objectClass=inetOrgPerson)</td><td
colspan="1" rowspan="1" class="confluenceTd">Filter to determine intermediate certificates
for trusted chain validation</td></tr></tbody></table>
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">Type</th><th colspan="1" rowspan="1" class="confluenceTh">Description</th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> User </td><td colspan="1" rowspan="1"
class="confluenceTd"> Normal user X509 certificate</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> Service </td><td colspan="1" rowspan="1"
class="confluenceTd"> Certificate identifies service. Required application "urn:apache:cxf:service:soap"
by lookup and registration. Identified as {SERVICE_ NAMESPACE}SERVICE_NAME </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> Trusted CA </td><td colspan="1"
rowspan="1" class="confluenceTd"> CAs used as trusted anchor by certificates validations.
Trusted CAs can be retrieved using trustedAuthorityFilter property </td></tr></tbody></table>
 </div>
 
 
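Review bot: the table added at the top of this hunk still has a row labelled `ldapServerConfig arguments`, although the bean was renamed to `ldapSearch` in this same commit and the paragraph just above now says `LdapSearch`; the row label should follow the rename. The `trustedAuthorityFilter` description ("Filter to determine trusted CAs for trusted chain validation") should also say what that implies: every entry matching `(&amp;(objectClass=inetOrgPerson)(ou:dn:=CAs))` becomes a trust anchor, so write access to that subtree is equivalent to being able to issue certificates the service trusts, and the subtree must be write-protected accordingly. Minor: the removed table and the re-added one differ only in whitespace, which makes the hunk noisy; the new heading reads "Supported certificates types." (trailing period, should be "Supported certificate types"); and `{SERVICE_ NAMESPACE}` in the Service row has a stray space.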
@@ -360,7 +369,7 @@ XKMS Service uses following values for r
 </div></div>
 
 <h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-CurrentrestrictionsandToDos"></a>Current
restrictions and ToDos</h4>
-<ul><li>only X509 certificates are supported as keys;</li><li>only
LDAP and File based backends are supported;</li><li>validate operations checks
expiration date, but doesn't validate trusted chain;</li><li>revocation lists
are not implemented;</li><li>more integration tests are required</li></ul>
+<ul><li>only X509 certificates are supported as keys;</li><li>only
LDAP and File based backends are supported;</li><li>revocation lists are not implemented;</li><li>more
integration tests are required</li></ul>
 </div>
            </div>
            <!-- Content -->
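Review bot: dropping the bullet "validate operations checks expiration date, but doesn't validate trusted chain" asserts that chain validation is now implemented, but nothing else in this change states what Validate actually checks (validity date, chain to the anchors selected by `trustedAuthorityFilter`, intermediates selected by `intermediateFilter`); a sentence in the Validate section should say so explicitly. Since "revocation lists are not implemented" remains, a revoked certificate that chains to a trusted CA will still pass Validate; that limitation belongs next to the chain-validation claim, not only in the ToDo list.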


