cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > XML Key Management Service (XKMS)
Date Fri, 21 Jun 2013 09:50:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/XML+Key+Management+Service+%28XKMS%29">XML
Key Management Service (XKMS)</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~ashakirin">Andrei
Shakirin</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >| Trusted CA | CAs used as trusted
anchor by certificates validations. Trusted CAs can be retrieved using trustedAuthorityFilter
property | <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">XKMS
service endpoint is configured in following way: <br> <br>{code:xml} <br>
   &lt;bean id=&quot;xkmsProviderBean&quot; class=&quot;org.apache.cxf.xkms.service.XKMSService&quot;&gt;
<br>        &lt;property name=&quot;validators&quot;&gt; <br>
           &lt;list&gt; <br>                &lt;ref bean=&quot;dateValidator&quot;
/&gt; <br>                &lt;ref bean=&quot;trustedAuthorityValidator&quot;
/&gt; <br>            &lt;/list&gt; <br>        &lt;/property&gt;
<br>        &lt;property name=&quot;locators&quot;&gt; <br>  
         &lt;list&gt; <br>                &lt;ref bean=&quot;x509Locator&quot;
/&gt; <br>            &lt;/list&gt; <br>        &lt;/property&gt;
<br>        &lt;property name=&quot;keyRegisterHandlers&quot;&gt; <br>
           &lt;list&gt; <br>                &lt;ref bean=&quot;x509Register&quot;
/&gt; <br>            &lt;/list&gt; <br>        &lt;/property&gt;
<br>    &lt;/bean&gt; <br> <br>    &lt;jaxws:endpoint id=&quot;XKMSService&quot;
<br>        xmlns:serviceNamespace=&quot;http://www.w3.org/2002/03/xkms#wsdl&quot;
<br>        serviceName=&quot;serviceNamespace:XKMSService&quot; endpointName=&quot;serviceNamespace:XKMSPort&quot;
<br>        implementor=&quot;#xkmsProviderBean&quot; address=&quot;/XKMS&quot;&gt;
<br>    &lt;/jaxws:endpoint&gt; <br>{code} <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h4. Integration XKMS client into CXF
runtime. <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
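            <tr><td class="diff-unchanged">Review bot: the added endpoint snippet references the dateValidator, trustedAuthorityValidator, x509Locator and x509Register beans by id without saying where they are defined; add a sentence stating that these are the handler beans from the Spring sample earlier on the page. Also, since the keyRegisterHandlers list wires in x509Register, the endpoint at address="/XKMS" accepts Register requests that write to the certificate repository, and the jaxws:endpoint declaration carries no access-control configuration; the added text should say how the registration operation is expected to be protected in a deployment.<br> <br></td></tr>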
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="XMLKeyManagementService%28XKMS%29-XMLKeyManagementService%28XKMS%29"></a>XML
Key Management Service (XKMS)</h1>

<p>Available since CXF 3.0.0.</p>

<h2><a name="XMLKeyManagementService%28XKMS%29-Usecase"></a>Use case</h2>

<p>CXF uses asymmetric algorithms for several purposes: encrypting symmetric keys
and payloads, signing security tokens and messages, and proof of possession.<br/>
Normally the public keys (in the form of X509 certificates) are stored in Java keystores.</p>

<p>For example, if a sender encrypts a message payload for a receiver, the sender must
have access to the receiver's certificate, saved in a local keystore. <br/>
The sender uses this certificate to encrypt the message and the receiver decrypts the request with
the corresponding private key:</p>


<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/31820321/classic-message-encryption.jpg?version=1&amp;modificationDate=1367436712000"
style="border: 0px solid black" /></span></p>


<p>Seems OK so far? Now imagine a production environment with 100 different
clients of this service, and the service certificate expires. You would have to reissue the
certificate and replace it in ALL client keystores! Worse, if the keystores are packaged into WAR files or
OSGi bundles, they have to be unpacked and updated. This is not acceptable for enterprise
environments.</p>

<p>Therefore large service landscapes rely on central certificate management: X509
certificates are not stored locally in keystores but are provided and administered
centrally.</p>

<p>Normally this is the responsibility of the <a href="http://en.wikipedia.org/wiki/Public-key_infrastructure"
class="external-link" rel="nofollow">Public Key Infrastructure</a> (PKI) established
in the organization. The PKI creates, manages, stores, distributes, synchronizes and
revokes public certificates and certification authorities (CAs).</p>

<h2><a name="XMLKeyManagementService%28XKMS%29-XKMSSpecification"></a>XKMS
Specification</h2>

<p>The W3C specifies a protocol for distributing and registering public keys, certificates and CAs
for use with XML-based cryptography, including signature and encryption: <a href="http://www.w3.org/TR/xkms2/"
class="external-link" rel="nofollow">XML Key Management Specification</a> (XKMS 2.0).
<br/>
The XKMS specification comprises two parts: the XML Key Information Service Specification
(XKISS), which describes the runtime aspects of key lookup and certificate validation, and the XML
Key Registration Service Specification (XKRSS), which describes the administrative aspects of registering,
renewing, revoking and recovering certificates. <br/>
The CXF XKMS service implements both parts of the specification.</p>

<p>The XKMS SOAP interface can be used as a standard front end to a Public Key Infrastructure
(PKI). With XKMS in place, the message encryption scenario changes in the following
way:</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/31820321/classic-message-encryption-PKI-XKMS.jpg?version=1&amp;modificationDate=1367593577000"
style="border: 0px solid black" /></span></p>

<h3><a name="XMLKeyManagementService%28XKMS%29-XKMSDesign"></a>XKMS Design</h3>

<p>The internal structure of the XKMS service is shown in the following figure:</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/31820321/XKMS-cxf.jpg?version=1&amp;modificationDate=1367512345000"
style="border: 0px solid black" /></span></p>

<p>The XKMS service exposes the SOAP interface specified in <a href="http://www.w3.org/TR/xkms2/"
class="external-link" rel="nofollow">XKMS 2.0</a>. <br/>
The XKMS implementation realizes the <a href="http://en.wikipedia.org/wiki/Chain-of-responsibility_pattern"
class="external-link" rel="nofollow">chain of responsibility design pattern</a>.<br/>
Each XKMS operation defines a handler interface and provides one or more implementations of
this interface. Handler implementations are connected into a chain. <br/>
The operation implementation invokes the handlers of the pre-configured chain one after another, until
either all handlers have been processed or a critical error occurs. <br/>
This design makes the XKMS internals quite flexible: it is easy to add or remove handlers,
change their order, introduce handlers supporting new backends, and so on. <br/>
For example, a certificate can be searched first in the LDAP repository by the LDAP lookup handler
and, if it is not found there, looked up in a remote PKI by an appropriate lookup
handler. The validation operation is organized as a chain as well: the first validation handler
checks the format and expiry date of the X509 certificate, the next one checks the certificate trust chain.</p>
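<p>The handler chains described above, as an added illustration in Python. This is not CXF code (the CXF handlers are Java classes behind the Validator and Locator interfaces); the Cert record, the sample PKI and the dict-backed locators are constructed for the example, and the Valid/Invalid status names follow the XKMS key binding status values. It shows the two behaviours the text names: validators run in configured order and stop at the first critical failure, and locators are asked in turn until one finds the certificate.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    """Key binding status values as reported by XKMS validation."""
    VALID = "Valid"
    INVALID = "Invalid"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X509 certificate; only the fields the handlers need."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


class DateValidator:
    """First handler in the validate chain: is 'now' inside the validity period?"""

    def __init__(self, now):
        self.now = now

    def validate(self, cert):
        if cert.not_before <= self.now <= cert.not_after:
            return Status.VALID
        return Status.INVALID


class TrustedAuthorityValidator:
    """Second handler: follow issuer links through intermediates until a trusted CA is reached."""

    def __init__(self, trusted_cas, intermediates):
        self.trusted = {c.subject: c for c in trusted_cas}
        self.intermediates = {c.subject: c for c in intermediates}

    def validate(self, cert):
        seen = set()
        current = cert
        while current.issuer not in self.trusted:
            if current.issuer in seen or current.issuer not in self.intermediates:
                return Status.INVALID  # cycle, or the chain never reaches a trust anchor
            seen.add(current.issuer)
            current = self.intermediates[current.issuer]
        return Status.VALID


def run_validators(cert, validators):
    """Invoke the configured handlers in order; the first Invalid is critical and stops the chain."""
    for validator in validators:
        if validator.validate(cert) is Status.INVALID:
            return Status.INVALID
    return Status.VALID


class RepoLocator:
    """A locator over one backend (a dict standing in for the LDAP or file repository)."""

    def __init__(self, repo):
        self.repo = repo

    def locate(self, identifier):
        return self.repo.get(identifier)


def run_locators(identifier, locators):
    """Ask each locator in turn (e.g. LDAP first, remote PKI second); the first hit wins."""
    for locator in locators:
        found = locator.locate(identifier)
        if found is not None:
            return found
    return None  # the service reports this as ResultMinor NoMatch


def demo():
    """Constructed sample PKI: root CA -> intermediate -> leaf, plus two bad certificates."""
    def year(y):
        return datetime(y, 1, 1, tzinfo=timezone.utc)

    root = Cert("CN=Root CA", "CN=Root CA", year(2010), year(2040))
    inter = Cert("CN=Issuing CA", "CN=Root CA", year(2012), year(2035))
    leaf = Cert("CN=www.client.com", "CN=Issuing CA", year(2013), year(2030))
    expired = Cert("CN=old.client.com", "CN=Issuing CA", year(2005), year(2012))
    rogue = Cert("CN=evil.client.com", "CN=Unknown CA", year(2013), year(2030))

    now = datetime(2013, 6, 21, tzinfo=timezone.utc)
    validators = [DateValidator(now), TrustedAuthorityValidator([root], [inter])]
    locators = [RepoLocator({}), RepoLocator({"CN=www.client.com": leaf})]  # first backend is empty
    return {
        "leaf": run_validators(leaf, validators),
        "expired": run_validators(expired, validators),
        "rogue": run_validators(rogue, validators),
        "located": run_locators("CN=www.client.com", locators),
        "missing": run_locators("CN=nobody", locators),
    }
```

<p>Reordering the list passed to run_validators or run_locators changes the behaviour without touching the handlers, which is the flexibility the design aims at; note that the trust check also rejects an issuer loop, which a naive "walk up the issuer" implementation would spin on.</p>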

<p>Currently the XKMS service supports a simple file-based backend and an LDAP backend.<br/>
A sample Spring configuration of the XKMS handlers looks like this:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
    <span class="code-keyword">xmlns:cxf</span>=<span class="code-quote">"http://cxf.apache.org/core"</span>
<span class="code-keyword">xmlns:jaxws</span>=<span class="code-quote">"http://cxf.apache.org/jaxws"</span>
    <span class="code-keyword">xmlns:test</span>=<span class="code-quote">"http://apache.org/hello_world_soap_http"</span>
<span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
    <span class="code-keyword">xmlns:util</span>=<span class="code-quote">"http://www.springframework.org/schema/util"</span>
    xsi:schemaLocation="
        http://cxf.apache.org/core
        http://cxf.apache.org/schemas/core.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://cxf.apache.org/jaxws                                     
        http://cxf.apache.org/schemas/jaxws.xsd
        http://www.springframework.org/schema/util
        http://www.springframework.org/schema/util/spring-util-2.0.xsd"&gt;


    <span class="code-tag">&lt;bean id=<span class="code-quote">"dateValidator"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.validator.DateValidator"</span>
/&gt;</span>

    &lt;bean id=<span class="code-quote">"trustedAuthorityValidator"</span>
        class=<span class="code-quote">"org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator"</span>&gt;
        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"certificateRepo"</span>
/&gt;</span>
    <span class="code-tag">&lt;/bean&gt;</span>

    <span class="code-tag">&lt;bean id=<span class="code-quote">"x509Locator"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.handlers.X509Locator"</span>&gt;</span>
        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"certificateRepo"</span>
/&gt;</span>
    <span class="code-tag">&lt;/bean&gt;</span>

    &lt;bean id=<span class="code-quote">"x509Register"</span>
        class=<span class="code-quote">"org.apache.cxf.xkms.x509.handlers.X509Register"</span>&gt;
        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"certificateRepo"</span>
/&gt;</span>
    <span class="code-tag">&lt;/bean&gt;</span>


    <span class="code-tag"><span class="code-comment">&lt;!-- LDAP based implementation
--&gt;</span></span>

    &lt;bean id=<span class="code-quote">"certificateRepo"</span>
        class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo"</span>&gt;
        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"ldapSearch"</span>
/&gt;</span>
        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"ldapSchemaConfig"</span>
/&gt;</span>
        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"dc=example,dc=com"</span>
/&gt;</span>
    <span class="code-tag">&lt;/bean&gt;</span>

    <span class="code-tag">&lt;bean id=<span class="code-quote">"ldapSearch"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapSearch"</span>&gt;</span>
        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"ldap://localhost:2389"</span>
/&gt;</span>
        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"cn=Directory
Manager,dc=example,dc=com"</span> /&gt;</span>
        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"test"</span>
/&gt;</span>
        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"2"</span>
/&gt;</span>
    <span class="code-tag">&lt;/bean&gt;</span>

    <span class="code-tag">&lt;bean id=<span class="code-quote">"ldapSchemaConfig"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig"</span>&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"certObjectClass"</span>
value=<span class="code-quote">"inetOrgPerson"</span> /&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"attrUID"</span>
value=<span class="code-quote">"uid"</span> /&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"attrIssuerID"</span>
value=<span class="code-quote">"manager"</span> /&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"attrSerialNumber"</span>
value=<span class="code-quote">"employeeNumber"</span> /&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"attrCrtBinary"</span>
value=<span class="code-quote">"userCertificate;binary"</span> /&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"constAttrNamesCSV"</span>
value=<span class="code-quote">"sn"</span> /&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"constAttrValuesCSV"</span>
value=<span class="code-quote">"X509 certificate"</span> /&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"serviceCertRDNTemplate"</span>
value=<span class="code-quote">"cn=%s,ou=services"</span> /&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"serviceCertUIDTemplate"</span>
value=<span class="code-quote">"cn=%s"</span> /&gt;</span>
	<span class="code-tag">&lt;property name=<span class="code-quote">"trustedAuthorityFilter"</span>
value=<span class="code-quote">"(&amp;#038;(objectClass=inetOrgPerson)(ou:dn:=CAs))"</span>
/&gt;</span>
	<span class="code-tag">&lt;property name=<span class="code-quote">"intermediateFilter"</span>
value=<span class="code-quote">"(objectClass=inetOrgPerson)"</span> /&gt;</span>
    <span class="code-tag">&lt;/bean&gt;</span>


    <span class="code-tag"><span class="code-comment">&lt;!-- File based implementation
--&gt;</span></span>

    &lt;!-- bean id=<span class="code-quote">"certificateRepo"</span>
        class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo"</span>&gt;
        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"../conf/certs"</span>
/&gt;</span>
    <span class="code-tag">&lt;/bean--&gt;</span>

<span class="code-tag">&lt;/beans&gt;</span>
</pre>
</div></div>


<p>The dateValidator and trustedAuthorityValidator beans are implementations of the Validator
interface for validity-date and trust-chain validation. <br/>
x509Locator and x509Register are implementations of the Locator and Register interfaces for X509
certificates.<br/>
certificateRepo is the repository implementation for the LDAP backend. LdapSearch and LdapSchemaConfig
carry the LDAP configuration described in the following table:</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Property </th>
<th class='confluenceTh'> Sample Value </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> ldapServerConfig arguments </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> URL, baseDN and credentials of LDAP Server </td>
</tr>
<tr>
<td class='confluenceTd'> certObjectClass </td>
<td class='confluenceTd'> inetOrgPerson </td>
<td class='confluenceTd'> LDAP object class used to store certificates </td>
</tr>
<tr>
<td class='confluenceTd'> attrUID </td>
<td class='confluenceTd'> uid </td>
<td class='confluenceTd'> LDAP attribute containing the X509 subject DN </td>
</tr>
<tr>
<td class='confluenceTd'> attrIssuerID </td>
<td class='confluenceTd'> manager </td>
<td class='confluenceTd'> LDAP attribute containing X509 issuer DN </td>
</tr>
<tr>
<td class='confluenceTd'> attrSerialNumber </td>
<td class='confluenceTd'> employeeNumber </td>
<td class='confluenceTd'> LDAP attribute containing X509 serial number </td>
</tr>
<tr>
<td class='confluenceTd'> attrCrtBinary </td>
<td class='confluenceTd'> userCertificate </td>
<td class='confluenceTd'> LDAP attribute containing X509 certificate content </td>
</tr>
<tr>
<td class='confluenceTd'> constAttrNamesCSV </td>
<td class='confluenceTd'> sn </td>
<td class='confluenceTd'> Comma-separated list of mandatory LDAP attribute names </td>
</tr>
<tr>
<td class='confluenceTd'> constAttrValuesCSV </td>
<td class='confluenceTd'> X509 certificate </td>
<td class='confluenceTd'> Comma-separated list of the values for those mandatory attributes </td>
</tr>
<tr>
<td class='confluenceTd'> serviceCertRDNTemplate </td>
<td class='confluenceTd'> cn=%s,ou=services </td>
<td class='confluenceTd'> Relative distinguished name for service certificates </td>
</tr>
<tr>
<td class='confluenceTd'> serviceCertUIDTemplate </td>
<td class='confluenceTd'> cn=%s </td>
<td class='confluenceTd'> Template to transform service QName to DN for storing into
attrUID </td>
</tr>
<tr>
<td class='confluenceTd'> trustedAuthorityFilter </td>
<td class='confluenceTd'> (&#038;(objectClass=inetOrgPerson)(ou:dn:=CAs)) </td>
<td class='confluenceTd'> Filter to determine trusted CAs for trusted chain validation
</td>
</tr>
<tr>
<td class='confluenceTd'> intermediateFilter </td>
<td class='confluenceTd'> (objectClass=inetOrgPerson) </td>
<td class='confluenceTd'> Filter to determine intermediate certificates for trusted
chain validation </td>
</tr>
</tbody></table>
</div>
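<p>How the LdapSchemaConfig values in the table are applied, as an added Python illustration that is not the CXF LdapCertificateRepo code. The mapping itself (which attribute receives the subject DN, the issuer DN, the serial number and the certificate bytes, and how the two templates are filled with the {SERVICE_NAMESPACE}SERVICE_NAME service id) is an assumption drawn from the table. The two escaping helpers are a hardening addition the page does not discuss: a subject DN or service name arrives from the request, so it must be escaped before it is placed into a DN template (RFC 4514) or a search filter (RFC 4515).</p>

```python
# Values copied from the LdapSchemaConfig bean on this page
SCHEMA = {
    "certObjectClass": "inetOrgPerson",
    "attrUID": "uid",
    "attrIssuerID": "manager",
    "attrSerialNumber": "employeeNumber",
    "attrCrtBinary": "userCertificate;binary",
    "constAttrNamesCSV": "sn",
    "constAttrValuesCSV": "X509 certificate",
    "serviceCertRDNTemplate": "cn=%s,ou=services",
    "serviceCertUIDTemplate": "cn=%s",
}
BASE_DN = "dc=example,dc=com"  # third constructor argument of certificateRepo on this page

APP_X509 = "urn:ietf:rfc:2459"                   # Identifier is an X509 subject DN
APP_CXF_SERVICE = "urn:apache:cxf:service:soap"  # Identifier is {SERVICE_NAMESPACE}SERVICE_NAME


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value inside a DN, so that a name containing
    ',' or ';' cannot add extra RDNs to the template (hardening, assumed not in the page)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def service_id(namespace, name):
    """The {SERVICE_NAMESPACE}SERVICE_NAME form used for service certificates."""
    return "{%s}%s" % (namespace, name)


def service_entry(namespace, name, issuer_dn, serial, der_bytes):
    """Assumed mapping of a service certificate onto an LDAP entry: the DN comes from
    serviceCertRDNTemplate, the uid from serviceCertUIDTemplate, and the constant
    attributes from constAttrNamesCSV/constAttrValuesCSV."""
    sid = service_id(namespace, name)
    dn = "%s,%s" % (SCHEMA["serviceCertRDNTemplate"] % escape_dn_value(sid), BASE_DN)
    attrs = {
        "objectClass": SCHEMA["certObjectClass"],
        SCHEMA["attrUID"]: SCHEMA["serviceCertUIDTemplate"] % sid,
        SCHEMA["attrIssuerID"]: issuer_dn,
        SCHEMA["attrSerialNumber"]: str(serial),
        SCHEMA["attrCrtBinary"]: der_bytes,
    }
    names = SCHEMA["constAttrNamesCSV"].split(",")
    values = SCHEMA["constAttrValuesCSV"].split(",")
    for attr_name, attr_value in zip(names, values):
        attrs[attr_name.strip()] = attr_value.strip()
    return dn, attrs


def lookup_filter(application, identifier):
    """Search filter for the Locate operation: attrUID holds either the subject DN
    (urn:ietf:rfc:2459) or the templated service id (urn:apache:cxf:service:soap)."""
    if application == APP_X509:
        uid = identifier
    elif application == APP_CXF_SERVICE:
        uid = SCHEMA["serviceCertUIDTemplate"] % identifier
    else:
        raise ValueError("Application identifier not supported")
    return "(&(objectClass=%s)(%s=%s))" % (
        SCHEMA["certObjectClass"], SCHEMA["attrUID"], escape_filter_value(uid))
```

<p>The trustedAuthorityFilter and intermediateFilter values are used as configured and never contain request data, so they need no escaping; the lookup filter does, because the subject DN it embeds is whatever the caller put into UseKeyWith@Identifier.</p>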


<h4><a name="XMLKeyManagementService%28XKMS%29-Supportedcertificatestypes."></a>Supported
certificate types</h4>
<p>XKMS distinguishes the following types of X509 certificates:</p>
<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>Type</th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'> User </td>
<td class='confluenceTd'> Normal user X509 certificate</td>
</tr>
<tr>
<td class='confluenceTd'> Service </td>
<td class='confluenceTd'> Certificate identifying a service. Lookup and registration require the application "urn:apache:cxf:service:soap".
Identified as {SERVICE_NAMESPACE}SERVICE_NAME </td>
</tr>
<tr>
<td class='confluenceTd'> Trusted CA </td>
<td class='confluenceTd'> CAs used as trust anchors by certificate validation. Trusted
CAs are retrieved using the trustedAuthorityFilter property </td>
</tr>
</tbody></table>
</div>


<p>The XKMS service endpoint is configured in the following way:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
    <span class="code-tag">&lt;bean id=<span class="code-quote">"xkmsProviderBean"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.service.XKMSService"</span>&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"validators"</span>&gt;</span>
            <span class="code-tag">&lt;list&gt;</span>
                <span class="code-tag">&lt;ref bean=<span class="code-quote">"dateValidator"</span>
/&gt;</span>
                <span class="code-tag">&lt;ref bean=<span class="code-quote">"trustedAuthorityValidator"</span>
/&gt;</span>
            <span class="code-tag">&lt;/list&gt;</span>
        <span class="code-tag">&lt;/property&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"locators"</span>&gt;</span>
            <span class="code-tag">&lt;list&gt;</span>
                <span class="code-tag">&lt;ref bean=<span class="code-quote">"x509Locator"</span>
/&gt;</span>
            <span class="code-tag">&lt;/list&gt;</span>
        <span class="code-tag">&lt;/property&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"keyRegisterHandlers"</span>&gt;</span>
            <span class="code-tag">&lt;list&gt;</span>
                <span class="code-tag">&lt;ref bean=<span class="code-quote">"x509Register"</span>
/&gt;</span>
            <span class="code-tag">&lt;/list&gt;</span>
        <span class="code-tag">&lt;/property&gt;</span>
    <span class="code-tag">&lt;/bean&gt;</span>

    &lt;jaxws:endpoint id=<span class="code-quote">"XKMSService"</span>
        <span class="code-keyword">xmlns:serviceNamespace</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#wsdl"</span>
        serviceName=<span class="code-quote">"serviceNamespace:XKMSService"</span>
endpointName=<span class="code-quote">"serviceNamespace:XKMSPort"</span>
        implementor=<span class="code-quote">"#xkmsProviderBean"</span> address=<span
class="code-quote">"/XKMS"</span>&gt;
    <span class="code-tag">&lt;/jaxws:endpoint&gt;</span>
</pre>
</div></div>

<h4><a name="XMLKeyManagementService%28XKMS%29-IntegrationXKMSclientintoCXFruntime."></a>Integration
of the XKMS client into the CXF runtime</h4>

<p>The XKMS client can be integrated into CXF and WSS4J using a custom Crypto provider implementation.
In this case the XKMS service is invoked automatically whenever WSS4J requires or validates a certificate.
Details are described in this <a href="http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html"
class="external-link" rel="nofollow">blog</a>. A sample XKMS-based implementation of the
WSS4J Crypto interface is contributed in the XKMS Client component. </p>

<h4><a name="XMLKeyManagementService%28XKMS%29-DataFormats"></a>Data Formats</h4>

<p>Input and output data formats are specified in XML Key Management Service Specification
Version 2.0 (see <a href="/confluence/pages/createpage.action?spaceKey=CXF20DOC&amp;title=XKMS+2.0&amp;linkCreation=true&amp;fromPageId=31820321"
class="createlink">XKMS 2.0</a>). However, the XKMS service supports only a subset of the specified
requests and responses.<br/>
The restrictions on request and response formats are described in the following table:</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>Element XPath</th>
<th class='confluenceTh'>Supporting values</th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'>RootElement/QueryKeyBinding/UseKeyWith@Application </td>
<td class='confluenceTd'> urn:ietf:rfc:2459 </td>
<td class='confluenceTd'> The Application specifies that the Identifier attribute holds an X509 Subject DN.
Used for normal user certificates</td>
</tr>
<tr>
<td class='confluenceTd'>RootElement/QueryKeyBinding/UseKeyWith@Application </td>
<td class='confluenceTd'> urn:apache:cxf:service:soap </td>
<td class='confluenceTd'> The Application specifies that the Identifier attribute holds a service id in the form
{SERVICE_NAMESPACE}SERVICE_NAME. Used for service certificates</td>
</tr>
<tr>
<td class='confluenceTd'>RootElement/QueryKeyBinding/UseKeyWith@Identifier </td>
<td class='confluenceTd'> X509 Subject DN or service name as {SERVICE_NAMESPACE}SERVICE_NAME
</td>
<td class='confluenceTd'> Depending on the Application attribute, the public key is identified
by X509 Subject DN (user certificates) or by service name (service certificates)</td>
</tr>
<tr>
<td class='confluenceTd'>RootElement/UnverifiedKeyBinding/KeyInfo </td>
<td class='confluenceTd'> X509Data/X509Certificate </td>
<td class='confluenceTd'> Only X509Data with X509Certificate is supported</td>
</tr>
</tbody></table>
</div>


<h4><a name="XMLKeyManagementService%28XKMS%29-ErrorHandling"></a>Error
Handling</h4>

<p>Success and fault response formats are specified in <a href="/confluence/pages/createpage.action?spaceKey=CXF20DOC&amp;title=XKMS+2.0&amp;linkCreation=true&amp;fromPageId=31820321"
class="createlink">XKMS 2.0</a>. Error conditions in the XKMS service are reported using the
ResultMajor and ResultMinor attributes of the root response element.<br/>
The XKMS service uses the following values for response codes:</p>

<p>ResultMajor</p>
<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>Value</th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'> Success</td>
<td class='confluenceTd'> The operation succeeded. </td>
</tr>
<tr>
<td class='confluenceTd'> Receiver</td>
<td class='confluenceTd'> An error occurred at the receiver. </td>
</tr>
<tr>
<td class='confluenceTd'> Sender</td>
<td class='confluenceTd'> An error occurred that was due to the message sent by the
sender. </td>
</tr>
</tbody></table>
</div>



<p>ResultMinor</p>
<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>Value</th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'> Failure</td>
<td class='confluenceTd'> The service attempted to perform the request but the operation
failed. </td>
</tr>
<tr>
<td class='confluenceTd'> NoMatch</td>
<td class='confluenceTd'> No match was found for the search prototype provided. </td>
</tr>
<tr>
<td class='confluenceTd'> TooManyResponses</td>
<td class='confluenceTd'> The request resulted in a number of responses that exceeded a
limit determined by the service. </td>
</tr>
<tr>
<td class='confluenceTd'> TimeInstantNotSupported</td>
<td class='confluenceTd'> The receiver has refused the operation because it does not
support the TimeInstant element. </td>
</tr>
</tbody></table>
</div>


<h4><a name="XMLKeyManagementService%28XKMS%29-Deployment"></a>Deployment</h4>

<p>The XKMS service can be deployed into web and OSGi containers. The service implementation
has been tested with Tomcat and Karaf.</p>

<h4><a name="XMLKeyManagementService%28XKMS%29-SampleRequestsandResponses"></a>Sample
Requests and Responses</h4>
<p>Sample request for Locate operation:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;soap:Envelope <span class="code-keyword">xmlns:soap</span>=<span
class="code-quote">"http://schemas.xmlsoap.org/soap/envelope/"</span>&gt;</span>
    <span class="code-tag">&lt;soap:Body&gt;</span>
        &lt;ns2:LocateRequest xmlns=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>
            <span class="code-keyword">xmlns:ns2</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#"</span>

            <span class="code-keyword">xmlns:ns3</span>=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#"</span>
            Id=<span class="code-quote">"I047257513d19456687e6b4f4a2a72606"</span>
Service=<span class="code-quote">"http://cxf.apache.org/services/XKMS/"</span>&gt;
            <span class="code-tag">&lt;ns2:QueryKeyBinding&gt;</span>
                &lt;ns2:UseKeyWith Application=<span class="code-quote">"urn:ietf:rfc:2459"</span>
                    Identifier=<span class="code-quote">"EMAILADDRESS=client@client.com,
CN=www.client.com, OU=IT Department, O=Sample Client -- NOT FOR PRODUCTION, L=Niagara Falls,
ST=New York, C=US"</span> /&gt;
            <span class="code-tag">&lt;/ns2:QueryKeyBinding&gt;</span>
        <span class="code-tag">&lt;/ns2:LocateRequest&gt;</span>
    <span class="code-tag">&lt;/soap:Body&gt;</span>
<span class="code-tag">&lt;/soap:Envelope&gt;</span>
</pre>
</div></div>

<p>Sample response for Locate operation:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;soap:Envelope <span class="code-keyword">xmlns:soap</span>=<span
class="code-quote">"http://schemas.xmlsoap.org/soap/envelope/"</span>&gt;</span>
    <span class="code-tag">&lt;soap:Body&gt;</span>
        &lt;ns2:LocateResult ResultMajor=<span class="code-quote">"http://www.w3.org/2002/03/xkms#Success"</span>
            RequestId=<span class="code-quote">"I047257513d19456687e6b4f4a2a72606"</span>
Id=<span class="code-quote">"I0758390284847918129574923948"</span>
            Service=<span class="code-quote">"http://cxf.apache.org/services/XKMS/"</span>

            <span class="code-keyword">xmlns:ns2</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#"</span>
            <span class="code-keyword">xmlns:ns3</span>=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#"</span>

            <span class="code-keyword">xmlns:ns4</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>
            <span class="code-keyword">xmlns:ns5</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#wsdl"</span>&gt;
            <span class="code-tag">&lt;ns2:UnverifiedKeyBinding&gt;</span>
                <span class="code-tag">&lt;ns4:KeyInfo&gt;</span>
                    <span class="code-tag">&lt;ns4:X509Data&gt;</span>
                        <span class="code-tag">&lt;ns4:X509Certificate&gt;</span>…
<span class="code-tag">&lt;/ns4:X509Certificate&gt;</span>
                    <span class="code-tag">&lt;/ns4:X509Data&gt;</span>
                <span class="code-tag">&lt;/ns4:KeyInfo&gt;</span>
            <span class="code-tag">&lt;/ns2:UnverifiedKeyBinding&gt;</span>
        <span class="code-tag">&lt;/ns2:LocateResult&gt;</span>
    <span class="code-tag">&lt;/soap:Body&gt;</span>
<span class="code-tag">&lt;/soap:Envelope&gt;</span>
</pre>
</div></div>

<p>Sample error message:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;soap:Envelope <span class="code-keyword">xmlns:soap</span>=<span
class="code-quote">"http://schemas.xmlsoap.org/soap/envelope/"</span>&gt;</span>
    <span class="code-tag">&lt;soap:Body&gt;</span>
        &lt;ns2:LocateResult ResultMajor=<span class="code-quote">"http://www.w3.org/2002/03/xkms#Receiver"</span>
            ResultMinor=<span class="code-quote">"http://www.w3.org/2002/03/xkms#Failure"</span>
            RequestId=<span class="code-quote">"I047257513d19456687e6b4f4a2a72606"</span>
Id=<span class="code-quote">"I0758390284847918129574923948"</span>
            Service=<span class="code-quote">"http://cxf.apache.org/services/XKMS/"</span>

            <span class="code-keyword">xmlns:ns2</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#"</span>
            <span class="code-keyword">xmlns:ns3</span>=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#"</span>

            <span class="code-keyword">xmlns:ns4</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>
            <span class="code-keyword">xmlns:ns5</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#wsdl"</span>&gt;

            &lt;ns2:MessageExtension xsi:type=<span class="code-quote">"ns5:resultDetails"</span>
                <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>&gt;
                <span class="code-tag">&lt;Details&gt;</span>Search certificates
failure: Application
                    identifier not supported<span class="code-tag">&lt;/Details&gt;</span>
            <span class="code-tag">&lt;/ns2:MessageExtension&gt;</span>
        <span class="code-tag">&lt;/ns2:LocateResult&gt;</span>
    <span class="code-tag">&lt;/soap:Body&gt;</span>
<span class="code-tag">&lt;/soap:Envelope&gt;</span>
</pre>
</div></div>
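<p>A client-side view of the Data Formats and Error Handling sections and of the three samples above, as an added Python example using only the standard library; it is not part of the CXF XKMS client. It builds a LocateRequest restricted to the two UseKeyWith@Application values the page supports and parses a LocateResult into its ResultMajor/ResultMinor codes, the Details text of a resultDetails extension and the X509Certificate bytes. The two responses it parses are constructed to match the shape of the page's samples; the certificate content is a placeholder byte string, not a real certificate, and the serializer uses the prefixes soap/xkms/ds instead of the ns2/ns4 prefixes in the samples (the namespaces are the same).</p>

```python
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XKMS = "http://www.w3.org/2002/03/xkms#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
XKMS_SERVICE = "http://cxf.apache.org/services/XKMS/"

APP_X509 = "urn:ietf:rfc:2459"                   # Identifier = X509 subject DN
APP_CXF_SERVICE = "urn:apache:cxf:service:soap"  # Identifier = {SERVICE_NAMESPACE}SERVICE_NAME

# ElementTree reserves the "nsN" prefixes for itself, so the serialized request uses these
# names instead of the ns2/ns4 prefixes seen in the page's samples.
ET.register_namespace("soap", SOAP)
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DSIG)


def build_locate_request(application, identifier, request_id):
    """Build a LocateRequest envelope limited to the UseKeyWith@Application values the page supports."""
    if application not in (APP_X509, APP_CXF_SERVICE):
        raise ValueError("unsupported UseKeyWith@Application: %s" % application)
    env = ET.Element("{%s}Envelope" % SOAP)
    body = ET.SubElement(env, "{%s}Body" % SOAP)
    req = ET.SubElement(body, "{%s}LocateRequest" % XKMS,
                        {"Id": request_id, "Service": XKMS_SERVICE})
    qkb = ET.SubElement(req, "{%s}QueryKeyBinding" % XKMS)
    ET.SubElement(qkb, "{%s}UseKeyWith" % XKMS,
                  {"Application": application, "Identifier": identifier})
    return ET.tostring(env, encoding="utf-8")


def parse_locate_result(xml_bytes):
    """Extract ResultMajor/ResultMinor (local part after '#'), the Details text of a
    resultDetails extension, and the DER bytes of every X509Certificate returned."""
    root = ET.fromstring(xml_bytes)
    result = root.find("{%s}Body/{%s}LocateResult" % (SOAP, XKMS))
    if result is None:
        raise ValueError("no LocateResult element in response")

    def code(attr):
        value = result.get(attr)
        return value.rsplit("#", 1)[-1] if value else None

    details = result.find(".//Details")  # unqualified element, as in the page's error sample
    return {
        "major": code("ResultMajor"),
        "minor": code("ResultMinor"),
        "request_id": result.get("RequestId"),
        "details": " ".join(details.text.split()) if details is not None and details.text else None,
        "certs": [base64.b64decode(e.text or "")
                  for e in result.iter("{%s}X509Certificate" % DSIG)],
    }


# Constructed responses shaped like the page's samples. FAKE_DER is a placeholder byte
# string, not a real certificate; a real client would hand the bytes to an X509 parser.
FAKE_DER = b"\x30\x03\x02\x01\x01"
OK_RESPONSE = ("""<soap:Envelope xmlns:soap="%s"><soap:Body>
<ns2:LocateResult ResultMajor="%sSuccess" RequestId="I0472" Id="I0758" Service="%s"
    xmlns:ns2="%s" xmlns:ns4="%s">
  <ns2:UnverifiedKeyBinding><ns4:KeyInfo><ns4:X509Data>
    <ns4:X509Certificate>%s</ns4:X509Certificate>
  </ns4:X509Data></ns4:KeyInfo></ns2:UnverifiedKeyBinding>
</ns2:LocateResult></soap:Body></soap:Envelope>"""
               % (SOAP, XKMS, XKMS_SERVICE, XKMS, DSIG, base64.b64encode(FAKE_DER).decode())).encode()

ERR_RESPONSE = ("""<soap:Envelope xmlns:soap="%s"><soap:Body>
<ns2:LocateResult ResultMajor="%sReceiver" ResultMinor="%sFailure" RequestId="I0472" Id="I0758"
    Service="%s" xmlns:ns2="%s" xmlns:ns5="%swsdl">
  <ns2:MessageExtension xsi:type="ns5:resultDetails"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Details>Search certificates failure: Application
        identifier not supported</Details>
  </ns2:MessageExtension>
</ns2:LocateResult></soap:Body></soap:Envelope>"""
                % (SOAP, XKMS, XKMS, XKMS_SERVICE, XKMS, XKMS)).encode()


def demo():
    """Round-trip a request through the serializer and parse the two constructed responses."""
    req = build_locate_request(APP_X509, "CN=www.client.com, O=Sample Client, C=US", "I0472")
    use_key_with = ET.fromstring(req).find(".//{%s}UseKeyWith" % XKMS)
    return {
        "request_identifier": use_key_with.get("Identifier"),
        "ok": parse_locate_result(OK_RESPONSE),
        "err": parse_locate_result(ERR_RESPONSE),
    }
```

<p>A caller should branch on the parsed major code before touching the certificate list: a Receiver/Sender result carries no key binding, and the response comes back as an UnverifiedKeyBinding, so the bytes a Locate returns still have to go through Validate (or the local trust check) before they are used for encryption or signature verification.</p>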

<h4><a name="XMLKeyManagementService%28XKMS%29-CurrentrestrictionsandToDos"></a>Current
restrictions and to-dos</h4>
<ul>
	<li>only X509 certificates are supported as keys;</li>
	<li>only LDAP and File based backends are supported;</li>
	<li>revocation lists are not implemented;</li>
	<li>more integration tests are required.</li>
</ul>

    </div>
</div>
</div>
</div>
</div>
</body>
</html>
