cxf-commits mailing list archives

From "Colm O hEigeartaigh (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF Documentation > XML Key Management Service (XKMS)
Date Tue, 09 Jul 2013 10:20:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/XML+Key+Management+Service+%28XKMS%29">XML
Key Management Service (XKMS)</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
        <br/>
                         <h4>Changes (31)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h2. Use case <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >CXF uses asymmetric algorithms
for different purposes: encryption of symmetric keys and payloads, signing security tokens
and messages, proof of <span class="diff-changed-words">possession<span class="diff-added-chars"style="background-color:
#dfd;">, etc</span>.</span> <br></td></tr>
            <tr><td class="diff-changed-lines" >Normally the public keys (in <span
class="diff-added-words"style="background-color: #dfd;">the</span> form of X509 certificates)
are stored in java keystores. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-changed-lines" >For example, if <span class="diff-added-words"style="background-color:
#dfd;">the</span> sender encrypts the message payload sending to the receiver, he
should have access to <span class="diff-added-words"style="background-color: #dfd;">the</span>
receiver certificate saved in <span class="diff-added-words"style="background-color: #dfd;">the</span>
local keystore. <br></td></tr>
            <tr><td class="diff-changed-lines" >The sender uses this certificate
for message encryption and receiver decrypts <span class="diff-added-words"style="background-color:
#dfd;">the</span> request with <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">corresponded
own</span> <span class="diff-added-words"style="background-color: #dfd;">the corresponding</span>
private key: <br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Seems to be OK? Imagine now that
you have <span class="diff-added-words"style="background-color: #dfd;">a</span>
production environment with 100 different clients of this service and <span class="diff-added-words"style="background-color:
#dfd;">the</span> service certificate is expired. You should reissue and replace
<span class="diff-added-words"style="background-color: #dfd;">the</span> certificate
in ALL client keystores! Even more, if keystores are packaged into war files or OSGi bundles
– they should be unpackaged and updated. Not really acceptable for enterprise environments.
<br></td></tr>
            <tr><td class="diff-unchanged" > <br>Therefore large service
landscapes support central certificates management. It means that X509 certificates are not
stored locally in keystores, but are provided and administrated centrally. <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Normally it is a responsibility
of [Public Key Infrastructure|http://en.wikipedia.org/wiki/Public-key_infrastructure] (PKI)
established in <span class="diff-added-words"style="background-color: #dfd;">the</span>
organization. PKI is responsible to create, manage, store, distribute, synchronize and revoke
public certificates and certification authorities (CAs). <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h2. XKMS Specification
<br> <br></td></tr>
            <tr><td class="diff-changed-lines" >W3C specifies <span class="diff-added-words"style="background-color:
#dfd;">a</span> protocol to distribute and register public keys, certificates and
CAs that can be used for XML-based cryptography, including signature and encryption: [XML
Key Management Specification|http://www.w3.org/TR/xkms2/] (XKMS 2.0). <br></td></tr>
            <tr><td class="diff-changed-lines" >The XKMS Specification comprises
two parts – the XML Key Information Service Specification (XKISS) describing the runtime
aspects of key lookup and certificate <span class="diff-changed-words">validation<span
class="diff-added-chars"style="background-color: #dfd;">,</span></span> and
the XML Key Registration Service Specification (XKRSS) describing the administrative aspects
of registering, renewing, revoking and recovering certificates. <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-added-words"style="background-color:
#dfd;">The</span> XKMS Service implements both parts of specification. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-added-words"style="background-color:
#dfd;">The</span> XKMS SOAP interface can be used as <span class="diff-added-words"style="background-color:
#dfd;">a</span> standard frontend to access <span class="diff-added-words"style="background-color:
#dfd;">the</span> Public Key Infrastructure (PKI). Using XKMS message encryption
<span class="diff-changed-words">scenario<span class="diff-added-chars"style="background-color:
#dfd;">,</span> <span class="diff-added-chars"style="background-color: #dfd;">the</span></span>
message encryption picture will change in <span class="diff-added-words"style="background-color:
#dfd;">the</span> following way: <br></td></tr>
            <tr><td class="diff-unchanged" > <br>!classic-message-encryption-PKI-XKMS.jpg!
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h3. XKMS Design <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Internal structure of XKMS service
is represented <span class="diff-changed-words"><span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">o</span><span
class="diff-added-chars"style="background-color: #dfd;">i</span>n</span> the
following figure: <br></td></tr>
            <tr><td class="diff-unchanged" > <br>!XKMS-cxf.jpg! <br>
<br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-added-words"style="background-color:
#dfd;">The</span> XKMS Service exposes <span class="diff-added-words"style="background-color:
#dfd;">a</span> SOAP interface specified in [XKMS 2.0|http://www.w3.org/TR/xkms2/].
<br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-added-words"style="background-color:
#dfd;">The</span> XKMS implementation realizes <span class="diff-changed-words"><span
class="diff-added-chars"style="background-color: #dfd;">[</span>chain</span>
of <span class="diff-changed-words"><span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">[</span>responsibility</span>
design pattern | http://en.wikipedia.org/wiki/Chain-of-responsibility_pattern]. <br></td></tr>
            <tr><td class="diff-changed-lines" >Each XKMS operation defines <span
class="diff-added-words"style="background-color: #dfd;">a</span> handler interface
and provides one or more implementations of this interface. Handler implementations are connected
into <span class="diff-added-words"style="background-color: #dfd;">a</span> chain.
<br></td></tr>
            <tr><td class="diff-changed-lines" >Operation implementation invokes
handlers one after another from <span class="diff-added-words"style="background-color:
#dfd;">the</span> pre-configured chain until either all handlers will be processed
or <span class="diff-added-words"style="background-color: #dfd;">a</span> critical
error will occur. <br></td></tr>
            <tr><td class="diff-changed-lines" >This design makes <span class="diff-added-words"style="background-color:
#dfd;">the</span> XKMS internal implementation quite flexible: it is easy to add/remove
handlers, change their order, introduce handlers supporting new backends, etc. <br></td></tr>
            <tr><td class="diff-changed-lines" >For <span class="diff-changed-words">example<span
class="diff-added-chars"style="background-color: #dfd;">, a</span></span> certificate
can be searched firstly in the LDAP repository by LDAP lookup handler and, if it is not found
there, additionally looked <span class="diff-added-words"style="background-color: #dfd;">for</span>
in <span class="diff-added-words"style="background-color: #dfd;">a</span> remote
PKI using <span class="diff-added-words"style="background-color: #dfd;">an</span>
appropriate lookup handler. Validation operation logic is organized in <span class="diff-added-words"style="background-color:
#dfd;">a</span> chain is well: first validation handler checks format and <span
class="diff-changed-words">expir<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">e</span><span
class="diff-added-chars"style="background-color: #dfd;">y</span></span> date
of <span class="diff-added-words"style="background-color: #dfd;">the</span> X509
certificate, next one checks <span class="diff-added-words"style="background-color: #dfd;">the</span>
certificate trust chain. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-changed-lines" >Currently <span class="diff-added-words"style="background-color:
#dfd;">the</span> XKMS Service supports simple file based and LDAP backends. <br></td></tr>
            <tr><td class="diff-unchanged" >Sample spring configuration of XKMS
handlers looks like: <br>{code:xml} <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">
<br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-added-words"style="background-color:
#dfd;">The</span> dateValidator and trustedAuthorityValidator beans are implementations
of <span class="diff-added-words"style="background-color: #dfd;">the</span> Validator
interface for <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">validity</span>
date and trusted chain validation. <br></td></tr>
            <tr><td class="diff-unchanged" >x509Locator and x509Register are implementations
of Locator and Register interfaces for X509 certificates. <br></td></tr>
            <tr><td class="diff-changed-lines" >certificateRepo is <span class="diff-added-words"style="background-color:
#dfd;">the</span> repository implementation for LDAP backend. LdapSearch and LdapSchemaConfig
contain LDAP configuration described in the following table: <br></td></tr>
            <tr><td class="diff-unchanged" > <br>|| Property || Sample Value
|| Description || <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h4. Supported certificates
types. <br></td></tr>
            <tr><td class="diff-changed-lines" >XKMS distinguishes <span class="diff-added-words"style="background-color:
#dfd;">between the</span> following types of X509 certificates: <br></td></tr>
            <tr><td class="diff-unchanged" >||Type||Description|| <br>|
User | Normal user X509 certificate| <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >| Trusted CA | CAs used as trusted
anchor by certificates validations. Trusted CAs can be retrieved using trustedAuthorityFilter
property | <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >XKMS service endpoint is configured
in <span class="diff-added-words"style="background-color: #dfd;">the</span> following
way: <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code:xml} <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h4.
Integration XKMS client into CXF runtime. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h4.
Integrating the XKMS client into the CXF runtime. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-added-words"style="background-color:
#dfd;">The</span> XKMS client can be integrated into CXF and WSS4J using <span
class="diff-added-words"style="background-color: #dfd;">a</span> custom Crypto provider
implementation. In this <span class="diff-changed-words">case<span class="diff-added-chars"style="background-color:
#dfd;">, the</span></span> XKMS service will be automatically invoked when
WSS4J requires or validates <span class="diff-added-words"style="background-color: #dfd;">a</span>
certificate. Details are described in this [blog|http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html].
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">Sample</span>
<span class="diff-added-words"style="background-color: #dfd;">A sample</span>
XKMS based implementation of WSS4J Crypto interface is contributed into <span class="diff-added-words"style="background-color:
#dfd;">the</span> XKMS Client component. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h4. Data Formats <br>
<br></td></tr>
            <tr><td class="diff-changed-lines" >Input and output data formats
are specified in XML Key Management Service Specification Version 2.0 (see [XKMS <span
class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">2.0]).
Anyway</span> <span class="diff-added-words"style="background-color: #dfd;">2.0|http://www.w3.org/TR/xkms2/]).
The</span> XKMS service supports only <span class="diff-added-words"style="background-color:
#dfd;">a</span> subset of <span class="diff-added-words"style="background-color:
#dfd;">the</span> specified requests and responses. <br></td></tr>
            <tr><td class="diff-changed-lines" >Restrictions of formats for request
and responses are described in <span class="diff-added-words"style="background-color: #dfd;">the</span>
following table: <br></td></tr>
            <tr><td class="diff-unchanged" > <br>||Element XPath||Supporting
values||Description <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h4. Error Handling <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Success and Fault Response formats
are specified in [XKMS <span class="diff-changed-words">2.0<span class="diff-added-chars"style="background-color:
#dfd;">|http://www.w3.org/TR/xkms2/</span>].</span> Error conditions in XKMS
service are reported using ResultMajor and ResultMinor attributes in <span class="diff-added-words"style="background-color:
#dfd;">the</span> root response element. <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-added-words"style="background-color:
#dfd;">The</span> XKMS Service uses <span class="diff-added-words"style="background-color:
#dfd;">the</span> following values for response codes: <br></td></tr>
            <tr><td class="diff-unchanged" > <br>ResultMajor <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h4. Deployment <br> <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-added-words"style="background-color:
#dfd;">The</span> XKMS Service can be deployed into web and OSGi containers. <span
class="diff-added-words"style="background-color: #dfd;">The</span> Service implementation
was tested with Tomcat and Karaf. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h4. Sample Requests and
Responses <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="XMLKeyManagementService%28XKMS%29-XMLKeyManagementService%28XKMS%29"></a>XML
Key Management Service (XKMS)</h1>

<p>Available since CXF 3.0.0.</p>

<h2><a name="XMLKeyManagementService%28XKMS%29-Usecase"></a>Use case</h2>

<p>CXF uses asymmetric algorithms for different purposes: encryption of symmetric keys
and payloads, signing security tokens and messages, proof of possession, etc.<br/>
Normally the public keys (in the form of X509 certificates) are stored in Java keystores.</p>

<p>For example, if the sender encrypts the message payload it sends to the receiver,
it needs access to the receiver's certificate, which is stored in its local keystore. <br/>
The sender uses this certificate to encrypt the message and the receiver decrypts the request
with the corresponding private key:</p>


<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/31820321/classic-message-encryption.jpg?version=1&amp;modificationDate=1367422312000"
style="border: 0px solid black" /></span></p>


<p>Seems to be OK? Now imagine a production environment with 100 different clients of
this service, and the service certificate expires. You have to reissue the certificate and
replace it in ALL client keystores! Worse, if the keystores are packaged into war files
or OSGi bundles, those have to be unpacked and updated. Not really acceptable for enterprise
environments.</p>

<p>Therefore large service landscapes support central certificate management: X509
certificates are not stored locally in keystores, but are provided and administered
centrally.</p>

<p>Normally this is the responsibility of the <a href="http://en.wikipedia.org/wiki/Public-key_infrastructure"
class="external-link" rel="nofollow">Public Key Infrastructure</a> (PKI) established
in the organization. The PKI is responsible for creating, managing, storing, distributing,
synchronizing and revoking public certificates and certification authorities (CAs).</p>

<h2><a name="XMLKeyManagementService%28XKMS%29-XKMSSpecification"></a>XKMS
Specification</h2>

<p>The W3C specifies a protocol to distribute and register public keys, certificates and
CAs that can be used for XML-based cryptography, including signature and encryption: <a
href="http://www.w3.org/TR/xkms2/" class="external-link" rel="nofollow">XML Key Management
Specification</a> (XKMS 2.0). <br/>
The XKMS Specification comprises two parts: the XML Key Information Service Specification
(XKISS), describing the runtime aspects of key lookup and certificate validation, and the XML
Key Registration Service Specification (XKRSS), describing the administrative aspects of registering,
renewing, revoking and recovering certificates. <br/>
The XKMS Service implements both parts of the specification.</p>

<p>The XKMS SOAP interface can be used as a standard frontend to access the Public Key
Infrastructure (PKI). With XKMS, the message encryption scenario changes in the following
way:</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/31820321/classic-message-encryption-PKI-XKMS.jpg?version=1&amp;modificationDate=1367579177000"
style="border: 0px solid black" /></span></p>

<h3><a name="XMLKeyManagementService%28XKMS%29-XKMSDesign"></a>XKMS Design</h3>

<p>The internal structure of the XKMS service is shown in the following figure:</p>

<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/31820321/XKMS-cxf.jpg?version=1&amp;modificationDate=1367497945000"
style="border: 0px solid black" /></span></p>

<p>The XKMS Service exposes a SOAP interface specified in <a href="http://www.w3.org/TR/xkms2/"
class="external-link" rel="nofollow">XKMS 2.0</a>. <br/>
The XKMS implementation follows the <a href="http://en.wikipedia.org/wiki/Chain-of-responsibility_pattern"
class="external-link" rel="nofollow">chain of responsibility design pattern</a>.<br/>
Each XKMS operation defines a handler interface and provides one or more implementations of
this interface. Handler implementations are connected into a chain. <br/>
The operation implementation invokes the handlers one after another from the pre-configured chain
until either all handlers have been processed or a critical error occurs. <br/>
This design makes the XKMS internal implementation quite flexible: it is easy to add or remove
handlers, change their order, introduce handlers supporting new backends, etc. <br/>
For example, a certificate can first be searched for in the LDAP repository by the LDAP lookup handler
and, if it is not found there, looked up in a remote PKI using an appropriate lookup handler.
The validation operation logic is organized as a chain as well: the first validation handler
checks the format and expiry date of the X509 certificate, the next one checks the certificate
trust chain.</p>
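
<p>The following is an added example, not CXF code: it models the two handler chains just described,
locators that are tried in order until one finds the certificate, and validators that run in order and
stop at the first critical failure. It is written in Go (CXF itself is Java) so that it runs stand-alone
with constructed in-memory certificates; the CertificateRepo and RemotePKILocator types stand in for the
LDAP repository and a remote PKI lookup and are this example's own, as are the certificate subjects
alice, bob and mallory. DateValidator and TrustedAuthorityValidator mirror the roles of the dateValidator
and trustedAuthorityValidator beans shown further down, not their code.</p>

```go
package main

// Added example, not CXF code: the XKMS locate and validate handler chains described above, over
// constructed in-memory certificates that stand in for the LDAP repository and a remote PKI.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Locator: handler interface of the locate operation; nil (not found) lets the chain go on.
type Locator interface{ Locate(subjectDN string) *x509.Certificate }
// Validator: handler interface of the validate operation; an error is critical and stops the chain.
type Validator interface{ Validate(cert *x509.Certificate) error }

// CertificateRepo stands in for LdapCertificateRepo: certificates keyed by subject DN (the role
// of attrUID) plus the CAs that trustedAuthorityFilter would select. It is also the first locator.
type CertificateRepo struct {
	users   map[string]*x509.Certificate
	trusted *x509.CertPool
}
func (r *CertificateRepo) Locate(dn string) *x509.Certificate { return r.users[dn] }

// RemotePKILocator is a hypothetical fallback handler standing in for a remote PKI lookup.
type RemotePKILocator map[string]*x509.Certificate
func (l RemotePKILocator) Locate(dn string) *x509.Certificate { return l[dn] }

// DateValidator checks the validity period; TrustedAuthorityValidator checks that the chain
// ends at one of the repository's trusted CAs.
type DateValidator struct{ Now time.Time }
type TrustedAuthorityValidator struct{ Repo *CertificateRepo }

func (d DateValidator) Validate(c *x509.Certificate) error {
	if d.Now.Before(c.NotBefore) || d.Now.After(c.NotAfter) {
		return fmt.Errorf("%s is outside its validity period", c.Subject)
	}
	return nil
}
func (t TrustedAuthorityValidator) Validate(c *x509.Certificate) error {
	_, err := c.Verify(x509.VerifyOptions{Roots: t.Repo.trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// LocateChain tries the locators in order until one finds the certificate.
func LocateChain(locators []Locator, dn string) *x509.Certificate {
	for _, l := range locators {
		if c := l.Locate(dn); c != nil {
			return c
		}
	}
	return nil
}

// ValidateChain runs the validators in order and stops at the first failure, naming the failing
// handler so that a date failure is distinguishable from a trust failure.
func ValidateChain(validators []Validator, c *x509.Certificate) error {
	for _, v := range validators {
		if err := v.Validate(c); err != nil {
			return fmt.Errorf("%T: %w", v, err)
		}
	}
	return nil
}

// issue creates a constructed test certificate; parent == nil produces a self-signed CA.
func issue(cn string, serial int64, from, to time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChains wires both chains over constructed certificates: alice (valid, in the repository),
// bob (expired, found only via the fallback locator) and mallory (self-signed, not issued by a trusted CA).
func BuildChains() ([]Locator, []Validator) {
	now := time.Now()
	ca, caKey := issue("Example Trusted CA", 1, now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	alice, _ := issue("alice", 3, now.Add(-time.Hour), now.Add(time.Hour), ca, caKey)
	bob, _ := issue("bob", 4, now.Add(-48*time.Hour), now.Add(-24*time.Hour), ca, caKey)
	mallory, _ := issue("mallory", 5, now.Add(-time.Hour), now.Add(time.Hour), nil, nil)
	repo := &CertificateRepo{users: map[string]*x509.Certificate{"CN=alice": alice}, trusted: x509.NewCertPool()}
	repo.trusted.AddCert(ca)
	return []Locator{repo, RemotePKILocator{"CN=bob": bob, "CN=mallory": mallory}}, []Validator{DateValidator{now}, TrustedAuthorityValidator{repo}}
}

func main() {
	locators, validators := BuildChains()
	for _, dn := range []string{"CN=alice", "CN=bob", "CN=mallory"} {
		fmt.Println(dn, "->", ValidateChain(validators, LocateChain(locators, dn)))
	}
}
```

<p>Run with <code>go run</code>: alice validates; bob is not in the repository, is found by the fallback
locator and then fails at the date validator, so the trust check never runs; mallory passes the date
check and fails at the trust chain validator because its issuer is not among the repository's trusted CAs.
A repository that also stores intermediate CAs (the page's intermediateFilter) would pass them to the
trust check as well; this example uses root CAs only.</p>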

<p>Currently the XKMS Service supports simple file-based and LDAP backends.<br/>
A sample Spring configuration of the XKMS handlers looks like this:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:cxf="http://cxf.apache.org/core" xmlns:jaxws="http://cxf.apache.org/jaxws"
    xmlns:test="http://apache.org/hello_world_soap_http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="
        http://cxf.apache.org/core
        http://cxf.apache.org/schemas/core.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://cxf.apache.org/jaxws                                     
        http://cxf.apache.org/schemas/jaxws.xsd
        http://www.springframework.org/schema/util
        http://www.springframework.org/schema/util/spring-util-2.0.xsd"&gt;


    &lt;bean id="dateValidator" class="org.apache.cxf.xkms.x509.validator.DateValidator"
/&gt;

    &lt;bean id="trustedAuthorityValidator"
        class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator"&gt;
        &lt;constructor-arg ref="certificateRepo" /&gt;
    &lt;/bean&gt;

    &lt;bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator"&gt;
        &lt;constructor-arg ref="certificateRepo" /&gt;
    &lt;/bean&gt;

    &lt;bean id="x509Register"
        class="org.apache.cxf.xkms.x509.handlers.X509Register"&gt;
        &lt;constructor-arg ref="certificateRepo" /&gt;
    &lt;/bean&gt;


    &lt;!-- LDAP based implementation --&gt;

    &lt;bean id="certificateRepo"
        class="org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo"&gt;
        &lt;constructor-arg ref="ldapSearch" /&gt;
        &lt;constructor-arg ref="ldapSchemaConfig" /&gt;
        &lt;constructor-arg value="dc=example,dc=com" /&gt;
    &lt;/bean&gt;

    &lt;bean id="ldapSearch" class="org.apache.cxf.xkms.x509.repo.ldap.LdapSearch"&gt;
        &lt;constructor-arg value="ldap://localhost:2389" /&gt;
        &lt;constructor-arg value="cn=Directory Manager,dc=example,dc=com" /&gt;
        &lt;constructor-arg value="test" /&gt;
        &lt;constructor-arg value="2" /&gt;
    &lt;/bean&gt;

    &lt;bean id="ldapSchemaConfig" class="org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig"&gt;
        &lt;property name="certObjectClass" value="inetOrgPerson" /&gt;
        &lt;property name="attrUID" value="uid" /&gt;
        &lt;property name="attrIssuerID" value="manager" /&gt;
        &lt;property name="attrSerialNumber" value="employeeNumber" /&gt;
        &lt;property name="attrCrtBinary" value="userCertificate;binary" /&gt;
        &lt;property name="constAttrNamesCSV" value="sn" /&gt;
        &lt;property name="constAttrValuesCSV" value="X509 certificate" /&gt;
        &lt;property name="serviceCertRDNTemplate" value="cn=%s,ou=services" /&gt;
        &lt;property name="serviceCertUIDTemplate" value="cn=%s" /&gt;
	&lt;property name="trustedAuthorityFilter" value="(&amp;#038;(objectClass=inetOrgPerson)(ou:dn:=CAs))"
/&gt;
	&lt;property name="intermediateFilter" value="(objectClass=inetOrgPerson)" /&gt;
    &lt;/bean&gt;


    &lt;!-- File based implementation --&gt;

    &lt;!-- bean id="certificateRepo"
        class="org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo"&gt;
        &lt;constructor-arg value="../conf/certs" /&gt;
    &lt;/bean--&gt;

&lt;/beans&gt;
</pre>
</div></div>

<p>The dateValidator and trustedAuthorityValidator beans are implementations of the
Validator interface for validity date and trust chain validation. <br/>
x509Locator and x509Register are implementations of the Locator and Register interfaces for X509
certificates.<br/>
certificateRepo is the repository implementation for the LDAP backend. LdapSearch and LdapSchemaConfig
contain the LDAP configuration described in the following table:</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Property </th>
<th class='confluenceTh'> Sample Value </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> ldapServerConfig arguments </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> URL, baseDN and credentials of LDAP Server </td>
</tr>
<tr>
<td class='confluenceTd'> certObjectClass </td>
<td class='confluenceTd'> inetOrgPerson </td>
<td class='confluenceTd'> LDAP object class used to store certificates </td>
</tr>
<tr>
<td class='confluenceTd'> attrUID </td>
<td class='confluenceTd'> uid </td>
<td class='confluenceTd'> Attribute containing X509 subject DN </td>
</tr>
<tr>
<td class='confluenceTd'> attrIssuerID </td>
<td class='confluenceTd'> manager </td>
<td class='confluenceTd'> LDAP attribute containing X509 issuer DN </td>
</tr>
<tr>
<td class='confluenceTd'> attrSerialNumber </td>
<td class='confluenceTd'> employeeNumber </td>
<td class='confluenceTd'> LDAP attribute containing X509 serial number </td>
</tr>
<tr>
<td class='confluenceTd'> attrCrtBinary </td>
<td class='confluenceTd'> userCertificate </td>
<td class='confluenceTd'> LDAP attribute containing X509 certificate content </td>
</tr>
<tr>
<td class='confluenceTd'> constAttrNamesCSV </td>
<td class='confluenceTd'> sn </td>
<td class='confluenceTd'> Comma separated list of mandatory LDAP attributes </td>
</tr>
<tr>
<td class='confluenceTd'> constAttrValuesCSV </td>
<td class='confluenceTd'> X509 certificate </td>
<td class='confluenceTd'> Comma separated list of mandatory LDAP attributes values </td>
</tr>
<tr>
<td class='confluenceTd'> serviceCertRDNTemplate </td>
<td class='confluenceTd'> cn=%s,ou=services </td>
<td class='confluenceTd'> Relative distinguished name for service certificates </td>
</tr>
<tr>
<td class='confluenceTd'> serviceCertUIDTemplate </td>
<td class='confluenceTd'> cn=%s </td>
<td class='confluenceTd'> Template to transform service QName to DN for storing into
attrUID </td>
</tr>
<tr>
<td class='confluenceTd'> trustedAuthorityFilter </td>
<td class='confluenceTd'> (&#038;(objectClass=inetOrgPerson)(ou:dn:=CAs)) </td>
<td class='confluenceTd'> Filter to determine trusted CAs for trusted chain validation
</td>
</tr>
<tr>
<td class='confluenceTd'> intermediateFilter </td>
<td class='confluenceTd'> (objectClass=inetOrgPerson) </td>
<td class='confluenceTd'> Filter to determine intermediate certificates for trusted
chain validation </td>
</tr>
</tbody></table>
</div>


<h4><a name="XMLKeyManagementService%28XKMS%29-Supportedcertificatestypes."></a>Supported
certificate types</h4>
<p>XKMS distinguishes between the following types of X509 certificates:</p>
<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>Type</th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'> User </td>
<td class='confluenceTd'> Normal user X509 certificate</td>
</tr>
<tr>
<td class='confluenceTd'> Service </td>
<td class='confluenceTd'> Certificate identifying a service. Lookup and registration require the application
"urn:apache:cxf:service:soap". Identified as {SERVICE_NAMESPACE}SERVICE_NAME </td>
</tr>
<tr>
<td class='confluenceTd'> Trusted CA </td>
<td class='confluenceTd'> CAs used as trust anchors for certificate validation. Trusted
CAs can be retrieved using the trustedAuthorityFilter property </td>
</tr>
</tbody></table>
</div>


<p>The XKMS service endpoint is configured in the following way:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    &lt;bean id="xkmsProviderBean" class="org.apache.cxf.xkms.service.XKMSService"&gt;
        &lt;property name="validators"&gt;
            &lt;list&gt;
                &lt;ref bean="dateValidator" /&gt;
                &lt;ref bean="trustedAuthorityValidator" /&gt;
            &lt;/list&gt;
        &lt;/property&gt;
        &lt;property name="locators"&gt;
            &lt;list&gt;
                &lt;ref bean="x509Locator" /&gt;
            &lt;/list&gt;
        &lt;/property&gt;
        &lt;property name="keyRegisterHandlers"&gt;
            &lt;list&gt;
                &lt;ref bean="x509Register" /&gt;
            &lt;/list&gt;
        &lt;/property&gt;
    &lt;/bean&gt;

    &lt;jaxws:endpoint id="XKMSService"
        xmlns:serviceNamespace="http://www.w3.org/2002/03/xkms#wsdl"
        serviceName="serviceNamespace:XKMSService" endpointName="serviceNamespace:XKMSPort"
        implementor="#xkmsProviderBean" address="/XKMS"&gt;
    &lt;/jaxws:endpoint&gt;
</pre>
</div></div>

<h4><a name="XMLKeyManagementService%28XKMS%29-IntegratingtheXKMSclientintotheCXFruntime."></a>Integrating
the XKMS client into the CXF runtime</h4>

<p>The XKMS client can be integrated into CXF and WSS4J using a custom Crypto provider
implementation. In this case the XKMS service is invoked automatically whenever WSS4J requires
or validates a certificate. Details are described in this <a href="http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html"
class="external-link" rel="nofollow">blog post</a>. A sample XKMS-based implementation
of the WSS4J Crypto interface is included in the XKMS Client component. </p>

<h4><a name="XMLKeyManagementService%28XKMS%29-DataFormats"></a>Data Formats</h4>

<p>Input and output data formats are specified in the XML Key Management Service Specification
Version 2.0 (see <a href="http://www.w3.org/TR/xkms2/" class="external-link" rel="nofollow">XKMS
2.0</a>). The XKMS service supports only a subset of the specified requests and responses.<br/>
The restrictions on the request and response formats are described in the following table:</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>Element XPath</th>
<th class='confluenceTh'>Supported values</th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'>RootElement/QueryKeyBinding/UseKeyWith@Application </td>
<td class='confluenceTd'> urn:ietf:rfc:2459 </td>
<td class='confluenceTd'> Application specifies X509 SubjectDN in Identifier attribute.
Used for normal users certificates</td>
</tr>
<tr>
<td class='confluenceTd'>RootElement/QueryKeyBinding/UseKeyWith@Application </td>
<td class='confluenceTd'> urn:apache:cxf:service:soap </td>
<td class='confluenceTd'> Application specifies Service Id in Identifier attribute as
{SERVICE_ NAMESPACE}SERVICE_NAME. Used for service certificates</td>
</tr>
<tr>
<td class='confluenceTd'>RootElement/QueryKeyBinding/UseKeyWith@Identifier </td>
<td class='confluenceTd'> X509 Subject DN or Service name as {SERVICE_ NAMESPACE}SERVICE_NAME
</td>
<td class='confluenceTd'> Depending on Application attribute public key is identified
as X509 Subject DN or Service nameservice certificates</td>
</tr>
<tr>
<td class='confluenceTd'>RootElement/UnverifiedKeyBinding/KeyInfo </td>
<td class='confluenceTd'> X509Data/X509Certificate </td>
<td class='confluenceTd'> Only X509Data with X509Certificate is supported</td>
</tr>
</tbody></table>
</div>


<h4><a name="XMLKeyManagementService%28XKMS%29-ErrorHandling"></a>Error
Handling</h4>

<p>Success and fault response formats are specified in <a href="http://www.w3.org/TR/xkms2/"
class="external-link" rel="nofollow">XKMS 2.0</a>. Error conditions in the XKMS service
are reported through the ResultMajor and ResultMinor attributes of the root response element.<br/>
The XKMS service uses the following values for response codes:</p>

<p>ResultMajor</p>
<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>Value</th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'> Success</td>
<td class='confluenceTd'> The operation succeeded. </td>
</tr>
<tr>
<td class='confluenceTd'> Receiver</td>
<td class='confluenceTd'> An error occurred at the receiver. </td>
</tr>
<tr>
<td class='confluenceTd'> Sender</td>
<td class='confluenceTd'> An error occurred that was due to the message sent by the
sender. </td>
</tr>
</tbody></table>
</div>



<p>ResultMinor</p>
<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>Value</th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'> Failure</td>
<td class='confluenceTd'> The service attempted to perform the request but the operation
failed. </td>
</tr>
<tr>
<td class='confluenceTd'> NoMatch</td>
<td class='confluenceTd'> No match was found for the search prototype provided. </td>
</tr>
<tr>
<td class='confluenceTd'> TooManyResponses</td>
<td class='confluenceTd'> The request produced a number of responses that exceeded
the limit determined by the service. </td>
</tr>
<tr>
<td class='confluenceTd'> TimeInstantNotSupported</td>
<td class='confluenceTd'> The receiver has refused the operation because it does not
support the TimeInstant element. </td>
</tr>
</tbody></table>
</div>


<h4><a name="XMLKeyManagementService%28XKMS%29-Deployment"></a>Deployment</h4>

<p>The XKMS service can be deployed into web and OSGi containers. The service implementation
has been tested with Tomcat and Karaf.</p>

<h4><a name="XMLKeyManagementService%28XKMS%29-SampleRequestsandResponses"></a>Sample
Requests and Responses</h4>
<p>Sample request for Locate operation:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
    &lt;soap:Body&gt;
        &lt;ns2:LocateRequest xmlns="http://www.w3.org/2000/09/xmldsig#"
            xmlns:ns2="http://www.w3.org/2002/03/xkms#" 
            xmlns:ns3="http://www.w3.org/2001/04/xmlenc#"
            Id="I047257513d19456687e6b4f4a2a72606" Service="http://cxf.apache.org/services/XKMS/"&gt;
            &lt;ns2:QueryKeyBinding&gt;
                &lt;ns2:UseKeyWith Application="urn:ietf:rfc:2459"
                    Identifier="EMAILADDRESS=client@client.com, CN=www.client.com, OU=IT Department,
O=Sample Client -- NOT FOR PRODUCTION, L=Niagara Falls, ST=New York, C=US" /&gt;
            &lt;/ns2:QueryKeyBinding&gt;
        &lt;/ns2:LocateRequest&gt;
    &lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;
</pre>
</div></div>

<p>Sample response for Locate operation:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
    &lt;soap:Body&gt;
        &lt;ns2:LocateResult ResultMajor="http://www.w3.org/2002/03/xkms#Success"
            RequestId="I047257513d19456687e6b4f4a2a72606" Id="I0758390284847918129574923948"
            Service="http://cxf.apache.org/services/XKMS/" 
            xmlns:ns2="http://www.w3.org/2002/03/xkms#"
            xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" 
            xmlns:ns4="http://www.w3.org/2000/09/xmldsig#"
            xmlns:ns5="http://www.w3.org/2002/03/xkms#wsdl"&gt;
            &lt;ns2:UnverifiedKeyBinding&gt;
                &lt;ns4:KeyInfo&gt;
                    &lt;ns4:X509Data&gt;
                        &lt;ns4:X509Certificate&gt;… &lt;/ns4:X509Certificate&gt;
                    &lt;/ns4:X509Data&gt;
                &lt;/ns4:KeyInfo&gt;
            &lt;/ns2:UnverifiedKeyBinding&gt;
        &lt;/ns2:LocateResult&gt;
    &lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;
</pre>
</div></div>

<p>Sample error message:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
    &lt;soap:Body&gt;
        &lt;ns2:LocateResult ResultMajor="http://www.w3.org/2002/03/xkms#Receiver"
            ResultMinor="http://www.w3.org/2002/03/xkms#Failure"
            RequestId="I047257513d19456687e6b4f4a2a72606" Id="I0758390284847918129574923948"
            Service="http://cxf.apache.org/services/XKMS/" 
            xmlns:ns2="http://www.w3.org/2002/03/xkms#"
            xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" 
            xmlns:ns4="http://www.w3.org/2000/09/xmldsig#"
            xmlns:ns5="http://www.w3.org/2002/03/xkms#wsdl"&gt;

            &lt;ns2:MessageExtension xsi:type="ns5:resultDetails"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"&gt;
                &lt;Details&gt;Search certificates failure: Application
                    identifier not supported&lt;/Details&gt;
            &lt;/ns2:MessageExtension&gt;
        &lt;/ns2:LocateResult&gt;
    &lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;
</pre>
</div></div>
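<p>The following Python is an added example, not code from the CXF project or from this page. It
builds LocateRequest messages within the subset listed in the Data Formats table (rejecting an
unsupported UseKeyWith Application before anything is sent), and reads LocateResult responses in
both the success and the error shape shown in the samples above, mapping ResultMajor/ResultMinor
back to the code names from the Error Handling tables. The request ids, the two sample responses
and the certificate payload are constructed here for illustration; the placeholder certificate
bytes are not a real certificate.</p>

```python
"""Build XKMS 2.0 LocateRequest messages and read LocateResult responses within
the request/response subset described on this page.  Added example, not part of
Apache CXF; standard library only.  Request ids, the sample responses and the
certificate payload below are constructed for illustration."""
import base64
import uuid
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XKMS_NS = "http://www.w3.org/2002/03/xkms#"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SERVICE_URL = "http://cxf.apache.org/services/XKMS/"  # Service attribute in the samples
# UseKeyWith/@Application values the service accepts (Data Formats table)
APP_X509_DN = "urn:ietf:rfc:2459"             # Identifier is an X.509 Subject DN
APP_CXF_SOAP = "urn:apache:cxf:service:soap"  # Identifier is {SERVICE_NAMESPACE}SERVICE_NAME
SUPPORTED_APPLICATIONS = (APP_X509_DN, APP_CXF_SOAP)
PLACEHOLDER_CERT = b"constructed placeholder, not a certificate"  # not real DER
for _prefix, _uri in (("soap", SOAP_NS), ("xkms", XKMS_NS), ("ds", DSIG_NS)):
    ET.register_namespace(_prefix, _uri)

def service_identifier(namespace, name):
    """Format a service id as {SERVICE_NAMESPACE}SERVICE_NAME."""
    return "{%s}%s" % (namespace, name)

def build_locate_request(application, identifier, request_id=None):
    """Return (request_id, soap_bytes).  Unsupported Application values are
    rejected locally; the service would answer them with Receiver/Failure and
    the details text 'Application identifier not supported'."""
    if application not in SUPPORTED_APPLICATIONS:
        raise ValueError("unsupported UseKeyWith Application: " + application)
    if application == APP_CXF_SOAP and not (
            identifier.startswith("{") and "}" in identifier[1:]):
        raise ValueError("service identifier must be {SERVICE_NAMESPACE}SERVICE_NAME")
    # "I" + hex follows the shape of the page's samples; the value is ours.
    request_id = request_id or "I" + uuid.uuid4().hex
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    req = ET.SubElement(body, "{%s}LocateRequest" % XKMS_NS,
                        {"Id": request_id, "Service": SERVICE_URL})
    qkb = ET.SubElement(req, "{%s}QueryKeyBinding" % XKMS_NS)
    ET.SubElement(qkb, "{%s}UseKeyWith" % XKMS_NS,
                  {"Application": application, "Identifier": identifier})
    return request_id, ET.tostring(env, encoding="utf-8")

def _code(value):
    """Strip the xkms# namespace: '...xkms#Success' -> 'Success' (None stays None)."""
    return value[len(XKMS_NS):] if value and value.startswith(XKMS_NS) else value

def parse_locate_result(soap_bytes, expected_request_id=None):
    """Return result codes, certificates (DER bytes) and error details.  Only
    X509Data/X509Certificate bindings are read (all the service returns); a
    RequestId that does not echo our request id is refused."""
    root = ET.fromstring(soap_bytes)
    result = root.find(".//{%s}LocateResult" % XKMS_NS)
    if result is None:
        raise ValueError("no LocateResult element in response")
    if expected_request_id and result.get("RequestId") != expected_request_id:
        raise ValueError("RequestId %r does not match %r"
                         % (result.get("RequestId"), expected_request_id))
    certs = [base64.b64decode("".join((el.text or "").split()))
             for el in result.iterfind(".//{%s}UnverifiedKeyBinding//{%s}X509Certificate"
                                       % (XKMS_NS, DSIG_NS))]
    details = result.find(".//{%s}MessageExtension/Details" % XKMS_NS)
    return {
        "major": _code(result.get("ResultMajor")),
        "minor": _code(result.get("ResultMinor")),
        "certificates": certs,
        "details": details.text.strip() if details is not None and details.text else None,
    }

def sample_success_response(request_id):
    """Constructed LocateResult shaped like the page's success sample."""
    cert_b64 = base64.b64encode(PLACEHOLDER_CERT).decode("ascii")
    return ("""<soap:Envelope xmlns:soap="{soap}"><soap:Body>
<xkms:LocateResult ResultMajor="{x}Success" RequestId="{rid}" Id="I1"
    Service="{svc}" xmlns:xkms="{x}" xmlns:ds="{ds}">
  <xkms:UnverifiedKeyBinding><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></xkms:UnverifiedKeyBinding>
</xkms:LocateResult></soap:Body></soap:Envelope>""".format(
        soap=SOAP_NS, x=XKMS_NS, rid=request_id, svc=SERVICE_URL,
        ds=DSIG_NS, cert=cert_b64)).encode("utf-8")

def sample_error_response(request_id):
    """Constructed LocateResult shaped like the page's error sample."""
    return ("""<soap:Envelope xmlns:soap="{soap}"><soap:Body>
<xkms:LocateResult ResultMajor="{x}Receiver" ResultMinor="{x}Failure"
    RequestId="{rid}" Id="I2" Service="{svc}" xmlns:xkms="{x}"
    xmlns:ns5="{x}wsdl" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <xkms:MessageExtension xsi:type="ns5:resultDetails">
    <Details>Search certificates failure: Application identifier not supported</Details>
  </xkms:MessageExtension>
</xkms:LocateResult></soap:Body></soap:Envelope>""".format(
        soap=SOAP_NS, x=XKMS_NS, rid=request_id, svc=SERVICE_URL)).encode("utf-8")
```

<p>Two points a caller should keep in mind. The RequestId check matters because the service echoes
the request Id in the result; a response carrying some other id is not an answer to the request
that was sent and should not be used to pick a certificate. And a Locate result is, as the element
name says, an UnverifiedKeyBinding: the certificate bytes parsed here still have to be validated
(chain to a trusted authority, validity period) before they are trusted, which is the job of the
Validate operation and the validators configured on the service, and revocation checking is
listed below as not yet implemented.</p>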

<h4><a name="XMLKeyManagementService%28XKMS%29-CurrentrestrictionsandToDos"></a>Current
restrictions and ToDos</h4>
<ul>
	<li>only X.509 certificates are supported as keys;</li>
	<li>only LDAP and file-based backends are supported;</li>
	<li>revocation lists are not implemented;</li>
	<li>more integration tests are required.</li>
</ul>

    </div>
</div>
</div>
</div>
</div>
</body>
</html>
