geronimo-dev mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: [Doubts] X509 Signing
Date Wed, 12 Aug 2009 15:57:31 GMT
Hi Rahul,

I don't understand any details of what you are trying to do, but I think you are trying to get access to a certificate so some parts of the XML message can be signed.

In Geronimo we have several GBeans to help with managing certificate stores and trust stores. These are set up so that if you get a reference to the appropriate GBean you should be able to access the certificate as needed with no further passwords or authentication needed. While these are normally present in servers, you can set one up in an app client if you want.

The portal pages I think you are mentioning let you administer these GBeans.

The Jetty HTTPS connector is set up to use one of these GBeans; you might find it a useful example of how to proceed, for instance HTTPSSelectChannelConnector and GeronimoSelectChannelSSLListener.

The central class is org.apache.geronimo.management.geronimo.KeystoreManager, implemented by org.apache.geronimo.security.keystore.FileKeystoreManager in the framework/modules/geronimo-security module.

I'd suspect you might want to get a KeystoreInstance from the KeystoreManager and then get the Certificate you want from that.

Hope this helps,
david jencks

On Aug 11, 2009, at 2:15 PM, rahul.soa wrote:

> Hello Jarek,
>
> I hope you are doing well.
>
> Presently, I am setting up the signing at the client side; I have a couple of doubts.
>
> I think I can do something similar in the CXFPortMethodInterceptor:
>
> String signatureKeyIdentifier = (String) properties.get("signatureKeyIdentifier");
> String user = (String) properties.get("user");
>
> // in case where <property name="wss4j.out.action">Signature</property>
> if (containsValue(action, WSHandlerConstants.SIGNATURE)) {
>     // doubt about this: how will CXFPortMethodInterceptor know about this file?
>     properties.put(WSHandlerConstants.SIG_PROP_FILE, "clientKeystore.properties");
>     // alias or user
>     properties.put(WSHandlerConstants.USER, user);
>
>     if (signatureKeyIdentifier.equals("DirectReference"))
>         properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
>     if (signatureKeyIdentifier.equals("IssuerSerial"))
>         properties.put(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
>     // in order to obtain the key password for the private key
>     properties.put(WSHandlerConstants.PW_CALLBACK_CLASS,
>                    ClientKeystorePasswordCallback.class.getName());
> }
>
>
> I think we should specify the following things in the <property> elements under the <port> in the geronimo-web.xml at the client side:
>
> <property name="wss4j.out.action">Signature</property>
> <property name="wss4j.out.user">myclientkey</property>
> <property name="wss4j.out.signatureKeyIdentifier">IssuerSerial</property>
>
> Can we set the key password too in the property? What other things should we set in the property?
>
> Question 1:
> Here, the first thing is how we can provide the signature property file, in the above case "clientKeystore.properties". It should be at the client side. If this is in the client application written by the user, then how can we give the reference to this in the CXFPortMethodInterceptor? In other words, where do we set this property:
> properties.put(WSHandlerConstants.SIG_PROP_FILE, "clientKeystore.properties");
>
> Question 2:
>
> For the ClientKeystorePasswordCallback, how can the client send the key password? Through the geronimo-web.xml?
> <property name="wss4j.out.keypass">keypass</property>
>
>
> Another thing I noticed: in the Geronimo server we have these two following tabs under Security:
>
> Keystores
> Certificate Authority
>
> What are these for?
>
>
> Thanks for your help.
>
> Best Regards,
> Rahul
>
>
>
> PS: for signing and encryption, I think we need the Bouncy Castle and the Xalan jar files in the CXF plugin; I pulled them in.
>
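An added example (not code from this thread, nor from Geronimo or CXF) of the two pieces Rahul asks about: a WSS4J password callback that supplies the private-key password for the signing alias, and the equivalent outbound configuration map. It assumes WSS4J 1.5-era APIs (WSPasswordCallback, WSHandlerConstants, CXF's WSS4JOutInterceptor), a constructed alias "myclientkey", and a JVM system property name `client.signing.keypass` chosen here as one way to keep the key password out of geronimo-web.xml.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Hands the private-key password for the signing alias to WSS4J (example, not project code). */
public class ClientKeystorePasswordCallback implements CallbackHandler {

    // The only alias this client is expected to sign with (constructed value).
    private static final String SIGNING_ALIAS = "myclientkey";
    // Assumed name of the JVM property holding the key password.
    private static final String KEYPASS_PROPERTY = "client.signing.keypass";

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // Answer only signature requests for the expected alias; anything else gets no password.
            if (pc.getUsage() == WSPasswordCallback.SIGNATURE
                    && SIGNING_ALIAS.equals(pc.getIdentifier())) {
                String keyPass = System.getProperty(KEYPASS_PROPERTY);
                if (keyPass == null) {
                    throw new IOException("no key password configured for alias " + SIGNING_ALIAS);
                }
                pc.setPassword(keyPass);
            }
        }
    }

    /** Outbound WSS4J configuration matching the <property> entries quoted in the mail. */
    public static WSS4JOutInterceptor signingInterceptor() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        props.put(WSHandlerConstants.USER, SIGNING_ALIAS);
        props.put(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
        // Crypto properties file (keystore type, file, store password) on the client classpath.
        props.put(WSHandlerConstants.SIG_PROP_FILE, "clientKeystore.properties");
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientKeystorePasswordCallback.class.getName());
        return new WSS4JOutInterceptor(props);
    }
}
```

The store password still lives in the crypto properties file, so that file needs the same filesystem protection as the keystore it points at.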

