geronimo-dev mailing list archives

From "rahul.soa" <rahul....@googlemail.com>
Subject Re: [Doubts] X509 Signing
Date Sat, 15 Aug 2009 20:57:07 GMT
Hello David,

Thanks for your suggestions.

So far, after setting up UsernameToken profile, I have set the ws-security
(X509 profile - signing and encryption) with the property file for basic
security. I have attached the patches on the JIRA-4642.

Now I am after the things you suggested. It sounds like a good idea to use the
geronimo built-in security for the same.

Many Thanks again for your immediate reply!

Rahul

On Wed, Aug 12, 2009 at 5:57 PM, David Jencks <david_jencks@yahoo.com> wrote:

> Hi Rahul,
> I don't understand any details of what you are trying to do but I think you
> are trying to get access to a certificate so some parts of the xml message
> can be signed.
>
> In geronimo we have several gbeans to help with managing certificate stores
> and trust stores.  These are set up so that if you get a reference to the
> appropriate gbean you should be able to access the certificate as needed with
> no further passwords or authentication needed.  While these are normally
> present in servers you can set one up in an app client if you want.
>
> The portal pages I think you are mentioning let you administer these
> gbeans.
>
> The jetty https connector is set up to use one of these gbeans, you might
> find it a useful example of how to proceed, for
> instance HTTPSSelectChannelConnector and GeronimoSelectChannelSSLListener.
>
> The central class is
> org.apache.geronimo.management.geronimo.KeystoreManager implemented
> by org.apache.geronimo.security.keystore.FileKeystoreManager in the
> framework/modules/geronimo-security module.
>
> I'd suspect you might want to get a KeystoreInstance from the
> KeystoreManager and then get the Certificate you want from that.
>
> Hope this helps,
> david jencks
>
> On Aug 11, 2009, at 2:15 PM, rahul.soa wrote:
>
> Hello Jarek,
>
> I hope you are doing well.
>
> Presently, I am setting up the signing at the client side, and I have a couple of
> doubts.
>
> I think, I can do something similar in the CXFPortMethodInterceptor
>
> String signatureKeyIdentifier = (String) properties.get("signatureKeyIdentifier");
> String user = (String) properties.get("user");
>
> // in case where <property name="wss4j.out.action">Signature</property>
> if (containsValue(action, WSHandlerConstants.SIGNATURE)) {
>     // doubt about this, how CXFPortMethodInterceptor will know about this
>     properties.put(WSHandlerConstants.SIG_PROP_FILE, "clientKeystore.properties");
>     // alias or user
>     properties.put(WSHandlerConstants.USER, user);
>
>     // null-safe comparison: the property may be absent from the plan
>     if ("DirectReference".equals(signatureKeyIdentifier)) {
>         properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
>     }
>     if ("IssuerSerial".equals(signatureKeyIdentifier)) {
>         properties.put(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
>     }
>     // in order to obtain the key password for the private key
>     properties.put(WSHandlerConstants.PW_CALLBACK_CLASS,
>                    ClientKeystorePasswordCallback.class.getName());
> }
>
>
> I think we should specify the following things in the <property> under the
> <port> in the geronimo-web.xml at client side.
>
> <property name="wss4j.out.action">Signature</property>
> <property name="wss4j.out.user">myclientkey</property>
> <property name="wss4j.out.signatureKeyIdentifier">IssuerSerial</property>
>
> Can we set the key password in the property too? What other things should we
> set in the property?
>
> Question:1
> Here, first thing is how we can provide signature property file, in the
> above case "clientKeystore.properties". It should be at client side. If this
> is in the client application written by the user then how can we give the
> reference of this in the CXFPortMethodInterceptor. In other words, where
> to set this property:
> properties.put(WSHandlerConstants.SIG_PROP_FILE, "clientKeystore.properties");
>
> Question2:
>
> For the ClientKeystorePasswordCallback, how can the client send the
> key password, through the geronimo-web.xml?
>
> <property name="wss4j.out.keypass">keypass</property>
>
>
> Another thing I noticed: in the Geronimo server we have the following two
> tabs under Security:
>
>   Keystores <http://localhost:8096/console/portal/Security/Keystores>
>   Certificate Authority <http://localhost:8096/console/portal/Security/Certificate%20Authority>
>
>
> What are these for?
>
>
> Thanks for your help.
>
> Best Regards,
> Rahul
>
>
>
> PS: for signing and encryption, I think we need the bouncy castle and the
> xalan jar files in the cxf plugin, I pulled them
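The client-side wiring discussed in this thread, written out as an added example (this is not Geronimo's CXFPortMethodInterceptor, CXF's code, or the patch attached to JIRA-4642). It assumes the CXF 2.2 / WSS4J 1.5.x API (WSS4JOutInterceptor, WSHandlerConstants, WSPasswordCallback with its misspelled getIdentifer()), that the wss4j.out. prefix is stripped before the property names reach the interceptor, and a hypothetical KeyPasswordSource standing in for whatever secret store (for example a Geronimo KeystoreInstance) a real callback would consult; the alias, the sample password and the file name are constructed or taken from the messages above.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Client-side outbound X509 signing, built from the wss4j.out.* port properties. */
public class SignedClientConfig {

    /** Prefix assumed for outbound WSS4J settings in the deployment plan. */
    static final String OUT_PREFIX = "wss4j.out.";

    /** Hypothetical stand-in for a secret store (e.g. a Geronimo KeystoreInstance). */
    static final class KeyPasswordSource {
        private static final Map<String, String> BY_ALIAS = new HashMap<String, String>();
        static { BY_ALIAS.put("myclientkey", "constructed-sample-keypass"); } // constructed

        static String lookup(String alias) {
            return alias == null ? null : BY_ALIAS.get(alias);
        }
    }

    /**
     * Answers WSS4J's request for the signing key's password. The identifier is the
     * alias from the "user" property, so the key password stays out of geronimo-web.xml.
     */
    public static class ClientKeystorePasswordCallback implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                // Release the key password for signing only; refuse any other usage.
                if (pc.getUsage() != WSPasswordCallback.SIGNATURE) {
                    throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
                }
                String alias = pc.getIdentifer(); // WSS4J 1.5.x method name (sic)
                String keyPass = KeyPasswordSource.lookup(alias);
                if (keyPass == null) {
                    throw new IOException("no key password registered for alias " + alias);
                }
                pc.setPassword(keyPass);
            }
        }
    }

    /**
     * Maps the <property> entries onto WSS4JOutInterceptor's configuration. Only the
     * keys named in the thread are accepted; an unknown wss4j.out.* key is an error
     * rather than being ignored, so a typo cannot silently leave the message unsigned.
     */
    public static Map<String, Object> buildOutboundConfig(Map<String, String> portProperties) {
        Map<String, Object> cfg = new HashMap<String, Object>();
        for (Map.Entry<String, String> e : portProperties.entrySet()) {
            if (!e.getKey().startsWith(OUT_PREFIX)) continue;
            String key = e.getKey().substring(OUT_PREFIX.length());
            String value = e.getValue();
            if (key.equals("action")) {
                cfg.put(WSHandlerConstants.ACTION, value);
            } else if (key.equals("user")) {
                cfg.put(WSHandlerConstants.USER, value);
            } else if (key.equals("signatureKeyIdentifier")) {
                if (!value.equals("DirectReference") && !value.equals("IssuerSerial")) {
                    throw new IllegalArgumentException("unsupported signatureKeyIdentifier: " + value);
                }
                cfg.put(WSHandlerConstants.SIG_KEY_ID, value);
            } else {
                // Also rejects a wss4j.out.keypass entry: the password comes from the callback.
                throw new IllegalArgumentException("unsupported outbound property: " + e.getKey());
            }
        }
        String action = (String) cfg.get(WSHandlerConstants.ACTION);
        if (action != null && action.contains(WSHandlerConstants.SIGNATURE)) {
            if (cfg.get(WSHandlerConstants.USER) == null) {
                throw new IllegalArgumentException("Signature action requires wss4j.out.user (key alias)");
            }
            cfg.put(WSHandlerConstants.SIG_PROP_FILE, "clientKeystore.properties");
            cfg.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientKeystorePasswordCallback.class.getName());
        }
        return cfg;
    }

    /** Attaches the signing interceptor to a JAX-WS port proxy created by CXF. */
    public static void attachSigning(Object port, Map<String, String> portProperties) {
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(buildOutboundConfig(portProperties)));
    }
}
```

clientKeystore.properties is the WSS4J Merlin crypto file on the client classpath (org.apache.ws.security.crypto.provider set to org.apache.ws.security.components.crypto.Merlin, plus the merlin.keystore.type, merlin.keystore.password and merlin.file entries); the private-key password is deliberately not stored there or in geronimo-web.xml, which is the reason the callback handler exists. Rejecting unknown wss4j.out.* keys is a design choice of this example: a misspelled property then fails deployment instead of producing an unsigned message that only a receiver-side check would catch.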
>
>
>
