Hi Rahul,

I don't understand any details of what you are trying to do, but I think you are trying to get access to a certificate so some parts of the xml message can be signed.

In geronimo we have several gbeans to help with managing certificate stores and trust stores. These are set up so that if you get a reference to the appropriate gbean you should be able to access the certificate as needed with no further passwords or authentication needed. While these are normally present in servers, you can set one up in an app client if you want.

The portal pages I think you are mentioning let you administer these gbeans.

The jetty https connector is set up to use one of these gbeans; you might find it a useful example of how to proceed, for instance HTTPSSelectChannelConnector and GeronimoSelectChannelSSLListener.

The central class is org.apache.geronimo.management.geronimo.KeystoreManager implemented by org.apache.geronimo.security.keystore.FileKeystoreManager in the framework/modules/geronimo-security module.

I'd suspect you might want to get a KeystoreInstance from the KeystoreManager and then get the Certificate you want from that.

Hope this helps,
david jencks

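As an added illustration of the KeystoreManager / KeystoreInstance route (my own example, not code from Geronimo or from either message in this thread): a helper that resolves the client's signing certificate and private key from a keystore registered in the console, and refuses material a receiver would reject anyway. The class name GeronimoSigningKeyLookup, the keystore name and alias, and the GBean reference that would inject the KeystoreManager are assumptions (the wiring is not shown). The interface methods used (getKeystores, getKeystoreName, isKeystoreLocked, unlockKeystore, isKeyLocked, unlockPrivateKey, getCertificate, getPrivateKey) and the KeystoreException type are as I remember the 2.x interfaces in the geronimo-management module; check them against the source before relying on them.

```java
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import org.apache.geronimo.management.geronimo.KeystoreException;
import org.apache.geronimo.management.geronimo.KeystoreInstance;
import org.apache.geronimo.management.geronimo.KeystoreManager;

/**
 * Looks up the certificate and private key for a WS-Security signature in a
 * Geronimo-managed keystore, so the client ships neither a crypto properties
 * file nor a key password. The KeystoreManager is assumed to be injected as a
 * GBean reference (wiring not shown). Class and method names below are the
 * example's own assumptions, see the lead-in.
 */
public class GeronimoSigningKeyLookup {

    /** Certificate that goes into the security token and the key that signs. */
    public static final class SigningMaterial {
        public final X509Certificate certificate;
        public final PrivateKey privateKey;
        SigningMaterial(X509Certificate certificate, PrivateKey privateKey) {
            this.certificate = certificate;
            this.privateKey = privateKey;
        }
    }

    private final KeystoreManager keystoreManager;

    public GeronimoSigningKeyLookup(KeystoreManager keystoreManager) {
        this.keystoreManager = keystoreManager;
    }

    /** Finds the keystore registered under the given name (console: Security -> Keystores). */
    private KeystoreInstance findKeystore(String keystoreName) throws KeystoreException {
        for (KeystoreInstance ks : keystoreManager.getKeystores()) {
            if (keystoreName.equals(ks.getKeystoreName())) {
                return ks;
            }
        }
        throw new KeystoreException("no keystore named " + keystoreName);
    }

    /**
     * @param keystoreName  keystore name as shown in the console, e.g. "client-keystore" (assumed)
     * @param alias         alias of the client's key pair, e.g. "myclientkey"
     * @param storePassword store password, or null if an administrator already unlocked the store
     * @param keyPassword   key password, or null if an administrator already unlocked the key
     */
    public SigningMaterial lookup(String keystoreName, String alias,
                                  char[] storePassword, char[] keyPassword) throws KeystoreException {
        KeystoreInstance ks = findKeystore(keystoreName);

        // Stores and keys unlocked through the console stay unlocked inside the server;
        // only fall back to passwords supplied by the caller when that has not been done.
        if (ks.isKeystoreLocked()) {
            if (storePassword == null) {
                throw new KeystoreException(keystoreName + " is locked and no store password was given");
            }
            ks.unlockKeystore(storePassword);
        }
        if (ks.isKeyLocked(alias)) {
            if (keyPassword == null) {
                throw new KeystoreException("key " + alias + " is locked and no key password was given");
            }
            ks.unlockPrivateKey(alias, storePassword, keyPassword);
        }

        Certificate cert = ks.getCertificate(alias, storePassword);
        if (!(cert instanceof X509Certificate)) {
            throw new KeystoreException("alias " + alias + " does not hold an X.509 certificate");
        }
        X509Certificate x509 = (X509Certificate) cert;
        PrivateKey key = ks.getPrivateKey(alias, storePassword, keyPassword);
        if (key == null) {
            throw new KeystoreException("alias " + alias + " has no private key (trusted certificate only?)");
        }

        // Fail early on an expired / not-yet-valid certificate or a key that does not match it.
        try {
            x509.checkValidity();
        } catch (CertificateException e) {
            throw new KeystoreException("certificate for " + alias + " is not currently valid: " + e.getMessage());
        }
        if (!keyMatchesCertificate(key, x509)) {
            throw new KeystoreException("private key for " + alias + " does not match its certificate");
        }
        return new SigningMaterial(x509, key);
    }

    /** Sign-and-verify round trip: detects a store where key and certificate under one alias drifted apart. */
    static boolean keyMatchesCertificate(PrivateKey key, X509Certificate cert) throws KeystoreException {
        String alg = key.getAlgorithm();
        if (!"RSA".equals(alg) && !"DSA".equals(alg)) {
            return true; // no cheap check for other key types here; trust the store
        }
        byte[] probe = "geronimo-signing-key-probe".getBytes();
        try {
            Signature s = Signature.getInstance("SHA1with" + alg);
            s.initSign(key);
            s.update(probe);
            byte[] sig = s.sign();
            s.initVerify(cert.getPublicKey());
            s.update(probe);
            return s.verify(sig);
        } catch (SignatureException e) {
            return false; // e.g. RSA modulus sizes differ: signature length mismatch
        } catch (GeneralSecurityException e) {
            throw new KeystoreException("cannot test " + alg + " key pair: " + e.getMessage());
        }
    }
}
```

The round-trip check is cheap and catches the classic operational mistake of re-importing a certificate under an existing alias without its key; the validity check keeps an expired client certificate from producing signatures that every receiver will reject.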
On Aug 11, 2009, at 2:15 PM, rahul.soa wrote:

Hello Jarek,

I hope you are doing well.

Presently, I am setting up the signing at the client side, and I have a couple of doubts.

I think I can do something similar in the CXFPortMethodInterceptor:

    String signatureKeyIdentifier = (String) properties.get("signatureKeyIdentifier");
    String user = (String) properties.get("user");

    // in case where <property name="wss4j.out.action">Signature</property>
    if (containsValue(action, WSHandlerConstants.SIGNATURE)) {
        // doubt about this: how will CXFPortMethodInterceptor know about this file?
        properties.put(WSHandlerConstants.SIG_PROP_FILE, "clientKeystore.properties");
        // alias or user
        properties.put(WSHandlerConstants.USER, user);

        if ("DirectReference".equals(signatureKeyIdentifier)) {
            properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        }
        if ("IssuerSerial".equals(signatureKeyIdentifier)) {
            properties.put(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
        }
        // in order to obtain the key password for the private key
        properties.put(WSHandlerConstants.PW_CALLBACK_CLASS,
                       ClientKeystorePasswordCallback.class.getName());
    }


I think we should specify the following things in the <property> under the <port> in the geronimo-web.xml at client side.

<property name="wss4j.out.action">Signature</property>
<property name="wss4j.out.user">myclientkey</property>
<property name="wss4j.out.signatureKeyIdentifier">IssuerSerial</property>

Can we set the key password in the property too? What other things should we set in the property?

Question 1:
Here, the first thing is how we can provide the signature property file, in the above case "clientKeystore.properties". It should be at the client side. If this is in the client application written by the user, then how can we give the reference to this in the CXFPortMethodInterceptor? In other words, where do we set this property:
properties.put(WSHandlerConstants.SIG_PROP_FILE, "clientKeystore.properties");

Question 2:

For the ClientKeystorePasswordCallback, how can the client send the key password?

Through the geronimo-web.xml?
<property name="wss4j.out.keypass">keypass</property>


Another thing I noticed: in the Geronimo server we have the following two tabs under Security:

   Keystores
   Certificate Authority

What are these for?


Thanks for your help.

Best Regards,
Rahul



PS: For signing and encryption, I think we need the Bouncy Castle and Xalan jar files in the cxf plugin; I pulled them
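As an added example (mine, not from either message above and not Geronimo or CXF code), here is one way the wss4j.out.* port properties proposed in the thread can be turned into a WSS4JOutInterceptor configuration for a plain CXF client, which bears on both questions: the Merlin crypto settings are handed over as a java.util.Properties object through WSHandlerConstants.SIG_PROP_REF_ID instead of a properties file the interceptor would have to locate on the client's classpath, and the password callback is registered as an instance through PW_CALLBACK_REF and takes the key password from a system property, so it does not have to appear in geronimo-web.xml. Assumptions: SIG_PROP_REF_ID and PW_CALLBACK_REF must be supported by the WSS4J version bundled in the cxf plugin (they are in the 1.5.x line as far as I know); the class names, the map key "signatureCryptoProps" and the system property name wss4j.client.keypass are invented for the example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Client-side Signature setup built from wss4j.out.* port properties (example code, see lead-in). */
public class ClientSignatureConfig {

    /** Arbitrary key under which the Properties object is stored; SIG_PROP_REF_ID points at it. */
    private static final String CRYPTO_PROPS_KEY = "signatureCryptoProps"; // assumed name

    /** Maps the <property> values from the port element to WSHandlerConstants keys. */
    public static Map<String, Object> buildOutProps(Map<String, String> portProps,
                                                    Properties cryptoProps,
                                                    CallbackHandler passwordHandler) {
        String action = portProps.get("wss4j.out.action");
        if (action == null || !action.contains(WSHandlerConstants.SIGNATURE)) {
            throw new IllegalArgumentException("wss4j.out.action does not request Signature: " + action);
        }
        String user = portProps.get("wss4j.out.user");
        if (user == null) {
            throw new IllegalArgumentException("wss4j.out.user (key alias) is required");
        }
        String keyId = portProps.get("wss4j.out.signatureKeyIdentifier");
        if (!"DirectReference".equals(keyId) && !"IssuerSerial".equals(keyId)) {
            throw new IllegalArgumentException("unsupported signatureKeyIdentifier: " + keyId);
        }

        Map<String, Object> out = new HashMap<String, Object>();
        out.put(WSHandlerConstants.ACTION, action);
        out.put(WSHandlerConstants.USER, user);
        out.put(WSHandlerConstants.SIG_KEY_ID, keyId);
        // State explicitly that the SOAP Body is what the signature covers.
        out.put(WSHandlerConstants.SIGNATURE_PARTS,
                "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
        // Crypto configuration by reference: no clientKeystore.properties lookup on the classpath.
        out.put(WSHandlerConstants.SIG_PROP_REF_ID, CRYPTO_PROPS_KEY);
        out.put(CRYPTO_PROPS_KEY, cryptoProps);
        // Callback as an instance, so it can carry the alias and needs no no-arg constructor.
        out.put(WSHandlerConstants.PW_CALLBACK_REF, passwordHandler);
        return out;
    }

    /** Same content as a clientKeystore.properties file for WSS4J's Merlin crypto provider. */
    public static Properties merlinProps(String keystoreFile, String storePassword, String alias) {
        Properties p = new Properties();
        p.setProperty("org.apache.ws.security.crypto.provider",
                      "org.apache.ws.security.components.crypto.Merlin");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", storePassword);
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.alias", alias);
        p.setProperty("org.apache.ws.security.crypto.merlin.file", keystoreFile);
        return p;
    }

    /** Hands out the private-key password only for signature requests for the expected alias. */
    public static class ClientKeystorePasswordCallback implements CallbackHandler {
        private final String alias;
        private final String keyPassword;

        public ClientKeystorePasswordCallback(String alias, String keyPassword) {
            this.alias = alias;
            this.keyPassword = keyPassword;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (pc.getUsage() == WSPasswordCallback.SIGNATURE && alias.equals(pc.getIdentifier())) {
                    pc.setPassword(keyPassword);
                } else {
                    // Refuse rather than hand the key password to any other identifier or usage.
                    throw new IOException("no password for '" + pc.getIdentifier()
                                          + "' with usage " + pc.getUsage());
                }
            }
        }
    }

    /** Wires the configuration into an existing JAX-WS proxy. */
    public static void attachSignature(Object port, Map<String, String> portProps,
                                       String keystoreFile, String storePassword) {
        String alias = portProps.get("wss4j.out.user");
        // Key password comes from outside the deployment descriptor (assumed system property name).
        String keyPassword = System.getProperty("wss4j.client.keypass");
        if (keyPassword == null) {
            throw new IllegalStateException("system property wss4j.client.keypass is not set");
        }
        Map<String, Object> outProps = buildOutProps(portProps,
                merlinProps(keystoreFile, storePassword, alias),
                new ClientKeystorePasswordCallback(alias, keyPassword));
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
    }
}
```

The callback checks both the identifier and the usage: WSS4J asks for the same alias with different usages (signature versus decryption), and answering every request with the signing key's password is a common way for that password to end up where it was never meant to go.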