(almost done)

How to set up XML-Signature using WSS4J and Axis 1.2.1

  1. create a keystore file for the server
     keytool -genkey 
             -alias     server
             -dname     "CN=My Server"
             -keypass   serverKeyPW
             -keystore  server.keystore
             -storepass serverStorePW 
    2. create a keystore (and public-key/private-key pair) for the client
     keytool -genkey 
             -alias     client1
             -dname     "CN=Client 1"
             -keypass   client1KeyPW
             -keystore  client1.keystore
             -storepass client1StorePW 
    3. generate a self-signed certificate for the client (stored within the keystore)
     keytool -selfcert
             -alias     client1
             -keypass   client1KeyPW
             -keystore  client1.keystore
             -storepass client1StorePW 
    4. export the self-signed X.509 certificate
     keytool -export  
             -alias     client1
             -keystore  client1.keystore
             -storepass client1StorePW 
             -file      client.x509 
    5. import the client's certificate into the server's keystore (this is what lets the server verify that client's signatures)
     keytool -import
             -alias     client1
             -file      client.x509 
             -keystore  server.keystore
             -storepass serverStorePW 

    6. repeat steps 2 to 5 for each client you want the server to accept signed messages from
    7. add the following to the server's server-config.wsdd
      <service name="MyWebservice" provider="java:RPC" style="document" use="literal">
        <!-- WS-Security handlers -->
        <requestFlow>
          <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
            <parameter name="action"                value="Signature"/>
            <parameter name="actor"                 value="clientSig"/>
            <parameter name="signaturePropFile"     value="server-crypto.properties" />
          </handler>   
        </requestFlow>
        ...
     
    8. create a server-crypto.properties file with the following contents:
       # server-crypto.properties: points WSS4J's Merlin crypto provider at the server keystore
       org.apache.ws.security.crypto.provider                  = org.apache.ws.security.components.crypto.Merlin
       org.apache.ws.security.crypto.merlin.keystore.type      = jks
       # store password from step 1, kept here in plaintext; restrict read access to this file (it lives in WEB-INF/classes, see step 9)
       org.apache.ws.security.crypto.merlin.keystore.password  = serverStorePW
       # keystore from step 1; each client certificate imported into it (steps 5 and 6) is a client whose signed messages the server accepts
       org.apache.ws.security.crypto.merlin.file               = server.keystore
     
    9. place the server.keystore and server-crypto.properties files in the WEB-INF/classes directory and the server-config.wsdd file in the WEB-INF directory.
    10. on the client side you'll need a similar client-config.wsdd to tell Axis to generate the signature
       <?xml version="1.0"?>
       <!-- client-config.wsdd (step 10): adds the WSDoAllSender handler to the global request flow so Axis signs outgoing requests -->
       <deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
         <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
         <globalConfiguration>
           <requestFlow>
             <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
               <parameter name="action"                value="Signature"/>
               <!-- same actor value as the server's WSDoAllReceiver handler in step 7 -->
               <parameter name="actor"                 value="clientSig"/>
               <!-- alias of the client key pair created in step 2 -->
               <parameter name="user"                  value="client1"/>
               <!-- callback class still to be written (step 11); presumably supplies the key password (client1KeyPW) for that alias, confirm against the WSS4J docs -->
               <parameter name="passwordCallbackClass" value="Client1PWCallback"/>
               <!-- crypto properties file shown below; it names the keystore and holds its store password in plaintext -->
               <parameter name="signaturePropFile"     value="client1-crypto.properties" />
             </handler>
           </requestFlow>
         </globalConfiguration>
       </deployment>
     
    and a similar client1-crypto.properties file to tell it which keystore holds the signing key (the key itself is selected by the user parameter above)
       # client1-crypto.properties: points WSS4J's Merlin crypto provider at the client keystore
       org.apache.ws.security.crypto.provider                  = org.apache.ws.security.components.crypto.Merlin
       org.apache.ws.security.crypto.merlin.keystore.type      = jks
       # store password from step 2, kept here in plaintext; restrict read access to this file
       org.apache.ws.security.crypto.merlin.keystore.password  = client1StorePW
       # keystore created in step 2; the signing key inside it is chosen by the "user" parameter in client-config.wsdd
       org.apache.ws.security.crypto.merlin.file               = client1.keystore
     
    11. you also need to create the password callback class referenced by passwordCallbackClass above (Client1PWCallback)... (TODO)