Revision 1 as of 2005-10-25 19:53:03, Editor: RonReynolds
Revision 2 as of 2009-09-20 22:48:02, Editor: localhost, Comment: converted to 1.6 markup

(almost done)

How to set up XML-Signature using WSS4J and Axis 1.2.1

  1. create a keystore file (with a key pair) for the server

     keytool -genkey \
             -alias     server \
             -dname     "CN=My Server" \
             -keypass   serverKeyPW \
             -keystore  server.keystore \
             -storepass serverStorePW
  2. create a keystore (and public-key/private-key pair) for the client

     keytool -genkey \
             -alias     client1 \
             -dname     "CN=Client 1" \
             -keypass   client1KeyPW \
             -keystore  client1.keystore \
             -storepass client1StorePW
  3. generate a self-signed certificate for the client (stored within the keystore)

     keytool -selfcert \
             -alias     client1 \
             -keypass   client1KeyPW \
             -keystore  client1.keystore \
             -storepass client1StorePW
  4. export the self-signed X.509 certificate

     keytool -export \
             -alias     client1 \
             -keystore  client1.keystore \
             -storepass client1StorePW \
             -file      client.x509
  5. import the certificate into the server's keystore (this is the trust anchor the server will verify client signatures against)

     keytool -import \
             -alias     client1 \
             -file      client.x509 \
             -keystore  server.keystore \
             -storepass serverStorePW
  6. repeat steps 2 to 5 for each client you want the server to accept signed messages from
  7. add the following to the server's server-config.wsdd

      <service name="MyWebservice" provider="java:RPC" style="document" use="literal">
        <!-- WS-Security handlers -->
        <requestFlow>
          <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
            <parameter name="action"                value="Signature"/>
            <parameter name="actor"                 value="clientSig"/>
            <parameter name="signaturePropFile"     value="server-crypto.properties" />
          </handler>   
        </requestFlow>
        ...
  8. create a server-crypto.properties file with the following contents:

       org.apache.ws.security.crypto.provider                  = org.apache.ws.security.components.crypto.Merlin
       org.apache.ws.security.crypto.merlin.keystore.type      = jks
       org.apache.ws.security.crypto.merlin.keystore.password  = serverStorePW
       org.apache.ws.security.crypto.merlin.file               = server.keystore
  9. place the server.keystore and server-crypto.properties files in the WEB-INF/classes directory and the server-config.wsdd file in the WEB-INF directory.
  10. on the client side you'll need a similar client-config.wsdd to tell Axis to generate the signature

       <?xml version="1.0"?>
       <deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
         <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
         <globalConfiguration>
           <requestFlow>
             <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
               <parameter name="action"                value="Signature"/>
               <parameter name="actor"                 value="clientSig"/>
               <parameter name="user"                  value="client1"/>
               <parameter name="passwordCallbackClass" value="Client1PWCallback"/>
               <parameter name="signaturePropFile"     value="client1-crypto.properties" />
             </handler>
           </requestFlow>
         </globalConfiguration>
       </deployment>

    and a similar client1-crypto.properties file to tell WSS4J which keystore holds the key it should sign with

       org.apache.ws.security.crypto.provider                  = org.apache.ws.security.components.crypto.Merlin
       org.apache.ws.security.crypto.merlin.keystore.type      = jks
       org.apache.ws.security.crypto.merlin.keystore.password  = client1StorePW
       org.apache.ws.security.crypto.merlin.file               = client1.keystore
  11. you also need to create the password callback classes... (TODO)

RonReynolds/XmlSigSetup (last edited 2009-09-20 22:48:02 by localhost)