Apr 29 2012 CXF and 2-way SSL


When interacting with some clients, there is a need to add an extra level of security by applying 2-way SSL between the client and the service endpoint. This interaction requires two keystores (one being the truststore and one being a basic keystore), along with CXF configuration. If you have never worked with a keystore before, no worries: the commands are pretty simple and there are some easy-to-use tools. My favorite site for commands is below:

The Most Common Java Keytool Keystore Commands

And if I feel lazy and want to interact with keystores via a GUI instead of the command line, I use Keystore Explorer.

The JDK defaults to using cacerts as the start location to put trust certs. The default password for cacerts is "changeit", in case you want to practice the commands or use a tool to view the default certs. To simplify upgrades to application servers, it is sometimes better to create a new jks that is used as the truststore.

Just be aware that there might be default certificate authorities in cacerts that you might need to export/import into your new truststore. Then a parameter is added to the startup scripts of WebLogic Server to inform it that the application is using a different truststore from the default.

-Djavax.net.ssl.trustStore=ssl/CA-Trust.jks -Djavax.net.ssl.trustStorePassword=Password

There is one other important item related to Java keystores. If you are doing more WS-* capabilities or interactions with other clients, and therefore need multiple keys for 2-way SSL, Digital Signatures, etc., I have to refer back to the documentation on the fact that you cannot have more than one private key in a keystore:

From IBM Documentation: If you are using the default properties to configure SSL (javax.net.ssl.*), the SSL keystore should contain exactly one private key, because there is no way to specify which key will be used.

This becomes more apparent when you realize that the configuration for http:conduit does not let you supply an alias, even though configurations like Digital Signatures do. So if you have two private keys within the same keystore, you may run into an issue where your Digital Signature works but your 2-way SSL has handshake failures, because it scans the keystore and uses the first private key it comes across (which was meant for the Digital Signature). So the solution is just to create a separate keystore for each private key.

Once I have the keystores in place and the startup scripts registering our new truststore, the next task is to figure out the necessary configuration for CXF. The best documentation for how to do security with CXF is actually from a vendor that uses CXF as a core product and publishes some documentation on how to use it: FuseSource. Their document, Fuse Services Framework – Security Guide, is hands down the best resource I have used on the subject.

I need to configure an http:conduit in CXF.
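As an added illustration (not from the original post or the FuseSource guide), a Spring configuration for a CXF http:conduit doing 2-way SSL could look like the following. The service namespace, port name, client keystore file name and passwords are placeholders; the truststore path is the one from the startup parameters above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the author's configuration. The namespace, port name,
     client keystore file and passwords below are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
           http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Scoped form: {service namespace}PortName.http-conduit applies the TLS
       settings to this one port only. name="*.http-conduit" is the wildcard
       form and applies them to every outbound call made by the application. -->
  <http:conduit name="{http://example.com/partner}PartnerPort.http-conduit">
    <http:tlsClientParameters>

      <!-- Client identity presented during the handshake. This keystore
           holds exactly one private key, since no alias is selected here. -->
      <sec:keyManagers keyPassword="CHANGE_ME_KEY_PASSWORD">
        <sec:keyStore type="JKS"
                      file="ssl/client-tls.jks"
                      password="CHANGE_ME_STORE_PASSWORD"/>
      </sec:keyManagers>

      <!-- Certificates trusted when validating the server's chain. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS"
                      file="ssl/CA-Trust.jks"
                      password="CHANGE_ME_TRUST_PASSWORD"/>
      </sec:trustManagers>

    </http:tlsClientParameters>
  </http:conduit>
</beans>
```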

The one thing to realize as you read about the http:conduit is that if you use the wildcard feature for http:conduit, it will apply to every service call-out made from that war application. So with regards to the previous link to CXF, the following is the example:

Thanks for your write-up, which is helpful for the people who have some idea about it. I am kind of a newbie to the Webservice security world, and I have a requirement like this.

We have a Webservice call which needs to be done with a Digital Signature. We are using Apache CXF 2.7.1 with JDK 1.6, Spring 3.0.5 and WSS4J 1.6.9.

I got hold of this website, which explains it in a nice way from a starter's perspective, and I followed it before I found your website.
https://sites.google.com/site/ddmwsst/ws-security-impl

However, I am getting the following error when I try to make a Webservice call from JUnit.
javax.xml.ws.soap.SOAPFaultException: An error was discovered processing the header

Looks like our custom header in the SOAP request is overriding the Security header. Do you know how to append or attach the security header to the existing SOAP header? I believe the security information (Digital Signature info) will be embedded under the SOAP Header.

Could you please help with your kind suggestion or approach to resolve my issue? I would really appreciate it if you could provide some information or guidance on my issue.

Thanks in advance

admin, Mar 07, 2013 @ 17:17:08
