Hello people,
I managed to create a secure WS using rampart (signed and encrypted
communication with asymmetric keys),
using one of the samples provided with rampart...
but I still don't think I have a very clear picture in my mind of the way things work "under
the hood".
I'd like to know if I got things right about how it works... (Notice that at
this point I don't really care about which takes place 1st, sign or encrypt.)
1) The client takes the XML of its request, ENCRYPTS it with the Web Service's
'certificate' and SIGNS it with the Client's private key [both key and
certificate are stored in client.jks]
2) The Web Service verifies the signature using the client's certificate, and
decrypts the data using its own private key. These certificates/keys are taken
from service.jks
The reverse happens for the response:
3) At this point, the Web Service takes the XML of the "answer" and ENCRYPTS it
with the client's certificate, then SIGNS it with its private key...
(etc etc)
Did I get it right?
Thanks
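The exchange described in steps 1 to 3, reduced to plain JDK crypto as an added illustration (not code from the original post or from Rampart, which generates the WS-Security XML for you). It assumes Java 16+ and swaps in-memory RSA key pairs for client.jks / service.jks; the Envelope record is a hypothetical stand-in for the EncryptedKey, EncryptedData and Signature elements of the SOAP header, and it shows one detail the steps above gloss over: the body is encrypted with a fresh symmetric key, and only that key is encrypted with the recipient's certificate.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
public class SignEncryptDemo {
    // Hypothetical stand-in for the WS-Security header parts: EncryptedKey, EncryptedData, Signature
    record Envelope(byte[] wrappedKey, byte[] iv, byte[] ciphertext, byte[] signature) {}
    // Sender side (step 1 for the client, step 3 for the service)
    static Envelope protect(byte[] xml, PrivateKey senderKey, PublicKey recipientKey) throws Exception {
        // The body is not RSA-encrypted directly: a fresh AES key encrypts it ...
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        SecretKey aes = kg.generateKey();
        byte[] iv = new byte[12]; new SecureRandom().nextBytes(iv);
        Cipher body = Cipher.getInstance("AES/GCM/NoPadding");
        body.init(Cipher.ENCRYPT_MODE, aes, new GCMParameterSpec(128, iv));
        byte[] ct = body.doFinal(xml);
        // ... and only that AES key is wrapped with the public key from the recipient's certificate
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, recipientKey);
        byte[] wrapped = rsa.wrap(aes);
        // The sender's private key signs what the recipient will verify (here: the ciphertext;
        // whether Rampart signs before or after encrypting is decided by the security policy)
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(senderKey);
        sig.update(ct);
        return new Envelope(wrapped, iv, ct, sig.sign());
    }
    // Recipient side (step 2 for the service, and the mirror image for the client on the response)
    static byte[] unprotect(Envelope env, PublicKey senderKey, PrivateKey recipientKey) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(senderKey);          // sender's certificate, held in the recipient's keystore
        sig.update(env.ciphertext());
        if (!sig.verify(env.signature())) throw new SecurityException("signature does not verify");
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, recipientKey);   // recipient's own private key
        SecretKey aes = (SecretKey) rsa.unwrap(env.wrappedKey(), "AES", Cipher.SECRET_KEY);
        Cipher body = Cipher.getInstance("AES/GCM/NoPadding");
        body.init(Cipher.DECRYPT_MODE, aes, new GCMParameterSpec(128, env.iv()));
        return body.doFinal(env.ciphertext());
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");   // in-memory stand-ins for client.jks / service.jks
        g.initialize(2048);
        KeyPair client = g.generateKeyPair(), service = g.generateKeyPair();
        byte[] request = "<req>hello</req>".getBytes(StandardCharsets.UTF_8);   // constructed sample body
        Envelope e = protect(request, client.getPrivate(), service.getPublic());
        System.out.println(new String(unprotect(e, client.getPublic(), service.getPrivate()), StandardCharsets.UTF_8));
    }
}
```

Tampering with any byte of the ciphertext or the wrapped key makes unprotect throw, which is the check the service relies on before it ever looks at the decrypted request.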