Hello Ruchith.

I followed your instructions. I created a script for generating the keystore. But now I have run into trouble with an error:

"WSHandler: Signature: error during message procesingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature) ..."

If I use the original "sec.jks" from the security sample (and change the axis2.xml user and encryptionUser params) it works. So I think there's still something wrong with my keystore.


Here is the script I use to generate the keystore.
-----------------------------

@echo off
set CLIENT_KEYPASS=keyPassClient
set CLIENT_STOREPASS=storePassClient
set SERVER_KEYPASS=keyPassServer
set SERVER_STOREPASS=storePassServer

keytool -genkey -keyalg RSA -alias client -keystore client.jks -dname "cn=Client" -keypass %CLIENT_KEYPASS% -storepass %CLIENT_STOREPASS%
keytool -genkey -keyalg RSA -alias server -keystore server.jks -dname "cn=Server" -keypass %SERVER_KEYPASS% -storepass %SERVER_STOREPASS%

keytool -selfcert -alias client -keystore client.jks -keypass %CLIENT_KEYPASS% -storepass %CLIENT_STOREPASS%
keytool -selfcert -alias server -keystore server.jks -keypass %SERVER_KEYPASS% -storepass %SERVER_STOREPASS%

keytool -export -keystore client.jks -alias client -storepass %CLIENT_STOREPASS% -file client.cert
keytool -export -keystore server.jks -alias server -storepass %SERVER_STOREPASS% -file server.cert

keytool -import -noprompt -alias server -file server.cert -keystore client.jks -storepass %CLIENT_STOREPASS%
keytool -import -noprompt -alias client -file client.cert -keystore server.jks -storepass %SERVER_STOREPASS%

del client.cert
del server.cert


keytool -list -keystore client.jks -storepass %CLIENT_STOREPASS%
keytool -list -keystore server.jks -storepass %SERVER_STOREPASS%

pause

-----------------------------

The resulting keystores look now like this:

-----------------------------

Keystore-Typ: jks
Keystore-Provider: SUN

Ihr Keystore enthält 2 Einträge.

client, 06.04.2006, keyEntry,
Zertifikatsfingerabdruck (MD5): EA:30:9C:AF:FF:05:CE:91:10:6E:E8:C4:5F:B8:B5:7C
server, 06.04.2006, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 77:D3:A0:AB:BF:70:05:6D:38:AD:E5:23:BB:8C:1E:04

-----------------------------

Keystore-Typ: jks
Keystore-Provider: SUN

Ihr Keystore enthält 2 Einträge.

client, 06.04.2006, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): EA:30:9C:AF:FF:05:CE:91:10:6E:E8:C4:5F:B8:B5:7C
server, 06.04.2006, keyEntry,
Zertifikatsfingerabdruck (MD5): 77:D3:A0:AB:BF:70:05:6D:38:AD:E5:23:BB:8C:1E:04

-----------------------------

Thank you very much for your help!

Siamak


Ruchith Fernando wrote:
Hi Siamak,

Please see my inline comments:

On 4/6/06, Siamak Haschemi <[EMAIL PROTECTED]> wrote:
Hello everybody.

I can successfully use the security example. Within this example there
is the keystore which is used. I start with the example and try to
generate my own keystore but I have no luck. Can somebody give me the
lines to write down on the console to get a keystore similar to the
"sec.jks" in the "secUtil.jar" of the security example.

You can use openssl and the java keytool to do this. Please see the
following shell scripts:
https://svn.apache.org/repos/asf/webservices/wss4j/trunk/keys/genCAKey.sh
https://svn.apache.org/repos/asf/webservices/wss4j/trunk/keys/genKeystore.sh
https://svn.apache.org/repos/asf/webservices/wss4j/trunk/keys/genCertRequest.sh
https://svn.apache.org/repos/asf/webservices/wss4j/trunk/keys/signConvertImportCert.sh

By the way I got a question on the security example:

The keystore listing shows that there are two private/public keys in the
keystore and two signed and accepted certificates. Am I right?

Yes

Keystore-Typ: jks
Keystore-Provider: SUN

Ihr Keystore enthält 4 Einträge.

alice, 04.06.2005, keyEntry,
Zertifikatsfingerabdruck (MD5):
57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84
root, 04.06.2005, trustedCertEntry,
Zertifikatsfingerabdruck (MD5):
0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
ca, 04.06.2005, trustedCertEntry,
Zertifikatsfingerabdruck (MD5):
CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6
bob, 04.06.2005, keyEntry,
Zertifikatsfingerabdruck (MD5):
89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC


The security example uses this keystore for both the client and the
server. My question now is how to produce two different keystores for
alice and bob each containing the private/public key and the certificate
(including the public key) of the other. Something like this:

These are the steps to create the keystores you want:

1.) generate two separate keystores with self signed keys
$ keytool -genkey ...

2.) Export the certs of both private keys in the two keystores
$ keytool -export

3.) Import the cert of one private key to the other keystore
$ keytool -import

Keystore for Alice:
- Private/Public Key of Alice
- Certificate of Bob

Keystore for Bob:
- Private/Public Key of Bob
- Certificate of Alice


Does Axis2 work in such a scenario?

Yes !!

Thanks,
Ruchith
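A cross-check of the two listings in the format shown above, added here as an example (it is not code from the thread, Axis2 or WSS4J): it parses `keytool -list` output and confirms that each keystore holds its own keyEntry, the peer's trustedCertEntry, and that the same alias carries the same certificate fingerprint on both sides, which is exactly what the three keytool steps should produce. The listing text is constructed from the output quoted in the thread.

```python
import re

# Listings constructed from the two `keytool -list` outputs quoted in the thread.
CLIENT_LISTING = """Ihr Keystore enthält 2 Einträge.
client, 06.04.2006, keyEntry,
Zertifikatsfingerabdruck (MD5): EA:30:9C:AF:FF:05:CE:91:10:6E:E8:C4:5F:B8:B5:7C
server, 06.04.2006, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 77:D3:A0:AB:BF:70:05:6D:38:AD:E5:23:BB:8C:1E:04
"""
SERVER_LISTING = """Ihr Keystore enthält 2 Einträge.
client, 06.04.2006, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): EA:30:9C:AF:FF:05:CE:91:10:6E:E8:C4:5F:B8:B5:7C
server, 06.04.2006, keyEntry,
Zertifikatsfingerabdruck (MD5): 77:D3:A0:AB:BF:70:05:6D:38:AD:E5:23:BB:8C:1E:04
"""

# "<alias>, <date>, <type>," is locale-independent (only the type keyword is English); the hex may wrap.
ENTRY_RE = re.compile(r"^(?P<alias>[^,\n]+), [^,\n]+, (?P<kind>\w+),?[ \t]*$", re.M)
FP_RE = re.compile(r"\((?:MD5|SHA-?1|SHA-?256)\):\s*((?:[0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2})")
PRIVATE, TRUSTED = {"keyEntry", "PrivateKeyEntry"}, {"trustedCertEntry"}

def parse_listing(text):
    """Map alias -> (entry type, upper-case fingerprint) from a keytool -list dump."""
    heads = list(ENTRY_RE.finditer(text))
    entries = {}
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        fp = FP_RE.search(text, head.end(), end)  # fingerprint belongs to the nearest header above it
        if fp is None:
            raise ValueError(f"no fingerprint found for alias {head['alias']!r}")
        entries[head["alias"].strip()] = (head["kind"], fp.group(1).upper())
    return entries

def check_mirror(a_alias, a_listing, b_alias, b_listing):
    """Return a list of problems; empty means the stores mirror each other: own key pair as
    keyEntry, peer cert as trustedCertEntry, and one alias = one certificate on both sides."""
    a, b = parse_listing(a_listing), parse_listing(b_listing)
    problems = []
    for name, store, mine, theirs in (("A", a, a_alias, b_alias), ("B", b, b_alias, a_alias)):
        if store.get(mine, ("",))[0] not in PRIVATE:
            problems.append(f"store {name}: no private key entry for {mine!r}")
        if store.get(theirs, ("",))[0] not in TRUSTED:
            problems.append(f"store {name}: no trusted cert entry for {theirs!r}")
    for alias in (a_alias, b_alias):  # a stale export re-imported after -genkey shows up here
        if alias in a and alias in b and a[alias][1] != b[alias][1]:
            problems.append(f"fingerprint mismatch for {alias!r}: stale export/import?")
    return problems

if __name__ == "__main__":
    print(check_mirror("client", CLIENT_LISTING, "server", SERVER_LISTING) or "keystores mirror each other")
```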

