xml-key-management-service-xkms.html

buildbot Thu, 20 Jun 2013 07:49:57 -0700

Author: buildbot
Date: Thu Jun 20 14:48:27 2013
New Revision: 866640

Log:
Production update by buildbot for cxf


Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/xml-key-management-service-xkms.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: 
websites/production/cxf/content/docs/xml-key-management-service-xkms.html
==============================================================================
--- websites/production/cxf/content/docs/xml-key-management-service-xkms.html 
(original)
+++ websites/production/cxf/content/docs/xml-key-management-service-xkms.html 
Thu Jun 20 14:48:27 2013
@@ -25,6 +25,8 @@
 <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
 <meta name="keywords" content="business integration, EAI, SOA, Service 
Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic 
Data Interchange, standards support, integration standards, application 
integration, middleware, software, solutions, services, CXF, open source">
 <meta name="description" content="Apache CXF, Services Framework - XML Key 
Management Service (XKMS)">
+
+
     <title>
 Apache CXF -- XML Key Management Service (XKMS)
     </title>
@@ -125,7 +127,7 @@ Apache CXF -- XML Key Management Service
 
 <h2><a shape="rect" name="XMLKeyManagementService%28XKMS%29-Usecase"></a>Use 
case</h2>
 
-<p>CXF security uses asymmetric algorithms for different purposes: encryption 
of symmetric keys and payloads, signing security tokens and messages, proof of 
possession.<br clear="none">
+<p>CXF uses asymmetric algorithms for different purposes: encryption of 
symmetric keys and payloads, signing security tokens and messages, proof of 
possession.<br clear="none">
 Normally the public keys (in form of X509 certificates) are stored in java 
keystores.</p>
 
 <p>For example, if sender encrypts the message payload sending to the 
receiver, he should have access to receiver certificate saved in local 
keystore. <br clear="none">
@@ -165,47 +167,95 @@ This design makes XKMS internal implemen
 For example certificate can be searched firstly in the LDAP repository by LDAP 
lookup handler and, if it is not found there, additionally looked in remote PKI 
using appropriate lookup handler. Validation operation logic is organized in 
chain is well: first validation handler checks format and expire date of X509 
certificate, next one checks certificate trust chain.</p>
 
 <p>Currently XKMS Service supports simple file based and LDAP backends.<br 
clear="none">
-Sample spring configuration of XKMS handlers for file backend looks like:</p>
+Sample spring configuration of XKMS handlers looks like:</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
 <pre class="code-xml">
-   <span class="code-tag">&lt;bean id=<span 
class="code-quote">"dateValidator"</span> class=<span 
class="code-quote">"org.apache.cxf.xkms.x509.validator.DateValidator"</span> 
/&gt;</span>
+&lt;beans xmlns=<span 
class="code-quote">"http://www.springframework.org/schema/beans";</span>
+    <span class="code-keyword">xmlns:cxf</span>=<span 
class="code-quote">"http://cxf.apache.org/core";</span> <span 
class="code-keyword">xmlns:jaxws</span>=<span 
class="code-quote">"http://cxf.apache.org/jaxws";</span>
+    <span class="code-keyword">xmlns:test</span>=<span 
class="code-quote">"http://apache.org/hello_world_soap_http";</span> <span 
class="code-keyword">xmlns:xsi</span>=<span 
class="code-quote">"http://www.w3.org/2001/XMLSchema-instance";</span>
+    <span class="code-keyword">xmlns:util</span>=<span 
class="code-quote">"http://www.springframework.org/schema/util";</span>
+    xsi:schemaLocation="
+        http://cxf.apache.org/core
+        http://cxf.apache.org/schemas/core.xsd
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+        http://cxf.apache.org/jaxws                                     
+        http://cxf.apache.org/schemas/jaxws.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-2.0.xsd"&gt;
+
+
+    <span class="code-tag">&lt;bean id=<span 
class="code-quote">"dateValidator"</span> class=<span 
class="code-quote">"org.apache.cxf.xkms.x509.validator.DateValidator"</span> 
/&gt;</span>
+
+    &lt;bean id=<span class="code-quote">"trustedAuthorityValidator"</span>
+        class=<span 
class="code-quote">"org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg ref=<span 
class="code-quote">"certificateRepo"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span 
class="code-quote">"x509Locator"</span> class=<span 
class="code-quote">"org.apache.cxf.xkms.x509.handlers.X509Locator"</span>&gt;</span>
+        <span class="code-tag">&lt;constructor-arg ref=<span 
class="code-quote">"certificateRepo"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    &lt;bean id=<span class="code-quote">"x509Register"</span>
+        class=<span 
class="code-quote">"org.apache.cxf.xkms.x509.handlers.x509Register"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg ref=<span 
class="code-quote">"certificateRepo"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+
+    <span class="code-tag"><span class="code-comment">&lt;!-- LDAP based 
implementation --&gt;</span></span>
+
+    &lt;bean id=<span class="code-quote">"certificateRepo"</span>
+        class=<span 
class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg ref=<span 
class="code-quote">"ldapServerConfig"</span> /&gt;</span>
+        <span class="code-tag">&lt;constructor-arg ref=<span 
class="code-quote">"ldapSchemaConfig"</span> /&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span 
class="code-quote">"dc=example,dc=com"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span 
class="code-quote">"ldapServerConfig"</span> class=<span 
class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapServerConfig"</span>&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span 
class="code-quote">"ldap://localhost:2389";</span> /&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span 
class="code-quote">"cn=Directory Manager,dc=example,dc=com"</span> /&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span 
class="code-quote">"test"</span> /&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span 
class="code-quote">"2"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span 
class="code-quote">"ldapSchemaConfig"</span> class=<span 
class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig"</span>&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"certObjectClass"</span> value=<span 
class="code-quote">"inetOrgPerson"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"attrUID"</span> value=<span class="code-quote">"uid"</span> 
/&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"attrIssuerID"</span> value=<span 
class="code-quote">"manager"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"attrSerialNumber"</span> value=<span 
class="code-quote">"employeeNumber"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"attrCrtBinary"</span> value=<span 
class="code-quote">"userCertificate;binary"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"constAttrNamesCSV"</span> value=<span 
class="code-quote">"sn"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"constAttrValuesCSV"</span> value=<span 
class="code-quote">"X509 certificate"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"serviceCertRDNTemplate"</span> value=<span 
class="code-quote">"cn=%s,ou=services"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"serviceCertUIDTemplate"</span> value=<span 
class="code-quote">"cn=%s"</span> /&gt;</span>
+       <span class="code-tag">&lt;property name=<span 
class="code-quote">"trustedAuthorityFilter"</span> value=<span 
class="code-quote">"(&amp;#038;(objectClass=inetOrgPerson)(ou:dn:=CAs))"</span> 
/&gt;</span>
+       <span class="code-tag">&lt;property name=<span 
class="code-quote">"intermediateFilter"</span> value=<span 
class="code-quote">"(objectClass=inetOrgPerson)"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+
+    <span class="code-tag"><span class="code-comment">&lt;!-- File based 
implementation --&gt;</span></span>
+
+    &lt;!-- bean id=<span class="code-quote">"certificateRepo"</span>
+        class=<span 
class="code-quote">"org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg value=<span 
class="code-quote">"../conf/certs"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean--&gt;</span>
 
-   <span class="code-tag">&lt;bean id=<span 
class="code-quote">"x509FileLocator"</span> class=<span 
class="code-quote">"org.apache.cxf.xkms.x509.locator.FileLocator"</span>&gt;</span>
-      <span class="code-tag">&lt;constructor-arg value=<span 
class="code-quote">"../conf/certs"</span> /&gt;</span>
-   <span class="code-tag">&lt;/bean&gt;</span>
-
-   <span class="code-tag">&lt;bean id=<span 
class="code-quote">"fileRegisterHandler"</span> class=<span 
class="code-quote">"org.apache.cxf.xkms.x509.handlers.FileRegisterHandler"</span>&gt;</span>
-      <span class="code-tag">&lt;constructor-arg value=<span 
class="code-quote">"../conf/certs"</span> /&gt;</span>
-   <span class="code-tag">&lt;/bean&gt;</span>
-
-   <span class="code-tag">&lt;bean id=<span 
class="code-quote">"xkmsProviderBean"</span> class=<span 
class="code-quote">"org.apache.cxf.xkms.service.XKMSService"</span>&gt;</span>
-      <span class="code-tag">&lt;property name=<span 
class="code-quote">"validators"</span>&gt;</span>
-         <span class="code-tag">&lt;list&gt;</span>
-            <span class="code-tag">&lt;ref bean=<span 
class="code-quote">"dateValidator"</span> /&gt;</span>
-         <span class="code-tag">&lt;/list&gt;</span>
-      <span class="code-tag">&lt;/property&gt;</span>
-      <span class="code-tag">&lt;property name=<span 
class="code-quote">"locators"</span>&gt;</span>
-         <span class="code-tag">&lt;list&gt;</span>
-            <span class="code-tag">&lt;ref bean=<span 
class="code-quote">"x509FileLocator"</span> /&gt;</span>
-         <span class="code-tag">&lt;/list&gt;</span>
-      <span class="code-tag">&lt;/property&gt;</span>
-      <span class="code-tag">&lt;property name=<span 
class="code-quote">"keyRegisterHandlers"</span>&gt;</span>
-         <span class="code-tag">&lt;list&gt;</span>
-            <span class="code-tag">&lt;ref bean=<span 
class="code-quote">"fileRegisterHandler"</span> /&gt;</span>
-         <span class="code-tag">&lt;/list&gt;</span>
-      <span class="code-tag">&lt;/property&gt;</span>
-   <span class="code-tag">&lt;/bean&gt;</span>
-
-   &lt;jaxws:endpoint id=<span class="code-quote">"XKMSService"</span> <span 
class="code-keyword">xmlns:serviceNamespace</span>=<span 
class="code-quote">"http://www.w3.org/2002/03/xkms#wsdl";</span>
-      serviceName=<span 
class="code-quote">"serviceNamespace:XKMSService"</span> endpointName=<span 
class="code-quote">"serviceNamespace:XKMSPort"</span>
-      implementor=<span class="code-quote">"#xkmsProviderBean"</span> 
address=<span class="code-quote">"/XKMS"</span>&gt;
-   <span class="code-tag">&lt;/jaxws:endpoint&gt;</span>
+<span class="code-tag">&lt;/beans&gt;</span>
 </pre>
 </div></div>
 
-<h4><a shape="rect" 
name="XMLKeyManagementService%28XKMS%29-IntegrationXKMSclientintoCXFsecurity."></a>Integration
 XKMS client into CXF security.</h4>
+<p>dateValidator and trustedAuthorityValidator beans are implementations of 
Validator interface for validity date and trusted chain validation. <br 
clear="none">
+x509Locator and x509Register are implementations of Locator and Register 
interfaces for X509 certificates.<br clear="none">
+certificateRepo is repository implementation for LDAP backend. 
LdapServerConfig and LdapSchemaConfig contain LDAP configuration described in 
the following table:</p>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh">Property</th><th colspan="1" rowspan="1" 
class="confluenceTh">Sample Value</th><th colspan="1" rowspan="1" 
class="confluenceTh">Description</th></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">ldapServerConfig arguments</td><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" 
class="confluenceTd"> URL, baseDN and credentials of LDAP 
Server</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">certObjectClass</td><td colspan="1" rowspan="1" 
class="confluenceTd">inetOrgPerson</td><td colspan="1" rowspan="1" 
class="confluenceTd">LDAP object class used to store 
certificates</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">attrUID</td><td colspan="1" rowspan="1" 
class="confluenceTd">uid</td><td colspan="1" rowspan="1" 
class="confluenceTd">Attribute containing X509 subject DN</td></tr><tr><td 
colspan="1" rowspan="1" class="conf
 luenceTd">attrIssuerID</td><td colspan="1" rowspan="1" 
class="confluenceTd">manager</td><td colspan="1" rowspan="1" 
class="confluenceTd">LDAP attribute containing X509 issuer DN</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd">attrSerialNumber</td><td 
colspan="1" rowspan="1" class="confluenceTd">employeeNumber</td><td colspan="1" 
rowspan="1" class="confluenceTd">LDAP attribute containing X509 serial 
number</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">attrCrtBinary</td><td colspan="1" rowspan="1" 
class="confluenceTd">userCertificate</td><td colspan="1" rowspan="1" 
class="confluenceTd">LDAP attribute containing X509 certificate 
content</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">constAttrNamesCSV</td><td colspan="1" rowspan="1" 
class="confluenceTd">sn</td><td colspan="1" rowspan="1" 
class="confluenceTd">Comma separated list of mandatory LDAP 
attributes</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">constAttrValuesC
 SV</td><td colspan="1" rowspan="1" class="confluenceTd">X509 
certificate</td><td colspan="1" rowspan="1" class="confluenceTd">Comma 
separated list of mandatory LDAP attributes values</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">serviceCertRDNTemplate</td><td colspan="1" 
rowspan="1" class="confluenceTd">cn=%s,ou=services</td><td colspan="1" 
rowspan="1" class="confluenceTd">Relative distinguished name for service 
certificates</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">serviceCertUIDTemplate</td><td colspan="1" rowspan="1" 
class="confluenceTd">cn=%s</td><td colspan="1" rowspan="1" 
class="confluenceTd">Template to transform service QName to DN for storing into 
attrUID</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">trustedAuthorityFilter</td><td colspan="1" rowspan="1" 
class="confluenceTd">(&amp;(objectClass=inetOrgPerson)(ou:dn:=CAs))</td><td 
colspan="1" rowspan="1" class="confluenceTd">Filter to determine trusted CAs 
for truste
 d chain validation</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">intermediateFilter</td><td colspan="1" rowspan="1" 
class="confluenceTd">(objectClass=inetOrgPerson)</td><td colspan="1" 
rowspan="1" class="confluenceTd">Filter to determine intermediate certificates 
for trusted chain validation</td></tr></tbody></table>
+</div>
+
+
+<h4><a shape="rect" 
name="XMLKeyManagementService%28XKMS%29-IntegrationXKMSclientintoCXFruntime."></a>Integration
 XKMS client into CXF runtime.</h4>
 
-<p>XKMS client can be integrated into CXF and WSS4J using custom Crypto 
provider implementation. In this case XKMS service will be automatically 
invoked when WSS4J requires or validates certificate. Details are described in 
this <a shape="rect" class="external-link" 
href="http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html";
 rel="nofollow">blog</a>.</p>
+<p>XKMS client can be integrated into CXF and WSS4J using custom Crypto 
provider implementation. In this case XKMS service will be automatically 
invoked when WSS4J requires or validates certificate. Details are described in 
this <a shape="rect" class="external-link" 
href="http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html";
 rel="nofollow">blog</a>. Sample XKMS based implementation of WSS4J Crypto 
interface is contributed into XKMS Client component. </p>
 
 <h4><a shape="rect" 
name="XMLKeyManagementService%28XKMS%29-DataFormats"></a>Data Formats</h4>

svn commit: r866640 - in /websites/production/cxf/content: cache/docs.pageCache docs/xml-key-management-service-xkms.html

Reply via email to