Author: buildbot
Date: Thu Jun 20 15:48:22 2013
New Revision: 866647
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/xml-key-management-service-xkms.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified:
websites/production/cxf/content/docs/xml-key-management-service-xkms.html
==============================================================================
--- websites/production/cxf/content/docs/xml-key-management-service-xkms.html
(original)
+++ websites/production/cxf/content/docs/xml-key-management-service-xkms.html
Thu Jun 20 15:48:22 2013
@@ -125,6 +125,8 @@ Apache CXF -- XML Key Management Service
<div class="wiki-content">
<div id="ConfluenceContent"><h1><a shape="rect"
name="XMLKeyManagementService%28XKMS%29-XMLKeyManagementService%28XKMS%29"></a>XML
Key Management Service (XKMS)</h1>
+<p>Available since CXF 3.0.0.</p>
+
<h2><a shape="rect" name="XMLKeyManagementService%28XKMS%29-Usecase"></a>Use
case</h2>
<p>CXF uses asymmetric algorithms for different purposes: encryption of
symmetric keys and payloads, signing security tokens and messages, proof of
possession.<br clear="none">
@@ -206,12 +208,12 @@ Sample spring configuration of XKMS hand
<bean id=<span class="code-quote">"certificateRepo"</span>
class=<span
class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo"</span>>
- <span class="code-tag"><constructor-arg ref=<span
class="code-quote">"ldapServerConfig"</span> /></span>
+ <span class="code-tag"><constructor-arg ref=<span
class="code-quote">"ldapSearch"</span> /></span>
<span class="code-tag"><constructor-arg ref=<span
class="code-quote">"ldapSchemaConfig"</span> /></span>
<span class="code-tag"><constructor-arg value=<span
class="code-quote">"dc=example,dc=com"</span> /></span>
<span class="code-tag"></bean></span>
- <span class="code-tag"><bean id=<span
class="code-quote">"ldapServerConfig"</span> class=<span
class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapServerConfig"</span>></span>
+ <span class="code-tag"><bean id=<span
class="code-quote">"ldapSearch"</span> class=<span
class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapSearch"</span>></span>
<span class="code-tag"><constructor-arg value=<span
class="code-quote">"ldap://localhost:2389"</span> /></span>
<span class="code-tag"><constructor-arg value=<span
class="code-quote">"cn=Directory Manager,dc=example,dc=com"</span> /></span>
<span class="code-tag"><constructor-arg value=<span
class="code-quote">"test"</span> /></span>
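Review bot: In the sample Spring configuration the rename from `ldapServerConfig`/`LdapServerConfig` to `ldapSearch`/`LdapSearch` is applied consistently to both the `constructor-arg ref` and the bean definition, but the unchanged constructor arguments still bind the XKMS service as the directory administrator with a literal password: `"cn=Directory Manager,dc=example,dc=com"` followed by `"test"`. Since this snippet is what readers will copy, suggest adding a sentence or an XML comment stating that the service should bind with a dedicated account limited to the subtree it reads (and writes, for registration) rather than the Directory Manager, and that the password should come from a property placeholder or external configuration rather than the Spring file itself. It would also help to document whether `LdapSearch` accepts an `ldaps://` URL in place of the plain `ldap://localhost:2389` shown, so that bind credentials and certificate writes are not sent in clear.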
@@ -246,10 +248,17 @@ Sample spring configuration of XKMS hand
<p>dateValidator and trustedAuthorityValidator beans are implementations of
Validator interface for validity date and trusted chain validation. <br
clear="none">
x509Locator and x509Register are implementations of Locator and Register
interfaces for X509 certificates.<br clear="none">
-certificateRepo is repository implementation for LDAP backend.
LdapServerConfig and LdapSchemaConfig contain LDAP configuration described in
the following table:</p>
+certificateRepo is repository implementation for LDAP backend. LdapSearch and
LdapSchemaConfig contain LDAP configuration described in the following
table:</p>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"> Property </th><th colspan="1" rowspan="1"
class="confluenceTh"> Sample Value </th><th colspan="1" rowspan="1"
class="confluenceTh"> Description </th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ldapServerConfig arguments </td><td colspan="1"
rowspan="1" class="confluenceTd"> </td><td colspan="1" rowspan="1"
class="confluenceTd"> URL, baseDN and credentials of LDAP Server
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> certObjectClass
</td><td colspan="1" rowspan="1" class="confluenceTd"> inetOrgPerson </td><td
colspan="1" rowspan="1" class="confluenceTd"> LDAP object class used to store
certificates </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
attrUID </td><td colspan="1" rowspan="1" class="confluenceTd"> uid </td><td
colspan="1" rowspan="1" class="confluenceTd"> Attribute containing X509 subject
DN </td></tr><tr><td colspan="1" ro
wspan="1" class="confluenceTd"> attrIssuerID </td><td colspan="1" rowspan="1"
class="confluenceTd"> manager </td><td colspan="1" rowspan="1"
class="confluenceTd"> LDAP attribute containing X509 issuer DN
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
attrSerialNumber </td><td colspan="1" rowspan="1" class="confluenceTd">
employeeNumber </td><td colspan="1" rowspan="1" class="confluenceTd"> LDAP
attribute containing X509 serial number </td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> attrCrtBinary </td><td colspan="1"
rowspan="1" class="confluenceTd"> userCertificate </td><td colspan="1"
rowspan="1" class="confluenceTd"> LDAP attribute containing X509 certificate
content </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
constAttrNamesCSV </td><td colspan="1" rowspan="1" class="confluenceTd"> sn
</td><td colspan="1" rowspan="1" class="confluenceTd"> Comma separated list of
mandatory LDAP attributes </td></tr><tr><td colspan="1" rows
pan="1" class="confluenceTd"> constAttrValuesCSV </td><td colspan="1"
rowspan="1" class="confluenceTd"> X509 certificate </td><td colspan="1"
rowspan="1" class="confluenceTd"> Comma separated list of mandatory LDAP
attributes values </td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> serviceCertRDNTemplate </td><td colspan="1" rowspan="1"
class="confluenceTd"> cn=%s,ou=services </td><td colspan="1" rowspan="1"
class="confluenceTd"> Relative distinguished name for service certificates
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
serviceCertUIDTemplate </td><td colspan="1" rowspan="1" class="confluenceTd">
cn=%s </td><td colspan="1" rowspan="1" class="confluenceTd"> Template to
transform service QName to DN for storing into attrUID </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> trustedAuthorityFilter </td><td
colspan="1" rowspan="1" class="confluenceTd">
(&(objectClass=inetOrgPerson)(ou:dn:=CAs)) </td><td colspan="1" rowspan=
"1" class="confluenceTd"> Filter to determine trusted CAs for trusted chain
validation </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
intermediateFilter </td><td colspan="1" rowspan="1" class="confluenceTd">
(objectClass=inetOrgPerson) </td><td colspan="1" rowspan="1"
class="confluenceTd"> Filter to determine intermediate certificates for trusted
chain validation </td></tr></tbody></table>
+</div>
+
+<h4><a shape="rect"
name="XMLKeyManagementService%28XKMS%29-Supportedcertificatestypes."></a>Supported
certificates types.</h4>
+<p>XKMS distinguishes following types of X509 certificates:</p>
<div class="table-wrap">
-<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">Property</th><th colspan="1" rowspan="1"
class="confluenceTh">Sample Value</th><th colspan="1" rowspan="1"
class="confluenceTh">Description</th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">ldapServerConfig arguments</td><td colspan="1" rowspan="1"
class="confluenceTd"> </td><td colspan="1" rowspan="1"
class="confluenceTd"> URL, baseDN and credentials of LDAP
Server</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">certObjectClass</td><td colspan="1" rowspan="1"
class="confluenceTd">inetOrgPerson</td><td colspan="1" rowspan="1"
class="confluenceTd">LDAP object class used to store
certificates</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">attrUID</td><td colspan="1" rowspan="1"
class="confluenceTd">uid</td><td colspan="1" rowspan="1"
class="confluenceTd">Attribute containing X509 subject DN</td></tr><tr><td
colspan="1" rowspan="1" class="conf
luenceTd">attrIssuerID</td><td colspan="1" rowspan="1"
class="confluenceTd">manager</td><td colspan="1" rowspan="1"
class="confluenceTd">LDAP attribute containing X509 issuer DN</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">attrSerialNumber</td><td
colspan="1" rowspan="1" class="confluenceTd">employeeNumber</td><td colspan="1"
rowspan="1" class="confluenceTd">LDAP attribute containing X509 serial
number</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">attrCrtBinary</td><td colspan="1" rowspan="1"
class="confluenceTd">userCertificate</td><td colspan="1" rowspan="1"
class="confluenceTd">LDAP attribute containing X509 certificate
content</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">constAttrNamesCSV</td><td colspan="1" rowspan="1"
class="confluenceTd">sn</td><td colspan="1" rowspan="1"
class="confluenceTd">Comma separated list of mandatory LDAP
attributes</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">constAttrValuesC
SV</td><td colspan="1" rowspan="1" class="confluenceTd">X509
certificate</td><td colspan="1" rowspan="1" class="confluenceTd">Comma
separated list of mandatory LDAP attributes values</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">serviceCertRDNTemplate</td><td colspan="1"
rowspan="1" class="confluenceTd">cn=%s,ou=services</td><td colspan="1"
rowspan="1" class="confluenceTd">Relative distinguished name for service
certificates</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">serviceCertUIDTemplate</td><td colspan="1" rowspan="1"
class="confluenceTd">cn=%s</td><td colspan="1" rowspan="1"
class="confluenceTd">Template to transform service QName to DN for storing into
attrUID</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">trustedAuthorityFilter</td><td colspan="1" rowspan="1"
class="confluenceTd">(&(objectClass=inetOrgPerson)(ou:dn:=CAs))</td><td
colspan="1" rowspan="1" class="confluenceTd">Filter to determine trusted CAs
for truste
d chain validation</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">intermediateFilter</td><td colspan="1" rowspan="1"
class="confluenceTd">(objectClass=inetOrgPerson)</td><td colspan="1"
rowspan="1" class="confluenceTd">Filter to determine intermediate certificates
for trusted chain validation</td></tr></tbody></table>
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">Type</th><th colspan="1" rowspan="1"
class="confluenceTh">Description</th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> User </td><td colspan="1" rowspan="1"
class="confluenceTd"> Normal user X509 certificate</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> Service </td><td colspan="1" rowspan="1"
class="confluenceTd"> Certificate identifies service. Required application
"urn:apache:cxf:service:soap" by lookup and registration. Identified as
{SERVICE_ NAMESPACE}SERVICE_NAME </td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> Trusted CA </td><td colspan="1" rowspan="1"
class="confluenceTd"> CAs used as trusted anchor by certificates validations.
Trusted CAs can be retrieved using trustedAuthorityFilter property
</td></tr></tbody></table>
</div>
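Review bot: The first data row of the moved table still reads `ldapServerConfig arguments` although the rewritten prose directly above it now says `LdapSearch and LdapSchemaConfig contain LDAP configuration described in the following table`; rename the row to `ldapSearch arguments` so the table matches the bean id used in the sample configuration. Two small text issues in the added lines: the new heading `Supported certificates types.` ends with a period that the other h4 headings (for example `Current restrictions and ToDos`) do not carry, and should read `Supported certificate types`; and `{SERVICE_ NAMESPACE}SERVICE_NAME` in the Service row has a stray space inside the namespace placeholder. Finally, the Trusted CA row says these entries are the trust anchor for certificate validation and are selected by `trustedAuthorityFilter` = `(&(objectClass=inetOrgPerson)(ou:dn:=CAs))`; the table would be more useful to deployers if it also said that write access under `ou=CAs` must be restricted, since any principal able to add an inetOrgPerson entry there effectively adds a trust anchor.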
@@ -360,7 +369,7 @@ XKMS Service uses following values for r
</div></div>
<h4><a shape="rect"
name="XMLKeyManagementService%28XKMS%29-CurrentrestrictionsandToDos"></a>Current
restrictions and ToDos</h4>
-<ul><li>only X509 certificates are supported as keys;</li><li>only LDAP and
File based backends are supported;</li><li>validate operations checks
expiration date, but doesn't validate trusted chain;</li><li>revocation lists
are not implemented;</li><li>more integration tests are required</li></ul>
+<ul><li>only X509 certificates are supported as keys;</li><li>only LDAP and
File based backends are supported;</li><li>revocation lists are not
implemented;</li><li>more integration tests are required</li></ul>
</div>
</div>
<!-- Content -->
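Review bot: Removing the bullet `validate operations checks expiration date, but doesn't validate trusted chain` asserts that chain validation is now performed; this agrees with the `trustedAuthorityValidator` bean described earlier as the Validator implementation for trusted chain validation, but the bullet `revocation lists are not implemented` remains, so a chain can validate against a trusted CA while one of its certificates has been revoked. Suggest adding a sentence next to the revocation bullet stating that a successful validate response is not a revocation check and that deployments needing revocation must perform it outside XKMS.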