Hello David, Thanks for your suggestions.
So far, after setting up the UsernameToken profile, I have set up ws-security (X509 profile - signing and encryption) with the property file for basic security. I have attached the patches on JIRA-4642. Now I am after the things you suggested. It sounds like a good idea to use the geronimo built-in security for the same.

Many thanks again for your immediate reply!

Rahul

On Wed, Aug 12, 2009 at 5:57 PM, David Jencks <[email protected]> wrote:

> Hi Rahul,
> I don't understand any details of what you are trying to do but I think you
> are trying to get access to a certificate so some parts of the xml message
> can be signed.
>
> In geronimo we have several gbeans to help with managing certificate stores
> and trust stores. These are set up so that if you get a reference to the
> appropriate gbean you should be able to access the certificate as needed with
> no further passwords or authentication needed. While these are normally
> present in servers you can set one up in an app client if you want.
>
> The portal pages I think you are mentioning let you administer these
> gbeans.
>
> The jetty https connector is set up to use one of these gbeans, you might
> find it a useful example of how to proceed, for
> instance HTTPSSelectChannelConnector and GeronimoSelectChannelSSLListener.
>
> The central class is
> org.apache.geronimo.management.geronimo.KeystoreManager implemented
> by org.apache.geronimo.security.keystore.FileKeystoreManager in the
> framework/modules/geronimo-security module.
>
> I'd suspect you might want to get a KeystoreInstance from the
> KeystoreManager and then get the Certificate you want from that.
>
> Hope this helps,
> david jencks
>
> On Aug 11, 2009, at 2:15 PM, rahul.soa wrote:
>
> Hello Jarek,
>
> I hope you are doing well.
>
> Presently, I am setting up the signing at the client side, and I have a couple of
> doubts.
>
> I think I can do something similar in the CXFPortMethodInterceptor:
>
> String signatureKeyIdentifier = (String)
> properties.get("signatureKeyIdentifier");
> String user = (String) properties.get("user");
>
> //in case where <property name="wss4j.out.action">Signature</property>
> if (containsValue(action, WSHandlerConstants.SIGNATURE)) {
> * // doubt about this, how CXFPortMethodInterceptor will know about
> this*
> properties.put(WSHandlerConstants.SIG_PROP_FILE,
> "clientKeystore.properties");
> // alias or user
> properties.put(WSHandlerConstants.USER, user);
>
> if(signatureKeyIdentifier.equals("DirectReference"))
> properties.put(WSHandlerConstants.SIG_KEY_ID,
> "DirectReference");
> if(signatureKeyIdentifier.equals("IssuerSerial"))
> properties.put(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
> //in order to obtain the key password for the private key
> properties.put(WSHandlerConstants.PW_CALLBACK_CLASS,
> ClientKeystorePasswordCallback.class.getName());
>
> }
>
>
> I think we should specify the following things in the <property> under the
> <port> in the geronimo-web.xml at the client side.
>
> <property name="wss4j.out.action">Signature</property>
> <property name="wss4j.out.user">myclientkey</property>
> <property name="wss4j.out.signatureKeyIdentifier">IssuerSerial</property>
>
> Can we set the keypassword too in the property? What other things should we
> set in the property?
>
> Question 1:
> Here, the first thing is how we can provide the signature property file, in the
> above case "clientKeystore.properties". It should be at the client side. If this
> is in the client application written by the user, then how can we give the
> reference of this in the CXFPortMethodInterceptor? In other words, *where
> to set this property*:
> properties.put(WSHandlerConstants.SIG_PROP_FILE,
> "clientKeystore.properties");
>
> Question 2:
>
> For the ClientKeystorePasswordCallback, how can the client send the
> keypassword,
>
> through the geronimo-web.xml?
> <property name="wss4j.out.keypass">keypass</property>
>
>
> Another thing I noticed: in the geronimo server we have the following two
> tabs under Security:
> Keystores <http://localhost:8096/console/portal/Security/Keystores>
> Certificate Authority <http://localhost:8096/console/portal/Security/Certificate%20Authority>
>
>
> What are these for?
>
>
> Thanks for your help.
>
> Best Regards,
> Rahul
>
>
>
> PS: for signing and encryption, I think we need the bouncy castle and the
> xalan jar files in the cxf plugin, I pulled them
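As an added example (not code from this thread or from the Geronimo/CXF code base): a helper that builds the WSS4J outbound signature settings from the <port> properties discussed above, rejects signatureKeyIdentifier values other than the two named in the thread, and answers WSS4J's key-password request from a CallbackHandler so that no wss4j.out.keypass value has to sit in geronimo-web.xml. The property name wss4j.out.signaturePropFile, the class names, and the place the key password is fetched from are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Hypothetical helper: turns the <port> properties into WSS4J outbound signature settings. */
public class SignatureOutConfig {

    public static Map<String, Object> build(Map<String, String> portProps, CallbackHandler pwHandler) {
        String action = portProps.get("wss4j.out.action");
        if (action == null || !Arrays.asList(action.split(" ")).contains(WSHandlerConstants.SIGNATURE)) {
            throw new IllegalArgumentException("wss4j.out.action does not request Signature");
        }
        String user = portProps.get("wss4j.out.user");
        String sigProps = portProps.get("wss4j.out.signaturePropFile"); // assumed property name
        String keyId = portProps.get("wss4j.out.signatureKeyIdentifier");
        if (user == null || sigProps == null) throw new IllegalArgumentException("user and signaturePropFile are required");
        // Only the key identifier values discussed in the thread are accepted; anything else is rejected.
        if (keyId != null && !Arrays.asList("DirectReference", "IssuerSerial").contains(keyId)) {
            throw new IllegalArgumentException("unsupported signatureKeyIdentifier: " + keyId);
        }
        Map<String, Object> out = new HashMap<String, Object>();
        out.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        out.put(WSHandlerConstants.USER, user);              // alias of the client's signing key
        out.put(WSHandlerConstants.SIG_PROP_FILE, sigProps); // crypto properties file on the client classpath
        out.put(WSHandlerConstants.SIG_KEY_ID, keyId == null ? "IssuerSerial" : keyId);
        // No keypass property in the descriptor: WSS4J asks the handler for the key password when it signs.
        out.put(WSHandlerConstants.PW_CALLBACK_REF, pwHandler);
        return out;
    }

    /** Supplies the private-key password for one alias, and only for signature requests. */
    public static class KeyPasswordHandler implements CallbackHandler {
        private final String alias;
        private final char[] keyPass; // fetched by the caller, e.g. from a Geronimo keystore gbean (assumed)

        public KeyPasswordHandler(String alias, char[] keyPass) { this.alias = alias; this.keyPass = keyPass; }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback c : callbacks) {
                if (!(c instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(c);
                WSPasswordCallback pc = (WSPasswordCallback) c;
                if (pc.getUsage() == WSPasswordCallback.SIGNATURE && alias.equals(pc.getIdentifier())) {
                    pc.setPassword(new String(keyPass));
                }
            }
        }
    }
}
```

The returned map is what the interceptor would hand to WSS4J's outbound handler; the key password travels only through the handler object, so a descriptor that is checked into source control or copied between machines does not carry it.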
