Thank you for the reply. I was studying up on WS-Security for a while and found this:
"For example, symmetric binding can be used when only the server possesses a 
X509Token. Here, the initiator first creates an ephemeral key and then creates 
an encrypted key encrypting that ephemeral key using the recipient’s public 
key. This ephemeral key is then used for both signing and encrypting messages 
back and forth. This mechanism allows a Web service to sign and encrypt 
messages even with an anonymous client thus very useful at times"
http://wso2.org/library/3132

It is true that I possess an X.509 token, but I do not have the private key for it. Can I still use symmetric binding?
I am sorry if this is not the right place to ask this, and I appreciate the help.
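Added example, not code from this thread, from Rampart or from WSO2: the key flow the quoted WSO2 paragraph describes, reduced to plain JCE so that it is visible which party needs which key. The initiator generates an ephemeral AES key, wraps it under the recipient's RSA public key (what ends up in the <xenc:EncryptedKey>) and MACs the body with it; the recipient unwraps the key with its private key and recomputes the MAC. Only the signing half is shown, not the encryption the quote also mentions. The algorithm names, the AES-128 key size, the 2048-bit RSA pair standing in for the server's X.509 key and the SOAP body text are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Key flow of a SymmetricBinding in which only the recipient holds an X509Token,
 * reduced to plain JCE. Not Rampart code: Rampart emits the real
 * <xenc:EncryptedKey> / <ds:Signature> XML; this only shows the roles.
 */
public class SymmetricBindingKeyFlow {

    // WS-Security 1.1 key transport is RSA-OAEP (xenc#rsa-oaep-mgf1p); this is its JCE name.
    private static final String KEY_TRANSPORT = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
    // A "signature" made with a symmetric key is an HMAC (xmldsig#hmac-sha1 in WS-Security 1.1).
    private static final String MAC_ALG = "HmacSHA1";

    /** The security-relevant parts of the initiator's message. */
    public static final class Message {
        public final byte[] encryptedKey;   // ephemeral key wrapped for the recipient
        public final byte[] body;           // the signed content
        public final byte[] signatureValue; // HMAC over the body under the ephemeral key

        public Message(byte[] encryptedKey, byte[] body, byte[] signatureValue) {
            this.encryptedKey = encryptedKey;
            this.body = body;
            this.signatureValue = signatureValue;
        }
    }

    /** Initiator: needs only the recipient's public key, no private key of its own. */
    public static Message initiatorSend(PublicKey recipientPublicKey, byte[] body) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey ephemeral = kg.generateKey();

        Cipher wrap = Cipher.getInstance(KEY_TRANSPORT);
        wrap.init(Cipher.WRAP_MODE, recipientPublicKey);
        byte[] encryptedKey = wrap.wrap(ephemeral);

        return new Message(encryptedKey, body, hmac(ephemeral, body));
    }

    /** Recipient: the only private-key operation in the whole exchange is this unwrap. */
    public static boolean recipientVerify(PrivateKey recipientPrivateKey, Message m) throws Exception {
        Cipher unwrap = Cipher.getInstance(KEY_TRANSPORT);
        unwrap.init(Cipher.UNWRAP_MODE, recipientPrivateKey);
        SecretKey ephemeral = (SecretKey) unwrap.unwrap(m.encryptedKey, "AES", Cipher.SECRET_KEY);
        // constant-time comparison of the recomputed MAC against the received one
        return MessageDigest.isEqual(hmac(ephemeral, m.body), m.signatureValue);
    }

    private static byte[] hmac(SecretKey key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(new SecretKeySpec(key.getEncoded(), MAC_ALG));
        return mac.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair(); // stands in for the server's X.509 key pair

        // constructed sample body; in a real message this is the canonicalised <soapenv:Body>
        byte[] body = "<soapenv:Body><getQuote>IBM</getQuote></soapenv:Body>"
                .getBytes(StandardCharsets.UTF_8);

        Message genuine = initiatorSend(recipient.getPublic(), body);
        System.out.println("genuine verifies:  " + recipientVerify(recipient.getPrivate(), genuine));

        byte[] tampered = body.clone();
        tampered[20] ^= 0x01; // flip one bit inside the element name
        Message forged = new Message(genuine.encryptedKey, tampered, genuine.signatureValue);
        System.out.println("tampered verifies: " + recipientVerify(recipient.getPrivate(), forged));
    }
}
```

The point to take from it: the initiator never touches a private key, which is why the quoted text can speak of an anonymous client. The MAC proves that whoever sent the message knew the wrapped key, not who that was, so any client authentication has to come from something else in the policy (a supporting token, for instance). When the policy asks for derived keys, Rampart derives the actual MAC and encryption keys from the ephemeral key instead of using it directly, but the trust relationship is the same.
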
From: [email protected]
To: [email protected]
Subject: RE: Using Rampart to send a proxy certificate and sign using a 
symmetric key
Date: Wed, 20 Mar 2013 19:31:32 -0400

The sts-policy-symm-binding.xml from the integration samples inside Rampart is what you want to start with.

1) read the XSD declared at the top
2) have a good understanding of what you're doing before you make the change
3) implement the service which implements sts-policy-symm-binding.xml
   make sure you engage Rampart
   run the client code which implements sts-policy-symm-binding.xml

-- creating the aar: change to rampart-integration
cd \rampart\rampart-src-1.4\modules\rampart-integration
vi .\src\test\resources\rampart\services-20.xml

tweak the signatureCrypto to replace the default Merlin attributes with BouncyCastle attributes
 
<ramp:signatureCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">test-resources/rahas/policy/store.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
    </ramp:crypto>
</ramp:signatureCrypto>
<!-- Rampart's element name is encryptionCrypto (not encryptionCypto); a misspelt element is ignored -->
<ramp:encryptionCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
    </ramp:crypto>
</ramp:encryptionCrypto>
 
if your X.509 cert is v3 you're in luck
if your cert is NOT X.509 v3 you have to change the WssX509V3Token10 element:
change
<sp:WssX509V3Token10/>
to your specific version of X.509

Java code:
the only Java mod to be aware of is when the service responds to your PWCallback class
<ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>
 
--  run mvn process-test-resources
mvn process-test-resources

use the Axis Admin tool to 
upload the new service aar into Axis located at
target/test-resources/rampart_service_repo/services/SecureService20.aar
 
engage the following modules:
rampart-src-1.4/modules/rampart-integration/target/test-resources/rampart_service_repo/modules/addressing-${addressing.mar.version}.mar

rampart-src-1.4/modules/rampart-integration/target/test-resources/rampart_service_repo/modules/rahas-${addressing.mar.version}.mar
 
rampart-src-1.4/modules/rampart-integration/target/test-resources/rampart_service_repo/modules/rampart-mar-${addressing.mar.version}.mar
 
if you don't have them, run process-test-resources, e.g.
mvn process-test-resources

ping back here if you have any questions

Martin Gainty 
______________________________________________ 
Disclaimer and confidentiality notice

This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is not permitted. This message serves only to exchange information and has no legally binding effect. Because e-mails are easily manipulated, we cannot accept liability for their content.
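Added example, not the PWCallback class that ships with the Rampart integration samples and not code from this thread: a callback handler of the kind <ramp:passwordCallbackClass> points at, showing the two ways WSS4J (as used by Rampart 1.4) hands control back to application code. For the SIGNATURE and DECRYPT usages it asks for the password of a private-key alias in the signatureCrypto/encryptionCrypto keystore; for KEY_NAME it asks for a symmetric key by name and accepts raw bytes through setKey, which is the hook for a key that exists only as a byte array rather than as a keystore entry. The alias "service", the private-key password and the sample key bytes are assumptions; the thread shows only the keystore password.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Password/key callback of the kind referenced by <ramp:passwordCallbackClass>.
 * Rampart (through WSS4J) calls handle() whenever it needs the password of a
 * private-key alias or a symmetric key identified by name.
 */
public class PWCallback implements CallbackHandler {

    // Constructed 16-byte sample key, for illustration only. In a deployment the key
    // comes from the STS exchange or protected storage, never from a literal.
    private static final byte[] SHARED_KEY = {
        (byte) 0x31, (byte) 0xfd, (byte) 0xcb, (byte) 0xda, (byte) 0xfb, (byte) 0xcd, (byte) 0x6e, (byte) 0xc8,
        (byte) 0x57, (byte) 0x37, (byte) 0x03, (byte) 0xcf, (byte) 0x62, (byte) 0x1b, (byte) 0x2a, (byte) 0x40
    };

    // Alias and private-key password are assumptions: the config quoted in the thread
    // shows the keystore password ("password") but neither an alias nor a key password.
    private static final String SERVICE_ALIAS = "service";
    private static final String SERVICE_KEY_PASSWORD = "password";

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            switch (pc.getUsage()) {
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    // WSS4J needs the password that unlocks the private key stored under
                    // this alias in the signatureCrypto / encryptionCrypto keystore.
                    if (SERVICE_ALIAS.equals(pc.getIdentifier())) {
                        pc.setPassword(SERVICE_KEY_PASSWORD);
                    }
                    break;
                case WSPasswordCallback.KEY_NAME:
                    // WSS4J asks for a symmetric key by name: hand over the raw bytes,
                    // so no keystore entry is needed for this key at all.
                    pc.setKey(SHARED_KEY);
                    break;
                default:
                    // Leave any other usage unanswered; WSS4J then rejects the message
                    // instead of this handler guessing a credential.
                    break;
            }
        }
    }
}
```

Only answer the identifiers you expect: a handler that returns the same password for every alias turns the keystore password into a credential for every key in the store, and a handler that hands out SHARED_KEY regardless of pc.getIdentifier() lets any message that names any key be verified with it.
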

From: [email protected]
To: [email protected]
Subject: RE: Using Rampart to send a proxy certificate and sign using a 
symmetric key
Date: Wed, 20 Mar 2013 10:57:46 +0000

Thank you for the reply, this sounds like what I want to do.
I just want to clarify one thing. We have our own STS which uses the Bouncycastle library to generate a certificate and a key to send to the client. So the client now has a proxy certificate (only the public key is known to the client, no private key supplied) and a secret symmetric key.
One of the things that confused me is how Rampart reads this information. I got it in byte form but I am unsure how to direct Rampart to it or ask it to use it.
Sincerely,

> Date: Tue, 19 Mar 2013 17:32:11 -0400
> Subject: Re: Using Rampart to send a proxy certificate and sign using a 
> symmetric key
> From: [email protected]
> To: [email protected]
> 
> Hi,
> 
> To do this with rampart, first you need to be able to express your
> requirements in WS-SecurityPolicy.
> 
> Since you mentioned the use of a symmetric key to sign (MAC) (as in
> 3.4 of [1]) I suppose you will have to try to use a SymmetricBinding
> policy (Example [2]). This will involve getting a token issued by an
> STS which will include the certificate, and a symmetric key (since you
> need this to sign/mac). This will be the IssuedToken specified in the
> policy.
> 
> Then Rampart should be able to use the token and include it in the
> security header and sign using the given key value.
> 
> I'm not sure whether this works, but I will take a crack at generating
> an example of this over the weekend.
> 
> Thanks,
> Ruchith
> 
> 1. 
> https://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
> 2. 
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc100567712
> 
> On Sun, Mar 17, 2013 at 3:10 AM, Abdelrahman Almahmoud
> <[email protected]> wrote:
> > Thank you for the reply
> >
> > I understand the typical use of certificates as I have worked in security
> > for a while, it is a bit complicated to explain and I am not even sure if I
> > am allowed to discuss this so I will avoid talking about the architecture. I
> > appreciate the comments but as I mentioned, our use case is a little
> > different than usual. I am trying to avoid using SSL altogether because of
> > various reasons as well.
> >
> > What I simply want to do is give rampart my X.509 certificate and have it
> > send it to my target where I will try to have rampart do what I want or
> > simply write my own handler to make it do that.
> >
> > I also want rampart to sign that message using my own symmetric key. We have
> > our reasons to use symmetric keys here. If Rampart can't do this, can I
> > write a handler to do this my self and ask rampart to include this into the
> > SOAP message?
> >
> >
> >
> >
> > ________________________________
> > From: [email protected]
> > To: [email protected]
> > Subject: RE: Using Rampart to send a proxy certificate and sign using a
> > symmetric key
> > Date: Thu, 14 Mar 2013 06:32:42 -0400
> >
> >
> >
> > ________________________________
> > From: [email protected]
> > To: [email protected]
> > Subject: Using Rampart to send a proxy certificate and sign using a
> > symmetric key
> > Date: Thu, 14 Mar 2013 08:59:15 +0000
> >
> > Hi
> >
> >
> > I have a bit of a unique situation, I am writing an Axis2 client and have to
> > follow a certain procedure. I would like to use Rampart to do the following,
> >
> > 1- I have a proxy certificate issued by a server for me, this certificate
> > has my username and the server's public key, I would like to have rampart
> > send this certificate.
> > MG>A certificate is generally used by Browsers for verifying you are who
> > you are and you wish to communicate to server with these specific
> > credentials
> > As far as I know, the samples only show how to have rampart use a
> > certificate from a key store
> > MG>from the trust-store called cacerts
> >
> > is there another way to do it?
> > MG>First step is to get the cert working to validate you to the external
> > interface
> >
> > MG>Second step is to setup a SSLv2 or SSLv3 session (using some known
> > transport) to the server
> >
> > 2- I would like Rampart to sign the request using a Symmetric key. As far as
> > I know, rampart takes the key from a key store but I am not sure how to ask
> > it to sign the request using this key and such
> >
> > The samples didn't help much with this and I am not sure where to find more
> > information
> > Any help is greatly appreciated
> >
> > MG>Read this cover to cover
> > http://download.java.net/jdk8/docs/technotes/guides/security/jsse/JSSERefGuide.html
> >
> > Thanks
> 
> 
> 
> -- 
> http://ruchith.org
> 
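Added example, not code from this thread or from Rampart: a JDK-only check of a Merlin-style JKS keystore using the same type/file/password triple as the ramp:property values quoted above, listing for every alias whether a private key is stored and which X.509 version the certificate has. Those are the two facts the thread turns on before Rampart is involved at all: whether the store really holds the private key for the alias you intend to sign with, and whether the policy's WssX509V3Token10 element matches the certificate. The default path is the one from the signatureCrypto block; the keytool commands in the comment build a throwaway store for trying it and are an assumption, not part of the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Inspect a keystore the way Merlin will see it: same type, file and store
 * password as the ramp:property values, one summary line per alias.
 *
 * A throwaway store to try it with (assumption, not from the thread):
 *   keytool -genkeypair -alias service -keyalg RSA -keysize 2048 -dname "CN=service" \
 *           -validity 365 -keystore store.jks -storepass password -keypass password
 *   keytool -exportcert -alias service -keystore store.jks -storepass password -file service.cer
 *   keytool -importcert -alias service-cert -file service.cer -keystore store.jks \
 *           -storepass password -noprompt
 * The second alias holds the certificate only, i.e. the "token without private key" case.
 */
public class KeyStoreCheck {

    /** What matters about one alias for a WS-Security deployment. */
    public static final class AliasInfo {
        public final boolean hasPrivateKey; // false: can verify / encrypt-for, but never sign
        public final int x509Version;       // 3 for an X.509 v3 certificate, -1 if no X.509 cert
        public final String subject;

        AliasInfo(boolean hasPrivateKey, int x509Version, String subject) {
            this.hasPrivateKey = hasPrivateKey;
            this.x509Version = x509Version;
            this.subject = subject;
        }
    }

    public static Map<String, AliasInfo> inspect(String storeType, String file, char[] storePassword)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePassword); // a wrong store password fails here with an IOException
        }
        Map<String, AliasInfo> result = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias); // for a key entry: first cert of its chain
            int version = -1;
            String subject = "(no X.509 certificate)";
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                version = x509.getVersion();
                subject = x509.getSubjectX500Principal().getName();
            }
            result.put(alias, new AliasInfo(ks.isKeyEntry(alias), version, subject));
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Defaults mirror the signatureCrypto properties quoted in the thread.
        String type = "JKS";
        String file = args.length > 0 ? args[0] : "test-resources/rahas/policy/store.jks";
        char[] password = (args.length > 1 ? args[1] : "password").toCharArray();

        for (Map.Entry<String, AliasInfo> e : inspect(type, file, password).entrySet()) {
            AliasInfo info = e.getValue();
            System.out.printf("%-14s privateKey=%-5b X509v%d  %s%n",
                    e.getKey(), info.hasPrivateKey, info.x509Version, info.subject);
        }
    }
}
```

An alias that reports privateKey=false is what a trusted-certificate import produces: Rampart can encrypt to its holder (ramp:encryptionUser) and verify signatures from it, but cannot use it as the signing user (ramp:user), because signing needs the private half. A certificate that reports X509v1 is the case the WssX509V3Token10 remark in the thread is about.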