I know it's not an answer to your question, maybe a workaround at best, but we 
ended up modifying the file permissions such that only infrastructure folks can 
open the file.


From: java-user-return-87277-Meeusen.Christopher=mayo....@axis.apache.org 
[mailto:java-user-return-87277-Meeusen.Christopher=mayo....@axis.apache.org] On 
Behalf Of Rajat Aggarwal
Sent: Monday, March 11, 2013 12:21 AM
To: java-user@axis.apache.org
Subject: Re: Encrypting The Admin Passwords used by the Axis Admin Servlet

I think I have somewhat confused my query. The question is not about encrypting 
the authentication tokens in web service calls. My query is: is there a way by 
which we can encrypt the Axis AdminServlet's admin password?

<parameter name="adminPassword" value="admin"/>

Thanks and Regards,

Rajat Aggarwal
(91) 9880 029 826

On Sun, Mar 10, 2013 at 6:08 PM, Martin Gainty 
<mgai...@hotmail.com<mailto:mgai...@hotmail.com>> wrote:
The Axis doc says securing a service by encrypting passwords can be achieved by 
engaging the rampart module (I use version 1.4.2).

cd $AXIS_HOME
cd .\modules\rampart-samples\basic

org.apache.rampart.samples.sample03.PWCBHandler.java is the password verification 
method for encrypt/decrypt.
Sample03) UsernameToken authentication with a plain text password, where 
services.xml contains:

<service>
  .....................................
  <parameter name="InflowSecurity">
    <action>
      <items>UsernameToken</items>
      <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
    </action>
  </parameter>
</service>

Upload service.aar, then run the service by:
.\sample03\ant ant service.01

client.axis2.xml contains:

<axisconfig name="AxisJava2.0">
  <module ref="rampart" />
  <parameter name="OutflowSecurity">
    <action>
      <items>UsernameToken</items>
      <user>aggarwal</user>
      <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
      <passwordType>UnencryptedPasswordText</passwordType>
    </action>
  </parameter>
  ....
</axisconfig>

Run the client test:
.\sample03\ant ant.client.01

.\sample05\ Encryption: services.xml would contain:
  <parameter name="InflowSecurity">
    <action>
      <items>Encrypt</items>
      <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
      <decryptionPropFile>service.properties</decryptionPropFile>
    </action>
  </parameter>

service.properties would contain the attributes from the security provider 
(BouncyCastle or, in this case, Oracle); this must exist on the classpath:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=PutPasswordToBeEncryptedHere
org.apache.ws.security.crypto.merlin.file=service.jks

.\sample05 ant ant.service.05

client.axis2.xml would contain the callbackHandler and service.properties as seen 
here:
  <parameter name="InflowSecurity">
    <action>
      <items>Encrypt</items>
      <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
      <decryptionPropFile>service.properties</decryptionPropFile>
    </action>
  </parameter>

Once you have verified that the service.properties params work for you, you can 
use those attributes in a servlet with startup params, which can be accomplished 
in 2 ways:

1) Load down the container startup script with -Dsystem_option=value params, for 
example:
%JAVA_HOME%\bin\java -classpath %CLASSPATH%
-DJAVA_OPTS="-server -Xms256M -Xmx512M -XX:MaxPermSize=512M"
-Dsun.security.ssl.allowUnsafeRenegotiation=true
-Djavax.net.ssl.trustStore=$JRE_HOME/lib/security/cacerts
-DtrustStorePath=$JRE_HOME/lib/security
-Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStore=BancoSantander.jks
-Dssl.KeyManagerFactory.algorithm=SunX509
-Djavax.net.ssl.keyStorePassword=PutPasswordToBeEncryptedHere
 -Djavax.net.ssl.truststoreFile=cacerts
 -Djava.io.tmpdir=$CATALINA_HOME/tmp
-Djavax.net.ssl.trustStore=$CATALINA_HOME/conf/jssecacerts
 -jar bootstrap.jar 1>tomcat.log

--you can see where one misplaced character can fubar the entire script!

2) The safer alternative is to put all SSL params from service.properties in 
your SSL connector, e.g.:
<Connector port="8443" protocol="HTTP/1.1"
           algorithm="SunX509"
           connectionTimeout="10000"
           connectionLinger="-1"
           keystoreFile="BancoSantander.jks"
           keystorePass="PutPasswordToBeEncryptedHere"
           keystoreType="jks"
           truststoreFile="cacerts"
           truststorePass="TrustStorePasswordForCacerts"
           truststoreType="jks"
           trustStorePath="$JAVA_HOME/jre/lib/security"
           maxKeepAliveRequests="1"
           allowUnsafeLegacyRenegotiation="false"
           secure="true"
           SSLEnabled="true"
           sslProtocol="TLS"
           clientAuth="true"
/>
http://tomcat.apache.org/tomcat-5.5-doc/config/http.html

Steer clear of ciphers; it is a new feature and is still being alpha tested.

I have a date with a snow-shovel which I cannot delay..I'll check back at end 
of day to see how you're doing

Martin
______________________________________________
Disclaimer and confidentiality notice

This message is confidential. If you are not the intended recipient, we kindly 
ask you to notify us. Any unauthorised forwarding or copying is not permitted. 
This message serves only to exchange information and has no legally binding 
effect. Because e-mails are easily manipulated, we cannot accept liability for 
their content.


________________________________
From: rajat.aggarwa...@gmail.com<mailto:rajat.aggarwa...@gmail.com>
Date: Sun, 10 Mar 2013 17:02:36 +0530
Subject: Encrypting The Admin Passwords used by the Axis Admin Servlet
To: java-user@axis.apache.org<mailto:java-user@axis.apache.org>

Hi,

We have some web services in our project, where our wsdd files contain the 
following lines:

<globalConfiguration>
  <parameter name="sendMultiRefs" value="true"/>
  <parameter name="disablePrettyXML" value="true"/>
  <parameter name="adminPassword" value="admin"/>
  <parameter name="dotNetSoapEncFix" value="true"/>
  <parameter name="enableNamespacePrefixOptimization" value="false"/>
  <parameter name="sendXMLDeclaration" value="true"/>
  <parameter name="sendXsiTypes" value="true"/>
  <parameter name="axis.disableServiceList" value="true"/>
  <parameter name="attachments.implementation" 
value="org.apache.axis.attachments.AttachmentsImpl"/>
  <requestFlow>
   <handler type="java:org.apache.axis.handlers.JWSHandler">
    <parameter name="scope" value="session"/>
   </handler>
   <handler type="java:org.apache.axis.handlers.JWSHandler">
    <parameter name="scope" value="request"/>
    <parameter name="extension" value=".jwr"/>
   </handler>
  </requestFlow>
 </globalConfiguration>


I wanted to know the use of the above highlighted element (adminPassword), and 
also, is there any way we can introduce our own encryption mechanism to encrypt 
this password so that it is not visible in plain text to anyone?

Thanks and Regards,

Rajat Aggarwal

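As an added example (not code from the thread or from Apache Axis), a small audit script that parses a WSDD deployment descriptor like the one quoted above, reports whether `adminPassword` is still the default value or merely stored in plain text, and checks the file mode that the first reply's permission workaround relies on. The sample descriptor and the finding strings are constructed for this example.

```python
"""Audit an Axis 1.x WSDD descriptor for a plain-text adminPassword parameter.
Added example for this thread, not Apache Axis code; the sample is constructed."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
# Constructed sample modelled on the globalConfiguration snippet in the question.
SAMPLE_WSDD = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
 <globalConfiguration>
  <parameter name="sendMultiRefs" value="true"/>
  <parameter name="adminPassword" value="admin"/>
  <parameter name="axis.disableServiceList" value="true"/>
 </globalConfiguration>
</deployment>
"""
DEFAULT_ADMIN_PASSWORD = "admin"  # the value shown in the thread's descriptor
def local(tag):
    """Strip an XML namespace: '{ns}parameter' -> 'parameter'."""
    return tag.rsplit("}", 1)[-1]
def find_admin_passwords(xml_text):
    """Return the value of every adminPassword parameter in the descriptor."""
    root = ET.fromstring(xml_text)
    return [el.get("value", "") for el in root.iter()
            if local(el.tag) == "parameter" and el.get("name") == "adminPassword"]
def audit_wsdd(path):
    """Return findings for one descriptor file; an empty list means clean."""
    with open(path, encoding="utf-8") as fh:
        values = find_admin_passwords(fh.read())
    findings = ["adminPassword is the default value" if v == DEFAULT_ADMIN_PASSWORD
                else "adminPassword is stored in plain text" for v in values]
    # The password is only as protected as the file that holds it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if values and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("descriptor readable by group/others (mode %o)" % mode)
    return findings
def demo():
    """Audit the sample as world-readable, then after an owner-only chmod."""
    with tempfile.NamedTemporaryFile("w", suffix=".wsdd", delete=False) as fh:
        fh.write(SAMPLE_WSDD)
        path = fh.name
    os.chmod(path, 0o644)
    before = audit_wsdd(path)
    os.chmod(path, 0o600)  # the first reply's workaround: owner-only access
    after = audit_wsdd(path)
    os.unlink(path)
    return before, after
```

Restricting the mode removes only the permission finding; the default or plain-text password finding stays until the value itself is changed or sourced differently.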
