sic wrote:
When applying ws-security through cxf, I'm likely to use X.509
certificates in order to do the signature and encryption action.
I got some help from this document:
http://cxf.apache.org/docs/ws-security.html
but I cannot fully understand the Using X.509 Certificates section.
Not for the development but for the production environment, is it implemented if
I decide to use an algorithm used in the keystore and a certifying company which
certifies a signature (or manage to do it myself)?
Hi sic,
Yes, self-signed won't be of any practical use when working in
production. We need to use external CA authorities to sign and manage
certificates. There are two algorithms you can specify while creating a
public/private key pair from keytool. One is the "key algorithm": the
algorithm with which the keytool utility (which comes with the Java SE SDK) generates
your public/private key pair (default is DSA). The second is the
"Signature Algorithm": the algorithm, compatible with the key algorithm, which
signs your public key when you certify it yourself (defaults to SHA1DSA).
You can read [1] to get a good amount of information about this topic.
To the best of my knowledge, WSS4J supports:
"tripledes-cbc", AES 128, 256, and 192 bit keys as the symmetric
algorithm to encrypt the data,
DSA-SHA1 and RSA-SHA256 to sign the data,
RSA15 to encrypt the symmetric key.
If you are using WS-SecurityPolicy, the "Algorithm Suite" can be
specified in the binding-level policy declaration. The algorithm suite
will help you define many important values for different operations
like symmetric signature, digest, encryption, etc.
You can read more about it in the WS-SecurityPolicy specification [2] and [3].
Then is it possible whatever the algorithm used in the keystore is, despite it not being
certified?
And without a keystore, would I be unable to implement ws-security in the
ways that do the signature and encryption action?
If you are going to use a public/private key pair, you need to store
private keys in a keystore and public certificates in a trust store
somewhere; hence the significance of the key store and trust store
respectively. If you don't want to use X509 tokens then there is no
need to configure keystores; for example, UsernameToken and Kerberos
(currently not supported by WSS4J) don't require them.
It's so difficult for me to understand ws-security itself, and I hope you
understand my incoherent question.
regards,
sic
With Regards,
Mayank
[1] http://download.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA
[2] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html
[3] http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-Algorithms