Awesome feedback... thanks.

I want to stay away from any 3rd party SSL tools and stick only with the java api/keytool, since I want to do much of this programmatically using a custom server UI on my server component.

I will definitely look into using a CA and the process you suggested.

Thanks,
Chris

On 5/19/2011 1:40 PM, Dennis Sosnoski wrote:
Hi Chris,

It sounds like you might be best off using your own Certificate
Authority. That way you'd only need to import the CA's signing
certificate into your trust store, not every individual client
certificate (and if you configure it correctly, *only* certificates
signed by that CA will be accepted by the server).

The safest way to manage the certificates is to generate the
public/private key pair on the client, then export a certificate request
containing the generated public key (Java's keytool or any number of
other programs will allow you to do this). The owner of the client
system can then just email the certificate request to the CA
administrator, and if the owner's request is valid the CA can email back
a certificate. The owner of the client system would then need to import
the certificate into their keystore (where they saved the private key
that matched the certificate request), and use that keystore for the
SSL/TLS connection.

If you do a search you should find plenty of information to set this up.
I think Glen Mazza had a blog posting about using OpenSSL for your own
CA a while ago, so you might want to start there (keeping this in the
CXF family ;-) ).

   - Dennis

Dennis M. Sosnoski
Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
Axis2/CXF/Metro SOA and Web Services Training <http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
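The workflow Dennis describes, done with keytool alone (as Chris wants), as an added example that is not part of this thread: the CA key stays on the server, each client generates its own key pair and sends only a CSR, and the server trust store holds nothing but the CA certificate. Passwords, aliases and file names are constructed for the example.

```shell
#!/usr/bin/env bash
# Private-CA enrollment using only keytool. Constructed example values throughout.
set -euo pipefail

PASS=changeit                     # example password; use separate strong ones in practice
CA_KS=ca.jks                      # CA private key: stays with the server administrator
SERVER_TS=server-truststore.jks   # server trusts *only* the CA cert, so only CA-signed clients
CLIENT_KS=client-keystore.jks     # client private key + the cert the CA issued for it
CLIENT_TS=client-truststore.jks   # client trusts the CA that signed the server's cert

setup_ca() {
  # 1. CA key pair; BasicConstraints marks it as a CA so it may sign other certs
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Example Private CA" -ext bc=ca:true \
    -keystore "$CA_KS" -storepass "$PASS" -keypass "$PASS"
  keytool -exportcert -alias ca -rfc -file ca.pem -keystore "$CA_KS" -storepass "$PASS"
  # 2. Server trust store gets the CA cert only, never individual client certs
  keytool -importcert -noprompt -alias ca -file ca.pem \
    -keystore "$SERVER_TS" -storepass "$PASS"
}

enroll_client() {   # $1 = client alias; steps 3, 4 and 6 run on the client machine
  # 3. Client generates its own key pair; the private key never leaves CLIENT_KS
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$1" -keystore "$CLIENT_KS" -storepass "$PASS" -keypass "$PASS"
  # 4. Client exports a certificate request (public key only) to send to the CA admin
  keytool -certreq -alias "$1" -file "$1.csr" -keystore "$CLIENT_KS" -storepass "$PASS"
  # 5. CA admin signs the request; eku=clientAuth limits the cert to client use
  keytool -gencert -alias ca -infile "$1.csr" -outfile "$1.pem" -rfc -validity 365 \
    -ext eku=clientAuth -keystore "$CA_KS" -storepass "$PASS"
  # 6. Client imports the CA cert, then the signed reply, which keytool attaches to the
  #    private key under the same alias (it must match the key that produced the CSR)
  keytool -importcert -noprompt -alias ca -file ca.pem -keystore "$CLIENT_KS" -storepass "$PASS"
  keytool -importcert -noprompt -alias "$1" -file "$1.pem" -keystore "$CLIENT_KS" -storepass "$PASS"
  keytool -importcert -noprompt -alias ca -file ca.pem -keystore "$CLIENT_TS" -storepass "$PASS"
}

chain_length() {    # $1 = alias; prints the chain length stored for the client key
  keytool -list -v -alias "$1" -keystore "$CLIENT_KS" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: //p'
}
```

Run `setup_ca` once on the server, then `enroll_client dev1` per developer; a chain length of 2 (client cert plus CA cert) confirms the reply matched the client's private key. Revoking access is then a matter of the CA admin's own records, since the server trust store never held the client cert.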


On 05/20/2011 07:51 PM, Chris Richmond wrote:
I have successfully tested a CXF based service and client in Java using
2-way SSL in code only (no Spring), following this example:

http://aruld.info/programming-ssl-for-jetty-based-cxf-services/

Now, I am simply reusing the same keystores/truststores from the CXF
example but I am having difficulty figuring out the workflow for
securing my own service.  What I want to achieve is having a 2-way SSL
CXF web service which I will generate certs for on the server side,
then the administrator will hand out those certs to trusted developers
and make an entry in the server's trust store for those certs?  That
cert can be used by client developers to submit with their requests
for 2-way SSL.

I *think* the workflow will be like this, but I need advice on this.

create a keystore on the server machine.
create a truststore on the server machine.
generate a key in the keystore for a particular client to use.
export that key's certificate and import that cert into the server's
truststore so that the server will trust/allow any clients using that cert
access.
hand out that cert to the client developer via email, thumb drive, etc. (not
important how)
the client puts that cert into their keystore? Truststore?

The client needs to have a keystore and truststore as well, does it not?
But I'm not exactly sure what/where the client needs to put that cert
in order to call the server via CXF. The example I used above has
prebuilt key/truststores for client/server but has no instruction on
how they were built and what exactly is being accessed in each one in
that code.

Then I was thinking that the server admin can remove a cert from their
truststore (or revoke?) in case he thinks that cert has been compromised.

Is my thinking on this correct?  Assuming the server side is correct,
what does a new client developer have to do keystore/truststore-wise in
order to effectively use that cert?

Thanks very much,
Chris
