These links could provide some help for you: http://www.jroller.com/gmazza/entry/cxf_x509_profile http://www.jroller.com/gmazza/entry/using_openssl_to_create_certificates
Glen

On 05/20/2011 03:51 AM, Chris Richmond wrote:
I have successfully tested a CXF-based service and client in Java using 2-way SSL in code only (no Spring), following this example: http://aruld.info/programming-ssl-for-jetty-based-cxf-services/

Now I am simply reusing the same keystores/truststores from the CXF example, but I am having difficulty figuring out the workflow for securing my own service. What I want to achieve is a 2-way SSL CXF web service for which I will generate certs on the server side; then the administrator will hand out those certs to trusted developers and make an entry in the server's truststore for those certs. That cert can be used by client developers to submit with their requests for 2-way SSL.

I *think* the workflow will be like this, but I need advice on this:

1. Create a keystore on the server machine.
2. Create a truststore on the server machine.
3. Generate a key in the keystore for a particular client to use.
4. Export that key's certificate and import that cert into the server's truststore so that the server will trust/allow any clients using that cert access.
5. Hand out that cert to the client developer via email, thumbdrive, etc. (not important how).
6. The client puts that cert into their keystore? Truststore?

The client needs to have a keystore and truststore as well, does it not? But I'm not exactly sure what/where the client needs to put that cert in order to call the server via CXF. The example I used above has prebuilt key/truststores for client/server but has no instruction on how they were built and what exactly is being accessed in each one in that code.

Then I was thinking that the server admin can remove a cert from their truststore (or revoke?) in case he thinks that cert has been compromised. Is my thinking on this correct? Assuming the server side is correct, what does a new client developer have to do keystore/truststore-wise in order to effectively use that cert?

Thanks very much,
Chris
--
Glen Mazza
Software Engineer, Talend (http://www.talend.com)
blog: http://www.jroller.com/gmazza
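For the client side of the question above, here is an added example (not code from this thread, from CXF, or from the linked posts) of wiring a CXF JAX-WS proxy for 2-way SSL in code with no Spring: the client keystore holds the client's own key pair and the certificate issued for it, and the client truststore holds the server's certificate. File names and passwords are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class MutualTlsClientConfig {

    // Loads a JKS file; the same password is assumed for the store and the key entry.
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static TLSClientParameters buildTlsParams(String keystorePath, char[] keystorePw,
                                              String truststorePath, char[] truststorePw)
            throws Exception {
        // Client keystore: the client's private key plus the certificate the server admin
        // issued for it. The server matches this certificate against its own truststore
        // during the handshake, so this is the "cert" the client presents.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(keystorePath, keystorePw), keystorePw);

        // Client truststore: the server's certificate (or its issuing CA), so the client can
        // verify the server it is talking to. The client's key does NOT go in here.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(truststorePath, truststorePw));

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setDisableCNCheck(false); // keep hostname verification against the server cert
        return tls;
    }

    // Attaches the TLS settings to a JAX-WS proxy (e.g. from JaxWsProxyFactoryBean)
    // whose address is an https:// endpoint; call this before the first invocation.
    static void configureMutualTls(Object port, String keystorePath, char[] keystorePw,
                                   String truststorePath, char[] truststorePw) throws Exception {
        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
        conduit.setTlsClientParameters(
                buildTlsParams(keystorePath, keystorePw, truststorePath, truststorePw));
    }
}
```

A call such as configureMutualTls(port, "client-keystore.jks", pw, "client-truststore.jks", pw) maps the two placeholder files onto the roles described in the thread: key pair in the keystore, server cert in the truststore.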
