Folks,
Is there a way to write WS-SecurityPolicy for WS-Trust and/or use
WS-SecureConversation in Apache CXF, such that clients and servers using
an STS could be configured WITHOUT having to provide the server X.509
certificate to the client for message level signing purposes?
One possible approach: the client-server shared symmetric key, vouched
for by an STS, and distributed in the incoming server request in a
signed SOAP header, could be used to provide signature validation for
the client when the response comes back from the server.
Alternatively, if there were a way that I could send the server
certificate back to the client, in a SOAP header signed by the STS, that
might work. I realize there would be the extra overhead of another trip
to the STS for the return trip but that might be acceptable. This
approach, if it exists, would parallel the way that the client cert gets
sent to the server for the request...but I've not been able yet to
figure out how to write WS-SecurityPolicy to do this, and am not sure if
this would work with a .NET client.
The third thought is that I might be trying to re-invent
WS-SecureConversation here. If WS-SecureConversation can be setup such
that I don't have to distribute client certs to servers AND server certs
to clients, that works for me.
----
My requirements are to use X.509 certificates for authentication and
apply message level signatures. I will also be using 2 way TLS for
messages sent between client and server. Those messages will pass
through XML appliances between client and server, for XML schema
validation of the payload. Therefore encryption will be at the transport
level, and not at the message level. If you were to look at the STS
overview diagram provided in the Redhat JBoss FuseSource documentation
(http://tinyurl.com/n7nor5n), that's basically my setup, except I'm not
encrypting at the message level.
Again, if there was some way I could avoid having to distribute client
certs to servers AND server certs to clients, by using such a symmetric
key, that would be great. But so far, I don't see a way to get the
signatures I need without putting server certs into client truststores.
To be sure, I am new to WS-Trust, and WS-SecureConversation. However, I
don't know if my lack of obvious solutions is because of my newbie
ignorance or because it just cannot be done.
---
I'm looking more for guidance that a solution without manual certificate
distribution is possible - I don't spend a long time trying to do
something that isn't going to work.
Thanks in advance to the WS-Security gurus on this list who might be
able to say "Yes, this is doable" or "No, don't bother trying because
you cannot make it work" or "Try this instead"
Susan
- CXF WS-Trust/WS-SecureConversation security policy que... Susan Liebeskind
-
