Hi Susan,
You should be able to use a SymmetricBinding to avoid the need for
client certificates with WS-SecureConversation - see my article at
http://www.ibm.com/developerworks/java/library/j-jws17/index.html for an
example. That still leaves you distributing server certificates to
clients, but you can always embed these in the policy and have the
client load that from a secure source (note that I haven't tried this
with CXF, but AFAIK it should work).
- Dennis
Dennis M. Sosnoski
Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
CXF and Web Services Security Training
<http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
On 10/14/2013 11:46 PM, Susan Liebeskind wrote:
Folks,
Is there a way to write WS-SecurityPolicy for WS-Trust and/or use
WS-SecureConversation in Apache CXF, such that clients and servers
using an STS could be configured WITHOUT having to provide the server
X.509 certificate to the client for message level signing purposes?
One possible approach: the client-server shared symmetric key, vouched
for by an STS, and distributed in the incoming server request in a
signed SOAP header, could be used to provide signature validation for
the client when the response comes back from the server.
Alternatively, if there were a way that I could send the server
certificate back to the client, in a SOAP header signed by the STS,
that might work. I realize there would be the extra overhead of
another trip to the STS for the return trip but that might be
acceptable. This approach, if it exists, would parallel the way that
the client cert gets sent to the server for the request...but I've not
been able yet to figure out how to write WS-SecurityPolicy to do this,
and am not sure if this would work with a .NET client.
The third thought is that I might be trying to re-invent
WS-SecureConversation here. If WS-SecureConversation can be setup such
that I don't have to distribute client certs to servers AND server
certs to clients, that works for me.
----
My requirements are to use X.509 certificates for authentication and
apply message level signatures. I will also be using 2 way TLS for
messages sent between client and server. Those messages will pass
through XML appliances between client and server, for XML schema
validation of the payload. Therefore encryption will be at the transport
level, and not at the message level. If you were to look at the STS
overview diagram provided in the Redhat JBoss FuseSource documentation
(http://tinyurl.com/n7nor5n), that's basically my setup, except I'm
not encrypting at the message level.
Again, if there was some way I could avoid having to distribute client
certs to servers AND server certs to clients, by using such a
symmetric key, that would be great. But so far, I don't see a way to
get the signatures I need without putting server certs into client
truststores. To be sure, I am new to WS-Trust, and
WS-SecureConversation. However, I don't know if my lack of obvious
solutions is because of my newbie ignorance or because it just cannot
be done.
---
I'm looking more for guidance that a solution without manual
certificate distribution is possible - I don't spend a long time
trying to do something that isn't going to work.
Thanks in advance to the WS-Security gurus on this list who might be
able to say "Yes, this is doable" or "No, don't bother trying because
you cannot make it work" or "Try this instead"
Susan
