Hi Susan,

This sounds like a perfect use-case for XKMS. CXF ships with an XKMS service, and also a WSS4J "Crypto" implementation which can ask the remote service for certificates for WS-Security. For example, see the following system test:
http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/xkms/
http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/xkms/

I think using XKMS with the Symmetric binding is quite cool, as it means the client does not need any keystores/certs at all stored locally. I have a blog entry partially written on this that I must publish :-)

Colm.

On Mon, Oct 14, 2013 at 1:40 PM, Susan Liebeskind <[email protected]> wrote:

> On 10/14/13 7:47 AM, Dennis Sosnoski wrote:
>
>> On 10/15/2013 12:24 AM, Dennis Sosnoski wrote:
>>
>>> ...That still leaves you distributing server certificates to clients,
>>> but you can always embed these in the policy and have the client load that
>>> from a secure source (note that I haven't tried this with CXF, but AFAIK it
>>> should work).
>>>
>>
>> Sorry, I don't think there is any way of doing this. When I wrote the
>> original response I thought I'd seen it somewhere, but after looking over
>> the WS-SecurityPolicy specifications I think I was wrong. Too bad - it
>> would be great to have a way to avoid distributing server certificates to
>> clients.
>>
> Darn, darn, darn. So even if I were to try to use
> WS-SecureConversation, I'm still stuck with getting a server cert to the
> client's trust store? That is, there is at least one response in the
> WS-SecureConversation workflow which will be signed by the private key of
> the server, necessitating the inclusion of the public key cert of the
> server in the client's truststore?
>
> Susan
>

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
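The round trip Colm is describing, as an added example that is not code from this thread, from CXF or from WSS4J: a keystore-less client asks an XKMS service for the server's X.509 certificate by subject name (an XKMS 2.0 LocateRequest) and receives a LocateResult carrying the certificate, which is what the Symmetric binding then encrypts its generated key to. Only the Python standard library is used, and the XKMS service URL, the in-memory "directory" behind the service, the identifier CN=service.example.com and the certificate bytes are constructed placeholders, not real values.

```python
import base64
import xml.etree.ElementTree as ET

# XKMS 2.0 and XML-DSig namespaces and the result/response URIs from the spec.
XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)
SUCCESS = XKMS + "Success"
SENDER_ERROR = XKMS + "Sender"
NO_MATCH = XKMS + "NoMatch"
RESPOND_X509 = XKMS + "X509Cert"
APP_PKIX = "urn:ietf:rfc:2459"   # UseKeyWith application for X.509 subject names

# Constructed stand-in for the service's DER certificate; opaque to this example.
SERVICE_CERT_DER = b"\x30\x82\x00\x10constructed-cert-for-CN=service.example.com"
# Constructed directory behind the (assumed) XKMS service endpoint.
XKMS_SERVICE_URL = "http://xkms.example.com/XKMS"
DIRECTORY = {(APP_PKIX, "CN=service.example.com"): SERVICE_CERT_DER}


def build_locate_request(identifier, request_id, application=APP_PKIX):
    """Client side: ask for the X.509 certificate bound to `identifier`."""
    req = ET.Element(f"{{{XKMS}}}LocateRequest", Id=request_id, Service=XKMS_SERVICE_URL)
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = RESPOND_X509
    qkb = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    ET.SubElement(qkb, f"{{{XKMS}}}UseKeyWith", Application=application, Identifier=identifier)
    return ET.tostring(req, encoding="utf-8")


def handle_locate_request(request_xml):
    """Service side: look the key binding up and answer with a LocateResult."""
    req = ET.fromstring(request_xml)
    resp = ET.Element(f"{{{XKMS}}}LocateResult", RequestId=req.get("Id", ""))
    wants_cert = any(rw.text == RESPOND_X509 for rw in req.findall(f"{{{XKMS}}}RespondWith"))
    ukw = req.find(f"{{{XKMS}}}QueryKeyBinding/{{{XKMS}}}UseKeyWith")
    if ukw is None or not wants_cert:
        resp.set("ResultMajor", SENDER_ERROR)   # malformed request
        return ET.tostring(resp, encoding="utf-8")
    cert = DIRECTORY.get((ukw.get("Application"), ukw.get("Identifier")))
    resp.set("ResultMajor", SUCCESS)
    if cert is None:
        resp.set("ResultMinor", NO_MATCH)       # processed, but nothing bound to that name
        return ET.tostring(resp, encoding="utf-8")
    kb = ET.SubElement(resp, f"{{{XKMS}}}UnverifiedKeyBinding")
    x509 = ET.SubElement(ET.SubElement(kb, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = base64.b64encode(cert).decode("ascii")
    ET.SubElement(kb, f"{{{XKMS}}}UseKeyWith",
                  Application=ukw.get("Application"), Identifier=ukw.get("Identifier"))
    return ET.tostring(resp, encoding="utf-8")


def extract_certificate(result_xml, expected_request_id):
    """Client side: DER bytes from a LocateResult, or None when nothing was located."""
    res = ET.fromstring(result_xml)
    # Bind the answer to the question we asked; a stray or replayed result is rejected.
    if res.get("RequestId") != expected_request_id:
        raise ValueError("LocateResult does not answer our request")
    if res.get("ResultMajor") != SUCCESS:
        return None
    node = res.find(f"{{{XKMS}}}UnverifiedKeyBinding/{{{DS}}}KeyInfo/"
                    f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if node is None or not node.text:
        return None
    return base64.b64decode(node.text)


def locate_service_certificate(identifier, request_id="req-1"):
    """End-to-end: what a client without a local keystore does before it builds
    the Symmetric-binding message. In a deployment the request travels to the
    XKMS endpoint over the network (this example calls the handler directly)."""
    request = build_locate_request(identifier, request_id)
    result = handle_locate_request(request)
    return extract_certificate(result, request_id)


if __name__ == "__main__":
    print(locate_service_certificate("CN=service.example.com"))
    print(locate_service_certificate("CN=unknown.example.com"))
```

The thing to keep in mind when running a setup like this: the client no longer holds a truststore, so the only thing standing between it and an attacker-supplied "server certificate" is the channel to the XKMS service. That channel has to be authenticated (TLS with a properly validated XKMS server certificate, or a signed XKMS response, or an XKMS Validate rather than Locate exchange); otherwise the trust problem Susan describes has been moved rather than solved.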
