And now that I've had some sleep I'll modify my earlier retraction.
Metro, at least, does provide a way of doing the server certificate
distribution in WSDL, but through the WS-Addressing EndpointReference
rather than through the policy:
https://blogs.oracle.com/SureshMandalapu/entry/support_of_endpoint_references_with
The bad news is that it looks like this is based on a non-standard
called "Web Services Addressing Identity", one of the many WS-*
technologies that was introduced but has never made it through to become
widely supported. It looks like this is the proposal:
http://schemas.xmlsoap.org/ws/2004/08/addressing/addressingidentity/WS-AddressingAndIdentity.pdf
An OASIS technical committee was set up to handle work in this area, but
it looks like they haven't actually produced anything:
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=imi
I don't think CXF supports this particular non-standard, so it's
irrelevant to Susan's needs, but it is an interesting idea. Clients need
to have access to the WSDL anyway, so why not include the server
certificate directly in the WSDL? There are obvious security issues
involved which mean you wouldn't want to use this approach for
highly-secure services, but the advantage of configuration-free client
operation would be significant for services using certificates issued by
public CAs.
- Dennis
On 10/15/2013 12:47 AM, Dennis Sosnoski wrote:
On 10/15/2013 12:24 AM, Dennis Sosnoski wrote:
...That still leaves you distributing server certificates to clients,
but you can always embed these in the policy and have the client load
that from a secure source (note that I haven't tried this with CXF,
but AFAIK it should work).
Sorry, I don't think there is any way of doing this. When I wrote the
original response I thought I'd seen it somewhere, but after looking
over the WS-SecurityPolicy specifications I think I was wrong. Too bad
- it would be great to have a way to avoid distributing server
certificates to clients.
- Dennis
- Dennis
Dennis M. Sosnoski
Java SOA and Web Services Consulting
<http://www.sosnoski.com/consult.html>
CXF and Web Services Security Training
<http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
On 10/14/2013 11:46 PM, Susan Liebeskind wrote:
Folks,
Is there a way to write WS-SecurityPolicy for WS-Trust and/or use
WS-SecureConversation in Apache CXF, such that clients and servers
using an STS could be configured WITHOUT having to provide the
server X.509 certificate to the client for message level signing
purposes?
One possible approach: the client-server shared symmetric key,
vouched for by an STS, and distributed in the incoming server
request in a signed SOAP header, could be used to provide signature
validation for the client when the response comes back from the server.
Alternatively, if there were a way that I could send the server
certificate back to the client, in a SOAP header signed by the STS,
that might work. I realize there would be the extra overhead of
another trip to the STS for the return trip but that might be
acceptable. This approach, if it exists, would parallel the way that
the client cert gets sent to the server for the request...but I've
not been able yet to figure out how to write WS-SecurityPolicy to do
this, and am not sure if this would work with a .NET client.
The third thought is that I might be trying to re-invent
WS-SecureConversation here. If WS-SecureConversation can be setup
such that I don't have to distribute client certs to servers AND
server certs to clients, that works for me.
----
My requirements are to use X.509 certificates for authentication and
apply message level signatures. I will also be using 2 way TLS for
messages sent between client and server. Those messages will pass
through XML appliances between client and server, for XML schema
validation of the payload. Therefore encryption will be at the
transport
level, and not at the message level. If you were to look at the STS
overview diagram provided in the Redhat JBoss FuseSource
documentation (http://tinyurl.com/n7nor5n), that's basically my
setup, except I'm not encrypting at the message level.
Again, if there was some way I could avoid having to distribute
client certs to servers AND server certs to clients, by using such a
symmetric key, that would be great. But so far, I don't see a way
to get the signatures I need without putting server certs into
client truststores. To be sure, I am new to WS-Trust, and
WS-SecureConversation. However, I don't know if my lack of obvious
solutions is because of my newbie ignorance or because it just
cannot be done.
---
I'm looking more for guidance that a solution without manual
certificate distribution is possible - I don't spend a long time
trying to do something that isn't going to work.
Thanks in advance to the WS-Security gurus on this list who might be
able to say "Yes, this is doable" or "No, don't bother trying
because you cannot make it work" or "Try this instead"
Susan
