Hi Susan, As Colm already said, that sounds as XKMS use case. Additionally to Colm's information you can find more details in CXF XKMS documentation and my blog: - http://cxf.apache.org/docs/xml-key-management-service-xkms.html - http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html - http://ashakirin.blogspot.de/2013/07/cxf-security-integrate-pki-to-security.html
Regards, Andrei. > -----Original Message----- > From: Susan Liebeskind [mailto:[email protected]] > Sent: Montag, 14. Oktober 2013 12:46 > To: [email protected] > Subject: CXF WS-Trust/WS-SecureConversation security policy questions > > Folks, > > Is there a way to write WS-SecurityPolicy for WS-Trust and/or use WS- > SecureConversation in Apache CXF, such that clients and servers using an STS > could be configured WITHOUT having to provide the server X.509 certificate > to the client for message level signing purposes? > > One possible approach: the client-server shared symmetric key, vouched for > by an STS, and distributed in the incoming server request in a signed SOAP > header, could be used to provide signature validation for the client when the > response comes back from the server. > > Alternatively, if there were a way that I could send the server certificate > back > to the client, in a SOAP header signed by the STS, that might work. I realize > there would be the extra overhead of another trip to the STS for the return > trip but that might be acceptable. This approach, if it exists, would > parallel the > way that the client cert gets sent to the server for the request...but I've > not > been able yet to figure out how to write WS-SecurityPolicy to do this, and am > not sure if this would work with a .NET client. > > The third thought is that I might be trying to re-invent WS- > SecureConversation here. If WS-SecureConversation can be setup such that I > don't have to distribute client certs to servers AND server certs to clients, > that works for me. > > ---- > > My requirements are to use X.509 certificates for authentication and apply > message level signatures. I will also be using 2 way TLS for messages sent > between client and server. Those messages will pass through XML > appliances between client and server, for XML schema validation of the > payload. Therefore encryption will be at the transport level, and not at the > message level. If you were to look at the STS overview diagram provided in > the Redhat JBoss FuseSource documentation (http://tinyurl.com/n7nor5n), > that's basically my setup, except I'm not encrypting at the message level. > > Again, if there was some way I could avoid having to distribute client certs > to > servers AND server certs to clients, by using such a symmetric key, that > would be great. But so far, I don't see a way to get the signatures I need > without putting server certs into client truststores. > To be sure, I am new to WS-Trust, and WS-SecureConversation. However, I > don't know if my lack of obvious solutions is because of my newbie ignorance > or because it just cannot be done. > > --- > > I'm looking more for guidance that a solution without manual certificate > distribution is possible - I don't spend a long time trying to do something > that > isn't going to work. > > Thanks in advance to the WS-Security gurus on this list who might be able to > say "Yes, this is doable" or "No, don't bother trying because you cannot make > it work" or "Try this instead" > > Susan
