Hi,

> So, just to make sure that I understand you, in this older version of WSS4J, a SINGLE keystore is used to contain both the
> private encryption keys for outbound traffic and the public keys to decrypt and/or authenticate incoming requests? I.e., there is
> NO truststore?

Yep this is essentially correct. It also allowed the use of the Java cacerts as a truststore.

> Then, I am mixing configuration elements for the older WSS4J 1.5.x version and the newer 1.6.x version and, in fact, the
> truststore entries are ignored?

Correct, TrustStore stuff only applies to WSS4J 1.6.x.

> And, this is a forlorn hope, but if this is true, I don't suppose there would be any clean way of dropping in a newer version of
> WSS4J 1.6 and have it work with CXF 2.3.1?

It is indeed a forlorn hope :-) Possibly you could try hacking the cxf-rt-ws-security source for 2.3.X to try to get it to work with WSS4J 1.6.x, but this is definitely not recommended.

Colm.

On Fri, Nov 8, 2013 at 6:55 PM, Hart, Andrew B. <[email protected]> wrote:

> Hello Colm,
>
> I have a bit of an urgent question re WSS4J.
>
> I am using JBoss 6.1 which includes JBossWS 3.4.1. This version of the
> JBoss web services CXF stack is based on Apache CXF 2.3.1. I think this
> means that I am using WSS4J 1.5.8.
>
> Looking at your blog at this page,
> http://coheigea.blogspot.com/2011/01/wss4j-16-crypto-property-change.html,
> you are describing the changes from WSS4J 1.5.x and 1.6 and you state that
>
> "there is no clean separation of the keystore used to obtain
> private/secret keys, and that used to verify trust on received credentials"
>
> So, just to make sure that I understand you, in this older version of
> WSS4J, a SINGLE keystore is used to contain both the private encryption
> keys for outbound traffic and the public keys to decrypt and/or
> authenticate incoming requests? I.e., there is NO truststore?
>
> So, if I have a security properties file used by the WSS4J interceptor
> that contains these entries:
>
> org.apache.ws.security.crypto.merlin.file=common-config/server.keystore
> #
> # Truststore information
>
> org.apache.ws.security.crypto.merlin.truststore.file=config/server.truststore
>
> Then, I am mixing configuration elements for the older WSS4J 1.5.x version
> and the newer 1.6.x version and, in fact, the truststore entries are
> ignored?
>
> And, this is a forlorn hope, but if this is true, I don't suppose there
> would be any clean way of dropping in a newer version of WSS4J 1.6 and have
> it work with CXF 2.3.1?
>
> Thanks

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
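
A configuration check for the situation discussed in this thread, as an added example that is not part of the original messages or of WSS4J: it parses a Merlin crypto properties file and, when the runtime is WSS4J 1.5.x, reports the `truststore.*` entries that are ignored and the single keystore file that is used for trust instead. The function names, the prefix-based match and the sample file contents are assumptions for illustration.

```python
import re

# Key names taken from the thread; matching on the prefix is an assumption.
TRUSTSTORE_PREFIX = "org.apache.ws.security.crypto.merlin.truststore."
KEYSTORE_FILE_15 = "org.apache.ws.security.crypto.merlin.file"

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE = """\
org.apache.ws.security.crypto.merlin.file=common-config/server.keystore
#
# Truststore information
org.apache.ws.security.crypto.merlin.truststore.file=config/server.truststore
"""


def parse_properties(text):
    """Small java.util.Properties reader: '#'/'!' comments, backslash
    continuations, and '=', ':' or whitespace as the key separator.
    Escapes inside keys are not handled."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:   # sentinel flushes a last continuation
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:              # odd backslash count: line continues
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(text, wss4j_version):
    """Report truststore keys a 1.5.x runtime ignores, and the keystore
    that therefore doubles as the trust source."""
    props = parse_properties(text)
    legacy = wss4j_version.startswith("1.5.")
    ignored = sorted(k for k in props if k.startswith(TRUSTSTORE_PREFIX))
    return {"ignored": ignored if legacy else [],
            "trust_source": props.get(KEYSTORE_FILE_15) if legacy else None}


if __name__ == "__main__":
    report = audit(SAMPLE, "1.5.8")
    for key in report["ignored"]:
        print("ignored under WSS4J 1.5.x:", key)
    print("certificates are trusted from:", report["trust_source"])
```

Any certificate present in the reported keystore is a trust anchor for incoming messages under 1.5.x, so that file is the one to review.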
