Hi Martin,

You can start/deploy the XKMS service either in a web container (xkms-war component) or in OSGi (xkms-osgi component). It is a "normal" SOAP service. CXF provides file-system-based (default) and LDAP backend implementations for XKMS.

To integrate XKMS into your application you need to configure the SOAP XKMS client, inject it into XkmsCryptoProvider and use this Crypto provider instead of the keystore-based Merlin. The best way to understand how it works is to look into the system test:
https://github.com/apache/cxf/tree/master/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/xkms
with configuration:
https://github.com/apache/cxf/tree/master/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/xkms

For OSGi deployment, please take a look into the itests:
https://github.com/apache/cxf/tree/master/services/xkms/xkms-itests

You can find some additional information in my blogs:
http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html
http://ashakirin.blogspot.de/2013/07/cxf-security-integrate-pki-to-security.html

Regards,
Andrei.

> -----Original Message-----
> From: Martin Nielsen [mailto:[email protected]]
> Sent: Sunday, 8 March 2015 22:28
> To: [email protected]
> Subject: Re: Alternative key sources using asymmetric security?
>
> One more question: Concerning XKMS.
> I am having a hard time finding a tutorial or documentation of how to add the
> XKMS service into an application. I found a list of XKMS artifacts, but I have yet
> to find something that describes how to actually use the service in context.
> Do you have any good material on that?
>
> On Sun, Mar 8, 2015 at 12:21 AM, Martin Nielsen <[email protected]> wrote:
>
> > I want the key or alias passed through to the method body.
> > I have a case where a key infrastructure is already in place, and the
> > public key of the sender is used for further evaluation in the backend.
> > If I can get the alias or key for the caller passed to the method on
> > the backend, then I can use that key to authenticate the user without
> > the need for further user credentials.
> >
> > So I would like something along the lines of:
> > @webservice
> > public interface SEI{
> > public ReturnVal doStuff(String/PublicKey alias, Object inVal) ...
> >
> > Where alias is provided by the CXF runtime, and not visible to the
> > WSDL or client..
> > If I have to pick it out of the interceptor chain or something, that's
> > fine too, I am not picky.
> >
> > Thanks for the sustained interest:)
> > On 7 Mar 2015 20:34, "Andrei Shakirin" <[email protected]> wrote:
> >
> >> Hi Martin,
> >>
> >> I assume you would like to get the client certificate on the service side
> >> to use it for encryption of the response, correct?
> >> If yes, I would first of all evaluate using the "useReqSigCert"
> >> constant as the value of the "ws-security.encryption.username" property on
> >> the server side.
> >> In this case the service will extract the client certificate from the request and
> >> use it to encrypt the response. This approach is very convenient on
> >> the server side to encrypt responses for different clients. In this
> >> case you don't need to look up the client certificate on the server side at
> >> all; the service will get the certificate and proceed with encryption automatically.
> >> Is this close to your question? If not, please elaborate your use
> >> case a bit more.
> >>
> >> Regards,
> >> Andrei.
> >>
> >> > -----Original Message-----
> >> > From: Martin Nielsen [mailto:[email protected]]
> >> > Sent: Saturday, 7 March 2015 13:32
> >> > To: [email protected]
> >> > Subject: RE: Alternative key sources using asymmetric security?
> >> >
> >> > Great!
> >> >
> >> > I will get right on that..
> >> > As a bonus question, I was wondering, is it possible to make either
> >> > the calling public key or alias (or anything that uniquely identifies the key)
> >> > available to the method being invoked by CXF when the client calls a service?
> >> > Optimally, I would like it defined as a method parameter, but I'm not picky.
> >> >
> >> > And thank you :)
> >> > On 6 Mar 2015 18:11, "Andrei Shakirin" <[email protected]> wrote:
> >> >
> >> > > Hi Martin,
> >> > >
> >> > > Yes, for sure. You need to provide your own implementation of the WSS4J
> >> > > Crypto interface.
> >> > > Btw CXF supports the XKMS standard to get public keys as an alternative
> >> > > to a keystore.
> >> > > You can take this either as an example of a Crypto implementation:
> >> > > https://github.com/apache/cxf/blob/master/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/provider/XkmsCryptoProvider.java
> >> > >
> >> > > or use the XKMS service to manage your certificates:
> >> > > http://cxf.apache.org/docs/xml-key-management-service-xkms.html
> >> > >
> >> > > Regards,
> >> > > Andrei.
> >> > >
> >> > >
> >> > > > -----Original Message-----
> >> > > > From: Martin Nielsen [mailto:[email protected]]
> >> > > > Sent: Friday, 6 March 2015 10:36
> >> > > > To: [email protected]
> >> > > > Subject: Alternative key sources using asymmetric security?
> >> > > >
> >> > > > Looking at WS-Security asymmetric encryption, I was wondering
> >> > > > if it is possible in some way to configure CXF to look somewhere else than a Java
> >> > > > keystore for the key information.
> >> > > >
> >> > > > Say that you have a case where you need to add web services to an application
> >> > > > that already has a public key for all its users in a database, for example. Would
> >> > > > it be possible to have CXF look for a public key in the database instead of a
> >> > > > keystore?
> >> > > >
> >> > > > -Martin
> >> > >
> >>
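Added editorial example, not from the thread and not CXF's or WSS4J's own code: the "own implementation of the WSS4J Crypto interface" that Andrei points to, written for the case Martin describes (certificates per user already sitting in a database, no Java keystore). The class name RegistryCrypto, the in-memory maps standing in for the database, the revocation set and the trust rules are all assumptions made here; the abstract methods overridden are assumed to be those of WSS4J 2.0.x, the version CXF 3.0 shipped with when the thread was written, so check the signatures against the WSS4J version you actually run.

```java
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.x500.X500Principal;
import org.apache.wss4j.common.crypto.CryptoBase;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;

// Hypothetical WSS4J Crypto backed by a lookup table instead of a Java keystore (stand-in for
// the "public key per user in a database" case from the thread). Not part of CXF or WSS4J; the
// abstract methods implemented below are assumed to be those of WSS4J 2.0.x (CXF 3.0 era).
public class RegistryCrypto extends CryptoBase {
    // alias -> certificate; in a real deployment each lookup would be a DB query.
    private final Map<String, X509Certificate> certsByAlias = new ConcurrentHashMap<>();
    // alias -> private key, held only for the service's own identity, never for callers.
    private final Map<String, PrivateKey> keysByAlias = new ConcurrentHashMap<>();
    // aliases the registry has revoked; consulted when WSS4J asks for revocation checks.
    private final Set<String> revoked = ConcurrentHashMap.newKeySet();

    public void register(String alias, X509Certificate cert) { certsByAlias.put(alias, cert); }
    public void revoke(String alias) { revoked.add(alias); }
    public void registerOwnIdentity(String alias, X509Certificate cert, PrivateKey key) {
        register(alias, cert);
        keysByAlias.put(alias, key);
        setDefaultX509Identifier(alias); // CryptoBase setter: alias used when no user is configured
    }

    // Outbound: lookup by alias. Inbound: lookup by the key identifier carried in the message.
    @Override
    public X509Certificate[] getX509Certificates(CryptoType type) throws WSSecurityException {
        if (type == null) { return null; }
        for (Map.Entry<String, X509Certificate> e : certsByAlias.entrySet()) {
            X509Certificate c = e.getValue();
            boolean hit;
            switch (type.getType()) {
                case ALIAS: hit = e.getKey().equals(type.getAlias()); break;
                case SUBJECT_DN: hit = c.getSubjectX500Principal().equals(new X500Principal(type.getSubjectDN())); break;
                case ISSUER_SERIAL: hit = c.getIssuerX500Principal().equals(new X500Principal(type.getIssuer()))
                        && c.getSerialNumber().equals(type.getSerial()); break;
                // 2.5.29.14 is the subjectKeyIdentifier extension; skip certs that lack it
                case SKI_BYTES: hit = c.getExtensionValue("2.5.29.14") != null
                        && Arrays.equals(getSKIBytesFromCert(c), type.getBytes()); break;
                default: hit = false; // THUMBPRINT_SHA1 and ENDPOINT lookups are not supported here
            }
            if (hit) { return new X509Certificate[] { c }; }
        }
        return null; // WSS4J treats null as "no certificate found"
    }

    // The alias returned here is the caller identity the backend can act on once the signature verified.
    @Override
    public String getX509Identifier(X509Certificate cert) throws WSSecurityException {
        for (Map.Entry<String, X509Certificate> e : certsByAlias.entrySet()) {
            if (e.getValue().equals(cert)) { return e.getKey(); }
        }
        return null;
    }

    @Override
    public PrivateKey getPrivateKey(X509Certificate cert, CallbackHandler handler) throws WSSecurityException {
        String alias = getX509Identifier(cert);
        return alias == null ? null : keysByAlias.get(alias);
    }
    @Override
    public PrivateKey getPrivateKey(PublicKey publicKey, CallbackHandler handler) throws WSSecurityException {
        for (Map.Entry<String, X509Certificate> e : certsByAlias.entrySet()) {
            if (e.getValue().getPublicKey().equals(publicKey)) { return keysByAlias.get(e.getKey()); }
        }
        return null;
    }
    @Override
    public PrivateKey getPrivateKey(String identifier, String password) throws WSSecurityException {
        return keysByAlias.get(identifier); // keys sit unencrypted in memory here, so password is unused
    }

    // Trust model: the registry is the trust anchor. A caller is trusted only if its certificate is
    // registered, not revoked, inside its validity period and matching any subject DN constraints.
    @Override
    public void verifyTrust(X509Certificate[] certs, boolean enableRevocation,
                            Collection<Pattern> subjectCertConstraints) throws WSSecurityException {
        String alias = certs == null || certs.length == 0 ? null : getX509Identifier(certs[0]);
        if (alias == null || (enableRevocation && revoked.contains(alias))) { fail(); }
        try { certs[0].checkValidity(); } catch (Exception ex) { fail(); }
        if (subjectCertConstraints != null && !subjectCertConstraints.isEmpty()) {
            boolean ok = false;
            for (Pattern p : subjectCertConstraints) { ok |= p.matcher(certs[0].getSubjectX500Principal().getName()).matches(); }
            if (!ok) { fail(); }
        }
    }
    @Override
    public void verifyTrust(PublicKey publicKey) throws WSSecurityException {
        for (X509Certificate c : certsByAlias.values()) {
            if (c.getPublicKey().equals(publicKey) && !revoked.contains(getX509Identifier(c))) { return; }
        }
        fail();
    }
    private static void fail() throws WSSecurityException {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }
}
```

To use it, pass an instance as the value of the endpoint properties `ws-security.signature.crypto` and `ws-security.encryption.crypto` (the CXF 3.0 property names, which accept a Crypto object directly) on the service and, with its own identity registered, on the client. Combined with `ws-security.encryption.username` set to `useReqSigCert` on the service side, as Andrei suggests, the response is encrypted to whichever registered certificate signed the request, and the alias `getX509Identifier` returns for that certificate is the identity the backend can key on. Two design points worth keeping in a real implementation: callers' private keys are never stored (only `registerOwnIdentity` touches `keysByAlias`), so a leak of the registry exposes public keys only; and `verifyTrust` pins to the registry rather than walking a CA chain, which is the right model when the database is the authoritative list of users but means revocation is entirely your database's job.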
