Take a look at the Rampart configuration parameters available at
http://ws.apache.org/rampart/rampartconfig-guide.html
Specifically, these two attributes need to be specified:

user            The user's name         Set username of UsernameToken to be used
                <user>bob</user>
userCertAlias   The user's cert alias   Set alias of the key to be used to sign
                <userCertAlias>bob</userCertAlias>

Then create the Java keystores:

         * If your JDK version is 1.3 or earlier, download and install JSSE 1.0.2 or
           later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
         * Execute:
             %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
             $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
           with a password value of "changeit" for both the certificate and
           the keystore itself.
          keytool -certreq     [-v] [-protected]
             [-alias <alias>] [-sigalg <sigalg>]
             [-file <csr_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providerName <name>]
             [-providerClass <provider_class_name> [-providerArg <arg>]] ...
(You'll want to specify the csr_file.)

This is a sample Receiver defined in axis2.xml. Notice the keystore filename and
the key password, which you specified above:
        <parameter name="keystore" locked="false">
            <KeyStore>
                <Location>identity.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
                <KeyPassword>password</KeyPassword>
            </KeyStore>
        </parameter>
        <parameter name="truststore" locked="false">
            <TrustStore>
                <Location>trust.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
            </TrustStore>
        </parameter>

HTH
Martin 
______________________________________________ 
Disclaimer and confidentiality note 
Everything in this e-mail and any attachments relates to the official business 
of Sender. This transmission is of a confidential nature and Sender does not 
endorse distribution to any party other than intended recipient. Sender does 
not necessarily endorse content contained within this transmission. 
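As an added illustration of how the two RampartConfig settings above reach the client code (example code written here, not from the thread or from Rampart itself), a password callback handler for the Rampart 1.4 / WSS4J 1.5 API that answers the UsernameToken password and the signing-key password separately. The class name, the alias "bob" and both passwords are constructed placeholders.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback for a client that sends a UsernameToken AND signs with an
 * X.509 key (Rampart 1.4 / WSS4J 1.5 API). The identifier Rampart passes in
 * comes from RampartConfig: <ramp:user> with usage USERNAME_TOKEN, and
 * <ramp:userCertAlias> with usage SIGNATURE. Since both may be "bob", the
 * usage, not the identifier, selects the secret.
 */
public class SignAndUsernameCallbackHandler implements CallbackHandler {
    // Constructed sample values; a real handler would look these up securely.
    private static final String UT_USER = "bob";
    private static final String UT_PASSWORD = "ut-secret";   // placeholder
    private static final String KEY_ALIAS = "bob";
    private static final String KEY_PASSWORD = "key-secret"; // placeholder

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unexpected callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String id = pwcb.getIdentifier();
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Password that goes into (or digests) the UsernameToken.
                    if (UT_USER.equals(id)) {
                        pwcb.setPassword(UT_PASSWORD);
                    }
                    break;
                case WSPasswordCallback.SIGNATURE:
                    // Private-key password for the alias named by userCertAlias.
                    // Merlin's keystore.password only opens the keystore file.
                    if (KEY_ALIAS.equals(id)) {
                        pwcb.setPassword(KEY_PASSWORD);
                    }
                    break;
                default:
                    // Other usages stay unanswered so Rampart rejects the message.
                    break;
            }
        }
    }
}
```

The fully qualified class name goes into `<ramp:passwordCallbackClass>`; if the SIGNATURE branch is never reached, check that `<ramp:userCertAlias>` is present and matches the alias used with keytool.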


> Date: Tue, 7 Oct 2008 06:48:56 +0530
> From: [EMAIL PROTECTED]
> To: axis-user@ws.apache.org
> Subject: Re: Rampart Username and signed certificate
> 
> What is the exception that you get?
> 
> Samisa...
> 
> RonnieMJ wrote:
> > I'm pretty new to WS, and especially the security piece, but I'm using
> > rampart 1.4 using policy files to try to function as a client to an existing
> > (external to my company) web service.
> >
> > I know that I need to send both a usernameToken and sign the header with a
> > certificate.  I've been able to do EITHER, but so far haven't been able to
> > do both.
> >
> > I've tried it about 20 different ways, but my most recent attempt is:
> >
> >
> > <wsp:Policy wsu:Id="SigAndUName"
> > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >     <wsp:All>
> >             <sp:AsymmetricBinding
> > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >                     <wsp:Policy>
> >                             <sp:InitiatorToken>
> >                                     <wsp:Policy>
> >                                             <sp:X509Token
> > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >                                                     <wsp:Policy>
> >                                                             
> > <sp:WssX509V3Token10/>
> >                                                     </wsp:Policy>
> >                                             </sp:X509Token>
> >                                     </wsp:Policy>
> >                             </sp:InitiatorToken>
> >                             <sp:RecipientToken>
> >                                     <wsp:Policy>
> >                                             <sp:X509Token
> > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >                                                     <wsp:Policy>
> >                                                             
> > <sp:WssX509V3Token10/>
> >                                                     </wsp:Policy>
> >                                             </sp:X509Token>
> >                                     </wsp:Policy>
> >                             </sp:RecipientToken>
> >                             <sp:AlgorithmSuite>
> >                                     <wsp:Policy>
> >                                             <sp:Basic128Rsa15/>
> >                                     </wsp:Policy>
> >                             </sp:AlgorithmSuite>
> >                             <sp:Layout>
> >                                     <wsp:Policy>
> >                                             <sp:Lax/>
> >                                     </wsp:Policy>
> >                             </sp:Layout>
> >                             <sp:OnlySignEntireHeadersAndBody/>
> >                             <sp:SupportingTokens>
> >                                     <wsp:Policy>
> >                                             <sp:UsernameToken
> > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
> > />
> >                                     </wsp:Policy>
> >                             </sp:SupportingTokens>
> >                     </wsp:Policy>
> >             </sp:AsymmetricBinding>
> >
> >
> >             <sp:Wss10 
> > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >                     <wsp:Policy>
> >                             <sp:MustSupportRefKeyIdentifier />
> >                             <sp:MustSupportRefIssuerSerial />
> >                     </wsp:Policy>
> >             </sp:Wss10>
> >
> >
> >             <sp:SignedParts
> > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >                     <sp:Body/>
> >             </sp:SignedParts>
> >
> >             <ramp:RampartConfig 
> > xmlns:ramp="http://ws.apache.org/rampart/policy">
> >                     <ramp:user>user</ramp:user>
> >                     <ramp:encryptionUser>user</ramp:encryptionUser>
> >             
> > <ramp:passwordCallbackClass>com.xo.vzn_asr.business.util.PWCBHandler</ramp:passwordCallbackClass>
> >
> >                     <ramp:signatureCrypto>
> >                             <ramp:crypto 
> > provider="org.apache.ws.security.components.crypto.Merlin">
> >                                     <ramp:property
> > name="org.apache.ws.security.crypto.merlin.keystore.type">jks</ramp:property>
> >                                     <ramp:property
> > name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> >                                     <ramp:property
> > name="org.apache.ws.security.crypto.merlin.keystore.alias">user</ramp:property>
> >                                     <ramp:property
> > name="org.apache.ws.security.crypto.merlin.keystore.password">keypassword</ramp:property>
> >                             </ramp:crypto>
> >                     </ramp:signatureCrypto>
> >             </ramp:RampartConfig>
> >
> >     </wsp:All>
> > </wsp:Policy>
> >
> >
> >
> > I expect the final header output to be something like:
> > <SOAP-ENV:Header >
> >     <wsse:Security >
> >             <wsse:UsernameToken >
> >                     <wsse:Username >XXX</wsse:Username>
> >             </wsse:UsernameToken>
> >             <wsse:BinarySecurityToken >binaryTokenHere</wsse:BinarySecurityToken>
> >             <ds:Signature >
> >                     <ds:SignedInfo >
> >                             <ds:CanonicalizationMethod
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                             <ds:SignatureMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >                             <ds:Reference >
> >                                     <ds:Transforms >
> >                                             <ds:Transform />
> >                                     </ds:Transforms>
> >                                     <ds:DigestMethod />
> >                                     <ds:DigestValue ></ds:DigestValue>
> >                             </ds:Reference>
> >                             <ds:Reference >
> >                                     <ds:Transforms >
> >                                             <ds:Transform 
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                                     </ds:Transforms>
> >                                     <ds:DigestMethod 
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >                                     <ds:DigestValue ></ds:DigestValue>
> >                             </ds:Reference>
> >                     </ds:SignedInfo>
> >                     <ds:SignatureValue ></ds:SignatureValue>
> >                     <ds:KeyInfo >
> >                             <wsse:SecurityTokenReference >
> >                                     <wsse:Reference />
> >                             </wsse:SecurityTokenReference>
> >                     </ds:KeyInfo>
> >             </ds:Signature>
> >     </wsse:Security>
> > </SOAP-ENV:Header>
> >
> >
> > I'm fairly sure I've just got the policy file slightly off.  Any
> > suggestions?  Thanks for any reply.
> >   
> 
> 
> -- 
> Samisa Abeysinghe
> 
> http://people.apache.org/~samisa/
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 

