Hi folks.
I'm using crypto caching as a way to improve security performance.

I have a service deployed in AS 4.1.0 with the SecConSgnEncrUsername
security policy, and I use IS 3.2.0 for the STS requests.

In the attached policy you can see many RampartConfig assertions; is this the
normal behavior? I load my service and STS policies from XML files.

I think this is due to my policy-loading method:

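        /**
         * Loads the WS-Policy document at {@code xmlPath} and appends a
         * {@link RampartConfig} whose signature and encryption crypto both point at
         * the default Merlin keystore ({@code c:\keys\wso2carbon.jks}).
         *
         * <p>Kept for existing callers: the keystore location and its password are
         * baked into this overload. Prefer the three-argument overload so the
         * password can come from configuration instead of living in source.
         *
         * @param xmlPath path of the policy XML file to parse
         * @return the parsed policy with the Rampart configuration appended
         * @throws Exception if the file cannot be parsed or the policy cannot be built
         */
        private Policy loadPolicyservice(String xmlPath) throws Exception {
                return loadPolicyservice(xmlPath, "c:\\keys\\wso2carbon.jks", "wso2carbon");
        }

        /**
         * Loads the WS-Policy document at {@code xmlPath} and appends a
         * {@link RampartConfig} that uses the given JKS keystore for both signing
         * and encryption.
         *
         * <p>{@code policy.addAssertion(rc)} appends rather than replaces: if the
         * XML file already carries a {@code rampart:RampartConfig} assertion the
         * returned policy holds both. NOTE(review): confirm whether the policy
         * engine merges or keeps duplicates; repeated loads of a file that already
         * contains one look like the likely source of repeated RampartConfig blocks.
         *
         * @param xmlPath          path of the policy XML file to parse
         * @param keystore         path of the JKS keystore Merlin should open
         * @param keystorePassword password of that keystore; never log it
         * @return the parsed policy with the Rampart configuration appended
         * @throws Exception if the file cannot be parsed or the policy cannot be built
         */
        private Policy loadPolicyservice(String xmlPath, String keystore,
                        String keystorePassword) throws Exception {
                StAXOMBuilder builder = new StAXOMBuilder(xmlPath);
                Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());

                RampartConfig rc = new RampartConfig();
                rc.setUser("jorgeio");
                rc.setUserCertAlias("wso2carbon");
                rc.setEncryptionUser("wso2carbon");
                rc.setPwCbClass(PWCBHandlerESB.class.getName());

                // One Properties instance is shared by both crypto configs; Merlin
                // reads the keystore type, file and password from it.
                Properties merlinProp = new Properties();
                merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
                merlinProp.put("org.apache.ws.security.crypto.merlin.file", keystore);
                merlinProp.put("org.apache.ws.security.crypto.merlin.keystore.password",
                                keystorePassword);

                // Signature and encryption use separate CryptoConfig objects that
                // point at the same keystore properties.
                rc.setSigCryptoConfig(merlinCryptoConfig(merlinProp));
                rc.setEncrCryptoConfig(merlinCryptoConfig(merlinProp));

                policy.addAssertion(rc);

                return policy;
        }

        /**
         * Builds a {@link CryptoConfig} backed by the WSS4J Merlin provider.
         *
         * @param merlinProp Merlin properties (keystore type, file and password)
         * @return a new config instance that shares {@code merlinProp}
         */
        private CryptoConfig merlinCryptoConfig(Properties merlinProp) {
                CryptoConfig config = new CryptoConfig();
                config.setProvider("org.apache.ws.security.components.crypto.Merlin");
                config.setProp(merlinProp);
                return config;
        }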

How can I avoid this RampartConfig replication?


I have another question:
Why, when I use "org.apache.ws.security.components.crypto.Merlin" as the crypto
provider in my policy-loading methods, does the attached policy show
"org.wso2.carbon.security.util.ServerCrypto" instead?

In this case, what is the correct value for cryptoKey?

Saludos,
Ing. Jorge Infante Osorio.
J´Dpto Soluciones SOA.
CDAE.
Fac. 5.
UCI.

<wsp:Policy wsu:Id="SecConSgnEncrUsername" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:BootstrapPolicy>
                    <wsp:Policy>
                      <sp:SymmetricBinding>
                        <wsp:Policy>
                          <sp:ProtectionToken>
                            <wsp:Policy>
                              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                  <sp:RequireThumbprintReference/>
                                  <sp:WssX509V3Token10/>
                                </wsp:Policy>
                              </sp:X509Token>
                            </wsp:Policy>
                          </sp:ProtectionToken>
                          <sp:AlgorithmSuite>
                            <wsp:Policy>
                              <sp:Basic256/>
                            </wsp:Policy>
                          </sp:AlgorithmSuite>
                          <sp:Layout>
                            <wsp:Policy>
                              <sp:Lax/>
                            </wsp:Policy>
                          </sp:Layout>
                          <sp:IncludeTimestamp/>
                          <sp:OnlySignEntireHeadersAndBody/>
                        </wsp:Policy>
                      </sp:SymmetricBinding>
                      <sp:SignedParts>
                        <sp:Body/>
                      </sp:SignedParts>
                      <sp:EncryptedParts>
                        <sp:Body/>
                      </sp:EncryptedParts>
                      <sp:SignedSupportingTokens>
                        <wsp:Policy>
                          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
                        </wsp:Policy>
                      </sp:SignedSupportingTokens>
                      <sp:Wss11>
                        <sp:Policy>
                          <sp:MustSupportRefKeyIdentifier/>
                          <sp:MustSupportRefIssuerSerial/>
                          <sp:MustSupportRefThumbprint/>
                          <sp:RequireSignatureConfirmation/>
                        </sp:Policy>
                      </sp:Wss11>
                      <sp:Trust10>
                        <wsp:Policy>
                          <sp:RequireClientEntropy/>
                          <sp:RequireServerEntropy/>
                          <sp:MustSupportIssuedTokens/>
                        </wsp:Policy>
                      </sp:Trust10>
                      <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
                        <rampart:user>wso2carbon</rampart:user>
                        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
                        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
                        <rampart:timestampTTL>300</rampart:timestampTTL>
                        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
                        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
                        <rampart:encryptionCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:encryptionCrypto>
                        <rampart:signatureCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:signatureCrypto>
                      </rampart:RampartConfig>
                      <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
                        <rampart:user>wso2carbon</rampart:user>
                        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
                        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
                        <rampart:timestampTTL>300</rampart:timestampTTL>
                        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
                        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
                        <rampart:encryptionCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:encryptionCrypto>
                        <rampart:signatureCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:signatureCrypto>
                      </rampart:RampartConfig>
                      <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
                        <rampart:user>wso2carbon</rampart:user>
                        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
                        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
                        <rampart:timestampTTL>300</rampart:timestampTTL>
                        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
                        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
                        <rampart:encryptionCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:encryptionCrypto>
                        <rampart:signatureCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:signatureCrypto>
                      </rampart:RampartConfig>
                      <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
                        <rampart:user>wso2carbon</rampart:user>
                        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
                        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
                        <rampart:timestampTTL>300</rampart:timestampTTL>
                        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
                        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
                        <rampart:encryptionCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:encryptionCrypto>
                        <rampart:signatureCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:signatureCrypto>
                      </rampart:RampartConfig>
                      <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
                        <rampart:user>wso2carbon</rampart:user>
                        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
                        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
                        <rampart:timestampTTL>300</rampart:timestampTTL>
                        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
                        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
                        <rampart:encryptionCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:encryptionCrypto>
                        <rampart:signatureCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:signatureCrypto>
                      </rampart:RampartConfig>
                      <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
                        <rampart:user>wso2carbon</rampart:user>
                        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
                        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
                        <rampart:timestampTTL>300</rampart:timestampTTL>
                        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
                        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
                        <rampart:encryptionCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:encryptionCrypto>
                        <rampart:signatureCrypto>
                          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
                            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
                            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
                            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
                            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
                            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
                          </rampart:crypto>
                        </rampart:signatureCrypto>
                      </rampart:RampartConfig>
                    </wsp:Policy>
                  </sp:BootstrapPolicy>
                </wsp:Policy>
              </sp:SecureConversationToken>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
      </sp:SignedParts>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body/>
      </sp:EncryptedParts>
      <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
        </sp:Policy>
      </sp:Wss11>
      <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:RequireClientEntropy/>
          <sp:RequireServerEntropy/>
          <sp:MustSupportIssuedTokens/>
        </wsp:Policy>
      </sp:Trust10>
      <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
        <rampart:user>wso2carbon</rampart:user>
        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
        <rampart:timestampTTL>300</rampart:timestampTTL>
        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
        <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
        <rampart:encryptionCrypto>
          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
          </rampart:crypto>
        </rampart:encryptionCrypto>
        <rampart:signatureCrypto>
          <rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore" cacheRefreshInterval="300000">
            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
            <rampart:property name="org.wso2.stratos.tenant.id">0</rampart:property>
            <rampart:property name="org.apache.ws.security.crypto.provider">org.wso2.carbon.security.util.ServerCrypto</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
          </rampart:crypto>
        </rampart:signatureCrypto>
      </rampart:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>