Hi List,

At the moment a Rampart/C service can handle a single client for signed messages. This is because of the static configuration of the certificate files. Now Rampart/C supports PKCS12 key stores. A PKCS12 key store allows the service writer to specify multiple certificates. These certificates can be used by the service to verify whether the actual signature is from a trusted user.
This is the proposed way of handling multiple clients on the server side. The service writer has to create a key store with the certificates of all the trusted parties. A request has a reference to the certificate that was used for signing it. There are various ways to refer to an X.509 certificate.

In the first case the certificate is embedded in the message itself, so the reference is a direct one. Rampart/C will extract the certificate from the message and check whether it is in the certificate store. If it is in the store, this indicates that a trusted user has signed the message. If the certificate is not in the store, the request is rejected.

In the second case the certificate is not embedded in the message and only a reference to the certificate is sent. The reference is used to query the PKCS12 key store, and if a matching certificate is found it is used to verify the signature of the message. If a match cannot be found the message is rejected.

In both cases the certificate that is loaded in the in path will be used for encryption in the out path. So we are assuming that the response always goes to the endpoint where the message originated.

On the client side the situation is different. Usually a single client talks to a single service, so the existing mechanism is enough to handle most cases. But if the client wants to change certificates between requests, he should be able to do that. We can easily achieve this by introducing a new parameter to the Rampart client configuration.

Regards,
Supun.
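As an added illustration of the in-path decision described in the proposal above (example code written for this page, not Rampart/C's own implementation), the following Go program models the server side. It assumes the trusted certificates have already been loaded from the PKCS12 key store into memory, uses a constructed `SecurityHeader` type as a stand-in for the WS-Security token reference, and signs with ECDSA over SHA-256. Both cases are covered: an embedded certificate is accepted only if its thumbprint matches a stored certificate, a key-identifier reference is looked up in the store, the signature is checked with the stored copy, and the matched certificate is returned so it can be used for encryption on the out path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewIdentity builds a constructed self-signed identity with an explicit SubjectKeyId.
func NewIdentity(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	ski := sha1.Sum(spki) // SubjectKeyId = SHA-1 of the SubjectPublicKeyInfo
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		SubjectKeyId: ski[:],
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SecurityHeader is a constructed stand-in for the WS-Security token reference;
// exactly one of EmbeddedCert (direct reference) or KeyIdentifier is set.
type SecurityHeader struct {
	EmbeddedCert  []byte // DER certificate travelling in the message
	KeyIdentifier []byte // SubjectKeyId of the signing certificate
	Signature     []byte // ASN.1 ECDSA signature over SHA-256(body)
}

// NewHeader signs the body as the client would; embed selects whether the whole
// certificate or only its key identifier goes in the message.
func NewHeader(body []byte, cert *x509.Certificate, key *ecdsa.PrivateKey, embed bool) SecurityHeader {
	digest := sha256.Sum256(body)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if embed {
		return SecurityHeader{EmbeddedCert: cert.Raw, Signature: sig}
	}
	return SecurityHeader{KeyIdentifier: cert.SubjectKeyId, Signature: sig}
}

// TrustStore holds the trusted-party certificates the service writer would put in
// the PKCS12 key store (loading that file is assumed done), indexed for both reference kinds.
type TrustStore struct {
	byThumbprint map[[sha1.Size]byte]*x509.Certificate
	byKeyID      map[string]*x509.Certificate
}

func NewTrustStore(certs ...*x509.Certificate) *TrustStore {
	ts := &TrustStore{map[[sha1.Size]byte]*x509.Certificate{}, map[string]*x509.Certificate{}}
	for _, c := range certs {
		ts.byThumbprint[sha1.Sum(c.Raw)] = c
		ts.byKeyID[string(c.SubjectKeyId)] = c
	}
	return ts
}

// VerifyRequest is the in-path decision from the proposal: an embedded certificate
// must already be in the store, a reference must match a stored one, and the signature
// is checked with the stored copy, never with bytes taken from the message. The matched
// certificate is returned because the proposal reuses it to encrypt the out-path response.
func (ts *TrustStore) VerifyRequest(body []byte, h SecurityHeader) (*x509.Certificate, error) {
	var c *x509.Certificate
	switch {
	case h.EmbeddedCert != nil:
		c = ts.byThumbprint[sha1.Sum(h.EmbeddedCert)]
	case h.KeyIdentifier != nil:
		c = ts.byKeyID[string(h.KeyIdentifier)]
	default:
		return nil, fmt.Errorf("header carries neither a certificate nor a reference")
	}
	if c == nil {
		return nil, fmt.Errorf("signing certificate is not in the trust store")
	}
	if err := c.CheckSignature(x509.ECDSAWithSHA256, body, h.Signature); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	return c, nil
}

func main() {
	cert, key, _ := NewIdentity("trusted-client")
	body := []byte("<soapenv:Body>constructed request</soapenv:Body>")
	c, err := NewTrustStore(cert).VerifyRequest(body, NewHeader(body, cert, key, false))
	fmt.Println("respond encrypted to:", c.Subject.CommonName, err)
}
```

The point worth noting in the embedded case is that the signature is verified against the certificate found in the store, not against the bytes carried in the message: a certificate that is self-consistent with the signature but absent from the store is rejected before any signature check happens, which is exactly the "not in the store, request rejected" rule in the proposal.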
