I'll look at policy/sample02/policy.xml. Thank you for your responses, Dimuthu.
-----Original Message-----
From: Dimuthu Leelarathne [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 17, 2008 8:22 PM
To: Nate Roe
Cc: '[email protected]'
Subject: RE: Some PKI Questions

Hi Nate,

Please see my comments below.

On Thu, 2008-04-17 at 12:00 -0700, Nate Roe wrote:
> How can I use policy.xml to direct the client to include its
> certificate in the request message?

You can look at the policy/sample02/policy.xml file. It will always include the token in the message. If you inspect the message using TCPMon, the SecurityTokenReference has a pointer to the certificate.

> It is important to me to prove
> cryptographically that the client certificate was issued from the/a CA
> certificate in the service's keystore.

Rampart does this. These are the steps taken by Rampart. You can look at the verifyTrust method in the org.apache.rampart.PolicyBasedResultsValidator.java class. First it is checked whether the certificate is in the key store. If so, the client is trusted; else Rampart tries to verify trust of the certificate chain.

> In my service's password callback, when the service receives a message
> from the client, the callback is asked to retrieve the password for
> "client". The service's keystore password is already known from
> policy.xml. I don't understand why the service would want the
> client's password.

The service does not need the client's password. In the real world, you have to implement two password callback classes - one for the server and one for the client. The callback is asked to retrieve the password for the client's private key when the signature is going to be performed, at the client side, not at the server side.

Thank you,
Dimuthu

> -----Original Message-----
> From: Dimuthu Leelarathne [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 15, 2008 8:01 PM
> To: [email protected]
> Subject: Re: Some PKI Questions
>
> Hi Nate,
>
> Please see my comments below.
>
> On Fri, 2008-04-11 at 16:39 -0700, Nate Roe wrote:
> > I've secured a service using Rampart, and now I'm considering how to
> > implement the certificate issuance portion.
> >
> > To get the service running, I followed Ruchith Fernando's tutorial:
> > http://wso2.org/library/174
> >
> > Is it necessary to modify the service's keystore to add new client
> > certificates? Is it possible to store the service's copy of the client's
> > public keys in a database or in separate files in the filesystem?
>
> The easiest way to do this would be to ask the client to include the
> certificate in the request message always. If we want to store a
> certificate, we usually store it in the KeyStore, so that Rampart can
> easily pick it up from the KeyStore.
>
> > Why does my password callback class need to supply the client's certificate
> > password? It's just supposed to be the client's public key, right? So,
> > why the password?
>
> Even though we have a single password callback class in the Rampart samples,
> in the real world scenario there should be two password callback classes
> - one for server and one for client.
>
> At the server side, the password callback class does not need to supply the
> client's password.
>
> Thank you,
> Dimuthu
>
> > Thanks,
> > Nate Roe
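The split Dimuthu describes, a server-side password callback that knows only the service's own private-key password and never answers for a client alias, looks roughly like the following. This is an added example, not code from the Rampart samples or from the thread; the alias "service", the password value, and the class name ServicePWCBHandler are assumptions, and it uses the WSS4J WSPasswordCallback API that Rampart 1.x builds on.

```java
// Added example: a server-side password callback for Rampart/WSS4J.
// It hands out the service's key password only, and rejects any request
// for another alias (such as "client"), since the server never holds a
// client's private key. Alias and password below are placeholders.
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class ServicePWCBHandler implements CallbackHandler {

    // Hypothetical alias of the service's key pair and its password; the real
    // values belong to the keystore referenced from the service's policy.xml.
    private static final String SERVICE_ALIAS = "service";
    private static final String SERVICE_KEY_PASSWORD = "servicePW";

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Only WSPasswordCallback is handled");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.DECRYPT:   // unwrap a key encrypted for the service
                case WSPasswordCallback.SIGNATURE: // sign the outgoing response
                    if (SERVICE_ALIAS.equals(pwcb.getIdentifier())) {
                        pwcb.setPassword(SERVICE_KEY_PASSWORD);
                    } else {
                        // Being asked for any other alias means the service-side
                        // policy names a key the server does not own; fail loudly
                        // instead of inventing a password for it.
                        throw new UnsupportedCallbackException(cb,
                            "No private key for alias '" + pwcb.getIdentifier() + "' on the server");
                    }
                    break;
                default:
                    // Signature verification of an incoming message needs no password,
                    // so any other usage reaching this handler is unexpected.
                    throw new UnsupportedCallbackException(cb,
                        "Unexpected password usage " + pwcb.getUsage());
            }
        }
    }
}
```

The client keeps its own handler for its "client" alias; if the server-side handler above is ever asked for "client", the exception points at the policy.xml entry that names the wrong key rather than silently supplying a password.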
