> Then :
>
> * The client encrypts with the public key of the server which is
>   stored in the keystore of the client.

yes.

> * The server responds to the client with the key that is in the
>   header of the soap request ?

Depends on the value of the encryptionUser parameter in the Rampart configuration. If the encryptionUser value is a certificate alias such as "client", the server will look at the key store and pick the certificate according to the alias given in the encryptionUser parameter. But encryptionUser has a special value "useReqSigCert" which tells the server to use the certificate that was used to sign the request to encrypt the response. But it doesn't necessarily mean that the request had the certificate in the security header. In some cases the Security header carries the binary certificate and sometimes not. AFAIK the <signatureKeyIdentifier/> is used to decide whether to send the binary certificate in the security header or not. If you use <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>, then the security header of the request will contain the binary certificate of the client. In other cases, different referencing mechanisms will be used. For example, a subject key identifier may be used and the server will pick the certificate according to the SKI value to verify the signature of the incoming request, and will cache that certificate so that the same certificate can be used to encrypt the response back to the client.

> But in my case the server uses a keystore like the client.
> I want to do the response with the key given by the client in the soap
> header; how can I do that please ?

You need to change the encryptionUser value in the Rampart configuration in the services.xml to "useReqSigCert". Then add the property <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier> to the same configuration. Anyway, the server must trust the client's certificate for this to work correctly. For example, the client certificate must be issued by a CA that the service trusts.

And if you are just starting to use Rampart, I would recommend you to use WS-Security Policy based configuration. You can find policy based samples under samples/policy in the Rampart binary distribution.

thanks,
nandana

> Here is my client_axis2.xml in the client side:
>
>     <module ref="rampart" />
>     <parameter name="InflowSecurity">
>       <action>
>         <items>Encrypt</items>
>         <passwordCallbackClass>
>           fr.bull.presto.emetteur.commun.PWCBHandler
>         </passwordCallbackClass>
>         <decryptionPropFile>client.properties</decryptionPropFile>
>       </action>
>     </parameter>
>     <parameter name="OutflowSecurity">
>       <action>
>         <items>Encrypt</items>
>         <encryptionUser>service</encryptionUser>
>         <encryptionPropFile>client.properties</encryptionPropFile>
>       </action>
>     </parameter>
>
> and here my service.xml in the server side :
>
>     <module ref="rampart" />
>     <parameter name="OutflowSecurity">
>       <action>
>         <items>Encrypt</items>
>         <encryptionUser>client</encryptionUser>
>         <encryptionPropFile>
>           service.properties
>         </encryptionPropFile>
>       </action>
>     </parameter>
>     <parameter name="InflowSecurity">
>       <action>
>         <items>Encrypt</items>
>         <passwordCallbackClass>
>           fr.bull.presto.recepteur.api.PWCBHandler
>         </passwordCallbackClass>
>         <decryptionPropFile>
>           service.properties
>         </decryptionPropFile>
>       </action>
>     </parameter>
>
> Does the client natively include his public key in the soap header or not ?
> How can I specify to the server to use this public key of the client to
> encrypt the response ?
>
> Thanks a lot
>
> Nandana Mihindukulasooriya wrote:
>> On Wed, Jun 11, 2008 at 7:41 PM, Fabien Couvert <[EMAIL PROTECTED]> wrote:
>>
>>> Hi all,
>>> I have a question about the mechanism of Encryption with asymmetric key.
>>> In my application I use 2 keystores, one for the client (specified in the
>>> client.properties file) and one for the server (specified in the
>>> service.properties).
>>>
>>> In the client conf file I added :
>>>
>>>       <items>Encrypt</items>
>>>       <encryptionUser>service</encryptionUser>
>>>       <encryptionPropFile>client.properties</encryptionPropFile>
>>>     </action>
>>>
>>> Everything works fine but how ?! :)
>>>
>>> How can the client encrypt the message with the public key of the server ?
>>> (name service)
>>
>> In the keystore of the client, you must be having the service's certificate
>> with the alias "service". You can check this with the java keytool. Use the
>> command given below to check the content of the key store.
>>
>>     $ keytool -v -list -keystore /path/to/keystore.jks -storepass keystore-password
>>
>>> How does the client recover the public key of the server ?
>>
>> It has to be there in the client's key store. But on the server side, if you
>> have used "useReqSigCert" as the encryption user, the binary certificate which
>> was in the security header of the request can be used to encrypt the message
>> back to the client.

--
Nandana Mihindukulasooriya
WSO2 inc.
http://nandana83.blogspot.com/
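The two sides of the setup the reply describes, written out as an added example for this thread (it is not the poster's own client_axis2.xml or services.xml): the client signs and then encrypts, references its certificate with DirectReference so the binary certificate travels in the request, and the server encrypts the response with useReqSigCert. signatureKeyIdentifier sits in the signing side's OutflowSecurity because it controls how the signer references its own certificate; the alias "client" for the client's private key, and the reuse of the thread's PWCBHandler classes and properties files for signing and trust, are assumptions.

```xml
<!-- client_axis2.xml (client side): sign the request with the client's own key,
     then encrypt it for "service". DirectReference embeds the client's X.509
     certificate as a BinarySecurityToken in the request's Security header.
     Assumed: the client keystore holds its private key under alias "client". -->
<module ref="rampart" />
<parameter name="OutflowSecurity">
  <action>
    <items>Signature Encrypt</items>
    <user>client</user>
    <passwordCallbackClass>fr.bull.presto.emetteur.commun.PWCBHandler</passwordCallbackClass>
    <signaturePropFile>client.properties</signaturePropFile>
    <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
    <encryptionUser>service</encryptionUser>
    <encryptionPropFile>client.properties</encryptionPropFile>
  </action>
</parameter>
<parameter name="InflowSecurity">
  <action>
    <items>Encrypt</items>
    <passwordCallbackClass>fr.bull.presto.emetteur.commun.PWCBHandler</passwordCallbackClass>
    <decryptionPropFile>client.properties</decryptionPropFile>
  </action>
</parameter>

<!-- services.xml (server side): the inflow must verify the signature, because the
     certificate that verified it is what useReqSigCert picks to encrypt the response.
     The store named in signaturePropFile must contain the CA that issued the client
     certificate; an untrusted certificate fails verification, so no response is ever
     encrypted to a key the service does not trust. -->
<module ref="rampart" />
<parameter name="InflowSecurity">
  <action>
    <items>Signature Encrypt</items>
    <passwordCallbackClass>fr.bull.presto.recepteur.api.PWCBHandler</passwordCallbackClass>
    <signaturePropFile>service.properties</signaturePropFile>
    <decryptionPropFile>service.properties</decryptionPropFile>
  </action>
</parameter>
<parameter name="OutflowSecurity">
  <action>
    <items>Encrypt</items>
    <encryptionUser>useReqSigCert</encryptionUser>
    <encryptionPropFile>service.properties</encryptionPropFile>
  </action>
</parameter>
```

With encryptionUser set to useReqSigCert the server no longer needs a per-client alias in its keystore; the trust decision moves entirely to signature verification against the store in signaturePropFile.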
