OK, it works with these client files:

   <parameter name="InflowSecurity">
       <action>
           <items>Encrypt</items>
           <passwordCallbackClass>
               fr.bull.presto.emetteur.commun.PWCBHandler
           </passwordCallbackClass>
           <decryptionPropFile>client.properties</decryptionPropFile>
       </action>
   </parameter>
   <parameter name="OutflowSecurity">
       <action>
           <items>Signature Encrypt</items>
           <user>client</user>
           <signaturePropFile>client.properties</signaturePropFile>
           <passwordCallbackClass>
               fr.bull.presto.emetteur.commun.PWCBHandler
           </passwordCallbackClass>
           <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
           <encryptionUser>service</encryptionUser>
           <encryptionPropFile>client.properties</encryptionPropFile>
       </action>
   </parameter>

and the server side:
       <module ref="rampart" />
       <parameter name="OutflowSecurity">
           <action>
               <items>Encrypt</items>
               <encryptionUser>useReqSigCert</encryptionUser>
               <encryptionPropFile>
                   service.properties
               </encryptionPropFile>
           </action>
       </parameter>
       <parameter name="InflowSecurity">
           <action>
               <items>Signature Encrypt</items>
               <signaturePropFile>service.properties</signaturePropFile>
               <passwordCallbackClass>
                   fr.bull.presto.recepteur.api.PWCBHandler
               </passwordCallbackClass>
               <decryptionPropFile>
                   service.properties
               </decryptionPropFile>
           </action>
       </parameter>

But now I have another question :)
Currently the client uses the public key of the server stored in the keystore.
If I want to give my client application to many users, how can I change the public and private key of the client in the client keystore (to give a different key to each client) while keeping the public key of the server in it? Is it possible to generate the keystore for every client with the server public key included?

Thank you very much.


Nandana Mihindukulasooriya wrote:
Then:

  * The client encrypts with the public key of the server which is
    stored in the keystore of the client.


yes.

  * The server responds to the client with the key that is in the
    header of the SOAP request?


Depends on the value of the encryptionUser parameter in the Rampart
configuration. If the encryptionUser value is a certificate alias such as
"client", the server will look at the key store and pick the certificate
according to the alias given in the encryptionUser parameter. But
encryptionUser has a special value "useReqSigCert" which tells the server
to use the certificate that was used to sign the request to encrypt the
response. But it doesn't necessarily mean that the request had the certificate
in the security header. In some cases the Security header carries the binary
certificate and sometimes not. AFAIK the <signatureKeyIdentifier/> is used
to decide whether to send the binary certificate in the security header or
not. If you use
<signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>, then the
security header of the request will contain the binary certificate of the
client. In other cases, different referencing mechanisms will be used. For
example, a subject key identifier may be used and the server will pick the
certificate according to the SKI value to verify the signature of the
incoming request and will cache that certificate so that the same
certificate can be used to encrypt the response back to the client.


But in my case the server uses a keystore like the client.
I want to make the response with the key given by the client in the SOAP
header; how can I do that please?


You need to change the encryptionUser value in the Rampart configuration in
the services.xml to "useReqSigCert".
Then add the property
<signatureKeyIdentifier>DirectReference</signatureKeyIdentifier> to the same
configuration.
Anyway, the server must trust the client's certificate for this to work
correctly. For example, the client certificate must be issued by a CA that
the service trusts.

And if you are just starting to use Rampart, I would recommend that you use
WS-Security Policy based configuration. You can find policy based samples
under samples/policy in the Rampart binary distribution.

thanks,
nandana

Here is my client_axis2.xml on the client side:
  <module ref="rampart" />
  <parameter name="InflowSecurity">
      <action>
          <items>Encrypt</items>
          <passwordCallbackClass>
              fr.bull.presto.emetteur.commun.PWCBHandler
          </passwordCallbackClass>
          <decryptionPropFile>client.properties</decryptionPropFile>
      </action>
  </parameter>
  <parameter name="OutflowSecurity">
      <action>
          <items>Encrypt</items>
          <encryptionUser>service</encryptionUser>
          <encryptionPropFile>client.properties</encryptionPropFile>
      </action>
  </parameter>

and here is my service.xml on the server side:
  <module ref="rampart" />
  <parameter name="OutflowSecurity">
      <action>
          <items>Encrypt</items>
          <encryptionUser>client</encryptionUser>
          <encryptionPropFile>
              service.properties
          </encryptionPropFile>
      </action>
  </parameter>
  <parameter name="InflowSecurity">
      <action>
          <items>Encrypt</items>
          <passwordCallbackClass>
              fr.bull.presto.recepteur.api.PWCBHandler
          </passwordCallbackClass>
          <decryptionPropFile>
              service.properties
          </decryptionPropFile>
      </action>
  </parameter>

Does the client natively include its public key in the SOAP header or not?
How can I tell the server to use this public key of the client to
encrypt the response?

Thanks a lot

Nandana Mihindukulasooriya wrote:

 On Wed, Jun 11, 2008 at 7:41 PM, Fabien Couvert <[EMAIL PROTECTED]>
wrote:

Hi all,
I have a question about the mechanism of encryption with an asymmetric key.
In my application I use 2 keystores, one for the client (specified in the
client.properties file) and one for the server (specified in the
service.properties file).

In the client conf file I added:
   <action>
     <items>Encrypt</items>
     <encryptionUser>service</encryptionUser>
     <encryptionPropFile>client.properties</encryptionPropFile>
   </action>

Everything works fine, but how?! :)

How can the client encrypt the message with the public key of the server
(named "service")?


In the keystore of the client, you must have the service's certificate
with the alias "service". You can check this with the Java keytool. Use
the command given below to check the content of the key store.

$ keytool -v -list -keystore /path/to/keystore.jks -storepass keystore-password

How does the client recover the public key of the server?

It has to be there in the client's key store. But on the server side, if
you have used "useReqSigCert" as the encryption user, the binary certificate
which was in the security header of the request can be used to encrypt the
message back to the client.

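The per-client keystore question above, worked through with keytool. This is an added example, not code from the thread or from Rampart: it provisions one JKS keystore per client containing that client's own key pair plus the server certificate as a trusted entry (so the client can keep `<encryptionUser>service</encryptionUser>`), and registers each client certificate on the server side, which is what `useReqSigCert` with `DirectReference` needs in order to trust the certificate carried in the request. Aliases "client1"/"client2", the passwords, the DN values, self-signed certificates and the JKS store type are all illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one keystore per client holding that
# client's own key pair plus the server's public certificate, and the server
# keystore extended to trust each client's certificate.
# Assumptions: self-signed certificates, server alias "service", JKS store
# type, passwords "servicepass" / "clientpass" (illustrative only).
set -eu

SERVICE_PASS=servicepass
CLIENT_PASS=clientpass

# Server keystore: one key pair under alias "service"; its certificate is
# exported to service.cer so it can be embedded in every client keystore.
make_service_keystore() {
  dir=$1
  keytool -genkeypair -alias service -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -dname "CN=service, O=example" -validity 365 \
    -storetype JKS -keystore "$dir/service.jks" \
    -storepass "$SERVICE_PASS" -keypass "$SERVICE_PASS" >/dev/null 2>&1
  keytool -exportcert -alias service -storetype JKS \
    -keystore "$dir/service.jks" -storepass "$SERVICE_PASS" \
    -file "$dir/service.cer" >/dev/null 2>&1
}

# Client keystore: a fresh key pair under the client's own alias, then the
# server certificate imported as a trusted entry under alias "service".
# Only the keystore file and the <user> alias differ from client to client;
# <encryptionUser>service</encryptionUser> stays the same for all of them.
make_client_keystore() {
  dir=$1; cname=$2; ks="$dir/$cname.jks"
  keytool -genkeypair -alias "$cname" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -dname "CN=$cname, O=example" -validity 365 \
    -storetype JKS -keystore "$ks" \
    -storepass "$CLIENT_PASS" -keypass "$CLIENT_PASS" >/dev/null 2>&1
  keytool -importcert -noprompt -alias service -file "$dir/service.cer" \
    -storetype JKS -keystore "$ks" -storepass "$CLIENT_PASS" >/dev/null 2>&1
}

# Server side of the trust relationship: with self-signed client certs each
# one is imported individually; with a CA you would import the CA cert once.
trust_client() {
  dir=$1; cname=$2
  keytool -exportcert -alias "$cname" -storetype JKS \
    -keystore "$dir/$cname.jks" -storepass "$CLIENT_PASS" \
    -file "$dir/$cname.cer" >/dev/null 2>&1
  keytool -importcert -noprompt -alias "$cname" -file "$dir/$cname.cer" \
    -storetype JKS -keystore "$dir/service.jks" \
    -storepass "$SERVICE_PASS" >/dev/null 2>&1
}

# Check whether keystore $1 (password $2) holds alias $3 as entry type $4
# (PrivateKeyEntry or trustedCertEntry): the keytool -list check from the
# thread reduced to an exit status.
has_entry() {
  keytool -list -storetype JKS -keystore "$1" -storepass "$2" 2>/dev/null \
    | grep -q "^$3,.*$4"
}

# Demo: ./provision.sh --demo provisions a service and two clients in a
# temporary directory and prints the first client's keystore content.
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_service_keystore "$work"
  for c in client1 client2; do
    make_client_keystore "$work" "$c"
    trust_client "$work" "$c"
  done
  keytool -v -list -storetype JKS -keystore "$work/client1.jks" \
    -storepass "$CLIENT_PASS"
fi
```

Each client then ships with its own keystore and a client.properties whose keystore path and password point at that file, and `<user>` in its OutflowSecurity is set to that client's alias (the password callback class has to return the key password for that alias). The server keystore never receives a client private key, only the certificate, and it is this trusted-certificate entry (or a trusted CA) that lets the server accept the BinarySecurityToken sent with `DirectReference` and encrypt the response to it via `useReqSigCert`.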