On 10/14/2013 09:05 AM, Colm O hEigeartaigh wrote:
Hi Susan,
This sounds like a perfect use-case for XKMS. CXF ships with an XKMS
service, and also a WSS4J "Crypto" implementation which can ask the
remote service for certificates for WS-Security. For example, see the
following system test:
http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/xkms/
http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/xkms/
I think using XKMS with the Symmetric binding is quite cool, as it means
the client does not need any keystores/certs at all stored locally. I have
a blog entry partially written on this that I must publish :-)
Hi Colm,
Do .NET clients play well with an XKMS server? Interoperability with
.NET clients is an important concern for me. XKMS does sound
interesting, but it also sounds like XKMS would replace the certs issued
by our existing PKI, and that wouldn't work for us.
I guess it comes down to wanting a way to distribute the server cert
back to the client using the mechanisms available from WS-Trust/STS
(signed cert in the headers) and based on what Dennis has said, that
isn't going to be possible.
I'll watch eagerly for that next blog post from you about XKMS though :-)
(http://coheigea.blogspot.com/, right?)
Thanks for the response.
Susan