For key/certs/keystores, I used the following to test my client / server connectivity (Axis 1.2.1 & WSS4J setup):
Tools:
a) OpenSSL for windows (still command line) version 0.9.8 (05 Jul 2005) - http://www.slproweb.com/products/Win32OpenSSL.html
b). KeyTool GUI 1.6 (2003 Wayne Grant, GPL) - now superceded by KeyTool Explorer - http://www.lazgosoftware.com/kse/ but you can use keytool command line instead
NB. There are more ways to accomplish this - but this is the way I've done it :
To create version 3 X.509 certificates, I've used OpenSSL
1. generate triple des rsa keypair (512 bits)
openssl genrsa -des3 -out ws-server.key 512
2. self-sign & export x509 cert (md5 algo, 365 validity)
openssl req -new -x509 -days 365 -md5 -key ws-server.key -out ws-server.crt
(blank for all attributes except for CN)
**********************************************
Do the same as above for the client(s)
**********************************************
3. convert from PEM format and add to PKCS#12 keystore:
openssl pkcs12 -export -out ws-server.pfx -inkey ws-server.key -in ws-server.crt
**********************************************
Do the same as above for the client(s)
**********************************************
4. load pkcs12 files into KeyTool and import server's public cert in to the clients' keystore - AND VICE VERSA
5. Convert to JKS format (change Keystore type) and set the keypair password
(note: there's a password for the keystore and password for the
keys/certs. password for key/cert should be in
PasswordCallback class and password for keystore should be in
crypto.props file)
Notes:
1. The example above uses 512 bit strength algo's, but this will limit the size of the data you can sign/encrypt - therefore it is recommended that 1024 bits is used
2. This example shows the server needs a keystore with the client's public cert (self-signed). Another way to do this is to sign the public cert using a Certificate Authority, then include the client's X.509 cert in the request -this will allow the server to verify the client's signature and encrypt the response (if required). Please see WSS4J FAQ for more info.
Hope that helps.
Cheers,
Ash
Hi all,
I tried to use the wss4j project for adding security for my web services. For my web service I want to add signature and encryption type of security. First I tested the interop example (tested with 'bob' and 'alice' entries) in the wss4j project. That works fine.
Then I tried to create my key store (using keytool) and generated 2 keypairs one for server and one for client. I configured correctly all properties ( I replace the entries 'bob' and 'alice' with my own aliases name 'affnoserver' and 'affnoclinet'). But for my case client side is working fine (encrypt the request and sign and send) but in the serverside I got an exception (when decrypting).
This is the exception trace ----
org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data; nested
exception is:
java.security.UnrecoverableKeyException: Cannot recover key
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncrypte
dKey(EncryptedKeyProcessor.java:268)
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncrypte
dKey(EncryptedKeyProcessor.java:81)
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(En
cryptedKeyProcessor.java:75)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecur
ityEngine.java:252)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecur
ityEngine.java:179)
at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.ja
va:159)
this is my key store :
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: affnoserver
Creation date: Dec 2, 2005
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=affnoserver, OU=affno, O=eng, L=col, ST=col, C=sl
Issuer: CN=affnoserver, OU=affno, O=eng, L=col, ST=col, C=sl
Serial number: 43900be2
Valid from: Fri Dec 02 14:54:58 LKT 2005 until: Thu Mar 02 14:54:58 LKT 2006
Certificate fingerprints:
MD5: 23:92:DD:B9:D5:CA:66:5B:AD:92:27:0E:48:11:8C:75
SHA1: AB:13:03:92:32:FD:EA:51:DE:DD:9E:7C:DD:90:DD:35:96:52:25:08
*******************************************
*******************************************
Alias name: affnoclient
Creation date: Dec 2, 2005
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=affnoclient, OU=affno, O=eng, L=col, ST=col, C=SL
Issuer: CN=affnoclient, OU=affno, O=eng, L=col, ST=col, C=SL
Serial number: 43904844
Valid from: Fri Dec 02 19:12:36 LKT 2005 until: Thu Mar 02 19:12:36 LKT 2006
Certificate fingerprints:
MD5: B3:76:5E:F5:81:1A:80:9E:0A:9A:FA:A3:36:8E:D7:C3
SHA1: 51:D7:04:8F:4C:5D:4F:F9:21:B0:41:B3:58:8B:E9:FB:FA:98:6A:D2
*******************************************
*******************************************
I used following commands for creating this key store.
keytool -genkey -keyalg RSA -alias affnoserver -keystore affnoserver.jks -keypass XXXXXXX -storepass password
keytool -genkey -keyalg RSA -alias affnoclient -keystore affnoserver.jks -keypass XXXXXXX -storepass password
Should I use some other commands to create this key store (like openssl or PKCS12 format ...)
Please anybody can help me how to create my own keystore and keypairs for this wss4j project?
Thanks and best regards,
N.Elilvannan
