Hello Werner,
thanks a lot for your answer, which pushed me a big step ahead.
But I've got some questions left:
>> I think that everything I need for the keystore is
>> defined in the "crypto.properties"-file - isn't it?
>
> No, it isn't. The crypto.properties file just defines the type of
> keystore to use,
ACK. That's:
org.apache.ws.security.crypto.merlin.keystore.type=jks
> the provider,
ACK. That's:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> the password for the keystore.
ACK. That's:
org.apache.ws.security.crypto.merlin.file=c:/java/keystore/client.keystore.jks
and
org.apache.ws.security.crypto.merlin.keystore.password=secret
But what about these:
org.apache.ws.security.crypto.merlin.keystore.alias=clientkey
org.apache.ws.security.crypto.merlin.alias.password=secret
Aren't these exactly the information you write about:
"To sign requests you need to identify the certificate inside the keystore"
!??
If I identify the certificate in the Callback-class and in crypto.properties,
then in my opinion this is double-user/password-cumbersome!??
Besides:
You write about "certificate inside the keystore". Others talk about "keys
inside the keystore". Is there a difference or are these just synonyms?
This was "client-side-confusion". But I've got some "server-side-confusion" too:
> the "user" (usually the alias name of the certificate in the
> keystore) and you need the password to unlock the user's private key
As far as I understand, every keystore-file has a store-password and every
key _within_ the keystore-file has an alias ((PWCallback-)user!?? - right?) and
its own key-password ((PWCallback-)password!?? - right?).
If I import a client-key into the server-keystore like:
%JAVA_HOME%\bin\keytool -import -alias clientkey -file clientkey.export \
-keystore server.keystore.jks -storepass secret
Which key-password will the imported key have? The one it has in the
client-keystore (which it was exported from) too? In real life the customer
(client) maybe wouldn't tell me about it...
What if I import the client-key into the server-keystore with a different
alias than it has in the client-keystore? Then the user used in wss4j will
only match on one side of the communication!??
I apologise for these annoying beginner questions!
Thanks again for bearing with me!
Stephan
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
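The keytool questions above (which key password an imported entry has, and whether the server-side alias has to match) can be checked against the keystore file format itself. The following is an added example written for this thread; it is not code from the mail, from WSS4J or from keytool. It reads and writes the on-disk JKS layout that keytool produces (magic 0xFEEDFEED, version 2, entry tag 1 for a PrivateKeyEntry, tag 2 for a trustedCertEntry, and a trailing SHA-1 integrity digest keyed on the store password), then replays the thread's `keytool -export` / `keytool -import -alias ... -keystore server.keystore.jks` steps in memory. The byte strings CLIENT_CERT_DER and PROTECTED_KEY_BLOB are constructed placeholders, not a real X.509 certificate or a real key-password-wrapped key; everything around them follows the JKS format.

```python
"""Minimal JKS reader/writer (added example, not from the mail, WSS4J or keytool).

Shows what a `keytool -import` of an exported certificate creates on the server
(a trustedCertEntry: certificate only, no private key, hence no key password)
and which password protects what: the store password seals the whole file with
an integrity digest; a key password only wraps the private-key blob of a
PrivateKeyEntry (WSS4J's ...merlin.alias.password).
"""
import hashlib
import struct
import time

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2

# Constructed placeholders: stand-ins for clientkey.export and for the wrapped key.
CLIENT_CERT_DER = b"<constructed placeholder for the clientkey.export DER bytes>"
PROTECTED_KEY_BLOB = b"<constructed placeholder for the key-password-wrapped key>"


def _utf(s):
    """DataOutputStream.writeUTF: 2-byte big-endian length followed by UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _digest(store_password, body):
    """JKS integrity check: SHA-1(password as UTF-16BE || 'Mighty Aphrodite' || body)."""
    h = hashlib.sha1()
    h.update(store_password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()


def build_jks(entries, store_password):
    """Serialise entry dicts (see parse_jks) and seal the file with the store password."""
    out = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    now_ms = int(time.time() * 1000)
    for e in entries:
        tag = TAG_PRIVATE_KEY if e["kind"] == "PrivateKeyEntry" else TAG_TRUSTED_CERT
        out += struct.pack(">I", tag) + _utf(e["alias"]) + struct.pack(">Q", now_ms)
        if tag == TAG_PRIVATE_KEY:
            # Only this blob is protected by the key password; certificates never are.
            out += struct.pack(">I", len(e["protected_key"])) + e["protected_key"]
            out += struct.pack(">I", len(e["certs"]))
        for cert in e["certs"]:  # chain of a key entry, or the single trusted cert
            out += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return out + _digest(store_password, out)


def parse_jks(blob, store_password):
    """Verify the store password, then return the entries as a list of dicts."""
    body, tail = blob[:-20], blob[-20:]
    if _digest(store_password, body) != tail:
        raise ValueError("Keystore was tampered with, or password was incorrect")
    pos = 0

    def take(fmt):
        nonlocal pos
        vals = struct.unpack_from(fmt, body, pos)
        pos += struct.calcsize(fmt)
        return vals

    def take_bytes(length_fmt):
        nonlocal pos
        (n,) = take(length_fmt)
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    magic, version, count = take(">III")
    if (magic, version) != (JKS_MAGIC, JKS_VERSION):
        raise ValueError("not a version-2 JKS file")
    entries = []
    for _ in range(count):
        (tag,) = take(">I")
        alias = take_bytes(">H").decode("utf-8")
        take(">Q")  # creation timestamp, not needed here
        if tag == TAG_PRIVATE_KEY:
            key = take_bytes(">I")  # still wrapped: opening it needs the key password
            (n_certs,) = take(">I")
            certs = []
            for _ in range(n_certs):
                take_bytes(">H")  # certificate type, "X.509"
                certs.append(take_bytes(">I"))
            entries.append({"alias": alias, "kind": "PrivateKeyEntry",
                            "protected_key": key, "certs": certs})
        elif tag == TAG_TRUSTED_CERT:
            take_bytes(">H")  # certificate type, "X.509"
            entries.append({"alias": alias, "kind": "trustedCertEntry",
                            "protected_key": None, "certs": [take_bytes(">I")]})
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


def keytool_export(blob, store_password, alias):
    """keytool -export: hands out the certificate only; the private key stays behind."""
    for e in parse_jks(blob, store_password):
        if e["alias"] == alias:
            return e["certs"][0]
    raise KeyError(alias)


def keytool_import(blob, store_password, alias, cert_der):
    """keytool -import -alias ... -file ...: appends a trustedCertEntry (no key password)."""
    entries = parse_jks(blob, store_password)
    if any(e["alias"] == alias for e in entries):
        raise KeyError("alias <%s> already exists" % alias)
    entries.append({"alias": alias, "kind": "trustedCertEntry",
                    "protected_key": None, "certs": [cert_der]})
    return build_jks(entries, store_password)


def demo():
    """Replay the thread: client key entry -> export -> import under another alias."""
    client = build_jks([{"alias": "clientkey", "kind": "PrivateKeyEntry",
                         "protected_key": PROTECTED_KEY_BLOB,
                         "certs": [CLIENT_CERT_DER]}], "secret")
    exported = keytool_export(client, "secret", "clientkey")
    # The server alias is a local label; no key password travelled with the export.
    server = keytool_import(build_jks([], "server-secret"), "server-secret",
                            "trusted-client", exported)
    return parse_jks(server, "server-secret")


if __name__ == "__main__":
    for e in demo():
        print(e["alias"], e["kind"], "needs key password:", e["protected_key"] is not None)
```

Running demo() shows the server store ending up with one trustedCertEntry whose certificate bytes equal the export and whose protected_key is None: an imported certificate has no key password at all, because only the certificate left the client store, and the alias chosen on `-import` is purely a local name for that entry. Feeding parse_jks the wrong store password fails the integrity digest before any entry is read, which is the only thing the store password guards.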