Hi all, I'm currently working on a prototype to find a way to enable the security features for our existing web services. The main issue I have is key management. I have successfully created a prototype to demonstrate encryption and digital signing using WSS4J and Axis 1.3, but I have to exchange public keys between the server side and the client, so I created the scenario described below and try to distribute only the public key of the server to the client. Does this make sense to you folks? I'm wondering if this is doable using WSS4J.

Prepare key stores:
1: Create a root CA using OpenSSL.
2: Create two Java key stores using keytool, for both server and client, and generate two certificate requests.
3: Use OpenSSL to sign the certificates.
4: Import the root CA certificate into both key stores as a trusted CA.
5: Import the corresponding certificate into each store.
6: Distribute the server certificate to the client - import the server certificate into the client key store.

Scenario:
1: The Axis client request flow handler will encrypt the SOAP message using the public key of the server, sign the encrypted message using its private key, and send the public key of the client to the server.
2: The Axis server request flow handler will validate the signature using the public key inside the SOAP header and decrypt the SOAP message using the server's private key.
3: Before sending back the response, the server-side response flow handler will encrypt the SOAP message using the public key that came in with the request (cached in memory) and then sign the encrypted message using the server's private key.
4: The client response flow handler will validate the signature using the server's public key (in the SOAP header or from the key store), and decrypt the message using the client's private key from its key store.

Thanks in advance
Li Geng
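The four-step scenario above expressed as Axis 1.x WSDD handler configuration for the WSS4J 1.x WSDoAllSender/WSDoAllReceiver handlers. This is an added example, not the poster's prototype; the key aliases "client" and "server", the property file names, the service name and the password callback class example.PwCallback are assumptions.

```xml
<!-- client-config.wsdd (Axis 1.x). Assumed: aliases "client"/"server", Merlin property files client-crypto.properties / server-crypto.properties, hypothetical callback class example.PwCallback -->
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <globalConfiguration>
    <requestFlow>
      <!-- Step 1: encrypt for the server, then sign. DirectReference sends the client certificate in the header, so the server needs only the root CA it trusts, not the client certificate. -->
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="Encrypt Signature"/>
        <parameter name="user" value="client"/>
        <parameter name="passwordCallbackClass" value="example.PwCallback"/>
        <parameter name="signaturePropFile" value="client-crypto.properties"/>
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        <parameter name="encryptionPropFile" value="client-crypto.properties"/>
        <parameter name="encryptionUser" value="server"/>
      </handler>
    </requestFlow>
    <responseFlow>
      <!-- Step 4: verify the server signature (server cert already in client.jks), then decrypt -->
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="action" value="Signature Encrypt"/>
        <parameter name="passwordCallbackClass" value="example.PwCallback"/>
        <parameter name="signaturePropFile" value="client-crypto.properties"/>
        <parameter name="decryptionPropFile" value="client-crypto.properties"/>
      </handler>
    </responseFlow>
  </globalConfiguration>
</deployment>
<!-- server deploy.wsdd: the same two handlers inside the <service> element -->
<service name="ExampleService" provider="java:RPC">
  <requestFlow>
    <!-- Step 2: validate the client certificate chain against the root CA in server.jks, then decrypt -->
    <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="action" value="Signature Encrypt"/>
      <parameter name="passwordCallbackClass" value="example.PwCallback"/>
      <parameter name="signaturePropFile" value="server-crypto.properties"/>
      <parameter name="decryptionPropFile" value="server-crypto.properties"/>
    </handler>
  </requestFlow>
  <responseFlow>
    <!-- Step 3: useReqSigCert encrypts the response for the certificate that signed the request, so no client certificate is stored on the server -->
    <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
      <parameter name="action" value="Encrypt Signature"/>
      <parameter name="user" value="server"/>
      <parameter name="passwordCallbackClass" value="example.PwCallback"/>
      <parameter name="signaturePropFile" value="server-crypto.properties"/>
      <parameter name="encryptionPropFile" value="server-crypto.properties"/>
      <parameter name="encryptionUser" value="useReqSigCert"/>
    </handler>
  </responseFlow>
</service>
```

Each *-crypto.properties file names the Merlin provider (org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin) and its keystore through org.apache.ws.security.crypto.merlin.file, org.apache.ws.security.crypto.merlin.keystore.type and org.apache.ws.security.crypto.merlin.keystore.password. The receiver's signaturePropFile keystore is what decides which signing certificates are trusted, so the root CA imported in step 4 of the key store preparation is the only trust anchor the server needs.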
