users@glassfish.java.net

Re: Creating a keystore and truststore for a web service

From: Aleksandras Novikovas <an_at_systemtier.com>
Date: Sun, 24 May 2009 21:25:49 +0300

Hi All,

If you want to use secure web services, you have to create your own
certificates (copyv3.zip is provided only for testing purposes).

You have to install OpenSSL.

Untar-gzip the ca.tgz file into your home directory - it is where your CA
will be stored. Now it is an empty structure - it does not even contain the CA
private/public keys. It contains openssl.cnf - the CA configuration which
will be used for creating and signing keys.

Edit the script gen.sh - change the passwords, the d-names (note that the
d-name for the CA and for the java key stores are in different forms because
CA keys are generated by OpenSSL and java keys are generated by keytool), and
the number of days the certificates will be valid.

Run script ./gen.sh

In your home directory it will create directory keystore.

keystore/server/ - contains files which you will have to copy into
$AS_HOME/domains/domain1/config/ (make a copy of the original files - just in
case ;) )
You will have to restart the application server.

keystore/client/ - contains files which will be used by web service
clients - copy these files into client's META-INF directory.

After you create the Web Service (in NetBeans) (and set default security
values) - you have to open the wsit-* XML file (found in the WEB-INF directory),
find the policy responsible for security and change it to the following (do not
change the policy name - copy only the inner part (<wsp:ExactlyOne>)) - remember
to change the value of the storepass parameter:

    <wsp:Policy wsu:Id="NewWebServicePortBindingPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
                <sp:SymmetricBinding>
                    <wsp:Policy>
                        <sp:ProtectionToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:ProtectionToken>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict/>
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                        <sp:OnlySignEntireHeadersAndBody/>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic128/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                    </wsp:Policy>
                </sp:SymmetricBinding>
                <sp:Wss11>
                    <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier/>
                        <sp:MustSupportRefIssuerSerial/>
                        <sp:MustSupportRefThumbprint/>
                        <sp:MustSupportRefEncryptedKey/>
                    </wsp:Policy>
                </sp:Wss11>
                <sp:SignedSupportingTokens>
                    <wsp:Policy>
                        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                                <sp:WssUsernameToken10/>
                            </wsp:Policy>
                        </sp:UsernameToken>
                    </wsp:Policy>
                </sp:SignedSupportingTokens>
                <sc:KeyStore
                    wspp:visibility="private"
                    alias="xws-security-server"
                    storepass="changeit_WS_server"
                    type="JKS"
                    location="keystore.jks"
                />
                <sc:TrustStore
                    wspp:visibility="private"
                    peeralias="xws-security-client"
                    storepass="changeit_WS_server"
                    type="JKS"
                    location="cacerts.jks"
                />
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>


After you generate the web service client (and set default security values)
you have to open the wsit client file (found in the META-INF directory), find
the policy responsible for security and change it to the following (do not
change the policy name - copy only the inner part (<wsp:ExactlyOne>)) - remember
to change the value of the storepass parameter:

    <wsp:Policy wsu:Id="NewWebServicePortBindingPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sc:CallbackHandlerConfiguration wspp:visibility="private">
                    <sc:CallbackHandler default="wsitUser" name="usernameHandler"/>
                    <sc:CallbackHandler default="changeit" name="passwordHandler"/>
                </sc:CallbackHandlerConfiguration>
                <sc:TrustStore
                    wspp:visibility="private"
                    peeralias="xws-security-server"
                    storepass="changeit_WS_client"
                    type="JKS"
                    location="cacerts.jks"
                />
                <sc:KeyStore
                    wspp:visibility="private"
                    alias="xws-security-client"
                    storepass="changeit_WS_client"
                    type="JKS"
                    location="keystore.jks"
                />
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>


Now you are using your own server and client certificates ;)


-
Aleksandras Novikovas

E-mail: an_at_systemtier.com



On Fri, 2009-05-08 at 00:28 -0700, glassfish_at_javadesktop.org wrote:
> No idea. I did do it first but I don't know if it is necessary when your putting your own key in the keystore.
> [Message sent by forum member 'waynetg' (waynetg)]
>
> http://forums.java.net/jive/thread.jspa?messageID=345496
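As an added example (not the gen.sh shipped with the post), this shell script carries out the same steps with OpenSSL alone: it builds the CA, issues one server and one client certificate signed by it, and writes each side's key store and trust store so that each trust store holds nothing but the peer's certificate under the policy's peeralias. It writes PKCS12 files rather than the post's JKS; the subjects, the xws-security-* aliases and the changeit_WS_* passwords are constructed to match the policies quoted above, and the CN values ws-server/ws-client are invented here.

```shell
#!/bin/sh
# Added example, not the gen.sh from the post: a test CA with OpenSSL, one server
# and one client certificate signed by it, and per-side key store (own key pair)
# and trust store (peer certificate only) with the aliases/passwords used above.
set -eu

# OpenSSL subjects look like "/C=LT/O=Example/CN=x"; keytool -dname wants
# "CN=x, O=Example, C=LT". Convert the former to the latter.
openssl_dn_to_keytool() {
    printf '%s\n' "$1" |
        awk -F/ '{ out = ""; for (i = NF; i > 1; i--) out = out (i < NF ? ", " : "") $i; print out }'
}

# gen_pki <outdir> <days>: CA in <outdir>/ca, per-side files in <outdir>/server and <outdir>/client.
gen_pki() {
    dir=$1; days=$2
    mkdir -p "$dir/ca" "$dir/server" "$dir/client"
    # CA key pair and self-signed CA certificate (constructed subject)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/C=LT/O=Example/CN=Example Test CA" \
        -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.crt" 2>/dev/null
    for side in server client; do
        # Key pair and CSR, then the CA signs it for the requested validity period
        openssl req -newkey rsa:2048 -nodes -subj "/C=LT/O=Example/CN=ws-$side" \
            -keyout "$dir/$side/$side.key" -out "$dir/$side/$side.csr" 2>/dev/null
        openssl x509 -req -days "$days" -in "$dir/$side/$side.csr" \
            -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" -CAcreateserial \
            -out "$dir/$side/$side.crt" 2>/dev/null
    done
    for side in server client; do
        if [ "$side" = server ]; then peer=client; else peer=server; fi
        # Key store: own key pair under alias xws-security-<side> (the policy's alias)
        openssl pkcs12 -export -name "xws-security-$side" \
            -inkey "$dir/$side/$side.key" -in "$dir/$side/$side.crt" \
            -out "$dir/$side/keystore.p12" -passout "pass:changeit_WS_$side"
        # Trust store: only the peer's certificate, under the policy's peeralias
        openssl pkcs12 -export -nokeys -name "xws-security-$peer" -in "$dir/$peer/$peer.crt" \
            -out "$dir/$side/cacerts.p12" -passout "pass:changeit_WS_$side"
    done
}

# Exit 0 when certificate $2 chains to CA certificate $1 (what each peer checks).
verify_against_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print the subject of the single certificate held in trust store $1 (password $2).
truststore_subject() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | openssl x509 -noout -subject
}
```

Run `gen_pki "$HOME/keystore" 365` to get the same layout as the post's gen.sh; where keytool is installed, `keytool -importkeystore -srcstoretype PKCS12 -deststoretype JKS` converts each store to the JKS type the policies declare.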