XML Key Management Service (XKMS)
Use case
CXF security uses asymmetric algorithms for different purposes: encryption of symmetric keys and payloads, signing security tokens and messages, proof of possession.
Normally the public keys (in form of X509 certificates) are stored in java keystores.
...
Currently XKMS Service supports simple file based and LDAP backends.
Sample spring configuration of XKMS handlers for file backend looks like:
Code Block | ||||
---|---|---|---|---|
| ||||
<beans <bean id="dateValidator" class="org.apache.cxf.xkms.x509.validator.DateValidator" /> xmlns="http://www.springframework.org/schema/beans" <bean idxmlns:cxf="x509FileLocatorhttp://cxf.apache.org/core" classxmlns:jaxws="orghttp://cxf.apache.cxf.xkms.x509.locator.FileLocator">org/jaxws" <constructor-arg valuexmlns:test="http://apache../conf/certs" /> </bean> <bean id="fileRegisterHandler" class="org.apache.cxf.xkms.x509.handlers.FileRegisterHandler"> org/hello_world_soap_http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation=" http://cxf.apache.org/core <constructor-arg value="../conf/certs" /> http://cxf.apache.org/schemas/core.xsd </bean> <bean id="xkmsProviderBean" class="org.apache.cxf.xkms.service.XKMSService"> http://www.springframework.org/schema/beans <property name="validators"> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd <list> http://cxf.apache.org/jaxws <ref bean="dateValidator" /> </list> </property> <property name="locators"> <list>http://cxf.apache.org/schemas/jaxws.xsd <ref bean="x509FileLocator" />http://www.springframework.org/schema/util </list>http://www.springframework.org/schema/util/spring-util-2.0.xsd"> <bean </property>id="dateValidator" class="org.apache.cxf.xkms.x509.validator.DateValidator" /> <bean <property nameid="keyRegisterHandlerstrustedAuthorityValidator"> <list>class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator"> <ref bean="fileRegisterHandler<constructor-arg ref="certificateRepo" /> </bean> </list> <bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator"> <constructor-arg ref="certificateRepo" </property>> </bean> <jaxws:endpoint <bean id="XKMSServicex509Register" xmlns:serviceNamespace="http://www.w3.org/2002/03/xkms#wsdl" serviceName="serviceNamespace:XKMSService" endpointName="serviceNamespace:XKMSPort" class="org.apache.cxf.xkms.x509.handlers.x509Register"> implementor <constructor-arg ref="#xkmsProviderBeancertificateRepo" address="/XKMS"> </jaxws:endpoint> </bean> <!-- LDAP based implementation --> <bean id="certificateRepo" class="org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo"> <constructor-arg ref="ldapServer" /> <constructor-arg ref="ldapSchemaConfig" /> <constructor-arg value="dc=example,dc=com" /> </bean> <bean id="ldapServer" class="org.apache.cxf.xkms.x509.repo.ldap.LdapServer"> <constructor-arg value="ldap://localhost:2389" /> <constructor-arg value="cn=Directory Manager,dc=example,dc=com" /> <constructor-arg value="test" /> <constructor-arg value="2" /> </bean> <bean id="ldapSchemaConfig" class="org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig"> <property name="certObjectClass" value="inetOrgPerson" /> <property name="attrUID" value="uid" /> <property name="attrIssuerID" value="manager" /> <property name="attrSerialNumber" value="employeeNumber" /> <property name="attrCrtBinary" value="userCertificate;binary" /> <property name="constAttrNamesCSV" value="sn" /> <property name="constAttrValuesCSV" value="X509 certificate" /> <property name="serviceCertRDNTemplate" value="cn=%s,ou=services" /> <property name="serviceCertUIDTemplate" value="cn=%s" /> <property name="trustedAuthorityFilter" value="(&(objectClass=inetOrgPerson)(ou:dn:=CAs))" /> <property name="intermediateFilter" value="(objectClass=inetOrgPerson)" /> </bean> <!-- File based implementation --> <!-- bean id="certificateRepo" class="org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo"> <constructor-arg value="../conf/certs" /> </bean--> </beans> |
dateValidator and trustedAuthorityValidator beans are implementations of Validator interface for validity date and trusted chain validation. x509Locator and x509Register are implementations of Locator and Register interfaces for X509 certificates.
Integration XKMS client into CXF security.
...