XML Key Management Service (XKMS)

Use case

CXF security uses asymmetric algorithms for several purposes: encrypting symmetric keys and payloads, signing security tokens and messages, and proof of possession.
Normally the public keys (in the form of X.509 certificates) are stored in Java keystores.

...

Currently the XKMS service supports simple file-based and LDAP backends.
A sample Spring configuration of the XKMS handlers for the file backend looks like this:

Code Block
xml
xml
<beans   <bean id="dateValidator" class="org.apache.cxf.xkms.x509.validator.DateValidator" />
xmlns="http://www.springframework.org/schema/beans"
   <bean idxmlns:cxf="x509FileLocatorhttp://cxf.apache.org/core" classxmlns:jaxws="orghttp://cxf.apache.cxf.xkms.x509.locator.FileLocator">org/jaxws"
      <constructor-arg valuexmlns:test="http://apache../conf/certs" />
   </bean>

   <bean id="fileRegisterHandler" class="org.apache.cxf.xkms.x509.handlers.FileRegisterHandler">
org/hello_world_soap_http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="
        http://cxf.apache.org/core
       <constructor-arg value="../conf/certs" /> http://cxf.apache.org/schemas/core.xsd
   </bean>

   <bean id="xkmsProviderBean" class="org.apache.cxf.xkms.service.XKMSService"> http://www.springframework.org/schema/beans
      <property name="validators">  http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
         <list>
http://cxf.apache.org/jaxws             <ref bean="dateValidator" />
         </list>
      </property>
      <property name="locators">
         <list>http://cxf.apache.org/schemas/jaxws.xsd
            <ref bean="x509FileLocator" />http://www.springframework.org/schema/util
         </list>http://www.springframework.org/schema/util/spring-util-2.0.xsd">


    <bean  </property>id="dateValidator" class="org.apache.cxf.xkms.x509.validator.DateValidator" />

    <bean  <property nameid="keyRegisterHandlerstrustedAuthorityValidator">
         <list>class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator">
            <ref bean="fileRegisterHandler<constructor-arg ref="certificateRepo" />
    </bean>

     </list>
<bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator">
        <constructor-arg ref="certificateRepo" </property>>
    </bean>

   <jaxws:endpoint <bean id="XKMSServicex509Register" xmlns:serviceNamespace="http://www.w3.org/2002/03/xkms#wsdl"

       serviceName="serviceNamespace:XKMSService" endpointName="serviceNamespace:XKMSPort" class="org.apache.cxf.xkms.x509.handlers.x509Register">
      implementor  <constructor-arg ref="#xkmsProviderBeancertificateRepo" address="/XKMS">
   </jaxws:endpoint>
 </bean>


    <!-- LDAP based implementation -->

    <bean id="certificateRepo"
        class="org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo">
        <constructor-arg ref="ldapServer" />
        <constructor-arg ref="ldapSchemaConfig" />
        <constructor-arg value="dc=example,dc=com" />
    </bean>

    <bean id="ldapServer" class="org.apache.cxf.xkms.x509.repo.ldap.LdapServer">
        <constructor-arg value="ldap://localhost:2389" />
        <constructor-arg value="cn=Directory Manager,dc=example,dc=com" />
        <constructor-arg value="test" />
        <constructor-arg value="2" />
    </bean>

    <bean id="ldapSchemaConfig" class="org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig">
        <property name="certObjectClass" value="inetOrgPerson" />
        <property name="attrUID" value="uid" />
        <property name="attrIssuerID" value="manager" />
        <property name="attrSerialNumber" value="employeeNumber" />
        <property name="attrCrtBinary" value="userCertificate;binary" />
        <property name="constAttrNamesCSV" value="sn" />
        <property name="constAttrValuesCSV" value="X509 certificate" />
        <property name="serviceCertRDNTemplate" value="cn=%s,ou=services" />
        <property name="serviceCertUIDTemplate" value="cn=%s" />
	<property name="trustedAuthorityFilter" value="(&#038;(objectClass=inetOrgPerson)(ou:dn:=CAs))" />
	<property name="intermediateFilter" value="(objectClass=inetOrgPerson)" />
    </bean>


    <!-- File based implementation -->

    <!-- bean id="certificateRepo"
        class="org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo">
        <constructor-arg value="../conf/certs" />
    </bean-->

</beans>
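Review bot: The `ldapServer` bean on the new side hard-codes what appear to be the directory bind credentials as literal constructor-arg values (`cn=Directory Manager,dc=example,dc=com` and `test`, at the second and third `<constructor-arg>` of that bean), alongside a plain `ldap://localhost:2389` URL. Since this repository is the trust source for certificate validation and location, the sample would be safer and more useful if the URL, bind DN and password came from an externalized property placeholder, e.g. `<constructor-arg value="${xkms.ldap.url}" />`, `<constructor-arg value="${xkms.ldap.bindDn}" />`, `<constructor-arg value="${xkms.ldap.password}" />`, with a comment that a read-only lookup account rather than a directory-manager account should be used and that `ldaps://` or StartTLS is expected in anything beyond a local test. The meaning of the fourth argument (`2`) is not explained anywhere in the section; a one-line comment above the bean saying what it configures would help readers. The surrounding prose below only names the validator and handler beans, so a sentence describing the `certificateRepo` / `ldapServer` / `ldapSchemaConfig` trio and the commented-out file alternative would round out the explanation.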

The dateValidator and trustedAuthorityValidator beans are implementations of the Validator interface for validity-date and trusted-chain validation. The x509Locator and x509Register beans are implementations of the Locator and Register interfaces for X.509 certificates.

Integration of the XKMS client into CXF security.

...