  • XWSS Security problem

    Hello,

    I developed a webservice using Spring WS. Now I'm trying to secure it
    by using Spring's XWSS support. After a bumpy ride I managed to
    make the client part sign the message and call the server side.
    Unfortunately I'm facing some problems: the server throws a quite
    strange exception:

    Code:
    INFO: Illegal access: this web application instance has been stopped already.  Could not load org.jcp.xml.dsig.internal.dom.DOMExcC14NMethod.  The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.
    java.lang.IllegalStateException
            at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1272)
            at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1232)
            at javax.xml.crypto.dsig.XMLDSigSecurity.doGetImpl(XMLDSigSecurity.java:171)
            at javax.xml.crypto.dsig.XMLDSigSecurity.getImpl(XMLDSigSecurity.java:143)
            at javax.xml.crypto.dsig.TransformService.findInstance(TransformService.java:204)
            at javax.xml.crypto.dsig.TransformService.getInstance(TransformService.java:130)
            at org.jcp.xml.dsig.internal.dom.DOMTransform.<init>(DOMTransform.java:55)
            at org.jcp.xml.dsig.internal.dom.DOMCanonicalizationMethod.<init>(DOMCanonicalizationMethod.java:44)
            at org.jcp.xml.dsig.internal.dom.DOMSignedInfo.<init>(DOMSignedInfo.java:118)
            at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(DOMXMLSignature.java:118)
            at org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:161)
            at org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:125)
            at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:354)
            at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:344)
            at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:83)
            at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:237)
            at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:805)
            at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:768)
            at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:235)
            at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:132)
            at org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.validateMessage(XwsSecurityInterceptor.java:160)
            at org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleRequest(AbstractWsSecurityInterceptor.java:104)
            at org.springframework.ws.server.MessageDispatcher.dispatch(MessageDispatcher.java:213)
            at org.springframework.ws.server.MessageDispatcher.receive(MessageDispatcher.java:168)
            at org.springframework.ws.transport.support.WebServiceMessageReceiverObjectSupport.handleConnection(WebServiceMessageReceiverObjectSupport.java:88)
            at org.springframework.ws.transport.http.WebServiceMessageReceiverHandlerAdapter.handle(WebServiceMessageReceiverHandlerAdapter.java:57)
            at org.springframework.ws.transport.http.MessageDispatcherServlet.doService(MessageDispatcherServlet.java:230)
            at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:523)
            at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:463)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
            at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
            at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
            at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
            at java.lang.Thread.run(Thread.java:595)
    14:43:35,483 WARN  [XwsSecurityInterceptor:256] Could not validate request: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.MarshalException: java.security.NoSuchAlgorithmException: class configured for TransformService: org.jcp.xml.dsig.internal.dom.DOMExcC14NMethod not a TransformService; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.MarshalException: java.security.NoSuchAlgorithmException: class configured for TransformService: org.jcp.xml.dsig.internal.dom.DOMExcC14NMethod not a TransformService
    Another strange thing is the loading of the truststore file on the server side. Even though I think everything should go smoothly, I found the following entries in the logs of the server application:

    Code:
    14:43:34,827  INFO http-8080-Processor25 KeyStoreFactoryBean:117 - Loading key store from ServletContext resource [/WEB-INF/security/truststore.jks]
    14:43:34,858  WARN http-8080-Processor25 KeyStoreFactoryBean:121 - Creating empty key store
    The configuration of the server:

    HTML Code:
    <bean class="org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping">
      <property name="mappings">
        <props>
          <prop key="{..}ProblemRequest">problemsEndpoint</prop>
        </props>
      </property>
      <property name="interceptors">
        <list>
          <bean class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor" />
          <ref local="wsSecurityInterceptor" />
        </list>
      </property>
    </bean>

    <bean id="wsSecurityInterceptor"
      class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
      <property name="policyConfiguration" value="/WEB-INF/security/securityPolicy.xml" />
      <property name="callbackHandlers">
        <list>
          <ref bean="keyStoreHandler" />
          <ref bean="certificateValidationHandler" />
        </list>
      </property>
    </bean>

    <bean id="keyStoreHandler"
      class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
      <property name="trustStore" ref="trustStore" />
    </bean>

    <bean id="trustStore"
      class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
      <property name="location" value="WEB-INF/security/truststore.jks" />
      <property name="password" value="password" />
    </bean>

    <bean id="certificateValidationHandler"
      class="org.springframework.ws.soap.security.xwss.callback.SpringCertificateValidationCallbackHandler">
      <property name="authenticationManager">
        <bean class="package.KAuthenticationManager" />
      </property>
    </bean>
    Security file:

    HTML Code:
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    	<xwss:RequireSignature requireTimestamp="false"/>
    </xwss:SecurityConfiguration> 

    I tried pretty much everything that came to mind; maybe you can give me a hand with this. Thanks a lot.

    OP

  • #2
    Extra info

    So... I managed to dig a little bit deeper... I would say the reason for my problem is that the KeyStoreBeanFactory is creating an empty key store.

    I added some extra logs... and it seems that the afterproperties method of the KeyStoreBeanFactory is called twice: once creating the needed keystore and the second time creating an empty one. My question now is WHY? You can see my configuration files in my previous post.

    If you have any ideas, please help... I'm going insane here.

    OP



    • #3
      Sorry, wish I could help.



      • #4
        Client side

        I added also the client side configuration and class.

        Security client:

        HTML Code:
            <xwss:SecurityConfiguration dumpMessages="true"  
              xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">  
                <xwss:Sign id="signature" includeTimestamp="false">  
                  <xwss:X509Token  certificateAlias="dortman"/>  
                </xwss:Sign>  
            </xwss:SecurityConfiguration>  
        Message signer:

        Code:
        import java.io.IOException;

        import javax.xml.soap.SOAPMessage;
        import javax.xml.transform.TransformerException;

        import org.springframework.core.io.Resource;
        import org.springframework.ws.WebServiceMessage;
        import org.springframework.ws.client.core.WebServiceMessageCallback;
        import org.springframework.ws.soap.saaj.SaajSoapMessage;
        import org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler;

        import com.sun.xml.wss.ProcessingContext;
        import com.sun.xml.wss.XWSSProcessor;
        import com.sun.xml.wss.XWSSProcessorFactory;
        import com.sun.xml.wss.XWSSecurityException;

        // Signs the outbound SOAP message with XWSS before it is sent. The class
        // header and fields were not in the post; implementing WebServiceMessageCallback
        // is assumed from the doWithMessage signature.
        public class MessageSigner implements WebServiceMessageCallback {

            private final XWSSProcessor xwssProcessor;
            private final ProcessingContext processingContext;

            public MessageSigner(Resource policyFile, KeyStoreCallbackHandler keystoreHandler)
                    throws Exception {
                XWSSProcessorFactory factory = XWSSProcessorFactory.newInstance();
                // The policy file is the client-side xwss:SecurityConfiguration shown above.
                xwssProcessor = factory.createProcessorForSecurityConfiguration(
                        policyFile.getInputStream(), keystoreHandler);
                processingContext = new ProcessingContext();
            }

            public void doWithMessage(WebServiceMessage wsMessage) throws IOException,
                    TransformerException {
                try {
                    System.out.println("Signing message!"); // TODO remove

                    SaajSoapMessage saajSoapMessage = (SaajSoapMessage) wsMessage;
                    SOAPMessage saajMessage = saajSoapMessage.getSaajMessage();
                    System.out.println("SAAJ message: " + saajMessage); // TODO remove

                    processingContext.setSOAPMessage(saajMessage);
                    SOAPMessage securedMessage = xwssProcessor.secureOutboundMessage(processingContext);
                    System.out.println("SECURED MESSAGE: " + securedMessage); // TODO remove

                    // Replace the plain message with the signed one.
                    saajSoapMessage.setSaajMessage(securedMessage);
                    System.out.println("Signed message"); // TODO remove
                } catch (XWSSecurityException e) {
                    // Rethrow rather than swallow: if signing fails, the unsigned
                    // message must not leave the client.
                    throw new IOException("Could not sign outbound message", e);
                }
            }
        }
        OP



        • #5
          creating empty keystore

          Originally posted by olimpiu.pop
          So... I managed to dig a little bit deeper... I would say the reason for my problem is that the KeyStoreBeanFactory is creating an empty key store.

          I added some extra logs... and it seems that the afterproperties method of the KeyStoreBeanFactory is called twice: once creating the needed keystore and the second time creating an empty one. My question now is WHY? You can see my configuration files in my previous post.

          If you have any ideas, please help... I'm going insane here.

          OP
          I have seen the creating empty keystore messages before, even when things were working. I have not traced through the code enough to figure out why it does this, but I don't think that is your problem.

          You have posted your server bean configuration here but not your client. Keep in mind that you must configure security interceptors, keystore handlers, etc. on BOTH the server and client sides. If you do not have a security interceptor on the client side, the cert will not be picked up and included with the web service request.



          • #6
            Empty truststore

            When no property pointing to the location of the truststore is provided, a default one will be used. In case the one provided by the JDK is not available, an empty keystore will be created.

            The client side code is also posted, but not in the same post as the server code, due to the size constraints. I think it is my last post on the thread. Anyway, I started using wss4j too; it seems that it is more reliable.

            Maybe you can give a few hints on how to use WSS4J in order to obtain message encryption and signature. For signature it works and now I just
            started to work with the encryption.

            The part of the client not posted yet:

            HTML Code:
            <bean id="commonsSender"
              class="org.springframework.ws.transport.http.CommonsHttpMessageSender" />

            <bean id="wsClient" class="test.WSClient">
              <property name="endpointUri" value="http://localhost:8080/simpleportlet/services" />
              <property name="messageSigner" ref="messageSigner" />
              <property name="interceptors">
                <list>
                  <ref bean="xwsSecurityInterceptor" />
                </list>
              </property>
            </bean>

            <bean id="xwsSecurityInterceptor"
              class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
              <property name="policyConfiguration" value="securityPolicy.xml" />
              <property name="callbackHandlers">
                <list>
                  <ref bean="keyStoreHandler" />
                </list>
              </property>
            </bean>

            <bean id="keyStoreHandler"
              class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
              <property name="keyStore" ref="keyStore" />
              <property name="privateKeyPassword" value="password" />
            </bean>

            <bean id="keyStore"
              class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
              <property name="password" value="password" />
              <property name="location" value="keystore.jks" />
            </bean>

            <bean id="messageSigner" class="test.MessageSigner">
              <constructor-arg value="securityPolicy.xml" />
              <constructor-arg>
                <bean class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
                  <property name="keyStore">
                    <bean class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
                      <property name="location" ref="signatureKeyStoreFile" />
                      <property name="password" value="password" />
                    </bean>
                  </property>
                  <property name="trustStore">
                    <bean class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
                      <property name="location" ref="signatureKeyStoreFile" />
                      <property name="password" value="password" />
                    </bean>
                  </property>
                  <property name="defaultAlias" value="wsClient" />
                  <property name="privateKeyPassword" value="password" />
                </bean>
              </constructor-arg>
            </bean>
            Thanks!

            OP
            Last edited by olimpiu.pop; Jul 22nd, 2009, 09:58 AM.


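The "Creating empty key store" warning discussed in the posts above is only logged, so a truststore location that does not resolve is first noticed when signature validation fails on a real request. As an added example (not code from the thread or from Spring-WS), a small InitializingBean that fails deployment when the truststore wired into KeyStoreCallbackHandler has no trusted certificates or lacks the expected anchor; the package name and the alias value are assumptions.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

import org.springframework.beans.factory.InitializingBean;

/**
 * Added example (not from the thread or from Spring-WS): aborts application
 * start-up when the truststore handed to KeyStoreCallbackHandler is empty or
 * does not contain the expected trust anchor. KeyStoreFactoryBean logs
 * "Creating empty key store" and continues, so without a check like this the
 * misconfiguration surfaces only when the first signed request is rejected.
 *
 * Wiring next to the "trustStore" bean of the server configuration
 * (package name and alias are assumptions, not values from the thread):
 *
 *   <bean class="example.TrustStoreSanityCheck">
 *     <property name="trustStore" ref="trustStore" />
 *     <property name="expectedAlias" value="hrworxRootCA" />
 *   </bean>
 */
public class TrustStoreSanityCheck implements InitializingBean {

    private KeyStore trustStore;
    private String expectedAlias;

    public void setTrustStore(KeyStore trustStore) {
        this.trustStore = trustStore;
    }

    public void setExpectedAlias(String expectedAlias) {
        this.expectedAlias = expectedAlias;
    }

    // Spring calls this once the properties above are injected; throwing here
    // stops the context instead of deploying with an unusable truststore.
    public void afterPropertiesSet() throws Exception {
        check(trustStore, expectedAlias);
    }

    /**
     * Returns the number of trusted-certificate entries and throws if the store
     * is empty, the expected anchor is missing, or the anchor is not currently
     * valid. Key entries are ignored on purpose: a private key in a truststore
     * is a separate misconfiguration, not a trust anchor.
     */
    public static int check(KeyStore ks, String expectedAlias)
            throws KeyStoreException, CertificateException {
        if (ks == null) {
            throw new IllegalStateException("trustStore property not set");
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                trusted++;
            }
        }
        if (trusted == 0) {
            throw new IllegalStateException("truststore has no trusted-certificate entries; "
                    + "the 'location' was probably not resolved (see 'Creating empty key store')");
        }
        if (!ks.isCertificateEntry(expectedAlias)) {
            throw new IllegalStateException("expected trust anchor '" + expectedAlias
                    + "' is not a trusted-certificate entry in the truststore");
        }
        Certificate c = ks.getCertificate(expectedAlias);
        if (!(c instanceof X509Certificate)) {
            throw new IllegalStateException("trust anchor '" + expectedAlias + "' is not X.509");
        }
        // Throws CertificateExpiredException or CertificateNotYetValidException.
        ((X509Certificate) c).checkValidity();
        return trusted;
    }
}
```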

            • #7
              wss4j configuration

              Here is the wss4j configuration that I have working. Note that the order in which you specify the operations, (sign, timestamp, encrypt) etc. makes a difference.

              You may also want to use the optional securementEncryptionParts if you do not want to encrypt the entire message body. During playing with this, there were times when I wound up encrypting parts of the message that were needed for the processing of the message, which broke everything. SSL is a *lot* of trial and error.
              <!--
              <property name="securementEncryptionParts"
              value="{Content}{http://hrworx.com}CreateAccountRequest" />
              -->

              I also strongly recommend that you go to the documentation and read the section on endpoint mappings carefully. There are a bunch of different ones and they work very differently. I spent a lot of time first working with PayloadRootQNameEndpointMapping only to discover that it did not meet my needs. The example below uses SimpleActionEndpointMapping, but that also has pros and cons, especially with regard to the version of SOAP supported.

              Good luck,
              Bob

              Client side:
              Code:
               
              <beans xmlns="http://www.springframework.org/schema/beans"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://www.springframework.org/schema/beans
                  http://www.springframework.org/schema/beans/spring-beans.xsd">

                <bean id="wsclientFolder-wss4j"
                  class="com.hrworx.formworx.ws.client.folder.FolderWebClientImpl">
                  <property name="defaultUri"
                    value="http://localhost:8080/formworx-ws/folderService" />
                  <property name="soapAction" value="http://hrworx.com/CreateNewAccount"/>
                  <property name="marshaller" ref="marshaller" />
                  <property name="unmarshaller" ref="marshaller" />
                  <property name="interceptors">
                    <list>
                      <ref bean="wsSecurityInterceptor-wss4j" />
                    </list>
                  </property>
                </bean>
                     
               
                <bean id="marshaller" class="org.springframework.oxm.xmlbeans.XmlBeansMarshaller" />
                <!-- WSS4J -->
              
                <bean id="wsSecurityInterceptor-wss4j"
                  class="com.hrworx.formworx.ws.client.FormworxWss4jSecurityInterceptor">
                  <property name="securementActions" value="Encrypt Timestamp Signature" />
                  <property name="securementEncryptionCrypto" ref="keyStore-wss4j" />
                  <property name="securementEncryptionKeyIdentifier" value="DirectReference" />
                  <property name="securementEncryptionUser" value="hrworxserver" />
              
                  <property name="securementUsername" value="hrworxclient" />
                  <property name="securementPassword" value="xxx" />
                  <property name="securementSignatureCrypto" ref="keyStore-wss4j" />
                  <property name="securementMustUnderstand" value="false" />
                  <property name="securementSignatureKeyIdentifier" value="DirectReference" />
              
                  <property name="enableSignatureConfirmation" value="false" />
                  <property name="validationActions" value="Encrypt Timestamp Signature" />
                  <property name="timestampStrict" value="true" />
                  <property name="timeToLive" value="10" />
                  <property name="validationSignatureCrypto" ref="keyStore-wss4j" />
                  <property name="validationDecryptionCrypto" ref="keyStore-wss4j" />
                  <property name="validationCallbackHandler" ref="decryptionCallbackHandler" />
                </bean>
              
                <bean id="keyStore-wss4j"
                  class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
                  <property name="keyStorePassword" value="xxx" />
                  <property name="keyStoreLocation" value="classpath:/hrworx_client.jks" />
                </bean>
              
                <bean id="decryptionCallbackHandler"
                  class="com.hrworx.formworx.ws.FormworxDecryptionPasswordCallbackHandler">
                  <property name="username" value="hrworxclient" />
                  <property name="password" value="xxx" />
                </bean>
               
              </beans>
              Server side:
              Code:
               <bean id="folderEndpoint" class="com.hrworx.formworx.ws.endpoint.folder.FolderEndpoint">
                  <property name="entitiesService">
                    <ref bean="serviceEntities" />
                  </property>
                  <property name="folderService">
                    <ref bean="serviceFolder" />
                  </property>
                  <property name="marshaller" ref="marshaller" />
                  <property name="unmarshaller" ref="marshaller" />
                </bean>
              
                
                <bean
                  class="org.springframework.ws.soap.addressing.server.SimpleActionEndpointMapping">
                  <property name="mappings">
                    <props>
                      <prop key="http://hrworx.com/CreateNewAccount">folderEndpoint</prop>
                    </props>
                  </property>
                  <property name="preInterceptors">
                    <list>
                      <ref local="wsSecurityInterceptor-wss4j" />
                      <bean
                        class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor" />
                    </list>
                  </property>
                </bean>
              
              
                <bean id="folderWebService"
                  class="org.springframework.ws.wsdl.wsdl11.DynamicWsdl11Definition">
                  <property name="builder">
                    <bean
                      class="org.springframework.ws.wsdl.wsdl11.builder.XsdBasedSoap11Wsdl4jDefinitionBuilder">
                      <property name="schema"
                        value="classpath:com/hrworx/formworx/model/xsd/AccountService.xsd" />
                      <property name="portTypeName" value="Folder" />
                      <property name="locationUri" value="/folderService/" />
                      <property name="targetNamespace" value="http://hrworx.com/definitions" />
                    </bean>
                  </property>
                </bean>
              
              
                <bean id="marshaller" class="org.springframework.oxm.xmlbeans.XmlBeansMarshaller" />
              
                <!-- Security -->
              
                <!--WSS4J  -->
              
              
                <bean id="wsSecurityInterceptor-wss4j"
                  class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
                  <property name="validationActions" value="Encrypt Timestamp Signature" />
                  <property name="timestampStrict" value="true" />
                  <property name="timeToLive" value="10" />
                  <property name="validationSignatureCrypto" ref="keyStore-wss4j" />
                  <property name="validationDecryptionCrypto" ref="keyStore-wss4j" />
                  <property name="validationCallbackHandler" ref="decryptionCallbackHandler" />
              
                  <property name="enableSignatureConfirmation" value="true" />
              
                  <property name="securementActions" value="Encrypt Timestamp Signature" />
                  <property name="securementEncryptionCrypto" ref="keyStore-wss4j" />
                  <property name="securementEncryptionKeyIdentifier" value="DirectReference" />
                  <property name="securementEncryptionUser" value="hrworxclient" />
                  <property name="securementEncryptionParts"
                    value="{Content}{http://hrworx.com}CreateAccountResponse" />
                  <property name="securementUsername" value="hrworxserver" />
                  <property name="securementPassword" value="xxx" />
                  <property name="securementSignatureCrypto" ref="keyStore-wss4j" />
                  <property name="securementMustUnderstand" value="false" />
                  <property name="securementSignatureKeyIdentifier" value="DirectReference" />
                </bean>
              
                <bean id="keyStore-wss4j"
                  class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
                  <property name="keyStorePassword" value="xxx" />
                  <property name="keyStoreLocation" value="classpath:hrworx_server.jks" />
                </bean>
              
                <bean id="decryptionCallbackHandler"
                  class="com.hrworx.formworx.ws.FormworxDecryptionPasswordCallbackHandler">
                  <property name="username" value="hrworxserver" />
                  <property name="password" value="xxx" />
                </bean>



              • #8
                Thanks and another question :P

                Thanks for the samples, they helped me a lot. Although I have yet
                another couple of questions:

                1. Why did you provide a custom-made callbackHandler?

                com.hrworx.formworx.ws.FormworxDecryptionPasswordCallbackHandler

                2. I had some problems with the encryption/decryption part; from
                the exceptions I came to the conclusion that the key is not the
                appropriate one. So can you please tell me how you created
                your keys?

                Thank you once again!

                Have a nice week-end,

                OP



                • #9
                  Becoming your own SSL Certificate Authority (CA)

                  OP,


                  1. See the javadoc for org.springframework.ws.soap.security.wss4j.callback.AbstractWsPasswordCallbackHandler for details.

                  2. You are correct, the keystore configuration has changed since the original post way back when (Original Keystore Configuration). Although it should work to have the client and server use the same keystore, in real life that is not the way you would typically want to do it. We decided that for our current purposes we would be our own certificate authority, and the instructions below describe that process. The other option would be to get your certs from a commercial CA such as Verisign, or use certs provided by your customer/client etc., in which case you would have to make appropriate changes to the procedure at various points.

                  A really useful open source tool (I would actually say essential) if you want to be your own CA is OpenSSL. It comes bundled with most unix/linux distributions including Mac OS X, which I use, but you may have to download it if you are using that other OS.

                  If you choose to be your own CA, protecting the private keys is essential. If you don't, the certs mean nothing. Of course, you must change names of aliases and other artifacts to match your environment.


                  Good luck,
                  Bob


                  Code:
                  Set up OpenSSL to work in our local directory. This means creating a database file named index.cnf,
                  and bringing over the serial file. These steps have already been done.
                  
                  
                  From the command line in the CA root directory ([WORKSPACE_HOME]/formworx-ws/src/docs/certificate_authority):
                  
                   Create the CA (Certificate Authority)  Note: you only do this once.
                   ===================================================================
                   create the raw cert
                    openssl req -x509 -days 3650 -newkey rsa:1024 -keyout ca/private/hrworxRootCA_key.pem -out ca/hrworxRootCA.pem 
                   
                   convert the cert into a form that can be imported into a keystore
                    openssl x509 -outform DER -in ca/hrworxRootCA.pem -out ca/hrworxRootCA.cert
                   
                  Create the server keystore:
                  ===========================================================================
                  
                  
                  you have to create a cert to create a keystore; this will be our server cert
                   /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -genkey -alias hrworxserver -keyalg RSA -keystore server/hrworx_server.jks -dname "CN=hrworxserver,OU=Corporate,O=HRWorX LLC,L=Sterling,S=Virginia,C=US"  -keypass xxx -storepass xxx
                  
                  Create a signing request to get a signed cert from our CA:
                  =========================================================================================
                   /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -certreq -v -alias hrworxserver -file server/hrworxserver_csr.pem -keypass xxx -storepass xxx -keystore server/hrworx_server.jks
                  
                  
                  Import the CA public cert that we created in the previous step:
                  =========================================================================================
                   /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -import -trustcacerts -noprompt -file ca/hrworxRootCA.cert -alias hrworxRootCA -keystore server/hrworx_server.jks -storepass xxx
                  
                  Sign the cert
                  ===================================================================
                   openssl ca -config openssl.cnf -out ca/signing/signed_hrworxserver.pem -infiles server/hrworxserver_csr.pem 
                  
                  Convert the format so it can be imported
                   openssl x509 -outform DER -in ca/signing/signed_hrworxserver.pem -out ca/signing/signed_hrworxserver.cert
                  
                  
                  Import the signed SERVER certificate into the keystore
                  ==================================================================
                   /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -import -v -alias hrworxserver -file ca/signing/signed_hrworxserver.cert -keystore server/hrworx_server.jks -keypass xxx -storepass xxx
                  
                  Inspect the results
                  ==================================================================
                   /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -list -v -keystore server/hrworx_server.jks -storepass xxx
                  
                  
                  
                  
                  
                   ***************************************************************************
                   ===========================================================================
                   ***************************************************************************
                   ===========================================================================
                    
                   
                  The following steps are repeated for each new party to whom you wish to issue certificates:
                  
                  From the command line in the CA root directory ([WORKSPACE_HOME]/formworx-ws/src/docs/certificate_authority):
                  
                  
                  Create a new client key in the keystore
                  =================================================================
                  By convention the alias for this key here will match the common name that you use in creating the cert, but
                  it does not have to if there is a business reason to do otherwise.
                  
                  IMPORTANT: For the Common Name (CN) you MUST use the login username of a user in the formworx system.
                  When this cert is sent to formworx, the user will be authenticated to the system based on the Common Name
                  
                  /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -genkey -alias hrworxclient -keyalg RSA -dname "CN=hrworxclient,OU=Corporate,O=HRWorX LLC,L=Sterling,S=Virginia,C=US" -keystore client/hrworx_client.jks -keypass xxx -storepass xxx 
                  
                   
                  Create a signing request for that cert
                  =========================================================================================
                   /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -certreq -v -alias hrworxclient -file client/hrworxclient_csr.pem -keypass xxx -storepass xxx -keystore client/hrworx_client.jks
                  
                  Sign the cert
                  ===================================================================
                   openssl ca -config openssl.cnf -out ca/signing/signed_hrworxclient.pem -infiles client/hrworxclient_csr.pem 
                  
                  Convert the format so it can be imported
                   openssl x509 -outform DER -in ca/signing/signed_hrworxclient.pem -out ca/signing/signed_hrworxclient.cert
                  
                  Import the CA public cert that we created in the previous step:
                  =========================================================================================
                   /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -import -trustcacerts -noprompt -file ca/hrworxRootCA.cert -alias hrworxRootCA -keystore client/hrworx_client.jks -storepass xxx
                  
                  Import the signed CLIENT certificate into the keystore
                  ==================================================================
                   /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -import -v -alias hrworxclient -file ca/signing/signed_hrworxclient.cert -keystore client/hrworx_client.jks -keypass xxx -storepass xxx
                  
                  Import the signed SERVER certificate into the keystore
                  ==================================================================
                   /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -import -v -alias hrworxserver -file ca/signing/signed_hrworxserver.cert -keystore client/hrworx_client.jks -keypass xxx -storepass xxx
                   
                   Import the signed CLIENT certificate into the SERVER keystore
                  ==================================================================
                   /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -import -v -alias hrworxclient -file ca/signing/signed_hrworxclient.cert -keystore server/hrworx_server.jks -keypass xxx -storepass xxx
                  
                  
                  
                  Inspect the results
                  ==================================================================
                   /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin/keytool -list -v -keystore client/hrworx_client.jks -storepass xxx

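The procedure posted above ends by importing the signed client certificate into the server keystore and notes that the user is authenticated from the certificate's Common Name. Two things a practitioner will want to check on the server side before trusting that CN: that the presented certificate actually chains to hrworxRootCA (an end-entity certificate that merely sits in the keystore as a trusted entry is not a CA and should not act as a trust anchor), and that the CN is taken from a parsed DN rather than by searching the DN string for "CN=". The following is an added example written for this thread, not code from the original post, from XWSS or from Spring-WS. It assumes Java 7 or later, the file names and the placeholder password "xxx" used in the post, and a hypothetical class name ClientCertPrincipal; revocation checking is disabled because the posted CA setup issues no CRL, which is itself a limitation of that setup.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (hypothetical class, not part of the thread's project): validates a client
 * certificate against the CA entries of the server keystore built by the posted procedure,
 * then maps the certificate's CN to a formworx login name.
 */
public class ClientCertPrincipal {

    /** Trust anchors: only trusted-certificate entries that are CAs (basicConstraints CA:TRUE). */
    static Set<TrustAnchor> caAnchors(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            // getBasicConstraints() is -1 for end-entity certificates, so the client cert the
            // procedure imports under alias hrworxclient never becomes its own anchor
            if (c.getBasicConstraints() >= 0) anchors.add(new TrustAnchor(c, null));
        }
        if (anchors.isEmpty()) throw new IllegalStateException("no CA certificate in keystore");
        return anchors;
    }

    /** PKIX validation: signature by an anchor, validity period, basic constraints. */
    static void validate(X509Certificate clientCert, Set<TrustAnchor> anchors) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: the posted CA publishes no CRL
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    /** Takes the single CN RDN from an RFC 2253 parse of the subject, never by substring search. */
    static String commonName(X509Certificate cert) throws Exception {
        String rfc2253 = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        LdapName dn = new LdapName(rfc2253);
        String cn = null;
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                if (cn != null) throw new IllegalArgumentException("more than one CN in " + rfc2253);
                cn = rdn.getValue().toString();
            }
        }
        if (cn == null || cn.length() == 0) throw new IllegalArgumentException("no CN in " + rfc2253);
        return cn;
    }

    public static void main(String[] args) throws Exception {
        // defaults follow the file layout of the posted procedure
        String ksPath = args.length > 0 ? args[0] : "server/hrworx_server.jks";
        String ksPass = args.length > 1 ? args[1] : "xxx";
        String certFile = args.length > 2 ? args[2] : "ca/signing/signed_hrworxclient.cert";

        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream ksIn = new FileInputStream(ksPath);
        try { ks.load(ksIn, ksPass.toCharArray()); } finally { ksIn.close(); }

        X509Certificate clientCert;
        InputStream certIn = new FileInputStream(certFile); // DER or PEM both parse here
        try {
            clientCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certIn);
        } finally { certIn.close(); }

        try {
            validate(clientCert, caAnchors(ks));
        } catch (CertPathValidatorException e) {
            System.err.println("REJECT: certificate does not chain to a trusted CA: " + e.getMessage());
            System.exit(1);
        }
        System.out.println("ACCEPT: authenticated as user " + commonName(clientCert));
    }
}
```

Run it from the CA root directory after the posted steps, for example `java ClientCertPrincipal server/hrworx_server.jks xxx ca/signing/signed_hrworxclient.cert`; a certificate signed by any other CA, or one whose validity period has lapsed, is rejected before its CN is ever read. The PKIX path is built from the client certificate alone because the posted CA has no intermediate; if one is added later, include it in the list passed to generateCertPath.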


                  • #10
                    10x again

                    10q for the reply.

                    OP
