Implementing WS-Security with Java and WSS4J : Page 2

Many organizations have now implemented solutions based on the promise of Web services, exposing those services over the Internet to enjoy maximum exposure—which then leaves them with the dilemma of securing their services to protect data and other resources. Find out how to use Java and Apache's Web Services Security for Java (WSS4J) framework to secure your Web services.

Keystores and the Java Keytool Utility
Because the WS-Security specification depends on the use of encryption keys and certificates, it's useful to discuss a mechanism to generate and maintain them.

You can use the Java keytool utility, which ships with the JDK, to generate public/private key-pairs and certificates and maintain them in a password-protected keystore so that your Java programs can use them. A keystore is a standard, password-protected repository for storing and transporting keys and certificates securely; PKCS#12 is one keystore format, and the JDK's own JKS format (the type reported in the listings below) is another.

Creating a Keystore and Key-Pair
The keytool utility can generate a key-pair. Typically, you generate two key-pairs so that one supplies the private key while the other's certificate/public-key is used alongside it; therefore, execute keytool with the -genkey option twice, and store each key-pair in a separate keystore.

Here's how to use the keytool utility to generate the key-pair that will serve as the private key.

Author's Note: Enter the command lines shown below on a single line.

%JAVA_HOME%\bin\keytool -genkey -alias privkey -keystore privkeystore -dname "cn=privkey" -keypass foobar -storepass foobar

To generate the key-pair to use as a certificate/public-key, use this command (again, enter the entire command on a single line).

%JAVA_HOME%\bin\keytool -genkey -alias pubcert -keystore pubcertkeystore -dname "cn=pubcert" -keypass foobar -storepass foobar

The preceding commands

  • generate separate key-pairs
  • store the key-pairs in separate keystores
  • specify passwords for the keys and the keystores
  • specify the alias/name for each key-pair
  • specify the common name (sometimes referred to as the distinguished name) by which each key-pair will be known within each keystore.

To examine the contents of a keystore, execute the keytool utility with the -list option. For example, to examine the contents of the first keystore (privkeystore) created earlier, use:

%JAVA_HOME%\bin\keytool -list -keystore privkeystore
Enter keystore password: foobar

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

privkey, Jul 25, 2005, keyEntry,
Certificate fingerprint (MD5): A1:FA:99:E2:A7:E8:1A:FB:D8:B7:87:91:D1:0E:9C:F8

Now, look at the pubcert certificate keystore:

%JAVA_HOME%\bin\keytool -list -keystore pubcertkeystore
Enter keystore password: foobar

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

pubcert, Jul 25, 2005, keyEntry,
Certificate fingerprint (MD5): 99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62

To examine the certificate belonging to a key in detail, you can use the keytool utility to export it to the console in RFC 1421 (PEM) format using the -rfc option, as follows:

%JAVA_HOME%\bin\keytool -export -keystore privkeystore -alias privkey -storepass foobar -rfc

You'll see output on the console similar to the following:

-----BEGIN CERTIFICATE-----
MIIBlTCB/wIEQuWjhTANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwd0ZXN
0a2V5MB4XDTA1MDcyNjAyNDQyMVoXDTA1MTAyNDAyNDQyMVowEjEQMA4GA1
UEAxMHdGVzdGtleTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAz/HFY
xicr+vonubY3rgnJFdl6OsvbinR2L54U7WKHNz2w7w3cOvTMGqop/xQtePx
k3hXIJFs27OBC28Y8jRKYdgGDYMVU5/V0ddlGQUgfU7Xy9jdIPm61ayu3QH
9LcXYSzVfHNeL3HHRcJV3jSwRs1K/vIVZKLNnBRufe2kORK0CAwEAATANBg
kqhkiG9w0BAQQFAAOBgQBWAoAzG5B54dNUt7t3iU98Dre0EI9JkEn8HYiix
oJxs1SmI/vESDbuAJY9EbjlPnvhHrgZL3rtb8twwzHwbLhnxVeV/LRk2C2e
ghkPPEklp3w+UVv5U3dsvoR6LO4z3fTjnc+YbMG0Iss5gkwxJqYy/6qeyYY
3EGoxl8Ehyu/hOw==
-----END CERTIFICATE-----
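The following Java program is an added example, not code from the article or from WSS4J. It loads the two keystores created by the keytool commands above (assumed to exist in the current directory with the aliases and the password foobar used there), reproduces from the Java KeyStore API what the -list and -export -rfc commands print (the certificate fingerprint and the PEM text), and then does what WS-Security signing ultimately relies on: sign data with the private key from privkeystore and verify it with a certificate's public key. The payload string, the class name and the SHA-256 fingerprint (which newer keytool versions print in place of the MD5 shown in the article's 2005 output) are my additions; the program assumes Java 9 or later for KeyStore.getInstance(File, char[]), which detects JKS or PKCS#12 from the file itself.

```java
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.util.Base64;

/** Added example: reads the keystores created with keytool and uses them to sign and verify. */
public class KeystoreDemo {

    // Same password that the keytool commands pass as -keypass and -storepass (assumed).
    static final char[] PASSWORD = "foobar".toCharArray();

    /** Fingerprint as "keytool -list" prints it: a digest of the DER-encoded certificate. */
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** PEM (RFC 1421) text as "keytool -export -rfc" prints it: Base64 DER in 64-column lines. */
    static String toPem(Certificate cert) throws Exception {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                            .encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n";
    }

    /** Picks a SHA-256 signature algorithm matching the key type keytool generated. */
    static String signatureAlgorithmFor(java.security.Key key) {
        String alg = key.getAlgorithm();          // "RSA", "DSA" or "EC"
        return "SHA256with" + ("EC".equals(alg) ? "ECDSA" : alg);
    }

    static boolean verify(PublicKey key, byte[] payload, byte[] sig, String algorithm) throws Exception {
        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(key);
        verifier.update(payload);
        try {
            return verifier.verify(sig);
        } catch (SignatureException e) {
            // A signature made by a different key-pair can also surface as a malformed block.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Load both keystores; the file format (JKS here, or PKCS#12) is detected automatically.
        KeyStore signerStore   = KeyStore.getInstance(new File("privkeystore"), PASSWORD);
        KeyStore verifierStore = KeyStore.getInstance(new File("pubcertkeystore"), PASSWORD);

        // The signer needs its private key (unlocked with the -keypass value) ...
        PrivateKey privateKey = (PrivateKey) signerStore.getKey("privkey", PASSWORD);
        // ... and the self-signed certificate keytool stored alongside it.
        Certificate signerCert = signerStore.getCertificate("privkey");

        System.out.println("privkey fingerprint (MD5):     " + fingerprint(signerCert, "MD5"));
        System.out.println("privkey fingerprint (SHA-256): " + fingerprint(signerCert, "SHA-256"));
        System.out.print(toPem(signerCert));

        // Sign a constructed payload standing in for a SOAP body.
        byte[] payload = "<soap:Body>order 42</soap:Body>".getBytes(StandardCharsets.UTF_8);
        String algorithm = signatureAlgorithmFor(privateKey);
        Signature signer = Signature.getInstance(algorithm);
        signer.initSign(privateKey);
        signer.update(payload);
        byte[] sig = signer.sign();

        // Verification needs only a certificate's public key, never the private key.
        boolean okSameCert  = verify(signerCert.getPublicKey(), payload, sig, algorithm);
        boolean okOtherCert = verify(verifierStore.getCertificate("pubcert").getPublicKey(),
                                     payload, sig, algorithm);
        System.out.println("verified with privkey's certificate: " + okSameCert);   // true
        System.out.println("verified with pubcert's certificate: " + okOtherCert);  // false
    }
}
```

Compile and run it from the directory holding the two keystores (javac KeystoreDemo.java && java KeystoreDemo). The second verification fails because pubcert is an unrelated key-pair: a recipient can only verify a signature with the certificate of the key that produced it, which is why the certificate, and only the certificate, is what you hand to the other side of a WS-Security exchange.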
