Implementing WS-Security with Java and WSS4J : Page 2

Many organizations have now implemented solutions based on the promise of Web services, exposing those services over the Internet to enjoy maximum exposure—which then leaves them with the dilemma of securing their services to protect data and other resources. Find out how to use Java and Apache's Web Services Security for Java (WSS4J) framework to secure your Web services.

Keystores and the Java Keytool Utility
Because the WS-Security specification depends on the use of encryption keys and certificates, it's useful to discuss a mechanism to generate and maintain them.

You can use the Java keytool utility, which ships with the JDK, to generate public/private key-pairs and certificates and maintain them in a password-protected keystore so that your Java programs can use them. A keystore is a standard, password-protected repository, also known as PKCS#12, which you can use to store and transport keys and certificates securely.

Creating a Keystore and Key-Pair
The keytool utility can generate a key-pair. Typically, you generate two key-pairs so that the certificate/public key of one can be used with the other; therefore, execute keytool with the -genkey option twice, and store each key-pair in its own keystore.

Here's how to use the keytool utility to generate a key-pair as a private key.

Author's Note: Enter the command lines shown below on a single line.

   %JAVA_HOME%\bin\keytool -genkey -alias privkey 
       -keystore privkeystore -dname "cn=privkey" 
       -keypass foobar -storepass foobar
To generate a key-pair to use as a certificate/public-key, use this command (again, enter the entire command on a single line).

   %JAVA_HOME%\bin\keytool -genkey -alias pubcert 
      -keystore pubcertkeystore -dname "cn=pubcert" 
      -keypass foobar -storepass foobar
The preceding commands:

  • generate separate key-pairs
  • store the key-pairs in separate keystores
  • specify passwords for the keys and the keystores
  • specify the alias/name for each key-pair
  • specify the common name (sometimes referred to as the distinguished name) by which each key-pair will be known within each keystore.
To examine the contents of a keystore, execute the keytool utility with the -list option. For example, to examine the contents of the first keystore created earlier (privkeystore), use:

   %JAVA_HOME%\bin\keytool -list -keystore privkeystore
   Enter keystore password:  foobar
   Keystore type: jks
   Keystore provider: SUN
   Your keystore contains 1 entry
   privkey, Jul 25, 2005, keyEntry,
   Certificate fingerprint (MD5): 
Now, look at the pubcert certificate keystore:

   %JAVA_HOME%\bin\keytool -list -keystore pubcertkeystore
   Enter keystore password:  foobar
   Keystore type: jks
   Keystore provider: SUN
   Your keystore contains 1 entry
   pubcert, Jul 25, 2005, keyEntry,
   Certificate fingerprint (MD5): 
To examine a key in detail, you can use the keytool utility to display it to the console in RFC 1421 format using the -rfc option, as follows:

   %JAVA_HOME%\bin\keytool -export -keystore privkeystore 
      -alias privkey -storepass foobar -rfc
You'll see output on the console similar to the following:

   -----END CERTIFICATE-----
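The keytool commands above show how an administrator inspects a keystore; a WSS4J-based service reaches the same keys through the java.security.KeyStore API at run time. The following program is an added example (not code from the article or from WSS4J) that performs the -list and -export -rfc steps programmatically against the keystores created above. It assumes the file names, aliases and the "foobar" password from the article, and the "jks" type shown in the article's -list output. One deliberate difference: the fingerprint is computed with SHA-256 rather than the MD5 shown in the keytool output, because MD5 is no longer collision-resistant and an MD5 fingerprint cannot be relied on to identify a certificate; the method accepts the algorithm name so either can be requested.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;

/**
 * Added example: inspects a keystore the way "keytool -list" and
 * "keytool -export -rfc" do, but from Java.
 * Assumed values (from the article): keystore file "privkeystore",
 * alias "privkey", store password "foobar", keystore type "jks".
 */
public class KeystoreInspector {

    /** Loads a password-protected keystore of the given type (for example "jks"). */
    public static KeyStore load(String path, String type, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            // A wrong store password fails the keystore integrity check and throws IOException.
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Equivalent of "keytool -list": alias, creation date and entry kind for every entry. */
    public static List<String> listEntries(KeyStore ks) throws Exception {
        List<String> lines = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "keyEntry" : "trustedCertEntry";
            lines.add(alias + ", " + ks.getCreationDate(alias) + ", " + kind);
        }
        return lines;
    }

    /** Colon-separated hex fingerprint of the certificate under alias ("SHA-256" or "MD5"). */
    public static String fingerprint(KeyStore ks, String alias, String algorithm) throws Exception {
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + alias);
        }
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Equivalent of "keytool -export -rfc": the certificate as a PEM block (RFC 1421 style). */
    public static String exportPem(KeyStore ks, String alias) throws Exception {
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + alias);
        }
        // MIME encoder wraps the Base64 body at 64 characters, as keytool -rfc does.
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n";
    }

    public static void main(String[] args) throws Exception {
        // Usage: java KeystoreInspector <keystore> <alias> <storepass>
        // e.g.   java KeystoreInspector privkeystore privkey foobar
        String path = args.length > 0 ? args[0] : "privkeystore";
        String alias = args.length > 1 ? args[1] : "privkey";
        char[] pass = (args.length > 2 ? args[2] : "foobar").toCharArray();

        KeyStore ks = load(path, "jks", pass);
        System.out.println("Keystore type: " + ks.getType()
                + ", provider: " + ks.getProvider().getName());
        System.out.println("Your keystore contains " + ks.size() + " entry(ies)");
        for (String line : listEntries(ks)) {
            System.out.println(line);
        }
        System.out.println("Certificate fingerprint (SHA-256): " + fingerprint(ks, alias, "SHA-256"));
        System.out.print(exportPem(ks, alias));
    }
}
```

Run it from the directory containing the keystore, after compiling with javac. The password is taken from the command line here rather than embedded in the source so that the same class can be pointed at pubcertkeystore (alias pubcert) without editing it; in a deployed service the store password would normally come from configuration rather than from an argument visible in the process list.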
