Implementing WS-Security with Java and WSS4J : Page 2

Many organizations have now implemented solutions based on the promise of Web services, exposing those services over the Internet to enjoy maximum exposure—which then leaves them with the dilemma of securing their services to protect data and other resources. Find out how to use Java and Apache's Web Services Security for Java (WSS4J) framework to secure your Web services.

Keystores and the Java Keytool Utility
Because the WS-Security specification depends on the use of encryption keys and certificates, it's useful to discuss a mechanism to generate and maintain them.

You can use the Java keytool utility, which ships with the JDK, to generate public/private key-pairs and certificates and to maintain them in a password-protected keystore so that your Java programs can use them. A keystore is a standard, password-protected repository (the PKCS#12 format is one such standard; the keystores created below use the JDK's JKS type) in which you can store and transport keys and certificates securely.

Creating a Keystore and Key-Pair
The keytool utility generates one key-pair per invocation. Typically you need two key-pairs, so that the certificate/public key of one can be used together with the other; therefore, execute keytool with the -genkey option twice, and store each key-pair in its own keystore.

Here's how to use the keytool utility to generate the key-pair that will serve as the private key.

Author's Note: Enter the command lines shown below on a single line.

   %JAVA_HOME%\bin\keytool -genkey -alias privkey 
       -keystore privkeystore -dname "cn=privkey" 
       -keypass foobar -storepass foobar
To generate the key-pair that will serve as the certificate/public key, use this command (again, enter the entire command on a single line).

   %JAVA_HOME%\bin\keytool -genkey -alias pubcert 
      -keystore pubcertkeystore -dname "cn=pubcert" 
      -keypass foobar -storepass foobar
The preceding commands

  • generate separate key-pairs
  • store the key-pairs in separate keystores
  • specify passwords for the keys and the keystores
  • specify the alias/name for each key-pair
  • specify the distinguished name (here consisting only of a common name, cn=...) by which each key-pair will be known within its keystore.
To examine the contents of a keystore, execute the keytool utility with the -list option. For example, to examine the contents of the first keystore created above (privkeystore), use:

   %JAVA_HOME%\bin\keytool -list -keystore privkeystore
   Enter keystore password:  foobar
   
   Keystore type: jks
   Keystore provider: SUN
   
   Your keystore contains 1 entry
   
   privkey, Jul 25, 2005, keyEntry,
   Certificate fingerprint (MD5): 
   A1:FA:99:E2:A7:E8:1A:FB:D8:B7:87:91:D1:0E:9C:F8
Now, look at the pubcert certificate keystore:

   %JAVA_HOME%\bin\keytool -list -keystore pubcertkeystore
   Enter keystore password:  foobar
   
   Keystore type: jks
   Keystore provider: SUN
   
   Your keystore contains 1 entry
   
   pubcert, Jul 25, 2005, keyEntry,
   Certificate fingerprint (MD5): 
   99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
To examine the certificate belonging to a key entry in detail, you can use the keytool utility to export it to the console in RFC 1421 (PEM) format using the -rfc option, as follows:

   %JAVA_HOME%\bin\keytool -export -keystore privkeystore 
      -alias privkey -storepass foobar -rfc
You'll see output on the console similar to the following:

   -----BEGIN CERTIFICATE-----
   MIIBlTCB/wIEQuWjhTANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwd0ZXN
   0a2V5MB4XDTA1MDcyNjAyNDQyMVoXDTA1MTAyNDAyNDQyMVowEjEQMA4GA1
   UEAxMHdGVzdGtleTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAz/HFY
   xicr+vonubY3rgnJFdl6OsvbinR2L54U7WKHNz2w7w3cOvTMGqop/xQtePx
   k3hXIJFs27OBC28Y8jRKYdgGDYMVU5/V0ddlGQUgfU7Xy9jdIPm61ayu3QH
   9LcXYSzVfHNeL3HHRcJV3jSwRs1K/vIVZKLNnBRufe2kORK0CAwEAATANBg
   kqhkiG9w0BAQQFAAOBgQBWAoAzG5B54dNUt7t3iU98Dre0EI9JkEn8HYiix
   oJxs1SmI/vESDbuAJY9EbjlPnvhHrgZL3rtb8twwzHwbLhnxVeV/LRk2C2e
   ghkPPEklp3w+UVv5U3dsvoR6LO4z3fTjnc+YbMG0Iss5gkwxJqYy/6qeyYY
   3EGoxl8Ehyu/hOw==
   -----END CERTIFICATE-----
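The listing and export steps above can also be performed from Java, which is what a program using WSS4J ultimately does when it opens a keystore to sign or encrypt a message. The following program is an added example, not code from the original article or from the WSS4J project. It assumes the keystore file privkeystore, the alias privkey, the JKS type reported by keytool -list, and the store and key password foobar from the commands above; it loads the keystore, reads the private key with the key password (which is separate from the store password and may differ), reproduces the keytool -list entry line, prints the MD5 fingerprint keytool shows alongside a SHA-256 fingerprint, and writes the certificate in the same PEM form that keytool -export -rfc prints.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.Collections;

/**
 * Added example (not from the DevX article or WSS4J): inspects the keystore
 * produced by the keytool -genkey command above.
 *
 * Assumed values, taken from the article's commands: file "privkeystore",
 * alias "privkey", store password and key password "foobar", type JKS.
 */
public class KeystoreInspector {

    static final String KEYSTORE_FILE = "privkeystore";
    static final String ALIAS = "privkey";
    static final char[] STORE_PASSWORD = "foobar".toCharArray();
    static final char[] KEY_PASSWORD = "foobar".toCharArray();

    /** Loads the keystore; a wrong store password makes load() throw an IOException. */
    static KeyStore load(String file, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // the type keytool -list reported
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /** Colon-separated hex digest of the certificate's DER encoding, as keytool prints it. */
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** RFC 1421 style PEM text (Base64 in 64-character lines), as keytool -export -rfc prints. */
    static String toPem(Certificate cert) throws Exception {
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n";
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = load(KEYSTORE_FILE, STORE_PASSWORD);

        // Equivalent of keytool -list: each alias, its creation date and entry kind
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + ", " + ks.getCreationDate(alias)
                    + (ks.isKeyEntry(alias) ? ", keyEntry" : ", trustedCertEntry"));
        }

        // The private key is protected by the key password (-keypass), not the store
        // password; a wrong key password throws an UnrecoverableKeyException here.
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, KEY_PASSWORD);
        Certificate cert = ks.getCertificate(ALIAS);
        System.out.println("Private key algorithm: " + key.getAlgorithm());
        System.out.println("Certificate fingerprint (MD5): " + fingerprint(cert, "MD5"));
        System.out.println("Certificate fingerprint (SHA-256): " + fingerprint(cert, "SHA-256"));

        // Equivalent of keytool -export -rfc
        System.out.print(toPem(cert));
    }
}
```

Compile and run it in the directory that holds privkeystore (javac KeystoreInspector.java && java KeystoreInspector). The MD5 line should match the fingerprint keytool -list showed for the same keystore; the SHA-256 fingerprint is added because MD5 is no longer considered collision resistant, so it is the value to compare when you hand a certificate fingerprint to another party for verification.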