
Implementing WS-Security with Java and WSS4J : Page 3

Many organizations have now implemented solutions based on the promise of Web services, exposing those services over the Internet to enjoy maximum exposure—which then leaves them with the dilemma of securing their services to protect data and other resources. Find out how to use Java and Apache's Web Services Security for Java (WSS4J) framework to secure your Web services.


Self-Signing Certificates
Keys are unusable unless they are signed, but you can use the keytool to self-sign them (for testing purposes only), as follows:

   %JAVA_HOME%\bin\keytool -selfcert -alias privkey ^
      -keystore privkeystore -keypass foobar -storepass foobar
Now, the certificate can be self-signed, as follows:

   %JAVA_HOME%\bin\keytool -selfcert -alias pubcert ^
      -keystore pubcertkeystore -keypass foobar ^
      -storepass foobar
Exporting Certificates with the Keytool Utility
After generating and self-signing the keys/certificates and storing them in the keystores, import each public key into the other key's keystore. This requires two steps: exporting the public key to a certificate file and importing the certificate to the other keystore. To export the public key to a certificate file, use:

   %JAVA_HOME%\bin\keytool -export -keystore pubcertkeystore ^
      -alias pubcert -storepass foobar -file pubcert
You should see a response that says:

   Certificate stored in file <pubcert>
You can also use the keytool utility to display the contents of the certificate file using the -printcert option, as follows:

   %JAVA_HOME%\bin\keytool -printcert -file pubcert
The output will look like:

   Owner: CN=pubcert
   Issuer: CN=pubcert
   Serial number: 42e5b3c4
   Valid from: Mon Jul 25 21:53:40 MDT 2005 until: Sun Oct 23 21:53:40 MDT 2005
   Certificate fingerprints:
      MD5:  99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
      SHA1: EC:59:92:E9:1F:8A:A6:0A:85:54:EC:76:47:DB:5F:3F:D2:15:78:77
The exported certificate contains the public key and distinguished name given to the certificate (in this case, pubcert).

Importing Certificates into Keystores
To import a public certificate into the keystore of the private key, issue the command:

   %JAVA_HOME%\bin\keytool -import -alias pubcert ^
     -file pubcert -keystore privkeystore -storepass foobar
The output looks like:

   Owner: CN=pubcert
   Issuer: CN=pubcert
   Serial number: 42e5b3c4
   Valid from: Mon Jul 25 21:53:40 MDT 2005 until: Sun Oct 23 21:53:40 MDT 2005
   Certificate fingerprints:
      MD5:  99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
      SHA1: EC:59:92:E9:1F:8A:A6:0A:85:54:EC:76:47:DB:5F:3F:D2:15:78:77
Answer the following question:
   Trust this certificate? [no]:  yes
   Certificate was added to keystore
Now that the certificate has been imported into the private key's keystore, you can reexamine the contents of the keystore using the keytool utility with the -list option, as follows:

   %JAVA_HOME%\bin\keytool -list -keystore privkeystore
   Enter keystore password:  foobar
   
After entering your password you'll see the following output:

   Keystore type: jks
   Keystore provider: SUN
   
   Your keystore contains 2 entries
   
   privkey, Jul 25, 2005, keyEntry,
   Certificate fingerprint (MD5): E7:4A:D9:D7:67:A6:6D:E7:A5:C4:28:22:3D:C5:C4:30
   pubcert, Jul 25, 2005, trustedCertEntry,
   Certificate fingerprint (MD5): 99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
As the preceding listing shows, there are now two entries in the private key's keystore. The first, with the alias privkey, is identified as a key entry. The second, with the alias pubcert, is the trusted certificate entry imported from the certificate file.

At this point you have performed sufficient key management tasks to use the private-key keystore to perform WS-Security tasks using the Apache Web Services Security for Java framework.
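
The check below is an added example, not code from the original article or from WSS4J: it loads the keystore built above with the standard java.security.KeyStore API and prints each entry's type, subject, SHA-256 fingerprint and expiry, so they can be compared with the keytool output before the keystore is used. The class name KeystoreCheck is hypothetical; the file name privkeystore and the password foobar are the article's test values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): audits the keystore built in this article.
public class KeystoreCheck {

    // Colon-separated hex digest of the DER-encoded certificate, as keytool prints it.
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the keystore file and test password used in the article.
        String path = args.length > 0 ? args[0] : "privkeystore";
        char[] storePass = (args.length > 1 ? args[1] : "foobar").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS"); // type reported by keytool -list above
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass); // also verifies the keystore integrity check
        }

        boolean allValid = true;
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "keyEntry" : "trustedCertEntry";
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s (%s)%n  subject: %s%n  SHA-256: %s%n  expires: %s%n",
                    alias, kind, cert.getSubjectX500Principal().getName(),
                    fingerprint(cert, "SHA-256"), cert.getNotAfter());
            try {
                cert.checkValidity(); // throws if expired or not yet valid
            } catch (CertificateException e) {
                System.out.println("  NOT VALID NOW: " + e.getMessage());
                allValid = false;
            }
        }
        System.exit(allValid ? 0 : 1); // non-zero exit lets a build script stop early
    }
}
```

The sample certificate shown above is valid for only 90 days (Jul 25 to Oct 23, 2005), so a keystore built this way starts failing the validity check once that window has passed.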


