Re: JAX-WS: Can I choose from multiple client certificates on th


forums
OK, solution is to import both PKCS#12 certs into a JKS keystore. Once I do
that, then I can see and use both keys.

So back to question #2: how do I select from these multiple keys at
runtime when connecting to the consuming service?

Anyone?

Thanks,
Bill


--

[Message sent by forum member 'wgkorb']

View Post: http://forums.java.net/node/703765



Michael Hui
I just found the answer to that myself:

You need to create your own aliasSelector class. Just search for that in the article at the above link.





--
Thanks,



forums
I'm not sure if I replied already; when I reply by email it doesn't get
reposted...

Search for aliasSelector in the following article.

http://xwss.java.net/articles/security_config.html

 

Oh yeah, the reason why you get the Unrecoverable Key error is because all the
keys in the glassfish's keystore.jks must either have no password or the
password must be the same as the keystore's password, i.e. "changeit".

 

 


--

[Message sent by forum member 'Mhui']




forums
I found a blog post that claims to supersede the URL you pointed me at:
http://weblogs.java.net/blog/2009/06/01/security-token-configuration-metro
I was able to create a class that implements the
com.sun.xml.wss.AliasSelector interface, as that was trivial.
What I am struggling with, however, is where to specify that configuration in
my client. I am using NetBeans (I've tried both 6.9 and 7) but cannot seem to
find where to specify the WS-Security settings. The WSDL I am using is in a
local file and doesn't include the URL (I set that manually using the
BindingProvider.ENDPOINT_ADDRESS_PROPERTY) and it doesn't indicate anywhere
in the WSDL that either CERTIFICATE or BASIC authentication are required (and
in fact, both are). Perhaps that is why the "Web Service Properties" wizard
doesn't include any of the choices for security that I've seen in the
NB tutorials.
Do I just need to include the sc:Keystore configuration tag in the
wsit-client.xml that NB generated for me? If so, it doesn't even include a
declaration of the sc namespace; do I just need to add that? Perhaps
something like this?

<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             name="mainclientconfig">
  <import location="source-ws-api.xml" namespace="http://svc.domain.com/wsapi"/>
  <sc:Keystore aliasSelector="com.domain.MyAliasSelector"
               callbackHandler="com.domain.MyKeyStoreCallbackHandler"/>
  <sc:CallbackHandlerConfiguration>
    <sc:CallbackHandler name="usernameHandler" classname="com.domain.MyUsernameCallbackHandler"/>
    <sc:CallbackHandler name="passwordHandler" classname="com.domain.MyPasswordCallbackHandler"/>
  </sc:CallbackHandlerConfiguration>
</definitions>
Any help would be very much appreciated.
Thanks,
Bill
 



--

[Message sent by forum member 'wgkorb']




forums
I found another blog entry that sheds some light on this:

http://blogs.oracle.com/harsha/entry/selecting_certificates_programmatically_in_wsit

This shows that I do indeed need to embed my configuration into the
wsit-client.xml, albeit a bit differently than I listed above. I decided to
do a quick and dirty prototype to try to get this working. I created a
service that simply returns the passed string, and put it inside a
security-constraint in my web.xml with transport-guarantee CONFIDENTIAL
and login-config auth-method CLIENT-CERT.

If I run my sample client against this service without an AliasSelector, it
simply grabs the first certificate in my keystore that the server will
accept. I then tweaked it as follows:

MyService service = new MyService();
MyPort port = service.getMyPort();
((BindingProvider) port).getRequestContext().put("USER", name);
I then created an implementation of AliasSelector that will look for the
USER property in the Map that is passed to the select() method, and use
that as the alias to look for:

import java.util.Map;
import com.sun.xml.wss.AliasSelector;

public class MyAliasSelector implements AliasSelector {
    @Override
    public String select(Map map) {
        if ((map == null) || map.isEmpty()) {
            return null;
        }
        String username = (String) map.get("USER");
        if (username == null) {
            throw new IllegalArgumentException(
                "Passed map must include the \"USER\" property to select appropriate cert.");
        }
        return username;
    }
}
Lastly, I tweaked my wsit-client.xml to specify my aliasSelector:

<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:wsp="http://www.w3.org/ns/ws-policy"
             xmlns:sc1="http://schemas.sun.com/2006/03/wss/client"
             name="mainclientconfig">
  <import location="MyService.xml" namespace="http://my.svc.domain.com/"/>
  <wsp:Policy>
    <wsp:ExactlyOne>
      <wsp:All>
        <sc1:KeyStore visibility="private" storepass="password" type="JKS"
                      location="/tmp/keystore.jks"
                      aliasselector="com.domain.MyAliasSelector"/>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
</definitions>
I know that my modified wsit-client.xml is indeed being loaded by Metro when
I run the client because when I made a typo, it threw an exception and
printed a stack trace indicating my error. However, when I run my code in my
debugger and put a break point on the first line of the
MyAliasSelector.select() method, I find that it is never called.

Am I missing something obvious here?

Thanks,
Bill



--

[Message sent by forum member 'wgkorb']




forums
One more data point: I changed the value of my aliasSelector attribute to a
non-existent class, and this caused no issue. This leads me to believe that
Metro isn't even validating the wsit-client.xml config file.


--

[Message sent by forum member 'wgkorb']




forums
The AliasSelector is not something that can help a WebService Client to
send different Client-Certs in an SSL Handshake. The AliasSelector is
primarily for a case where the Client Certificate is passed in the SOAP
Message (WS-Security Header) as a BinarySecurityToken; in this case the
AliasSelector can help select the appropriate certificate for each of your
BU's as you state.

SSL is handled at a lower layer in the stack underneath the WebServices
layer. So if you need to multiplex Client-Certs from a keystore depending on
the BU, then you will need to write a custom X509KeyManager
(javax.net.ssl.X509KeyManager), initialize an SSLContext using your custom
KeyManager, and then set the SSLSocketFactory obtained from the Context as the VM's
default SSLSocketFactory on the client side.

Is your Client a Standalone Java Client or is it a WebClient running inside
GlassFish again?

For WebClients running on GlassFish we have a System Property (jvm-option)
that can be set for the https outbound alias:

-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=YOUR_ALIAS

But this would allow for a single alias to be chosen from a keystore
containing multiple keys.

 


--

[Message sent by forum member 'kumarjayanti']




William Korb

OK, that makes perfect sense, thanks. It sounds like the custom X509KeyManager
is what I need to do.

Bill

--
William Korb, President & CTO          Phone:  715-382-5462
QISC, Inc.
19945 82nd Ave., Suite 201             E-mail: [hidden email]
Chippewa Falls, WI 54729-5631          URL:    http://www.qisc.com/
"Tilting at Digital Windmills since 1995."

forums
I've discovered the solution for issue number 1 (how to combine multiple
PKCS#12/p12 files into a single keystore). With the advent of the keytool
included with JDK 1.6, the "-importkeystore" option can be used to import the
cert/key pair from one p12 file into another.

For example:

[code]keytool -importkeystore -v \
-srckeystore key1.p12 \
-destkeystore combinedKeystore.p12 \
-srcstoretype pkcs12 \
-deststoretype pkcs12 \
-srcstorepass key1Pass \
-deststorepass combinedPass \
-srcalias key1alias \
-destalias key1alias
keytool -importkeystore -v \
-srckeystore key2.p12 \
-destkeystore combinedKeystore.p12 \
-srcstoretype pkcs12 \
-deststoretype pkcs12 \
-srcstorepass key2Pass \
-deststorepass combinedPass \
-srcalias key2alias \
-destalias key2alias[/code]
After running these two commands, I have a new PKCS#12 keystore named
[i]combinedKeystore.p12[/i] and [b]keytool -list[/b] confirms that both keys
are present.

OK, now how to select from among those multiple keys?

Thanks,
Bill    


--

[Message sent by forum member 'qq123123hao']




forums
Just to close the loop on this (and for the next person trying to figure out
how to do it), I was able to extend X509KeyManager as described in
Alexandre Saudate's blog [1]. I was then able to set the
com.sun.xml.ws.developer.JAXWSProperties.SSL_SOCKET_FACTORY on my JAX-WS
request context to use my custom SSLSocketFactory, and it works like a charm!
Thanks,
Bill


[1]  
http://alesaudate.com/2010/08/09/how-to-dynamically-select-a-certificate-alias-when-invoking-web-services/

--

[Message sent by forum member 'wgkorb']


