Use Cases for Petals-BC-SOAP

This document contains all the use cases related to the Petals-BC-SOAP component.
Use cases are ordered by complexity, from the simplest to the most complex.

Simple Use Cases

Securing a service running in Petals using 2-way SSL and WS-Security

This use case requires Petals BC SOAP 4.0.9 or later.

The goal of this use case is to show that SSL and WS-Security can be combined to expose an internal endpoint as a secured web service, using several certificates:

  • a transport certificate identifying the web service client,
  • a transport certificate to encrypt the communication between the server and the client,
  • a message certificate to sign the message sent by the client and guarantee its integrity,
  • a message certificate to encrypt the SOAP body content,
  • a user name and a password identifying the user of the client,
  • a timestamp to prevent request replay (re-injection).

The following key stores are therefore needed:

  • a key store 'client': keystore-clt.jks (password: keystoreclt), containing:
    • the private keys of the client,
    • the public keys of the server
  • a key store 'server': keystore-srv.jks (password: keystoresrv), containing:
    • the private key used to encrypt the SOAP body content,
    • the public key of the client used for signing
  • a specific key store 'ssl': keystore-srv-ssl.jks (password: keystoresrv), containing:
    • the SSL private key of the server
    • the SSL public key of the client

The private keys of the client (whose public keys are held by the server) are:

  • 'sslclt': the private key identifying the client at SSL level (2-way SSL), password: 'keystoreclt',
  • 'wsseclt-sign': the private key used to sign the message, password: 'keystoreclt'.

The private keys of the server (whose public keys are held by the client) are:

  • 'sslsrv': the private key used to encrypt the communication between the server and the client, password: 'pwsslsrv',
  • 'wsseclt-crypt': the private key used for message encryption, password: 'keystoresrv'.

Although the encrypted message is generated by the client, the private key is located on the server side: the client only holds the corresponding public key.
To simplify the use case, all keys are self-signed.
The version of SoapUI used as client requires each key to have the same password as its keystore.

Creation of keys and key stores

Creation of private keys

  • Creation and self-signing of the private key 'sslclt':
    keytool -genkey -validity 731 -keystore keystore-clt.jks -storepass keystoreclt -storetype JKS -keyalg RSA -alias sslclt -keypass keystoreclt -dname "CN=SSL Client, OU=PetalsLink, O=EBM, L=Nice, ST=AM, C=FR"
    keytool -selfcert -validity 731 -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias sslclt -keypass keystoreclt
    
  • Creation and self-signing of the private key 'wsseclt-sign':
    keytool -genkey -validity 731 -keystore keystore-clt.jks -storepass keystoreclt -storetype JKS -keyalg RSA -alias wsseclt-sign -keypass keystoreclt -dname "CN=WSSE Signature, OU=PetalsLink, O=EBM, L=Nice, ST=AM, C=FR"
    keytool -selfcert -validity 731 -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias wsseclt-sign -keypass keystoreclt
    
  • Creation and self-signing of the private key 'wsseclt-crypt':
    keytool -genkey -validity 731 -keystore keystore-srv.jks -storepass keystoresrv -storetype JKS -keyalg RSA -alias wsseclt-crypt -keypass keystoresrv -dname "CN=WSSE Encryption-In, OU=EBM, O=Capgemini, L=Nice, ST=AM, C=FR"
    keytool -selfcert -validity 721 -keystore keystore-srv.jks -storetype JKS -storepass keystoresrv -alias wsseclt-crypt -keypass keystoresrv
    
  • Creation and self-signing of the private key 'sslsrv':
    keytool -genkey -validity 731 -keystore keystore-srv-ssl.jks -storepass keystoresrv -storetype JKS -keyalg RSA -alias sslsrv -keypass pwsslsrv -dname "CN=SSL Server, OU=PetalsLink, O=EBM, L=Nice, ST=AM, C=FR"
    keytool -selfcert -validity 721 -keystore keystore-srv-ssl.jks -storetype JKS -storepass keystoresrv -alias sslsrv -keypass pwsslsrv
    

Generation and export/import of public keys

  • Export/Import of public key 'sslclt':
    keytool -export -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias sslclt -file sslclt.crt
    keytool -import -keystore keystore-srv-ssl.jks -storetype JKS -storepass keystoresrv -alias sslclt -file sslclt.crt
    
  • Export/Import of public key 'wsseclt-sign':
    keytool -export -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias wsseclt-sign -file wsseclt-sign.crt
    keytool -import -keystore keystore-srv.jks -storetype JKS -storepass keystoresrv -alias wsseclt-sign -file wsseclt-sign.crt
    
  • Export/Import of public key 'wsseclt-crypt':
    keytool -export -keystore keystore-srv.jks -storetype JKS -storepass keystoresrv -alias wsseclt-crypt -file wsseclt-crypt.crt
    keytool -import -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias wsseclt-crypt -file wsseclt-crypt.crt
    
  • Export/Import of public key 'sslsrv':
    keytool -export -keystore keystore-srv-ssl.jks -storetype JKS -storepass keystoresrv -alias sslsrv  -file sslsrv.crt
    keytool -import -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias sslsrv  -file sslsrv.crt
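
Once the four private keys have been generated and the certificates exchanged, the three key stores must hold exactly the layout described above: a private key only on its own side, the peer's certificate as a trusted entry, nothing missing and nothing extra. The script below is an added example, not code from the original page or from the Petals project. It parses the text printed by `keytool -list -v` and audits each key store against that layout, also flagging certificates that are outside their validity window. The two sample listings are constructed, abridged keytool output (the second one simulates copying the client's signing private key to the server instead of importing its certificate); the `audit_keystore_file` helper is an assumed convenience that needs keytool on the PATH and JKS key stores, as in this use case.

```python
"""Audit JKS key store layouts for a 2-way SSL + WS-Security setup.

Input is the text printed by `keytool -list -v -keystore <file> -storepass <pw>`.
The audit checks that each key store holds exactly the expected entries: private
keys only on their own side, peer certificates as trusted entries, and nothing
expired. The sample listings below are constructed, not real keytool output.
"""
import os
import re
import subprocess
from datetime import date, datetime

# Expected layout, alias -> entry type, as described in the use case.
EXPECTED_LAYOUT = {
    "keystore-clt.jks": {"sslclt": "PrivateKeyEntry", "wsseclt-sign": "PrivateKeyEntry",
                         "wsseclt-crypt": "trustedCertEntry", "sslsrv": "trustedCertEntry"},
    "keystore-srv.jks": {"wsseclt-crypt": "PrivateKeyEntry", "wsseclt-sign": "trustedCertEntry"},
    "keystore-srv-ssl.jks": {"sslsrv": "PrivateKeyEntry", "sslclt": "trustedCertEntry"},
}

_ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$", re.M)
_TYPE_RE = re.compile(r"^Entry type:\s*(\w+)", re.M)
# "Valid from: Fri Jan 10 10:00:00 CET 2014 until: Sun Jan 10 10:00:00 CET 2016";
# weekday and timezone tokens are skipped because strptime's %Z accepts few names.
_VALID_RE = re.compile(
    r"Valid from:\s*\w{3} (\w{3} \d{1,2}) \d\d:\d\d:\d\d \S+ (\d{4})"
    r" until:\s*\w{3} (\w{3} \d{1,2}) \d\d:\d\d:\d\d \S+ (\d{4})"
)


def _to_date(month_day, year):
    return datetime.strptime(f"{month_day} {year}", "%b %d %Y").date()


def parse_keytool_listing(text):
    """Return {alias: {"type", "not_before", "not_after"}} from `keytool -list -v` output."""
    entries = {}
    for block in re.split(r"(?m)^(?=Alias name:)", text):  # one block per entry
        alias = _ALIAS_RE.search(block)
        if alias is None:
            continue  # key store header, no entry here
        valid = _VALID_RE.search(block)
        entries[alias.group(1)] = {
            "type": _TYPE_RE.search(block).group(1),
            "not_before": _to_date(valid.group(1), valid.group(2)),
            "not_after": _to_date(valid.group(3), valid.group(4)),
        }
    return entries


def audit_keystore(name, entries, today):
    """Compare one key store's entries with EXPECTED_LAYOUT[name]; return findings (empty = OK)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    expected = EXPECTED_LAYOUT[name]
    findings = []
    for alias, wanted in expected.items():
        entry = entries.get(alias)
        if entry is None:
            findings.append(f"{name}: missing {wanted} '{alias}'")
            continue
        if entry["type"] != wanted:
            hint = (" (a peer's private key must never be copied; import its certificate)"
                    if entry["type"] == "PrivateKeyEntry" else "")
            findings.append(f"{name}: '{alias}' is {entry['type']}, expected {wanted}{hint}")
        if not entry["not_before"] <= today <= entry["not_after"]:
            findings.append(f"{name}: certificate '{alias}' is not valid on {today}")
    for alias, entry in entries.items():
        if alias not in expected:
            findings.append(f"{name}: unexpected {entry['type']} '{alias}'")
    return findings


def audit_keystore_file(path, storepass, today=None):
    """Audit a real key store; assumes keytool is on PATH and the store is JKS (as in the use case)."""
    out = subprocess.run(["keytool", "-list", "-v", "-storetype", "JKS", "-keystore", path,
                          "-storepass", storepass], capture_output=True, text=True, check=True).stdout
    return audit_keystore(os.path.basename(path), parse_keytool_listing(out), today or date.today())


# Constructed sample listing of a correctly built keystore-srv.jks (abridged keytool output).
SAMPLE_SRV_OK = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: wsseclt-crypt
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=WSSE Encryption-In, OU=EBM, O=Capgemini, L=Nice, ST=AM, C=FR
Issuer: CN=WSSE Encryption-In, OU=EBM, O=Capgemini, L=Nice, ST=AM, C=FR
Valid from: Fri Jan 10 10:00:00 CET 2014 until: Sun Jan 10 10:00:00 CET 2016

Alias name: wsseclt-sign
Entry type: trustedCertEntry

Owner: CN=WSSE Signature, OU=PetalsLink, O=EBM, L=Nice, ST=AM, C=FR
Issuer: CN=WSSE Signature, OU=PetalsLink, O=EBM, L=Nice, ST=AM, C=FR
Valid from: Fri Jan 10 10:00:00 CET 2014 until: Sun Jan 10 10:00:00 CET 2016
"""
# Constructed mistake: the client's signing private key was copied to the server instead of its certificate.
SAMPLE_SRV_BAD = SAMPLE_SRV_OK.replace("Entry type: trustedCertEntry", "Entry type: PrivateKeyEntry")

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_SRV_OK), ("bad", SAMPLE_SRV_BAD)):
        print(label, audit_keystore("keystore-srv.jks", parse_keytool_listing(text), "2015-06-01") or "no findings")
```

Run it without arguments to see the two constructed listings audited; for the real key stores, call `audit_keystore_file("keystore-srv.jks", "keystoresrv")` and the two other stores with their passwords. A non-empty result means the key store does not match the use case and the client or server side will fail either the TLS handshake or the WS-Security signature/encryption checks.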
    

Complex Use Cases

These use cases involve several Petals components including the Petals-BC-SOAP component.
