This document contains all the use cases related to the Petals-BC-SOAP component.
Use cases are ordered by their complexity, from the most simple to the most complex ones.
Simple Use Cases
Securing a service running into Petals using 2-Way SSL and WS-Security
This use case runs with the Petals BC SOAP 4.0.9+ |
The goal of this use-case is to show you that it is possible to mixed SSL and WS-Security to secure an internal endpoint as a webservice using several certificats:
- a transport certificate identifying the webservice client,
- a transport certificate to crypt the communication between the serveur and the client,
- a message certificate to sign the message sent by the client and to warranty its integrity,
- a message certificate to crypt the SOAP body content,
- a user name and a password to identify the user of the client,
- a time-stamp to avoid request re-injection.
So, it is needed to have the following key stores:
- a key store 'client': keystore-clt.jks (password: keystoreclt), containing:
- the private keys of the client,
- the public keys of the serveur
- a key store 'server': keystore-srv.jks (password: keystoresrv), containing:
- the private key used to crypt the SOAP body content,
- the public key of the client used to sign
- a specific key store 'ssl': keystore-srv-ssl.jks (password: keystoresrv), containing:
- the SSL private key of the server
- the SSL public key of the client
The private keys of the client (symetrically, public keys of the server) are:
- 'sslclt': the private key identifying the client at SSL level (2-way SSL), password: 'keystoreclt',
- 'wsseclt-sign': the private key to sign the message, password: 'keystoreclt'.
The private keys of the server (symetrically, public keys of the server) are:
- 'sslsrv': the private key to crypt the communication between the server and the client, password: 'pwsslsrv',
- 'wsseclt-crypt': the private key to crypt the message, password: 'keystoresrv'.
Although encrypted message is generated by the client, the private key is located on the server side. |
to simplify the use-case, all keys are auto-signed. |
the version of the SoapUI used as client needs to have keys with the same password than their keystore. |
Creation of keys and key stores
Creation of private keys
- Creation and auto-sign of the private key 'sslclt':
keytool -genkey -validity 731 -keystore keystore-clt.jks -storepass keystoreclt -storetype JKS -keyalg RSA -alias sslclt -keypass keystoreclt -dname "CN=SSL Client, OU=PetalsLink, O=EBM, L=Nice, ST=AM, C=FR" keytool -selfcert -validity 731 -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias sslclt -keypass keystoreclt
- Creation and auto-sign of the private key 'wsseclt-sign':
keytool -genkey -validity 731 -keystore keystore-clt.jks -storepass keystoreclt -storetype JKS -keyalg RSA -alias wsseclt-sign -keypass keystoreclt -dname "CN=WSSE Signature, OU=PetalsLink, O=EBM, L=Nice, ST=AM, C=FR" keytool -selfcert -validity 731 -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias wsseclt-sign -keypass keystoreclt
- Creation and auto-sign of the private key 'wsseclt-crypt':
keytool -genkey -validity 731 -keystore keystore-srv.jks -storepass keystoresrv -storetype JKS -keyalg RSA -alias wsseclt-crypt -keypass keystoresrv -dname "CN=WSSE Encryption-In, OU=EBM, O=Capgemini, L=Nice, ST=AM, C=FR" keytool -selfcert -validity 721 -keystore keystore-srv.jks -storetype JKS -storepass keystoresrv -alias wsseclt-crypt -keypass keystoresrv
- Creation and auto-sign of the private key 'sslsrv':
keytool -genkey -validity 731 -keystore keystore-srv-ssl.jks -storepass keystoresrv -storetype JKS -keyalg RSA -alias sslsrv -keypass pwsslsrv -dname "CN=SSL Server, OU=PetalsLink, O=EBM, L=Nice, ST=AM, C=FR" keytool -selfcert -validity 721 -keystore keystore-srv-ssl.jks -storetype JKS -storepass keystoresrv -alias sslsrv -keypass pwsslsrv
Generation and export/import of public keys
- Export/Import of public key 'sslclt':
keytool -export -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias sslclt -file sslclt.crt keytool -import -keystore keystore-srv-ssl.jks -storetype JKS -storepass keystoresrv -alias sslclt -file sslclt.crt
- Export/Import of public key 'wsseclt-sign':
keytool -export -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias wsseclt-sign -file wsseclt-sign.crt keytool -import -keystore keystore-srv.jks -storetype JKS -storepass keystoresrv -alias wsseclt-sign -file wsseclt-sign.crt
- Export/Import of public key 'wsseclt-crypt':
keytool -export -keystore keystore-srv.jks -storetype JKS -storepass keystoresrv -alias wsseclt-crypt -file wsseclt-crypt.crt keytool -import -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias wsseclt-crypt -file wsseclt-crypt.crt
- Export/Import of public key 'sslsrv':
keytool -export -keystore keystore-srv-ssl.jks -storetype JKS -storepass keystoresrv -alias sslsrv -file sslsrv.crt keytool -import -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias sslsrv -file sslsrv.crt
Complex Use Cases
These use cases involve several Petals components including the Petals-BC-SOAP component.
No content found for label(s) uc-soap. |