This document contains all the use cases related to the Petals-BC-SOAP component.
Use cases are ordered by their complexity, from the most simple to the most complex ones.
Simple Use Cases
Securing a service running in Petals using 2-Way SSL and WS-Security
This use case runs with the Petals BC SOAP 4.0.9+
The goal of this use case is to show that SSL and WS-Security can be combined to secure an internal endpoint exposed as a web service, using several certificates:
- a transport certificate identifying the web service client,
- a transport certificate to encrypt the communication between the server and the client,
- a message certificate to sign the message sent by the client and to guarantee its integrity,
- a message certificate to encrypt the SOAP body content,
- a user name and a password to identify the user of the client,
- a time-stamp to prevent request replay.
So, the following key stores are needed:
- a key store 'client': keystore-clt.jks (password: keystoreclt), containing:
  - the private keys of the client,
  - the public keys of the server
- a key store 'server': keystore-srv.jks (password: keystoresrv), containing:
  - the private key used to encrypt the SOAP body content,
  - the public key of the client used to sign
- a specific key store 'ssl': keystore-srv-ssl.jks (password: keystoresrv), containing:
  - the SSL private key of the server
  - the SSL public key of the client
The private keys of the client (symmetrically, public keys held by the server) are:
- 'sslclt': the private key identifying the client at SSL level (2-way SSL), password: 'keystoreclt',
- 'wsseclt-sign': the private key to sign the message, password: 'keystoreclt'.
The private keys of the server (symmetrically, public keys held by the client) are:
- 'sslsrv': the private key to encrypt the communication between the server and the client, password: 'pwsslsrv',
- 'wsseclt-crypt': the private key to encrypt the message, password: 'keystoresrv'.
Although the encrypted message is generated by the client, the private key is located on the server side.
To simplify the use case, all keys are self-signed.
The version of SoapUI used as client requires keys to have the same password as their keystore.
Creation of keys and key stores
Creation of private keys
Open a command shell and change to the directory $PETALS_HOME/https. $PETALS_HOME/https is not a directory provided by Petals; it is used by this tutorial, so don't forget to create it manually.
- Creation and self-signing of the private key 'sslclt':
keytool -genkey -validity 731 -keystore keystore-clt.jks -storepass keystoreclt -storetype JKS -keyalg RSA -alias sslclt -keypass keystoreclt -dname "CN=SSL Client, OU=PetalsLink, O=EBM, L=Nice, ST=AM, C=FR"
keytool -selfcert -validity 731 -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias sslclt -keypass keystoreclt
- Creation and self-signing of the private key 'wsseclt-sign':
keytool -genkey -validity 731 -keystore keystore-clt.jks -storepass keystoreclt -storetype JKS -keyalg RSA -alias wsseclt-sign -keypass keystoreclt -dname "CN=WSSE Signature, OU=PetalsLink, O=EBM, L=Nice, ST=AM, C=FR"
keytool -selfcert -validity 731 -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias wsseclt-sign -keypass keystoreclt
- Creation and self-signing of the private key 'wsseclt-crypt':
keytool -genkey -validity 731 -keystore keystore-srv.jks -storepass keystoresrv -storetype JKS -keyalg RSA -alias wsseclt-crypt -keypass keystoresrv -dname "CN=WSSE Encryption-In, OU=EBM, O=Capgemini, L=Nice, ST=AM, C=FR"
keytool -selfcert -validity 721 -keystore keystore-srv.jks -storetype JKS -storepass keystoresrv -alias wsseclt-crypt -keypass keystoresrv
- Creation and self-signing of the private key 'sslsrv':
keytool -genkey -validity 731 -keystore keystore-srv-ssl.jks -storepass keystoresrv -storetype JKS -keyalg RSA -alias sslsrv -keypass pwsslsrv -dname "CN=SSL Server, OU=PetalsLink, O=EBM, L=Nice, ST=AM, C=FR"
keytool -selfcert -validity 721 -keystore keystore-srv-ssl.jks -storetype JKS -storepass keystoresrv -alias sslsrv -keypass pwsslsrv
Generation and export/import of public keys
- Export/Import of public key 'sslclt':
keytool -export -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias sslclt -file sslclt.crt
keytool -import -keystore keystore-srv-ssl.jks -storetype JKS -storepass keystoresrv -alias sslclt -file sslclt.crt
- Export/Import of public key 'wsseclt-sign':
keytool -export -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias wsseclt-sign -file wsseclt-sign.crt
keytool -import -keystore keystore-srv.jks -storetype JKS -storepass keystoresrv -alias wsseclt-sign -file wsseclt-sign.crt
- Export/Import of public key 'wsseclt-crypt':
keytool -export -keystore keystore-srv.jks -storetype JKS -storepass keystoresrv -alias wsseclt-crypt -file wsseclt-crypt.crt
keytool -import -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias wsseclt-crypt -file wsseclt-crypt.crt
- Export/Import of public key 'sslsrv':
keytool -export -keystore keystore-srv-ssl.jks -storetype JKS -storepass keystoresrv -alias sslsrv -file sslsrv.crt
keytool -import -keystore keystore-clt.jks -storetype JKS -storepass keystoreclt -alias sslsrv -file sslsrv.crt
Creation of the service unit
Using the Petals Studio, create a service unit to deploy on the BC SOAP and consume your service.
Next, update its JBI descriptor to add the WS-Security configuration:
<?xml version="1.0" encoding="UTF-8"?>
<jbi:jbi version="1.0"
    xmlns:generatedNs="http://InformationDeProduction.cirtil.cer69.recouv/InformationDeProduction.wsdl"
    xmlns:jbi="http://java.sun.com/xml/ns/jbi"
    xmlns:petalsCDK="http://petals.ow2.org/components/extensions/version-5"
    xmlns:soap="http://petals.ow2.org/components/soap/version-4"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <jbi:services binding-component="true">
    <jbi:consumes interface-name="generatedNs:InformationDeProductionPortType"
        service-name="generatedNs:InformationDeProductionService"
        endpoint-name="InformationDeProductionPort">
      <!-- CDK specific elements -->
      <petalsCDK:timeout>30000</petalsCDK:timeout>
      <petalsCDK:mep xsi:nil="true" />
      <!-- Component specific elements -->
      <soap:service-name>InformationDeProductionServiceSSLandWSSE</soap:service-name>
      <soap:mode>SOAP</soap:mode>
      <soap:enable-http-transport>false</soap:enable-http-transport>
      <soap:enable-https-transport>true</soap:enable-https-transport>
      <soap:enable-jms-transport>false</soap:enable-jms-transport>
      <soap:modules>rampart</soap:modules>
      <soap:service-parameters>
        <![CDATA[
        <parameter name="InflowSecurity">
          <action>
            <items>Signature Encrypt Timestamp UsernameToken</items>
            <user>wsseclt-id</user>
            <passwordCallbackClass>org.ow2.petals.test.PWCBHandler</passwordCallbackClass>
            <userCertAlias>wsseclt-sign</userCertAlias>
            <signaturePropFile>service.properties</signaturePropFile>
            <decryptionPropFile>service.properties</decryptionPropFile>
          </action>
        </parameter>
        ]]>
      </soap:service-parameters>
    </jbi:consumes>
  </jbi:services>
</jbi:jbi>
Add the properties file 'service.properties' under the directory 'jbi', containing:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=keystoresrv
org.apache.ws.security.crypto.merlin.file=../https/keystore-srv.jks
Add the class 'PWCBHandler' as password callback:
package org.ow2.petals.test;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback invoked by Rampart/WSS4J while processing the InflowSecurity actions.
 * It supplies the expected password of the UsernameToken user and the password of the
 * private key used to decrypt the SOAP body content.
 */
public class PWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // getIdentifer() (sic) is the actual method name in the WSS4J 1.5 API
            String id = pwcb.getIdentifer();
            if (id.equals("wsseclt-id")) {
                // password of the UsernameToken user declared in <user>
                pwcb.setPassword("pwwsseid");
            } else if (id.equals("wsseclt-crypt")) {
                // password of the 'wsseclt-crypt' private key held in keystore-srv.jks
                pwcb.setPassword("keystoresrv");
            }
        }
    }
}
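The four actions listed in the descriptor's <items> element (Signature Encrypt Timestamp UsernameToken) each demand a corresponding element in the inbound wsse:Security header, and the Timestamp is what lets the server reject a replayed request. Rampart performs these checks itself; the following Python script is an added illustration (not Petals or Rampart code) of what the configuration requires of a request, run against a constructed envelope whose signature and encrypted-key contents are elided.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Namespaces of the WS-Security 1.0 header that the Rampart InflowSecurity actions operate on.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Header element each action of the descriptor's <items> list requires in the request.
ACTION_ELEMENT = {"Signature": "ds:Signature", "Encrypt": "xenc:EncryptedKey",
                  "Timestamp": "wsu:Timestamp", "UsernameToken": "wsse:UsernameToken"}

# Constructed request, as a client configured for all four actions would send it (contents elided).
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
                 xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
   <wsu:Timestamp><wsu:Created>2024-05-01T10:00:00Z</wsu:Created><wsu:Expires>2024-05-01T10:05:00Z</wsu:Expires></wsu:Timestamp>
   <wsse:UsernameToken><wsse:Username>wsseclt-id</wsse:Username></wsse:UsernameToken>
   <xenc:EncryptedKey/><ds:Signature/>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body/>
</soapenv:Envelope>"""

def security_header(envelope_xml):
    return ET.fromstring(envelope_xml).find("soapenv:Header/wsse:Security", NS)

def missing_actions(envelope_xml, items="Signature Encrypt Timestamp UsernameToken"):
    """Configured actions for which the wsse:Security header carries no element."""
    sec = security_header(envelope_xml)
    return [a for a in items.split() if sec is None or sec.find(ACTION_ELEMENT[a], NS) is None]

def _utc(text):
    # wsu timestamps in this example use whole seconds, e.g. 2024-05-01T10:00:00Z
    return dt.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def timestamp_is_fresh(envelope_xml, now_utc, skew_seconds=300):
    """Replay check: Created not in the future (allowing clock skew) and Expires not passed.
    now_utc is given in the same wsu format as the header."""
    sec = security_header(envelope_xml)
    ts = None if sec is None else sec.find("wsu:Timestamp", NS)
    if ts is None:
        return False
    created = _utc(ts.findtext("wsu:Created", namespaces=NS))
    expires = _utc(ts.findtext("wsu:Expires", namespaces=NS))
    return created - dt.timedelta(seconds=skew_seconds) <= _utc(now_utc) < expires
```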
Running the use case
Launch a freshly installed Petals ESB.
Install the Petals BC SOAP, enabling SSL through the component parameters:
- https-enabled = true
- https-port = 8083
- https-keystore-type = JKS
- https-keystore-file = ../https/keystore-srv-ssl.jks
- https-keystore-password = keystoresrv
- https-key-password = pwsslsrv
- https-client-authentication-enabled = true
Deploy your SU.
Use SoapUI to invoke your secured service!
Complex Use Cases
These use cases involve several Petals components, including the Petals-BC-SOAP component.