Aug 25, 2008

OWSM : Using Keystores

Today I'm going to talk about the creation of the keystore
for client side and server side, using java keytool.


As in earlier post, I talked about the policies to be applied
to secure web service, now I'll show you the creation of keystore
to sign and encrypt your channel between client and server.


> Create Keystores
Here I'm going to use java keytool to generate keystores.
This tool can be found at location
<java_home>/bin
Create two keystores to be used by client and server as :
Go to cmd prompt
keytool -genkey -alias server -keyalg RSA -keysize 1024 -keystore server.jks -storepass oracle_server -keypass server_key -dname "cn=Lalit Jolania, ou=oracle, o=lntinfotech, c=IN"




Above command will create a keystore file called : server.jks
with
private key alias : server
private key password : server_key
keystore password : oracle_server






Similarly create keystore for client : client.jks
with
private key alias : client
private key password : client_key
keystore_password : oracle_client


You can modified the command line option as per your requirement.
Details about keytool can be found here.


>Export Certificate
Now we need to export certificates for above private keys.


To export certificate use following command -
keytool -export -alias server -file server.cert -keystore server.jks -storepass oracle_server




Above command will create a certificate file named server.cert
Similarly export client.cert from client.jks


> Import Certificate
Now we need to exchange these cetificates between client and server keystores.


To import client.cert to server.jks use below command -
keytool -import -alias client_cert -trustcacerts -file client.cert -keystore server.jks -storepass oracle_server


Alias for client's certificate will be client_cert


Similarly import server.cert to client.jks
Alias for server's certificate will be server_cert.


In this way we have created keystores, which are now available
to secure your channel.


Go to OWSM -
Steps for ServerAgent
>Request pipeline
Add step Decrypt and verify signature
Now you can configure it using server.jks
Decryptor's keystore password : oracle_server
Decryptor's private-key alias (*) : server
Decryptor's private-key password : server_key
Verifying Keystore password : oracle_server
Signer's public-key alias (*) : client_cert


>Response pipeline for server agent
Add step Sign Message And Encrypt
Configure it with server.jks
Signing Keystore password :oracle_server
Signer's private-key alias (*): server
Signer's private-key password : server_key
Encryption Keystore password : oracle_server
Decryptor's public-key alias (*) : client_cert


Similiary for client agent
 > Request pipeline
Add step Sign Message And Encrypt


> Response pipeline
Add step Decrypt and verify signature
Configure above steps using client.jks


Hence we have secured our channel in a standard way. You can
clearly visualize how exchange between client and server is
happening. Use Log step in OWSM to see the encrypted and signed
contents of Message.
Posted by
at 2:12 PM
More on :

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)