Aug 25, 2008

OWSM : Using Keystores

Today I'm going to talk about the creation of the keystore
for client side and server side, using java keytool.

As in earlier post, I talked about the policies to be applied
to secure web service, now I'll show you the creation of keystore
to sign and encrypt your channel between client and server.

> Create Keystores
Here I'm going to use java keytool to generate keystores.
This tool can be found at location
Create two keystores to be used by client and server as :
Go to cmd prompt
keytool -genkey -alias server -keyalg RSA -keysize 1024 -keystore server.jks -storepass oracle_server -keypass server_key -dname "cn=Lalit Jolania, ou=oracle, o=lntinfotech, c=IN"

The above command will create a keystore file called server.jks with:
private key alias : server
private key password : server_key
keystore password : oracle_server

Similarly create keystore for client : client.jks
private key alias : client
private key password : client_key
keystore_password : oracle_client

You can modify the command-line options as per your requirement.
Details about keytool can be found here.

> Export Certificate
Now we need to export certificates for above private keys.

To export certificate use following command -
keytool -export -alias server -file server.cert -keystore server.jks -storepass oracle_server

The above command will create a certificate file named server.cert.
Similarly export client.cert from client.jks

> Import Certificate
Now we need to exchange these certificates between the client and server keystores.

To import client.cert to server.jks use below command -
keytool -import -alias client_cert -trustcacerts -file client.cert -keystore server.jks -storepass oracle_server

Alias for client's certificate will be client_cert

Similarly import server.cert to client.jks
Alias for server's certificate will be server_cert.

In this way we have created keystores, which are now available
to secure your channel.

Go to OWSM -
Steps for ServerAgent
> Request pipeline
Add step Decrypt and verify signature
Now you can configure it using server.jks
Decryptor's keystore password : oracle_server
Decryptor's private-key alias (*) : server
Decryptor's private-key password : server_key
Verifying Keystore password : oracle_server
Signer's public-key alias (*) : client_cert

> Response pipeline for server agent
Add step Sign Message And Encrypt
Configure it with server.jks
Signing Keystore password :oracle_server
Signer's private-key alias (*): server
Signer's private-key password : server_key
Encryption Keystore password : oracle_server
Decryptor's public-key alias (*) : client_cert

Similarly for the client agent
> Request pipeline
Add step Sign Message And Encrypt

> Response pipeline
Add step Decrypt and verify signature
Configure above steps using client.jks
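To see outside OWSM what those four pipeline steps do with the two keystores, here is an added Java example (not OWSM's code and not from the original post). It assumes server.jks and client.jks were created with the commands above and sit in the working directory; the message text and the algorithm names are my choices, not OWSM's.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import javax.crypto.Cipher;

public class KeystoreExchangeDemo {
    // Load a JKS keystore; paths and passwords are the ones from the keytool commands above.
    static KeyStore load(String path, String storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass.toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore client = load("client.jks", "oracle_client");
        KeyStore server = load("server.jks", "oracle_server");
        byte[] msg = "<soap:Body>hello</soap:Body>".getBytes(StandardCharsets.UTF_8); // constructed sample

        // Client request pipeline ("Sign Message And Encrypt"): sign with the client's
        // own private key, encrypt to the server's public key held under alias server_cert.
        PrivateKey clientKey = (PrivateKey) client.getKey("client", "client_key".toCharArray());
        PublicKey serverPub = client.getCertificate("server_cert").getPublicKey();
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(clientKey);
        signer.update(msg);
        byte[] sig = signer.sign();
        Cipher enc = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        enc.init(Cipher.ENCRYPT_MODE, serverPub);
        byte[] ciphertext = enc.doFinal(msg); // short payload encrypted directly; WS-Security would wrap a symmetric key instead

        // Server request pipeline ("Decrypt and verify signature"): decrypt with the
        // server's private key, verify with the client's certificate held under alias client_cert.
        PrivateKey serverKey = (PrivateKey) server.getKey("server", "server_key".toCharArray());
        PublicKey clientPub = server.getCertificate("client_cert").getPublicKey();
        Cipher dec = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        dec.init(Cipher.DECRYPT_MODE, serverKey);
        byte[] plain = dec.doFinal(ciphertext);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(clientPub);
        verifier.update(plain);
        System.out.println("decrypted : " + new String(plain, StandardCharsets.UTF_8));
        System.out.println("signature valid : " + verifier.verify(sig)); // true only if client_cert really is the client's certificate
    }
}
```

The response pipeline is the same exchange with the roles swapped: the server signs with alias server and encrypts to client_cert, and the client decrypts with alias client and verifies against server_cert.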

Hence we have secured our channel in a standard way. You can
clearly visualize how the exchange between client and server is
happening. Use the Log step in OWSM to see the encrypted and signed
contents of the message.