Aug 25, 2008

OWSM : Using Keystores

Today I'm going to talk about the creation of the keystore
for client side and server side, using java keytool.


As in earlier post, I talked about the policies to be applied
to secure web service, now I'll show you the creation of keystore
to sign and encrypt your channel between client and server.


> Create Keystores
Here I'm going to use java keytool to generate keystores.
This tool can be found at location
<java_home>/bin
Create two keystores to be used by client and server as :
Go to cmd prompt
keytool -genkey -alias server -keyalg RSA -keysize 1024 -keystore server.jks -storepass oracle_server -keypass server_key -dname "cn=Lalit Jolania, ou=oracle, o=lntinfotech, c=IN"




Above command will create a keystore file called : server.jks
with
private key alias : server
private key password : server_key
keystore password : oracle_server






Similarly create keystore for client : client.jks
with
private key alias : client
private key password : client_key
keystore_password : oracle_client


You can modified the command line option as per your requirement.
Details about keytool can be found here.


>Export Certificate
Now we need to export certificates for above private keys.


To export certificate use following command -
keytool -export -alias server -file server.cert -keystore server.jks -storepass oracle_server




Above command will create a certificate file named server.cert
Similarly export client.cert from client.jks


> Import Certificate
Now we need to exchange these cetificates between client and server keystores.


To import client.cert to server.jks use below command -
keytool -import -alias client_cert -trustcacerts -file client.cert -keystore server.jks -storepass oracle_server


Alias for client's certificate will be client_cert


Similarly import server.cert to client.jks
Alias for server's certificate will be server_cert.


In this way we have created keystores, which are now available
to secure your channel.


Go to OWSM -
Steps for ServerAgent
>Request pipeline
Add step Decrypt and verify signature
Now you can configure it using server.jks
Decryptor's keystore password : oracle_server
Decryptor's private-key alias (*) : server
Decryptor's private-key password : server_key
Verifying Keystore password : oracle_server
Signer's public-key alias (*) : client_cert


>Response pipeline for server agent
Add step Sign Message And Encrypt
Configure it with server.jks
Signing Keystore password :oracle_server
Signer's private-key alias (*): server
Signer's private-key password : server_key
Encryption Keystore password : oracle_server
Decryptor's public-key alias (*) : client_cert


Similiary for client agent
> Request pipeline
Add step Sign Message And Encrypt


> Response pipeline
Add step Decrypt and verify signature
Configure above steps using client.jks


Hence we have secured our channel in a standard way. You can
clearly visualize how exchange between client and server is
happening. Use Log step in OWSM to see the encrypted and signed
contents of Message.