Red Hat Summit7.21.2.6. X509 Certificate TokenJBOSSCC-50
To configure encryption, you must specify the items in Example 7.5, “X509 Encryption Configuration”. The configuration is the same for clients and servers.
Example 7.5. X509 Encryption Configuration
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/ws-security/config
http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
(1) <key-store-file>WEB-INF/bob-sign_enc.jks</key-store-file>
<key-store-password>password</key-store-password>
<key-store-type>jks</key-store-type>
<trust-store-file>WEB-INF/wsse10.truststore</trust-store-file>
<trust-store-password>password</trust-store-password>
<config>
<timestamp ttl="300"/>
(2) <sign type="x509v3" alias="1" includeTimestamp="true"/>
(3) <encrypt type="x509v3"
alias="alice"
algorithm="aes-256"
keyWrapAlgorithm="rsa_oaep"
tokenReference="keyIdentifier" />
(4) <requires>
<signature/>
<encryption/>
</requires>
</config>
</jboss-ws-security>- Keystore and Truststore information: location of each store, the password, and type of store.
- Signature configuration: you must provide the certificate and key pair aliases to use.
includeTimestampspecifies whether the timestamp is signed to prevent tampering. - Encryption configuration: you must provide the certificate and key pair aliases to use. Refer to Algorithms for more information.
- Optional security requirements: incoming messages must be both signed, and encrypted.
When replying to multiple clients, a service provider must encrypt a message according to its destination using the correct public key. The JBossWS native implementation of WS-Security obtains the correct key to use from the signature received (and verified) in the incoming message.
Example 7.6. Dynamic Encryption Configuration
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/ws-security/config
http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
<key-store-file>WEB-INF/bob-sign_enc.jks</key-store-file>
<key-store-password>password</key-store-password>
<key-store-type>jks</key-store-type>
<trust-store-file>WEB-INF/wsse10.truststore</trust-store-file>
<trust-store-password>password</trust-store-password>
<config>
<timestamp ttl="300"/>
<sign type="x509v3" alias="1" includeTimestamp="true"/>
(1) <encrypt type="x509v3"
algorithm="aes-256"
keyWrapAlgorithm="rsa_oaep"
tokenReference="keyIdentifier" />
<requires>
(2) <signature/>
<encryption/>
</requires>
</config>
</jboss-ws-security>Asymmetric and symmetric encryption is performed whenever the <encrypt> element is declared. Message data are encrypted using a generated symmetric secured key. This key is written in the SOAP header after being encrypted (wrapped) with the receiver public key. You can set both the encryption and key wrap algorithms.
- AES 128 (aes-128) (default)
- AES 192 (aes-192)
- AES 256 (aes-256)
- Triple DES (triple-des)
- RSA v1.5 (rsa_15) (default)
- RSA OAEP (rsa_oaep)
Note
For interoperability reasons, you may need to configure the type of reference to encryption token to be used. For example, Microsoft Indigo does not support direct reference to local binary security tokens which are the default reference type used by JBossWS.
tokenReference attribute in the <encrypt> element. The values for the tokenReference attribute are:
directReference(default)keyIdentifier- specifies the token data by means of an X509 SubjectKeyIdentifier reference.x509IssuerSerial- uniquely identifies an end entity certificate by its X509 Issuer and Serial Number
Note
JBossWS gives you precise control over elements that must be signed or encrypted. This allows you to encrypt important data only (such as credit card numbers) instead of other, security-trivial, information exchanged by the same service (email addresses, for example). To configure this, you must specify the Qualified Name (qname) of the SOAP elements to encrypt. The default behavior is to encrypt the whole SOAP body.
<encrypt type="x509v3" alias="alice">
<targets>
<target type="qname">{http://www.my-company.com/cc}CardNumber</target>
<target type="qname">{http://www.my-company.com/cc}CardExpiration</target>
<target type="qname" contentOnly="true">{http://www.my-company.com/cc}CustomerData</target>
</targets>
</encrypt>
Signature verification errors can occur in signed message payloads that contain carriage returns (\r) due to the way the special character is parsed by XML parsers. To prevent this issue, you can choose to implement custom encoding before sending the payload. Users can either encrypt the message, or force JBossWS to perform canonical normalization of messages.
true in the MessageContext. The property must be set just before the invocation on the client side and in the endpoint implementation.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}