Creating Key Pairs for WS Trust

WS Trust Web Services Security is only possible in Single Mode.

Usage

Securing (generally) multiple Web services through a Security Token Service (STS) with two key pairs:

  • Key for authentication of a client on the STS server

  • Key for authentication of a client on the Web services

How it works

In the initial call of a Web service, the client authenticates itself first on the STS.

After successful authentication, the calling service receives the public key of the Web service from the STS, which enables access to the Web service.

Authentication on the STS is done with WS-SecureConversation just once.

To enable access to multiple Web services with a one-time authentication on the STS, all Web services in the group must use the same key pair.

Creating Self-Signed Security Token Service/STS Key Pair

Use

Authentication of a client on a Security Token Service

Proceed as follows

  1. Generate a key pair with the extension SubjectKeyIdentifier.

    Set the options according to your requirements (the C attribute must be a two-letter ISO country code):

    openssl req -x509 -days 9999 -nodes -newkey rsa:2048 -subj "/C=myCountry/ST=myState/L=myCity/O=myOrganization/OU=myDepartment/CN=myServerName" -keyout STS.key -out STS.crt -extensions v3_ca
  2. Convert the key pair generated in step 1 into the PKCS12 format in order to enable import into the Java keystore. You must assign a password.

    openssl pkcs12 -export -in STS.crt -inkey STS.key -out STS.p12
  3. Import the PKCS12 file into the Java keystore.

    keytool -importkeystore -srckeystore STS.p12 -srcstoretype pkcs12 -srcalias 1 -srcstorepass <yourPassword> -destkeystore STS.keystore.jks -destalias tomcat -deststorepass <yourPassword>

  4. Generate a JKS truststore with the STS certificate (STS.crt). Enter the password assigned in step 2 as the password.

    keytool -importcert -keystore STS.truststore.jks -file STS.crt -alias tomcat -storepass <yourPassword>

Creating a Self-Signed Service Key Pair

Use

Authentication of a client on a Security Token Service-protected Web service

Proceed as follows

  1. Generate a key pair with the extension SubjectKeyIdentifier.

    Set the options according to your requirements (the C attribute must be a two-letter ISO country code):

    openssl req -x509 -days 9999 -nodes -newkey rsa:2048 -subj "/C=myCountry/ST=myState/L=myCity/O=myOrganization/OU=myDepartment/CN=myServerName" -keyout SecuredService.key -out SecuredService.crt -extensions v3_ca
  2. Convert the key pair generated in step 1 into the PKCS12 format in order to enable import into the Java keystore. You must assign a password.

    openssl pkcs12 -export -in SecuredService.crt -inkey SecuredService.key -out SecuredService.p12
  3. Import the PKCS12 file into the Java keystore.

    keytool -importkeystore -srckeystore SecuredService.p12 -srcstoretype pkcs12 -srcalias 1 -srcstorepass <yourPassword> -destkeystore SecuredService.keystore.jks -destalias tomcat -deststorepass <yourPassword>
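The following script is an added example and is not part of the product documentation: it runs the procedure above (self-signed key pair, PKCS12 conversion, JKS keystore and truststore import) for both the STS key pair and the shared service key pair, and adds two checks a practitioner would want before deploying the files: that the certificate really carries the SubjectKeyIdentifier extension, and that the PKCS12 bundle contains the generated certificate and opens with the assigned password. It assumes openssl 1.1.1 or later on PATH; keytool is optional and the JKS steps are skipped when it is missing. The subject fields, the password and the output directory are constructed placeholders; the file names STS and SecuredService are the ones used on this page.

```shell
#!/bin/sh
# Added example, not the product's own tooling. Assumes openssl (1.1.1+ for
# -addext); keytool is optional. Subject fields and password are placeholders.
set -eu

# make_keypair NAME PASSWORD DIR
#   1. self-signed certificate + private key with a SubjectKeyIdentifier extension
#   2. PKCS12 bundle protected with PASSWORD
#   3. import into NAME.keystore.jks under alias "tomcat" (alias "1" is what a
#      PKCS12 entry without a friendlyName gets in Java, hence -srcalias 1)
#   4. truststore NAME.truststore.jks containing only the certificate
make_keypair() {
    name=$1; pass=$2; dir=$3
    mkdir -p "$dir"
    # -addext makes the SubjectKeyIdentifier requirement explicit instead of
    # relying on the v3_ca section of openssl.cnf. C= must be two letters.
    openssl req -x509 -days 9999 -nodes -newkey rsa:2048 \
        -subj "/C=XX/ST=myState/L=myCity/O=myOrganization/OU=myDepartment/CN=$name" \
        -addext "subjectKeyIdentifier=hash" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt"
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -out "$dir/$name.p12" -passout "pass:$pass"
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -srckeystore "$dir/$name.p12" -srcstoretype pkcs12 \
            -srcalias 1 -srcstorepass "$pass" \
            -destkeystore "$dir/$name.keystore.jks" -destalias tomcat \
            -deststorepass "$pass" -noprompt
        keytool -importcert -keystore "$dir/$name.truststore.jks" \
            -file "$dir/$name.crt" -alias tomcat -storepass "$pass" -noprompt
    else
        echo "keytool not found: skipping JKS import for $name" >&2
    fi
}

# has_ski CERT: succeeds only if the certificate carries the
# SubjectKeyIdentifier extension the procedure requires.
has_ski() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Key Identifier'
}

# p12_matches CERT P12 PASSWORD: the certificate inside the PKCS12 bundle is the
# one just generated (SHA-256 fingerprints agree) and PASSWORD opens the bundle.
# A wrong password yields an empty fingerprint and therefore a mismatch.
p12_matches() {
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    got=$(openssl pkcs12 -in "$2" -nokeys -clcerts -passin "pass:$3" 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || got=""
    [ "$want" = "$got" ]
}

# Demonstration: one key pair for the STS and one shared by all secured services.
OUT=$(mktemp -d)
PASS="changeit-placeholder"
for n in STS SecuredService; do
    make_keypair "$n" "$PASS" "$OUT"
    has_ski "$OUT/$n.crt"
    p12_matches "$OUT/$n.crt" "$OUT/$n.p12" "$PASS"
done
echo "key material written to $OUT"
```

Two design choices differ from the literal commands above. `-addext subjectKeyIdentifier=hash` requests the extension directly, so the result does not depend on an openssl.cnf that defines a `v3_ca` section; and the keytool steps are guarded so the openssl part can be verified on a host without a JDK. The `p12_matches` check is the one worth keeping in a build pipeline: it catches a bundle that was exported from the wrong certificate or protected with a password other than the one recorded for step 2.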