Creating Key Pairs for WS Trust
WS Trust Web Services Security is only possible in Single Mode. |
Usage
Securing (generally) multiple Web services through a Security Token Service (STS) with two key pairs
-
Key for authentication of a client on the STS server
-
Key for authentication of a client on the Web services
How it works
In the initial call of a Web service, the client authenticates itself first on the STS.
After successful authentication, the calling service receives the public key of the Web service from the STS, which enables access to the Web service.
Authentication on the STS is done with WS-Secure-Conversation just once.
To enable access to multiple Web services with a one-time authentication on the STS, all Web services in the group must use the same key pair.
Creating Self-Signed Security Token Service/STS Key Pair
Use
Authentication of a client on a Security Token Service
Proceed as follows
-
Generate a key pair with the extension
SubjectKeyIdentifier
.Set the options according to your requirements:
openssl req -x509 -days 9999 -nodes -newkey rsa:2048 -subj "/C=myCountry/ST=myState/L=myCity/O=myOrganization/OU=myDepartment/CN=myServerName" ‑keyout STS.key -out STS.crt -extensions v3_ca
-
Convert the key pair generated in step 1 into the PKCS12 format in order to enable import into the Java keystore. You must assign a password.
openssl pkcs12 -export -in STS.crt -inkey STS.key -out STS.p12
-
Import the PKCS12 file into the Java keystore.
keytool -importkeystore -srckeystore STS.p12 -srcstoretype pkcs12 ‑srcalias 1 -srcstorepass <yourPassword> -destkeystore STS.keystore.jks ‑destalias tomcat -deststorepass <yourPassword>
Generate a JKS truststore with the service certificate. Enter the password assigned in step 2 as the password.
keytool -importcert -keystore STS.truststore.jks -file STS.crt ‑alias tomcat -storepass inubit
Creating a Self-Signed Service Key Pair
Use
Authentication of a client on a Security Token Service-protected Web service
Proceed as follows
-
Generate a key pair with the extension
SubjectKeyIdentifier
.Set the options according to your requirements:
openssl req -x509 -days 9999 -nodes -newkey rsa:2048 -subj "/C=myCountry/ST=myState/L=myCity/O=myOrganization/OU=myDepartment/CN=myServerName" ‑keyout SecuredService.key -out SecuredService.crt -extensions v3_ca
-
Convert the key pair generated in step 1 into the PKCS12 format in order to enable import into the Java keystore. You must assign a password.
openssl pkcs12 -export -in SecuredService.crt -inkey SecuredService.key ‑out SecuredService.p12
-
Import the PKCS12 file into the Java keystore.
keytool -importkeystore -srckeystore SecuredService.p12 ‑srcstoretype pkcs12 -srcalias 1 -srcstorepass INUBIT ‑destkeystore SecuredService.keystore.jks -destalias tomcat ‑deststorepass <yourPassword>