How is x.509 used with EAP 6?

Solution Verified - Updated -

Environment

Red Hat JBoss EAP 6.x

Issue

Can an FAQ be established for questions pertaining to use of x.509 with EAP 6?

Resolution

What kind of options are available when configuring CXF endpoints with x.509?

There are several ways to configure endpoints with x.509. The options include:
- Use annotations to declare the configuration file, which is held in an external XML file.
- Use annotations to leverage a Policy Set, as documented in the JBossWS documentation.
- Include the policy definition in the WSDL used for top-down development, as explained by JBossWS.
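As an added example (not code from the Red Hat article or from JBossWS), here is what the first option looks like on an endpoint class: the WS-Security settings are kept in an external descriptor and selected by name with the JBossWS @EndpointConfig annotation. The class, service and descriptor names are hypothetical; the property names listed in the comment are the CXF ws-security keys that such a descriptor normally carries.

```java
import javax.jws.WebMethod;
import javax.jws.WebService;

import org.jboss.ws.api.annotation.EndpointConfig;

// Option 1: the WS-Security configuration lives in an external descriptor
// packaged with the deployment (WEB-INF/jaxws-endpoint-config.xml is a
// hypothetical path) and is selected by its config-name. A typical x.509
// endpoint-config in that file sets, among others:
//   ws-security.signature.properties  -> keystore/alias properties for signing
//   ws-security.encryption.properties -> keystore/alias properties for encryption
//   ws-security.callback-handler      -> CallbackHandler that supplies key passwords
// Because the descriptor only names resources and classes, the keystore
// password itself never appears in the endpoint code.
@WebService(serviceName = "GreeterService",              // hypothetical names
            targetNamespace = "http://example.org/greeter")
@EndpointConfig(configFile = "WEB-INF/jaxws-endpoint-config.xml",
                configName = "Custom WS-Security Endpoint")
public class GreeterEndpoint {

    // Ordinary JAX-WS operation; the signing/encryption is applied by the
    // CXF interceptors that the selected endpoint configuration enables.
    @WebMethod
    public String greet(String name) {
        return "Hello, " + name;
    }
}
```

The same class could instead carry a policy-set annotation (the second option) or be generated from a WSDL that embeds the policy (the third option); in all three cases the private-key password is still obtained through the callback handler discussed below.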

----------------------------------------------------------------------------

Can the endpoint configuration files for x.509 be externalized?

We offer two tools that can be used for this purpose: predefined endpoint configurations and policy sets.

Predefined endpoint configurations are documented at [1]; please note the text "The configuration is either coming from a descriptor that is included in the application deployment, or is included in the application server webservices subsystem management model." Put differently, these configurations can be placed in the application server configuration (i.e. standalone.xml, under the webservices subsystem) instead of being packaged as an application deployment artifact.

Policy Sets are pre-defined sets of policies that don't require a configuration file. These are explained at [2].

[1] https://docs.jboss.org/author/display/JBWS/Predefined+client+and+endpoint+configurations
[2] https://docs.jboss.org/author/display/JBWS/WS-Policy#WS-Policy-Policysets

----------------------------------------------------------------------------

When using x.509, a callback is required. Is such a callback really needed?

Yes. The callback is the mechanism that supplies (or compares) the password of a specific key in the keystore; without it the private key cannot be read, because it is protected by that password.

Can we somehow get rid of the callback class or use LDAP to manage the authentication?

No, we cannot. In CXF, the password callback class retrieves the password for a given identifier (a keystore alias or user name), so it does not matter where the password is stored: it can be kept in a hard-coded HashMap (the simplest approach) or in a properties file. With an LDAP server, however, the password is normally not retrievable, so LDAP cannot serve as the backing store for the callback handler.
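The following is an added example of such a callback handler, not code from the Red Hat article or from CXF/WSS4J. It assumes WSS4J 1.6 (the version bundled with EAP 6's CXF), whose password callback class is org.apache.ws.security.WSPasswordCallback, and it reads the alias-to-password table from a properties resource whose name (keystore-passwords.properties) and class name (KeystorePasswordCallback) are hypothetical. It answers only the SIGNATURE and DECRYPT usages, i.e. the private-key accesses an x.509 endpoint needs, and refuses everything else rather than handing out a password for an unexpected purpose.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

// Hypothetical handler; referenced from the endpoint configuration through
// the ws-security.callback-handler property.
public class KeystorePasswordCallback implements CallbackHandler {

    // Hypothetical resource with "alias=password" lines. Keeping it in a
    // properties file (ideally outside the deployment archive, on a module
    // path) is the alternative to a hard-coded map mentioned above.
    private static final String RESOURCE = "keystore-passwords.properties";

    private final Properties passwords;

    public KeystorePasswordCallback() throws IOException {
        this(loadFromClasspath(RESOURCE));
    }

    // Package-visible constructor so the table can be supplied directly,
    // e.g. from a unit test.
    KeystorePasswordCallback(Properties passwords) {
        this.passwords = passwords;
    }

    private static Properties loadFromClasspath(String name) throws IOException {
        InputStream in = KeystorePasswordCallback.class.getClassLoader().getResourceAsStream(name);
        if (in == null) {
            throw new IOException("password resource not found: " + name);
        }
        Properties p = new Properties();
        try {
            p.load(in);
        } finally {
            in.close();
        }
        return p;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            switch (pc.getUsage()) {
                case WSPasswordCallback.SIGNATURE:   // private key used to sign outbound messages
                case WSPasswordCallback.DECRYPT:     // private key used to decrypt inbound messages
                    String pw = passwords.getProperty(pc.getIdentifier());
                    if (pw == null) {
                        // Unknown alias: fail loudly instead of letting WSS4J
                        // proceed with a null password. Do not log the alias
                        // table or the password itself.
                        throw new IOException("no password configured for alias " + pc.getIdentifier());
                    }
                    pc.setPassword(pw);
                    break;
                default:
                    // USERNAME_TOKEN and other usages are not served by this
                    // x.509-only handler.
                    throw new UnsupportedCallbackException(cb, "unsupported usage " + pc.getUsage());
            }
        }
    }
}
```

The identifier WSS4J passes in is the keystore alias named by ws-security.signature.username or ws-security.encryption.username (or the alias found in the received message), so the properties file is keyed by alias, not by end-user name; this is also why an LDAP directory, which verifies passwords but does not return them, cannot back this handler.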

----------------------------------------------------------------------------

Is it possible to use different policies for incoming and outgoing messages?

Yes, it is possible. On both the server and the client side, incoming and outgoing messages can be assigned different WS-Security actions. For example, on the server the customer can configure the WSS4JInInterceptor with both the signature and encryption actions, and the WSS4JOutInterceptor with the encryption action only. Different policy files can likewise be used for input and output messages:

    @Policies({
        @Policy(placement = Policy.Placement.BINDING_OPERATION_INPUT, uri = "x509policy_input.xml", includeInWSDL = true),
        @Policy(placement = Policy.Placement.BINDING_OPERATION_OUTPUT, uri = "x509policy_output.xml", includeInWSDL = true)
    })

----------------------------------------------------------------------------

Can the ds:KeyInfo element be suppressed in the returned message, so it matches the message provided by a previous vendor?

KeyInfo is required under EncryptedData with WSS4J (which is used for EAP's ws-security). WSS4J actually defines an exception message
"noKeyinfo = EncryptedKey/EncryptedData does not contain ds:KeyInfo" in ws-security-common/src/main/resources/messages/wss4j_errors.properties

There is still a possible way to achieve the goal. CXF provides a TransformFeature that can perform dynamic transformation of inbound and/or outbound XML messages [1]. Please note that WS-Security is designed to prevent modification of the on-wire message so that the message stays intact, so the TransformFeature works against WS-Security by nature. If the message is only encrypted but not signed, the TransformFeature might be workable.

----------------------------------------------------------------------------

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
