WSO2 XKMS Implementation (XKMS 2.0)
Introduction
The XML Key Management Service Specification (a.k.a. XKMS) defines a standard way of
generating key pairs, storing public key information and retrieving public key
information. XKMS services can be exposed as Web services, which lets other
applications delegate part of their key information processing to those services.
Client applications of an XKMS service can therefore operate without any knowledge
of the Public Key Infrastructure that the XKMS service itself uses. XKMS consists of
two components, namely:
- Protocol Exchanges
  Consist of sequences of request/response pairs. This implementation focuses on
  synchronous, asynchronous and two-phase request protocols.
- Key Information Service (X-KISS)
  This set of services allows the client application to retrieve information about
  a public key. It has the following operations:
  - Locate
  - Validate
- Key Registration Service (X-KRSS)
  This set of services allows the client application to register the public key of
  a client-generated key pair, retrieve the private key of a server-generated key
  pair, revoke a registered public key and recover a private key issued by the
  server. It has the following operations:
  - Register
  - Reissue
  - Revoke
  - Recover
Implementation
The WSO2 XKMS Implementation allows users to expose a Java keystore via the following
XKMS operations.
- Registration of a Key Pair
  This allows the client to register a public key with the XKMS service. The XKMS
  service uses the metadata specified in the Register request to generate an
  X509Certificate for the given public key and stores it in the underlying Java
  keystore as an X509Certificate. If no public key is specified in the Register
  request, the server generates an RSA key pair and sends the private key back to
  the client in an encrypted block.
  Please refer to the XKMS sample to see how to use an XKMS client to register a
  public key with an XKMS server.
- Reissuing of an X509Certificate
  This allows the client to reissue an X509Certificate with the new credentials
  specified in the Reissue request. For example, the client may request the server
  to reissue an X509Certificate with a new validity interval. However, the specified
  credentials are only advisory to the service.
  Please refer to the XKMS sample to see how to use an XKMS client to send a reissue
  request to an XKMS service.
- Recovering a Key Pair
  This allows the client to recover the key (and the private key, for
  server-generated key pairs) if it is lost. The private key is presented inside an
  encrypted block.
  Please refer to the XKMS sample to see how to use an XKMS client to send a recover
  request to an XKMS service.
- Locating a Public Key / X509Certificate
  This allows the client to use an XKMS service to locate a public key or
  X509Certificate. The XKMS service may reply with more than one public key or
  X509Certificate if the query has multiple matches. The client may use the alias
  of the key as the key name in the query.
  Please refer to the XKMS sample to see how to use an XKMS client to send a locate
  request to an XKMS service.
- Validating a Public Key or an X509Certificate
  This allows the client to validate a public key or an X509Certificate using the
  XKMS service. The XKMS service replies whether the public key or the
  X509Certificate is trustworthy.
  Please refer to the XKMS sample to see how to use an XKMS client to send a validate
  request to the XKMS service.
Configuration
The XKMS service can be configured by editing the following parameters of the service.
- org.wso2.xkms2.service.crypto.authen.code
  Specifies the authentication code used to authenticate client requests.
- org.wso2.xkms2.service.crypto.keystore.location
  Specifies the location of the Java keystore to be used as the key store of the
  XKMS service.
- org.wso2.xkms2.service.crypto.keystore.password
  Specifies the password of the above keystore.
- org.wso2.xkms2.service.crypto.server.cert.alias
  Specifies the alias of the XKMS server certificate. This is used to sign all
  outgoing XKMS messages.
- org.wso2.xkms2.service.crypto.server.key.password
  Specifies the private key password of the service. This is used to sign all
  outgoing XKMS messages.
- org.wso2.xkms2.service.crypto.issuer.cert.alias
  Specifies the alias of the Issuer certificate, which is used as the issuer
  certificate when generating certificates for public keys specified in Register
  requests.
- org.wso2.xkms2.service.crypto.issuer.key.password
  Specifies the password of the Issuer private key. This is used when generating
  certificates for public keys specified in Register requests.
- org.wso2.xkms2.service.crypto.default.private.key.password
  Specifies the password used to store server-generated private keys.
- org.wso2.xkms2.service.crypto.default.expriy.interval
  Specifies the default validity interval of generated certificates. A client can
  request to limit the validity period to a value less than the default, but cannot
  increase it beyond the default period.
- org.wso2.xkms2.service.crypto.persistence.enabled
  Sets the flag to enable persistence. If set, the Java keystore is persisted when
  keys are uploaded.
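To make the Locate and Validate operations above and the validity-interval rule from the configuration concrete, here is an added example (not WSO2's own code) of the checks a keystore-backed XKMS service performs. It assumes a JKS file whose path, password and issuer alias correspond to the keystore.location, keystore.password and issuer.cert.alias parameters; the class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example, not WSO2's code: the keystore-backed checks behind Locate and
// Validate, plus the validity-interval clamp described under Configuration.
public class XkmsKeystoreChecks {
    private final KeyStore ks;
    private final X509Certificate issuerCert;  // entry named by issuer.cert.alias
    private final long defaultExpiryMillis;    // default.expriy.interval
    public XkmsKeystoreChecks(String path, char[] password, String issuerAlias,
                              long defaultExpiryMillis) throws Exception {
        ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        issuerCert = (X509Certificate) ks.getCertificate(issuerAlias);
        if (issuerCert == null) throw new IllegalStateException("no issuer entry: " + issuerAlias);
        this.defaultExpiryMillis = defaultExpiryMillis;
    }
    // Locate: KeyName is matched against keystore aliases; all matches are returned,
    // so the reply may carry more than one certificate.
    public List<X509Certificate> locate(String keyName) throws Exception {
        List<X509Certificate> hits = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (alias.equalsIgnoreCase(keyName) && c instanceof X509Certificate) hits.add((X509Certificate) c);
        }
        return hits;
    }
    // Validate: trustworthy = chains to the issuer certificate and is within its
    // validity period. Revocation is off because no CRL/OCSP source is configured here.
    public boolean validate(X509Certificate cert) throws Exception {
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(issuerCert, null)));
        params.setRevocationEnabled(false);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Collections.singletonList(cert));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException ex) {
            return false;  // expired, not yet valid, bad signature, or wrong issuer
        }
    }
    // Clamp: a client may shorten the validity interval but never extend it past the default.
    public long effectiveValidityMillis(long requestedMillis) {
        return requestedMillis <= 0 ? defaultExpiryMillis : Math.min(requestedMillis, defaultExpiryMillis);
    }
}
```

A Validate answer from this class says nothing about revocation; the real service is expected to consult its own revocation state for keys revoked through the Revoke operation.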
Enabling WSAS to use an XKMS service
You can configure WSO2 WSAS to use an XKMS server to locate and validate public keys
and X.509 certificates when applying WS-Security. You can do this by un-commenting
the following parameter in the axis2.xml file in the AXIS2_HOME/conf directory.
<parameter name="XKMSConfig" enabled="true">
<URL>http://127.0.0.1:9762/services/xkms</URL>
<PassPhrase>secret</PassPhrase>
</parameter>
Once it is enabled, the WSAS Crypto implementation falls back to the XKMS service for
key retrieval and validation as a last resort, i.e. only when the key or the
certificate is not available in the local keystores.