XKMS Sample Guide

INTRODUCTION

This sample demonstrates how to register a client-side generated (or server-side generated) key pair, how to send a reissue request to an XKMS server asking for the credentials of an issued certificate to be changed, how to recover a server-generated key pair, how to locate a certificate, and how to validate a certificate.

HOW TO BUILD THE SAMPLE

The XKMS sample is located in the samples directory under the WSO2WSAS root directory.

Prerequisites

To build the samples you will need the Apache Ant build tool.

Follow these steps:

  1. Start the WSO2WSAS server
  2. In another terminal, change directory to the XKMS sample directory,
     e.g. cd C:\wso2wsas-2.1\samples\XKMS
  3. Type ant and press enter,
     e.g. C:\wso2wsas-x.x\samples\XKMS>ant

HOW TO CONFIGURE SERVICES

To configure the XKMS service, follow these steps:

  1. Sign in to WSAS
  2. Click on the Services link in the Manage section of the left hand side panel
  3. Click on the xkms link in the Services column of the Service and Service Group Management table
  4. Click on the Edit Service Parameters link
  5. Change/update the following parameter values:

     Parameter Name                                                       Value
     org.wso2.xkms2.service.crypto.persistence.enabled                    false
     org.wso2.xkms2.service.crypto.authen.code                            secret
     org.wso2.xkms2.service.crypto.keystore.password                      password
     org.wso2.xkms2.service.crypto.default.expriy.interval                365
     org.wso2.xkms2.service.crypto.default.private.key.password           password
     org.wso2.xkms2.service.crypto.keystore.location                      C:\wso2wsas.home\samples\XKMS\conf\keystore.jks
     org.wso2.xkms2.service.crypto.issuer.cert.aliase                     alice
     org.wso2.xkms2.service.crypto.issuer.key.password                    password
     org.wso2.xkms2.service.crypto.server.cert.aliase                     bob
     org.wso2.xkms2.service.crypto.server.key.password                    password

Figure: XKMS Edit Parameters
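Before starting the service it is worth confirming that the keystore named in the parameters above actually opens with the configured store password and that the issuer and server aliases each hold a private key the configured key password unlocks, since a mismatch only surfaces later as a failed registration or reissue. The following check is an added example, not code from the WSO2 sample; the path, aliases and passwords are the values from the table above and should be adjusted to your install.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

/**
 * Pre-flight check for the XKMS service parameters: opens the keystore from
 * org.wso2.xkms2.service.crypto.keystore.location with the configured store
 * password and verifies that the issuer and server aliases are usable.
 * Added example; values mirror the "Edit Service Parameters" table.
 */
public class XkmsKeystoreCheck {

    public static void main(String[] args) throws Exception {
        // Values taken from the parameter table; change the path for your install
        String keystoreLocation = "C:\\wso2wsas.home\\samples\\XKMS\\conf\\keystore.jks";
        String keystorePassword = "password";   // ...crypto.keystore.password
        check(keystoreLocation, keystorePassword, "alice", "password"); // issuer.cert.aliase / issuer.key.password
        check(keystoreLocation, keystorePassword, "bob", "password");   // server.cert.aliase / server.key.password
    }

    static void check(String location, String storePass, String alias, String keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(location)) {
            // Throws IOException if the store password does not match
            ks.load(in, storePass.toCharArray());
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' is missing or holds no private key");
        }
        // UnrecoverableKeyException here means the configured key password is wrong
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass.toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        // Fails if the certificate is expired or not yet valid
        cert.checkValidity();
        System.out.println(alias + ": " + key.getAlgorithm() + " key, subject "
                + cert.getSubjectX500Principal() + ", valid until " + cert.getNotAfter());
    }
}
```

Run it with the same JDK that runs WSAS so that the JKS provider behaviour matches; any exception names the parameter that needs fixing.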

RUNNING THE CLIENT

The sample clients will access keystore.jks, a Java key store, to retrieve any required key information. For example, the Reissue service demo will use the certificate with the alias "bob" and send it to the server with new credentials, asking it to reissue the certificate.

Run the XKMS service demo application to see how client applications access the XKMS service:

  1. Switch to the XKMS sample directory
  2. Run run-client.bat (or run-client.sh on Linux)
  3. Enter the number of the demo you want to run, e.g.

        [1] Run Registration Servcie Demo (1)
        [2] Run Registration Servcie Demo (2)
        [3] Run Reissue Service Demo
        [4] Run Recovery Service Demo
        [5] Run Locate Service Demo
        [6] Run Validate Service Demo
        [7] Exit
        Enter your choice :
        1

  4. The results will be printed on the screen