transportBinding httpsToken not taken from conduit tlsClientParameters


vlad.balan
Hello

Can someone help me and tell me why the HttpsToken policy

    <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
            <sp:TransportToken>
                <wsp:Policy>
                    <sp:HttpsToken>
                        <wsp:Policy>
                            <sp:RequireClientCertificate/>
                        </wsp:Policy>
                    </sp:HttpsToken>
                </wsp:Policy>
            </sp:TransportToken>
            <sp:Layout>
                <wsp:Policy>
                    <sp:Strict/>
                </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
            <sp:AlgorithmSuite>
                <wsp:Policy>
                    <sp:Basic128/>
                </wsp:Policy>
            </sp:AlgorithmSuite>
        </wsp:Policy>
    </sp:TransportBinding>



does not take its parameters (certificates, etc.) from the conduit (client
side) / engine (server side)

http:tlsClientParameters element

( sample:


    <http:conduit name="{http://apache.org/hello_world_soap_http}SoapPort.http-conduit">
        <http:tlsClientParameters disableCNCheck="true">
            <sec:keyManagers keyPassword="ckpass">
                <sec:keyStore file="src/main/config/clientKeystore.jks" password="cspass" type="JKS"/>
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore file="src/main/config/clientKeystore.jks" password="cspass" type="JKS"/>
            </sec:trustManagers>
        </http:tlsClientParameters>
    </http:conduit>
)


and instead needs to explicitly specify them (in the properties of the client or
server endpoint)




    <jaxws:client name="{http://apache.org/hello_world_soap_http}SoapPort">
        <jaxws:properties>
            <entry key="security.signature.properties" value="security.signature.properties"/>
            <entry key="security.encryption.properties" value="security.signature.properties"/>

....


Thanks




--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
Re: transportBinding httpsToken not taken from conduit tlsClientParameters

coheigea
Administrator
The properties you're referring to ("security.signature.properties") are
used for WS-Security (e.g. signing/encrypting the SOAP message). The TLS
keys/certs are used for the Transport layer. In the policy example you
gave, you don't need to configure "security.signature.properties" at all,
as there are no message signing policies.

Colm.

On Mon, Jan 22, 2018 at 2:49 PM, vlad.balan <[hidden email]> wrote:

> Hello
>
> Can someone help me and tell me why the HttpsToken policy
>
>     <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>             <sp:TransportToken>
>                 <wsp:Policy>
>                     <sp:HttpsToken>
>                         <wsp:Policy>
>                             <sp:RequireClientCertificate/>
>                         </wsp:Policy>
>                     </sp:HttpsToken>
>                 </wsp:Policy>
>             </sp:TransportToken>
>             <sp:Layout>
>                 <wsp:Policy>
>                     <sp:Strict/>
>                 </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp/>
>             <sp:AlgorithmSuite>
>                 <wsp:Policy>
>                     <sp:Basic128/>
>                 </wsp:Policy>
>             </sp:AlgorithmSuite>
>         </wsp:Policy>
>     </sp:TransportBinding>
>
>
>
> does not take its parameters (certificates, etc.) from the conduit (client
> side) / engine (server side)
>
> http:tlsClientParameters element
>
> ( sample:
>
>
>     <http:conduit name="{http://apache.org/hello_world_soap_http}SoapPort.http-conduit">
>         <http:tlsClientParameters disableCNCheck="true">
>             <sec:keyManagers keyPassword="ckpass">
>                 <sec:keyStore file="src/main/config/clientKeystore.jks" password="cspass" type="JKS"/>
>             </sec:keyManagers>
>             <sec:trustManagers>
>                 <sec:keyStore file="src/main/config/clientKeystore.jks" password="cspass" type="JKS"/>
>             </sec:trustManagers>
>         </http:tlsClientParameters>
>     </http:conduit>
> )
>
>
> and instead needs to explicitly specify them (in the properties of the client or
> server endpoint)
>
>
>
>
>     <jaxws:client name="{http://apache.org/hello_world_soap_http}SoapPort">
>         <jaxws:properties>
>             <entry key="security.signature.properties" value="security.signature.properties"/>
>             <entry key="security.encryption.properties" value="security.signature.properties"/>
>
> ....
>
>
> Thanks
>
>
>
>
> --
> Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
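
The layer split described in the reply above, as an added example that is not part of the original thread: for the posted TransportBinding policy, key material is configured only at the transport layer, and no WS-Security property entries are needed. The Jetty engine, port 9001, and the server keystore path and passwords are placeholders assumed for illustration; client and server beans normally live in separate Spring contexts.

```xml
<!-- Added example, not from the thread. Server-side values are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Client side: the key manager supplies the client certificate for the TLS
       handshake; the trust manager validates the server certificate.
       disableCNCheck is left at its default (false) so hostname checking stays on. -->
  <http:conduit name="{http://apache.org/hello_world_soap_http}SoapPort.http-conduit">
    <http:tlsClientParameters>
      <sec:keyManagers keyPassword="ckpass">
        <sec:keyStore type="JKS" password="cspass" file="src/main/config/clientKeystore.jks"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="cspass" file="src/main/config/clientKeystore.jks"/>
      </sec:trustManagers>
    </http:tlsClientParameters>
  </http:conduit>

  <!-- Server side: required="true" rejects TLS handshakes without a client certificate. -->
  <httpj:engine-factory bus="cxf">
    <httpj:engine port="9001">
      <httpj:tlsServerParameters>
        <sec:keyManagers keyPassword="SERVER_KEY_PASSWORD_PLACEHOLDER">
          <sec:keyStore type="JKS" password="SERVER_STORE_PASSWORD_PLACEHOLDER"
                        file="path/to/serviceKeystore.jks"/>
        </sec:keyManagers>
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="SERVER_STORE_PASSWORD_PLACEHOLDER"
                        file="path/to/serviceKeystore.jks"/>
        </sec:trustManagers>
        <sec:clientAuthentication want="true" required="true"/>
      </httpj:tlsServerParameters>
    </httpj:engine>
  </httpj:engine-factory>

  <!-- No security.signature.properties / security.encryption.properties entries:
       the posted policy has no message-level signing or encryption assertions. -->
</beans>
```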
Re: transportBinding httpsToken not taken from conduit tlsClientParameters

vlad.balan
Thanks for the reply.

I was not clear.

See my other post


"can supportingToken X509Token come directly from conduit
tlsClientParameters"...

From one of your posts here

http://cxf.547215.n5.nabble.com/x-509-security-token-tp5150380p5485643.html

I understood that supportingToken X509Token can come from
TransportBinding/HttpsToken and since that one comes from
tlsClientParameters it should be enough. But when I tried, it asks for those
client properties.


Thanks.




