March 1, 2021
Hot Topics:

Securing Web Services in JBoss Application Server with WS-Security

  • By Javid Jamae & Peter Johnson
  • Send Email »
  • More Articles »

Generating the certificate

A web service request and response consists of two messages, each of which has to be encrypted. This is illustrated in figure 1. Although you could use the same certificate in both cases, you usually wouldn't want to do so in a production environment because it requires both the server and the client to have the same private key. Usually you want to keep your private key, well, private. Therefore, with a single client and a single server you need two certificates so that's what you generate.

You need two keystores and two truststores. Each keystore contains its own certificate and the public key of the certificate in the other keystore. The truststores contain the public keys of their corresponding certificates. This configuration is illustrated in figure 2.

Figure 2: Note the relationships among the certificates stored in the keystores and truststores. The sender uses the receiver's public key, which is stored in the keystore, to encrypt the message. The receiver uses its certificate, which contains both its public and private keys, to decrypt the message.

Here are the commands used to set up this configuration, using the keytool utility that ships with the JDK:

keytool -genkey -alias server -keyalg RSA -keystore server.keystore
keytool -genkey -alias client -keyalg RSA -keystore client.keystore
keytool -export -alias server -keystore server.keystore \
        -file server_pub.key
keytool -export -alias client -keystore client.keystore \
        -file client_pub.key
keytool -import -alias client -keystore server.keystore \
        -file client_pub.key
keytool -import -alias server -keystore client.keystore \
        -file server_pub.key
keytool -import -alias client -keystore client.truststore \
        -file client_pub.key
keytool -import -alias server -keystore server.truststore \
        -file server_pub.key

When you're creating the certificates (the first two commands), the keytool command asks for a password for both for the keystore and for the certificate. Remember the passwords you used. You'll need them later.

Securing the server using WS-Security

You have to complete two steps: configure the server to use its keystore and truststore and configure the web service to use that configuration.

The jboss-wsse-server.xml file identifies the keystore and the truststore to the server. For a POJO web service, place this file into the WEB-INF directory; for an EJB web service, place it into the META-INF directory. In this file, you also indicate that you want messages to be encrypted. Listing 4 shows the contents of the file.

Listing 4: Encryption-related security configuration file: jboss-wsse-server.xml

   // Reference #1
   // Reference #2
   // Reference #3
   // Reference #4
   // Reference #5
   // Reference #6
      // Reference #7
      <key-password alias="server" password="serverpwd" />
      // Reference #8
      <encrypt type="x509v3" alias="client" />
         // Reference #9
         <encryption />

The locations of the keystore (#1) and truststore (#4) files are relative to the base directory of the WAR file. The keystore and truststore use the same password (#3, #6); you probably want to use stronger passwords. The <key-store-type> (#2) and <trust-store-type> (#5) default to JKS, so you could leave these tags out. The server key password is provided by the <key-passwords> tag (#7) because that password is used to access the server certificate in the keystore. The <encryption/> tag (#9) requests that the message be encrypted using the alias provided by the <encrypt> tag (#8). The client's public key is used to encrypt the message on the server and is decrypted at the client using the client's private key from the client's keystore.

Add the @EndpointConfig annotation to the Hello class to indicate that you want to use WS-Security. Listing 5 is an excerpt from the updated Hello class, highlighting the added lines.

Listing 5: Encryption-related changes to the client

// Reference #1
import org.jboss.ws.annotation.EndpointConfig;
// Reference #2
@EndpointConfig(configName="Standard WSSecurity Endpoint")
public class Hello {...}

Page 2 of 5

This article was originally published on February 13, 2009

Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Thanks for your registration, follow us on our social networks to keep up-to-date