Keystore and configuration notes

The files

  • axis2.xml (client side) names the security properties file (sec-client.properties) and the user who will sign the message, and specifies that outflow messages are to be signed and timestamped and that inflow messages are to be timestamped. Axis2 locates this file through the -Daxis2.xml=<pathname> Java option, or programmatically via System.setProperty("axis2.xml", <pathname>).
  • services.xml (packaged in the aar as META-INF/services.xml) names the security properties file to use on the server side (sec-server.properties) and specifies that inflow messages must be signed and timestamped and that outflow messages are timestamped.
  • sec-client.properties (name specified in axis2.xml) holds the name and password of the keystore the client uses when signing a message. It must be on the client's classpath. Since it carries the keystore password in clear text, keep its file permissions restricted to the user running the client.
  • repo/sec-client.properties is the file the server uses when it acts as a client, i.e. when forwarding a request to an adjacent domain (name specified in $CATALINA_HOME/shared/oscars.conf/axis2.repo/axis2.xml). It holds the name and password of the keystore used to sign a forwarded message; those messages are signed with the server credential, oscars-dev.es.net or oscars-test.es.net. It must be on the classpath of the forwarding side. The ant setupserver task puts it in $CATALINA_HOME/shared/classes/repo.
  • sec-server.properties (name specified in services.xml) holds the name and password of the keystore the server uses to verify signed messages. It must be on the server's classpath (it is packaged inside OSCARS.aar).
  • sec-client.jks holds a keyEntry for the client that signs the message and trustedCertEntries for the trusted CAs, e.g. every CA in the chain that issued the user's certificate. Must be on the classpath.
  • ssl-keystore.jks is used by the client when establishing the SSL connection to the Tomcat server. It needs trustedCert entries for the server and its issuer chain, e.g. oscars-dev.es.net, oscars-test.es.net, "ESnet SSL Server Certificates" and "ESnet Root CA 1". Its location is hard-coded into KeyManagement.java as System.setProperty("javax.net.ssl.trustStore", repo + "/ssl-keystore.jks"), where repo is the string passed to setKeyStore(String repo). It is purely a trust store and should hold no keyEntry.
  • /root/.keystore is the keystore the Tomcat server uses when accepting the SSL connection. Its name is given by the keystoreFile attribute in $CATALINA_HOME/conf/server.xml. It must contain a keyEntry for the server (possibly under alias tomcat), e.g. oscars-dev.es.net, and trustedCert entries for the issuers of that cert.
  • net/es/oscars/client/security/PWCallback.java is the password callback that supplies the password(s) for the keys in sec-client.jks when a message is signed. Must be on the classpath. Because the password is compiled into this class, protect the compiled class file as carefully as the keystore itself.
    Client side

    Needs an axis2.xml file to generate signed messages.

    Needs sec-client.properties to define the keystore file and password.

    Needs sec-client.jks with the keyEntry for the user who will sign messages. As distributed, this file contains only the trustedCertEntries; the user adds their own key/cert to it. See exampleClients.html for instructions on how to do this.

    Needs ssl-keystore.jks to hold the trustedCert entries for the SSL connection to the Tomcat server. The name and the password for this file are hard-coded into net.es.oscars.client.security.KeyManagement.

    The default ant task in examples/javaClients/build.xml creates and populates a repo directory with all these pieces. The user may want to edit axis2.xml to choose a different user to sign the message, and may want to add further keyEntries to sec-client.jks. Copy any edited files somewhere safe, since the repo directory is purged and recreated each time ant is run.

    Server side

    OSCARS needs the properties and keystore referenced in OSCARS.aar:META-INF/services.xml.
    services.xml comes from conf/public/server/services.xml. The properties and keystore files are installed at the top level of OSCARS.aar and come from conf/public/server. The keystore only needs trustedCertEntries, since response messages are not signed.

    Tomcat needs the keystore referenced in ${catalina.home}/conf/server.xml to do server-side SSL.
    If no keystoreFile attribute is specified on the https Connector element of server.xml, the file ~/.keystore is used.
    If no keystorePass attribute is specified, the password is "changeit", a well-known default that should be changed on any production server.
    On oscars-dev the keystoreFile attribute of the Connector for port 9090 is /root/.keystore. That keystore contains a keyEntry for the oscars-dev cert/key under alias tomcat and the trustedCert entries for that key's issuers.

    Server acting as client, e.g. when forwarding a request to the next domain

    Needs the trustedCertEntries and the oscars-dev keyEntry (not distributed outside of LBL; kept in conf/private/sec-client.jks). The ant task setupServer creates a repo directory with the necessary axis2.xml, sec-client.properties and sec-client.jks in the ${catalina.home}/shared/oscars.conf/axis2-repo directory.
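    The sections above describe what each keystore must contain: sec-client.jks and Tomcat's keystore need a keyEntry plus the issuer chain, ssl-keystore.jks needs only trustedCertEntries, and the Tomcat keystore password defaults to "changeit". The following is an added example, not OSCARS code, that checks a repo directory against those requirements using the standard java.security.KeyStore API. The argument order, the class name KeystoreAudit and the Report/check helpers are assumptions made for this example; the file names, the alias "tomcat" and the javax.net.ssl.trustStore property come from the notes above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/*
 * Added example, not OSCARS code. Audits the keystores described in the notes.
 * Usage: java KeystoreAudit <repo> <sec-client.jks pw> <ssl-keystore.jks pw> [<tomcat keystore> <pw>]
 * (passing passwords on the command line is for illustration only; they show up in ps.)
 */
public class KeystoreAudit {

    /** What one keystore contains, grouped by entry kind (assumed helper type). */
    public static final class Report {
        public final List<String> keyEntries = new ArrayList<String>();
        public final List<String> trustedCerts = new ArrayList<String>();
        public final List<String> notValidNow = new ArrayList<String>();
    }

    /** Load a JKS file and classify its entries. A wrong password makes load() throw. */
    public static Report inspect(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        Report r = new Report();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                r.keyEntries.add(alias);
            } else if (ks.isCertificateEntry(alias)) {
                r.trustedCerts.add(alias);
            }
            // For a key entry this is the leaf of its chain; for a trusted entry, the cert itself.
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                try {
                    ((X509Certificate) c).checkValidity();
                } catch (CertificateException ex) {   // expired or not yet valid
                    r.notValidNow.add(alias);
                }
            }
        }
        return r;
    }

    /**
     * Compare a report with what the notes require of that store.
     * needsKeyEntry is true for sec-client.jks and Tomcat's keystore, false for ssl-keystore.jks;
     * requiredKeyAlias is "tomcat" for the Tomcat keystore, or null when any alias will do.
     */
    public static List<String> check(Report r, boolean needsKeyEntry, String requiredKeyAlias) {
        List<String> problems = new ArrayList<String>();
        if (needsKeyEntry && r.keyEntries.isEmpty()) {
            problems.add("no keyEntry: nothing to sign with (or no server key for SSL)");
        }
        if (!needsKeyEntry && !r.keyEntries.isEmpty()) {
            problems.add("private key(s) " + r.keyEntries + " in a store that should be trust-only");
        }
        if (requiredKeyAlias != null && !r.keyEntries.contains(requiredKeyAlias)) {
            problems.add("expected keyEntry with alias '" + requiredKeyAlias + "' not found");
        }
        if (r.trustedCerts.isEmpty()) {
            problems.add("no trustedCertEntries: signatures / the SSL chain cannot be validated");
        }
        if (!r.notValidNow.isEmpty()) {
            problems.add("expired or not-yet-valid certificates: " + r.notValidNow);
        }
        return problems;
    }

    private static void report(String name, Report r, boolean needsKeyEntry, String alias) {
        System.out.println(name + ": keyEntries=" + r.keyEntries + " trustedCerts=" + r.trustedCerts);
        for (String p : check(r, needsKeyEntry, alias)) {
            System.out.println("  PROBLEM: " + p);
        }
    }

    public static void main(String[] args) throws Exception {
        String repo = args[0];
        // sec-client.jks: the signer's keyEntry plus the CA chain that issued its certificate.
        report("sec-client.jks", inspect(repo + "/sec-client.jks", args[1].toCharArray()), true, null);
        // ssl-keystore.jks: trust store only; this is the file KeyManagement points the JVM at.
        System.setProperty("javax.net.ssl.trustStore", repo + "/ssl-keystore.jks");
        report("ssl-keystore.jks", inspect(repo + "/ssl-keystore.jks", args[2].toCharArray()), false, null);
        if (args.length > 4) {
            // Tomcat's keystoreFile: server key under alias "tomcat" plus the issuers of that cert.
            report(args[3], inspect(args[3], args[4].toCharArray()), true, "tomcat");
            if ("changeit".equals(args[4])) {
                System.out.println("  PROBLEM: Tomcat keystore still uses the default password");
            }
        }
    }
}
```

    Run it against the repo directory that the ant tasks create; an empty problem list for each store means the file layout matches these notes. Note that inspect() only needs the keystore password, not the per-key password that PWCallback supplies, so it cannot confirm that PWCallback and sec-client.jks agree; a test signing through the client is still needed for that.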