WS-Security Encryption
chet
Posted: Wed Aug 18, 2010 7:15 pm    Post subject: WS-Security Encryption
Newbie
Joined: 11 Mar 2009    Posts: 2
I am trying to set up a PoC to display WS-Security in WMB 6.1 using third-party (CA) signed certificates. I had a look at the AddressBook sample extension for WS-Security and was successfully able to use Signatures; however, when I try to extend the sample for encryption, it fails.
The keystores for both the consumer (WS_C) and the provider (WMB) have been set up with the CA certificate as the signer. The truststore contains the CA certificate. I am encrypting the message from the consumer using the public key (i.e. the truststore, CA), but when the provider tries to decrypt it using its private key (keystore), it throws a fault message saying the certificate (CA) obtained from the message does not match the cert in the keystore (WMB).
The same set of certificates works well for HTTPS (using client auth) and for WS-Security using Signatures, so they seem to be fine.
Also, the encryption bit seems to work if I have the provider cert as signer in the consumer and vice versa, which can only indicate that the Policy Set and Bindings are correct.
Can the encryption work with third-party signed certs? Any help will be appreciated.
fjb_saper
Posted: Wed Aug 18, 2010 8:45 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
Looks like you're not using the right cert to encrypt.
Typically you encrypt with your private key and decrypt with the corresponding public key. Now you have to be careful as well about the SSL protocol.
The start is really nothing more than a key exchange where the key gets encrypted by the cert. Once the common keys have been exchanged they can be used for data encryption. In other words, you don't use the cert keys for encryption of the data; you use them to encrypt the data encryption keys... before the data exchange.
The cert verifies that you are who you say you are and validates the keys to be exchanged for data encryption usage. This is the way a web server would work with https... as far as I understand it...
It all depends on whether a client cert is required or not. If you are happy with one-way authentication, getting the public cert of the server is enough. You can then use the public key to encrypt the data.
If you need two-way authentication but the certs have not yet been exchanged (typical https), you need to first exchange the certs. However, you would either encrypt the data using the partner's public key, or you would use that to send the public encryption key to your partner... and encrypt using your private key...
As you can understand from the above, I have only a very superficial knowledge of all those intricacies. I suggest you avail yourself of some solid examples and check which of the protocols you need to go through, as well as how they are handled by default by the JSSE providers.
Most of this happens behind the scenes, and you should let the JSSE provider and the software do the heavy lifting for you. (That's why there is an implementation of SSLSockets and you don't have to write it.)
MQ & Broker admin
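As an added example, not code from this thread or from WMB, of the key-wrapping model fjb_saper describes and of the mismatch chet reports: a WS-Security encrypted message carries a per-message data key wrapped with RSA to the intended reader's public key (xenc:EncryptedKey) and the body encrypted under that data key, so the provider can only unwrap a key that was wrapped to its own certificate, not to the CA's. The keys are generated inline as constructed test material, and the names `Envelope`, `Seal`, `Open` and `Demo` are the example's own.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// Envelope: per-message AES data key wrapped (RSA-OAEP) to ONE certificate's
// public key (xenc:EncryptedKey) plus the body encrypted under that key.
type Envelope struct{ WrappedKey, Nonce, Body []byte }
// Seal wraps a fresh data key to the intended reader's public key; the
// certificate is never used to encrypt the body itself.
func Seal(readerPub *rsa.PublicKey, body []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey) // crypto/rand; only the wrap step below can fail
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, readerPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(dataKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, body, nil)}, nil
}
// Open unwraps the data key with the reader's private key, which only works
// when the key was wrapped to the matching public key.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("data key was not wrapped to this private key: %w", err)
	}
	block, _ := aes.NewCipher(dataKey)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Body, nil)
}
// Demo reproduces the thread's two cases with constructed keys: sealed to the
// provider's own key opens; sealed to the CA's key does not.
func Demo() (sealedToProviderOpens, sealedToCAOpens bool) {
	providerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	body := []byte("<Body>constructed sample</Body>")
	env, _ := Seal(&providerKey.PublicKey, body)
	_, err := Open(providerKey, env)
	sealedToProviderOpens = err == nil
	env, _ = Seal(&caKey.PublicKey, body)
	_, err = Open(providerKey, env)
	return sealedToProviderOpens, err == nil
}
```

The second case is the fault chet sees: the provider's private key cannot unwrap a key that the consumer wrapped to the CA certificate, so the message must be encrypted to the provider's own certificate.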