examples/samplekeys/HowToGenerateKeysREADME.html - cxf-fediz - Git at Google


 <html>
 <head/>
 <body>
 <p>The below lists the sample sample (<strong>non-production use!</strong>) self-signed keystores used in running the FEDIZ samples.
 Don't use the provided keystores in production--everyone has them!  At a minimum, regenerate new keys using the scripts (with different
 passwords) below.  These will be just self-signed keys however, for real production use having third-party signed CA keys
 is recommended.</p>

 <table border="1" bgcolor="#FFFFCC" align="center">
 <tr bgcolor="#FFCCCC">
 <th>Keystore (Password)</th><th>Key Alias (Password)</th><th>Location</th><th>Creation Script Used</th><th>Needs to trust</th><th>Is trusted by</th></tr>
 <tr><td colspan="6"><strong><em>Servlet Container Keystores:  The keys can be simply placed in the root folder of each Servlet Container installation.  They are used to configure SSL for the Servlet Container instances as described here for Tomcat: <a href="http://cxf.apache.org/fediz-tomcat.html">http://cxf.apache.org/fediz-tomcat.html</a>.  For Tomcat keys only, the keystore password and the private key password needs to be the same.</em></strong></tr>
 <tr><td>idp-ssl-key.jks (tompass)</td><td>mytomidpkey (tompass)</td><td>base folder of Tomcat instance holding the IDP and IDP STS</td>
     <td><code>keytool -genkeypair -validity 730 -alias mytomidpkey -keystore idp-ssl-server.jks -dname "cn=localhost" -keypass tompass -storepass tompass -keysize 2048 -keyalg RSA</code><br/><br/><code>keytool -keystore idp-ssl-server.jks -storepass tompass -export -alias mytomidpkey -file MyTCIDP.cer</code></td>
     <td>Nobody</td><td>Fediz IDP module<br/><br/>wsclientWebapp's webapp module<br/><br/>Browser</td></tr>
 <tr><td>rp-ssl-key.jks (tompass)</td><td>mytomrpkey (tompass)</td><td>base folder of Tomcat instance holding the relying party applications for both samples (simpleWebapp and wsclientWebapp); STS public cert NOT imported anymore - instead use ststrust.jks</td>
     <td><code>keytool -genkeypair -validity 730 -alias mytomrpkey -keystore rp-ssl-key.jks -dname "cn=localhost" -keypass tompass -storepass tompass -keysize 2048 -keyalg RSA
 </code><br/><br/><code>keytool -keystore rp-ssl-key.jks -storepass tompass -export -alias mytomrpkey -file MyTCRP.cer</code></td>
     <td>Nobody</td><td>Browser<br/><br/>IDP STS</td></tr>
 <tr><td>wsp-ssl-key.jks (tompass)</td><td>mytomwspkey (tompass)</td><td>base folder of Tomcat instance holding the web service provider in the second (wsClientWebapp) sample</td>
     <td><code>keytool -genkeypair -validity 730 -alias mytomwspkey -keystore wsp-ssl-key.jks -dname "cn=localhost" -keypass tompass -storepass tompass -keysize 2048 -keyalg RSA</code><br/><br/><code>keytool -keystore wsp-ssl-key.jks -storepass tompass -export -alias mytomwspkey -file MyTCWSP.cer</code></td>
     <td>Nobody</td><td>wsclientWebapp's webapp module</td></tr>
 <tr><td colspan="6"><strong><em>Service Keystores:  These Fediz services form the core of the product and can be used with both the sample webapps provided and of course your own web applications.</em></strong></tr>
 <tr><td>idp-ssl-trust.jks (ispass)</td><td>N/A (no key, just a truststore)</td><td>services/idp/src/main/resources/idp-ssl-trust.jks and base folder of Tomcat instance holding the IDP and IDP STS</td>
     <td><code>keytool -import -trustcacerts -keystore idp-ssl-trust.jks -storepass ispass -alias mytomidpkey -file MyTCIDP.cer -noprompt</code></td>
     <td>mytomidpkey (because of SSL call to IDP STS)</td><td>IDP STS</td></tr>
 <tr><td>stsrealm_a.jks (storepass)</td><td>realma (realma)</td><td>services/sts/src/main/resources/stsrealm_a.jks</td>
     <td><code>
 keytool -genkeypair -keyalg RSA -validity 3600 -alias realma -keystore stsrealm_a.jks -dname "cn=REALMA" -keypass realma -storepass storepass -keysize 2048<br/><br/>
 keytool -export -rfc -keystore stsrealm_a.jks -storepass storepass -alias realma -file realma.cert
 </code>
 </td>√
     <td>Nobody</td><td>By Relying Party (ststrust.jks)</td></tr>
 <tr><td>stsrealm_b.jks (storepass)</td><td>realmb (realmb)</td><td>services/sts/src/main/resources/stsrealm_b.jks</td>
     <td><code>
 keytool -genkeypair -keyalg RSA -validity 3600 -alias realmb -keystore stsrealm_b.jks -dname "cn=REALMB" -keypass realmb -storepass storepass -keysize 2048<br/><br/>
 keytool -export -rfc -keystore stsrealm_b.jks -storepass storepass -alias realmb -file realmb.cert
 </code>
 </td>
     <td>Nobody</td><td>By Relying Party (ststrust.jks)</td></tr>
 <tr><td>ststrust.jks (storepass)</td><td>N/A (no key, just a truststore)</td><td>examples/samplekeys/ststrust.jks<br/><br/>services/sts/src/main/resources/ststrust.jks</td>
     <td><code>
 keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias realma -file realma.cert -noprompt<br/><br/>
 keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias realmb -file realmb.cert -noprompt<br/><br/>
 keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias rpcert -file MyTCRP.cer -noprompt
 </code>
 </td>
     <td>Nobody</td><td>By Relying Party (Fediz configuration file)</td></tr>
 <tr><td colspan="6"><strong><em>Sample Keystores: No production value, just used for running the "wsclientWebapp" sample provided with Fediz.  (simpleWebapp has/uses no keys).</em></strong></tr>
 <tr><td>webappKeystore.jks (waspass)</td><td>N/A (no key, just a SSL truststore)</td><td>examples/wsclientWebapp/webapp/src/main/resources/webappKeystore.jks</td>
     <td><code>keytool -import -trustcacerts -keystore webappKeystore.jks -storepass waspass -alias mytomidpkey -file MyTCIDP.cer -noprompt<br/><br/>
 keytool -import -trustcacerts -keystore webappKeystore.jks -storepass waspass -alias mytomwspkey -file MyTCWSP.cer -noprompt
 </code></td>
     <td>mytomidpkey (to access IDP STS via HTTPS, mytomwspkey (to access web service via HTTPS)</td><td>Nobody</td></tr>
 </table>

	<html>
	<head/>
	<body>
	<p>The below lists the sample sample (<strong>non-production use!</strong>) self-signed keystores used in running the FEDIZ samples.
	Don't use the provided keystores in production--everyone has them! At a minimum, regenerate new keys using the scripts (with different
	passwords) below. These will be just self-signed keys however, for real production use having third-party signed CA keys
	is recommended.</p>

	<table border="1" bgcolor="#FFFFCC" align="center">
	<tr bgcolor="#FFCCCC">
	<th>Keystore (Password)</th><th>Key Alias (Password)</th><th>Location</th><th>Creation Script Used</th><th>Needs to trust</th><th>Is trusted by</th></tr>
	<tr><td colspan="6"><strong><em>Servlet Container Keystores: The keys can be simply placed in the root folder of each Servlet Container installation. They are used to configure SSL for the Servlet Container instances as described here for Tomcat: <a href="http://cxf.apache.org/fediz-tomcat.html">http://cxf.apache.org/fediz-tomcat.html</a>. For Tomcat keys only, the keystore password and the private key password needs to be the same.</em></strong></tr>
	<tr><td>idp-ssl-key.jks (tompass)</td><td>mytomidpkey (tompass)</td><td>base folder of Tomcat instance holding the IDP and IDP STS</td>
	<td><code>keytool -genkeypair -validity 730 -alias mytomidpkey -keystore idp-ssl-server.jks -dname "cn=localhost" -keypass tompass -storepass tompass -keysize 2048 -keyalg RSA</code><br/><br/><code>keytool -keystore idp-ssl-server.jks -storepass tompass -export -alias mytomidpkey -file MyTCIDP.cer</code></td>
	<td>Nobody</td><td>Fediz IDP module<br/><br/>wsclientWebapp's webapp module<br/><br/>Browser</td></tr>
	<tr><td>rp-ssl-key.jks (tompass)</td><td>mytomrpkey (tompass)</td><td>base folder of Tomcat instance holding the relying party applications for both samples (simpleWebapp and wsclientWebapp); STS public cert NOT imported anymore - instead use ststrust.jks</td>
	<td><code>keytool -genkeypair -validity 730 -alias mytomrpkey -keystore rp-ssl-key.jks -dname "cn=localhost" -keypass tompass -storepass tompass -keysize 2048 -keyalg RSA
	</code><br/><br/><code>keytool -keystore rp-ssl-key.jks -storepass tompass -export -alias mytomrpkey -file MyTCRP.cer</code></td>
	<td>Nobody</td><td>Browser<br/><br/>IDP STS</td></tr>
	<tr><td>wsp-ssl-key.jks (tompass)</td><td>mytomwspkey (tompass)</td><td>base folder of Tomcat instance holding the web service provider in the second (wsClientWebapp) sample</td>
	<td><code>keytool -genkeypair -validity 730 -alias mytomwspkey -keystore wsp-ssl-key.jks -dname "cn=localhost" -keypass tompass -storepass tompass -keysize 2048 -keyalg RSA</code><br/><br/><code>keytool -keystore wsp-ssl-key.jks -storepass tompass -export -alias mytomwspkey -file MyTCWSP.cer</code></td>
	<td>Nobody</td><td>wsclientWebapp's webapp module</td></tr>
	<tr><td colspan="6"><strong><em>Service Keystores: These Fediz services form the core of the product and can be used with both the sample webapps provided and of course your own web applications.</em></strong></tr>
	<tr><td>idp-ssl-trust.jks (ispass)</td><td>N/A (no key, just a truststore)</td><td>services/idp/src/main/resources/idp-ssl-trust.jks and base folder of Tomcat instance holding the IDP and IDP STS</td>
	<td><code>keytool -import -trustcacerts -keystore idp-ssl-trust.jks -storepass ispass -alias mytomidpkey -file MyTCIDP.cer -noprompt</code></td>
	<td>mytomidpkey (because of SSL call to IDP STS)</td><td>IDP STS</td></tr>
	<tr><td>stsrealm_a.jks (storepass)</td><td>realma (realma)</td><td>services/sts/src/main/resources/stsrealm_a.jks</td>
	<td><code>
	keytool -genkeypair -keyalg RSA -validity 3600 -alias realma -keystore stsrealm_a.jks -dname "cn=REALMA" -keypass realma -storepass storepass -keysize 2048<br/><br/>
	keytool -export -rfc -keystore stsrealm_a.jks -storepass storepass -alias realma -file realma.cert
	</code>
	</td>√
	<td>Nobody</td><td>By Relying Party (ststrust.jks)</td></tr>
	<tr><td>stsrealm_b.jks (storepass)</td><td>realmb (realmb)</td><td>services/sts/src/main/resources/stsrealm_b.jks</td>
	<td><code>
	keytool -genkeypair -keyalg RSA -validity 3600 -alias realmb -keystore stsrealm_b.jks -dname "cn=REALMB" -keypass realmb -storepass storepass -keysize 2048<br/><br/>
	keytool -export -rfc -keystore stsrealm_b.jks -storepass storepass -alias realmb -file realmb.cert
	</code>
	</td>
	<td>Nobody</td><td>By Relying Party (ststrust.jks)</td></tr>
	<tr><td>ststrust.jks (storepass)</td><td>N/A (no key, just a truststore)</td><td>examples/samplekeys/ststrust.jks<br/><br/>services/sts/src/main/resources/ststrust.jks</td>
	<td><code>
	keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias realma -file realma.cert -noprompt<br/><br/>
	keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias realmb -file realmb.cert -noprompt<br/><br/>
	keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias rpcert -file MyTCRP.cer -noprompt
	</code>
	</td>
	<td>Nobody</td><td>By Relying Party (Fediz configuration file)</td></tr>
	<tr><td colspan="6"><strong><em>Sample Keystores: No production value, just used for running the "wsclientWebapp" sample provided with Fediz. (simpleWebapp has/uses no keys).</em></strong></tr>
	<tr><td>webappKeystore.jks (waspass)</td><td>N/A (no key, just a SSL truststore)</td><td>examples/wsclientWebapp/webapp/src/main/resources/webappKeystore.jks</td>
	<td><code>keytool -import -trustcacerts -keystore webappKeystore.jks -storepass waspass -alias mytomidpkey -file MyTCIDP.cer -noprompt<br/><br/>
	keytool -import -trustcacerts -keystore webappKeystore.jks -storepass waspass -alias mytomwspkey -file MyTCWSP.cer -noprompt
	</code></td>
	<td>mytomidpkey (to access IDP STS via HTTPS, mytomwspkey (to access web service via HTTPS)</td><td>Nobody</td></tr>
	</table>