| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" |
| "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> |
| <html xmlns="http://www.w3.org/1999/xhtml"> |
| <head> |
| </head> |
| <body> |
| <h1>Apache Rampart - Configuration Guide</h1> |
| <h2>Rampart Configurations</h2> |
| <p>RampartConfig element can have any of the following child elements. Schema is available <a href="rampart-config.xsd">here</a></p> |
| <table class="bodyTable"><tbody> |
| <tr class="a"><td><b>Parameter</b></td><td><b>Description</b></td><td><b>Example</b></td></tr> |
| |
| <tr class="b"><td>user</td><td>The user's name</td><td>Set username of UsernameToken to be used <br></br> |
| <user> bob</user></td></tr> |
| <tr class="a"><td>userCertAlias</td><td>The user's cert alias</td><td>Set alias of the key to be used to sign<br></br> |
| <userCertAlias> bob</userCertAlias></td></tr> |
| <tr class="b"><td>encryptionUser</td><td>The user's name for encryption.</td><td> |
| <encryptionUser>alice</encryptionUser></td></tr> |
| <tr class="a"><td>passwordCallbackClass</td><td>Callback class used to provide the password required to create the |
| UsernameToken or to sign the message</td><td> |
| <pre> |
| <passwordCallbackClass> |
| org.apache.axis2.security.PWCallback |
| </passwordCallbackClass> |
| </pre></td></tr> |
| <tr class="b"><td>policyValidatorCbClass</td><td>Callback class used to provide custom validater </td><td> |
| <pre> |
| <policyValidatorCbClass> |
| org.apache.axis2.security.CustomPolicyValidater |
| </policyValidatorCbClass> |
| </pre></td></tr> |
| <tr class="a"><td>signatureCrypto</td><td>properties to needed perform signature, such as crypto |
| provider, keystore and its password</td><td> |
| <pre> |
| <signatureCrypto> |
| <crypto provider="org.apache.ws.security.components.crypto.Merlin"> |
| <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property> |
| <property name="org.apache.ws.security.crypto.merlin.file">client.jks</property> |
| <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property> |
| </crypto> |
| <signatureCrypto> |
| </pre> |
| </td></tr> |
| <tr class="b"><td>encryptionCypto</td><td>properties to needed perform signature, such as crypto |
| provider, keystore and its password</td><td> |
| <pre> |
| <encryptionCypto> |
| ....crypto element ...... |
| </encryptionCypto> |
| </pre></td></tr> |
| <tr class="a"><td>decryptionCrypto</td><td>properties to needed perform signature, such as crypto |
| provider, keystore and its password</td><td> |
| <pre> |
| <decryptionCrypto> |
| ....crypto element ...... |
| </decryptionCrypto></pre></td></tr> |
| <tr class="b"><td>timestampTTL</td><td>Time to live of Timestamp</td><td>The default timestamp time to live is 300 seconds</td></tr> |
| <tr class="a"><td>timestampMaxSkew</td><td>The maximum tolerence limit for timeskew of the timestamp</td><td>Rampart allows timestamps created slightly ahead of the reciever's time.<br/> This parameter allows to specify the tolerence limit</td></tr> |
| <tr class="b"><td>timestampPrecisionInMilliseconds</td><td> Whether the timestamps precision should be milliseconds </td><td>When this value is set false, generated timestamps doesn't contain milliseconds </td></tr> |
| <tr class="a"><td>optimizeParts</td><td></td><td></td></tr> |
| <tr class="b"><td>tokenStoreClass</td><td></td><td></td></tr> |
| <tr class="a"><td>sslConfig</td><td>SSL Configuration need for Transportbinding</td><td>Can specify the properties such as "javax.net.ssl.trustStore" and "javax.net.ssl.trustStorePassword". Please see below for more information.</td></tr> |
| </tbody></table> |
| <br></br> |
| <h3>Crypto Provider</h3> |
| <p>org.apache.ws.security.crypto.provider defines the implementation of |
| the org.apache.ws.security.components.crypto.Crypto interface to provide the |
| crypto information required by WSS4J. The other properties defined are the |
| configuration properties used by the implementation class |
| (org.apache.ws.security.components.crypto.Merlin). |
| <br></br> |
| <a name="ref"></a> |
| <a name="references"></a> |
| </p> |
| <a name="References"></a> |
| <h3>Crypto Caching</h3> |
| <p>Enabling caching of crypto objects will improve the performance of security processing. |
| After |
| enabling crypto caching, the crypto objects will be read from a cache instead of |
| constructing them by reading the keystore files. |
| </p> |
| <p>To enable caching of Crypto objects, two attributes should be added to the crypto elements |
| of signatureCrypto/encryptionCrypto of RampartConfig. |
| </p> |
| <ol> |
| <li xmlns="http://www.w3.org/1999/xhtml" xml:space="preserve"> |
| <b>cryptoKey</b> - <p>As the value of this attribute, specify the property of a Crypto |
| implementation which points to the location of the keystore. For example in |
| Merlin, the |
| property "org.apache.ws.security.crypto.merlin.file" is unique and its pointing to |
| the |
| location of the keystore. Absence of this attribute will not enable caching.</p> |
| </li> |
| <li xmlns="http://www.w3.org/1999/xhtml" xml:space="preserve"> |
| <b>cacheRefreshInterval</b> - <p>This is the cache refresh interval specified in |
| milliseconds. Any |
| object that resides in the cache longer than this period will be considered as |
| expired. |
| Cache will not be refreshed if this attribute is not present in the configuration. |
| If you |
| do not want to refresh the cache, provide only the "cryptoKey" attribute.</p> |
| </li> |
| </ol> |
| <p> |
| A sample configuration is provided below. It uses the Merlin crypto implementation for |
| signing and encryption. Here, the value of the cryptoKey attribute is eqaul to |
| "org.apache.ws.security.crypto.merlin.file" and the cache refresh interval is 300000 |
| milliseconds. |
| </p> |
| <pre xmlns="http://www.w3.org/1999/xhtml" xml:space="preserve"> |
| <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy";> |
| <ramp:signatureCrypto> |
| <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin" cryptoKey="org.apache.ws.security.crypto.merlin.file" cacheRefreshInterval="300000"> |
| <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> |
| <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property> |
| <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">servicePW</ramp:property> |
| </ramp:crypto> |
| </ramp:signatureCrypto> |
| <ramp:encryptionCypto> |
| <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin" cryptoKey="org.apache.ws.security.crypto.merlin.file" cacheRefreshInterval="300000> |
| <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> |
| <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property> |
| <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property> |
| </ramp:crypto> |
| </ramp:encryptionCypto> |
| </ramp:RampartConfig> |
| </pre> |
| <p>Crypto caching is enabled by default when Merlin is used as the crypto provider. So Rampart will cache the crypto objects |
| with an infinite cache refresh interval. This crypto refresh interval can be overridden by setting the cacheRefreshInterval parameter |
| as described above. If it is required to disable crypto caching when Merlin is used, set the 'enableCryptoCaching' parameter |
| value to 'false'. Please refer to the following example. |
| </p> |
| <pre xmlns="http://www.w3.org/1999/xhtml" xml:space="preserve"> |
| <ramp:signatureCrypto> |
| <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin" enableCryptoCaching="false"> |
| <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> |
| <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property> |
| <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">servicePW</ramp:property> |
| </ramp:crypto> |
| </ramp:signatureCrypto> |
| </pre> |
| <br></br> |
| <h3>References</h3>1. |
| <a href="http://ws.apache.org/wss4j">Apache WSS4J -Home</a> |
| </body> |
| </html> |