<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 30 Jul 2017
| Rendered using Apache Maven Fluido Skin 1.4
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20170730" />
<meta http-equiv="Content-Language" content="en" />
<title>Apache Rampart &#x2013; Configuration Guide</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.4.min.css" />
<link rel="stylesheet" href="./css/site.css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script type="text/javascript" src="./js/apache-maven-fluido-1.4.min.js"></script>
</head>
<body class="topBarDisabled">
<div class="container-fluid">
<div id="banner">
<div class="pull-left">
<div id="bannerLeft">
<img src="images/apache-rampart-logo.jpg" />
</div>
</div>
<div class="pull-right"> <a href="http://www.apache.org" id="bannerRight">
<img src="http://www.apache.org/images/asf_logo_wide.png" />
</a>
</div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li id="publishDate">Last Published: 30 Jul 2017
<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.7.1
</li>
<li class="pull-right">
<a href="../core/" title="Apache Axis2/Java">
Apache Axis2/Java</a>
</li>
</ul>
</div>
<div class="row-fluid">
<div id="bodyColumn" class="span10" >
<html xmlns="http://www.w3.org/1999/xhtml">
<h1>Apache Rampart - Configuration Guide</h1>
<div class="section">
<h2><a name="Rampart_Configurations"></a>Rampart Configurations</h2>
<p>The RampartConfig element can have any of the following child elements. The schema is available <a href="rampart-config.xsd">here</a>.</p>
<table border="0" class="table table-striped"><tbody>
<tr class="a">
<td><b>Parameter</b></td>
<td><b>Description</b></td>
<td><b>Example</b></td></tr>
<tr class="b">
<td>user</td>
<td>The user's name</td>
<td>Sets the username of the UsernameToken to be used<br />
&lt;user&gt;bob&lt;/user&gt;</td></tr>
<tr class="a">
<td>userCertAlias</td>
<td>The user's cert alias</td>
<td>Sets the alias of the key to be used to sign<br />
&lt;userCertAlias&gt;bob&lt;/userCertAlias&gt;</td></tr>
<tr class="b">
<td>encryptionUser</td>
<td>The user's name for encryption.</td>
<td>
&lt;encryptionUser&gt;alice&lt;/encryptionUser&gt;</td></tr>
<tr class="a">
<td>passwordCallbackClass</td>
<td>Callback class used to provide the password required to create the
UsernameToken or to sign the message</td>
<td>
<div>
<pre>
&lt;passwordCallbackClass&gt;
org.apache.axis2.security.PWCallback
&lt;/passwordCallbackClass&gt;
</pre></div></td></tr>
<tr class="b">
<td>policyValidatorCbClass</td>
<td>Callback class used to provide a custom policy validator</td>
<td>
<div>
<pre>
&lt;policyValidatorCbClass&gt;
org.apache.axis2.security.CustomPolicyValidater
&lt;/policyValidatorCbClass&gt;
</pre></div></td></tr>
<tr class="a">
<td>signatureCrypto</td>
<td>Properties needed to perform signing, such as the crypto
provider, the keystore and its password</td>
<td>
<div>
<pre>
&lt;signatureCrypto&gt;
&lt;crypto provider=&quot;org.apache.ws.security.components.crypto.Merlin&quot;&gt;
&lt;property name=&quot;org.apache.ws.security.crypto.merlin.keystore.type&quot;&gt;JKS&lt;/property&gt;
&lt;property name=&quot;org.apache.ws.security.crypto.merlin.file&quot;&gt;client.jks&lt;/property&gt;
&lt;property name=&quot;org.apache.ws.security.crypto.merlin.keystore.password&quot;&gt;apache&lt;/property&gt;
&lt;/crypto&gt;
&lt;/signatureCrypto&gt;
</pre></div>
</td></tr>
<tr class="b">
<td>encryptionCrypto</td>
<td>Properties needed to perform encryption, such as the crypto
provider, the keystore and its password</td>
<td>
<div>
<pre>
&lt;encryptionCrypto&gt;
....crypto element ......
&lt;/encryptionCrypto&gt;
</pre></div></td></tr>
<tr class="a">
<td>decryptionCrypto</td>
<td>Properties needed to perform decryption, such as the crypto
provider, the keystore and its password</td>
<td>
<div>
<pre>
&lt;decryptionCrypto&gt;
....crypto element ......
&lt;/decryptionCrypto&gt;</pre></div></td></tr>
<tr class="b">
<td>timestampTTL</td>
<td>Time to live of the Timestamp, in seconds</td>
<td>The default timestamp time to live is 300 seconds</td></tr>
<tr class="a">
<td>timestampMaxSkew</td>
<td>The maximum tolerance limit for time skew of the timestamp</td>
<td>Rampart allows timestamps created slightly ahead of the receiver's time.<br /> This parameter specifies the tolerance limit</td></tr>
<tr class="b">
<td>timestampPrecisionInMilliseconds</td>
<td>Whether the timestamp precision should be milliseconds</td>
<td>When this value is set to false, generated timestamps do not contain milliseconds</td></tr>
<tr class="a">
<td>optimizeParts</td>
<td></td>
<td></td></tr>
<tr class="b">
<td>tokenStoreClass</td>
<td></td>
<td></td></tr>
<tr class="a">
<td>sslConfig</td>
<td>SSL configuration needed for the transport binding</td>
<td>Can specify properties such as &quot;javax.net.ssl.trustStore&quot; and &quot;javax.net.ssl.trustStorePassword&quot;. Please see below for more information.</td></tr>
</tbody></table>
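<p>As an added illustration of the passwordCallbackClass parameter (example code, not the org.apache.axis2.security.PWCallback class named above nor any other Rampart code), the handler below supplies passwords from an injected store instead of hard-coding them. It is written against the WSS4J 1.6 API that Rampart 1.7.x builds on (org.apache.ws.security.WSPasswordCallback); the class name StorePasswordCallback, the PasswordStore interface and the sample credential are assumptions. Under that API the handler only supplies the password for the identifier WSS4J asks about; WSS4J performs the UsernameToken comparison itself, so the handler never has to compare or log secrets.</p>

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Example passwordCallbackClass (added example, not Rampart project code).
 * Referenced from RampartConfig as
 *   <passwordCallbackClass>com.example.StorePasswordCallback</passwordCallbackClass>
 * Rampart creates the class reflectively, so a public no-arg constructor is required.
 */
public class StorePasswordCallback implements CallbackHandler {

    /** Assumed abstraction over the real secret source (vault, JCEKS keystore, ...). */
    public interface PasswordStore {
        /** Returns the password for the identifier and usage, or null when unknown. */
        char[] lookup(String identifier, int usage);
    }

    /** Store used by the no-arg constructor; the application sets it once at startup. */
    private static volatile PasswordStore defaultStore;

    public static void setDefaultStore(PasswordStore store) { defaultStore = store; }

    private final PasswordStore store;

    public StorePasswordCallback() { this(defaultStore); }

    public StorePasswordCallback(PasswordStore store) {
        if (store == null) throw new IllegalStateException("no PasswordStore configured");
        this.store = store;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            int usage = pwcb.getUsage();
            switch (usage) {
                case WSPasswordCallback.USERNAME_TOKEN: // <user> when sending; the token's username when receiving
                case WSPasswordCallback.SIGNATURE:      // private-key password for the <userCertAlias> key
                case WSPasswordCallback.DECRYPT:        // private-key password for the decryption key
                    break;
                default:
                    // Other usages (custom tokens, secret keys) are deliberately not served here.
                    throw new UnsupportedCallbackException(cb, "unsupported usage " + usage);
            }
            char[] password = store.lookup(pwcb.getIdentifier(), usage);
            if (password == null) {
                // Unknown identifier: fail without echoing the identifier or any secret into logs.
                throw new IOException("no credential available for the requested identifier");
            }
            pwcb.setPassword(new String(password));
            Arrays.fill(password, '\0'); // clear our copy; WSS4J keeps the String it was given
        }
    }

    /** In-memory store for the demo below (constructed sample credentials, not real ones). */
    public static final class MapPasswordStore implements PasswordStore {
        private final Map<String, char[]> byIdentifier = new HashMap<String, char[]>();

        public MapPasswordStore put(String identifier, String password) {
            byIdentifier.put(identifier, password.toCharArray());
            return this;
        }

        @Override
        public char[] lookup(String identifier, int usage) {
            char[] pw = byIdentifier.get(identifier);
            return pw == null ? null : pw.clone();
        }
    }

    /** Simulates the calls WSS4J makes for <user>bob</user> and for an alias the store does not know. */
    public static void main(String[] args) throws Exception {
        setDefaultStore(new MapPasswordStore().put("bob", "constructed-sample-password"));
        CallbackHandler handler = new StorePasswordCallback();

        WSPasswordCallback ut = new WSPasswordCallback("bob", WSPasswordCallback.USERNAME_TOKEN);
        handler.handle(new Callback[] { ut });
        System.out.println("UsernameToken password supplied: " + (ut.getPassword() != null));

        WSPasswordCallback unknown = new WSPasswordCallback("mallory", WSPasswordCallback.SIGNATURE);
        try {
            handler.handle(new Callback[] { unknown });
        } catch (IOException rejected) {
            System.out.println("unknown alias rejected: " + rejected.getMessage());
        }
    }
}
```

<p>Rampart instantiates the configured class reflectively, which is why the example keeps a public no-arg constructor and a static default store that the application sets once at start-up. Refusing usages the handler was not written for, and failing on unknown identifiers without echoing them, keeps a misconfigured policy from silently falling back to an unintended credential.</p>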
<br />
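<p>The three timestamp parameters in the table interact in a way the short descriptions only hint at: timestampTTL fixes how long a generated Timestamp stays valid, timestampMaxSkew is the receiver's tolerance for clocks that disagree, and timestampPrecisionInMilliseconds decides whether Created and Expires carry milliseconds. The class below is an added example that models those rules; it is not Rampart's validator, and applying the tolerance symmetrically to both Created and Expires is this example's reading of the guide. The class and method names and the sample instants are assumptions.</p>

```java
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;

/**
 * Added example (not Rampart code) of the rules behind timestampTTL,
 * timestampMaxSkew and timestampPrecisionInMilliseconds.
 */
public final class TimestampRules {

    /** The guide's default for timestampTTL, in seconds. */
    public static final int DEFAULT_TTL_SECONDS = 300;

    /** The two instants carried by a wsu:Timestamp. */
    public static final class Timestamp {
        public final Instant created;
        public final Instant expires;

        public Timestamp(Instant created, Instant expires) {
            this.created = created;
            this.expires = expires;
        }
    }

    /**
     * Sender side: Created = now, Expires = Created + timestampTTL.
     * With timestampPrecisionInMilliseconds=false both instants are cut to whole seconds.
     */
    public static Timestamp create(Instant now, int ttlSeconds, boolean precisionInMillis) {
        if (ttlSeconds <= 0) {
            throw new IllegalArgumentException("timestampTTL must be a positive number of seconds");
        }
        Instant created = now.truncatedTo(precisionInMillis ? ChronoUnit.MILLIS : ChronoUnit.SECONDS);
        return new Timestamp(created, created.plusSeconds(ttlSeconds));
    }

    /**
     * Receiver side. Returns null when the timestamp is acceptable, otherwise the reason.
     * timestampMaxSkew is applied in both directions: a Created slightly ahead of this
     * clock and an Expires slightly behind it are tolerated (assumed symmetric tolerance).
     */
    public static String rejectionReason(Timestamp ts, Instant now, int maxSkewSeconds) {
        if (maxSkewSeconds < 0) {
            throw new IllegalArgumentException("timestampMaxSkew must not be negative");
        }
        Duration skew = Duration.ofSeconds(maxSkewSeconds);
        if (ts.created == null) {
            return "Created is missing";
        }
        if (ts.created.isAfter(now.plus(skew))) {
            return "Created is more than " + maxSkewSeconds + "s ahead of the receiver's clock";
        }
        if (ts.expires != null) {
            if (!ts.expires.isAfter(ts.created)) {
                return "Expires is not after Created";
            }
            if (ts.expires.isBefore(now.minus(skew))) {
                return "Expires is more than " + maxSkewSeconds + "s in the past";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed instants; precision=false, so the generated Created carries no milliseconds.
        Instant senderNow = Instant.parse("2017-07-30T10:00:00.123Z");
        Timestamp ts = create(senderNow, DEFAULT_TTL_SECONDS, false);
        System.out.println("Created=" + ts.created + " Expires=" + ts.expires);

        // A receiver whose clock runs 8 s behind the sender, checked with a 5 s and then a 10 s tolerance.
        Instant receiverNow = senderNow.minusSeconds(8);
        System.out.println("lagging clock, skew 5s : " + rejectionReason(ts, receiverNow, 5));
        System.out.println("lagging clock, skew 10s: " + rejectionReason(ts, receiverNow, 10));

        // The same message presented 302 s after creation, i.e. 2 s past its TTL, with and without tolerance.
        Instant late = senderNow.plusSeconds(302);
        System.out.println("late, skew 0s: " + rejectionReason(ts, late, 0));
        System.out.println("late, skew 5s: " + rejectionReason(ts, late, 5));
    }
}
```

<p>Running main walks through the two failure modes a deployment actually meets: a receiver whose clock lags the sender sees Created in the future and rejects the message until the tolerance covers the drift, and a message presented after its TTL is rejected unless the tolerance extends it. Keep timestampMaxSkew small and fix clock synchronisation instead of widening it, since every second of tolerance also lengthens the window in which a captured message remains acceptable.</p>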
<div class="section">
<h3><a name="Crypto_Provider"></a>Crypto Provider</h3>
<p>org.apache.ws.security.crypto.provider defines the implementation of
the org.apache.ws.security.components.crypto.Crypto interface that provides the
crypto information required by WSS4J. The other properties are the
configuration properties used by the implementation class
(org.apache.ws.security.components.crypto.Merlin).
</p>
</div>
<div class="section">
<h3><a name="Crypto_Caching"></a>Crypto Caching</h3>
<p>Enabling caching of crypto objects will improve the performance of security processing.
After
enabling crypto caching, the crypto objects will be read from a cache instead of
constructing them by reading the keystore files.
</p>
<p>To enable caching of Crypto objects, two attributes should be added to the crypto elements
of signatureCrypto/encryptionCrypto of RampartConfig.
</p>
<ol style="list-style-type: decimal">
<li>
<b>cryptoKey</b> -
<p>As the value of this attribute, specify the property of the Crypto
implementation that points to the location of the keystore. For example, in
Merlin the property &quot;org.apache.ws.security.crypto.merlin.file&quot; is unique and
points to the location of the keystore. If this attribute is absent, caching is not enabled.</p>
</li>
<li>
<b>cacheRefreshInterval</b> -
<p>The cache refresh interval, specified in milliseconds. Any
object that has resided in the cache longer than this period is considered
expired. The cache is not refreshed if this attribute is absent from the configuration;
if you do not want to refresh the cache, provide only the &quot;cryptoKey&quot; attribute.</p>
</li>
</ol>
<p>
A sample configuration is provided below. It uses the Merlin crypto implementation for
signing and encryption. Here, the value of the cryptoKey attribute is equal to
&quot;org.apache.ws.security.crypto.merlin.file&quot; and the cache refresh interval is 300000
milliseconds.
</p>
<div>
<pre>
&lt;ramp:RampartConfig xmlns:ramp=&quot;http://ws.apache.org/rampart/policy&quot;&gt;
&lt;ramp:signatureCrypto&gt;
&lt;ramp:crypto provider=&quot;org.apache.ws.security.components.crypto.Merlin&quot; cryptoKey=&quot;org.apache.ws.security.crypto.merlin.file&quot; cacheRefreshInterval=&quot;300000&quot;&gt;
&lt;ramp:property name=&quot;org.apache.ws.security.crypto.merlin.keystore.type&quot;&gt;JKS&lt;/ramp:property&gt;
&lt;ramp:property name=&quot;org.apache.ws.security.crypto.merlin.file&quot;&gt;service.jks&lt;/ramp:property&gt;
&lt;ramp:property name=&quot;org.apache.ws.security.crypto.merlin.keystore.password&quot;&gt;servicePW&lt;/ramp:property&gt;
&lt;/ramp:crypto&gt;
&lt;/ramp:signatureCrypto&gt;
&lt;ramp:encryptionCrypto&gt;
&lt;ramp:crypto provider=&quot;org.apache.ws.security.components.crypto.Merlin&quot; cryptoKey=&quot;org.apache.ws.security.crypto.merlin.file&quot; cacheRefreshInterval=&quot;300000&quot;&gt;
&lt;ramp:property name=&quot;org.apache.ws.security.crypto.merlin.keystore.type&quot;&gt;JKS&lt;/ramp:property&gt;
&lt;ramp:property name=&quot;org.apache.ws.security.crypto.merlin.file&quot;&gt;service.jks&lt;/ramp:property&gt;
&lt;ramp:property name=&quot;org.apache.ws.security.crypto.merlin.keystore.password&quot;&gt;apache&lt;/ramp:property&gt;
&lt;/ramp:crypto&gt;
&lt;/ramp:encryptionCrypto&gt;
&lt;/ramp:RampartConfig&gt;
</pre></div>
<p>Crypto caching is enabled by default when Merlin is used as the crypto provider. So Rampart will cache the crypto objects
with an infinite cache refresh interval. This crypto refresh interval can be overridden by setting the cacheRefreshInterval parameter
as described above. If it is required to disable crypto caching when Merlin is used, set the 'enableCryptoCaching' parameter
value to 'false'. Please refer to the following example.
</p>
<div>
<pre>
&lt;ramp:signatureCrypto&gt;
&lt;ramp:crypto provider=&quot;org.apache.ws.security.components.crypto.Merlin&quot; enableCryptoCaching=&quot;false&quot;&gt;
&lt;ramp:property name=&quot;org.apache.ws.security.crypto.merlin.keystore.type&quot;&gt;JKS&lt;/ramp:property&gt;
&lt;ramp:property name=&quot;org.apache.ws.security.crypto.merlin.file&quot;&gt;service.jks&lt;/ramp:property&gt;
&lt;ramp:property name=&quot;org.apache.ws.security.crypto.merlin.keystore.password&quot;&gt;servicePW&lt;/ramp:property&gt;
&lt;/ramp:crypto&gt;
&lt;/ramp:signatureCrypto&gt;
</pre></div>
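<p>Because the caching controls are plain XML attributes, a misspelled holder element or a cryptoKey that names a property the crypto element does not declare is accepted without complaint. The class below is an added example (not part of Rampart) that lints those attributes against the rules described in this section; the class name CryptoCachingLint and the constructed sample configuration, which carries two deliberate mistakes, are assumptions.</p>

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Added example, not Rampart code: checks the crypto caching attributes in a RampartConfig. */
public final class CryptoCachingLint {

    static final String RAMP_NS = "http://ws.apache.org/rampart/policy";
    static final Set<String> CRYPTO_HOLDERS = new HashSet<String>(
            Arrays.asList("signatureCrypto", "encryptionCrypto", "decryptionCrypto"));

    public static List<String> lint(String rampartConfigXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Parse configuration without DTDs or external entities, even though it is trusted input.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder builder = f.newDocumentBuilder();
        Document doc = builder.parse(
                new ByteArrayInputStream(rampartConfigXml.getBytes(StandardCharsets.UTF_8)));

        List<String> findings = new ArrayList<String>();
        NodeList cryptos = doc.getElementsByTagNameNS(RAMP_NS, "crypto");
        for (int i = 0; i < cryptos.getLength(); i++) {
            Element crypto = (Element) cryptos.item(i);
            Node parent = crypto.getParentNode();
            String holder = parent.getLocalName();
            if (!CRYPTO_HOLDERS.contains(holder)) {
                findings.add("<" + parent.getNodeName() + ">: not one of the RampartConfig crypto elements "
                        + CRYPTO_HOLDERS + " (probably a misspelled element name)");
            }
            // Collect the <property name="..."> entries declared inside this crypto element.
            Set<String> propertyNames = new HashSet<String>();
            NodeList props = crypto.getElementsByTagNameNS(RAMP_NS, "property");
            for (int j = 0; j < props.getLength(); j++) {
                propertyNames.add(((Element) props.item(j)).getAttribute("name"));
            }
            // DOM returns "" for an absent attribute.
            String cryptoKey = crypto.getAttribute("cryptoKey");
            String interval = crypto.getAttribute("cacheRefreshInterval");
            String enable = crypto.getAttribute("enableCryptoCaching");

            if (!cryptoKey.isEmpty() && !propertyNames.contains(cryptoKey)) {
                findings.add(holder + ": cryptoKey '" + cryptoKey + "' names no <property> of this crypto element");
            }
            if (!interval.isEmpty()) {
                try {
                    if (Long.parseLong(interval) <= 0) {
                        findings.add(holder + ": cacheRefreshInterval must be a positive number of milliseconds");
                    }
                } catch (NumberFormatException e) {
                    findings.add(holder + ": cacheRefreshInterval '" + interval + "' is not a number");
                }
                if (cryptoKey.isEmpty()) {
                    findings.add(holder + ": cacheRefreshInterval is set but cryptoKey is absent");
                }
            }
            if (!enable.isEmpty() && !enable.equals("true") && !enable.equals("false")) {
                findings.add(holder + ": enableCryptoCaching must be 'true' or 'false'");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample based on the guide's caching configuration, with two deliberate mistakes:
        // a misspelled holder element and a cryptoKey naming a property that is not declared.
        // The keystore password property is left out of the sample on purpose.
        String sample = "<ramp:RampartConfig xmlns:ramp=\"" + RAMP_NS + "\">"
                + "<ramp:signatureCrypto>"
                + "<ramp:crypto provider=\"org.apache.ws.security.components.crypto.Merlin\""
                + " cryptoKey=\"org.apache.ws.security.crypto.merlin.file\" cacheRefreshInterval=\"300000\">"
                + "<ramp:property name=\"org.apache.ws.security.crypto.merlin.keystore.type\">JKS</ramp:property>"
                + "<ramp:property name=\"org.apache.ws.security.crypto.merlin.file\">service.jks</ramp:property>"
                + "</ramp:crypto></ramp:signatureCrypto>"
                + "<ramp:encryptionCypto>"
                + "<ramp:crypto provider=\"org.apache.ws.security.components.crypto.Merlin\""
                + " cryptoKey=\"org.apache.ws.security.crypto.merlin.keystore.file\" cacheRefreshInterval=\"300000\">"
                + "<ramp:property name=\"org.apache.ws.security.crypto.merlin.file\">service.jks</ramp:property>"
                + "</ramp:crypto></ramp:encryptionCypto>"
                + "</ramp:RampartConfig>";
        for (String finding : lint(sample)) {
            System.out.println(finding);
        }
    }
}
```

<p>The lint only looks at namespace-qualified crypto elements in the form the samples in this section use, and it parses with DTDs and external entities disabled. Running it as part of the build that packages the service configuration makes a malformed or misspelled RampartConfig fail early instead of being discovered when security processing behaves unexpectedly at deployment.</p>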
<br />
</div>
<div class="section">
<h3><a name="References"></a>References</h3>
<ol style="list-style-type: decimal">
<li><a class="externalLink" href="http://ws.apache.org/wss4j">Apache WSS4J - Home</a></li>
</ol>
</div>
</html>
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p >Copyright &copy; 2005&#x2013;2017
<a href="http://www.apache.org">Apache Software Foundation</a>.
All rights reserved.
</p>
</div>
</div>
</footer>
</body>
</html>