<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<html>
<head>
<link type="text/css" rel="stylesheet" href="/resources/site.css">
<script src='/resources/space.js'></script>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source">
<meta name="description" content="Apache CXF, Services Framework - XML Key Management Service (XKMS)">
<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css">
<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
<script src='/resources/highlighter/scripts/shCore.js'></script>
<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
<script>
SyntaxHighlighter.defaults['toolbar'] = false;
SyntaxHighlighter.all();
</script>
<title>
Apache CXF -- XML Key Management Service (XKMS)
</title>
</head>
<body onload="init()">
<div class="wiki-content">
<div id="ConfluenceContent"><h1 id="XMLKeyManagementService(XKMS)-XMLKeyManagementService(XKMS)">XML Key Management Service (XKMS)</h1><p>Available since CXF 2.7.7.</p><h2 id="XMLKeyManagementService(XKMS)-Usecase">Use case</h2><p>CXF uses asymmetric algorithms for different purposes: encryption of symmetric keys and payloads, signing security tokens and messages, proof of possession, etc.<br clear="none"> Normally the public keys (in the form of X509 certificates) are stored in java keystores.</p><p>For example, if the sender encrypts the message payload sending to the receiver, he should have access to the receiver certificate saved in the local keystore. <br clear="none"> The sender uses this certificate for message encryption and receiver decrypts the request with the corresponding private key:</p><p><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image" src="xml-key-management-service-xkms.data/classic-message-encryption.jpg"></span></p><p>Seems to be OK? Imagine now that you have a production environment with 100 different clients of this service and the service certificate is expired. You should reissue and replace the certificate in ALL client keystores! Even more, if keystores are packaged into war files or OSGi bundles &#8211; they should be unpackaged and updated. Not really acceptable for enterprise environments.</p><p>Therefore large service landscapes support central certificates management. It means that X509 certificates are not stored locally in keystores, but are provided and administrated centrally.</p><p>Normally it is a responsibility of <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/Public-key_infrastructure" rel="nofollow">Public Key Infrastructure</a> (PKI) established in the organization. 
PKI is responsible to create, manage, store, distribute, synchronize and revoke public certificates and certification authorities (CAs).</p><h2 id="XMLKeyManagementService(XKMS)-XKMSSpecification">XKMS Specification</h2><p>W3C specifies a protocol to distribute and register public keys, certificates and CAs that can be used for XML-based cryptography, including signature and encryption: <a shape="rect" class="external-link" href="http://www.w3.org/TR/xkms2/" rel="nofollow">XML Key Management Specification</a> (XKMS 2.0). <br clear="none"> The XKMS Specification comprises two parts &#8211; the XML Key Information Service Specification (XKISS) describing the runtime aspects of key lookup and certificate validation, and the XML Key Registration Service Specification (XKRSS) describing the administrative aspects of registering, renewing, revoking and recovering certificates. <br clear="none"> The XKMS Service implements both parts of specification.</p><p>The XKMS SOAP interface can be used as a standard frontend to access the Public Key Infrastructure (PKI). Using XKMS message encryption scenario, the message encryption picture will change in the following way:</p><p><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image" src="xml-key-management-service-xkms.data/classic-message-encryption-PKI-XKMS.jpg"></span></p><p>Receiver X509 certificate is not saved into sender's local keystore anymore. Instead, certificate is stored into central PKI and can be located, validated and administrated using standard XKMS interface. 
This significantly improves control over certificates in a large service landscape. Note, however, that the XKMS service thereby replaces the local keystore as the client's source of truth for public keys: a client that accepts a certificate from XKMS without authenticating the XKMS endpoint (for example over TLS with server certificate verification) or verifying a signed response would encrypt to, or accept signatures from, whatever key an attacker able to impersonate the service chooses to return. The Locate operation returns an <em>UnverifiedKeyBinding</em>, so the client must additionally validate the certificate (through the Validate operation or a local trust check) before relying on it.</p><p>An administrator can update, renew and revoke certificates and manage certification authorities and revocation lists.</p><h3 id="XMLKeyManagementService(XKMS)-IntegratingtheXKMSclientintotheCXFruntime">Integrating the XKMS client into the CXF runtime</h3><p>The XKMS client can be integrated into CXF and WSS4J in a straightforward way using a custom Crypto provider implementation. In this case, the XKMS service is invoked automatically when WSS4J asks for certificates or validates them. Details are described in this <a shape="rect" class="external-link" href="http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html" rel="nofollow">blog</a>. A basic XKMS implementation of the WSS4J Crypto interface is available in the XKMS Client component (XKMSCryptoProvider and XKMSCryptoProviderFactory). The implementation uses Ehcache to cache certificates received from the XKMS service; the cache lifetime should be short enough that a renewed or revoked certificate is picked up in time, and since the cache settings are not described on this page, confirm them in the provider configuration before relying on timely revocation.</p><h3 id="XMLKeyManagementService(XKMS)-XKMSServiceDesign">XKMS Service Design</h3><p>The internal structure of the XKMS service is shown in the following figure:</p><p><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image" src="xml-key-management-service-xkms.data/XKMS-cxf.jpg"></span></p><p>The XKMS Service exposes a SOAP interface specified in <a shape="rect" class="external-link" href="http://www.w3.org/TR/xkms2/" rel="nofollow">XKMS 2.0</a>. <br clear="none"> The XKMS implementation follows the <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/Chain-of-responsibility_pattern" rel="nofollow">chain of responsibility design pattern</a>.<br clear="none"> Each XKMS operation defines a handler interface and provides one or more implementations of this interface. Handler implementations are connected into a chain. 
<br clear="none"> The operation implementation invokes the handlers of the pre-configured chain one after another until either all handlers have been processed or a critical error occurs. <br clear="none"> This design makes the XKMS internal implementation quite flexible: it is easy to add or remove handlers, change their order, introduce handlers supporting new backends, etc. <br clear="none"> For example, a certificate can first be searched for in the LDAP repository by the LDAP lookup handler and, if it is not found there, additionally looked up in a remote PKI using an appropriate lookup handler. Validation logic is organized as a chain as well: the first validation handler checks the format and expiry date of the X509 certificate, the next one checks the certificate trust chain. Because the result of the Validate operation is only as strong as the configured chain, review it carefully: the sample below contains only a date validator and a trusted-authority validator, and nothing shown on this page checks revocation status (CRL or OCSP), so a revoked but unexpired certificate would still validate unless an additional handler is added.</p><p>Currently the XKMS Service supports simple file-based and LDAP backends.<br clear="none"> A sample Spring configuration of the XKMS handlers looks like this (the host, bind DN and password shown are test placeholders, not a production setup):</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">&lt;beans xmlns="http://www.springframework.org/schema/beans"
xmlns:cxf="http://cxf.apache.org/core" xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:test="http://apache.org/hello_world_soap_http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://cxf.apache.org/core
http://cxf.apache.org/schemas/core.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-2.0.xsd"&gt;
&lt;!-- Validators used by the Validate operation. Only a date check and a
     trust-chain check are configured here; nothing in this sample checks
     revocation (CRL or OCSP), so add a handler for that if Validate is
     expected to reject revoked certificates. --&gt;
&lt;bean id="dateValidator" class="org.apache.cxf.xkms.x509.validator.DateValidator" /&gt;
&lt;bean id="trustedAuthorityValidator"
class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator"&gt;
&lt;constructor-arg ref="certificateRepo" /&gt;
&lt;/bean&gt;
&lt;!-- Locator used by the Locate operation (read-only lookup in certificateRepo). --&gt;
&lt;bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator"&gt;
&lt;constructor-arg ref="certificateRepo" /&gt;
&lt;/bean&gt;
&lt;!-- Handler for the Register operation: it services registration requests
     against certificateRepo, so the endpoint exposing it must authenticate
     and authorise callers. NOTE(review): the class name below is written in
     lower case while the sibling locator is X509Locator; confirm the exact
     class name before copying this configuration. --&gt;
&lt;bean id="x509Register"
class="org.apache.cxf.xkms.x509.handlers.x509Register"&gt;
&lt;constructor-arg ref="certificateRepo" /&gt;
&lt;/bean&gt;
&lt;!-- LDAP based implementation --&gt;
&lt;bean id="certificateRepo"
class="org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo"&gt;
&lt;constructor-arg ref="ldapSearch" /&gt;
&lt;constructor-arg ref="ldapSchemaConfig" /&gt;
&lt;constructor-arg value="dc=example,dc=com" /&gt;
&lt;/bean&gt;
&lt;!-- LDAP connection: URL, bind DN, bind password and a fourth numeric
     argument that this page does not explain (check LdapSearch before
     copying). The values are test placeholders. In production, bind with a
     least-privilege read account rather than the directory superuser, keep
     the password out of the bean definition (externalised or encrypted
     property), and use ldaps:// or StartTLS so that the simple-bind
     credential and the certificates are not exchanged in clear text. --&gt;
&lt;bean id="ldapSearch" class="org.apache.cxf.xkms.x509.repo.ldap.LdapSearch"&gt;
&lt;constructor-arg value="ldap://localhost:2389" /&gt;
&lt;constructor-arg value="cn=Directory Manager,dc=example,dc=com" /&gt;
&lt;constructor-arg value="test" /&gt;
&lt;constructor-arg value="2" /&gt;
&lt;/bean&gt;
&lt;!-- Mapping between X509 certificate fields and LDAP attributes; see the
     property table below for the meaning of each entry. --&gt;
&lt;bean id="ldapSchemaConfig" class="org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig"&gt;
&lt;property name="certObjectClass" value="inetOrgPerson" /&gt;
&lt;property name="attrUID" value="uid" /&gt;
&lt;property name="attrIssuerID" value="manager" /&gt;
&lt;property name="attrSerialNumber" value="employeeNumber" /&gt;
&lt;property name="attrCrtBinary" value="userCertificate;binary" /&gt;
&lt;property name="constAttrNamesCSV" value="sn" /&gt;
&lt;property name="constAttrValuesCSV" value="X509 certificate" /&gt;
&lt;property name="serviceCertRDNTemplate" value="cn=%s,ou=services" /&gt;
&lt;property name="serviceCertUIDTemplate" value="cn=%s" /&gt;
&lt;!-- Every directory entry matching this filter becomes a trust anchor for
     chain validation, so write access to the matching subtree must be
     limited to PKI administrators. NOTE(review): the leading ampersand in
     the value renders double-encoded on this page; the filter should start
     with a single ampersand as shown in the property table below. --&gt;
&lt;property name="trustedAuthorityFilter" value="(&amp;#038;(objectClass=inetOrgPerson)(ou:dn:=CAs))" /&gt;
&lt;property name="intermediateFilter" value="(objectClass=inetOrgPerson)" /&gt;
&lt;/bean&gt;
&lt;!-- File based implementation --&gt;
&lt;!-- bean id="certificateRepo"
class="org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo"&gt;
&lt;constructor-arg value="../conf/certs" /&gt;
&lt;/bean--&gt;
&lt;/beans&gt;
</pre>
</div></div><p>The dateValidator and trustedAuthorityValidator beans are implementations of the Validator interface for date and trust chain validation. <br clear="none"> x509Locator and x509Register are implementations of the Locator and Register interfaces for X509 certificates.<br clear="none"> certificateRepo is the repository implementation for the LDAP backend. LdapSearch and LdapSchemaConfig contain the LDAP configuration described in the following table:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Property</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Sample Value</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>ldapSearch constructor arguments</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ldap://localhost:2389</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>URL, bind DN and bind password of the LDAP server (the repository base DN is passed to certificateRepo). The sample binds as the directory superuser with a plaintext password over unencrypted ldap://, which is acceptable only for a local test: in production use a least-privilege read account, keep the password out of the configuration file and connect over ldaps:// or StartTLS.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>certObjectClass</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>inetOrgPerson</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>LDAP object class used to store certificates</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>attrUID</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>uid</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>LDAP attribute containing the X509 subject DN</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>attrIssuerID</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>manager</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>LDAP attribute containing the X509 issuer DN</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>attrSerialNumber</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>employeeNumber</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>LDAP attribute containing 
X509 serial number</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">attrEndpoint</td><td colspan="1" rowspan="1" class="confluenceTd">labeledURI</td><td colspan="1" rowspan="1" class="confluenceTd">LDAP attribute containing service endpoint (used in case of endpoint based lookup)</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>attrCrtBinary</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>userCertificate</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>LDAP attribute containing X509 certificate content</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>constAttrNamesCSV</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>sn</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Comma separated list of mandatory LDAP attributes</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>constAttrValuesCSV</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>X509 certificate</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Comma separated list of mandatory LDAP attributes values</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>serviceCertRDNTemplate</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>cn=%s,ou=services</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Relative distinguished name for service certificates</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>serviceCertUIDTemplate</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>cn=%s</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Template to transform service QName to DN for storing into attrUID</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>trustedAuthorityFilter</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>(&amp;(objectClass=inetOrgPerson)(ou:dn:=CAs))</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Filter to determine trusted CAs for trusted chain 
validation</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>intermediateFilter</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>(objectClass=inetOrgPerson)</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Filter to determine intermediate certificates for trust chain validation</p></td></tr></tbody></table></div><h4 id="XMLKeyManagementService(XKMS)-Supportedcertificatestypes.">Supported certificate types</h4><p>XKMS distinguishes between the following types of X509 certificates:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>User</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Normal user X509 certificate</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>Service</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Certificate identifying a service. Lookup and registration require the application "urn:apache:cxf:service:soap" (the Data Formats table below lists "urn:apache:cxf:service:name" for the same purpose; confirm which identifier your XKMS version expects). Identified as {SERVICE_NAMESPACE}SERVICE_NAME</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>Trusted CA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>CAs used as trust anchors by certificate validation. Trusted CAs are selected by the trustedAuthorityFilter property; because every directory entry matching that filter is treated as a trust anchor, write access to those entries must be restricted to PKI administrators, otherwise anyone who can add an entry there can make the service accept certificates of their own issuing.</p></td></tr></tbody></table></div><p>The XKMS service endpoint is configured in the following way. Note that the configuration shown contains no authentication or transport protection: Locate and Validate are read-only, but Register modifies the certificate repository, so the endpoint must be protected (TLS plus caller authentication and authorization for Register) before it is exposed beyond a test environment:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"> &lt;bean id="xkmsProviderBean" class="org.apache.cxf.xkms.service.XKMSService"&gt;
&lt;!-- Handler chains per operation: validators serve Validate, locators serve
     Locate and keyRegisterHandlers serve Register. Validate is only as
     strong as this list; as described above, the two validators referenced
     here check dates and the trust chain, and nothing here checks
     revocation. --&gt;
&lt;property name="validators"&gt;
&lt;list&gt;
&lt;ref bean="dateValidator" /&gt;
&lt;ref bean="trustedAuthorityValidator" /&gt;
&lt;/list&gt;
&lt;/property&gt;
&lt;property name="locators"&gt;
&lt;list&gt;
&lt;ref bean="x509Locator" /&gt;
&lt;/list&gt;
&lt;/property&gt;
&lt;property name="keyRegisterHandlers"&gt;
&lt;list&gt;
&lt;ref bean="x509Register" /&gt;
&lt;/list&gt;
&lt;/property&gt;
&lt;/bean&gt;
&lt;!-- Nothing in this snippet protects the endpoint. Locate and Validate are
     read-only, but Register changes the certificate repository, so before
     exposing /XKMS beyond a test setup put it behind TLS and require caller
     authentication and authorisation for Register (for example through a
     WS-Security or HTTP transport policy applied to this endpoint). --&gt;
&lt;jaxws:endpoint id="XKMSService"
xmlns:serviceNamespace="http://www.w3.org/2002/03/xkms#wsdl"
serviceName="serviceNamespace:XKMSService" endpointName="serviceNamespace:XKMSPort"
implementor="#xkmsProviderBean" address="/XKMS"&gt;
&lt;/jaxws:endpoint&gt;
</pre>
</div></div><h4 id="XMLKeyManagementService(XKMS)-DataFormats">Data Formats</h4><p>Input and output data formats are specified in the XML Key Management Service Specification Version 2.0 (see <a shape="rect" class="external-link" href="http://www.w3.org/TR/xkms2/" rel="nofollow">XKMS 2.0</a>). The XKMS service supports only a subset of the specified requests and responses.<br clear="none"> The restrictions on request and response formats are described in the following table. Note that the Identifier value comes straight from the (possibly unauthenticated) request and is used to look up entries in the LDAP backend; before deploying, confirm that the repository escapes LDAP filter metacharacters (RFC 4515) in the identifier, as this page does not show how the search filter is built:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Element XPath</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Supporting values</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="3" class="confluenceTd"><p>RootElement/QueryKeyBinding/UseKeyWith@Application</p><p>&#160;</p><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>urn:ietf:rfc:2459</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Application specifies the X509 Subject DN in the Identifier attribute. Used for normal user certificates</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>urn:apache:cxf:service:name</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Application specifies the service name in the Identifier attribute as {SERVICE_NAMESPACE}SERVICE_NAME. 
Used for service certificates</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">urn:apache:cxf:service:endpoint</td><td colspan="1" rowspan="1" class="confluenceTd">Application specifies the service endpoint in the Identifier attribute</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>RootElement/QueryKeyBinding/UseKeyWith@Identifier</p></td><td colspan="1" rowspan="1" class="confluenceTd"><ul><li>X509 Subject DN;</li><li>Service name as {SERVICE_NAMESPACE}SERVICE_NAME</li><li>Service endpoint</li></ul></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Depending on the Application attribute, the public key is identified by X509 Subject DN (user certificates), by service name (service certificates) or by service endpoint</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>RootElement/UnverifiedKeyBinding/KeyInfo</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>X509Data/X509Certificate</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Only X509Data with X509Certificate is supported</p></td></tr></tbody></table></div><h4 id="XMLKeyManagementService(XKMS)-ErrorHandling">Error Handling</h4><p>Success and Fault Response formats are specified in <a shape="rect" class="external-link" href="http://www.w3.org/TR/xkms2/" rel="nofollow">XKMS 2.0</a>. 
Error conditions in XKMS service are reported using ResultMajor and ResultMinor attributes in the root response element.<br clear="none"> The XKMS Service uses the following values for response codes:</p><p>ResultMajor</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Value</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>Success</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The operation succeeded.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>Receiver</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>An error occurred at the receiver.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>Sender</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>An error occurred that was due to the message sent by the sender.</p></td></tr></tbody></table></div><p>ResultMinor</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Value</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>Failure</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The service attempted to perform the request but the operation failed.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>NoMatch</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>No match was found for the search prototype provided.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>TooManyResponses</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The request resulted in the number of responses that exceeded limit determined by the service.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>TimeInstantNotSupported</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The receiver has refused the operation because it does not support the TimeInstant element.</p></td></tr></tbody></table></div><h4 id="XMLKeyManagementService(XKMS)-Deployment">Deployment</h4><p>The XKMS Service can be deployed into web and OSGi containers. The Service implementation was tested with Tomcat and Karaf.</p><h4 id="XMLKeyManagementService(XKMS)-SampleRequestsandResponses">Sample Requests and Responses</h4><p>Sample request for Locate operation:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">&lt;soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;ns2:LocateRequest xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns2="http://www.w3.org/2002/03/xkms#"
xmlns:ns3="http://www.w3.org/2001/04/xmlenc#"
Id="I047257513d19456687e6b4f4a2a72606" Service="http://cxf.apache.org/services/XKMS/"&gt;
&lt;ns2:QueryKeyBinding&gt;
&lt;ns2:UseKeyWith Application="urn:ietf:rfc:2459"
Identifier="EMAILADDRESS=client@client.com, CN=www.client.com, OU=IT Department,
O=Sample Client -- NOT FOR PRODUCTION, L=Niagara Falls, ST=New York, C=US" /&gt;
&lt;/ns2:QueryKeyBinding&gt;
&lt;/ns2:LocateRequest&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;
</pre>
</div></div><p>Sample response for the Locate operation. The result is an <code>UnverifiedKeyBinding</code>: Locate returns the certificate without asserting anything about its validity, so the client must validate it itself (locally against its trust anchors, or by calling the Validate operation) before using it for encryption or signature verification:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">&lt;soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;ns2:LocateResult ResultMajor="http://www.w3.org/2002/03/xkms#Success"
RequestId="I047257513d19456687e6b4f4a2a72606" Id="I0758390284847918129574923948"
Service="http://cxf.apache.org/services/XKMS/"
xmlns:ns2="http://www.w3.org/2002/03/xkms#"
xmlns:ns3="http://www.w3.org/2001/04/xmlenc#"
xmlns:ns4="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns5="http://www.w3.org/2002/03/xkms#wsdl"&gt;
&lt;ns2:UnverifiedKeyBinding&gt;
&lt;ns4:KeyInfo&gt;
&lt;ns4:X509Data&gt;
&lt;ns4:X509Certificate&gt;&#8230; &lt;/ns4:X509Certificate&gt;
&lt;/ns4:X509Data&gt;
&lt;/ns4:KeyInfo&gt;
&lt;/ns2:UnverifiedKeyBinding&gt;
&lt;/ns2:LocateResult&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;
</pre>
</div></div><p>Sample error message:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">&lt;soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;ns2:LocateResult ResultMajor="http://www.w3.org/2002/03/xkms#Receiver"
ResultMinor="http://www.w3.org/2002/03/xkms#Failure"
RequestId="I047257513d19456687e6b4f4a2a72606" Id="I0758390284847918129574923948"
Service="http://cxf.apache.org/services/XKMS/"
xmlns:ns2="http://www.w3.org/2002/03/xkms#"
xmlns:ns3="http://www.w3.org/2001/04/xmlenc#"
xmlns:ns4="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns5="http://www.w3.org/2002/03/xkms#wsdl"&gt;
&lt;ns2:MessageExtension xsi:type="ns5:resultDetails"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"&gt;
&lt;Details&gt;Search certificates failure: Application
identifier not supported&lt;/Details&gt;
&lt;/ns2:MessageExtension&gt;
&lt;/ns2:LocateResult&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;
</pre>
</div></div><h4 id="XMLKeyManagementService(XKMS)-CurrentrestrictionsandToDos">Current restrictions and ToDos</h4><ul><li>only X509 certificates are supported as keys;</li><li>only LDAP and File based backends are supported;</li><li>more integration tests are required</li></ul></div>
</div>
</body>
</html>