Security Using Rampart

vibsha's picture
We are deploying the web services solution created by Axis2 1.1.1 and security using Rampart 1.1. The deployment comprises the Apache Web server, which receives the HTTP requests and then routes the requests to the JBoss Application server, where the Axis2 web application along with the services are deployed. I want to have encryption and digital signature in place using Rampart. I have tested the application with the sample certificates in the development environment and it works fine. The questions are pertaining to the production deployment.

a) Do I need to have the certificates key store (signed server certificate, CA self-signed certificate) maintained at the Apache web server? I guess this would be required in case I want to have transport layer security enabled, right?

b) Since Rampart would reside at the JBoss server, I would need the keystore at the JBoss server also, right? This will be required for handling the encrypted and digitally signed SOAP messages. This keystore would have the private keys of the server, the CA self-signed certificate, and the signed certificate of the server by the CA.

c) I hope the Apache web server does not create issues with the encrypted SOAP request coming in when the transport layer security is also enabled. It must let it pass through to JBoss as is.

d) If Rampart is enabled for the web services and the Axis2 engine is enabled/configured for REST-based services too, would the Axis2 engine expect encrypted and digitally signed messages when the consumer sends a POST request?

Thanks
Vibhor
ruchith's picture

[Identity-dev] Security Using Rampart

Hi,

Please see my response in the axis-user@ list!

On point (d) I'd like to mention that in the case where transport level security is used with username token authentication, WSO2-WSAS [1] will handle the REST/POST requests via HTTPS and will enforce HTTP basic auth on those requests!

Thanks,
Ruchith

[1] http://www.wso2.org/projects/wsas/java

vibsha wrote:
>
> We are deploying the web services solution created by Axis2 1.1.1 and
> security using Rampart 1.1.
> The deployment comprises the Apache Web server, which receives the
> HTTP requests and then routes the requests to the JBoss Application
> server, where the Axis2 web application along with the services are deployed.
> I want to have encryption and digital signature in place using Rampart.
> I have tested the application with the sample certificates in the
> development environment and it works fine. The questions are pertaining
> to the production deployment.
>
> a) Do I need to have the certificates key store (signed server
> certificate, CA self-signed certificate) maintained at the
> Apache web server? I guess this would be required in case I want to
> have transport layer security enabled, right?
>
> b) Since Rampart would reside at the JBoss server, I would need the
> keystore at the JBoss server also, right? This will be required for handling
> the encrypted and digitally signed SOAP messages. This keystore would
> have the private keys of the server, the CA self-signed certificate, and the
> signed certificate of the server by the CA.
>
> c) I hope the Apache web server does not create issues with the
> encrypted SOAP request coming in when the transport layer security is
> also enabled. It must let it pass through to JBoss as is.
>
> d) If Rampart is enabled for the web services and the Axis2 engine is
> enabled/configured for REST-based services too, would the Axis2 engine
> expect encrypted and digitally signed messages when the consumer sends a
> POST request?
>
> Thanks
> Vibhor
>
> _______________________________________________
> Identity-dev mailing list
> Identity-dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/identity-dev
>