We assume the reader to have prior understanding on the behavior of Axis2/C engine. Moreover, a basic knowledge of cryptography and Web services would definitely help to absorb the content. We have also listed few other articles and Web resources that will help you to bag much needed background knowledge.
Apache Rampart works as a module inside Apache Axis2/C engine. That means Rampart needs to be configured using the configuration mechanisms available in Axis2/C engine. Configuring a module is a very simple process. All you have to do is set a few parameters in a descriptor file. There are two kinds of descriptor files.
In the following discussion we will limit configurations that are necessary only for the SOAP message encryption. If you need to learn how to configure UsernameToken and Timestamps we recommend you to read the article Introducing Rampart/C.
OMXMLSecurity is the XML encryption library used by Rampart. OMXMLSecurity is specifically written for AXIOM (AXis Object Model), which is the XML object model used by Axis2. Although there were other C language implementations of XML Security, they are based on different object models such as DOM (Document Object Model). It was required to implement an XML Security library for AXIOM rather than converting XML data to AXIOM from another model, which is an inefficient process. The first phase of OMXMLSecurity is to support XML encryption as per W3C Recommendations . There is still no support for the XML signatures in Rampart. After completion of phase II we would be able to sign SOAP messages.Right now OMXMLSecurity is packed as a sub module of Rampart. So you don't need to install it separately. Once you install Rampart, OMXMLSecurity is available for you. But OMXMLSecurity uses OpenSSL routines. Thus, in order to use Rampart in your system you need to have OpenSSL installed. OpenSSL is free. Please visit www.openssl.org to get it downloaded.
WS-Security specification provides a wide variety of modes to encrypt SOAP messages. The most common way to encrypt a message is to encrypt a particular portion of the message with a one time (session) key and then deliver it, encrypted with the receiver's public key. This approach is a very secure and efficient way to encrypt SOAP messages for following reasons:
First you need to engage the Rampart module. This means you enable the module to process SOAP messages. This can be done by simply adding the following line to your descriptor file,
This line will enable the Rampart handlers to invoke incoming and outgoing messages. Encryption happens in the OutFlow of messages whilst the decryption happens in the InFlow. Please add following to configure the outflow.
Still Rampart does not encrypt messages. To enable this you have to place Encrypt under the items element as follows:
Now Rampart knows that the outgoing messages should be encrypted. Still it doesn't know where to locate the receiver's certificate. Also you might need to change the default behavior's of Rampart. For example changing an algorithm. Following section will give you the semantics of parameters used by Rampart so that you will know how to perform the above mentioned tasks.
encryptionPropFile: The receiver's certificate. The full path to the file location has to be specified. This certificate should be in PEM format. PEM format is simply base64 encoded data surrounded by --BEGIN CERTIFICATE-- and --END CERTIFICATE-- header lines.
encryptionSymAlgorithm : Sets the algorithm used to encrypt data. This is a symmetric algorithm such as Triple-DES. You may use one of these values for this parameter.
encryptionKeyTransportAlgorithm : Sets the algorithm to encrypt the symmetric key, which is used to encrypt the data. This is an asymmetric key algorithm. Right now the only supported algorithm for this purpose is http://www.w3.org/2001/04/xmlenc#rsa-1_5.
encryptionKeyIdentifier: This will provide information on how to place key information in the out-going message. There are four ways to deliver the key information. Use one of these values.
Alright, now we have an understanding about the parameters that are required to be set. Following is a sample configuration,
If the above configurations are set, Rampart will encrypt the body of the message and place the security information inside the security header element. The outgoing message would be something like this.
In the message you can see that the contents of the body element are replaced by the EncryptedData element, which encapsulates the EncryptedAlgorithm and the CipherData elements. The EncryptedAlgorithm has the value set for the parameter encryptionSymAlgorithm or the default if you haven't. CipherData has another sub element called CipherValue, which carries the base64 encoded cipher text.
Also there are changes in the header as well. A new child element called EncryptedKey has been added to the wsse:Security header. There are four child elements in EncryptedKey.
EncryptionMethod in the header carries the asymmetric encryption algorithm used to encrypt the session key. This is the algorithm set using the parameter "encryptionKeyTransportAlgorithm". KeyInfo carries the information about the public key used to encrypt. CipherData brings the encrypted session key. The ReferenceList element tells what parts of the message are encrypted using the session key. In the above sample we encrypted the body. Thus the value of attribute URI specified in the DataReference refers to the EncryptedData element having the same value as the attribute ID. Note that there can be multiple DataReference elements if the same session key is used to encrypt multiple locations of the message.
Configuring Rampart to decrypt messages is a very easy approach. Similar to the OutFlowSecurity parameters, here we use InflowSecurity parameter. Inside the InflowSecurity we place following parameters.
items: Tells what is expected from incoming messages. Here we expect encrypted messages. Thus the value should be "Encrypt".
decryptionPropFile: This should be either a location to the private key in PEM format or to a pkcs12 key store. For the latter approach you might need to give a password using the password call back mechanism.
encryptionUser: If you have used a pkcs12 key store, you might need to give the correct password to extract the private key. To get the password, you need to give a user name to a password callback module. Use this parameter to specify the user name.
passwordCallBackClass: If you have used a pkcs12 key store as the decryptionPropFile, and specified an encryptionUser as described in the above section, use this parameter to locate the password callback module.
If we have configured as above, we are pretty much ready to decrypt messages. Deploy the sample service "sec_echo" available in rampart/samples/server/. Then use the sample client available in the rampart/samples/client/ to invoke the service. Please refer README files to know how to deploy the service and run the client example.
Apache Rampart/C is a the security module in Axis2/C engine and has extended it's support for SOAP message encryption. By simply configuring the module, Axis2/C users can encrypt SOAP messages. The next phase of Rampart is to enable support for signing and Web Services Security Policy Language.