Steve S.

Reputation: 953

How do you add WS-Security to a SOAP web service with self signed certificates (created with Java keytool)?

The scenario: Two computers(!) (client, server) that need to communicate.

I want to add WS-Security to a (spring) SOAP web service.

I want to add security in the way described here: http://docs.spring.io/spring-ws/docs/2.2.1.RELEASE/reference/htmlsingle/#security-xws-security-interceptor

If I understand this correctly I have to generate (key) stores.

I'm not sure if this is correct but I believe these are the necessary steps:

  1. Create a self-signed certificate (=client-key-pair) in client-keystore.jks (for the client to sign his request)

    keytool -genkey -alias client -keystore client-keystore.jks -storepass password  -keyalg RSA -validity 360 -keysize 2048
    
  2. Extract the client-public-key.cer from client-keystore.jks

    keytool -export -alias client -keystore client-keystore.jks  -storepass password -file client-public-key.cer
    
  3. Import client's client-public-key.cer into server-truststore.jks (for verifying the client's request signature)

    keytool -import -alias client -keystore server-truststore.jks -storepass password -file client-public-key.cer
    

    Now I can receive signed requests from the client, right? But what about signing the response?

  4. Create a 2nd self-signed certificate (=server-key-pair) in server-keystore.jks (for the server to sign his response)

    keytool -genkey -alias server -keystore server-keystore.jks -storepass password  -keyalg RSA -validity 360 -keysize 2048
    
  5. Extract the server-public-key.cer from server-keystore.jks

    keytool -export -alias server -keystore server-keystore.jks -storepass password -file server-public-key.cer
    
  6. Import server-public-key.cer into client-truststore.jks (for verifying the server's response signature)

    keytool -import -alias server -keystore client-truststore.jks -storepass password -file server-public-key.cer
    

    In the end I have four (key) stores containing two different certificates:

    • For the client: client-keystore (client-key-pair) & client-truststore (server-public-key)
    • For the server: server-keystore (server-key-pair) & server-truststore (client-public-key)

Is that correct?

Upvotes: 0

Views: 2209
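The six steps above as one non-interactive script, plus the check the question does not include: that each side's truststore really contains the other side's certificate. This is an added example, not code from the question; it assumes `keytool` from a JDK is on PATH, and the directory, aliases, subject names and the password `changeit` are constructed for the demo. File names follow the summary list (client-keystore / client-truststore / server-keystore / server-truststore).

```shell
#!/bin/sh
# Added example: four-store layout (two self-signed key pairs, cross-imported
# public certificates) built with keytool, then verified by comparing the
# certificate fingerprints keytool reports on each side.
set -eu

STOREPASS="${STOREPASS:-changeit}"   # demo value; see the note on -storepass:env below

# fingerprint_of <keystore> <alias>: the certificate fingerprint keytool prints
# for that alias (SHA-256 on current JDKs, SHA1 on Java 8). Empty if absent.
fingerprint_of() {
    keytool -list -keystore "$1" -storetype JKS -storepass "$STOREPASS" -alias "$2" 2>/dev/null \
        | grep -i 'fingerprint (SHA' | awk '{print $NF}'
}

# make_keypair <side>: self-signed key pair in <side>-keystore.jks and the
# public certificate exported to <side>-public-key.cer (steps 1-2 and 4-5).
make_keypair() {
    side="$1"
    keytool -genkeypair -alias "$side" -keystore "$side-keystore.jks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -keyalg RSA -keysize 2048 -validity 360 \
        -dname "CN=$side, O=Example, C=US"
    keytool -exportcert -alias "$side" -keystore "$side-keystore.jks" -storetype JKS \
        -storepass "$STOREPASS" -file "$side-public-key.cer"
}

# trust_peer <side> <peer>: import the peer's public certificate into
# <side>-truststore.jks (steps 3 and 6). -noprompt replaces the interactive
# "Trust this certificate?" question.
trust_peer() {
    keytool -importcert -alias "$2" -keystore "$1-truststore.jks" -storetype JKS \
        -storepass "$STOREPASS" -file "$2-public-key.cer" -noprompt
}

# build_stores <dir>: creates all four stores inside <dir>.
build_stores() {
    mkdir -p "$1"
    ( cd "$1" && make_keypair client && make_keypair server \
        && trust_peer server client && trust_peer client server )
}

# verify_stores <dir>: returns 0 only if, for both directions, the entry in the
# truststore has the same fingerprint as the private key entry it must verify.
verify_stores() {
    dir="$1"
    for pair in "client server" "server client"; do
        set -- $pair      # $1 = owner of the key pair, $2 = side that must trust it
        own=$(fingerprint_of "$dir/$1-keystore.jks" "$1")
        trusted=$(fingerprint_of "$dir/$2-truststore.jks" "$1")
        if [ -z "$own" ] || [ "$own" != "$trusted" ]; then
            echo "trust mismatch: $1 certificate not found in $2-truststore.jks" >&2
            return 1
        fi
    done
    echo "all four stores consistent"
}
```

Two practical points. `-storepass` on the command line is visible in process listings and shell history; keytool also accepts `-storepass:env VARNAME` and `-storepass:file PATH`, which keep the password out of both. And because trust here is per certificate rather than per issuer, every new or renewed client certificate has to be re-imported into the server truststore (and vice versa), which is the operational cost the CA-based layout in the answer avoids.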

Answers (1)

Matthew Wells

Reputation: 104

Broadly speaking, you need to create a Certificate Authority (CA) (using openssl) on the server side.

You then create a keystore on the server side which will be used as your trust store. You import the CA certificate into this keystore. This process is described in superb detail here:

https://gleichmann.wordpress.com/2009/01/29/ws-security-using-cert-authentication-with-spring-ws-iii-setting-up-the-security-infrastructure/

You then need to create a keystore on the client side and generate a Certificate Signing Request (CSR) to send to the server to be signed by the CA. You then import the CA certificate and the signed certificate (resulting from your CSR) into the client side keystore. Again, this is described brilliantly here:

https://gleichmann.wordpress.com/2009/02/05/ws-security-using-cert-authentication-with-spring-ws-iv-how-to-set-up-your-clients-keystore/

So, in summary: one keystore each on the client and server, a self-signed CA certificate on the server, and a certificate signed by the server CA on the client!

There are a total of five posts in the series that I've referenced. I can't recommend them highly enough.

I hope that helps!

Upvotes: 1
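The CA-based layout this answer describes, carried through end to end and then checked: openssl acts as the server-side CA, keytool builds the client keystore and the CSR, and two checks confirm that the client certificate actually chains to the CA. This is an added example, not code from the answer or from the linked posts; it assumes `openssl` and `keytool` are on PATH, and the directory, aliases, subject names and the password `changeit` are constructed for the demo.

```shell
#!/bin/sh
# Added example: self-signed CA on the server, server truststore holding only the
# CA certificate, client keystore holding a CA-signed certificate obtained via CSR.
set -eu

STOREPASS="${STOREPASS:-changeit}"   # demo value; prefer -storepass:env / -storepass:file in real use

# make_ca <dir>: CA key pair and self-signed CA certificate. The CA key stays on
# the server; only ca.crt is distributed to clients.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/CN=Demo WS-Security CA/O=Example" 2>/dev/null
}

# make_server_truststore <dir>: the server trusts the CA only; every client
# certificate the CA has signed then verifies without a per-client import.
make_server_truststore() {
    keytool -importcert -alias ca -file "$1/ca.crt" -keystore "$1/server-truststore.jks" \
        -storetype JKS -storepass "$STOREPASS" -noprompt
}

# make_client_keystore <dir>: key pair -> CSR -> CA-signed certificate -> import
# the CA certificate, then the signed certificate as a reply to the key entry.
make_client_keystore() {
    ks="$1/client-keystore.jks"
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=client, O=Example" -keystore "$ks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -alias client -file "$1/client.csr" -keystore "$ks" -storetype JKS \
        -storepass "$STOREPASS"
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/client.crt" 2>/dev/null
    keytool -importcert -alias ca -file "$1/ca.crt" -keystore "$ks" -storetype JKS \
        -storepass "$STOREPASS" -noprompt
    # Importing under the key's own alias installs the certificate reply; keytool
    # validates it against the CA entry just imported and fails if the chain
    # does not close, so a cert signed by some other CA cannot be installed here.
    keytool -importcert -alias client -file "$1/client.crt" -keystore "$ks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -noprompt
}

# chain_length <keystore> <alias>: number of certificates in the entry's chain
# as reported by keytool (2 = client certificate + CA certificate).
chain_length() {
    keytool -list -v -alias "$2" -keystore "$1" -storetype JKS -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *//p'
}

# verify_setup <dir>: 0 if the client certificate verifies against the CA with
# openssl and the client keystore holds the two-certificate chain; 1 otherwise.
verify_setup() {
    if ! openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1; then
        echo "client certificate does not chain to the CA" >&2
        return 1
    fi
    if [ "$(chain_length "$1/client-keystore.jks" client)" != "2" ]; then
        echo "client keystore chain is incomplete" >&2
        return 1
    fi
    echo "CA-signed client setup verified"
}

# build_ca_setup <dir>: runs the whole procedure in <dir>.
build_ca_setup() {
    mkdir -p "$1"
    make_ca "$1"
    make_server_truststore "$1"
    make_client_keystore "$1"
}
```

Note what the server truststore does and does not decide: with only the CA in it, any certificate that CA has signed is an acceptable signer, so deciding which client a signed request came from is a separate step based on the certificate's subject, and revoking a client means more than deleting a truststore entry. Keep the CA key off the client and out of the truststore; only ca.crt is needed there.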
