Obtaining and Distributing the Required Security Credentials
The credentials needed to contact the secured service must be made available to both the BPM runtime node (acting as the service consumer) and the system hosting the web service (the service provider):
- The private key must be available on the BPM runtime node, so that the identity provider application can use it to generate the necessary security information in the (outgoing) SOAP message.
- The associated public key/certificate must be available on the external system hosting the web service, so that the service can use it to validate the security information received in the (incoming) SOAP message.
Depending on the scenario, these credentials may be generated and distributed by either party. For this example, we assume that the service provider has:
- generated the credentials required to access the service (as a private key/certificate entry in its keystore).
- stored the corresponding public key/certificate in its own trusted store.
- given a copy of the keystore file containing the private key to the BPM runtime administrator, who has copied it to the BPM runtime node. Because this file holds the private key, it and its password must be transferred over a protected channel and stored on the runtime node with restrictive file permissions; only the exported certificate, never the keystore, is placed in a truststore.
You do not need to do anything further. As background information, the following sections provide examples of the commands required to create and distribute the necessary credentials to both parties, using the Java keytool utility.
- Generating a Keypair
The keytool -genkeypair command can be used to generate a key pair (a public key and associated private key) for the X.500 Distinguished Name CN=Clint Hill, OU=Claims, O=EasyAs Insurance, L=Swindon, C=UK, stored as a private key/certificate entry in the provider's keystore.
- Exporting the Certificate
The keytool -exportcert command can be used to export the self-signed certificate for the bskey alias from the keystore to a file called bskey.cert. Only the certificate (public key) is written to the file; the private key remains in the keystore.
- Importing the Certificate into the Host System’s Truststore
The keytool -importcert command can be used to import the bskey.cert file into the web service provider’s truststore as a trusted certificate.
Copyright © Cloud Software Group, Inc. All rights reserved.