Impossible itself says "I M Possible" :) RAGHUVIR's Techonloy Blog..

Here I want to write steps to create a user defined fault  using open-esb's BPEL .  The fault having child elements in detail section.

 In the example , I create a "uninitialized variable" fault and catch it and send it as response. 

 Here are detailed steps :-

1) Create a BPEL process named "FaultUserDefined_Bpel" .

2) Create a simple receive - assign - reply ( drag these from the palette ).

3) Create a XSD with 2 elements :-

<?xml version="1.0" encoding="UTF-8"?>

<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    targetNamespace="http://xml.netbeans.org/schema/faultxsd"
    xmlns:tns="http://xml.netbeans.org/schema/faultxsd"
    elementFormDefault="qualified">
    <xsd:element name="faultdesc" type="tns:soapDetail"/>
    <xsd:complexType name="soapDetail">
        <xsd:sequence>
            <xsd:element name="soapfaultName" type="xsd:string"/>
            <xsd:element name="soapfaultdesc" type="xsd:string"/>
        </xsd:sequence>
    </xsd:complexType>
</xsd:schema>

4) Create a SOAP  WSDL  - RPC literal with fault part as "fault1" and data type is the complex type created in step 3 , i.e. "soapDetail" and part1 as "in" (request) and part1 as "out"(response)

5) Drag the WSDL in the BPEL canvas as partnerlink1 .

 6) Connect the wsdl to receive , reply to wsdl

7) Create a variable using "add variable" button right above the bpel canvas .data type "integer"

8) Double click the assign and assign in to out and use concat to use the newly created variable. Notice that we are using the variable without initialization. So it should throw "Uninitialized variable exception"

9) Now create a "Fault Handler" and add a "catch" and select "catch" and change it Fault name property to "uninitializedVariable" in Standard faults.  Click OK

10) Inside the "catch" drop a "assign" and "reply" .

11) Double click the "assign" and add some string literals to "soapfaultName" and "soapfaultdesc".

12) Double click the "reply" and assign back to the wsdl but change the response as Fault Response . Choose the Fault Name as "fault1" as created in the wsdl. and create a fault variable using the "create" button.

13) Build and check if the BPEL has any errors .

14) Add a composite app , drop the BPEL process to the CASA editor and build and deploy the composite app.

15) Create a new test case , send request and observe the response as fault coming as user defined .

You can get the project here

To create a new domain in glassfish appserver you can use the following command :- 

asadmin> create-domain --adminport 5006 --profile developer --user admin domain3
Please enter the admin password>
Please enter the admin password again>
Please enter the master password [Enter to accept the default]:>
Please enter the master password again [Enter to accept the default]:>
Using port 5006 for Admin.
Default port 8080 for HTTP Instance is in use. Using 4182
Default port 7676 for JMS is in use. Using 4183
Default port 3700 for IIOP is in use. Using 4184
Default port 8181 for HTTP_SSL is in use. Using 4185
Default port 3820 for IIOP_SSL is in use. Using 4186
Default port 3920 for IIOP_MUTUALAUTH is in use. Using 4187
Default port 8686 for JMX_ADMIN is in use. Using 4188
Domain being created with profile:developer, as specified on command line or environment.
Security Store uses: JKS
Domain domain3 created.

 Steps to configure SSL in GFESB (glassfish V2.1.1) using HTTP BC using user defined certificates.

1) Create a simple project that uses HTTPS using http bc. or download the sample project from here.

2) Configure the glassfish server to use the non-default certificates .

 Given below are the steps to configure Glassfish appserver with non-default certificates.

a) First take a backup of the certificates (keystore.jks and cacerts,jks ) present in <as_home>/glassfish/domains/domain1/config

b) delete the files from this folder.

c) Generate a new key pair for the application server

Note;- i am using the default alias s1as so that the user need not modify the domain.xml file.

F:\GlassFishESBv22_20091020-1005\glassfish\domains\domain1\config>keytool -genkey -alias s1as -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
What is your first and last name?
  [Unknown]:  raghuvir-4730D
What is the name of your organizational unit?
  [Unknown]:  sun
What is the name of your organization?
  [Unknown]:  SunMicro
What is the name of your City or Locality?
  [Unknown]:  Bang
What is the name of your State or Province?
  [Unknown]:  Kar
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=raghuvir-4730D, OU=sun, O=SunMicro, L=Bang, ST=Kar, C=IN correct?
  [no]:  yes

d) Export the certificate
F:\GlassFishESBv22_20091020-1005\glassfish\domains\domain1\config>keytool -export -alias s1as -storepass changeit -file server.cer -
keystore keystore.jks
Certificate stored in file <server.cer>

e) Self Sign the certificate
F:\GlassFishESBv22_20091020-1005\glassfish\domains\domain1\config>keytool -selfcert -alias s1as -validity 335 -keystore keystore.jks -storetype JKS
Enter keystore password:changeit

f) Import the certificate to a new trustore cacerts.jks
F:\GlassFishESBv22_20091020-1005\glassfish\domains\domain1\config>keytool -import -v -trustcacerts -alias s1as -file server.cer -key
store cacerts.jks -keypass changeit -storepass changeit
Owner: CN=raghuvir-4730D, OU=sun, O=SunMicro, L=Bang, ST=Kar, C=IN
Issuer: CN=raghuvir-4730D, OU=sun, O=SunMicro, L=Bang, ST=Kar, C=IN
Serial number: 4ae13166
Valid from: Fri Oct 23 10:00:30 IST 2009 until: Thu Jan 21 10:00:30 IST 2010
Certificate fingerprints:
         MD5:  F1:37:15:AB:B3:8C:B3:67:0D:F9:8B:DC:7F:13:86:0A
         SHA1: 89:A0:C2:5A:52:9B:27:68:1F:38:FF:61:04:A8:09:B9:11:9D:29:97
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing cacerts.jks]

 g) verify the import

F:\GlassFishESBv22_20091020-1005\glassfish\domains\domain1\config>keytool -list -v -keystore cacerts.jks -alias s1as -storepass changeit
Alias name: s1as
Creation date: Oct 22, 2009
Entry type: trustedCertEntry

Owner: CN=raghuvir, OU=sun, O=Sunmicro, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=raghuvir, OU=sun, O=Sunmicro, L=Bangalore, ST=Karnataka, C=IN
Serial number: 4ae003fb
Valid from: Thu Oct 22 12:34:27 IST 2009 until: Wed Sep 22 12:34:27 IST 2010
Certificate fingerprints:
         MD5:  43:A5:03:3E:A7:90:CA:BF:6F:8A:7A:A2:F1:A9:D9:AF
         SHA1: 7D:68:DD:E6:D2:52:AA:32:9E:B2:C4:1F:03:73:0B:F8:67:D3:C8:E2
         Signature algorithm name: SHA1withRSA
         Version: 3

h) restart the appserver.

3) Build and deploy the project in GFESB using netbeans.

4) Invoke the webservice in SOAP UI.

You can download the certificates (if needed) from here.

========================================================================================================================

Definitions

Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related, often identical, cryptographic keys for both decryption and encryption. The encryption key is trivially related to the decryption key, in that they may be identical or there is a simple transform to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link.

---

public key cryptography has message encrypted with a recipient's public key cannot be decrypted by anyone except a possessor of the matching private key -- presumably, this will be the owner of that key and the person associated with the public key used. This is used for confidentiality.

---

Confidentiality has been defined by the International Organization for Standardization (ISO) as "ensuring that information is accessible only to those authorized to have access".

========================================================================================================================

NM Property and Dynamic Addressing Demo 

To demonstrate the use of  http bc nm property and dynamic addressing we use bpel. Here are the following steps.

1) First create a simple service - Service 1. Lets say this service is available at the endpoint http://localhost:9080/ServiceWSDLService/ServiceWSDLPort

2) Next create a BPEL to use this service and implement the NM property feature in the BPEL mapper. We use the URL NM Property of HTTP BC .

3)We create a new NM Property and use it in another BPEL , to show that user defined nm property also works fine.

4) Now we deploy the Composite application.

5) we have 3 WSDLs deployed. 1 service , 2 NM property and 1 more is the nmporperty.wsdl which is created automatically.

6) Create 2 test case for the 2 nm property WSDLs and give the endpoint as the input . http://localhost:9080/ServiceWSDLService/ServiceWSDLPort

To extent the logic , any service can be invoked based on the input. For demo purpose I have created a just one service. 

The project can be found here

GET

The HTTP Binding Component supports both the http:urlEncoded and http:urlReplacement

 The WSDL would have the following binding :-

 For  urlEncoded

<binding name="GetServiceWSDLBinding" type="tns:GetServiceWSDLPortType">
        <http:binding verb="GET"/>
        <wsdl:operation name="GetServiceWSDLOperation">
            <http:operation location="(part1)"/>
            <wsdl:input name="input1">
                <http:urlEncoded/>
            </wsdl:input>
            <wsdl:output name="output1"/>
        </wsdl:operation>
    </binding>

For urlReplacement

<binding name="getWsdlBinding" type="tns:getWsdlPortType">
        <http:binding verb="GET"/>
        <wsdl:operation name="getWsdlOperation">
            <http:operation location="(part1)"/>
            <wsdl:input name="input1">
                <http:urlReplacement/>
            </wsdl:input>
            <wsdl:output name="output1"/>
        </wsdl:operation>
    </binding>

The sample WSDL can be downloaded from httpUrlEncoded  and httpUrlReplacement

To test this in GF ESB is simple.

Steps for HTTP URL Encoded:-

1) Create a wsdl to GET the service with the binding as shown above for http url encoded.

2) Create a simple BPEL with receive , reply using the above WSDL . This bpel will get the service .

3) Then create a simple WSDL rpc with part1 , part2 as string.

4) Create a simple BPEL that invokes the above WSDL and sends back a SOAP response.

 Steps for HTTP URL Replacement :-

1) Create a wsdl to get the service from a web application and with the binding as shown above for http url replacement.

2) Create a main wsdl with rpc with part1 , part2

3) Create a simple BPEL that invokes the above WSDL and sends back a SOAP response.

You can download the above project for the following scenarios :-

a) Get URL Encoded - Simple Type

b) Get URL Encoded - Complex Type

c) Get URL Replacement - Simple Type

d) Get URL Replacement - Complex Type

POST

For Post the binding will look like

<binding name="postWSDLBinding" type="tns:postWSDLPortType">
        <http:binding verb="POST"/>
        <wsdl:operation name="postWSDLOperation">
            <http:operation location=""/>
            <wsdl:input name="input1">
                <http:urlEncoded/>
            </wsdl:input>
            <wsdl:output name="output1"/>
        </wsdl:operation>
    </binding>

Sample WSDL can be found here

Projects creation is similar to the one for GET

Some projects can be downloaded here or here

 1) Create a simple WSDL SOAP - RPC .
 2) Add the following line in the service element of the WSDL right below the soap address.
 <wsp:PolicyReference URI="#HttpBasicAuthBindingBindingPolicy"/>
 3) Then add the following Policy just below the service element and just above the Partnerlink 
 <wsp:Policy wsu:Id="HttpBasicAuthBindingBindingPolicy">
        <mysp:MustSupportBasicAuthentication on="true">
            <mysp:BasicAuthenticationDetail>
               <mysp:Realm realmName="file"/>
            </mysp:BasicAuthenticationDetail>
        </mysp:MustSupportBasicAuthentication>
    </wsp:Policy>
 4) Note that I have used the realm as "file" .
 5) Create a simple BPEL Request - Response scenario . 
 6) Build and deploy the project by creating a composite application.
 7) Open SOAP UI and point to the wsdl created in step 1 . 
 8) It will create a default request and then change the HTTPDefaultport in the access point to 8090 (default) 
 9) Now Open Glassfish admin console . Go to Configuration -> Security -> Realms -> file -> manage users
 10) Create a user with some user id , pwd and group list. 
 11) Now in SOAP UI before running the request , in the left hand side , give the username and password.
 12) run the request to get the response. 
 Input request :-
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:bas="http://j2ee.netbeans.org/wsdl/BasicAuthFileRealm/BasicAuthFileRealmWSDL">
   <soapenv:Header/>
   <soapenv:Body>
      <bas:BasicAuthFileRealmWSDLOperation>
         <in>test</in>
      </bas:BasicAuthFileRealmWSDLOperation>
   </soapenv:Body>
</soapenv:Envelope>
 
Output Response :-
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Body>
      <m:BasicAuthFileRealmWSDLOperationResponse xmlns:m="http://j2ee.netbeans.org/wsdl/BasicAuthFileRealm/BasicAuthFileRealmWSDL">
         <out>From BPEL :- test</out>
      </m:BasicAuthFileRealmWSDLOperationResponse>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
 To test the above scenario you can access the project from here


Basic Authentication - UserName and Password in the WSDL 
1) Follow the same steps as above except the following changes.
  a) Paste the following code for the policy
 <wsp:Policy wsu:Id="HttpBasicAuthBindingBindingPolicy">
        <mysp:MustSupportBasicAuthentication>true</mysp:MustSupportBasicAuthentication>
           <mysp:UsernameToken mysp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
       <wsp:Policy>
            <sp:WssUsernameToken10>raghu</sp:WssUsernameToken10>
            <sp:WssPassword>${password}</sp:WssPassword>
       </wsp:Policy>
         </mysp:UsernameToken>
    </wsp:Policy>
The project for this scenario can be downloaded here 
Note here I have used the application variable {password} , this has to be created in the services tab and HTTP Binding properties.
For Access Manager we need to have the following code in the WSDL
 <wsp:Policy wsu:Id="HttpBasicAuthBindingBindingPolicyAM">
        <mysp:MustSupportBasicAuthentication on="true">
            <mysp:BasicAuthenticationDetail>
                <mysp:AccessManager/>
            </mysp:BasicAuthenticationDetail>
        </mysp:MustSupportBasicAuthentication>
    </wsp:Policy>
 

Steps :-

1. Download the binaries from http://www.sunfreeware.com/indexsparc10.html

or download all these from here :- Part1 and Part2

The download will contain the following packages -

db-4.2.52.NC-sol10-sparc-local.gz
openldap-stable-20080813.tgz
libgcc-3.4.6-sol10-sparc-local.gz
openssl-0.9.8j-sol10-sparc-local.gz
openldap-2.4.11-sol10-sparc-local.gz
sasl-2.1.21-sol10-sparc-local.gz

2. Now login to your solaris sparc box as "root" , root access has to be there ,else it wont install.

3. run pkgadd command , to check if it working. then unzip the files using "gunzip filename"

4. run pkgadd -d db-4.2.52.NC-sol10-sparc-local and similarly install all the packages

5. After installing all the packages , configure slapd.conf file based on your requirements .
slapd.conf can be located at /usr/local/etc/openldap

the sample slapd.conf will look like

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw adminadmin

directory /usr/local/var/openldap-data
index default pres,eq
index objectClass eq
index uid,cn,sn

6. Start slapd using the command from /usr/local/libexec
./slapd -f ../etc/openldap/slapd.conf

7. Now the connect the open ldap using our ldapbrowser
ensure that "append base dn" is checked .

8. After connecting import the following for the base dn

dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: dcObject
objectClass: organization
o: root
ou: mostral

9. then import the actual data , sample would be like

dn: ou=mostral, dc=example,dc=com
ou: mostral
objectClass: top
objectClass: organizationalunit

dn: uid=scarter,ou=mostral, dc=example,dc=com
givenName: Sam
sn: Carter
telephoneNumber: +1 408 555 4798
userPassword:: e1NTSEF9UmIxZk9JL2x5TlQ3bGFEc0FKaEhJdEs4bW9LbkVBSWZEMWpNU0E9PQ
==
ou: Accounting
ou: mostral
l: Sunnyvale
roomNumber: 4612
mail: scarter@example.com
facsimileTelephoneNumber: +1 408 555 9751
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: scarter
cn: Sam Carter

1. Install Open ssl on unix machine. ( here i have used a solaris sparc machine )

Get the software from http://www.sunfreeware.com/indexsparc10.html
" openssl-0.9.8j-sol10-sparc-local.gz "

Now login to your solaris sparc box as "root" , root access has to be there ,else it wont install.

run pkgadd command , to check if it working. then unzip the files using "gunzip filename"

run pkgadd -d openssl-0.9.8j-sol10-sparc-local and similarly install all the packages

This will get installed in /usr/local/ssl/ by default.

==========================================================================

2. Set the path on the unix machine to use this open ssl .

bash-3.00# PATH=$PATH:/usr/local/ssl/bin:.

bash-3.00# export PATH

bash-3.00# which openssl
/usr/local/ssl/bin/openssl

bash-3.00# echo $PATH
/usr/local/ssl/bin:.

======================================================================

3. Create a CA root certificate

bash-3.00# mkdir openldapcerts


bash-3.00# cd openldapcerts


bash-3.00$ pwd
/home/rk208995/openldapcerts

run the below command , enter the password as "adminadmin" , then enter country , state , city , for Common name , enter the FQDN of the local machine. here it is iecsoa1
At the end it asks for password again , enter "adminadmin"

bash-3.00$ /usr/local/ssl/misc/CA.sh -newca

CA certificate filename (or enter to create)


Making CA certificate ...

Generating a 1024 bit RSA private key

.............++++++

................++++++

writing new private key to './demoCA/private/./cakey.pem'

Enter PEM pass phrase:adminadmin

Verifying - Enter PEM pass phrase:adminadmin

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----


Country Name (2 letter code) [AU]:IN

State or Province Name (full name) [Some-State]:Karnataka

Locality Name (eg, city) []:Bangalore

Organization Name (eg, company) [Internet Widgits Pty Ltd]:SMI

Organizational Unit Name (eg, section) []:SMI

Common Name (eg, YOUR name) []:iecsoa1.india.sun.com

Email Address []:


Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /usr/local/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/./cakey.pem:adminadmin

Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Apr 20 03:47:43 2009 GMT
Not After : Apr 19 03:47:43 2012 GMT
Subject:
countryName = IN
stateOrProvinceName = Karnataka
organizationName = SMI
organizationalUnitName = SMI
commonName = iecsoa1.india.sun.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2


Certificate is to be certified until Apr 19 03:47:43 2012 GMT (1095 days)


Write out database with 1 new entries

Data Base Updated

======================================================================
4. Create a CSR for the ldap server

Note: When asked for a 'Common Name', you must enter the ldap url in the following format,
ldaps://:
e.g. ldaps://ldapserver.com:636

This will create a csr “newreq.pem”

bash-3.00$ openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

Generating a 1024 bit RSA private key

.............................++++++

..................++++++

writing new private key to 'newreq.pem'

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:IN

State or Province Name (full name) [Some-State]:Karnataka

Locality Name (eg, city) []:Bangalore

Organization Name (eg, company) [Internet Widgits Pty Ltd]:SMI

Organizational Unit Name (eg, section) []:SMI

Common Name (eg, YOUR name) []:ldaps://iecsoa1.india.sun.com:636

Email Address []:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

An optional company name []:


bash-3.00$ ls

demoCA newreq.pem

=======================================================================

5.Use the CA to sign the CSR , enter password as "adminadmin"

bash-3.00$ /usr/local/ssl/misc/CA.sh -sign

Using configuration from /usr/local/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem:adminadmin

Check that the request matches the signature

Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 20 03:54:29 2009 GMT
Not After : Apr 20 03:54:29 2010 GMT
Subject:
countryName = IN
stateOrProvinceName = Karnataka
localityName = Bangalore
organizationName = SMI
organizationalUnitName = SMI
commonName = ldaps://iecsoa1.india.sun.com:636
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:4B:3E:75:0C:2F:CB:23:79:BB:3B:F2:61:61:63:F9:E9:F2:D9:91
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2


Certificate is to be certified until Apr 20 03:54:29 2010 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Certificate:

Data:

Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IN, ST=Karnataka, O=SMI, OU=SMI, CN=iecsoa1.india.sun.com
Validity
Not Before: Apr 20 03:54:29 2009 GMT
Not After : Apr 20 03:54:29 2010 GMT
Subject: C=IN, ST=Karnataka, L=Bangalore, O=SMI, OU=SMI, CN=ldaps://iecsoa1.india.sun.com:636
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:26:62:b3:3a:50:cb:0a:5d:c6:e0:b6:e6:72:
6a:6e:ba:a5:7f:6d:4e:e5:54:36:95:db:72:87:19:
8e:64:f3:07:81:f8:59:51:ef:03:0a:72:13:eb:dc:
8d:38:14:39:cc:ad:cb:16:db:f9:12:44:24:a7:c0:
c8:1e:8a:b6:b3:b3:b4:9e:aa:7f:b2:3e:76:80:8a:
19:70:02:2b:4d:c5:5f:e8:f3:83:71:51:05:61:37:
a1:1b:fd:85:91:6f:74:22:1b:01:e8:5e:e8:4d:15:
b2:9c:2e:f3:0e:c9:b6:a0:5b:8f:1c:4b:b9:ee:77:
bd:ea:69:5b:f9:83:1c:db:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:4B:3E:75:0C:2F:CB:23:79:BB:3B:F2:61:61:63:F9:E9:F2:D9:91
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2

Signature Algorithm: sha1WithRSAEncryption
15:fd:e0:f4:06:92:3d:57:72:1d:9e:43:53:b6:bd:c8:0e:35:
fa:7c:24:6a:c3:d9:f5:63:4d:00:74:de:80:86:4c:9e:7d:6f:
09:f7:cb:de:6c:6b:70:1f:d9:7c:62:98:79:5a:fa:68:96:a0:
a4:45:de:84:43:db:a8:01:d8:f8:45:33:dd:e8:ca:18:5d:51:
28:b2:51:28:45:07:c8:41:e5:72:1b:fd:6c:f3:df:0e:61:47:
e5:7f:ea:6d:ed:a8:15:91:bc:90:be:c8:00:1c:50:1a:ce:50:
be:ac:65:d5:23:96:12:f6:62:2f:9e:7f:24:38:1f:74:32:7d:
a9:0a

-----BEGIN CERTIFICATE-----
MIICyzCCAjSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBdMQswCQYDVQQGEwJJTjES
MBAGA1UECBMJS2FybmF0YWthMQwwCgYDVQQKEwNTTUkxDDAKBgNVBAsTA1NNSTEe
MBwGA1UEAxMVaWVjc29hMS5pbmRpYS5zdW4uY29tMB4XDTA5MDQyMDAzNTQyOVoX
DTEwMDQyMDAzNTQyOVowfTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUthcm5hdGFr
YTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQwwCgYDVQQKEwNTTUkxDDAKBgNVBAsTA1NN
STEqMCgGA1UEAxMhbGRhcHM6Ly9pZWNzb2ExLmluZGlhLnN1bi5jb206NjM2MIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEJmKzOlDLCl3G4LbmcmpuuqV/bU7l
VDaV23KHGY5k8weB+FlR7wMKchPr3I04FDnMrcsW2/kSRCSnwMgeirazs7Seqn+y
PnaAihlwAitNxV/o84NxUQVhN6Eb/YWRb3QiGwHoXuhNFbKcLvMOybagW48cS7nu
d73qaVv5gxzb/wIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUw0s+dQwvyyN5
uzvyYWFj+eny2ZEwHwYDVR0jBBgwFoAU93cUHIbT806a7nzR44AnZlZLD9IwDQYJ
KoZIhvcNAQEFBQADgYEAFf3g9AaSPVdyHZ5DU7a9yA41+nwkasPZ9WNNAHTegIZM
nn1vCffL3mxrcB/ZfGKYeVr6aJagpEXehEPbqAHY+EUz3ejKGF1RKLJRKEUHyEHl
chv9bPPfDmFH5X/qbe2oFZG8kL7IABxQGs5Qvqxl1SOWEvZiL55/JDgfdDJ9qQo=
-----END CERTIFICATE-----


Signed certificate is in newcert.pem



bash-3.00$ ls

demoCA newcert.pem newreq.pem

==================================================================
6.This creates newcert.pem (server certificate signed by CA) with private key, newreq.pem

So far we have created only the certificates needs to be used by the openldap server. Lets see how to configure the openldap using this certificates ...

Stop the openldap if it is already running :-

bash-3.00# ps -ef | grep slapd

root 26718 26710 0 11:09:04 pts/2 0:00 grep slapd

root 7915 1 0 Apr 17 ? 0:00 ./slapd

bash-3.00# kill -9 7915


bash-3.00# ps -ef | grep slapd
root 26720 26710 0 11:09:28 pts/2 0:00 grep slapd


bash-3.00# netstat -an | egrep '389|636'


no process running on port 389 or 636

=======================================================================
7. Copy the certificates to the ldap directory

a ) Copy cacert.pem - CA root certificate from Demo CA folder to /usr/local/var/openldap-data
b ) rename newcert.pem to servercrt.pem
c ) rename newreq.pem to serverkey.pem
d ) Copy servercrt.pem and serverkey.pem to /usr/local/var/openldap-data

so /usr/local/var/openldap-data has 3 new files in it
cacert.pem , servercrt.pem , serverkey.pem


==============================================================================
8. Edit the slapd.conf file from /usr/local/etc/openldap and add the following entry in to it below the entry
"argsfile /usr/local/var/run/slapd.args "

TLSCipherSuite HIGH:MEDIUM:+SSLv2

TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem

TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem

TLSCertificateKeyFile /usr/local/var/openldap-data/serverkey.pem


# Client verification not required

TLSVerifyClient never


=================================================================================
9.Start the openldap server by using the following command

# cd /usr/local/libexec

# ../slapd -h “ldap://iecsoa1:389 ldaps://iecsoa1:636”

Enter PEM pass phrase:adminadmin


Check to see the processes are listening in the configured ports

# netstat -an | egrep '389|636'

10.12.185.65.389 *.* 0 0 49152 0 LISTEN

10.12.185.65.636 *.* 0 0 49152 0 LISTEN


Use any external ldap-browser to connect to the both the URLs and check.


=================================================================================
For the client side , we have to use the server certificate , So we have to create keystore and trustore

Steps to create Client Truststore and Keystore from Server certificate .

First Convert from pem to jks format

Now to create Client Trust - store and key store

1. bash-3.00# pwd

/usr/local/ssl/bin


bash-3.00# openssl pkcs8 -topk8 -nocrypt -in /usr/local/ssl/mycerts/demoCA/private/cakey.pem -inform PEM -out key.der -outform DER

Enter pass phrase for /usr/local/ssl/mycerts/demoCA/private/cakey.pem:adminadmin


bash-3.00# openssl x509 -in /usr/local/ssl/mycerts/demoCA/cacert.pem -inform PEM -out cert.der -outform DER

bash-3.00# ls

c_rehash cert.der key.der openssl

======================================================================
2. Create a keystore using the java program

java program can be found at here


======================================================================
3. To view the contents of the keystore use this command
C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -list -v -keystore keystore.jks

Enter keystore password:adminadmin


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: client
Creation date: Apr 20, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012
Certificate fingerprints:
MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]

]

#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false



*******************************************
*******************************************

======================================================================
4. use keytool to generate trust store ( note the default alias is "client" )

C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -export -alias client -storepass adminadmin -file client.cer -keystore keystore.jks

Certificate stored in file


======================================================================
Import the above certificate to a new Truststore named "trustore"

C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -import -alias client -file client.cer -keystore truststore

Enter keystore password:adminadmin

Re-enter new password:adminadmin

Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN

Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN

Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012

Certificate fingerprints:

MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]

]

#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

Trust this certificate? [no]: yes


Certificate was added to keystore

======================================================================
To View contents of the trustore

C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -list -v -keystore truststore
Enter keystore password:adminadmin

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: client
Creation date: Apr 20, 2009
Entry type: trustedCertEntry

Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012
Certificate fingerprints:
MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]

]

#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false



*******************************************
*******************************************


======================================================================

Steps to configure Open DS with SSL

Step 1 :- Create keystore

C:\Documents and Settings\Raghuvir Kamath> keytool -genkey -alias server-cert -keyalg rsa -dname "CN=compapps.india.sun.com,O=SMI,C=IN" -keystore keystore -storetype JKS
Enter keystore password:adminadmin
Re-enter new password:adminadmin

Enter key password for (RETURN if same as keystore password):

This will create "keystore" in the location C:\Documents and Settings\Raghuvir Kamath

Step 2:- Self sign the keystore

Self Sign the certificate using keytool

D:\LDAP\openDS>keytool -selfcert -alias server-cert -validity 1825 -keystore keystore -storetype JKS

Enter keystore password:adminadmin

Step 3 :-Export the public key

D:\LDAP\openDS>keytool -export -alias server-cert -file server-cert.txt -rfc -keystore keystore
Enter keystore password:
Certificate stored in file

Step 4:- Create a new truststore

keytool -import -alias server-cert -file server-cert.txt -keystore truststore -storetype JKS

Type yes when you are prompted about whether you want to trust the certificate.

This step is needed only if the SSL and StartTLS settings were not specified during installation or if you want to change those settings

Step 5:- Install Open DS

Install Open DS 1.0.0 from the web as webinstaller https://opends.dev.java.net/

Step 6:- Configure SSL during installation

While installing , configure OpenDS for SSL , use existing keystore , the one created in step 2. give the keystore as input. Refer screenshots for this.To Check if SSL and TLS is enabled on your LDAP server is use the statuspanel.bat from your LDAP server installation folder.

Installation of Sun Directory Server Enterprise Edition (DSEE) on Windows:-

Here are the complete steps :-

1. through command line
D:\Softwares\LDAP\DSEE.6.3.Windows-X86-full\DSEE_ZIP_Distribution>dsee_deploy.exe install -i C:\DSEE =============================================================================================================================================================
=============================================================================================================================================================
2. accept the license
Do you accept the license terms ? : yesCheck availability of port 11162Checking running Directory Server instancesChecking running Directory Proxy Server instancesUnzipping sun-ldap-base.zip ...Unzipping sun-ldap-perl.zip ...Unzipping sun-ldap-dsrk6.zip ...Unzipping sun-ldapcsdk-tools.zip ...Unzipping sun-ldapcsdk-dev.zip ...Unzipping sun-ldap-ljdk.zip ...Unzipping sun-ldap-jre.zip ...Unzipping sun-ldap-shared.zip ...Unzipping sun-ldap-shared-l10n.zip ...Unzipping sun-ldap-directory.zip ...Unzipping sun-ldap-directory-l10n.zip ...Unzipping sun-ldap-directory-config.zip ...Unzipping sun-ldap-directory-dev.zip ...Unzipping sun-ldap-mfwk.zip ...Unzipping sun-ldap-cacao.zip ...Unzipping sun-ldap-console-agent.zip ...Unzipping sun-ldap-console-cli.zip ...Unzipping sun-ldap-console-common.zip ...Unzipping sun-ldap-console-var.zip ...Unzipping sun-ldap-jdmk.zip ...Unzipping sun-ldap-directory-client.zip ...Unzipping sun-ldap-directory-client-l10n.zip ...Unzipping sun-ldap-proxy.zip ...Unzipping sun-ldap-proxy-l10n.zip ...Unzipping sun-ldap-proxy-client.zip ...Unzipping sun-ldap-proxy-client-l10n.zip ...Unzipping sun-ldap-console-gui.zip ...Unzipping sun-ldap-console-gui-help.zip ...Unzipping sun-ldap-console-gui-l10n.zip ...Unzipping sun-ldap-console-gui-help-l10n.zip ...Creating WAR file for Console
Configuring Cacao at D:/DSEE/dsee6/cacao_2Setting Cacao parameter jdmk-home with default value [D:\DSEE\dsee6\private]Setting Cacao parameter java-home with default value [D:\DSEE\jre]Setting Cacao parameter nss-lib-home with default value [D:\DSEE\dsee6\private\lib]Setting Cacao parameter nss-tools-home with default value [D:\DSEE\dsee6\bin]Registering DSCC agent into cacaoStarting Cacao if necessaryRegistering JESMF agent into CacaoInitializing JESMF...Registering DS in JESMF...Checking Cacao status...Deploying JESMF in Cacao...Deploying DS in JESMF...DS has been successfully registered in JESMF.Making a copy of dsee_deploy.exeMaking a copy of listrunnings.exeYou can now start your Directory Server InstancesYou can now start your Directory Proxy Server Instances
=============================================================================================================================================================
=============================================================================================================================================================
3. Create a Instance.

D:\DSEE\ds6\bin>dsadm create -p 1389 -P 636 D:\DSEE\instance

Warning: 636 is a privileged port ; make sure that user 'Raghuvir Kamath' has right to use it before running start subcommand

Choose the Directory Manager password:adminadmin

Confirm the Directory Manager password:adminadmin

Use 'dsadm start 'C:\DSEE\instance'' tado start the instance
=============================================================================================================================================================
=============================================================================================================================================================
4. Start the instance.

D:\DSEE\ds6\bin>dsadm start D:\DSEE\instance

Waiting for Directory Server instance 'D:/DSEE/instance' to start...Directory Server instance 'D:/DSEE/instance' started: pid=2816
=============================================================================================================================================================
=============================================================================================================================================================

5. Create a suffix

D:\DSEE\ds6\bin>dsconf create-suffix -e -h localhost -p 1389 dc=example,dc=comEnter "cn=Directory Manager" password:adminadmin =============================================================================================================================================================
=============================================================================================================================================================

6. Import the Example.ldif to the directory.

D:\DSEE\ds6\bin>dsconf import -e -h localhost -p 1389 D:\DSEE\ds6\ldif\Example.ldif dc=example,dc=comEnter "cn=Directory Manager" password:New data will override existing data of the suffix "dc=example,dc=com".Initialization will have to be performed on replicated suffixes.Do you want to continue [y/n] ? y## Index buffering enabled with bucket size 40## Beginning import job...## Processing file "D:\DSEE\ds6\ldif\Example.ldif"## Finished scanning file "D:\DSEE\ds6\ldif\Example.ldif" (160 entries)## Workers finished; cleaning up...## Workers cleaned up.## Cleaning up producer thread...## Indexing complete.## Starting numsubordinates attribute generation. This may take a while, please wait for further activity reports.## Numsubordinates attribute generation complete. Flushing caches...## Closing files...## Import complete. Processed 160 entries in 5 seconds. (32.00 entries/sec)
Task completed (slapd exit code: 0).
=============================================================================================================================================================
=============================================================================================================================================================

D:\DSEE\dsrk6\bin>dir

Volume in drive D has no label.

Volume Serial Number is 6C13-6887
Directory of D:\DSEE\dsrk6\bin
08/07/2008 03:41 PM

.08/07/2008 03:41 PM ..03/11/2008 03:53 PM 54,431 authrate.exe03/11/2008 03:53 PM 2,263 cities03/11/2008 03:53 PM 54,449 dsmlmodify.exe03/11/2008 03:53 PM 54,449 dsmlsearch.exe03/11/2008 03:53 PM 3,636 example.template08/07/2008 03:32 PM example_files03/11/2008 03:53 PM 60,238 first.names03/11/2008 03:53 PM 106,146 last.names03/11/2008 03:30 PM 54,431 ldapcmp.exe03/11/2008 03:30 PM 54,431 ldapcompare.exe03/11/2008 03:30 PM 54,431 ldapdelete.exe03/11/2008 03:30 PM 54,431 ldapmodify.exe03/11/2008 03:30 PM 54,431 ldappasswd.exe03/11/2008 03:30 PM 54,431 ldapsearch.exe03/11/2008 03:53 PM 54,449 ldapsubtdel.exe03/11/2008 03:53 PM 54,431 ldifxform.exe03/11/2008 03:53 PM 107,868 logconv03/11/2008 03:53 PM 54,449 makeldif.exe03/11/2008 03:53 PM 54,431 modrate.exe03/11/2008 03:53 PM 54,431 searchrate.exe03/11/2008 03:53 PM 3,259 solaris.template03/11/2008 03:53 PM 153 states03/11/2008 03:53 PM 525 streets08/07/2008 03:41 PM 37,854 test.ldif08/07/2008 03:31 PM 554 test.template 24 File(s) 1,084,602 bytes 3 Dir(s) 36,942,323,712 bytes free D:\DSEE\dsrk6\bin>makeldif -t test.template -o test.ldif

Processing complete.101 total entries written. =============================================================================================================================================================
=============================================================================================================================================================

D:\DSEE\dscc6\bin>dsccsetup ads-create

Choose password for Directory Service Manager:adminadmin

Confirm password for Directory Service Manager:adminadmin

Creating DSCC registry...

DSCC Registry has been created successfully

=============================================================================================================================================================
=============================================================================================================================================================
To Deploy WAR File with Tomcat

just copy the war file from D:\DSEE\var\dscc6 to C:\apache-tomcat-6.0.13\webapps.

Add the emphasized text in the ${CATALINA_BASE}/conf/web.xml file as shown below:

... jsp org.apache.jasper.servlet.JspServlet fork false xpoweredBy false ... enablePooling false 3

Add the following entries in System variables

CATALINA_HOME C:\apache-tomcat-6.0.13

CATALINA_BASE C:\apache-tomcat-6.0.13
Start the tomcat app server from C:\apache-tomcat-6.0.13\bin\startserver.bat
in the console u will see

INFO: Deploying web application archive dscc.warAug 13, 2008 12:30:03 PM org.apache.coyote.http11.Http11Protocol startINFO: Starting Coyote HTTP/1.1 on http-8080Aug 13, 2008 12:30:03 PM org.apache.jk.common.ChannelSocket initINFO: JK: ajp13 listening on /0.0.0.0:8009Aug 13, 2008 12:30:03 PM org.apache.jk.server.JkMain startINFO: Jk running ID=0 time=0/47 config=nullAug 13, 2008 12:30:03 PM org.apache.catalina.startup.Catalina startINFO: Server startup in 9208 ms

==========================================================================================

LDAP BC

LDAP Binding Component provides the services to add, search, update, and delete on LDAP directory. The Binding Component conforms to the JBI specification and enables LDAP server integration in a JBI environment. The LDAP component consists of two modules: run-time JBI module and design-time NetBeans plugin.

LDAP BC is Light weight directory Access protocol (RFC 3377) V3 Compliant.

The LDAP Binding Component helps the JBI components to communicate with the LDAP server. The LDAP Binding Component provides a bunch of features for interacting with the LDAP server. LDAP Binding Component uses the JBI (Java Business Integration JSR 208) specification developed under the JCP (Java Community Process) for implementing Service Oriented Architecture (SOA) based Enterprise Service Bus (ESB). open-esb is the Sun's implementation of the JSR 208.

LDAP BC Features

1)Anonymous Connection :- This feature of LDAP BC helps the user to connect to the LDAP Server without any LDAP Credentials. This is mainly used for search functionality. Where the user has just view only rights.

The user has to just enter the root dn and ldap URL and it will fetch the schemas from the LDAP server.

Create a basic Search LDAP WSDL using the above Wizard.

Select a valid search Filter and result set and click Finish.

The WSDLs and XSD will be created and notice the source for the LDAP search WSDL the credentials will be blank.

 2) Add Entry Node

This feature of LDAP BC enables the user to add a LDAP Entry to the LDAP Directory.

For this user should know the LDAP Principal and credential too ( in addition to base dn and LDAP URL )

i.e.               location = "ldap://ldapserver:389"
                    principal = "Administrator@sun.com"
                    credential = "Password"

Steps to create a project to add an LDAP Entry

1. To add an entry Create a LDAP WSDL with add opeartion - This involves selecting the location where you need to add the entry,specifying the Main Attribute ( RDN)



2. Create a Trigger WSDL ( in my case I am using a SOAP Trigger WSDL)
3. Create a BPEL process which will receive the input from the trigger ,invoke the ldap add operation , and assings the output to the Trigger.

SSL:-Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection. Uses Encryption , Decryption .

SSL uses public key cryptography, which is based on key pairs. Public key , private key.

Digital signature :-The server computes a value and encrypts the value using its private key. The encrypted value is called a digital signature.

keytool:- Keytool is used to generate certificates. The keytool stores the keys and certificates in a file termed a keystore, a repository of certificates used for identifying a client or a server. Typically, a keystore contains one client or one server's identity.

For J2EE ,the server certificate is in keystore.jks. The cacerts.jks file contains all the trusted certificates, including client certificates

Authentication:- To verify that the site(server) is who and what it claims to be. To verify that the client is who and what it claims to be .

Confidentiality:-
Data cannot be deciphered by the third party and the data remains confidential between client and server.

Integrity:-
Data will not be modified in transit by that third party.

KeyStore :-
A KeyStore consists of a database containing a private key and an associated
certificate, or an associated certificate chain. The certificate chain consists of the
client certificate and one or more certification authority (CA) certificates.

TrustStore:-
A TrustStore contains only the certificates trusted by the client. It is a repository of certificates.


Steps to create a keystore,trust store for server :-

1. Generate certificate .keystore.jks

C:\jdk1.5.0_13\bin>keytool -genkey -alias server -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

What is your first and last name? [Unknown]: raghuvir

What is the name of your organizational unit? [Unknown]: india

What is the name of your organization? [Unknown]: sun

What is the name of your City or Locality? [Unknown]: blr

What is the name of your State or Province? [Unknown]: karnataka

What is the two-letter country code for this unit? [Unknown]: ka

Is CN=raghuvir, OU=india, O=sun, L=blr, ST=karnataka, C=ka correct? [no]: yes


2. Export it into file server.cer

C:\jdk1.5.0_13\bin>keytool -export -alias server -storepass changeit -file server.cer -keystore keystore.jks

Certificate stored in file

3. Import server.cer into the trust store (cacerts.jks)

C:\jdk1.5.0_13\bin>keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit

Owner: CN=raghuvir, OU=india, O=sun, L=blr, ST=karnataka, C=kaIssuer: CN=raghuvir, OU=india, O=sun, L=blr, ST=karnataka, C=ka

Serial number: 4892be08Valid from: Fri Aug 01 13:10:56 IST 2008 until: Thu Oct 30 13:10:56 IST 2008Certificate fingerprints: MD5: A3:BD:00:49:35:3B:99:BB:82:15:B9:B0:68:5C:6B:86 SHA1: 09:07:4D:46:8A:22:2A:BE:7C:F4:0C:1E:C5:41:F9:84:B8:83:F3:13Trust this certificate? [no]: yesCertificate was added to keystore[Storing cacerts.jks]


Steps to creat a client keystore and trust store :-
1. Generate client certificate : keystore.jks

C:\jdk1.5.0_13\bin>keytool -genkey -alias client-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks -dname "CN=client_hostname, OU=John,O=Sun, L=Bangalore, S=Karnataka, C=IN"

2. Export client certificate to a file called client.cer

C:\jdk1.5.0_13\bin>keytool -export -alias client-alias -storepass changeit -file client.cer -keystore keystore.jks

Certificate stored in file

3.Create truststore from client.cer , cacerts.jks

C:\jdk1.5.0_13\bin>keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore cacerts.jks -keypass changeit -storepass changeit

Owner: CN=client_hostname, OU=John, O=Sun, L=Bangalore, ST=Karnataka, C=INIssuer: CN=client_hostname, OU=John, O=Sun, L=Bangalore, ST=Karnataka, C=INSerial number: 4892cc92Valid from: Fri Aug 01 14:12:58 IST 2008 until: Thu Oct 30 14:12:58 IST 2008Certificate fingerprints: MD5: 17:C0:51:E9:BB:42:A1:83:20:B3:AD:64:46:1D:F9:19 SHA1: 54:61:C1:14:B0:21:FD:34:6B:EB:EE:32:50:C8:7A:9D:7A:60:FF:96Trust this certificate? [no]: yes

Certificate was added to keystore[Storing cacerts.jks]

All About LDAP