
I am using the sample project "ws_security_sign_enc" from CXF, which is a client/server project with a simple SOAP service. It only sends greetings (the message is encrypted and signed).

For the encryption and signing, the CXF internal security mechanisms are used. Thus the encryption and decryption properties use Apache Merlin for the keystore location, passwords and so on.

Now I want to connect an HSM. I have loaded the keystore from the HSM in the form of a KeyStore object via JCE.

How can I achieve that this keystore object is used for encryption/decryption in my web service? I guess that I have to set the WS-Security / WSS4J Crypto programmatically for that.

I don't want to persist the keystore and put its path back into encryption.properties. Are there other possibilities?

1 Answer


The HSM should support PKCS#11. Assuming you've already configured Sun PKCS#11 provider for your HSM (pkcs11.cfg with library path, slot index, etc.), you then have to modify the WSS4J crypto .properties files to make sure that:

  • org.apache.ws.security.crypto.provider=org.apache.wss4j.common.crypto.MerlinDevice
  • org.apache.ws.security.crypto.merlin.keystore.type=PKCS11
  • org.apache.ws.security.crypto.merlin.keystore.file property is removed.
cdan
  • Thanks for that hint, but I don't really want to configure PKCS#11 for all of my applications on different server instances. I've built my own HSMConnectionProvider which extends Merlin, takes care of logging in to the HSM and sets the loaded keystore, which I got from the HSM, in the Merlin parent class. Are there any security concerns/optimizations, or is this procedure OK? – Benjamin Steiner Aug 17 '18 at 15:07
  • Not sure I understand. I do not mean to use the same [WSS4J configuration](https://ws.apache.org/wss4j/config.html) for all your applications. You can have a different WSS4J config for each one. If some of your applications do not use PKCS#11, use a different config for them: replace `MerlinDevice` with the `Merlin` class for the `crypto.provider`, and replace `PKCS11` with `PKCS12`, `JKS`, etc. for the `keystore.type`, AND set the `keystore.file` (and the SunPKCS11 provider will be simply ignored). – cdan Aug 17 '18 at 18:19
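The comment thread above mentions the programmatic route: a `Merlin` subclass that logs in to the HSM itself and hands the token-backed `KeyStore` to the parent class, so the `.properties` file keeps only the provider class, keystore type and alias and no `keystore.file`. The following is an added example of that approach; it is not code from the CXF sample, from the answer or from the commenter. It assumes a hypothetical SunPKCS11 config at `/etc/hsm/pkcs11.cfg`, the token PIN in a hypothetical environment variable `HSM_PIN`, Java 9 or later, and a WSS4J properties file that sets `org.apache.ws.security.crypto.provider=example.HsmMerlin` (the package name `example` is also an assumption).

```java
// HsmMerlin.java: added example, not code from the CXF sample or the answer above.
// Assumed (hypothetical names): SunPKCS11 config at /etc/hsm/pkcs11.cfg, PIN in the
// environment variable HSM_PIN, Java 9+, and a WSS4J properties file containing
//
//   org.apache.ws.security.crypto.provider=example.HsmMerlin
//   org.apache.ws.security.crypto.merlin.keystore.type=PKCS11
//   org.apache.ws.security.crypto.merlin.keystore.alias=myservicekey
//
// and no org.apache.ws.security.crypto.merlin.keystore.file entry.
package example;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Properties;

import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.crypto.PasswordEncryptor;
import org.apache.wss4j.common.ext.WSSecurityException;

public class HsmMerlin extends Merlin {

    private static final String PKCS11_CFG = "/etc/hsm/pkcs11.cfg"; // hypothetical path
    private static final String PIN_ENV = "HSM_PIN";               // hypothetical variable
    private static final String ALIAS_PROP = "org.apache.ws.security.crypto.merlin.keystore.alias";

    /**
     * CryptoFactory instantiates the class named in crypto.provider through this
     * three-argument constructor and passes it the parsed .properties file. With no
     * keystore.file present the parent loads no keystore of its own, so the alias and
     * other merlin.* settings still come from the file while the KeyStore comes from
     * the token.
     */
    public HsmMerlin(Properties props, ClassLoader loader, PasswordEncryptor enc)
            throws WSSecurityException, IOException {
        super(props, loader, enc);
        char[] pin = readPin();
        KeyStore ks = openTokenKeyStore(pin);
        String alias = props.getProperty(ALIAS_PROP);
        if (alias != null && !staysOnToken(lookupKey(ks, alias, pin))) {
            // Fail closed: the configured key is exportable, so it is not giving
            // the HSM guarantee this class exists to provide.
            throw new IllegalStateException("key '" + alias + "' is exportable, not an HSM-resident key");
        }
        Arrays.fill(pin, '\0'); // KeyStore.load has already used it for C_Login
        setKeyStore(ks);
        // Assumption: peer certificates are enrolled on the same token. If they live in
        // a JKS/PKCS12 file instead, load that file and pass it to setTrustStore.
        setTrustStore(ks);
    }

    /** The PIN is never read from the .properties file; it comes from the environment. */
    private static char[] readPin() {
        String pin = System.getenv(PIN_ENV);
        if (pin == null || pin.isEmpty()) {
            throw new IllegalStateException(PIN_ENV + " is not set; refusing to start without the token PIN");
        }
        return pin.toCharArray();
    }

    /** Registers a SunPKCS11 provider for this token and logs in once with the PIN. */
    private static KeyStore openTokenKeyStore(char[] pin) throws WSSecurityException {
        try {
            // Java 9+: configure the built-in provider from the config file.
            // (On Java 8 this would be new sun.security.pkcs11.SunPKCS11(PKCS11_CFG).)
            Provider p11 = Security.getProvider("SunPKCS11").configure(PKCS11_CFG);
            Security.addProvider(p11);
            KeyStore ks = KeyStore.getInstance("PKCS11", p11);
            ks.load(null, pin); // performs C_Login; private key handles become usable
            return ks;
        } catch (GeneralSecurityException | IOException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
    }

    private static Key lookupKey(KeyStore ks, String alias, char[] pin) throws WSSecurityException {
        try {
            return ks.getKey(alias, pin);
        } catch (GeneralSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
    }

    /**
     * Check worth running before going live: a sensitive, non-extractable key on a
     * PKCS#11 token has no exportable encoding, so getEncoded() returns null. A
     * non-null value means the provider can hand out the key material (a software
     * key, or a token key created as extractable), which defeats the point of the HSM.
     */
    public static boolean staysOnToken(Key key) {
        return key != null && key.getEncoded() == null;
    }
}
```

No change to the `WSS4JOutInterceptor`/`WSS4JInInterceptor` wiring in the sample is needed: `CryptoFactory` reads the provider class name from the `.properties` file already referenced by `encryptionPropFile`/`signaturePropFile` and calls the three-argument constructor. Two caveats: a PKCS#11 `KeyStore` ignores the per-key password that the sample's password callback returns (the login happened once with the PIN), and the null-encoding check is what distinguishes a key that really lives on the token from one that merely arrived through the PKCS#11 provider.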