Authentication with password, private key, and certificate requires:
Creating the service identity on the server side;
Enforcing trust of the service identity on the client side;
Creating the client identity on the client side;
Enforcing trust of the client identity on the server side.
Let us say that on the server side, a service will authenticate with the identity "ServiceAlias" and password "ServicePassword". On the client side, the client will authenticate with the identity "ClientAlias" and password "ClientPassword". The following steps are needed to generate these identities:
To create the identity "ServiceAlias" on the server:
Assume that admin/changeit is the administrator username/password pair.
Make sure the server is running at SERVER_URL (for example, http://myhost.org:6060/, where myhost.org is the fully qualified host name of the server).
In a console, issue the command:
PStoreTool newServer -alias ServiceAlias -keyPassword ServicePassword -url SERVER_URL -username admin -password changeit
This may also be performed via the GUI (./PStoreTools --gui).
This creates a private key and certificate for the identity "ServiceAlias" with the password "ServicePassword" and stores it in the KeyStore.
Issue the command:
PStoreTool add -alias ServiceAlias -url SERVER_URL -username admin -password changeit
This stores the certificate of the service identity as trusted in the client-side KeyStore.
To create the client identity:
In a console, issue the command:
PStoreTool new -alias ClientAlias -keyPassword ClientPassword -username admin -password changeit
This creates a private key and certificate for the identity "ClientAlias" with the password "ClientPassword" and stores it in the KeyStore.
To export the certificate of the client alias as trusted on the server side:
In a console, issue the command:
PStoreTool addServer -alias ClientAlias -url SERVER_URL -username admin -password changeit
The client's certificate is now trusted on the server side: it is stored as trusted in the server's KeyStore.
Finally, we have to assign the client certificate to a WSO2 SOA Enablement Server user, that is, assign the certificate property to the user. To do so, issue these commands:
UserStoreTool export -alias ClientAlias -certFile clientAlias.cer
UserStoreTool -t http://myhost.org:6060/ -a SomeWaspUser -p X509Certificate -f clientAlias.cer --username admin --password changeit