The table below lists the sample (non-production!) self-signed keystores used to run the Fediz samples. Do not use the provided keystores in production: everyone who downloads Fediz has them, private keys and passwords included. At a minimum, regenerate new keys using the scripts below, with different passwords. The result is still a set of self-signed keys; for real production use, certificates issued by a third-party CA are recommended. Note also that the scripts below are historical: they sign with SHA1withRSA and the Tomcat ones omit `-keyalg` (older keytool versions then default to DSA). SHA-1 certificate signatures are deprecated and increasingly rejected by browsers and JDKs, so when regenerating, pass `-keyalg RSA -sigalg SHA256withRSA`.
Tomcat keystores: the Tomcat keys can simply be placed in the root folder of each Tomcat installation. They are used to configure SSL for the Tomcat instances as described at http://cxf.apache.org/fediz-tomcat.html. For the Tomcat keys only, the keystore password and the private key password need to be the same.

| Keystore (Password) | Alias (Password) | Location | Creation Script Used | Needs to trust | Is trusted by |
|---|---|---|---|---|---|
| tomcat-idp.jks (tompass) | mytomidpkey (tompass) | base folder of the Tomcat instance holding the IDP and IDP STS | (1) `keytool -genkeypair -validity 730 -alias mytomidpkey -keystore tomcat-idp.jks -dname "cn=localhost" -keypass tompass -storepass tompass` (2) `keytool -keystore tomcat-idp.jks -storepass tompass -export -alias mytomidpkey -file MyTCIDP.cer` | Nobody | IDP app |
| tomcat-rp.jks (tompass) | mytomrpkey (tompass) | base folder of the Tomcat instance holding the relying party applications for both samples (simpleWebapp and wsclientWebapp). The STS public certificate is added to this keystore because it is the keystore configured in conf/fediz_config.xml. Alternatively, create a separate truststore containing only the STS public certificate (identical to webserviceKeystore.jks below) and reference that from fediz_config.xml instead. | `keytool -genkeypair -validity 730 -alias mytomrpkey -keystore tomcat-rp.jks -dname "cn=localhost" -keypass tompass -storepass tompass` (the import of the STS certificate is not listed here; it is the same `keytool -import` shown for webserviceKeystore.jks below, run against tomcat-rp.jks) | IDP STS (the Fediz Tomcat plugin makes the STS call) | Nobody |
| tomcat-wsp.jks (tompass) | mytomwspkey (tompass) | base folder of the Tomcat instance holding the web service provider in the second (wsClientWebapp) sample | (1) `keytool -genkeypair -validity 730 -alias mytomwspkey -keystore tomcat-wsp.jks -dname "cn=localhost" -keypass tompass -storepass tompass` (2) `keytool -keystore tomcat-wsp.jks -storepass tompass -export -alias mytomwspkey -file MyTCWSP.cer` | Nobody | wsclientWebapp's webapp module |

Service keystores: these Fediz services form the core of the product and can be used with both the sample webapps provided and, of course, your own web applications.

| Keystore (Password) | Alias (Password) | Location | Creation Script Used | Needs to trust | Is trusted by |
|---|---|---|---|---|---|
| idpstore.jks (ispass) | myidpkey (ikpass) | services/idp/src/main/resources/idpstore.jks | (1) `keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias myidpkey -keypass ikpass -storepass ispass -keystore idpstore.jks` (2) `keytool -import -trustcacerts -keystore idpstore.jks -storepass ispass -alias mytomidpkey -file MyTCIDP.cer -noprompt` (3) `keytool -export -rfc -keystore idpstore.jks -storepass ispass -alias myidpkey -file MyIDP.cer` | mytomidpkey (because of the SSL call to the IDP STS) | IDP STS |
| stsstore.jks (stsspass) | mystskey (stskpass) | services/sts/src/main/resources/stsstore.jks | `keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias mystskey -keypass stskpass -storepass stsspass -keystore stsstore.jks` (MySTS.cer, imported by webserviceKeystore.jks below, is the public certificate of mystskey, exported from this keystore the same way MyIDP.cer is exported above) | myidpkey (because of X.509 authentication between IDP and IDP STS) | wsclientWebapp's webservice |

Sample keystores: not for production use; they are only needed to run the wsclientWebapp sample shipped with Fediz (simpleWebapp has and uses no keys).

| Keystore (Password) | Alias (Password) | Location | Creation Script Used | Needs to trust | Is trusted by |
|---|---|---|---|---|---|
| webappKeystore.jks (waspass) | mywakey (wakpass) | examples/wsclientWebapp/webapp/src/main/resources/webappKeystore.jks | `keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias mywakey -keypass wakpass -storepass waspass -keystore webappKeystore.jks` | mytomidpkey (to access the IDP STS via HTTPS), mytomwspkey (to access the web service via HTTPS) | Nobody |
| webserviceKeystore.jks (wsspass) | N/A (no key, just a truststore) | examples/wsclientWebapp/webservice/service/src/main/resources/webserviceKeystore.jks | `keytool -import -trustcacerts -keystore webserviceKeystore.jks -storepass wsspass -alias mystskey -file MySTS.cer -noprompt` | IDP STS (signature verification) | Nobody |
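The following script is an added example, not part of the Fediz distribution or its sample scripts. It regenerates the keystores from the tables above with the same file names and aliases, but with fresh 2048-bit RSA keys, SHA-256 signatures, a SubjectAltName, and a refusal to accept any of the published sample passwords. It assumes a JDK `keytool` on PATH; the environment-variable names it reads (TOMCAT_PASS, IDP_STORE_PASS, IDP_KEY_PASS, STS_STORE_PASS, STS_KEY_PASS, WA_STORE_PASS, WA_KEY_PASS, WS_STORE_PASS) and the 12-character minimum are this script's own choices, not anything Fediz requires.

```shell
#!/bin/sh
# Added example (not the Fediz project's own script): regenerate the sample
# keystores with fresh keys and non-sample passwords. Assumes a JDK `keytool`
# on PATH. The result is still self-signed; production deployments should use
# CA-issued certificates instead.

# Passwords shipped with the Fediz samples; everyone has them, so refuse them.
SAMPLE_PASSWORDS="tompass ispass ikpass stsspass stskpass waspass wakpass wsspass"
# Minimum length is this script's own policy (keytool itself only insists on six).
MIN_PASSWORD_LEN=12

# check_password PASSWORD -> 0 if acceptable, 1 if it is a sample password or too short
check_password() {
    for s in $SAMPLE_PASSWORDS; do
        [ "$1" = "$s" ] && return 1
    done
    [ ${#1} -ge "$MIN_PASSWORD_LEN" ]
}

# gen_keypair KEYSTORE ALIAS STOREPASS KEYPASS CN DAYS
# Passwords reach keytool through the environment (-storepass:env / -keypass:env)
# instead of the command line, so they do not show up in process listings.
# -storetype JKS matches the .jks files the sample configs reference; note that a
# PKCS12 keystore would silently ignore a key password that differs from the
# store password, so the separate key passwords in the table only work with JKS.
gen_keypair() {
    check_password "$3" || { echo "refusing store password for $1" >&2; return 1; }
    check_password "$4" || { echo "refusing key password for alias $2" >&2; return 1; }
    STOREPASS=$3 KEYPASS=$4 keytool -genkeypair -storetype JKS -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity "$6" -alias "$2" -dname "cn=$5" \
        -ext "SAN=dns:$5" -keystore "$1" -storepass:env STOREPASS -keypass:env KEYPASS
}

# gen_tomcat_keypair KEYSTORE ALIAS PASSWORD CN DAYS
# Tomcat opens the private key with the keystore password, so both must be equal.
gen_tomcat_keypair() {
    gen_keypair "$1" "$2" "$3" "$3" "$4" "$5"
}

# export_cert KEYSTORE STOREPASS ALIAS CERTFILE  (PEM output, as with -rfc on the page)
export_cert() {
    STOREPASS=$2 keytool -export -rfc -storetype JKS -keystore "$1" \
        -storepass:env STOREPASS -alias "$3" -file "$4"
}

# import_cert KEYSTORE STOREPASS ALIAS CERTFILE
# Adds a trusted-certificate entry; creates the keystore if it does not exist yet,
# which is how the truststore-only webserviceKeystore.jks comes into being.
import_cert() {
    STOREPASS=$2 keytool -import -trustcacerts -noprompt -storetype JKS -keystore "$1" \
        -storepass:env STOREPASS -alias "$3" -file "$4"
}

# has_alias KEYSTORE STOREPASS ALIAS -> 0 if the entry exists (keytool -list fails otherwise)
has_alias() {
    STOREPASS=$2 keytool -list -storetype JKS -keystore "$1" \
        -storepass:env STOREPASS -alias "$3" >/dev/null 2>&1
}

# regenerate_samples OUTDIR HOSTNAME DAYS
# Rebuilds every keystore in the tables, in dependency order, from the password
# environment variables named in the lead-in. Besides the steps the table's
# scripts show, it performs the two the table only describes in prose: exporting
# the STS certificate (MySTS.cer) and importing it into tomcat-rp.jks.
# Runs in a subshell so the cd does not leak into the caller.
regenerate_samples() (
    mkdir -p "$1" && cd "$1" || exit 1
    host=$2; days=$3
    gen_tomcat_keypair tomcat-idp.jks mytomidpkey "$TOMCAT_PASS" "$host" "$days" &&
    export_cert tomcat-idp.jks "$TOMCAT_PASS" mytomidpkey MyTCIDP.cer &&
    gen_tomcat_keypair tomcat-rp.jks mytomrpkey "$TOMCAT_PASS" "$host" "$days" &&
    gen_tomcat_keypair tomcat-wsp.jks mytomwspkey "$TOMCAT_PASS" "$host" "$days" &&
    export_cert tomcat-wsp.jks "$TOMCAT_PASS" mytomwspkey MyTCWSP.cer &&
    gen_keypair idpstore.jks myidpkey "$IDP_STORE_PASS" "$IDP_KEY_PASS" "$host" "$days" &&
    import_cert idpstore.jks "$IDP_STORE_PASS" mytomidpkey MyTCIDP.cer &&
    export_cert idpstore.jks "$IDP_STORE_PASS" myidpkey MyIDP.cer &&
    gen_keypair stsstore.jks mystskey "$STS_STORE_PASS" "$STS_KEY_PASS" "$host" "$days" &&
    export_cert stsstore.jks "$STS_STORE_PASS" mystskey MySTS.cer &&
    import_cert tomcat-rp.jks "$TOMCAT_PASS" mystskey MySTS.cer &&
    gen_keypair webappKeystore.jks mywakey "$WA_STORE_PASS" "$WA_KEY_PASS" "$host" "$days" &&
    import_cert webserviceKeystore.jks "$WS_STORE_PASS" mystskey MySTS.cer
)
```

Usage: export the eight password variables, then run `regenerate_samples ./keys idp.example.org 730` and copy the resulting files to the locations in the tables, updating the passwords in the Tomcat connector configuration and in the Fediz/STS configuration files to match. The `-ext SAN=dns:...` extension matters because current TLS clients validate the host name against the SubjectAltName rather than the CN; `cn=localhost` alone, as in the original scripts, only satisfies older clients.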