The table below lists the sample (non-production use!) self-signed keystores used to run the Fediz samples. Don't use the provided keystores in production: everyone has them, and their passwords are listed here. At a minimum, regenerate new keys using the scripts below (with different passwords). These will still be self-signed keys, however; for real production use, keys with certificates signed by a third-party CA are recommended.
Keystore (Password) | Key Alias (Password) | Location | Creation Script Used | Needs to trust | Is trusted by |
---|---|---|---|---|---|
Servlet Container Keystores: The keys can simply be placed in the root folder of each Servlet Container installation. They are used to configure SSL for the Servlet Container instances as described here for Tomcat: http://cxf.apache.org/fediz-tomcat.html. For Tomcat keys only, the keystore password and the private key password need to be the same. | | | | | |
idp-ssl-server.jks (tompass) | mytomidpkey (tompass) | base folder of the Tomcat instance holding the IDP and IDP STS | `keytool -genkeypair -validity 730 -alias mytomidpkey -keystore idp-ssl-server.jks -dname "cn=localhost" -keypass tompass -storepass tompass` then `keytool -keystore idp-ssl-server.jks -storepass tompass -export -alias mytomidpkey -file MyTCIDP.cer` | Nobody | Fediz IDP module, wsclientWebapp's webapp module, Browser |
rp-ssl-server.jks (tompass) | mytomrpkey (tompass) | base folder of the Tomcat instance holding the relying party applications for both samples (simpleWebapp and wsclientWebapp); the STS public cert is NOT imported here anymore, use ststrust.jks instead | `keytool -genkeypair -validity 730 -alias mytomrpkey -keystore rp-ssl-server.jks -dname "cn=localhost" -keypass tompass -storepass tompass` | Nobody | Browser |
wsp-ssl-server.jks (tompass) | mytomwspkey (tompass) | base folder of the Tomcat instance holding the web service provider in the second (wsClientWebapp) sample | `keytool -genkeypair -validity 730 -alias mytomwspkey -keystore wsp-ssl-server.jks -dname "cn=localhost" -keypass tompass -storepass tompass` then `keytool -keystore wsp-ssl-server.jks -storepass tompass -export -alias mytomwspkey -file MyTCWSP.cer` | Nobody | wsclientWebapp's webapp module |
Service Keystores: These Fediz services form the core of the product and can be used both with the sample webapps provided and, of course, with your own web applications. | | | | | |
idp-ssl-trust.jks (ispass) | myidpkey (ikpass) | services/idp/src/main/resources/idp-ssl-trust.jks | `keytool -import -trustcacerts -keystore idp-ssl-trust.jks -storepass ispass -alias mytomidpkey -file MyTCIDP.cer -noprompt` | mytomidpkey (because of the SSL call to the IDP STS) | IDP STS |
stsrealm_a.jks (storepass) | realma (realma) | services/sts/src/realms/resources/stsrealm_a.jks | `keytool -genkeypair -keyalg RSA -validity 3600 -alias realma -keystore stsrealm_a.jks -dname "cn=REALMA" -keypass realma -storepass storepass` | Nobody | Relying Party (ststrust.jks) |
stsrealm_b.jks (storepass) | realmb (realmb) | services/sts/src/realms/resources/stsrealm_b.jks | `keytool -genkeypair -keyalg RSA -validity 3600 -alias realmb -keystore stsrealm_b.jks -dname "cn=REALMB" -keypass realmb -storepass storepass` | Nobody | Relying Party (ststrust.jks) |
ststrust.jks (storepass) | N/A (no key, just a truststore) | examples/samplekeys/ststrust.jks and services/sts/src/realms/resources/ststrust.jks | `keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias realma -file realma.cert -noprompt` | Nobody | Relying Party (Fediz configuration file) |
Sample Keystores: No production value; just used for running the "wsclientWebapp" sample provided with Fediz (simpleWebapp has/uses no keys). | | | | | |
webappKeystore.jks (waspass) | N/A (no key, just an SSL truststore) | examples/wsclientWebapp/webapp/src/main/resources/webappKeystore.jks | `keytool -import -trustcacerts -keystore webappKeystore.jks -storepass waspass -alias mytomidpkey -file MyTCIDP.cer -noprompt` | mytomidpkey (to access the IDP STS via HTTPS), mytomwspkey (to access the web service via HTTPS) | Nobody |
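As an added example (not code from the Fediz project), the following POSIX shell script rebuilds the whole keystore set from the table with caller-chosen passwords, as the introduction recommends, and offers a check that each truststore actually holds the aliases listed in the "Needs to trust" column. It assumes a JDK `keytool` on the PATH; `-keyalg RSA` and `-storetype JKS` are added so the keys are RSA and the STS realm stores can keep a key password distinct from the store password, which the JDK's default PKCS12 store type does not allow.

```shell
#!/bin/sh
# Added example (not from the Fediz project): rebuild the sample keystore set
# from the table with caller-supplied passwords, then verify the trust
# relationships the table lists. Assumes the JDK keytool is on the PATH.
set -eu

# gen STORE ALIAS CN STOREPASS KEYPASS: self-signed RSA key pair, valid 2 years.
# -storetype JKS keeps the file type the samples expect and allows a key
# password that differs from the store password (PKCS12 would not).
gen() {
  keytool -genkeypair -keyalg RSA -validity 730 -storetype JKS -keystore "$1" \
    -alias "$2" -dname "cn=$3" -storepass "$4" -keypass "$5" 2>/dev/null
}
# export_cert STORE ALIAS STOREPASS CERTFILE: public certificate for import elsewhere.
export_cert() {
  keytool -exportcert -keystore "$1" -alias "$2" -storepass "$3" -file "$4" 2>/dev/null
}
# trust STORE ALIAS STOREPASS CERTFILE: add a certificate to a truststore.
trust() {
  keytool -importcert -noprompt -storetype JKS -keystore "$1" -alias "$2" \
    -storepass "$3" -file "$4" 2>/dev/null
}

# regen_fediz_keys DIR TOMCATPASS STSSTOREPASS REALMKEYPASS
# Tomcat requires identical store and key passwords, so TOMCATPASS is used for
# both; the STS realm keys get their own password, as in the table.
regen_fediz_keys() (
  mkdir -p "$1" && cd "$1"
  gen idp-ssl-server.jks mytomidpkey localhost "$2" "$2"
  gen rp-ssl-server.jks  mytomrpkey  localhost "$2" "$2"
  gen wsp-ssl-server.jks mytomwspkey localhost "$2" "$2"
  export_cert idp-ssl-server.jks mytomidpkey "$2" MyTCIDP.cer
  export_cert wsp-ssl-server.jks mytomwspkey "$2" MyTCWSP.cer
  gen stsrealm_a.jks realma REALMA "$3" "$4"
  gen stsrealm_b.jks realmb REALMB "$3" "$4"
  export_cert stsrealm_a.jks realma "$3" realma.cert
  trust ststrust.jks       realma      "$3" realma.cert  # relying parties
  trust idp-ssl-trust.jks  mytomidpkey "$3" MyTCIDP.cer  # IDP -> IDP STS over SSL
  trust webappKeystore.jks mytomidpkey "$3" MyTCIDP.cer  # webapp -> IDP STS
  trust webappKeystore.jks mytomwspkey "$3" MyTCWSP.cer  # webapp -> web service
)

# has_alias DIR STORE STOREPASS ALIAS: exit 0 iff the alias is in the store.
has_alias() {
  keytool -list -keystore "$1/$2" -storepass "$3" -alias "$4" >/dev/null 2>&1
}
```

Run `regen_fediz_keys ./newkeys <tomcat-pw> <sts-store-pw> <realm-key-pw>` and then use `has_alias` to confirm, for example, that webappKeystore.jks contains both mytomidpkey and mytomwspkey before deploying the sample.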