
CXF SSL secured Web Service client with multiple certificates

I have a Java CXF client that connects to a SSL secured Web Service with mutual authentication. I have my keystore and my truststore properly configured on the client-side and it works fine.

I am concerned here by the fact that my keystore contains only one client certificate and on the CXF configuration it is not possible to say "ok for this SSL communication you'll use this certificate".
As I only have one certificate it's not difficult to choose the good one for CXF during SSL handshake. But this client will be deployed in an environment where it will be used with multiple possible clients, each having their own certificate, and each of them will be signed by the same certification authority. When the server asks for a client certificate that is signed by a specific authority, there will be no way to distinguish one certificate from another.
How can I tell CXF (or Java) to use the proper certificate in this context?

Do I need to build as many SSL contexts as client certificates? (i.e. having N keystores, each of them containing only one certificate). Or is there a way (in CXF conf or in Java) to say "use this certificate in this context"?

Thanks in advance for your help.

All the certificates must refer to the same client, otherwise the CAs are derelict in their duty. So they should all have for example the same subjectX500Principal. So why do you need a specific certificate? All of them identify the same client, so from an authentication point of view they are all equivalent.

It's starting to sound as though you want to use a particular certificate for authorization purposes, not just to establish identity via authentication. If so it is the wrong approach, a misuse of PKI. Authorization is an application-controlled step once you have an authenticated identity: get the identity of the peer certificate and look up your authorization database to see if that identity is allowed to access this part of the application. Don't try to use a cacerts file as an authorization database, that's not what it's for.

I don't know if this is an option for you but I've done dynamic alias selection using WSIT before (i.e. one keystore, many private key entries). See this article for more detail. (Let me know if that article isn't enough - I can post more detail if you need)
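As an added example (not code from the answer above, from CXF or from WSIT), here is the "one keystore, many private key entries" approach done in plain JSSE on top of CXF: a custom `X509KeyManager` that presents one chosen alias during client authentication and is installed on the proxy's `HTTPConduit`. The keystore, key password, alias and the `port` proxy object are assumed inputs supplied by the caller.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class FixedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate; // the JSSE default manager built from the multi-entry keystore
    private final String alias;            // the private-key entry this client instance must present
    public FixedAliasKeyManager(X509KeyManager delegate, String alias) {
        this.delegate = delegate;
        this.alias = alias;
    }
    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        // Present the fixed alias only if its certificate was issued by a CA the server asked for;
        // returning null makes JSSE send no certificate rather than a mismatched one.
        X509Certificate[] chain = delegate.getCertificateChain(alias);
        if (chain == null || chain.length == 0) return null;
        if (issuers == null || issuers.length == 0) return alias;
        for (Principal issuer : issuers) {
            if (chain[0].getIssuerX500Principal().equals(issuer)) return alias;
        }
        return null;
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] {alias}; }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return delegate.chooseServerAlias(keyType, issuers, s); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    /** Builds a key manager for one alias of a multi-entry keystore and installs it on a CXF JAX-WS proxy (assumed caller-supplied). */
    public static void useAlias(Object port, KeyStore keyStore, char[] keyPassword, String alias) throws Exception {
        if (!keyStore.isKeyEntry(alias)) throw new IllegalArgumentException("no private key entry: " + alias);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];
        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(new KeyManager[] {new FixedAliasKeyManager(base, alias)});
        // Trust managers for the server's CA are configured separately (tls.setTrustManagers) and omitted here.
        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

Newer CXF releases also expose `TLSClientParameters.setCertAlias` for the simple case; the custom manager is worth it when the application wants to refuse presenting a certificate whose issuer the server did not request, instead of failing later in the handshake.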
