Before adding WS-Security to your web services, you must make sure to have:
- Access to a certificate authority (CA), either your own (using OpenSSL, for example) or an external one like CACert
- Access to keytool (usually shipped with your Java SDK)
Securing a server
This is quite easy. You first need to create a keystore containing a key pair. During that process you will be asked for passwords protecting the keystore and the private key; let's choose 'groovyws' for both of them. This can be done for example with:
Then you need to generate the Certificate Signing Request like this:
You then get the server certificate from your CA using the newly generated request. Let's assume you get back a file named ServerCertificate.pem. You need to import that certificate into your keystore. Usually this won't be possible unless your keystore already contains your CA's certificate, so import the CA certificate first and the server certificate second:
You are now ready to start your server:
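The whole keystore build described above (key pair, CSR, CA certificate import, signed certificate import), as an added script that is not part of the GroovyWS documentation. It assumes the keystore is named server.jks with alias 'server', the password 'groovyws' from the text, and a throwaway OpenSSL CA standing in for your real CA; with a real CA you would send server.csr and receive ServerCertificate.pem instead of running fake_ca_sign.

```shell
#!/bin/sh
# Added example: build the server keystore for WS-Security step by step.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)
STOREPASS="groovyws"           # keystore and key password from the text

# 1. Keystore with a fresh RSA key pair; store and key share the password.
create_keystore() {
  keytool -genkeypair -keystore "$WORK/server.jks" -storepass "$STOREPASS" \
    -keypass "$STOREPASS" -alias server -keyalg RSA -keysize 2048 \
    -dname "CN=localhost, O=Example" -validity 365
}

# 2. Certificate Signing Request for the server key.
create_csr() {
  keytool -certreq -keystore "$WORK/server.jks" -storepass "$STOREPASS" \
    -alias server -file "$WORK/server.csr"
}

# Stand-in CA (constructed for this example): self-signed CA cert signs the CSR.
fake_ca_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/CACertificate.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/CACertificate.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/ServerCertificate.pem" 2>/dev/null
}

# 3. Import the CA certificate first (trusted entry), then the signed server
#    certificate onto the existing 'server' key entry; keytool rejects the
#    reply if it cannot chain it to a trusted CA already in the keystore.
import_certs() {
  keytool -importcert -noprompt -keystore "$WORK/server.jks" \
    -storepass "$STOREPASS" -alias ca -file "$WORK/CACertificate.pem"
  keytool -importcert -noprompt -keystore "$WORK/server.jks" \
    -storepass "$STOREPASS" -alias server -file "$WORK/ServerCertificate.pem"
}

# Check: the 'server' entry now carries a 2-certificate chain (server + CA).
verify_keystore() {
  keytool -list -v -keystore "$WORK/server.jks" -storepass "$STOREPASS" \
    -alias server | grep -q "Certificate chain length: 2"
}

build_server_keystore() {
  create_keystore && create_csr && fake_ca_sign && import_certs && verify_keystore
}
```

Run `build_server_keystore` to produce `$WORK/server.jks`; verify_keystore fails if the CA certificate was skipped, which is the usual cause of the import error mentioned above.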
In the above example, client authentication is not required. If you set the flag to true (or omit the line, since it is true by default), the client must trust the server, so you have to provide the client with a keystore containing the server certificate.
You may also set up more complex configurations where both the client and the server need to trust each other ...