Chapter 5. Security Settings

Configuring keystores, security policies and security configurations

Table of Contents

Keystore Management
Keystore operations
Key Entry operations
WS Policies
Security Configurations
Non-Policy security configuration
Outbound request security
Timestamp
Username Token
Signature
Encryption
SAML Assertion
Binary Security Token (X.509 token)
Inbound response security
Policy-based security configuration
Runtime policy parameters

Keystore Management

Add, Remove or manage keystores

The Security->Keystore Management tab is used to add, remove and update the keystores that the various security-based operations rely on, such as the WS-Security configuration of SOAP requests and SSL connection setup. A keystore is a file that stores a set of keys and certificates. It usually contains two types of entries: Key entries and Certificate entries.

A Key entry can in turn be either a Key Pair entry (an asymmetric private/public key pair, optionally with a chain of related certificates) or a Secret Key entry (a symmetric key).

The following keystore file formats are supported:

  • JKS / JCEKS keystore format (.jks files)

  • PKCS#12 keystore format (.p12 files)

PKCS#12 is the standard, vendor-neutral format and has been the JDK's default keystore type since Java 9; prefer it for new keystores and treat JKS as a legacy format kept for existing files.

To manage a keystore with Examine, first upload the keystore file using the Import button on the Keystore Management tab. This opens the Import Keystore dialog shown below. Since most keystores are password protected, enter the keystore password in the dialog; the import cannot complete without it.
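To make the entry types and the role of the keystore password concrete, here is a small reader and writer for the JKS container format. This is an added example, not Examine's own code: it uses only the Python standard library, follows the layout and integrity digest of the JDK's JKS implementation, treats the encrypted private key and the certificates as opaque byte strings, and builds its sample keystore from constructed placeholder bytes (no real key material) under aliases that mirror the 'client' and 'client2' entries shown in the keystore tree.

```python
# Minimal reader/writer for the Java JKS keystore container.  Added example, not
# Examine's code; keys and certificates are opaque bytes, the sample data is
# constructed and contains no real key material.  Standard library only.
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED    # keytool -storetype JKS
JCEKS_MAGIC = 0xCECECECE  # JCEKS: same layout for tags 1 and 2, plus secret keys (tag 3)
VERSION = 2               # version 2 records a type string with every certificate
PRIVATE_KEY = 1           # key pair entry: encrypted PKCS#8 key + certificate chain
TRUSTED_CERT = 2          # certificate entry: one X.509 certificate, no private key
DIGEST_SALT = b"Mighty Aphrodite"  # fixed, public string the JDK mixes into the digest

def _utf(s):
    """DataOutputStream.writeUTF: 2-byte length prefix, then UTF-8."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def integrity_digest(password, body):
    """SHA-1(password as UTF-16BE || salt || body); stored as the file's last 20 bytes."""
    return hashlib.sha1(password.encode("utf-16-be") + DIGEST_SALT + body).digest()

def write_jks(entries, password, timestamp_ms=0):
    """entries: (alias, PRIVATE_KEY, key, [cert, ...]) or (alias, TRUSTED_CERT, cert)."""
    out = bytearray(struct.pack(">III", JKS_MAGIC, VERSION, len(entries)))
    for alias, tag, *payload in entries:
        out += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", timestamp_ms)
        if tag == PRIVATE_KEY:
            key, chain = payload
            out += struct.pack(">I", len(key)) + key + struct.pack(">I", len(chain))
        elif tag == TRUSTED_CERT:
            chain = payload          # exactly one certificate
        else:
            raise ValueError("unsupported entry tag %d" % tag)
        for cert in chain:
            out += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return bytes(out) + integrity_digest(password, bytes(out))

def read_jks(data, password):
    """Check the integrity digest with the password, then list the entries."""
    if len(data) < 32:
        raise ValueError("too short to be a keystore")
    body, stored = data[:-20], data[-20:]
    # A plain digest, not a MAC: it catches a wrong password or corruption, but anyone
    # who can edit the file can recompute it.  Private keys are protected only by
    # their own per-entry encryption, which this reader leaves opaque.
    if not hmac.compare_digest(integrity_digest(password, body), stored):
        raise ValueError("keystore password incorrect or keystore tampered with")
    pos = 0

    def take(n):                     # bounds-checked read, so a short file fails cleanly
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated keystore")
        pos += n
        return body[pos - n:pos]

    def u32():
        return struct.unpack(">I", take(4))[0]

    def utf():
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8")

    magic, version, count = u32(), u32(), u32()
    if magic not in (JKS_MAGIC, JCEKS_MAGIC) or version not in (1, 2):
        raise ValueError("not a JKS/JCEKS keystore")
    entries = []
    for _ in range(count):
        tag, alias, _created = u32(), utf(), take(8)
        if tag == PRIVATE_KEY:
            entry = {"alias": alias, "kind": "key pair", "encrypted_key": take(u32())}
            n_certs = u32()
        elif tag == TRUSTED_CERT:
            entry, n_certs = {"alias": alias, "kind": "certificate"}, 1
        else:  # tag 3 in JCEKS is a Java-serialized SealedObject, out of scope here
            raise ValueError("entry %r: secret key entries are not parsed" % alias)
        entry["chain"] = []
        for _ in range(n_certs):
            if version == 2:
                utf()                # certificate type, always "X.509"
            entry["chain"].append(take(u32()))
        entries.append(entry)
    if pos != len(body):
        raise ValueError("trailing data after the last entry")
    return entries

# Constructed sample mirroring the aliases in the keystore tree: placeholder bytes
# stand in for an encrypted PKCS#8 key and for DER certificates.
SAMPLE_ENTRIES = [
    ("client", PRIVATE_KEY, b"\x30\x82client-key", [b"\x30\x82client-cert", b"\x30\x82issuer-ca"]),
    ("client2", PRIVATE_KEY, b"\x30\x82client2-key", [b"\x30\x82client2-cert"]),
    ("server-ca", TRUSTED_CERT, b"\x30\x82server-ca-cert"),
]
SAMPLE_STORE = write_jks(SAMPLE_ENTRIES, "changeit")

def list_entries(store, password):
    """(alias, kind, certificates in the entry), as the keystore tree presents them."""
    return [(e["alias"], e["kind"], len(e["chain"])) for e in read_jks(store, password)]

def password_is_valid(store, password):
    """True if the store's integrity digest verifies under this password."""
    try:
        read_jks(store, password)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for alias, kind, n in list_entries(SAMPLE_STORE, "changeit"):
        print("%-10s %-12s certificates=%d" % (alias, kind, n))
    print("wrong password accepted:", password_is_valid(SAMPLE_STORE, "wrong"))
```

The digest check is the same one that makes keytool report "Keystore was tampered with, or password was incorrect" when the store password is wrong, which is why the import dialog needs the password before it can list anything. Note what the password does and does not protect: the store-level digest only detects modification and wrong passwords, and the private key entries inside a JKS file are encrypted with the JDK's proprietary SHA-1 based key protector, which is another reason to prefer PKCS#12 for new keystores.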

Figure 5.1. Keystore Management - Import New Keystore

Once the keystore has been uploaded successfully, its contents are displayed in a tree format as shown below:

Figure 5.2. Keystore Management - List of configured keystores

The private key entries (such as 'client' and 'client2') are shown with the key icon, while the public key entries that correspond to certificates are shown with the certificate icon.

Keystore operations

Clicking on the keystore name displays the keystore details on the right side, as shown below:

Figure 5.3. Keystore Management - Keystore details

The following keystore operations are available from the details view:

Delete

Delete the currently selected keystore from the system.

Note

For the delete operation to succeed, you have to ensure that this keystore is not used or referenced by any project. For example, if a private key from the keystore is used as the signing alias in the WS-Security configuration of a SOAP scenario, attempting to delete the keystore results in an error like this: Keystore is used by other resources. Try removing any associations to this keystore before deleting it.

Rename

Rename the currently selected keystore. This is useful if, for example, you want to upload another keystore that has the same file name but a different set of key entries.

Change Password

This option can be used to change the keystore password. Note that you are not prompted for the old password, so anyone who can reach this tab can set a new password without knowing the current one.

Import Certificate

This option can be used to import a new X.509 certificate into the selected keystore, which is useful when you want to add a certificate to a keystore after it has been created. You must specify an alias for the new certificate entry that does not conflict with any existing alias in the keystore. Click the Browse button in the Upload X.509 Certificate dialog to upload a valid certificate into the keystore under the given alias.

Figure 5.4. Keystore Management - Upload an X.509 certificate

Download

This option can be used to download the keystore file back to your system at a later point if needed. The downloaded file contains the private key entries, so handle it with the same care as the original keystore file.

Key Entry operations

Private Key Entry operations

Clicking on the private key tree item displays the key entry details as shown below.

Figure 5.5. Keystore Management - Key Entry Details

The following operations are available for the selected private key:

Delete

Delete the current private key from this keystore.

Warning

Note that, unlike deleting a referenced keystore, there is currently no check done when deleting a key: no error is raised even if the key is used elsewhere in a project. Check for references to the key alias (such as a signing alias in a WS-Security configuration) yourself before deleting it.

Export Key Pair

This option can be used to export the selected private key together with its public key from the keystore, either in PKCS#12 file format or in PEM (base64-encoded) format, as shown in the Export Key Pair dialog.

Figure 5.6. Keystore Management - Export Key Pair

Export Certificate

This option can be used to export the private key entry's associated public key as an X.509 certificate, in either DER (binary) or PEM (base64-encoded) format.

Figure 5.7. Keystore Management - Export X.509 Certificate

Public Key (Certificate) Entry operations

The Certificate Entry Details view is displayed when a public-key entry is clicked in the keystore tree view.

Figure 5.8. Keystore Management - Certificate Entry Details

The following operations are available for Certificate entries:

Delete

Delete the currently selected public key entry from the keystore.

Export Certificate

This option is used to export the currently selected public key as an X.509 certificate in either DER (binary) or PEM (base64-encoded) format.
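The DER and PEM export formats used by the Export Key Pair and Export Certificate operations above, as an added Python example that is not Examine's own code: it converts DER to PEM, reads a PEM file that may hold several blocks (the shape of an exported key pair, the private key followed by its certificate chain), and checks that a DER export is one complete ASN.1 SEQUENCE rather than a truncated file. The sample DER bytes are constructed placeholders, not a real certificate or key.

```python
# DER and PEM handling for exported certificates and key pairs.  Added example,
# not Examine's code.  DER is the binary ASN.1 encoding; PEM is the same bytes,
# base64-encoded between BEGIN/END lines, and one PEM file may hold several
# blocks (an exported key pair: the private key, then its certificate chain).
import base64
import re

_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]*?)"
    r"-----END (?P=label)-----"
)

def der_to_pem(der, label):
    """Wrap one DER object as a PEM block with 64-column lines (RFC 7468)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def pem_to_der(pem):
    """Return every block of a PEM file as (label, der) pairs.  A block whose END
    label differs from its BEGIN label, or whose body is not valid base64, is an
    error rather than something to skip silently."""
    objects = []
    for m in _BLOCK.finditer(pem):
        body = "".join(m.group("body").split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError("bad base64 in %s block: %s" % (m.group("label"), exc))
        objects.append((m.group("label"), der))
    if pem.count("-----BEGIN ") != len(objects):
        raise ValueError("malformed PEM: a BEGIN line has no matching END line")
    if not objects:
        raise ValueError("no PEM blocks found (binary DER file?)")
    return objects

def check_der(data):
    """Verify that data is exactly one complete DER SEQUENCE, the outer shape of an
    X.509 certificate or a PKCS#8 key, and return its encoded length.  This catches
    truncated files, trailing bytes and PEM saved as DER without decoding the contents."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM text or wrong file?)")
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        header, length = 2, first
    else:                                  # long form: 0x80 | n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("invalid DER length encoding")
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length: BER, not DER")
    if header + length != len(data):
        raise ValueError("DER object truncated or followed by trailing bytes")
    return header + length

def export_key_pair_pem(key_der, chain):
    """PEM bundle in the order an exported key pair uses: the key, then its chain."""
    return der_to_pem(key_der, "PRIVATE KEY") + "".join(der_to_pem(c, "CERTIFICATE") for c in chain)

# Constructed placeholders (not real key material): a 260-byte SEQUENCE using a
# two-byte long-form length, and an 18-byte one using the short form.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_KEY_DER = b"\x30\x10" + b"\x04\x0e" + b"not-a-real-key"

if __name__ == "__main__":
    bundle = export_key_pair_pem(SAMPLE_KEY_DER, [SAMPLE_CERT_DER])
    for label, der in pem_to_der(bundle):
        print("%-12s %d DER bytes, complete=%s" % (label, len(der), check_der(der) == len(der)))
```

A PEM export can be pasted into text-based configuration, whereas a DER export must be handled as binary. check_der is a cheap sanity test to run on a DER file before importing it elsewhere: it catches a truncated download, trailing bytes, or a PEM file saved under a .der name, but it does not validate the certificate or key itself.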