
PKI Authentication

Question asked by gizmo1969 on Jun 16, 2015
Latest reply on Jun 18, 2015 by Gutis

Starting to look into using PKI authentication for web services. Looking at page 542 of the implementation guide.

Follow these steps:

1. Generate the stub classes with the AXIS tool WSDL2Java. For more information, see the Generating Stub Classes with AXIS Tool WSDL2Java section from the PKI_loginServiceManaged_JAVA_steps file. Find the file in the following location:

$NX_ROOT/samples/sdk/websvc/java/test1_pki

2. Start the CA SDM service.

3. Run pdm_pki -p DEFAULT.

DEFAULT.p12 is created in the current directory. This policy will have the password equal to the policy name (in this case DEFAULT).

Note: This command will also add the certificate's public key to the pub_key field (public_key attribute) in the sapolicy table/object.

4. Log into CA SDM

5. Select SOAP Web Services Policy, Policies on the Administration tab.

The SOAP Web Services Access Policy List page opens.

6. Click DEFAULT.

The SOAP Web Services Access Policy Detail page opens.

7. Complete the Proxy Contact field (in this example, ServiceDesk) and confirm that the DEFAULT policy record Has Key field displays "Yes."

8. Copy DEFAULT.p12 (from the directory where command pdm_pki is executed), the JSP file called pkilogin.jsp and the HTML file called pkilogin.htm (from the $NX_ROOT/samples/sdk/websvc/java/test1_pki directory) to the following directory:

$NX_ROOT/bopcfg/www/CATALINA_BASE/webapps/axis

9. Open the HTML form (from the axis directory). For example, http://localhost:8080/axis/pkilogin.htm

Complete the appropriate fields.

Note: The Directory field identifies the location of the Certificate file. Modify the path to the correct location.

10. Click Log me in!

The results page opens.

11. Click the BOPSID URL.

Important! Click this immediately! The BOPSID is a token with a limited life of about 30 seconds.

The format of a URL using a BOPSID is as follows:

http://<server name>:<port>/CAisd/pdmweb.exe?BOPSID=<BOPSID value>

Before I go too far wondering whether everything is working as expected: when I click the Log me in! button, I get returned...

 

<!-- pkilogin.jsp -->
<!--
Note: For a Java client program running on AIX to use the loginServiceManaged()
method, you may need to replace a pair of security policy files within your
JAVA_HOME. These files are available as a download from IBM at
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk,
known as the "Unrestricted JCE policy files." The download provides
local_policy.jar and US_export_policy.jar files to replace those in your
JAVA_HOME/lib/security directory.
-->

<%@ page import="com.ca.www.UnicenterServicePlus.ServiceDesk.ArrayOfString" %>
<%@ page import="com.ca.www.UnicenterServicePlus.ServiceDesk.USD_WebServiceLocator" %>
<%@ page import="com.ca.www.UnicenterServicePlus.ServiceDesk.USD_WebServiceSoap" %>

<%@ page import="java.io.FileInputStream" %>
<%@ page import="java.net.URL" %>
<%@ page import="java.security.KeyStore" %>
<%@ page import="java.security.PrivateKey" %>
<%@ page import="java.security.Signature" %>
<%@ page import="org.apache.axis.encoding.Base64" %>

<html>
<head>
    <title>Login...</title>
    <style type="text/css">
        TD{font-family: Verdana;}
        .font1{color:#336699;font:bold 14px;}
        .font2{color:#6A7A94;text-decoration:none;font:bold 11px;padding: 0px 6px 0px 6px;}
    </style>
</head>
<body>
    <table width=99% cellpadding=0 cellspacing=0>
        <tr><td colspan=2><hr></td></tr>
        <tr>
            <td width="10">&nbsp;</td>
            <td class="font1" valign="middle" align="left">Service Desk - Attempting to Login using PKI</td>
        </tr>
        <tr><td colspan=2><hr></td></tr>
        <tr><td colspan=2>&nbsp;</td></tr>
        <tr>
            <td width=10>&nbsp;</td>
            <td class="font2">
                <p>
<%
// Collect the variables sent from the HTML page
String server = request.getParameter("server");
String port = request.getParameter("port");
String dir = request.getParameter("dir");
String accessPolicy = request.getParameter("accessPolicy");
String userId = request.getParameter("userId");
String protocol = request.getParameter("protocol");

// Initialize some additional variables
String endPoint = protocol + "://" + server + ":" + port + "/axis/services/USD_R11_WebService";
int SID;
String userHandle;
String bopSid;

// Now let's get started
try
{
    // create a new web service instance
    USD_WebServiceLocator ws = new USD_WebServiceLocator();
    java.net.URL url = new java.net.URL(endPoint);
    USD_WebServiceSoap usd = ws.getUSD_WebServiceSoap(url);
    out.print("Created USD_WebServiceSoap object usd<p>");

    // Now proceed with PKI login
    // Getting the appropriate Keystore instance to load the .p12 file
    KeyStore ks = KeyStore.getInstance("PKCS12");

    // Creating a password to be used when extracting the private key, it's the
    // same as the name of the access policy
    char[] privateKeyPassword = accessPolicy.toCharArray();

    // Loading the certificate, the second parameter refers to an optional
    // password associated with the certificate. The stream is closed once the
    // keystore has been read.
    FileInputStream p12 = new FileInputStream(dir + "/" + accessPolicy + ".p12");
    try {
        ks.load(p12, privateKeyPassword);
    } finally {
        p12.close();
    }

    // Extracting the private key, the first parameter is the alias associated
    // with the key which is "servicedesk <accessPolicy>" (all lower case);
    // the second parameter is the password to extract the key (this defaults to
    // the Access Policy name as well ... when using the pdm_pki utility)
    PrivateKey key = (PrivateKey) ks.getKey("servicedesk " + accessPolicy.toLowerCase(), privateKeyPassword);

    // Creating an instance of the signature class to create a digital signature
    // with the private key...must use the SHA1withRSA algorithm
    Signature s = Signature.getInstance("SHA1withRSA");

    // Initializing the signature with the private key
    s.initSign(key);

    // Updating the signature with the access policy
    s.update(accessPolicy.getBytes());

    // Creating the digital signature
    byte sig[] = s.sign();

    // Converting the signature to BASE64 text format to pass into loginServiceManaged
    String encryption = Base64.encode(sig);

    // Logging into Service Desk using the access policy as the first parameter
    // and the BASE64 text we created earlier, returning a session id
    String sessionid = usd.loginServiceManaged(accessPolicy, encryption);
    SID = Integer.parseInt(sessionid);
    out.print("Login was successful, got Session ID of '" + SID + "'<p>");

    // Now look up the UserId's handle
    userHandle = usd.getHandleForUserid(SID, userId);
    out.print("Got user handle for " + userId + " of '" + userHandle + "'<p>");

    // Now get a BOPSID
    bopSid = usd.getBopsid(SID, userId);
    out.print("Got BOPSID for " + userId + " of '" + bopSid + "'<p>");
    // Note: userId and bopSid are written back into the page unescaped;
    // HTML-escape request-supplied values in anything beyond a sample page.
    out.print("<a href=\"" + protocol + "://" + server + ":" + port + "/CAisd/pdmweb.exe?BOPSID=" + bopSid
              + "\" target=\"_new\">Click here VERY SOON to login seamlessly using the BOPSID as user " + userId + "</a><p>");

    // Now logout
    usd.logout(SID);
    out.print("Logout was successful<p>");
}
catch (Exception e)
{
    out.print("Error Message: " + e.getMessage() + "<p> Additional Details: " + e.toString());
}
%>
            </td>
        </tr>
        <tr><td colspan=2>&nbsp;</td></tr>
        <tr><td colspan=2>&nbsp;</td></tr>
        <tr>
            <td align="center" colspan=2>
                <input onclick="window.location='pkilogin.htm';" type="button" value="Try Again" tabindex=1>
            </td>
        </tr>
    </table>
</body>
</html>

I'm not seeing the BOPSID URL to click on.
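The handshake that pkilogin.jsp performs is easy to lose sight of inside the page markup: the client signs the access policy name with the private key from DEFAULT.p12 (alias "servicedesk default", password equal to the policy name), Base64-encodes the SHA1withRSA signature, and passes it to loginServiceManaged(); the server then checks that signature against the public key that pdm_pki stored in the sapolicy pub_key field. The following is an added stand-alone Java example, not CA's sample code and not part of the original post. It assumes a freshly generated RSA key pair in place of DEFAULT.p12 so it runs offline, uses java.util.Base64 instead of the Axis Base64 class, and models the server-side check as a plain signature verification; the helper names loadPolicyKey, signPolicyName and verifyPolicySignature are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/**
 * Added example (not CA's sample code): the loginServiceManaged() handshake
 * from pkilogin.jsp split into the client-side signing step and the
 * server-side verification step the guide implies.
 */
public class PkiLoginDemo {

    /** Loads the private key from <dir>/<policy>.p12 the way pkilogin.jsp does:
     *  alias "servicedesk <policy>" in lower case, password = policy name. */
    static PrivateKey loadPolicyKey(String dir, String accessPolicy) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        char[] password = accessPolicy.toCharArray();
        try (InputStream in = new FileInputStream(dir + "/" + accessPolicy + ".p12")) {
            ks.load(in, password);
        }
        String alias = "servicedesk " + accessPolicy.toLowerCase();
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        if (key == null) {
            throw new IllegalStateException("no private key under alias '" + alias + "'");
        }
        return key;
    }

    /** Client side: SHA1withRSA signature over the policy name, Base64-encoded.
     *  (pkilogin.jsp uses the platform charset; UTF-8 is identical for ASCII names.) */
    static String signPolicyName(String accessPolicy, PrivateKey key) throws Exception {
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(key);
        s.update(accessPolicy.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    /** Server side (assumed; the guide does not show it): verify the Base64
     *  signature against the policy's stored public key. Malformed input or a
     *  bad signature yields false rather than an exception. */
    static boolean verifyPolicySignature(String accessPolicy, String encodedSig, PublicKey pub) {
        try {
            byte[] sig = Base64.getDecoder().decode(encodedSig);
            Signature v = Signature.getInstance("SHA1withRSA");
            v.initVerify(pub);
            v.update(accessPolicy.getBytes(StandardCharsets.UTF_8));
            return v.verify(sig);
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for DEFAULT.p12 so the demo runs offline;
        // with a real file you would call loadPolicyKey(dir, "DEFAULT") instead.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        String policy = "DEFAULT";
        String encoded = signPolicyName(policy, kp.getPrivate());
        System.out.println("signature for " + policy + ": " + encoded);

        // A genuine signature verifies against the stored public key ...
        System.out.println("verify DEFAULT  : " + verifyPolicySignature(policy, encoded, kp.getPublic()));
        // ... but the same blob presented for another policy name, or a
        // tampered blob, must be rejected by the server.
        System.out.println("verify OTHER    : " + verifyPolicySignature("OTHER", encoded, kp.getPublic()));
        char flipped = encoded.charAt(0) == 'A' ? 'B' : 'A';
        String tampered = flipped + encoded.substring(1);
        System.out.println("verify tampered : " + verifyPolicySignature(policy, tampered, kp.getPublic()));
    }
}
```

Run it with `javac PkiLoginDemo.java && java PkiLoginDemo`; the first verification prints true and the other two print false. The point for a deployment is the second line: the signed message is only the policy name, so possession of DEFAULT.p12 (whose password is the policy name itself) is the whole credential, which is why the guide treats the .p12 file and the resulting BOPSID as short-lived, closely held secrets.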
