[Identity-dev] Security Using Rampart
We are deploying the web services solution created by Axis2 1.1.1 and security using Rampart 1.1.
The deployment comprises the Apache Web server, which receives the HTTP requests and then routes the requests to the JBoss Application server, where the Axis2 web application along with the services are deployed.
I want to have encryption and digital signature in place using Rampart. I have tested the application with the sample certificates in the development environment and it works fine. The questions pertain to the production deployment.
a) Do I need to have the certificates key store (signed server certificate, CA self signed certificate) maintained at the Apache web server? I guess this would be required in case I want to have transport layer security enabled, right?
b) Since Rampart would reside at the JBoss server, I would need the keystore at the JBoss server also, right? This will be required for handling the encrypted and digitally signed SOAP messages. This keystore would have the private keys of the server, the CA self signed certificate, and the signed certificate of the server by the CA.
c) I hope the Apache web server does not create issues with the encrypted SOAP request coming in when the transport layer security is also enabled. It must let it pass through to JBoss as is.
d) If Rampart is enabled for the web services and the Axis2 engine is enabled/configured for REST based services too, would the Axis2 engine expect encrypted and digitally signed messages when the consumer sends a POST request?
Thanks
Vibhor
_______________________________________________
Identity-dev mailing list
Identity-dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/identity-dev