This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

XKMS

XML Key Management Service Specification (XKMS) defines a standard way of generating key pairs, storing public key information, and retrieving public key information. The XKMS services can be exposed as web services which allow other applications to delegate some of the key information processing functions to such services. That allows the client applications of XKMS services to operate without regard to the public key infrastructure which the XKMS services might be using. XKMS consists of the following components:

  • Protocol Exchanges - Consists of sequences of request/response pairs. Focuses on synchronous, asynchronous, and two-phase request protocols.
  • Key Information Service (X-KISS) - This set of services allows the client application to retrieve information about a public key. X-KISS has the following operations:
    • Locate
    • Validate
  • Key Registration Service (X-KRSS) - This set of services allows the client application to register the public key of a client-generated key pair, retrieve the private key of a server-generated key pair, revoke a registered public key, and recover a private key issued by the server. It has the following operations:
    • Register
    • Reissue
    • Revoke
    • Recover

The goal of XKMS is to allow all of the complexity of traditional PKI implementations to be offloaded from the client to an external service.

The WSO2 XKMS implementation allows users to expose a Java key store via the following XKMS operations:

  • Registration of a Key Pair - Allows the client to register a public key with the XKMS service. The XKMS service uses the metadata specified in the Register request to create an X509Certificate for the given public key and stores it in the underlying Java key store as an X509Certificate. If a public key is not specified in the Register request, the server generates an RSA key pair and sends the private key back to the client in an encrypted block.
  • Reissuing of an X509Certificate - Allows the client to reissue an X509Certificate with new credentials specified in a Reissue request. For example, the client may request the server to reissue an X509Certificate with a new validity interval. However, the specified credentials are only advisory to the service.
  • Recovering a Key Pair - Allows the client to recover the key (and the private key for server-generated key pairs) if it is lost. The private key is presented inside an encrypted block.
  • Locating a Public Key/X509Certificate - Allows the client to use an XKMS service to locate a public key or X509Certificate. The XKMS service may reply with more than one public key or X509Certificate if the query has multiple matches. The client may use the alias of the key as the key name in the query.
  • Validating a Public Key or an X509Certificate - Allows the client to validate a public key or an X509Certificate using the XKMS service. The XKMS service notifies you whether the public key or the X509Certificate is trustworthy.
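As an added example (not WSO2's code), the Locate and Validate exchanges described above in Python using only the standard library: the request builder produces an X-KISS LocateRequest keyed by the key-store alias, and the two parsers read LocateResult and ValidateResult documents that are constructed inline to stand in for the service's replies. The XKMS 2.0 namespace, element names and result codes follow the W3C specification; the service URL, the alias `server-key`, the certificate bytes and the response documents are constructed placeholders.

```python
"""XKMS 2.0 Locate / Validate client-side helpers (added example, not WSO2 code).

Only the standard library is used. Responses are constructed inline so the
example runs offline; a real XKMS service would return equivalent documents.
"""
import base64
import uuid
import xml.etree.ElementTree as ET

XKMS_NS = "http://www.w3.org/2002/03/xkms#"          # XKMS 2.0 namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"         # XML Signature (ds:KeyInfo)
NS = {"xkms": XKMS_NS, "ds": DS_NS}
ET.register_namespace("xkms", XKMS_NS)
ET.register_namespace("ds", DS_NS)


def build_locate_request(key_name: str, service_url: str) -> str:
    """Serialise an X-KISS LocateRequest asking for the X.509 certificate
    registered under key_name (the key-store alias, as the page describes)."""
    req = ET.Element(f"{{{XKMS_NS}}}LocateRequest",
                     {"Id": "I" + uuid.uuid4().hex, "Service": service_url})
    ET.SubElement(req, f"{{{XKMS_NS}}}RespondWith").text = XKMS_NS + "X509Cert"
    qkb = ET.SubElement(req, f"{{{XKMS_NS}}}QueryKeyBinding")
    key_info = ET.SubElement(qkb, f"{{{DS_NS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS_NS}}}KeyName").text = key_name
    return ET.tostring(req, encoding="unicode")


def parse_locate_result(xml_text: str) -> dict:
    """Collect the DER certificates from a LocateResult. Locate returns
    UnverifiedKeyBinding elements, so nothing here is a trust decision."""
    root = ET.fromstring(xml_text)
    ok = root.get("ResultMajor") == XKMS_NS + "Success"
    certs = []
    path = "xkms:UnverifiedKeyBinding/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    for node in root.findall(path, NS):
        der = base64.b64decode(node.text.strip())
        if der[:1] != b"\x30":  # a DER certificate always starts with SEQUENCE
            raise ValueError("X509Certificate content is not DER")
        certs.append(der)
    return {"ok": ok, "certificates": certs}


def parse_validate_result(xml_text: str) -> dict:
    """Read the Status of a ValidateResult. Only StatusValue ...#Valid on a
    KeyBinding means the service vouches for the key."""
    root = ET.fromstring(xml_text)
    ok = root.get("ResultMajor") == XKMS_NS + "Success"
    status = root.find("xkms:KeyBinding/xkms:Status", NS)
    value = status.get("StatusValue") if status is not None else None
    reasons = [r.text.strip() for r in status] if status is not None else []
    return {"ok": ok, "valid": ok and value == XKMS_NS + "Valid", "reasons": reasons}


# Constructed placeholder: a minimal DER SEQUENCE, not a real certificate.
FAKE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SERVICE = "https://xkms.example/services/xkms"  # placeholder service URL

# Constructed LocateResult: one match, returned as an UnverifiedKeyBinding.
LOCATE_RESULT = f"""<xkms:LocateResult xmlns:xkms="{XKMS_NS}" xmlns:ds="{DS_NS}"
  Id="R1" Service="{SERVICE}" RequestId="I1" ResultMajor="{XKMS_NS}Success">
  <xkms:UnverifiedKeyBinding Id="K1">
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </xkms:UnverifiedKeyBinding>
</xkms:LocateResult>"""

# Constructed ValidateResult: the service asserts the binding is Valid.
VALIDATE_RESULT = f"""<xkms:ValidateResult xmlns:xkms="{XKMS_NS}" xmlns:ds="{DS_NS}"
  Id="R2" Service="{SERVICE}" RequestId="I2" ResultMajor="{XKMS_NS}Success">
  <xkms:KeyBinding Id="K2">
    <ds:KeyInfo><ds:KeyName>server-key</ds:KeyName></ds:KeyInfo>
    <xkms:Status StatusValue="{XKMS_NS}Valid">
      <xkms:ValidReason>{XKMS_NS}IssuerTrust</xkms:ValidReason>
      <xkms:ValidReason>{XKMS_NS}ValidityInterval</xkms:ValidReason>
    </xkms:Status>
  </xkms:KeyBinding>
</xkms:ValidateResult>"""

# Constructed ValidateResult for an untrusted binding.
INVALID_RESULT = f"""<xkms:ValidateResult xmlns:xkms="{XKMS_NS}" xmlns:ds="{DS_NS}"
  Id="R3" Service="{SERVICE}" RequestId="I3" ResultMajor="{XKMS_NS}Success">
  <xkms:KeyBinding Id="K3">
    <ds:KeyInfo><ds:KeyName>server-key</ds:KeyName></ds:KeyInfo>
    <xkms:Status StatusValue="{XKMS_NS}Invalid">
      <xkms:InvalidReason>{XKMS_NS}IssuerTrust</xkms:InvalidReason>
    </xkms:Status>
  </xkms:KeyBinding>
</xkms:ValidateResult>"""

if __name__ == "__main__":
    print(build_locate_request("server-key", SERVICE))
    print(parse_locate_result(LOCATE_RESULT))
    print(parse_validate_result(VALIDATE_RESULT))
    print(parse_validate_result(INVALID_RESULT))
```

The two parsers keep the distinction the operations list draws: a LocateResult carries UnverifiedKeyBinding elements and answers only "which certificate is registered under this name", while a ValidateResult carries a KeyBinding with a Status, and only `StatusValue` equal to `…#Valid` is the service's statement that the key is trustworthy. A client that treats a Locate match as proof of trust skips the step the Validate operation exists for.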

You can view and update XKMS configurations in the WSO2 Identity Server management console.