XML Key Management Service Specification (XKMS) defines a standard way of generating key pairs, storing public key information and retrieving public key information. The XKMS services can be exposed as Web services which allow other applications to delegate some of the key information processing to such services. That allows the client applications of XKMS services to operate without worrying about the Public Key Infrastructure which the XKMS services might be using. XKMS consists of the following components:
- Protocol Exchanges - Consist of sequences of request/response pairs, covering synchronous, asynchronous and two-phase request protocols.
- Key Information Service (X-KISS) - This set of services allows the client application to retrieve information about a public key. It has the following operations:
  - Locate
  - Validate
- Key Registration Service (X-KRSS) - This set of services allows the client application to register the public key of a client-generated key pair, retrieve the private key of a server-generated key pair, revoke a registered public key and recover a private key issued by the server. It has the following operations:
  - Register
  - Reissue
  - Revoke
  - Recover
In both cases the goal of XKMS is to allow all the complexity of traditional PKI implementations to be offloaded from the client to an external service.
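The request/response pairing described above, shown as an added Python example (not code from WSO2 ESB or the XKMS specification itself): a client builds an XKMS 2.0 LocateRequest, a stand-in service answers it, and the client checks the reply before using it. The namespace URIs and element names (LocateRequest, RespondWith, QueryKeyBinding, LocateResult, UnverifiedKeyBinding, ResultMajor, RequestId) are those of XKMS 2.0; the service URL, the key names and the small directory the stand-in answers from are constructed placeholders.

```python
"""XKMS 2.0 Locate exchange: client request, service reply, client checks.

Added example, not WSO2 ESB code. Element names and namespaces follow the
XKMS 2.0 specification; service URL, key names and DIRECTORY are constructed.
"""
import uuid
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"        # XKMS 2.0 namespace
DS = "http://www.w3.org/2000/09/xmldsig#"       # XML Signature namespace
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)


def xk(name):
    return f"{{{XKMS}}}{name}"


def ds(name):
    return f"{{{DS}}}{name}"


# ---- client side -----------------------------------------------------------
def build_locate_request(service_url, key_name, respond_with=("X509Cert",)):
    """Return (request_id, xml_bytes). The Id is how the client pairs a reply,
    which may arrive asynchronously, with the request that caused it."""
    request_id = "I" + uuid.uuid4().hex
    req = ET.Element(xk("LocateRequest"), {"Id": request_id, "Service": service_url})
    for item in respond_with:                    # what the client wants back
        ET.SubElement(req, xk("RespondWith")).text = XKMS + item
    qkb = ET.SubElement(req, xk("QueryKeyBinding"))
    key_info = ET.SubElement(qkb, ds("KeyInfo"))
    ET.SubElement(key_info, ds("KeyName")).text = key_name   # e.g. a keystore alias
    return request_id, ET.tostring(req, encoding="utf-8")


def parse_locate_result(xml_bytes, expected_request_id):
    """Return the KeyName values the service located, after sanity checks.

    Everything in a LocateResult is an UnverifiedKeyBinding: the service has
    made no trust assertion, so the caller still has to Validate before use.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != xk("LocateResult"):
        raise ValueError("not a LocateResult")
    if root.get("RequestId") != expected_request_id:
        raise ValueError("RequestId does not match the request we sent")
    if root.get("ResultMajor") != XKMS + "Success":
        raise ValueError("locate failed: %s" % root.get("ResultMajor"))
    return [kn.text for ukb in root.findall(xk("UnverifiedKeyBinding"))
            for kn in ukb.iter(ds("KeyName"))]


# ---- service side (stand-in for the XKMS endpoint) ------------------------
# Constructed directory: alias -> subject. A real service consults a keystore.
DIRECTORY = {"alice": "CN=alice", "alice-old": "CN=alice", "bob": "CN=bob"}


def answer_locate_request(xml_bytes):
    """Parse a LocateRequest and build the LocateResult for it."""
    req = ET.fromstring(xml_bytes)
    if req.tag != xk("LocateRequest"):
        raise ValueError("not a LocateRequest")
    name_el = req.find(f"./{xk('QueryKeyBinding')}/{ds('KeyInfo')}/{ds('KeyName')}")
    wanted = name_el.text if name_el is not None else None
    matches = [a for a, subj in DIRECTORY.items() if wanted in (a, subj)]
    res = ET.Element(xk("LocateResult"), {
        "Id": "I" + uuid.uuid4().hex,
        "Service": req.get("Service", ""),
        "RequestId": req.get("Id", ""),          # echoes the client's Id
        "ResultMajor": XKMS + "Success",
    })
    if not matches:                              # success, but nothing found
        res.set("ResultMinor", XKMS + "NoMatch")
    for alias in matches:                        # one binding per match
        ukb = ET.SubElement(res, xk("UnverifiedKeyBinding"), {"Id": "I" + uuid.uuid4().hex})
        ki = ET.SubElement(ukb, ds("KeyInfo"))
        ET.SubElement(ki, ds("KeyName")).text = alias
    return ET.tostring(res, encoding="utf-8")


def locate(service_url, key_name):
    """One full round trip; returns the aliases located (possibly several)."""
    rid, request = build_locate_request(service_url, key_name)
    reply = answer_locate_request(request)
    return parse_locate_result(reply, rid)


if __name__ == "__main__":
    print(locate("https://example.invalid/services/xkms", "CN=alice"))  # ['alice', 'alice-old']
```

The RequestId check is the part that matters once the asynchronous or two-phase protocols are in play: a reply that cannot be tied back to a request the client actually sent is discarded rather than acted on.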
The WSO2 XKMS implementation allows users to expose a Java keystore via the following XKMS operations.
- Registration of a Key Pair - Allows the client to register a public key with the XKMS service. The XKMS service uses the metadata specified in the Register request to build an X509Certificate for the given public key and stores it in the underlying Java keystore as an X509Certificate. If no public key is specified in the Register request, the server generates an RSA key pair and sends the private key back to the client in an encrypted block.
- Reissuing an X509Certificate - Allows the client to reissue an X509Certificate with the new credentials specified in the Reissue request. For example, the client may request the server to reissue an X509Certificate with a new validity interval. However, the specified credentials are only advisory to the service.
- Recovering a Key Pair - Allows the client to recover the key (and, for server-generated key pairs, the private key) if it is lost. The private key is presented inside an encrypted block.
- Locating a Public Key / X509Certificate - Allows the client to use an XKMS service to locate a public key or X509Certificate. The XKMS service may reply with more than one public key or X509Certificate if the query has multiple matches. The client may use the alias of the key as the key name in the query.
- Validating a Public Key or an X509Certificate - Allows the client to validate a public key or an X509Certificate using the XKMS service. The XKMS service replies whether the public key or the X509Certificate is trustworthy.
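The difference between the Locate and Validate operations above, and the effect of Revoke on them, as an added Python model (not WSO2 code): an in-memory list of constructed CertEntry records stands in for the X509Certificate entries of the Java keystore, reduced to the fields the two operations consult. Locate answers purely by name and may return several entries; Validate is the only operation that asserts trust, and it reports which check failed. The StatusValue (Valid/Invalid) and ValidReason (IssuerTrust, ValidityInterval, RevocationStatus) URIs are the XKMS 2.0 ones; the keystore contents and the trusted issuer are constructed.

```python
"""Keystore-backed X-KISS semantics: Locate is unverified, Validate asserts trust.

Added example, not WSO2 code. CertEntry stands in for a keystore's
X509Certificate entry; the sample entries and trusted issuer are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

XKMS = "http://www.w3.org/2002/03/xkms#"
SAMPLE_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)   # constructed "now"


@dataclass
class CertEntry:
    alias: str           # keystore alias; clients may use it as the KeyName
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False


class XkmsKeystoreService:
    def __init__(self, entries, trusted_issuers):
        self.entries = list(entries)
        self.trusted_issuers = set(trusted_issuers)

    def locate(self, key_name):
        """Locate: every entry whose alias or subject matches, no trust check.

        Revoked or expired entries are returned too, and several entries can
        match one name; the result is informational only."""
        return [e for e in self.entries if key_name in (e.alias, e.subject)]

    def validate(self, key_name, at=None):
        """Validate: the service's trust verdict on each matching entry.

        Returns [(alias, StatusValue, {ValidReason: passed?}), ...]. An entry is
        Valid only if every reason passes; otherwise Invalid, with the failing
        reasons visible so the client can see why."""
        at = at or datetime.now(timezone.utc)
        verdicts = []
        for e in self.locate(key_name):
            reasons = {
                XKMS + "IssuerTrust": e.issuer in self.trusted_issuers,
                XKMS + "ValidityInterval": e.not_before <= at <= e.not_after,
                XKMS + "RevocationStatus": not e.revoked,
            }
            status = XKMS + ("Valid" if all(reasons.values()) else "Invalid")
            verdicts.append((e.alias, status, reasons))
        return verdicts

    def revoke(self, alias):
        """Revoke: mark the entry. Locate still returns it; Validate no longer passes it."""
        for e in self.entries:
            if e.alias == alias:
                e.revoked = True
                return True
        return False


def build_sample_service():
    """Constructed keystore: two certificates for alice (one expired) and one
    for bob issued by a CA the service does not trust."""
    utc = timezone.utc
    entries = [
        CertEntry("alice", "CN=alice", "CN=Corp CA",
                  datetime(2024, 1, 1, tzinfo=utc), datetime(2026, 1, 1, tzinfo=utc)),
        CertEntry("alice-old", "CN=alice", "CN=Corp CA",
                  datetime(2022, 1, 1, tzinfo=utc), datetime(2024, 1, 1, tzinfo=utc)),
        CertEntry("bob", "CN=bob", "CN=Unknown CA",
                  datetime(2024, 1, 1, tzinfo=utc), datetime(2026, 1, 1, tzinfo=utc)),
    ]
    return XkmsKeystoreService(entries, trusted_issuers={"CN=Corp CA"})


if __name__ == "__main__":
    svc = build_sample_service()
    print([e.alias for e in svc.locate("CN=alice")])        # both alice entries, unverified
    print(svc.validate("CN=alice", at=SAMPLE_TIME))         # alice Valid, alice-old Invalid
    svc.revoke("alice")
    print(svc.validate("alice", at=SAMPLE_TIME)[0][1])      # ...#Invalid after revocation
```

A client that stops at Locate and uses whatever comes back is trusting the keystore's contents rather than the service's verdict; the point of exposing Validate next to Locate is that the trust decision (issuer, validity interval, revocation) stays on the service side.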
You can view and update XKMS configurations in the WSO2 ESB management console.