I am using the sample project "ws_security_sign_enc" from CXF, which is a client/server project with a simple SOAP service. It only sends greetings (message is encrypted and signed).
For the encryption and signing, the CXF interal security mechanisms are used. Thus encryption and decryption properties are using Apache Merlin for keystore location, passwords and so on.
Now I want to connect a HSM. I have loaded the keystore in form of a KeyStore object via JCE from the HSM.
How can I achieve it, that this keystore object is used for encryption/decryption in my WebService? I guess, that I have to set the WS Security / WSS4j Crypto programmatically for that.
I dont wanna persist the keystore and put its path back into the encryption.properties. Are there other possibilites?
The HSM should support PKCS#11. Assuming you've already configured Sun PKCS#11 provider for your HSM (pkcs11.cfg with library path, slot index, etc.), you then have to modify the WSS4J crypto .properties files to make sure that:
org.apache.ws.security.crypto.provider=org.apache.wss4j.common.crypto.MerlinDeviceorg.apache.ws.security.crypto.merlin.keystore.type=PKCS11org.apache.ws.security.crypto.merlin.keystore.file property is removed.