OPA for HTTP Authorization

Open Policy Agent[1] is a promising, lightweight and very generic policy engine for governing authorization in any type of domain. I found this comparison[2] very attractive when evaluating OPA for a project I am currently working on; it demonstrates how OPA can provide the same functionality defined in RBAC, RBAC with Separation of Duty, ABAC and XACML.
Here are the steps of a brief demonstration of OPA used for HTTP API authorization, based on the sample [3] and taking it another level up.

Running OPA Server

First we need to download OPA from [4], based on the operating system we are running on. For Linux:
curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.10.3/opa_linux_amd64
Make it executable:
chmod 755 ./opa
Once done, we can start the OPA policy engine as a server:
./opa run --server

Define Data and Rules

Next we need to load data and authorization rules into the server, so it can make decisions. OPA defines these in files in the .rego format. Below is a sample …

Generating Key Pairs and Importing Public Key Certificates to a Trusted Keystore

In this post I am sharing the simplest scenario for using the Java keytool to meet the requirements of the Apache Wookie project's digital signature implementation. Even if you are only looking for how to generate a key pair or import a certificate into a keystore using keytool, this may still be helpful. Refer to this segment of the Java SE documentation for in-depth details.

All you need is a Java installation on your computer to use keytool :).

Generating Key Pairs

Use the following command at the command prompt to generate a key pair with a self-signed certificate:
keytool -genkey -alias wookie -keyalg RSA -keystore wookieKeystore.jks -keysize 4096
Here
          -alias gives the alias under which the key pair is stored
          -keyalg gives the algorithm to be used in key generation
          -keystore gives the name of the keystore file, of type .jks (you can give a path here to store the keystore in a desired place)
          -keysize gives the length of the generated key in bits
This will look something like the following:

That's all, and you now have a key pair. :)
In the Wookie context, you can now sign widgets using this keystore. But in order to get your widgets verified and deployed in the Wookie server, you need to get your public key trusted by the server, either directly or via a third party.

Generating .cer File

To insert a public key certificate into a trusted keystore, it first needs to be exported as a .cer file. (There are several other options too.)
keytool -v -export -file keystore1.cer -keystore wookieKeystore.jks -alias wookie

Importing Public Key Certificates to a Trusted Keystore

To import a trusted certificate into a trusted keystore, the following command can be used.
keytool -import -alias keystore1 -file keystore1.cer -keystore wookieKeystore.jks
This command simply says: import the public key certificate contained in the file keystore1.cer into the keystore 'wookieKeystore.jks', storing it as a trusted certificate under the alias 'keystore1'.

Now any signature generated with the private key of the key pair whose certificate was imported under the alias keystore1 can be properly validated using wookieKeystore.jks.
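To show what that last sentence means in code, here is an added Java example (not part of the original post or of the Wookie project) that signs some constructed widget bytes with the private key stored under the -genkey alias and verifies the signature with the certificate stored under the -import alias, using the standard java.security.KeyStore and Signature APIs. The keystore file name and the two aliases are taken from the keytool commands above; the two passwords are placeholders you must replace with the ones you typed when running keytool.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;

/**
 * Signs data with the private key under one alias and verifies it against the
 * trusted certificate under another alias, following the keystore layout that
 * the keytool commands in the post produce.
 */
public class KeystoreSignVerify {

    // Assumed values: file name and aliases match the post's keytool commands;
    // the passwords are placeholders (keytool asked you for them).
    static final String KEYSTORE_PATH = "wookieKeystore.jks";
    static final char[] KEYSTORE_PASS = "<keystore password>".toCharArray();
    static final String PRIVATE_KEY_ALIAS = "wookie";     // -alias given to -genkey
    static final char[] PRIVATE_KEY_PASS = "<key password>".toCharArray();
    static final String CERTIFICATE_ALIAS = "keystore1";  // -alias given to -import

    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        // The post's files are .jks, so the type is given explicitly; on Java 9+
        // the default type is PKCS12 and would not read this file.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // also verifies the keystore's integrity digest
        }
        return ks;
    }

    static byte[] sign(KeyStore ks, String alias, char[] keyPass, byte[] data) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
        if (key == null) {
            throw new IllegalStateException("no private key under alias " + alias);
        }
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(data);
        return signer.sign();
    }

    static boolean verify(KeyStore ks, String alias, byte[] data, byte[] signature) throws Exception {
        // Only accept a key that was explicitly imported as a trusted certificate
        // entry (what keytool -import creates); refuse anything else under that alias.
        if (!ks.isCertificateEntry(alias)) {
            throw new IllegalStateException(alias + " is not a trusted certificate entry");
        }
        Certificate cert = ks.getCertificate(alias);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        return verifier.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeyStore(KEYSTORE_PATH, KEYSTORE_PASS);

        // Constructed sample payload standing in for a widget's bytes.
        byte[] widget = "constructed sample widget content".getBytes(StandardCharsets.UTF_8);

        byte[] sig = sign(ks, PRIVATE_KEY_ALIAS, PRIVATE_KEY_PASS, widget);
        System.out.println("signature valid: " + verify(ks, CERTIFICATE_ALIAS, widget, sig));

        // A single flipped bit in the payload must make verification fail.
        byte[] tampered = widget.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered valid:  " + verify(ks, CERTIFICATE_ALIAS, tampered, sig));
    }
}
```

Compile with javac KeystoreSignVerify.java and run java KeystoreSignVerify from the directory holding wookieKeystore.jks. Two caveats worth knowing when you reuse this: the certificate keytool -genkey creates is only valid for 90 days unless you pass -validity, after which a verifier that also checks certificate validity will start rejecting signatures; and the trust decision lives entirely in which certificates you imported into the keystore, so guard the keystore file and its password as you would the private key.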



  2. Are you sure the generated key pair is self-signed?

    1. Yes, it is. You can confirm on the Oracle site: https://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

  3. keytool uses the -selfcert command to generate a self-signed certificate. I am also not sure if keytool can export the public key. openssl can.

    1. Yes, keytool can export the public cert as above. The only confusion was regarding exporting the private key as a .p12 file. This is also possible from Java 7 onwards.

  4. Hi Pushpalanka,

    Can you please share the download link/full sample code for the Signing SOAP Messages - Generation of Enveloped XML Signatures post? When I clicked the download link, it is no longer there on Ubuntuone.com.


    1. The new link is already there in the comments...

  5. Hello Pushpalanka,

    Do you also have the verification part of "Signing SOAP Messages" available? Verification always fails :(

  6. Hi Pushpalanka, thanks for the wonderful post. I need one bit of help: I created a jks file using the same method you suggested. Can you help me with what the values of keystorepass, privateKeyAlias, privateKeyPass and certificateAlias should be, as required in one of the programs in which you showed how to make a signed enveloped XML from XML?

    I understand that keystorepass and privatekeypass will be my password, but I am unable to work out the values for privateKeyAlias and certificateAlias.

