Secure Messaging for Apache Axis2/C - Kaushalye Kapuruge
By Malinda Kaushalye
- 21 Feb, 2007
Apache Rampart/C has been implemented to support secure messaging for the Apache Axis2/C SOAP engine. In this interview, Kaushalye explains the finer points of Rampart/C and its relationship with Rampart/Java.
Kaushalye Kapuruge, a software engineer at WSO2 Inc, is a core contributor to Rampart/C, the security module of Apache Axis2/C. His experience includes J2EE, Web services, mobile technologies and 3D simulation/visualization techniques.
Oxygen Tank (OT): Let's start with the basics. What's the importance of an Apache Rampart implementation in C, for which you are a key contributor?
Kaushalye: Apache Rampart/C is the security module for the Apache Axis2/C SOAP engine, and we need Apache Rampart/C to secure the SOAP messages that are being exchanged. So Apache Rampart/C is an effort to implement the Web services security specifications in the C language. Right now Apache Rampart/C has the username token support for authentication purposes and encryption support to maintain the confidentiality of messages. It is also capable of sending timestamps.
OT: How does Rampart/C work?
Kaushalye: The prime purpose of writing Apache Rampart/C is to work as a module in the Apache Axis2/C SOAP engine. A module is a way to extend the capabilities of the core engine. Since modules use handlers as the plug-in unit, Apache Rampart/C hooks itself to the Apache Axis2/C engine with handlers. If a user wants to secure the messages exchanged, he can engage the Rampart module. Also, it is possible to alter the security configurations according to your preferences. To be precise, the security policies. These configurations, rather policies, have to be set to both the inflow and the outflow of the Apache Axis2/C engine. In other words, to incoming messages and to outgoing messages.
OT: There is also Apache Rampart/Java. What is the relationship between these two?
Kaushalye: Well... Rampart/Java is our big brother. Just like Apache Rampart/Java serves for Apache Axis2/Java, Apache Rampart/C serves for Apache Axis2/C. We are trying our best to keep both implementations similar, especially to keep the configurations similar. This is a bit challenging due to the differences in the platforms.
The C implementation is not just for C developers. Our aim is to let PHP, C++, and Perl developers use Apache Rampart/C. So we have to make the Apache Rampart/C implementation more flexible. We also need to provide easy-to-use APIs for all these platforms.
OT: What are the dependencies of Apache Rampart/C?
Kaushalye: To build Rampart/C, a user needs OpenSSL. Apart from that, there are no other libraries used. One interesting fact about Apache Rampart/C is that we did not have a proper XML Security library. So we had to implement a new XML Security library called OMXMLSecurity, which was implemented on top of AXIOM or AXis Object Model. Right now this is a part of Apache Rampart/C. OMXMLSecurity uses OpenSSL as the crypto library, which can be freely downloaded to your system.
OT: What is the status of OMXMLSecurity now?
Kaushalye: In the first phase of OMXMLSecurity, we implemented XML-Encryption. Most importantly it is inter-operable with other implementations such as WSS4J and XMLSec. Right now we are in the second phase trying to add XML-Signature support. Recently we implemented canonicalization algorithms. This is definitely going to help us in the second phase.
OT: You mentioned security policies when describing configurations. Is it the WS-SecurityPolicy or just Apache Rampart/C configurations?
Kaushalye: Hmm... I'd say both. I mean Apache Rampart/C configurations are now based on the WS-Security Policy specification. Apart from the assertions specified in the WS-Security policy, we are using our own assertions to keep Rampart specific configurations. For example, where to locate the authentication module, certificate files, etc.
OT: So what plans for the future?
Kaushalye: We have a lot of plans. First we need to implement the XML-Signature in OMXMLSecurity. Then we will use this in Apache Rampart/C to sign SOAP messages. We also have an idea to implement the Security Assertion Markup Language specification.
In the meantime we are trying to get the best use of Rampart/C in languages like PHP, Perl, Ruby etc.
OT: Thank you very much Kaushalye!
More Information
Apache Rampart/C - http://wso2.org/projects/rampart/c
Secure Messaging with Apache Rampart/Java by Ruchith Fernando - http://wso2.org/library/695
Axis2/C OM Tutorial - http://ws.apache.org/axis2/c/docs/om_tutorial.html
OpenSSL, the crypto library used by OMXMLSecurity - http://www.openssl.org/source/
Apache WSS4J - http://ws.apache.org/wss4j/
XML Security Library - http://www.aleksey.com/xmlsec/
WS-SecurityPolicy - http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf