Webservice Security, Step 2: Client authentication with a certificate.

01.27.2012

First of all, how does client authentication with a certificate work in SOAP?
It is not enough to send the certificate like a passport as proof of identity. A certificate is public data: it can be copied and redistributed, and anyone who intercepts a message can lift it out of the SOAP header. The certificate alone is therefore not the proof of identity.


The trick behind secure identification is more sophisticated. The certificate contains a public key, while the matching private key stays in the client's environment and never goes on the wire. The client computes a digest (hash) of selected parts of the SOAP message, signs that digest with its private key (for RSA this is often described as "encrypting the digest with the private key") and sends the result along with the certificate. In WS-Security the certificate travels as a BinarySecurityToken and the signed digest as an XML Signature, both inside the Security header. This signed digest is the client's signature. It does matter which parts of the message are signed, because the signature protects only what it covers: at least the Body and a Timestamp should be signed. Signing the Body prevents an attacker from swapping the payload underneath a valid signature, and signing a fresh Timestamp prevents an intercepted message, signature included, from simply being replayed. The security comes from the private key, not from the length of the signed text.
Now this signature is the proof of identity, because it proves possession of the private key.

The service provider verifies the signature with the public key from the certificate: it recomputes the digest over the parts it received and checks it against the signature. If the check succeeds, the client possesses the private key belonging to that certificate. Two more checks are needed before the identity is proven: the certificate must chain to a CA that the service trusts (otherwise anyone could sign with their own key and present a self-issued certificate bearing someone else's name), and the signed Timestamp must be recent.
This is the strategy behind asymmetric cryptography, a.k.a. public key cryptography: sign with the private key, verify with the public key.
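The exchange described above, as an added example in Go using only the standard library; this is not code from the original post nor from the Axis2/Rampart tutorial linked below. The client signs a digest of Body plus Timestamp with its private key and attaches its certificate; the service holds only a truststore of CA certificates (no client keys) and checks the chain, the freshness and the signature, in that order. The CA and client names, the sample SOAP body, the five-minute skew window and the scenario labels are constructed for the example, and the "timestamp newline body" canonical form is a stand-in for XML canonicalization and the WS-Security Signature structure, not Rampart's actual format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const maxClockSkew = 5 * time.Minute // older requests count as replays (assumed value)
// SignedRequest: the signed parts (Body, Timestamp), the signature and the client
// certificate (BinarySecurityToken). The private key is never part of the message.
type SignedRequest struct {
	Body      string
	Timestamp time.Time
	Signature []byte
	Cert      *x509.Certificate
}
// digest hashes the canonical signed parts; including the timestamp ties the
// signature to this one request instead of to any later copy of it.
func digest(body string, ts time.Time) []byte {
	d := sha256.Sum256([]byte(ts.UTC().Format(time.RFC3339) + "\n" + body))
	return d[:]
}
// newCert issues a certificate for pub signed by signerKey; parent == nil self-signs.
func newCert(cn string, pub *rsa.PublicKey, isCA bool, parent *x509.Certificate, signerKey *rsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err) // demo setup; a real service would report and stop here
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// Sign (client side): sign the digest with the private key; only its holder can.
func Sign(key *rsa.PrivateKey, cert *x509.Certificate, body string, ts time.Time) *SignedRequest {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(body, ts))
	if err != nil {
		panic(err)
	}
	return &SignedRequest{Body: body, Timestamp: ts, Signature: sig, Cert: cert}
}
// Verify (service side) holds only a truststore of CA certificates, no client
// keys, and returns the subject it authenticated.
func Verify(truststore *x509.CertPool, req *SignedRequest, now time.Time) (string, error) {
	// 1. Trust: until it chains to a trusted CA the certificate is just a claim;
	//    anyone can self-sign one that carries the victim's name.
	opts := x509.VerifyOptions{Roots: truststore, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := req.Cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	// 2. Freshness: a replayed capture fails here although its signature is valid.
	if d := now.Sub(req.Timestamp); d > maxClockSkew || d < -maxClockSkew {
		return "", fmt.Errorf("timestamp outside allowed window (replay?)")
	}
	// 3. Possession: recompute the digest over what was actually received and
	//    check the signature with the public key from the trusted certificate.
	pub, ok := req.Cert.PublicKey.(*rsa.PublicKey)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(req.Body, req.Timestamp), req.Signature) != nil {
		return "", fmt.Errorf("signature does not match the certificate's key")
	}
	return req.Cert.Subject.CommonName, nil
}

// Scenarios runs the genuine exchange and four attacks and maps each case to
// the subject the server accepted, "" meaning the request was rejected.
func Scenarios() map[string]string {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	clientKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caCert := newCert("Example Root CA", &caKey.PublicKey, true, nil, caKey)
	clientCert := newCert("client", &clientKey.PublicKey, false, caCert, caKey)
	forgedCert := newCert("client", &attackerKey.PublicKey, false, nil, attackerKey)
	truststore := x509.NewCertPool() // the server's truststore: CA certificates only
	truststore.AddCert(caCert)
	body := `<soap:Body><getBalance account="4711"/></soap:Body>` // constructed sample
	now, out := time.Now(), map[string]string{}
	check := func(name string, r *SignedRequest, at time.Time) { out[name], _ = Verify(truststore, r, at) }
	genuine := Sign(clientKey, clientCert, body, now)
	check("genuine", genuine, now)
	check("copied-cert", Sign(attackerKey, clientCert, body, now), now) // stolen cert, attacker's own key
	check("forged-cert", Sign(attackerKey, forgedCert, body, now), now) // self-signed cert naming "client"
	check("tampered-body", &SignedRequest{Body: `<soap:Body><getBalance account="0815"/></soap:Body>`, Timestamp: now, Signature: genuine.Signature, Cert: clientCert}, now) // payload swapped under a valid signature
	check("replayed", genuine, now.Add(time.Hour)) // captured and resent an hour later
	return out
}

func main() { fmt.Println(Scenarios()) }
```

Only the genuine request authenticates as "client"; the copied certificate fails at the signature check, the forged one at the chain check, the swapped payload at the digest comparison and the replay at the timestamp window. Note which checks the server could not perform if it shared a keystore with the client: none of them need a client private key, which is the reason a service needs only a truststore.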

A very recommendable tutorial on implementing this with Axis2 and Rampart is already available at https://wso2.org/library/3415. I trust that this tutorial works, but I wanted to configure it better and hit some problems which are not solved yet.

These are my issues:

  • I want to authenticate one way only (client -> server), because the server has already been authenticated via HTTPS. But in the policy definitions I have not understood how I can distinguish between
  1. The policy definition for incoming messages. This defines the level of security which the service expects from incoming messages. This definition shows up in the WSDL file.
  2. The policy definition for outgoing messages in the service provider's policy. This is the configuration for what the SOAP header of the service response should contain.
  • I want to separate the keystore and the truststore. I think it is a bad practice in the Java world that the private key and the public keys of others are in the same file. You have to trust the application to take the correct key out of this file to send to clients.


Once I have figured this out and made my example work, I will let you know.