axis-java-dev mailing list archives

From "Brian Reinhold" <brianreinh...@lampreynetworks.com>
Subject RE: Configure Rampart STS
Date Tue, 30 Oct 2012 17:56:33 GMT
Martin,

 

Thanks, but what is unclear is what else exists (maybe nothing?), and what
these are: <addRequestedAttachedRef /> <addRequestedUnattachedRef />

In many of the examples the 'saml-issuer-config' had nothing in it. Was it
implied that the user is to fill it in?

 

Brian

 

From: Martin Gainty [mailto:mgainty@hotmail.com] 
Sent: Tuesday, October 30, 2012 1:24 PM
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: RE: Configure Rampart STS

 

 MG>Quick answer inlined

From: Brian Reinhold [mailto:brianreinhold@lampreynetworks.com] 
Sent: Tuesday, October 30, 2012 10:38 AM
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: Configure Rampart STS

 

I am trying to understand how to configure my own STS service to generate a
custom SAML token. The instructions are confusing.

 

First it states to remove the default rampart.mar from the modules. In my
modules there is both a rampart.mar and a rahas.mar.

Then it states to create a service.xml pointing to one's custom
implementation of the TokenIssuer interface. The contents of the example
service.xml provided looks very similar to the contents of the rahas.mar
module and bears no resemblance to the rampart.mar. 

In addition, there is a 'saml-issuer-config' value of the configuration
element. I have no idea what that element represents. Do I need to make some
type of file containing configuration parameters, and if I do, what are the
elements that go in it?  Has anybody ever done this? Do I have to play with
the axis.xml?

 

MG>only to add in the module name e.g. <module ref="rampart"/>

MG>you will want to configure services.xml in WEB-INF\services only

 

Any insight would be greatly appreciated!

 

Thanks,

 

Brian

 

PS

 

Here is some stuff I found no documentation on with respect to
saml-issuer-config

 

        <parameter name="saml-issuer-config">

            <saml-issuer-config>

                <issuerName>SAMPLE_STS</issuerName>

                <issuerKeyAlias>service</issuerKeyAlias>

MG>alias for the provided key; you will need the alias to export the cert out
of the pfx, e.g.

MG>keytool -exportcert -alias AlienAlias -keystore steve.jks -keypass steve -storepass steve -file steve.cert

                <issuerKeyPassword>apache</issuerKeyPassword>

                <cryptoProperties>

                    <crypto provider="org.apache.ws.security.components.crypto.Merlin">

                        <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>

MG>safe to stay with JKS, although it is easy enough to convert a p12 format to jks

                        <property name="org.apache.ws.security.crypto.merlin.file">service.jks</property>

MG>name of the Java keystore file; the absolute path must be known in order to
configure an HTTPS connector

                        <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>

MG>password to the keystore file

                    </crypto>

                </cryptoProperties>

                <timeToLive>864000000000</timeToLive>

MG>lifetime of the SAML token; defaults to 5 min

                <keySize>256</keySize>

MG>keysize in bits used with the generation step, e.g. keytool -genkey -keysize 2048

MG>the longer the keysize, the more difficult it is to crack by brute force

                <addRequestedAttachedRef />

                <addRequestedUnattachedRef />

                <keyComputation>3</keyComputation>

MG><!-- Key computation mechanism: 1 - Use Request Entropy, 2 - Provide Entropy, 3 - Use Own Key -->

                <proofKeyType>BinarySecret</proofKeyType>

MG><!-- proofKeyType element is valid only if the keyComputation is set to 3, i.e. Use Own Key. Valid values are: EncryptedKey & BinarySecret -->

                <trusted-services>

                    <service alias="service">*</service>

MG><!-- The service name and the alias of the trusted cert to use -->
MG><service alias="bob">http://localhost:8080/axis2/services/STS</service>

MG>the alias is referenced by the trust-store lookup manager to find a
key entity that was previously inserted into its own truststore

                </trusted-services>

            </saml-issuer-config>

        </parameter>

 

There are several xml elements I cannot find documented anywhere except for
the cryptoProperties. Some are easier to GUESS; but it would be nice not to
guess. The bigger question is what other parameters exist that I don't see
in this example? In general, the documentation on the xml part of
Axis2/Rampart is lacking yet is so critical to its use. Does anyone have all
the options one can place into the service.xmls and other xml config files
(where ever they may be) documented?

 

MG>Brian, the saml-issuer-config elements are well documented at the WSO2
site url

MG>https://svn.wso2.org/repos/wso2/carbon/platform/trunk/dependencies/rampart/1.6.1-wso2v4/modules/rampart-trust/sts-aar-resources/saml-issuer-config.xml

MG>let me know if you have any questions or concerns

MG>Martin
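An added example, not part of this thread and not Rampart or Axis2 code: a small Python checker that parses the saml-issuer-config fragment quoted above and flags the points a deployer would want to review before shipping the STS configuration. It assumes Rampart reads timeToLive as milliseconds and keySize as the symmetric proof-key length in bits (the WS-Trust KeySize), and that a "*" entry in trusted-services matches any AppliesTo address; the one-hour TTL ceiling and 128-bit minimum are policy choices of the example, not Rampart defaults. The sample config is constructed from the fragment in the thread.

```python
"""Sanity checks for a Rampart saml-issuer-config block (added example, not Rampart code).
Parses the <parameter name="saml-issuer-config"> fragment from the thread and
reports what a deployer should look at before shipping the STS."""
import os
import xml.etree.ElementTree as ET

# Constructed from the fragment quoted in the thread; not a real deployment.
SAMPLE_CONFIG = """<parameter name="saml-issuer-config">
  <saml-issuer-config>
    <issuerName>SAMPLE_STS</issuerName>
    <issuerKeyAlias>service</issuerKeyAlias>
    <issuerKeyPassword>apache</issuerKeyPassword>
    <cryptoProperties>
      <crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
        <property name="org.apache.ws.security.crypto.merlin.file">service.jks</property>
        <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
      </crypto>
    </cryptoProperties>
    <timeToLive>864000000000</timeToLive>
    <keySize>256</keySize>
    <addRequestedAttachedRef />
    <addRequestedUnattachedRef />
    <keyComputation>3</keyComputation>
    <proofKeyType>BinarySecret</proofKeyType>
    <trusted-services>
      <service alias="service">*</service>
      <service alias="bob">http://localhost:8080/axis2/services/STS</service>
    </trusted-services>
  </saml-issuer-config>
</parameter>
"""

# Policy knobs for this example (assumptions, not Rampart defaults).
MAX_TTL_MS = 60 * 60 * 1000        # one hour; timeToLive assumed to be milliseconds
MIN_PROOF_KEY_BITS = 128           # keySize assumed to be the symmetric proof-key length
KEY_COMPUTATION = {1: "Use Request Entropy", 2: "Provide Entropy", 3: "Use Own Key"}
PROOF_KEY_TYPES = {"EncryptedKey", "BinarySecret"}
MERLIN = "org.apache.ws.security.crypto.merlin."


def parse_issuer_config(xml_text):
    """Flatten the saml-issuer-config fragment into a plain dict."""
    # services.xml is operator-controlled; use defusedxml if the input is untrusted.
    root = ET.fromstring(xml_text)
    cfg = root if root.tag == "saml-issuer-config" else root.find("saml-issuer-config")
    if cfg is None:
        raise ValueError("no <saml-issuer-config> element found")

    def text(tag):
        el = cfg.find(tag)
        return el.text.strip() if el is not None and el.text else None

    props = {p.get("name"): (p.text or "").strip()
             for p in cfg.findall("cryptoProperties/crypto/property")}
    return {
        "issuerName": text("issuerName"),
        "issuerKeyAlias": text("issuerKeyAlias"),
        "issuerKeyPassword": text("issuerKeyPassword"),
        "keystoreFile": props.get(MERLIN + "file"),
        "keystorePassword": props.get(MERLIN + "keystore.password"),
        "timeToLive": int(text("timeToLive") or 0),
        "keySize": int(text("keySize") or 0),
        # empty elements: presence is what matters, so test against None, not truthiness
        "attachedRef": cfg.find("addRequestedAttachedRef") is not None,
        "unattachedRef": cfg.find("addRequestedUnattachedRef") is not None,
        "keyComputation": int(text("keyComputation") or 0),
        "proofKeyType": text("proofKeyType"),
        "trustedServices": [(s.get("alias"), (s.text or "").strip())
                            for s in cfg.findall("trusted-services/service")],
    }


def check_issuer_config(cfg):
    """Return (severity, message) findings; an empty list means nothing to flag."""
    findings = []
    for field in ("issuerName", "issuerKeyAlias", "issuerKeyPassword",
                  "keystoreFile", "keystorePassword"):
        if not cfg.get(field):
            findings.append(("error", "%s is missing or empty" % field))
    if cfg["keyComputation"] not in KEY_COMPUTATION:
        findings.append(("error", "keyComputation must be 1, 2 or 3, got %r" % cfg["keyComputation"]))
    if cfg["proofKeyType"] and cfg["proofKeyType"] not in PROOF_KEY_TYPES:
        findings.append(("error", "proofKeyType must be EncryptedKey or BinarySecret"))
    if cfg["proofKeyType"] and cfg["keyComputation"] != 3:
        findings.append(("warning", "proofKeyType is only honoured when keyComputation is 3 (Use Own Key)"))
    ttl = cfg["timeToLive"]
    if ttl <= 0:
        findings.append(("error", "timeToLive must be positive"))
    elif ttl > MAX_TTL_MS:
        findings.append(("warning", "timeToLive of %d ms is about %.0f days; a leaked token stays valid that long"
                         % (ttl, ttl / 86400000.0)))
    if 0 < cfg["keySize"] < MIN_PROOF_KEY_BITS:
        findings.append(("warning", "keySize of %d bits is below %d" % (cfg["keySize"], MIN_PROOF_KEY_BITS)))
    for alias, endpoint in cfg["trustedServices"]:
        if endpoint == "*":
            findings.append(("warning", "trusted-services entry '*' matches any AppliesTo address, so the cert "
                                        "under alias %r is used for every requester" % alias))
    if cfg["keystoreFile"] and not os.path.isabs(cfg["keystoreFile"]):
        findings.append(("info", "keystore path %r is relative; make sure it resolves where the STS runs"
                         % cfg["keystoreFile"]))
    return findings


if __name__ == "__main__":
    for severity, message in check_issuer_config(parse_issuer_config(SAMPLE_CONFIG)):
        print("%-7s %s" % (severity, message))
```

Run stand-alone it reports three things for the quoted fragment: the timeToLive of 864000000000 ms (roughly 10000 days), the "*" wildcard in trusted-services, and the relative keystore path. What it cannot check is the keystore itself: that issuerKeyAlias really exists in service.jks and that the key password opens it still has to be confirmed against the file, for example with keytool -list -v on the keystore.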
