axis-java-dev mailing list archives

From "Brian Reinhold" <>
Subject RE: Configure Rampart STS
Date Tue, 30 Oct 2012 17:56:33 GMT


Thanks, but what is unclear is what else exists (maybe nothing?), and what
are these: <addRequestedAttachedRef /> <addRequestedUnattachedRef />

In many of the examples the 'saml-issuer-config' had nothing in it. Was it
implied that the user is to fill it in?

From: Martin Gainty [] 
Sent: Tuesday, October 30, 2012 1:24 PM
Subject: RE: Configure Rampart STS


 MG>Quick answer inlined

From: Brian Reinhold [] 
Sent: Tuesday, October 30, 2012 10:38 AM
Subject: Configure Rampart STS


I am trying to understand how to configure my own STS service to generate a
custom SAML token. The instructions are confusing.


First it states to remove the default rampart.mar from the modules. In my
modules there is both a rampart.mar and a rahas.mar.

Then it states to create a service.xml pointing to one's custom
implementation of the TokenIssuer interface. The contents of the example
service.xml provided looks very similar to the contents of the rahas.mar
module and bears no resemblance to the rampart.mar. 

In addition, there is a 'saml-issuer-config' value of the configuration
element. I have no idea what that element represents. Do I need to make some
type of file containing configuration parameters, and if I do, what are the
elements that go in it?  Has anybody ever done this? Do I have to play with
the axis.xml?


MG>only to add in the module name e.g. <module ref="rampart"/>

MG>you will want to configure services.xml in WEB-INF\services only


Any insight would be greatly appreciated!

Here is some stuff I found no documentation on with respect to


        <parameter name="saml-issuer-config">

MG>alias for the provided key; you will need the alias to export the cert out
of the pfx, e.g.

MG>keytool -exportcert -alias AlienAlias -keystore steve.jks -keypass steve
-storepass steve -file steve.cert


MG>safe to stay with JKS although easy enough to convert a p12 format to jks


MG>name of the Java keystore file; the absolute path must be known in order to
configure an HTTPS connector


MG>password to the keystore file




MG>lifetime of SAML token default to 5 min


MG>keysize in bits used with generation step e.g. keytool -genkey -keysize

MG>the longer the key size, the more difficult it is to crack by brute force

                <addRequestedAttachedRef />

                <addRequestedUnattachedRef />


MG><!-- Key computation mechanism 1 - Use Request Entropy 2 - Provide
Entropy 3 - Use Own Key -->


MG><!-- proofKeyType element is valid only if the keyComputation is set to 3,
i.e. Use Own Key. Valid values are: EncryptedKey & BinarySecret -->


                    <service alias="service">*</service>

MG><!-- The service name and the alias of the trusted cert to use -->
<service alias="bob">http://localhost:8080/axis2/services


MG>the alias is referenced by the trust-store lookup manager to find a
key entity that was previously inserted into its own truststore


There are several xml elements I cannot find documented anywhere except for
the cryptoProperties. Some are easier to GUESS; but it would be nice not to
guess. The bigger question is what other parameters exist that I don't see
in this example? In general, the documentation on the xml part of
Axis2/Rampart is lacking yet is so critical to its use. Does anyone have all
the options one can place into the service.xmls and other xml config files
(where ever they may be) documented?


MG>Brian, the saml-issuer-config elements are well documented at the WSO2
site URL


MG>let me know if you have any questions or concerns
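
Editor's note, added to this archived thread and not part of either correspondent's message or of Rampart's own code: the inline answers above name the settings that matter in saml-issuer-config (the issuer key alias and keystore, the token lifetime with its 5-minute default, the key size, keyComputation 1/2/3 with proofKeyType only valid for 3, and the trusted-services alias lookup, including the `*` wildcard in the pasted example). The Python checker below reads such a block and flags the weak choices. The element names it looks for (issuerName, issuerKeyAlias, issuerKeyPassword, cryptoProperties, timeToLive, keySize, keyComputation, proofKeyType, trusted-services/service) are an assumption taken from the Rampart STS sample services.xml as the editor remembers it, not from this page, and should be checked against the Rampart release in use; the two configurations embedded in it are constructed, and the relying-party URL in the hardened one is invented.

```python
"""Lint a Rampart STS saml-issuer-config parameter for the settings discussed in the thread.

ASSUMPTION: element names follow the Rampart STS sample services.xml as remembered
(issuerKeyAlias, cryptoProperties, timeToLive, keySize, keyComputation, proofKeyType,
trusted-services/service); verify against your Rampart release. Both configs are constructed.
"""
import xml.etree.ElementTree as ET

DEFAULT_TTL_MS = 300_000   # 5 minutes, the default lifetime mentioned in the thread
MIN_KEY_BITS = 128         # smallest symmetric proof-key size this checker accepts
KEY_COMPUTATION = {"1": "use request entropy", "2": "provide entropy", "3": "use own key"}
PROOF_KEY_TYPES = ("EncryptedKey", "BinarySecret")

# Constructed: a permissive config in the style of the samples (wildcard trust, long TTL).
WEAK_CONFIG = """<parameter name="saml-issuer-config">
  <saml-issuer-config>
    <issuerName>Test_STS</issuerName>
    <issuerKeyAlias>service</issuerKeyAlias>
    <issuerKeyPassword>apache</issuerKeyPassword>
    <cryptoProperties>
      <crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
        <property name="org.apache.ws.security.crypto.merlin.file">service.jks</property>
        <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
      </crypto>
    </cryptoProperties>
    <timeToLive>86400000</timeToLive>
    <keySize>64</keySize>
    <addRequestedAttachedRef />
    <addRequestedUnattachedRef />
    <keyComputation>1</keyComputation>
    <proofKeyType>BinarySecret</proofKeyType>
    <trusted-services>
      <service alias="service">*</service>
    </trusted-services>
  </saml-issuer-config>
</parameter>"""

# Constructed: same block with the four weak settings corrected (one named relying party,
# default TTL, 256-bit key, own-key computation so proofKeyType actually applies).
HARDENED_CONFIG = (WEAK_CONFIG
    .replace("<timeToLive>86400000</timeToLive>", f"<timeToLive>{DEFAULT_TTL_MS}</timeToLive>")
    .replace("<keySize>64</keySize>", "<keySize>256</keySize>")
    .replace("<keyComputation>1</keyComputation>", "<keyComputation>3</keyComputation>")
    .replace('<service alias="service">*</service>',
             '<service alias="bob">https://rp.example/axis2/services/RelyingParty</service>'))


def lint_issuer_config(xml_text):
    """Return a list of findings (empty when nothing is flagged) for one saml-issuer-config."""
    root = ET.fromstring(xml_text)
    cfg = root if root.tag == "saml-issuer-config" else root.find("saml-issuer-config")
    if cfg is None:
        return ["no <saml-issuer-config> element found"]

    def text(tag):
        el = cfg.find(tag)
        return el.text.strip() if el is not None and el.text else None

    findings = [f"missing <{tag}>"
                for tag in ("issuerName", "issuerKeyAlias", "cryptoProperties")
                if cfg.find(tag) is None]

    ttl = text("timeToLive")
    if ttl is not None and int(ttl) > DEFAULT_TTL_MS:
        findings.append(f"timeToLive {ttl} ms is longer than the 5-minute default ({DEFAULT_TTL_MS} ms)")

    key_bits = text("keySize")
    if key_bits is not None and int(key_bits) < MIN_KEY_BITS:
        findings.append(f"keySize {key_bits} bits is below {MIN_KEY_BITS}")

    mode = text("keyComputation")
    if mode is not None and mode not in KEY_COMPUTATION:
        findings.append(f"keyComputation {mode!r} is not 1, 2 or 3")
    proof = text("proofKeyType")
    if proof is not None:
        if mode != "3":
            findings.append("proofKeyType is set but is only valid with keyComputation 3 (use own key)")
        if proof not in PROOF_KEY_TYPES:
            findings.append(f"proofKeyType {proof!r} is not EncryptedKey or BinarySecret")

    # Each <service> maps an AppliesTo address to the truststore alias whose cert is used for it.
    for svc in cfg.iterfind("trusted-services/service"):
        alias, endpoint = svc.get("alias"), (svc.text or "").strip()
        if not alias:
            findings.append(f"trusted-services: <service> for {endpoint!r} has no alias")
        if endpoint == "*":
            findings.append(f"trusted-services: wildcard '*' makes alias {alias!r} the target for "
                            f"every AppliesTo endpoint; list relying parties explicitly")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {lint_issuer_config(cfg) or ['no findings']}")
```

Run it as-is to see the four findings on the constructed weak block and none on the hardened one; point `lint_issuer_config` at the `<parameter name="saml-issuer-config">` element pulled from your own services.xml to check a real deployment.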
