From Martin Gainty <>
Subject RE: Configure Rampart STS
Date Tue, 30 Oct 2012 17:23:46 GMT

 MG>Quick answer inlined
From: Brian Reinhold [] 
Sent: Tuesday, October 30, 2012 10:38 AM
Subject: Configure Rampart STS

I am trying to understand how to configure my own STS service to generate a custom SAML token.
The instructions are confusing. First it states to remove the default rampart.mar from the
modules. In my modules there is both a rampart.mar and a rahas.mar. Then it states to create a
service.xml pointing to one’s custom implementation of the TokenIssuer interface. The contents
of the example service.xml provided looks very similar to the contents of the rahas.mar module
and bears no resemblance to the rampart.mar. In addition, there is a ‘saml-issuer-config’ value
of the configuration element. I have no idea what that element represents. Do I need to make
some type of file containing configuration parameters, and if I do, what are the elements that
go in it? Has anybody ever done this? Do I have to play with the axis.xml?

MG>only to add in the module name e.g. <module ref="rampart"/>
MG>you will want to configure services.xml in WEB-INF\services only

Any insight would be greatly appreciated!

Thanks, Brian

PS Here is some stuff I found no documentation on with respect to saml-issuer-config
        <parameter name="saml-issuer-config">
            <saml-issuer-config>
                <issuerName>SAMPLE_STS</issuerName>
                <issuerKeyAlias>service</issuerKeyAlias>
MG>alias for the provided key; you will need the alias to export the cert out of the pfx, e.g.
MG>keytool -exportcert -alias AlienAlias -keystore steve.jks -keypass steve -storepass steve -file steve.cert
                <issuerKeyPassword>apache</issuerKeyPassword>
                <cryptoProperties>
                    <crypto provider="">
                        <property name="">JKS</property>
MG>safe to stay with JKS, although easy enough to convert a p12 format to jks
                        <property name="">service.jks</property>
MG>name of the Java key file; the absolute path must be known in order to configure a HTTPS connector
                        <property name="">apache</property>
MG>password to the keystore file
                    </crypto>
                </cryptoProperties>
                <timeToLive>864000000000</timeToLive>
MG>lifetime of the SAML token; defaults to 5 min
                <keySize>256</keySize>
MG>keysize in bits used with the generation step, e.g. keytool -genkey -keysize 2048
MG>the longer the keysize the more difficult to crack by brute force
                <addRequestedAttachedRef />
                <addRequestedUnattachedRef />
                <!--
                    Key computation mechanism
                    1 - Use Request Entropy
                    2 - Provide Entropy
                    3 - Use Own Key
                    proofKeyType element is valid only if the keyComputation is set to 3
                    i.e. Use Own Key

                    Valid values are: EncryptedKey & BinarySecret
                -->
                <trusted-services>
                    <service alias="service">*</service>
MG><!-- The service name and the alias of the trusted cert to use -->
                    <service alias="bob">http://localhost:8080/axis2/services/STS</service>
MG>the alias is referenced by the trust-store lookup manager to find a key entity that was previously inserted into its own truststore
                </trusted-services>
            </saml-issuer-config>
        </parameter>
There are several xml elements I cannot find documented anywhere except for the cryptoProperties.
Some are easier to GUESS; but it would be nice not to guess. The bigger question is what other
parameters exist that I don’t see in this example? In general, the documentation on the
xml part of Axis2/Rampart is lacking yet is so critical to its use. Does anyone have all the
options one can place into the service.xmls and other xml config files (wherever they may
be) documented?
MG>Brian the saml-issuer-config elements are well documented at the WSO2 site url

MG>let me know if you have any questions or concerns
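The thread quotes the saml-issuer-config fragment with a 864000000000 ms timeToLive and a wildcard trusted-services entry but never says what those settings mean in practice. The script below is an added example, not code from this thread or from Apache Rampart: it parses a constructed services.xml modelled on the quoted fragment (module refs included, as Martin's axis2.xml answer describes) and audits the issuer settings the way a reviewer would before deploying the STS. The one-hour lifetime ceiling and the 128-bit key floor are assumptions chosen for the example; the crypto <property name=""> keys are left empty because the thread does not show them.

```python
"""Audit the saml-issuer-config block of a Rampart STS services.xml.

Added example for this thread; it is not code from the mailing list or from
Apache Rampart. It reads the <parameter name="saml-issuer-config"> element as
laid out in the thread's fragment and flags what a reviewer would question:
the rampart module not engaged, an over-long <timeToLive>, a wildcard
<trusted-services> entry and a short <keySize>. Thresholds are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed services.xml modelled on the fragment quoted in the thread.
SAMPLE_SERVICES_XML = """\
<serviceGroup>
  <service name="STS">
    <module ref="rampart"/>
    <module ref="rahas"/>
    <parameter name="saml-issuer-config">
      <saml-issuer-config>
        <issuerName>SAMPLE_STS</issuerName>
        <issuerKeyAlias>service</issuerKeyAlias>
        <issuerKeyPassword>apache</issuerKeyPassword>
        <cryptoProperties>
          <crypto provider="">
            <property name="">JKS</property>
            <property name="">service.jks</property>
            <property name="">apache</property>
          </crypto>
        </cryptoProperties>
        <timeToLive>864000000000</timeToLive>
        <keySize>256</keySize>
        <addRequestedAttachedRef />
        <addRequestedUnattachedRef />
        <trusted-services>
          <service alias="service">*</service>
          <service alias="bob">http://localhost:8080/axis2/services/STS</service>
        </trusted-services>
      </saml-issuer-config>
    </parameter>
  </service>
</serviceGroup>
"""

# Same file with the two weak settings corrected (also constructed): the
# five-minute lifetime the thread mentions as the default, and no wildcard entry.
HARDENED_SERVICES_XML = (
    SAMPLE_SERVICES_XML
    .replace("<timeToLive>864000000000</timeToLive>", "<timeToLive>300000</timeToLive>")
    .replace('<service alias="service">*</service>', "")
)

MAX_TTL_MS = 60 * 60 * 1000   # assumed policy ceiling for a token lifetime: one hour
MIN_KEY_BITS = 128            # assumed floor for the issued proof key
MS_PER_DAY = 24 * 60 * 60 * 1000


def parse_issuer_config(services_xml):
    """Return the issuer settings as a dict; raise if the parameter is absent."""
    root = ET.fromstring(services_xml)
    issuer = None
    for param in root.iter("parameter"):
        if param.get("name") == "saml-issuer-config":
            issuer = param.find("saml-issuer-config")
    if issuer is None:
        raise ValueError("no saml-issuer-config parameter in services.xml")
    return {
        "modules": [m.get("ref") for m in root.iter("module")],
        "issuerName": issuer.findtext("issuerName"),
        "issuerKeyAlias": issuer.findtext("issuerKeyAlias"),
        "timeToLive_ms": int(issuer.findtext("timeToLive", "300000")),
        "keySize": int(issuer.findtext("keySize", "256")),
        # (cert alias, endpoint) pairs; "*" covers any AppliesTo address
        "trusted": [(s.get("alias"), (s.text or "").strip())
                    for s in issuer.iter("service")],
        "cryptoProps": [(p.get("name"), (p.text or "").strip())
                        for p in issuer.iter("property")],
    }


def ttl_days(ttl_ms):
    """Convert a timeToLive in milliseconds to days."""
    return ttl_ms / MS_PER_DAY


def audit(cfg):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    if "rampart" not in cfg["modules"]:
        findings.append('rampart module not engaged: add <module ref="rampart"/>')
    ttl = cfg["timeToLive_ms"]
    if ttl > MAX_TTL_MS:
        findings.append("timeToLive is %d ms (%.0f days); a stolen token stays "
                        "valid for that long" % (ttl, ttl_days(ttl)))
    for alias, endpoint in cfg["trusted"]:
        if endpoint == "*":
            findings.append("trusted-services alias %r is a wildcard: tokens are "
                            "issued for any AppliesTo address" % alias)
    if cfg["keySize"] < MIN_KEY_BITS:
        findings.append("keySize %d bits is below %d" % (cfg["keySize"], MIN_KEY_BITS))
    return findings


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_SERVICES_XML), ("hardened", HARDENED_SERVICES_XML)):
        cfg = parse_issuer_config(xml)
        print("%s: issuer %s, key alias %s" % (label, cfg["issuerName"], cfg["issuerKeyAlias"]))
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the sample the audit reports two findings: the quoted timeToLive works out to 10000 days, and the "*" entry means the STS will hand out a token for whatever AppliesTo address a requester names, encrypted to the one certificate behind alias "service". The hardened copy produces no findings.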

