From: "Brian Reinhold"
Reply-To: java-dev@axis.apache.org
Subject: RE: Configure Custom Rampart STS
Date: Thu, 1 Nov 2012 11:33:06 -0400
Message-ID: <003e01cdb846$3120d830$93628890$@com>

Martin,

I am confused. I already have a rahas.mar module that works fine as long as I continue to use the default STS implementation. What I can't do is to get the token dispatcher to call MY version of the SAML2TokenIssuer.

I COULD modify the rahas source code of the Saml2TokenIssuer class to make my 'custom' STS token. However, that is NOT what I want to do for obvious reasons. Ideally I want to use the Axis2/Rampart jars and mars as they are and configure the deployment to use my STS service and not the default STS service.
The instructions say to add the following to the custom service after removing the rampart module (but I only removed the rahas module). Note I insert the element below INTO the existing default STS service xml:

    <module ref="rampart" />

    <operation name="IssueToken"
            mep="http://www.w3.org/2006/01/wsdl/in-out">
        <messageReceiver
                class="org.apache.rahas.STSMessageReceiver"/>

        <!-- Action mapping to accept RST requests -->
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate</actionMapping>

        <parameter name="token-dispatcher-configuration">
            <token-dispatcher-configuration>
            <!-- Issuers. You may have many issuers. -->
            <issuer class="com.lnihealth.sts.receiver.LNISAML2TokenIssuer" default="true">
                <configuration type="parameter">saml-issuer-config</configuration>
                <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
            </issuer>
            </token-dispatcher-configuration>
        </parameter>

    </operation>

Which is exactly what I have done EXCEPT for the yellow highlighted code which points to my implementation. The rahas.mar module has been removed from the axis2/web-apps/modules directory as instructed.

The above throws the ClassNotFoundException. Change the class to "org.apache.rahas.impl.SAML2TokenIssuer" and it works like a charm. (Interestingly what I place in the modules.list file has no effect on the result.)

Thanks (few remarks below)

Brian

From: Martin Gainty [mailto:mgainty@hotmail.com]
Sent: Thursday, November 01, 2012 10:54 AM
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: RE: Configure Custom Rampart STS

Both SamlTokenIssuer and SamlTokenIssuerConfig are classes which belong to rampart-trust module...the pom.xml should look like

    <groupId>org.apache.rampart</groupId>
    <artifactId>rahas</artifactId>
    <packaging>mar</packaging>
    <version>${rahas.mar.version}</version>

so to compile the rahas module I first compile then package with

    mvn -e -X compile
    mvn -e -X package

should result in \target\rahas-${rahas.mar.version}.mar

and should contain the rahas classes

    org.apache.rahas.impl.SAMLTokenIssuer
    org.apache.rahas.impl.SAMLTokenIssuerConfig

Brian: It does (and always has)

which you can now deploy to $CATALINA_HOME\webapps\Axis2Webapp\WEB-INF\modules

Brian: which I have done

be sure to update modules.list
use your Axis2 admin screen to engage rahas module to your service AAR

Brian: I do NOT know what the underlined text above means. In my service.xml for the aar there is a <module ref="rampart" />

I will do some research on the meaning of "engage rahas module to your service AAR"

be sure to activate afterwards

let us know if you have any problem

Brian: I have no problem invoking the default behavior. Just can't get the dispatcher to invoke MY class.

Martin Gainty
______________________________________________
Disclaimer and confidentiality note (original in German and French):
This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to notify the sender. Any unauthorised distribution or copying is prohibited. This message serves for information only and has no legally binding effect. Since e-mails can easily be manipulated, we cannot accept any liability for the content provided.

_____

From: brianreinhold@lampreynetworks.com
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: RE: Configure Custom Rampart STS
Date: Thu, 1 Nov 2012 08:21:40 -0400

Okay, that was an easy fix. But all the other questions remain a mystery. So I performed the following experiments:

1. Started with default service. Rahas.mar and rampart.mar in modules; the default service.xml for the STS service is used. Result: It worked. I got the default SAML20 token.

2. Now I modify the rahas.mar module.xml so that <issuer class="org.apache.rahas.impl.SAML2TokenIssuer"> becomes <issuer class="com.lni.sts.receiver.LNISAML2TokenIssuer">. Result: Failure. Unable to load the class error. (Note that the class LNISAML2TokenIssuer is a copy of org.apache.rahas.impl.SAML2TokenIssuer with the package changed. Required adding public methods to the SAMLTokenIssuerConfig class.)

3. Now I follow instructions except I do NOT remove the rampart.mar file but just the rahas.mar file. I believe that is an error in the instructions. I add the 'operations' element to my service.xml. Result: Failure. Unable to load the class error.
I do not know how to better follow the instructions. Why can't it find the class? It IS present in the aar file in the services directory!

Thanks,

Brian

PS: When I figure out how to actually do this I will write some documentation so others won't have the same struggles!

From: Martin Gainty [mailto:mgainty@hotmail.com]
Sent: Wednesday, October 31, 2012 1:28 PM
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: RE: Configure Custom Rampart STS

usually that happens when the version of the Tomcat java classes != webapp java classes
go to http://localhost:8080/manager/status
write down the version number of java you are using
recompile all of the Java classes for your webapp with the same (JDK) java version from the Tomcat Manager Status
repackage
and
redeploy

Martin
______________________________________________

To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: RE: Configure Custom Rampart STS
Date: Wed, 31 Oct 2012 13:10:58 -0400

Okay,

I believe that I have followed the very limited instructions on how to implement a custom STS service given at http://axis.apache.org/axis2/java/rampart/setting-up-sts.html.

1. First I took the code for the current default SAML20TokenIssuer class and renamed the class and added it to my service. It's a start!
   a. I had to add some getters to the SAMLTokenIssuerConfig class since the variables accessed in the SAML20TokenIssuer class were private in the SAMLTokenIssuerConfig.
   b. After doing that the exported class built.
2. According to the instructions I removed the rampart.mar modules from the modules directory.
3. According to the instructions I made a service.xml pointing to my new class.
   a. I already had the example service.xml for the default service which had saml-issuer-config elements in it as well as the policy and some rampart crypto and password handler info.

The default service.xml had no 'operation' element. I added the elements as shown in the instructions. The yellow highlight below is the name of the new class to issue the token. Without the 'mar' modules I have no idea how it gets called but that's another story!

Of course it did not work. I got an unsupported major minor version in the Tomcat window.

The instructions don't really make sense anyways since it is the modules that are telling what routines are accessed. The rampart.mar module seems like it needs to stay and the rahas module points to the class that invokes the token issuer. I tried various combinations of that approach and it also failed. I also got an unsupported major minor version in the Tomcat window.

In short the instructions for implementing a custom STS service make no sense to me and are too thin to know how to proceed when one has problems or questions. These instructions have not changed as the project has updated and maybe they are simply out of date (for example there is no mention of rahas.mar).

1. Has anyone actually implemented a custom STS in axis2/rampart 1.6.2?
   a. If so did you need to have rampart and rahas mar files in the modules?
      i. If so did you need to modify them in any way?
      ii. If not how does the axis2 architecture know when to call your custom implementation?
   b. Did you have to make a service xml?
   c. If so, how is it different than the service.xml needed for the default implementation (where the token issued is a SAML2.0 token)?
   d. The instructions show a single-line saml-issuer-config value in the 'service.xml'. How would you extend that to get the full xml parameter description of all the saml-issuer-config elements?
Here is my service xml for the custom service based upon the service xml for the default service and the instructions provided in the custom issuer documentation

    <service name="STS_Username">
        <module ref="rampart" />
        <module ref="addressing" />
        <module ref="rahas" />
        <operation name="IssueToken" mep="http://www.w3.org/2006/01/wsdl/in-out">
            <messageReceiver class="org.apache.rahas.STSMessageReceiver"/>

            <!-- Action mapping to accept RST requests -->
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</actionMapping>
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</actionMapping>
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew</actionMapping>
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel</actionMapping>
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel</actionMapping>
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate</actionMapping>

            <parameter name="token-dispatcher-configuration">
                <token-dispatcher-configuration>
                    <!-- Issuers. You may have many issuers. -->
                    <issuer class="com.lnihealth.sts.receiver.LNISAML2TokenIssuer" default="true">
                        <configuration type="parameter">saml-issuer-config</configuration>
                        <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tokenType>
                    </issuer>
                </token-dispatcher-configuration>
            </parameter>
        </operation>

    [saml-issuer-config parameter follows; only its values survive in the archive, the element tags did not: LNI SAML Token Service, service, apache, JKS, service.jks, apache, 2592000, 256, 2, BinarySecret, *]

    [Policy xml follows with rampart config info shown below]

        com.lnihealth.wan.receiver.binding.axis2.PasswordCallback

    [closing of document]

I am fully baffled! Really appreciate any help to get this off the ground!
Brian

From: Martin Gainty [mailto:mgainty@hotmail.com]
Sent: Tuesday, October 30, 2012 3:06 PM
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: RE: Configure Rampart STS

env is a SOAPEnvelope constructed from the input MessageContext

    SOAPEnvelope env = TrustUtil.createSOAPEnvelope(
            inMsgCtx.getEnvelope().getNamespace().getNamespaceURI());

a parent OMElement is constructed from env.getBody()

if addRequestedAttachedRef is true the AttachedRef OMElement gets constructed

    if (config.addRequestedAttachedRef) {
        TrustUtil.createRequestedAttachedRef(
                wstVersion,                       // Rahas version (defaults to 1)
                rstrElem,                         // OMElement: TrustUtil.createRequestSecurityTokenResponseElement(wstVersion, env.getBody())
                "#" + assertion.getID(),          // link within document using GUID constructed with UUIDGenerator.getUUID()
                RahasConstants.TOK_TYPE_SAML_20); // value is "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
    }

if addRequestedUnattachedRef is true the UnattachedRef OMElement gets constructed

    if (config.addRequestedUnattachedRef) {
        TrustUtil.createRequestedUnattachedRef(
                wstVersion,                       // Rahas version (defaults to 1)
                rstrElem,                         // OMElement: TrustUtil.createRequestSecurityTokenResponseElement(wstVersion, env.getBody())
                assertion.getID(),                // GUID constructed with UUIDGenerator.getUUID()
                RahasConstants.TOK_TYPE_SAML_20); // value is "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
    }

rstrElem (2nd arg) is an OMElement constructed here

    public static OMElement createRequestSecurityTokenResponseElement(int version, OMElement parent)
            throws TrustException {
        return createOMElement(parent,
                getWSTNamespace(version),                                  // for version 1: xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
                RahasConstants.LocalNames.REQUEST_SECURITY_TOKEN_RESPONSE, // RequestSecurityTokenResponse
                RahasConstants.WST_PREFIX);                                // wst
    }

you've got a SecurityTokenResponse coming back inlined in Document with TrustUtil.createRequestedAttachedRef; if not in the document call TrustUtil.createRequestedUnAttachedRef

personally i prefer XML declarators to accomplish the same objective, that way you can see the token-dispatcher-configuration being sent in, e.g. services.xml would contain

    <module ref="rampart" />
    <operation name="IssueToken" mep="http://www.w3.org/ns/wsdl/in-out">
        <messageReceiver class="org.apache.rahas.STSMessageReceiver"/>
        <!-- Action mapping to accept RST requests -->
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate</actionMapping>
        <parameter name="token-dispatcher-configuration">
            <token-dispatcher-configuration>
                <!-- Issuers. You may have many issuers. -->
                <issuer class="org.custom.MyIssuer" default="true">
                    <configuration type="parameter">saml-issuer-config</configuration>
                    <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
                </issuer>
            </token-dispatcher-configuration>
        </parameter>
    </operation>

Martin Gainty
______________________________________________

_____

From: brianreinhold@lampreynetworks.com
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: RE: Configure Rampart STS
Date: Tue, 30 Oct 2012 13:56:33 -0400

Martin,

Thanks, but what is unclear is what else exists? (maybe nothing?), and what are these:

In many of the examples the 'saml-issuer-config' had nothing in it. Was it implied that the user is to fill it in?

Brian

From: Martin Gainty [mailto:mgainty@hotmail.com]
Sent: Tuesday, October 30, 2012 1:24 PM
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: RE: Configure Rampart STS

MG>Quick answer inlined

From: Brian Reinhold [mailto:brianreinhold@lampreynetworks.com]
Sent: Tuesday, October 30, 2012 10:38 AM
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: Configure Rampart STS

I am trying to understand how to configure my own STS service to generate a custom SAML token. The instructions are confusing.
First it states to remove the default rampart.mar from the modules. In my modules there is both a rampart.mar and a rahas.mar. Then it states to create a service.xml pointing to one's custom implementation of the TokenIssuer interface. The contents of the example service.xml provided looks very similar to the contents of the rahas.mar module and bears no resemblance to the rampart.mar.

In addition, there is a 'saml-issuer-config' value of the configuration element. I have no idea what that element represents. Do I need to make some type of file containing configuration parameters, and if I do, what are the elements that go in it? Has anybody ever done this? Do I have to play with the axis.xml?

MG>only to add in the module name e.g.
MG>you will want to configure services.xml in WEB-INF\services only

Any insight would be greatly appreciated!

Thanks,

Brian

PS

Here is some stuff I found no documentation on with respect to saml-issuer-config

    SAMPLE_STS
    service
MG>alias for the provided key; you will need the alias to export the cert out of the pfx, e.g.
MG>keytool -exportcert -alias AlienAlias -keystore steve.jks -keypass steve -storepass steve -file steve.cert
    apache
    JKS
MG>safe to stay with JKS although easy enough to convert a p12 format to jks
    service.jks
MG>name of the Java Key file..the absolute path must be known in order to configure a HTTPS connector
    apache
MG>password to the keystore file
    864000000000
MG>lifetime of SAML token default to 5 min
    256
MG>keysize in bits used with generation step e.g. keytool -genkey -keysize 2048
MG>the longer the keysize the more difficult to crack by brute force
    3
MG>
    BinarySecret
MG>
    *
MG>
    http://localhost:8080/axis2/services
MG>/STS
MG>the alias is referenced by the trust-store lookup manager to find a key-entity that was previously inserted into its own truststore

There are several xml elements I cannot find documented anywhere except for the cryptoProperties. Some are easier to GUESS; but it would be nice not to guess. The bigger question is what other parameters exist that I don't see in this example? In general, the documentation on the xml part of Axis2/Rampart is lacking yet is so critical to its use. Does anyone have all the options one can place into the service.xmls and other xml config files (wherever they may be) documented?

MG>Brian the saml-issuer-config elements are well documented at the WS02 site url
MG>https://svn.wso2.org/repos/wso2/carbon/platform/trunk/dependencies/rampart/1.6.1-wso2v4/modules/rampart-trust/sts-aar-resources/saml-issuer-config.xml
MG>let me know if you have any questions or concerns
MG>Martin
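The services.xml fragments traded back and forth in this thread are easy to get subtly wrong: a SAML 2.0 issuer class registered under the SAML 1.1 tokenType, a missing action mapping, or a saml-issuer-config lifetime such as the 864000000000 ms sample above. The linter below is an added example, not code from the thread or from Axis2/Rampart; it assumes the Rampart element names timeToLive and keySize inside saml-issuer-config, and the services.xml it checks is constructed here from the shapes shown in the thread.

```python
# Added example, not code from the thread or from Rampart: a linter for the STS
# services.xml layout discussed above. The element names timeToLive and keySize
# inside saml-issuer-config are assumed from Rampart's SAMLTokenIssuerConfig.
import xml.etree.ElementTree as ET

WST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust"
# The six RST actions both examples in the thread map onto IssueToken.
WST_ACTIONS = {WST_NS + "/RST/" + a
               for a in ("SCT", "Issue", "Renew", "Cancel", "SCT/Cancel", "Validate")}
SAML_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1"
SAML_TOKEN_TYPES = {SAML_PROFILE + "#SAMLV1.1", SAML_PROFILE + "#SAMLV2.0"}
STS_RECEIVER = "org.apache.rahas.STSMessageReceiver"
MAX_TTL_MS = 5 * 60 * 1000  # Martin's "default 5 min" SAML token lifetime
MIN_KEY_SIZE_BITS = 256     # the keySize both sample configs carry


def lint_sts_services_xml(xml_text):
    """Return a list of findings for an STS services.xml; empty means clean."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    if "rampart" not in {m.get("ref") for m in root.findall("module")}:
        findings.append("rampart module is not engaged via <module ref=\"rampart\"/>")
    op = root.find("operation[@name='IssueToken']")
    if op is None:
        findings.append("no IssueToken operation, so no RST will reach the STS")
        return findings
    receiver = op.find("messageReceiver")
    if receiver is None or receiver.get("class") != STS_RECEIVER:
        findings.append("IssueToken is not handled by " + STS_RECEIVER)
    mapped = {(a.text or "").strip() for a in op.findall("actionMapping")}
    for action in sorted(WST_ACTIONS - mapped):
        findings.append("missing actionMapping for " + action)

    tdc = op.find("parameter[@name='token-dispatcher-configuration']"
                  "/token-dispatcher-configuration")
    issuers = [] if tdc is None else tdc.findall("issuer")
    if not issuers:
        findings.append("token-dispatcher-configuration declares no issuer")
    defaults = [i for i in issuers if i.get("default") == "true"]
    if len(defaults) != 1:
        findings.append("expected exactly one default issuer, found %d" % len(defaults))
    for issuer in issuers:
        cls = issuer.get("class", "")
        ttype = (issuer.findtext("tokenType") or "").strip()
        if ttype not in SAML_TOKEN_TYPES:
            findings.append("issuer %s: unrecognised tokenType %r" % (cls, ttype))
        # Class-name heuristic: a SAML 2.0 issuer advertised under the SAML 1.1
        # tokenType (the mix in the Nov 1 services.xml) is the wrong dispatch key.
        if "SAML2" in cls.upper() and ttype.endswith("#SAMLV1.1"):
            findings.append("issuer %s: class name suggests SAML 2.0 but tokenType is SAMLV1.1" % cls)
        # configuration type="parameter" must name a parameter defined on the service.
        conf = issuer.find("configuration")
        if conf is not None and conf.get("type") == "parameter":
            pname = (conf.text or "").strip()
            if root.find("parameter[@name='%s']" % pname) is None:
                findings.append("issuer %s: configuration parameter %r not defined" % (cls, pname))

    cfg = root.find("parameter[@name='saml-issuer-config']/saml-issuer-config")
    if cfg is not None:
        ttl = (cfg.findtext("timeToLive") or "").strip()
        if ttl.isdigit() and int(ttl) > MAX_TTL_MS:
            findings.append("timeToLive %s ms is far above a 5 minute token lifetime" % ttl)
        key_size = (cfg.findtext("keySize") or "").strip()
        if key_size.isdigit() and int(key_size) < MIN_KEY_SIZE_BITS:
            findings.append("keySize %s bits is below %d" % (key_size, MIN_KEY_SIZE_BITS))
    return findings


# Constructed sample: the Nov 1 services.xml shape from the thread plus a
# saml-issuer-config carrying Martin's 864000000000 ms lifetime sample.
SAMPLE_SERVICES_XML = """
<service name="STS_Username">
  <module ref="rampart" />
  <operation name="IssueToken" mep="http://www.w3.org/2006/01/wsdl/in-out">
    <messageReceiver class="org.apache.rahas.STSMessageReceiver"/>
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</actionMapping>
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</actionMapping>
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew</actionMapping>
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel</actionMapping>
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel</actionMapping>
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate</actionMapping>
    <parameter name="token-dispatcher-configuration">
      <token-dispatcher-configuration>
        <issuer class="com.lnihealth.sts.receiver.LNISAML2TokenIssuer" default="true">
          <configuration type="parameter">saml-issuer-config</configuration>
          <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
        </issuer>
      </token-dispatcher-configuration>
    </parameter>
  </operation>
  <parameter name="saml-issuer-config">
    <saml-issuer-config>
      <timeToLive>864000000000</timeToLive>
      <keySize>256</keySize>
    </saml-issuer-config>
  </parameter>
</service>
"""
```

Running `lint_sts_services_xml(SAMPLE_SERVICES_XML)` reports the SAML 2.0/SAML 1.1 tokenType mix and the oversized lifetime; switching the tokenType to SAMLV2.0 and the lifetime to 300000 ms yields no findings.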

Martin,

 

I am confused. I already have a rahas.mar module that works fine as = long as I continue to use the default STS implementation. What I = can’t do is to get the token dispatcher to call MY version of the = SAML2TokenIssuer.

I COULD modify the rahas source code of the Saml2TokenIssuer class to = make my ‘custom’ STS token. However, that is NOT what I want = to do for obvious reasons. Ideally I want to use the Axis2/Rampart jars = and mars as they are and configure the deployment to use my STS service = and not the default STS service.

 

The instructions say to add the following to the custom service after = removing the rampart module (but I only removed the rahas module) Note I = insert the element below INTO the existing default STS service = xml:

 

<module ref=3D"rampart" = />

 

<operation = name=3D"IssueToken"

=A0=A0=A0=A0=A0=A0=A0 = mep=3D"http://www.w3.org/2006/01/wsdl/in-out">

=A0=A0=A0 = <messageReceiver

=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 = class=3D"org.apache.rahas.STSMessageReceiver"/>

 

=A0=A0=A0 <!-- Action mapping to accept RST = requests -->

=A0=A0=A0 = <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT&= lt;/actionMapping>

=A0=A0=A0 = <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issu= e</actionMapping>

=A0=A0=A0 = <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Rene= w</actionMapping>

=A0=A0=A0 = <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Canc= el</actionMapping>

=A0=A0=A0 = <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/= Cancel</actionMapping>

=A0=A0=A0 = <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Vali= date</actionMapping>

 

=A0=A0=A0 <parameter = name=3D"token-dispatcher-configuration">

=A0=A0=A0=A0=A0=A0=A0 = <token-dispatcher-configuration>

=A0=A0=A0=A0=A0=A0=A0 <!-- Issuers. You may have = many issuers. -->

=A0=A0=A0=A0=A0=A0=A0 <issuer class=3D"com.lnihealth.sts.receiv= er.LNISAML2TokenIssuer" = default=3D"true">

=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 = <configuration

=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0= =A0=A0=A0=A0=A0 = type=3D"parameter">saml-issuer-config</configuration><= o:p>

=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 = <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-prof= ile-1.1#SAMLV1.1</tokenType>

=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 = </issuer>

=A0=A0=A0=A0=A0=A0=A0 = </token-dispatcher-configuration>

=A0=A0=A0 </parameter>

 

</operation>

 

Which is exactly what I have done EXCEPT=A0 for the yellow = highlighted code which points to my implementation. The rahas.mar module = has been removed from the axis2/web-apps/modules directory as = instructed.

 

The above throws the ClassNotFoundException. Change the class to = “org.apache.rahas.impl.SAML2TokenIssuer” it works like a = charm. (Interestingly what I place in the modules.list file has no = effect on the result.)

 

Thanks (few remarks below)

 

Brian

 

From:= = Martin Gainty [mailto:mgainty@hotmail.com]
Sent: Thursday, = November 01, 2012 10:54 AM
To: java-dev@axis.apache.org; = rtercerol@gmail.com
Subject: RE: Configure Custom Rampart = STS

 

Both = SamlTokenIssuer and SamlTokenIssuerConfig are classes which belong to = rampart-trust module...the pom.xml should look like

   = <groupId>org.apache.rampart</groupId>
    = <artifactId>rahas</artifactId>
    = <packaging>mar</packaging>
    = <version>${rahas.mar.version}</version

so to compile the = rahas module I first compile then package with
mvn -e -X = compile
mvn -e -X package

should result in = \target\rahas-${rahas.mar.version}.mar

and should contain the = rahas = classes
org.apache.rahas.impl.SAMLTokenIssuer
org.apache.rahas.impl= .SAMLTokenIssuerConfig

 

Brian: It does (and always has)



whic= h you can now deploy to = $CATALINA_HOME\webapps\Axis2Webapp\WEB-INF\modules

 

Brian: which I have done

be = sure to update modules.list
use your Axis2 admin screen to engage rahas module to your = service AAR

 

Brian: I do NOT know what the underlined text above means. In my = service.xml for the aar there is a <module ref=3D"rampart" />

I will do some research on the meaning of “engage = rahas module to your service AAR


be sure = to activate afterwards

let us know if you have any problem

 

Brian: I have no problem invoking the default behavior. Just = can’t get the dispatcher to invoke MY = class.


Martin = Gainty
______________________________________________
Verzicht = und Vertraulichkeitanmerkung/Note de d=E9ni et de = confidentialit=E9


Diese = Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger = sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte = Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese = Nachricht dient lediglich dem Austausch von Informationen und entfaltet = keine rechtliche Bindungswirkung. Aufgrund der leichten = Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt = uebernehmen.

Ce message est confidentiel =
et peut =EAtre privil=E9gi=E9. Si vous n'=EAtes pas le destinataire =
pr=E9vu, nous te demandons avec bont=E9 que pour satisfaire informez =
l'exp=E9diteur. N'importe quelle diffusion non autoris=E9e ou la copie =
de ceci est interdite. Ce message sert =E0 l'information seulement et =
n'aura pas n'importe quel effet l=E9galement obligatoire. =C9tant =
donn=E9 que les email peuvent facilement =EAtre sujets =E0 la =
manipulation, nous ne pouvons accepter aucune responsabilit=E9 pour le =
contenu fourni.




From: brianreinhold@lampreyne= tworks.com
To: java-dev@axis.apache.org; = rtercerol@gmail.com
Subject: = RE: Configure Custom Rampart STS
Date: Thu, 1 Nov 2012 08:21:40 = -0400

Okay, that was an easy fix. But all the other questions remain a = mystery. So I performed the following experiments:<= /span>

 <= /span>

1.     &nb= sp; Started with default service. Rahas.mar and rampart.mar in modules; = the default service.xml for the STS service is used. Result: It worked. = I got the default SAML20 token<= /span>

2.     &nb= sp; Now I modify the rahas.mar module.xml so that <issuer = class=3D"org.apache.rahas.impl.SAML2TokenIssuer"> becomes = <issuer = class=3D"com.lni.sts.receiver.LNISAML2TokenIssuer">. = Result: Failure. Unable to load the class error. (Note that the class = LNISAML2ToeknIssuer is a copy of org.apache.rahas.impl.SAML2TokenIssuer = with the package changed. Required adding public methods to the = SAMLTokenIssuerConfig class)<= /span>

3.     &nb= sp; Now I follow instructions except I do NOT remove the rampart.mar file = but just the rahas.mar file. I believe that is an error in the = instructions. I add the ‘operations’ element to my = service.xml. Result: Failure. Unable to load the class = error.<= /span>

I do not know how to better follow the instructions. Why can’t = it find the class. It IS present in the aar file in the services = directory!<= /span>

 <= /span>

Thanks,<= /span>

 <= /span>

Brian<= /span>

 <= /span>

PS: When I figure out how to actually do this I will write some = documentation so others won’t have the same struggles!<= /span>

 <= /span>

From:= = Martin Gainty [mailto:mgainty@hotmail.com] =
Sent: Wednesday, October 31, 2012 1:28 PM
To: java-dev@axis.apache.org; = rtercerol@gmail.com
Subject= : RE: Configure Custom Rampart = STS

 <= /o:p>

usually = that happens when you the version of Tomcat java classes !=3D webapp = java classes

go to http://localhost:8080/manager/status
write down = the version number of java you are using

recompile all of the = Java classes for your webapp with the same (JDK) java version from the = Tomcat Manager Status
repackage
and
redeploy

Martin =
______________________________________________ =

To: java-dev@axis.apache.org; = rtercerol@gmail.com
Subject: = RE: Configure Custom Rampart STS
Date: Wed, 31 Oct 2012 13:10:58 = -0400

Okay,<= /span>

 <= /span>

I believe that I have followed the very limited instructions on how = to implement a custom STS service given at http://axis.apache.org/axis2/java/rampart/setting-up-st= s.html. <= /span>

1.       First I took the code for the current default SAML20TokenIssuer class = and renamed the class and added it to my service. It’s a = start!<= /span>

a.        I had to add some getters to the SAMLTokenIssu= erConfig class since the variables accessed in the SAML20TokenIssuer class = were private in the SAMLTokenIssu= erConfig.<= /span>

b.      After doing that the exported class built. <= /span>

2.       According to the instructions I removed the rampart.mar modules from = the modules directory.<= /span>

3.       According to the instructions I made a service.xml pointing to my new = class. <= /span>

a.       I already had the example service.xml for the default service which = had saml-issuer-config elements in it as well as the policy and some = rampart crypto and password handler info.<= /span>

 <= /span>

The default service.xml had no ‘operation’ element. I = added the elements as shown in the instructions. The yellow highlight = below is the name of the new class to issue the token. Without the = ‘mar’ modules I have no idea how it gets called but = that’s another story!<= /span>

 <= /span>

Of course it did not work. I got an unsupported major minor version = in the Tomcat window.<= /span>

 <= /span>

The instructions don’t really make sense anyways since it is = the modules that are telling what routines are accessed. The rampart.mar = module seems like it needs to stay and the rahas module points to the = class the invokes the token issuer. I tried various combinations of that = approach and it also failed. I also got an unsupported major minor = version in the Tomcat window.<= /span>

 <= /span>

In short the instructions for implementing a custom STS service make = no sense to me and are too thin to know how to proceed when one has = problems or questions. These instructions have not changed as the = project has updated and maybe they are simply out of date (for example = there is no mention of rahas.mar).<= /span>

 <= /span>

1.        Has anyone actually implemented a custom STS in axis2/rampart = 1.6.2?<= /span>

a.       If so did you need to have rampart and rahas mar files in the = modules?<= /span>

            =             &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;  i.      If so did you need to modify them in any way?<= /span>

            =             &= nbsp;           &n= bsp;           &nb= sp;            = ii.      If not how does the axis2 architecture know when to call your custom = implementation?<= /span>

b.      Did you have to make a service xml?<= /span>

c.       If so, how is it different than the service.xml needed for the = default implementation (where the token issued is a SAML2.0 = token)?<= /span>

d.      The instructions show a single-line saml-issuer-c= onfig value in the ‘service.xml’. How would you extend that to = get the full xml parameter description of all the saml-issuer-config = elements?<= /span>

 <= /span>

Here is my service xml for the custom service based upon the service = xml for the default service and the instructions provided in the custom = issuer documentation<= /span>

 <= /span>

    <service name="STS_Username">
        <module ref="rampart" />
        <module ref="addressing" />
        <module ref="rahas" />
        <operation name="IssueToken" mep="http://www.w3.org/2006/01/wsdl/in-out">
            <messageReceiver class="org.apache.rahas.STSMessageReceiver"/>

            <!-- Action mapping to accept RST requests -->
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</actionMapping>
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</actionMapping>
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew</actionMapping>
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel</actionMapping>
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel</actionMapping>
            <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate</actionMapping>

            <parameter name="token-dispatcher-configuration">
                <token-dispatcher-configuration>
                    <!-- Issuers. You may have many issuers. -->
                    <issuer class="com.lnihealth.sts.receiver.LNISAML2TokenIssuer" default="true">
                        <configuration type="parameter">saml-issuer-config</configuration>
                        <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tokenType>
                    </issuer>
                </token-dispatcher-configuration>
            </parameter>

        </operation>

        <parameter name="saml-issuer-config">
            <saml-issuer-config>
                <issuerName>LNI SAML Token Service</issuerName>
                <issuerKeyAlias>service</issuerKeyAlias>
                <issuerKeyPassword>apache</issuerKeyPassword>
                <cryptoProperties>
                    <crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
                        <property name="org.apache.ws.security.crypto.merlin.file">service.jks</property>
                        <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
                    </crypto>
                </cryptoProperties>
                <!-- 30 days -->
                <timeToLive>2592000</timeToLive>
                <keySize>256</keySize>
                <addRequestedAttachedRef />
                <addRequestedUnattachedRef />

                <!--
                    Key computation mechanism
                    1 - Use Request Entropy
                    2 - Provide Entropy
                    3 - Use Own Key
                -->
                <keyComputation>2</keyComputation>

                <!--
                    proofKeyType element is valid only if the keyComputation is set to 3
                    i.e. Use Own Key

                    Valid values are: EncryptedKey & BinarySecret
                -->
                <proofKeyType>BinarySecret</proofKeyType>
                <trusted-services>
                    <service alias="service">*</service>
                </trusted-services>
            </saml-issuer-config>
        </parameter>

[Policy xml follows with rampart config info shown below]

            <!-- These elements are clearly rampart specific and are not part of WS-Policy or WS-SecurePolicy -->
            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <ramp:passwordCallbackClass>com.lnihealth.wan.receiver.binding.axis2.PasswordCallback</ramp:passwordCallbackClass>
            </ramp:RampartConfig>
            <!-- End of rampart specific area. This stuff should be removed when exchanging policies -->

[closing of document]

I am fully baffled! Really appreciate any help to get this off the ground!

Brian
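
The "unsupported major minor version" message reported above is the JVM's UnsupportedClassVersionError: a class file compiled for a newer Java release than the JVM running Tomcat. The check below is an added example, not code from the thread or from Rampart; it reads the version stamp of every class inside a jar and lists the ones a given runtime cannot load, using a constructed sample jar with made-up class names.

```python
import io
import struct
import zipfile

# Class-file major version -> Java release that introduced it.
JAVA_RELEASE = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6",
                51: "7", 52: "8"}
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def class_major_version(data):
    """Return the major version from the 8-byte header of a .class file."""
    if len(data) < 8 or data[:4] != CLASS_MAGIC:
        raise ValueError("not a Java class file")
    _minor, major = struct.unpack(">HH", data[4:8])
    return major


def classes_newer_than(jar, runtime_major):
    """List (entry name, major) for classes a JVM of runtime_major cannot load.

    jar may be a path or a file object; nested jars are not descended into.
    """
    too_new = []
    with zipfile.ZipFile(jar) as archive:
        for name in archive.namelist():
            if name.endswith(".class"):
                major = class_major_version(archive.read(name))
                if major > runtime_major:
                    too_new.append((name, major))
    return too_new


def build_sample_jar():
    """Constructed sample: one class stamped Java 7 (51), one Java 6 (50)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("com/example/CustomIssuer.class", CLASS_MAGIC + b"\x00\x00\x00\x33")
        archive.writestr("com/example/Helper.class", CLASS_MAGIC + b"\x00\x00\x00\x32")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # A Tomcat running on Java 6 (major 50) would reject the Java 7 class.
    for name, major in classes_newer_than(build_sample_jar(), 50):
        print("%s needs Java %s (major %d)" % (name, JAVA_RELEASE.get(major, "?"), major))
```

Point classes_newer_than at the custom issuer jar and at the major version of the JVM Tomcat actually runs on; any entry it lists has to be recompiled with -target for that runtime.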

From: Martin Gainty [mailto:mgainty@hotmail.com]
Sent: Tuesday, October 30, 2012 3:06 PM
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: RE: Configure Rampart STS

env is a SOAPEnvelope constructed from the input MessageContext
SOAPEnvelope env = TrustUtil.createSOAPEnvelope(inMsgCtx.getEnvelope().getNamespace().getNamespaceURI());
a parent OMElement is constructed from env.getBody()

if addRequestedAttachedRef is true the AttachedRef OMElement gets constructed

if (config.addRequestedAttachedRef) {
    TrustUtil.createRequestedAttachedRef(
            wstVersion,                       // Rahas version (defaults to 1)
            rstrElem,                         // OMElement TrustUtil.createRequestSecurityTokenResponseElement(wstVersion, env.getBody());
            "#" + assertion.getID(),          // link within document using GUID constructed with UUIDGenerator.getUUID()
            RahasConstants.TOK_TYPE_SAML_20); // value is "http://docs.oasis-open.org/wss/" + "oasis-wss-saml-token-profile-1.1#SAMLV2.0"
}

if addRequestedUnattachedRef is true the UnattachedRef OMElement gets constructed

if (config.addRequestedUnattachedRef) {
    TrustUtil.createRequestedUnattachedRef(
            wstVersion,                       // Rahas version (defaults to 1)
            rstrElem,                         // OMElement TrustUtil.createRequestSecurityTokenResponseElement(wstVersion, env.getBody());
            assertion.getID(),                // GUID constructed with UUIDGenerator.getUUID()
            RahasConstants.TOK_TYPE_SAML_20); // value is "http://docs.oasis-open.org/wss/" + "oasis-wss-saml-token-profile-1.1#SAMLV2.0"
}

rstrElem (2nd arg) is an OMElement constructed here
public static OMElement createRequestSecurityTokenResponseElement(int version,
                                                                  OMElement parent) throws TrustException {
    return createOMElement(parent,
            getWSTNamespace(version),    // for version 1: xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
            RahasConstants.LocalNames.REQUEST_SECURITY_TOKEN_RESPONSE,  // RequestSecurityTokenResponse
            RahasConstants.WST_PREFIX);  // wst
}

you've got a SecurityTokenResponse coming back inlined in Document with TrustUtil.createRequestedAttachedRef
if not in the document call TrustUtil.createRequestedUnAttachedRef

personally I prefer XML declarators to accomplish the same objective; that way you can see the token-dispatcher-configuration being sent in e.g.
services.xml would contain

<module ref="rampart" />

<operation name="IssueToken"
           mep="http://www.w3.org/ns/wsdl/in-out">
    <messageReceiver
        class="org.apache.rahas.STSMessageReceiver"/>

    <!-- Action mapping to accept RST requests -->
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</actionMapping>
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</actionMapping>
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew</actionMapping>
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel</actionMapping>
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel</actionMapping>
    <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate</actionMapping>

    <parameter name="token-dispatcher-configuration">
        <token-dispatcher-configuration>
            <!-- Issuers. You may have many issuers. -->
            <issuer class="org.custom.MyIssuer" default="true">
                <configuration type="parameter">saml-issuer-config</configuration>
                <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
            </issuer>
        </token-dispatcher-configuration>
    </parameter>

</operation>
Martin Gainty

From: brianreinhold@lampreynetworks.com
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: RE: Configure Rampart STS
Date: Tue, 30 Oct 2012 13:56:33 -0400

Martin,

Thanks, but what is unclear is what else exists? (maybe nothing?), and what are these: <addRequestedAttachedRef /> <addRequestedUnattachedRef />

In many of the examples the 'saml-issuer-config' had nothing in it. Was it implied that the user is to fill it in?

Brian

From: Martin Gainty [mailto:mgainty@hotmail.com]
Sent: Tuesday, October 30, 2012 1:24 PM
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: RE: Configure Rampart STS

MG>Quick answer inlined

From: Brian Reinhold [mailto:brianreinhold@lampreynetworks.com]
Sent: Tuesday, October 30, 2012 10:38 AM
To: java-dev@axis.apache.org; rtercerol@gmail.com
Subject: Configure Rampart STS

I am trying to understand how to configure my own STS service to generate a custom SAML token. The instructions are confusing.

First it states to remove the default rampart.mar from the modules. In my modules there is both a rampart.mar and a rahas.mar.

Then it states to create a service.xml pointing to one's custom implementation of the TokenIssuer interface. The contents of the example service.xml provided look very similar to the contents of the rahas.mar module and bear no resemblance to the rampart.mar.

In addition, there is a 'saml-issuer-config' value of the configuration element. I have no idea what that element represents. Do I need to make some type of file containing configuration parameters, and if I do, what are the elements that go in it? Has anybody ever done this? Do I have to play with the axis.xml?

MG>only to add in the module name e.g. <module ref="rampart"/>

MG>you will want to configure services.xml in WEB-INF\services only

Any insight would be greatly appreciated!

Thanks,

Brian

PS

Here is some stuff I found no documentation on with respect to saml-issuer-config


        <parameter name="saml-issuer-config">
            <saml-issuer-config>
                <issuerName>SAMPLE_STS</issuerName>
                <issuerKeyAlias>service</issuerKeyAlias>

MG>alias for the provided key you will need the alias to export the cert out of the pfx e.g.

MG>keytool -exportcert -alias AlienAlias -keystore steve.jks -keypass steve -storepass steve -file steve.cert

                <issuerKeyPassword>apache</issuerKeyPassword>
                <cryptoProperties>
                    <crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>

MG>safe to stay with JKS although easy enough to convert a p12 format to jks

                        <property name="org.apache.ws.security.crypto.merlin.file">service.jks</property>

MG>name of the Java Key file..the absolute path must be known in order to configure a HTTPS connector

                        <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>

MG>password to the keystore file

                    </crypto>
                </cryptoProperties>
                <timeToLive>864000000000</timeToLive>

MG>lifetime of SAML token default to 5 min

                <keySize>256</keySize>

MG>keysize in bits used with generation step e.g. keytool -genkey -keysize 2048

MG>the longer the keysize the more difficult to crack by brute force

                <addRequestedAttachedRef />
                <addRequestedUnattachedRef />
                <keyComputation>3</keyComputation>

MG><!-- Key computation mechanism 1 - Use Request Entropy 2 - Provide Entropy 3 - Use Own Key -->

                <proofKeyType>BinarySecret</proofKeyType>

MG><!-- proofKeyType element is valid only if the keyComputation is set to 3 i.e. Use Own Key Valid values are: EncryptedKey & BinarySecret -->

                <trusted-services>
                    <service alias="service">*</service>

MG><!-- The service name and the alias of the trusted cert to use --> <service alias="bob">http://localhost:8080/axis2/services/STS</service>

MG>the alias is referenced by the trust-store lookup manager to find a key-entity that was previously inserted its own truststore

                </trusted-services>
            </saml-issuer-config>
        </parameter>

There are several xml elements I cannot find documented anywhere except for the cryptoProperties. Some are easier to GUESS; but it would be nice not to guess. The bigger question is what other parameters exist that I don't see in this example? In general, the documentation on the xml part of Axis2/Rampart is lacking yet is so critical to its use. Does anyone have all the options one can place into the service.xmls and other xml config files (where ever they may be) documented?

MG>Brian the saml-issuer-config elements are well documented at the WSO2 site url

MG>https://svn.wso2.org/repos/wso2/carbon/platform/trunk/dependencies/rampart/1.6.1-wso2v4/modules/rampart-trust/sts-aar-resources/saml-issuer-config.xml

MG>let me know if you have any questions or concerns

MG>Martin
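
The annotated config above is where the settings that matter live: keyComputation versus proofKeyType, timeToLive, the trusted-services alias mapping and the keystore password. The script below is an added example, not code from the thread or from Rampart; it pulls those elements out of a services.xml and reports the settings a reviewer would question. The embedded services.xml is a constructed sample condensed from Brian's posted config, and the lifetime threshold is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample, condensed from the issuer config posted in the thread.
SAMPLE_SERVICES_XML = """<service name="STS_Username">
  <parameter name="saml-issuer-config">
    <saml-issuer-config>
      <issuerName>LNI SAML Token Service</issuerName>
      <issuerKeyPassword>apache</issuerKeyPassword>
      <cryptoProperties>
        <crypto provider="org.apache.ws.security.components.crypto.Merlin">
          <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
        </crypto>
      </cryptoProperties>
      <timeToLive>2592000</timeToLive>
      <keyComputation>2</keyComputation>
      <proofKeyType>BinarySecret</proofKeyType>
      <trusted-services>
        <service alias="service">*</service>
      </trusted-services>
    </saml-issuer-config>
  </parameter>
</service>
"""

# Assumption: flag lifetimes above this, in whatever unit the deployed Rahas reads.
MAX_TTL = 3600


def lint_saml_issuer_config(xml_text, max_ttl=MAX_TTL):
    """Return (severity, message) findings for a services.xml issuer config."""
    root = ET.fromstring(xml_text)
    cfg = root.find("./parameter[@name='saml-issuer-config']/saml-issuer-config")
    if cfg is None:
        return [("error", "no saml-issuer-config parameter found")]

    def text(tag):
        return (cfg.findtext(tag) or "").strip()
    findings = []
    # Rule stated in the thread: proofKeyType only applies when keyComputation is 3.
    if text("proofKeyType") and text("keyComputation") != "3":
        findings.append(("warn", "proofKeyType is ignored because keyComputation is not 3"))
    # '*' maps every requested service (AppliesTo) to the one trusted alias.
    for svc in cfg.iterfind("./trusted-services/service"):
        if (svc.text or "").strip() == "*":
            findings.append(("warn", "trusted-services wildcard for alias %r" % svc.get("alias")))
    # Secrets kept in clear text inside the deployable services.xml.
    if text("issuerKeyPassword"):
        findings.append(("info", "issuerKeyPassword stored in clear text"))
    for prop in cfg.iterfind(".//crypto/property"):
        if prop.get("name", "").endswith("keystore.password") and (prop.text or "").strip():
            findings.append(("info", "keystore password stored in clear text"))
    ttl = text("timeToLive")
    if ttl.isdigit() and int(ttl) > max_ttl:
        findings.append(("warn", "timeToLive %s exceeds %d" % (ttl, max_ttl)))
    return findings


if __name__ == "__main__":
    for severity, message in lint_saml_issuer_config(SAMPLE_SERVICES_XML):
        print(severity.upper(), message)
```

Run against the sample it reports five findings; setting keyComputation to 3 and replacing the wildcard with an explicit service endpoint, as Martin's inline example does, clears the two warnings.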