MG>Quick answer inlined
From: Brian Reinhold [mailto:brianreinh...@lampreynetworks.com] 
Sent: Tuesday, October 30, 2012 10:38 AM
To: java-dev@axis.apache.org; rterce...@gmail.com
Subject: Configure Rampart STS

I am trying to understand how to configure my own STS service to generate a custom SAML token. The instructions are confusing. First it states to remove the default rampart.mar from the modules. In my modules there is both a rampart.mar and a rahas.mar. Then it states to create a service.xml pointing to one's custom implementation of the TokenIssuer interface. The contents of the example service.xml provided looks very similar to the contents of the rahas.mar module and bears no resemblance to the rampart.mar. In addition, there is a 'saml-issuer-config' value of the configuration element. I have no idea what that element represents. Do I need to make some type of file containing configuration parameters, and if I do, what are the elements that go in it? Has anybody ever done this? Do I have to play with the axis.xml?
MG>only to add in the module name e.g. <module ref="rampart"/>
MG>you will want to configure services.xml in WEB-INF\services only

Any insight would be greatly appreciated!

Thanks,
Brian

PS Here is some stuff I found no documentation on with respect to saml-issuer-config

        <parameter name="saml-issuer-config">
            <saml-issuer-config>
                <issuerName>SAMPLE_STS</issuerName>
                <issuerKeyAlias>service</issuerKeyAlias>
MG>alias for the provided key; you will need the alias to export the cert out of the pfx e.g.
MG>keytool -exportcert -alias AlienAlias -keystore steve.jks -keypass steve -storepass steve -file steve.cert
                <issuerKeyPassword>apache</issuerKeyPassword>
                <cryptoProperties>
                    <crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
MG>safe to stay with JKS although easy enough to convert a p12 format to jks
                        <property name="org.apache.ws.security.crypto.merlin.file">service.jks</property>
MG>name of the Java Key file.. the absolute path must be known in order to configure a HTTPS connector
                        <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
MG>password to the keystore file
                    </crypto>
                </cryptoProperties>
                <timeToLive>864000000000</timeToLive>
MG>lifetime of SAML token, default to 5 min
                <keySize>256</keySize>
MG>keysize in bits used with generation step e.g. keytool -genkey -keysize 2048
MG>the longer the keysize the more difficult to crack by brute force
                <addRequestedAttachedRef />
                <addRequestedUnattachedRef />

                <keyComputation>3</keyComputation>
MG><!--
       Key computation mechanism
       1 - Use Request Entropy
       2 - Provide Entropy
       3 - Use Own Key
    -->
                <proofKeyType>BinarySecret</proofKeyType>
MG><!--
       proofKeyType element is valid only if the keyComputation is set to 3
       i.e. Use Own Key

       Valid values are: EncryptedKey & BinarySecret
    -->
                <trusted-services>
                    <service alias="service">*</service>
MG><!-- The service name and the alias of the trusted cert to use -->
                    <service alias="bob">http://localhost:8080/axis2/services/STS</service>
MG>the alias is referenced by the trust-store lookup manager to find a key-entity that was previously inserted in its own truststore
                </trusted-services>
            </saml-issuer-config>
        </parameter>

There are several xml elements I cannot find documented anywhere except for the cryptoProperties. Some are easier to GUESS; but it would be nice not to guess. The bigger question is what other parameters exist that I don't see in this example? In general, the documentation on the xml part of Axis2/Rampart is lacking yet is so critical to its use. Does anyone have all the options one can place into the service.xmls and other xml config files (wherever they may be) documented?
MG>Brian, the saml-issuer-config elements are well documented at the WSO2 site url
MG>https://svn.wso2.org/repos/wso2/carbon/platform/trunk/dependencies/rampart/1.6.1-wso2v4/modules/rampart-trust/sts-aar-resources/saml-issuer-config.xml

MG>let me know if you have any questions or concerns

MG>Martin
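An added example, not from the thread or from Rampart itself: a small Python audit of a saml-issuer-config block like the one quoted above, checking what a reviewer would look at before deploying an STS: the token lifetime (assumed to be in milliseconds, consistent with the 5 minute default Martin mentions; the one-hour review threshold is an assumption), the key size, the proofKeyType/keyComputation pairing described in the comments, a '*' trusted-services entry (treated here as matching any service, an assumption), and a keystore password written in plain text into services.xml. The sample XML is constructed to mirror the quoted fragment.

```python
"""Audit a Rampart saml-issuer-config fragment for settings worth a second look."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the services.xml fragment quoted in the thread.
SAMPLE = """<parameter name="saml-issuer-config">
  <saml-issuer-config>
    <issuerName>SAMPLE_STS</issuerName>
    <issuerKeyAlias>service</issuerKeyAlias>
    <issuerKeyPassword>apache</issuerKeyPassword>
    <cryptoProperties>
      <crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
        <property name="org.apache.ws.security.crypto.merlin.file">service.jks</property>
        <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
      </crypto>
    </cryptoProperties>
    <timeToLive>864000000000</timeToLive>
    <keySize>256</keySize>
    <keyComputation>3</keyComputation>
    <proofKeyType>BinarySecret</proofKeyType>
    <trusted-services>
      <service alias="service">*</service>
      <service alias="bob">http://localhost:8080/axis2/services/STS</service>
    </trusted-services>
  </saml-issuer-config>
</parameter>"""

MAX_TTL_MS = 60 * 60 * 1000  # review threshold (assumption): one hour
MIN_KEY_BITS = 256


def audit(xml_text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    cfg = ET.fromstring(xml_text).find("saml-issuer-config")
    findings = []
    ttl = int(cfg.findtext("timeToLive", "300000"))  # assumed milliseconds; 5 min default
    if ttl > MAX_TTL_MS:
        findings.append(f"timeToLive {ttl} ms exceeds review threshold of {MAX_TTL_MS} ms")
    bits = int(cfg.findtext("keySize", "0"))
    if bits < MIN_KEY_BITS:
        findings.append(f"keySize {bits} is below {MIN_KEY_BITS} bits")
    # Per the config comments, proofKeyType only applies when keyComputation is 3 (Use Own Key).
    if cfg.findtext("proofKeyType") and cfg.findtext("keyComputation") != "3":
        findings.append("proofKeyType is set but keyComputation is not 3; it will be ignored")
    for svc in cfg.iterfind("trusted-services/service"):
        if (svc.text or "").strip() == "*":
            findings.append(f"trusted-services: '*' entry (alias {svc.attrib['alias']}) matches any service")
    for prop in cfg.iterfind("cryptoProperties/crypto/property"):
        if prop.attrib["name"].endswith("keystore.password"):
            findings.append("keystore password is stored in plain text in services.xml")
    return findings
```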