Articles #17 and #18 here:
http://www.jroller.com/gmazza/entry/blog_article_index, may give you
more background on the purpose of each key. Of course, a key is used
whenever an actor needs to sign or encrypt a message, so you'll see it
employed in a WS-Trust scenario whenever any actor (client, STS, or WSP)
is performing one of those actions, which depends on how you are
implementing WS-Trust (e.g., UsernameToken or X509 authentication of the
client with the STS, and the signature/encryption requirements of the
security token created by the STS).
For myservicekey, symmetric binding can be used between the WSP and WSC
after the latter has the security token and is ready to make a SOAP
call, hence the need for the WSC to have it (to encrypt the SOAP call),
and the STS uses the WSP's (public) key for token validation and if the
STS needs to encrypt the issued token such that only the WSP can read it.
HTH,
Glen
On 01/30/2012 04:41 AM, Christian Stettler wrote:
Dear list,
while playing with the Fediz IDP / STS, some questions arose in the context of
certificates used:
In the sample keystores of IDP (clientstore.jks) and STS (stsstore.jks), there
are a number of certificates included:
IDP (clientstore.jks)
- mystskey, Feb 9, 2011, trustedCertEntry
- myservicekey, Feb 28, 2011, trustedCertEntry
- myclientkey, Feb 9, 2011, PrivateKeyEntry
STS (stsstore.jks)
- mystskey, Feb 9, 2011, PrivateKeyEntry
- myservicekey, Feb 9, 2011, trustedCertEntry
- myclientkey, Feb 9, 2011, trustedCertEntry
We currently have the following understanding:
- mystskey: private key of the STS, used for signing the requested token (???),
imported into IDP trust store for the SSL connection to the STS (in case the
STS key is used as the SSL certificate)
- myservicekey: purpose unclear
- myclientkey: private key of the IDP, used to authenticate against the STS,
if client authentication is enabled
Is our understanding correct so far? It would be great if someone could shed
some more light on the various certificates involved and their purpose.
A few other questions in this area:
- is (or should) the IDP use mutual SSL authentication to the STS?
- which certificates need to be known to the Tomcat plugin? The STS certificate
for validating the token? Or is the Tomcat plugin ever connecting to the IDP
issue URL and therefore would also need to have the IDP HTTPS endpoint
certificate in the trust store?
Thank you & regards,
Christian
--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza
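An added example (my own code, not Fediz's) that turns the key assignment discussed above into a check: it loads the two sample stores named in the thread, verifies that each trusted certificate is byte-identical to the certificate of the matching private-key entry in the other store, flags certificates outside their validity period, and reports aliases such as myservicekey whose private key sits in neither sample store (it belongs to the WSP). The keystore passwords are placeholders; substitute those of your deployment.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Cross-checks the Fediz sample keystores (clientstore.jks / stsstore.jks). */
public class FedizKeystoreCheck {
    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Reports one alias as seen from the store that merely trusts it (truster)
     *  and the store expected to hold the matching private key (owner). */
    static String describe(String alias, KeyStore truster, KeyStore owner) throws Exception {
        if (!truster.isCertificateEntry(alias)) {
            return alias + ": not a trustedCertEntry in the trusting store";
        }
        Certificate trusted = truster.getCertificate(alias);
        if (!owner.isKeyEntry(alias)) {
            // e.g. myservicekey: the private key lives with the WSP, not in either sample store
            return alias + ": trusted, but the private key is not in the other sample store";
        }
        boolean same = Arrays.equals(trusted.getEncoded(), owner.getCertificate(alias).getEncoded());
        String validity = "within validity period";
        if (trusted instanceof X509Certificate) {
            try { ((X509Certificate) trusted).checkValidity(); }
            catch (Exception e) { validity = "EXPIRED or not yet valid"; }
        }
        return alias + ": trusted cert " + (same ? "matches" : "DOES NOT MATCH")
                + " the owner's PrivateKeyEntry; certificate " + validity;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder passwords: replace with the real keystore passwords.
        KeyStore idp = load("clientstore.jks", "IDP_STORE_PASSWORD");
        KeyStore sts = load("stsstore.jks", "STS_STORE_PASSWORD");
        System.out.println(describe("mystskey", idp, sts));     // STS signs, IDP trusts
        System.out.println(describe("myclientkey", sts, idp));  // IDP authenticates, STS trusts
        System.out.println(describe("myservicekey", sts, idp)); // WSP's cert, trusted by both
    }
}
```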