> Ok, I get it now. I think Colm already answered your question. > Btw: is there special reasons to use symmetric, not transport binding for > communication with STS in your case?
Yes Colm answered it. Thanks. SSL may be used but we can't enforce it as we don't control the systems our services get deployed to. > Josh Hill Senior Java Developer sovereign finance and banking software A Level 1, Building C, Millennium Centre, 602 Great South Road, Greenlane, Auckland, New Zealand D 64 9 571 6812 P 64 9 571 6800 F 64 9 571 6899 E [email protected] W http://www.finzsoft.com Please note: This email contains information that is confidential and may be privileged. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this email or attachments. If you have received this in error, please notify Finzsoft Solutions (New Zealand) Ltd immediately by return email and delete this email. Thank you. -----Original Message----- > From: Andrei Shakirin [mailto:[email protected]] > Sent: Tuesday, 7 May 2013 4:40 a.m. > To: [email protected] > Subject: RE: SymmetricBinding key exchange and signing > > Hi, > > > Yes I have the IssuedToken policy on the WSP (not shown). The below > > policies are on my STS service. The question was in regards to > > connecting to the STS service to have a token issued (or renewed, or > > validated). I authenticate using the SignedEncryptedSupportingTokens > UsernameToken. > > What I'm trying to figure out is how the key generated by the client > > for symmetric binding is exchanged with the STS service so that it can > > sign/verify encrypt/decrypt messages with the client. > > Ok, I get it now. I think Colm already answered your question. > Btw: is there special reasons to use symmetric, not transport binding for > communication with STS in your case? > > Regards, > Andrei. > > > -----Original Message----- > > From: Josh Hill [mailto:[email protected]] > > Sent: Sonntag, 5. Mai 2013 21:56 > > To: [email protected]; [email protected] > > Subject: RE: SymmetricBinding key exchange and signing > > > > Andrei, > > > > Yes I have the IssuedToken policy on the WSP (not shown). The below > > policies are on my STS service. The question was in regards to > > connecting to the STS service to have a token issued (or renewed, or > > validated). I authenticate using the SignedEncryptedSupportingTokens > UsernameToken. > > What I'm trying to figure out is how the key generated by the client > > for symmetric binding is exchanged with the STS service so that it can > > sign/verify encrypt/decrypt messages with the client. > > > > > > Colm, > > > > Is there not some exchange of the generated key between the client and > > STS? If the client signs (and encrypts) the request how does the STS > > have the generated key to verify signature and decrypt? My original > > question suggested that it is exchanged by encrypting it with the STS > > public key but not sure how it is signed in this exchange. Perhaps the > > exchange of the generated key isn't signed? > > > > I appreciate your time. > > > > Josh > > > > > > > > > Josh Hill > > Senior Java Developer > > > > > > sovereign finance and banking software > > > > A Level 1, Building C, Millennium Centre, 602 Great South Road, > > Greenlane, Auckland, New Zealand > > D 64 9 571 6812 P 64 9 571 6800 F 64 9 571 6899 > > E [email protected] W http://www.finzsoft.com > > > > Please note: This email contains information that is confidential and > > may be privileged. If you are not the intended recipient, you must not > > peruse, use, disseminate, distribute or copy this email or > > attachments. If you have received this in error, please notify > > Finzsoft Solutions (New Zealand) Ltd immediately by return email and > delete this email. Thank you. > > -----Original Message----- > > > > > From: Colm O hEigeartaigh [mailto:[email protected]] > > > Sent: Saturday, 4 May 2013 12:36 a.m. > > > To: [email protected] > > > Subject: Re: SymmetricBinding key exchange and signing > > > > > > The Symmetric key that the client generates signs (and encrypts) the > > > request (SOAP Body). There is no need for a signing certificate as > > > you are using the Symmetric binding. Authentication is enforced via > > > the UsernameToken SupportingToken. > > > > > > Colm. > > > > > > > > > On Fri, May 3, 2013 at 4:25 AM, Josh Hill <[email protected]> wrote: > > > > > > > My understanding is that the client generates the symmetric key > > > > (as defined by the sp:ProtectionToken i.e. a sp:X509Token) and > > > > encrypts it using the STS's public key (configured on client using > > > > "ws-security.encryption.properties\username"). When sending this > > > > encrypted key to the STS what is it signed with? I haven't set the > > > > "ws-security.signature.properties\username" on my client but the > > > > input policy on the STS requires the sp:Body be signed. **** > > > > > > > > ** ** > > > > > > > > ...**** > > > > > > > > <entry key="ws-security.sts.client">**** > > > > > > > > <bean > > > > class="org.apache.cxf.ws.security.trust.STSClient">* > > > > *** > > > > > > > > <constructor-arg ref="cxf" />**** > > > > > > > > <property name="wsdlLocation" value=" > > > > http://localhost:8080/STS?wsdl"; />**** > > > > > > > > <property name="serviceName" > > > > value="{ > > > > http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenSer > > > > vi > > > > ce > > > > " /> > > > > **** > > > > > > > > <property name="endpointName" > > > > value="{ http://docs.oasis-open.org/ws-sx/ws- > trust/200512/}STS_Port" > > > > />**** > > > > > > > > <property name="properties">**** > > > > > > > > <map>**** > > > > > > > > > > > > <entry key="ws-security.username" value="bob" />**** > > > > > > > > > > > > <entry key="ws-security.callback-handler" > value="ClientCallbackHandler" > > > > />**** > > > > > > > > > > > > <entry key="ws-security.encryption.properties" > > > > value="clientKeystore.properties" /> > > > > **** > > > > > > > > > > > > <entry key="ws-security.encryption.username" value="stskey" />**** > > > > > > > > </map>**** > > > > > > > > </property>**** > > > > > > > > </bean>**** > > > > > > > > </entry>**** > > > > > > > > .**** > > > > > > > > ** ** > > > > > > > > <wsp:Policy wsu:Id="STS-UT-Policy">**** > > > > > > > > <wsp:ExactlyOne>**** > > > > > > > > <wsp:All>**** > > > > > > > > > > > > <sp:SymmetricBinding>**** > > > > > > > > > > > > <wsp:Policy>**** > > > > > > > > > > > > <sp:ProtectionToken>**** > > > > > > > > > > > > <wsp:Policy>**** > > > > > > > > > > > > <sp:X509Token sp:IncludeToken=" > > > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeT > > > > ok > > > > en > > > > /Never > > > > ">**** > > > > > > > > > > > > <wsp:Policy>**** > > > > > > > > > > > > <sp:RequireDerivedKeys/>**** > > > > > > > > > > > > <sp:RequireThumbprintReference/>**** > > > > > > > > > > > > <sp:WssX509V3Token10/>**** > > > > > > > > > > > > </wsp:Policy>**** > > > > > > > > > > > > </sp:X509Token>**** > > > > > > > > > > > > </wsp:Policy>**** > > > > > > > > > > > > </sp:ProtectionToken>**** > > > > > > > > > > > > <sp:AlgorithmSuite>**** > > > > > > > > > > > > <wsp:Policy>**** > > > > > > > > > > > > <sp:Basic256/>**** > > > > > > > > > > > > </wsp:Policy>**** > > > > > > > > > > > > </sp:AlgorithmSuite>**** > > > > > > > > > > > > <sp:Layout>**** > > > > > > > > > > > > <wsp:Policy>**** > > > > > > > > > > > > <sp:Lax/>**** > > > > > > > > > > > > </wsp:Policy>**** > > > > > > > > > > > > </sp:Layout>**** > > > > > > > > > > > > <sp:IncludeTimestamp/>**** > > > > > > > > > > > > <sp:EncryptSignature/>**** > > > > > > > > > > > > <sp:OnlySignEntireHeadersAndBody/>**** > > > > > > > > > > > > </wsp:Policy>**** > > > > > > > > > > > > </sp:SymmetricBinding>**** > > > > > > > > > > > > <sp:SignedEncryptedSupportingTokens>**** > > > > > > > > > > > > <wsp:Policy>**** > > > > > > > > > > > > <sp:UsernameToken sp:IncludeToken=" > > > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeT > > > > ok > > > > en > > > > /AlwaysToRecipient > > > > ">**** > > > > > > > > > > > > <wsp:Policy>**** > > > > > > > > > > > > <sp:HashPassword/>**** > > > > > > > > > > > > <sp:WssUsernameToken10/>**** > > > > > > > > > > > > </wsp:Policy>**** > > > > > > > > > > > > </sp:UsernameToken>**** > > > > > > > > > > > > </wsp:Policy>**** > > > > > > > > > > > > </sp:SignedEncryptedSupportingTokens>**** > > > > > > > > <sp:Wss11>**** > > > > > > > > > > > > <wsp:Policy>**** > > > > > > > > > > > > <sp:MustSupportRefKeyIdentifier/>**** > > > > > > > > > > > > <sp:MustSupportRefIssuerSerial/>**** > > > > > > > > > > > > <sp:MustSupportRefThumbprint/>**** > > > > > > > > > > > > <sp:MustSupportRefEncryptedKey/>**** > > > > > > > > > > > > </wsp:Policy>**** > > > > > > > > </sp:Wss11>**** > > > > > > > > <sp:Trust13>**** > > > > > > > > > > > > <wsp:Policy>**** > > > > > > > > > > > > <sp:MustSupportIssuedTokens/>**** > > > > > > > > > > > > <sp:RequireClientEntropy/>**** > > > > > > > > > > > > <sp:RequireServerEntropy/>**** > > > > > > > > > > > > </wsp:Policy>**** > > > > > > > > </sp:Trust13>**** > > > > > > > > </wsp:All>**** > > > > > > > > </wsp:ExactlyOne>**** > > > > > > > > </wsp:Policy>**** > > > > > > > > ** ** > > > > > > > > <wsp:Policy wsu:Id="STS-Input-Policy">**** > > > > > > > > <wsp:ExactlyOne>**** > > > > > > > > <wsp:All>**** > > > > > > > > > > > > <sp:SignedParts>**** > > > > > > > > > > > > <sp:Body/> > > > > **** > > > > > > > > > > > > </sp:SignedParts>**** > > > > > > > > > > > > <sp:EncryptedParts>**** > > > > > > > > > > > > <sp:Body/> > > > > **** > > > > > > > > > > > > </sp:EncryptedParts>**** > > > > > > > > </wsp:All>**** > > > > > > > > </wsp:ExactlyOne>**** > > > > > > > > </wsp:Policy>**** > > > > > > > > ** ** > > > > > > > > <wsp:Policy wsu:Id="STS-Output-Policy">**** > > > > > > > > <wsp:ExactlyOne>**** > > > > > > > > <wsp:All>**** > > > > > > > > > > > > <sp:SignedParts>**** > > > > > > > > > > > > <sp:Body/> > > > > **** > > > > > > > > > > > > </sp:SignedParts>**** > > > > > > > > > > > > <sp:EncryptedParts>**** > > > > > > > > > > > > <sp:Body/> > > > > **** > > > > > > > > > > > > </sp:EncryptedParts>**** > > > > > > > > </wsp:All>**** > > > > > > > > </wsp:ExactlyOne>**** > > > > > > > > </wsp:Policy>**** > > > > > > > > > > > > > > > > *Josh Hill* > > > > Senior Java Developer > > > > > > > > > > > > > > > > [image: Finzsoft - Your Vision + Our Innovations] > > > > > > > > > > > > > > > > sovereign finance and banking software > > > > > > > > > > > > > > > > *A* Level 1, Building C, Millennium Centre, 602 Great South Road, > > > > Greenlane, Auckland, New Zealand > > > > *D* 64 9 571 6812 *P* 64 9 571 6800 *F* 64 9 571 6899 > > > > *E* [email protected] *W* www.finzsoft.com > > > > > > > > > > > > *Please note*: This email contains information that is > > > > confidential and may be privileged. If you are not the intended > > > > recipient, you must not peruse, use, disseminate, distribute or > > > > copy this > > > email or attachments. > > > > If you have received this in error, please notify Finzsoft > > > > Solutions (New > > > > Zealand) Ltd immediately by return email and delete this email. > > > > Thank > > you. > > > > > > > > > > > > > > > > > > __________________________________________________________ > > > ____________ > > > > This email has been scanned by the Symantec Email Security.cloud > > service. > > > > > > > > > > __________________________________________________________ > > > ____________ > > > > > > > > > > > > > > > > -- > > > Colm O hEigeartaigh > > > > > > Talend Community Coder > > > http://coders.talend.com > > > > > > > > > __________________________________________________________ > > > ____________ > > > This email has been scanned by the Symantec Email Security.cloud > service. > > > > > > __________________________________________________________ > > > ____________ > > > > > __________________________________________________________ > > ____________ > > This email has been scanned by the Symantec Email Security.cloud service. > > > __________________________________________________________ > > ____________ > > __________________________________________________________ > ____________ > This email has been scanned by the Symantec Email Security.cloud service. > __________________________________________________________ > ____________ ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. ______________________________________________________________________
