Sun OpenSSO Enterprise 8.0 Update 1 Release Notes

Chapter 7 Encrypting Data in a Secure Attribute Exchange in OpenSSO Enterprise 8.0 Update 1

Secure Attribute Exchange (also referred to as Virtual Federation) allows one application to communicate identity data to a second application in a different domain. This chapter contains information on how to encrypt the data using the com.sun.identity.sae.api package, including:

How Secure Attribute Exchange Data Encryption Works

When data encryption is used, attributes pushed from the identity provider application to its local instance of OpenSSO are encrypted, as are attributes sent from the local instance of OpenSSO on the service provider side to the service provider application. Both symmetric and asymmetric data encryption are supported in a Secure Attribute Exchange.

For symmetric encryption, the encryption key is the same shared secret used to sign the data. For asymmetric encryption, the sender will encrypt the encryption key using the receiving party's public key. Upon receipt of the encrypted data, the receiving party will decrypt the encryption key using its private key, and then decrypt the data using the encryption key.

Planning the Encryption Specifics

Before getting into the application coding and configuration of OpenSSO for Secure Attribute Exchange encryption, the administrator must decide:

To Use the com.sun.identity.sae.api

  1. Initialize an instance of com.sun.identity.sae.api.SecureAttrs using the:

    SecureAttrs.init(String instance-name, String type, Properties properties) method.

    Be sure to add values for SAE_CONFIG_DATA_ENCRYPTION_ALG and SAE_CONFIG_ENCRYPTION_KEY_STRENGTH to Properties.

  2. To encrypt the data, call the:

    saInstance.getEncodedString(Map attrs, String secret, String encSecret) method. If encSecret is null, the data is not encrypted. This is the same as calling:

    saInstance.getEncodedString(Map attrs, String secret)

  3. To decrypt the data, call the:

    saInstance.verifyEncodedString(String str, String secret, String encSecret) method. If encSecret is null (or the data is not encrypted), the data is not decrypted. This is equivalent to calling the saInstance.verifyEncodedString(String str, String secret) method.

See the OpenSSO Java API Reference for specifics on the parameters. This Javadoc can be found in the docs directory of the exploded opensso.war. Sample code can be found in the saeIDPApp.jsp and saeSPApp.jsp files included with the Secure Attribute Exchange sample. Be sure to include the SAE class files in your web application; they are included in the Client SDK JARs.
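The three API calls above put together for the symmetric case, as an added example that is not the page's saeIDPApp.jsp/saeSPApp.jsp code; the SecureAttrs.getInstance lookup, the null return of verifyEncodedString on failure and the attribute name are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import com.sun.identity.sae.api.SecureAttrs;

// Added example, not taken from the saeIDPApp.jsp/saeSPApp.jsp samples.
// Assumed: SecureAttrs.getInstance(name) returns the instance created by
// init(name, ...), and verifyEncodedString returns null when verification fails.
public class SaeSymmetricExample {
    // Must match the application's Application Security Configuration entry.
    // DES/56 mirrors the page's sample entries; it is weak by current standards,
    // so use the strongest algorithm and key strength your deployment supports.
    static final String ENC_ALG = "DES";
    static final String ENC_STRENGTH = "56";

    // Encoded shared secret from the console entry (constructed sample value).
    static final String SHARED_SECRET = "AQICNeg4ahYuOLmXG5w5yUgvmCUP0rr1HFGf";

    static SecureAttrs initInstance(String name) throws Exception {
        Properties props = new Properties();
        props.setProperty(SecureAttrs.SAE_CONFIG_DATA_ENCRYPTION_ALG, ENC_ALG);
        props.setProperty(SecureAttrs.SAE_CONFIG_ENCRYPTION_KEY_STRENGTH, ENC_STRENGTH);
        SecureAttrs.init(name, "symmetric", props); // type string as in the console entry
        return SecureAttrs.getInstance(name);        // assumed lookup method
    }

    // IDP application side: sign and encrypt. In symmetric mode the encryption
    // key is the same shared secret used for signing, so encSecret == secret.
    static String encodeForSp(SecureAttrs sa, Map<String, String> attrs) throws Exception {
        return sa.getEncodedString(attrs, SHARED_SECRET, SHARED_SECRET);
    }

    // SP application side: verify the signature and decrypt. A null encSecret
    // would skip decryption, so an encrypted payload must be given the secret.
    static Map verifyFromIdp(SecureAttrs sa, String encoded) throws Exception {
        return sa.verifyEncodedString(encoded, SHARED_SECRET, SHARED_SECRET);
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> attrs = new HashMap<String, String>();
        // Constructed attribute; the parameter names SAE requires are listed in the Java API Reference.
        attrs.put("sun.userid", "jdoe");
        String payload = encodeForSp(initInstance("idpapp"), attrs);
        Map verified = verifyFromIdp(initInstance("spapp"), payload);
        if (verified == null) {
            throw new IllegalStateException("signature check or decryption failed");
        }
        System.out.println("verified attributes: " + verified);
    }
}
```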

To Set Up the Identity Provider

  1. Log in to the OpenSSO console as the administrator.

  2. Click the Federation tab.

  3. Select the name of the appropriate hosted identity provider.

  4. Click the Advanced tab.

  5. Add one entry for each identity provider application as a value of the Application Security Configuration attribute. Each application should have one entry using one of the following formats:

    • url=IDPAppURL|type=symmetric|secret=encoded-shared-secret|encryptionalgorithm=encryption-algorithm|encryptionkeystrength=encryption-strength

      Sample Symmetric Entry

      url=http://www.idpapp.com:8080/idpapp/samples/saml2/sae/saeIDPApp.jsp|
      type=symmetric|secret=AQICNeg4ahYuOLmXG5w5yUgvmCUP0rr1HFGf|
      encryptionalgorithm=DES|encryptionkeystrength=56

    • url=IDPAppURL|type=asymmetric|pubkeyalias=IDPApp-signing-certificate|encryptionalgorithm=encryption-algorithm|encryptionkeystrength=encryption-strength

      Sample Asymmetric Entry

      url=http://www.idpapp.com:8080/idpapp/samples/saml2/sae/saeIDPApp.jsp|
      type=asymmetric|pubkeyalias=idpapp-cert|encryptionalgorithm=DES|
      encryptionkeystrength=56

  6. Save the configuration.

  7. Log out of the console.

To Set Up the Service Provider

  1. Log in to the OpenSSO console as the administrator.

  2. Click the Federation tab.

  3. Select the name of the appropriate hosted service provider.

  4. Click the Advanced tab.

  5. Add one entry for each service provider application as a value of the Application Security Configuration attribute. Each application should have one entry using one of the following formats:

    • url=SPAppURL|type=symmetric|secret=encoded-shared-secret|
      encryptionalgorithm=encryption-algorithm|
      encryptionkeystrength=encryption-strength

      Sample Symmetric Entry

      url=http://www.spapp.com:8080/spapp/samples/saml2/sae/saeSPApp.jsp|
      type=symmetric|secret=AQICNeg4ahYuOLmXG5w5yUgvmCUP0rr1HFGf|
      encryptionalgorithm=DES|encryptionkeystrength=56

    • url=SPAppURL|type=asymmetric|privatekeyalias=
      SP-signing-certificate-alias|encryptionalgorithm=encryption-algorithm|
      encryptionkeystrength=encryption-strength|
      pubkeyalias=SPApp-public-key-alias

      The privatekeyalias attribute may be omitted if the signing-certificate-alias is already configured in the service provider metadata.

      Sample Asymmetric Entry

      url=http://www.spapp.com:8080/spapp/samples/saml2/sae/saeSPApp.jsp|
      type=asymmetric|privatekeyalias=test|encryptionalgorithm=DES|
      encryptionkeystrength=56|pubkeyalias=spapp-cert

  6. Save the configuration.

  7. Log out of the console.
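An added pre-flight check, not OpenSSO code, that parses one Application Security Configuration entry and reports fields missing against the identity provider and service provider formats given above; the DES warning is a general cryptography caveat, not a statement from the page.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not part of OpenSSO: a pre-flight check of one Application
// Security Configuration entry against the formats given above. role is "idp" or "sp".
public class SaeEntryCheck {
    static Map<String, String> parse(String entry) {
        Map<String, String> kv = new HashMap<String, String>();
        // Whitespace is removed so a line-wrapped entry (as printed above) parses as one line.
        for (String field : entry.replaceAll("\\s+", "").split("\\|")) {
            int eq = field.indexOf('=');
            if (eq < 1) throw new IllegalArgumentException("not key=value: " + field);
            kv.put(field.substring(0, eq), field.substring(eq + 1));
        }
        return kv;
    }

    static List<String> check(String entry, String role) {
        Map<String, String> kv = parse(entry);
        List<String> problems = new ArrayList<String>();
        for (String k : new String[] {"url", "type", "encryptionalgorithm", "encryptionkeystrength"}) {
            if (!kv.containsKey(k)) problems.add("missing " + k);
        }
        String type = kv.get("type");
        if ("symmetric".equals(type)) {
            if (!kv.containsKey("secret")) problems.add("symmetric entry needs secret=");
        } else if ("asymmetric".equals(type)) {
            if (!kv.containsKey("pubkeyalias")) problems.add("asymmetric entry needs pubkeyalias=");
            // SP only: privatekeyalias may be omitted if the signing certificate alias is in the SP metadata.
            if ("sp".equals(role) && !kv.containsKey("privatekeyalias"))
                problems.add("privatekeyalias omitted: SP metadata must carry the signing certificate alias");
        } else {
            problems.add("type must be symmetric or asymmetric");
        }
        String strength = kv.get("encryptionkeystrength");
        if (strength != null && !strength.matches("\\d+")) problems.add("encryptionkeystrength must be numeric");
        // General cryptography caveat, not a statement from the page: DES with a 56-bit key is weak today.
        if ("DES".equalsIgnoreCase(kv.get("encryptionalgorithm"))) problems.add("warning: DES is weak");
        return problems;
    }

    public static void main(String[] args) {
        // Constructed SP entry that omits both pubkeyalias and privatekeyalias.
        String entry = "url=http://www.spapp.com:8080/spapp/samples/saml2/sae/saeSPApp.jsp|"
                + "type=asymmetric|encryptionalgorithm=DES|encryptionkeystrength=56";
        System.out.println(check(entry, "sp"));
    }
}
```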

To Test the Configurations

Use the SAE sample included with OpenSSO to test the configuration. You can find it in the samples/saml2/sae directory of the opensso.war or in the saml2/sae directory of the opensso-client-jdk14.war or the opensso-client-jdk15.war.