10 Configuring SAML Bearer Using WS-Trust with OpenSSO STS

You can refer to the use case description, solution summary, components involved, and the linked documentation resources to configure SAML bearer using WS-Trust with OpenSSO STS.

Use Case

Configure SAML bearer using WS-Trust with OpenSSO STS.

Solution

Attach Oracle Web Services Manager (OWSM) SAML bearer with message protection using WS-Trust policies to the web service and client, and configure OpenSSO STS.

Components
  • Oracle WebLogic Server

  • Oracle Web Services Manager (OWSM)

  • OpenSSO STS

  • Web service and client applications to be secured

Additional Resources on Oracle Web Services Manager

This use case demonstrates the steps required to:

  • Attach the appropriate OWSM security policies to enforce SAML bearer with message-level protection using WS-Trust with OpenSSO STS.

    The WS-Trust 1.3 specification defines extensions to WS-Security that provide a framework for requesting and issuing security tokens, and to broker trust relationships. WS-Trust extensions provide methods for issuing, renewing, and validating security tokens. To secure communication between a Web service client and a Web service, the two parties must exchange security credentials. As defined in the WS-Trust specification, these credentials can be obtained from a trusted Security Token Service (STS), which acts as trust broker. That is, the Web service client and the Web service do not explicitly trust each other; instead, they implicitly trust each other because they both trust the STS. For more information, see "Overview of Web Services WS-Trust" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

    Specifically, you attach the following policies to the client and service, respectively:

    • oracle/ws11_sts_issued_saml_bearer_token_over_ssl_client_policy

    • oracle/wss11_sts_issued_saml_bearer_token_over_ssl_service_policy and oracle/sts_trust_config_service_policy

  • Configure OpenSSO STS.

This use case consists of a Java EE web service and SOA Composite client.

For more information on how to implement this use case, see Use Case: Implementing SAML Bearer Using WS-Trust with OpenSSO STS.

10.1 Use Case: Implementing SAML Bearer Using WS-Trust with OpenSSO STS

To implement the use case configure OpenSSO STS, and then configure SAML bearer message protection using WS-Trust with OpenSSO STS.

10.1.1 Configuring OpenSSO STS

To implement the use case SAML Bearer Using WS-Trust with OpenSSO STS, first configure OpenSSO STS.

To configure OpenSSO STS:

  1. Log in to the OpenSSO STS instance.

  2. Navigate to Configuration > Global > Security Token Service.

  3. Under Security: Security Mechanism: Security Token Accepted by STS Services, enable all options.

  4. Under the Credential for User Token section, add a new credential for the token with the username and password set as required.

    For this example, set the username and password both to test.

  5. Under the On Behalf of Token section, select ldapService from the Authentication Chain for On Behalf of Token drop-down list.

  6. Under the Signing section, enable the following options:

    - Is Request Signature Verified

    - Is Response Signed Enabled (select Body and Timestamp)

  7. Under the Encryption section, enable the following options:

    - Is Request Decrypted (select Body and Header)

    - Is Response Encrypted

  8. Select AES from the Encryption Algorithm drop-down list, and select 128 from the Encryption Strength drop-down list.

  9. To support the WS-Security 1.1 Kerberos token with message protection requestor token, under the Kerberos Configuration section and configure the following values:

    • Kerberos Domain Server

      Fully qualified hostname of the domain server.

    • Kerberos Domain

      Domain name.

    • Kerberos Service Principal

      Service principal name in the following format: <host>/<machine name>@<REALM NAME>

    • Kerberos Key Tab File

      Location of the key tab file created for the STS.

    • Is Verify Kerberos Signature

      Enable only when JDK6 is used.

  10. To support SSL, perform the following steps:

    1. In the Token Issuance Attributes section, edit the SSL Endpoint based on your OpenSSO instance.

    2. Under Signing, enable the Disable signature validation when transport is secured with SSL option.

    3. Under Encryption, enable the Disable decryption when transport is secured with SSL option.

  11. To support SSL on the server hosting the OpenSSO STS:

    On the WebLogic Server hosting the OpenSSO STS, to configure SSL, perform the steps described in "Configuring Keystores for SSL" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

    On the GlassFish server hosting the Open SSO STS, perform the following steps:

    1. Generate a new key pair for the application server by issuing the following command:

      keytool -genkey -keyalg <algorithm for generating the key pair> -keystore keystore.jks -validity <days> -alias <alias_name>

      For example:

      keytool -genkey -keyalg RSA -keystore <glassfish_install_dir>/domains/<sts_deploy_domain>/config/keystore.jks -validity 365 -alias owsm

      When prompted for first and last name, enter the hostname of the machine for which the certificate is to be generated. Enter the appropriate details for the other prompts.

    2. Generate a Certificate Signing Request (CSR) by issuing the following command:

      keytool -certreq -alias owsm -file owsm.csr -keystore keystore.jks -storepass changeit

      The request that is generated and written to the owsm.csr file needs to be submitted to a Certificate Authority in order to get a valid certificate. For example, the Certificate Management Server maintained by the OpenSSO QA team at https://mahogany.red.iplanet.com.

    3. Access the Certificate Management Server at https://mahogany.red.iplanet.com, click SSL Server in the left pane, and paste the contents of the .csr file, starting from BEGIN CERTIFICATE REQUEST and ending at END CERTIFICATE REQUEST, into the PKCS # 10 Request field.

      Fill out the other fields, as appropriate, and submit the request. Once the request is approved, the certificate can be retrieved from the retrieval tab on the same page.

    4. Copy the certificate content (PKCS # 7 format) starting from BEGIN CERTIFICATE to END CERTIFICATE into a file with .cert extension and import the server certificate into the <glassfish_install_dir>/domains/<sts_deploy_domain>/config/keystore.jks file by using the following keytool command:

      keytool -import -v -alias owsm -file owsm.cert -keystore keystore.jks -storepass changeit

      Enter YES when prompted if you trust the certificate.

    5. Access the Certificate Authority's SSL Certificate. Go to https://mahogany.red.iplanet.com and navigate to SSL Server -> Retrieval tab -> List Certificates -> Find. Click on the first Details button on the page and copy the Base 64 encoded certificate into another .cert file. For example: mahogany.cert

    6. Import this certificate with alias as rootca into the <glassfish_install_dir>/domains/<sts_deploy_domain>/config/cacerts.jks file, using the following command:

      keytool -import -v -alias rootca -file mahogany.cert -keystore cacerts.jks -storepass changeit

    7. The previous step may need to be repeated for client side truststore.jks file. Delete any existing rootca aliases from that file and import the new one as shown above (changing the location of the keystore file).

    8. To configure GlassFish with the new certificate, access the Administration Console at http://hostname:admin-port/, navigate to Configuration -> HTTP Service -> http-listener2 (default SSL enabled port) -> SSL, and change the certificate nickname from s1as (self-signed cert) to owsm.

    9. Restart Glassfish.

10.1.2 Configuring SAML Bearer With Message Protection Using WS-Trust with OpenSSO STS

After configuring the OpenSSO STS, configure SAML bearer with message protection using WS-Trust with OpenSSO STS.

To configure SAML bearer with message protection using WS-Trust with OpenSSO STS:
  1. Configure the STS service policy. For the complete procedure, see "Setting Up Automatic Policy Configuration for STS" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

    Make a copy of oracle/sts_trust_config_service_policy and edit the policy configuration, as described below, based on the requestor token type.

    To support WS-Security 1.0 username token with message protection requestor token:

    • orasp:port-uri="http://<host>:<port>/openssosts/sts/wss10un"

    • orasp:wsdl-uri="http://<host>:<port>/openssosts/sts/wss10un?wsdl" (Optional)

    To support WS-Security 1.0 username token over SSL with message protection requestor token:

    • orasp:port-uri="https://<host>:<sslport>/openssosts/sts/tlswss10un"

    • orasp:wsdl-uri="https://<host>:<sslport>/openssosts/sts/tlswss10un?wsdl" (Optional)

    To support WS-Security 1.0 X509 token with message protection requestor token:

    • orasp:port-uri="http://<host>:<port>/openssosts/sts/wss10x509"

    • orasp:wsdl-uri="http://<host>:<port>/openssosts/sts/wss10x509?wsdl" (Optional)

    To support WS-Security 1.1 Kerberos token with message protection requestor token:

    • orasp:port-uri="http://<host>:<port>/openssosts/sts/wss11kerberos"

    • orasp:wsdl-uri="http://<host>:<port> (Optional)

  2. Configure the Web service. For the complete procedure, see "Configuring a Web Service for Automatic Policy Configuration" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

    Attach the policy created in step 1 followed by the oracle/wss11_sts_issued_saml_bearer_token_over_ssl_service_policy. For the complete procedure, see "Attaching Policies Directly to a Single Subject Using Fusion Middleware Control" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Configure the Web service client. For the complete procedure, see "Configuring a Web Service Client for Automatic Policy Configuration" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

    Attach the oracle/ws11_sts_issued_saml_bearer_token_over_ssl_client_policy policy to the SOA composite client and override the client configuration properties described in "oracle/ws11_sts_issued_saml_bearer_token_over_ssl_client_template" in Securing Web Services and Managing Policies with Oracle Web Services Manager, as required for your requestor token. For the complete procedure, see "Attaching Policies Directly to a Single Subject Using Fusion Middleware Control" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

    The sts.auth.user.csf.key should be set to the user credentials available in the default OpenSSO STS configuration. Namely, username test, with password set to test. Though, it is not required to be set for the X509 requestor token.

    For more information about overriding client configuration properties when attaching a policy, see "Attaching Policies Directly to Web Service Clients Using Fusion Middleware Control" in Securing Web Services and Managing Policies with Oracle Web Services Manager.