Sun OpenSSO Enterprise 8.0 Administration Reference

Chapter 5 Centralized Agent Configuration Attributes

The Centralized Agent Configuration provides an agent administrator with a means to manage multiple agent configurations from one central place. The agent configurations are stored in OpenSSO Enterprise's data repository and managed by an administrator via the OpenSSO Enterprise Console.

Agent Configuration Attributes

Once you have created an agent, you can customize each agent's behavior. To do so, first click the name of the agent you wish to configure, and then modify the agent's attributes. See the following sections for definitions for each agent type:

Web Policy Agent

A web agent instance can be configured using this interface. The properties described only apply if during agent creation, centralized configuration was chosen. If local configuration was selected, the properties related to this agent must be edited in the OpenSSOAgentConfiguration.properites file in the agent installation directory.

For definitions of the Web Policy Agent attributes, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents, or the online help.

J2EE Policy Agent

A J2EE agent instance can be configured using this interface. The properties described only apply if during agent creation, centralized configuration was chosen. If local configuration was selected, the properties related to this agent must be edited in the OpenSSOAgentConfiguration.properites file in the agent installation directory.

For definitions of the J2EE Policy Agent attributes, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents, or the online help.

Web Service Provider

The Web Service Provider agent profile describes the configuration that is used for validating web service requests from web service clients and securing web service responses from a web service provider. The name of the web service provider must be unique across all agents.

General

The following General attributes define basic web service provider properties:

Group

The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.

Password

Defines the password for the web service provider agent

Password Confirm

Confirm the password.

Status

Defines whether the web service provider agent will be Active or Inactive in the system. By default, it is set to Active, meaning that the agent will participate in validating web service requests from web service clients and securing service responses from a web service provider.

Universal Identifier

Lists the basic LDAP properties, that uniquely defines the web service provider agent.

Security

The following attributes define web service provider security attributes:

Security Mechanism

Defines the type of security credential that are used to validate the web service request. The type of security mechanism is part of the web service request from a web service client and is accepted by a web service provider. Choose from the following types:

Anonymous — The anonymous security mechanism contains no security credentials.
KerberosToken — Uses Kerberos security tokens.
LibertyBearerToken – Uses the Liberty-defined bearer token.
LibertySAMLToken – Uses the Liberty-defined SAML token.
LibertyX509Token – Uses the Liberty-defined X509 certificate.
SAML-HolderOfKey - Uses the SAML 1.1 assertion type Holder-Of-Key..
SAML-SenderVouches - Uses the SAML 1.1 assertion type Sender Vouches.
SAML2–HolderOfKey – Uses the SAML 2.0 assertion token type Holder-Of-Key.
SAML2–SenderVouches – Uses the SAML 2.0 assertion token type Sender Vouches.
UserNameToken – Uses a user name token.
UserNameToken-Plain – Uses a user name token with a clear text password.
X509Token – Uses the X509 certificate.

Authentication Chain

Defines the authentication chain or service name that can be used to authenticate to the OpenSSO Enterprise authentication service using the credentials from an incoming web service request's security token to generate OpenSSO Enterprise's authenticated SSOToken.

Token Conversion Type

Defines the type of token that will be converted when a web service provider requests a token conversion from the Security Token service. The token is converted to the specified SAML or SSOToken (session token) with the same identity, but with attribute definitions specific to the token type. This new token can be used by the web service provider making a web service call to another web service provider. The token types you can define are:

SAML 1.1 token
SAML2 token
SSOToken

In order to use this attribute, any SAML token must be selected in the Security Mechanism attribute and any authentication chain defined for the web service provider.

Preserve Security Headers in Message

When enabled, this attribute defines that the SOAP security headers are preserved by the web service provider for further processing.

Private Key Type

Defines the key type used by the web service provider during the web service request signature verification process. The default value is PublicKey.

Liberty Service Type URN

The URN (Universal Resource Name) describes a Liberty service type that the web service provider will use for service lookups.

Credential for User Token

This attribute represents the username/password shared secrets that are used by the web service provider to validate a username security token from an incoming web service request. These credentials are compared against the credentials from the username security token from an incoming web service request.

SAML Configuration

The following attributes configure the Security Assertion Markup Language (SAML) for the web service provider:

SAML Attribute Mapping

This configuration represents a SAML attribute that needs to be generated as an Attribute Statement during SAML assertion creation by the Security Token Service for a web service provider. The format is SAML_attr_name=Real_attr_name.

SAML_attr_name is the SAML attribute name from a SAML assertion from an incoming web service request. Real_attr_name is the attribute name that is fetched from either the authenticated SSOToken or the identity repository.

SAML NameID Mapper Plugin

Defines the NameID mapper plug-in class that is used for SAML account mapping.

SAML Attributes Namespace

Defines the name space used for generating SAML attributes.

Include Memberships

If enabled, this attribute defines that the principal's membership must be included as a SAML attribute.

Signing and Encryption

The following attributes define signing and encryption configuration for web provider security:

Is Response Signed

When enabled, the web service provider signs the response using its X509 certificate.

Is Response Encrypted

When enabled, the web service response will be encrypted.

Is Request Signature Verified

When enabled, the web service request signature is verified.

Is Request Header Decrypted

When enabled, the web service client request's security header will be decrypted.

Is Request Decrypted

When enabled, the web service client request will be decrypted.

Signing Reference Type

Defines the reference types used when the Security Token service signs the wsp response. The possible reference types are DircectReference, KeyIdentifier, and X509.

Encryption Algorithm

Defines the encryption algorithm used to encrypt the web service response.

Encryption Strength

Sets the encryption strength used by he Security Token service to encrypt the web service response. Select a greater value for greater encryption strength.

Key Store

The following attributes configure the keystore to be used for certificate storage and retrieval:

Public Key Alias of Web Service Client

This attribute defines the public certificate key alias that is sued to encrypt the web service response or verify the signature of the web service request.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the web service response or decrypt the web service request.

Key Storage Usage

This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:

Location of Key Store
Password of Key Store
Password of Key

End Points

The following attributes define web service endpoints:

Web Service Proxy End Point

This attribute defines a web service end point to which the web service client is making a request. The end point is optional unless it is configured to use web security proxy.

Web Service End Point

This attribute defines a web service end point to which the web service client is making a request.

Kerberos Configuration

Kerberos is a security profile supported by the web services security to secure web services communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and invokes a web service and the web service client. This requires a Kerberos ticket to secure the request to web service provider by identifying his principal as Kerberos token. Typically, Kerberos-based web services security is used in same the context of Kerberos domain (realm) as opposed to across boundaries, for example SAML-based web services security. However, Kerberos is one of the strongest authentication mechanisms, especially in the Windows Domain Controller environment.

Kerberos Domain Server

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending up on your configuration, the domain name of the domain controller may be different than the OpenSSO Enterprise domain name.

Kerberos Service Principal

Specifies the Kerberos principal as the owner of the generated Security token.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainame represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. It is possible that the Kerberos server is different from the domain name of the OpenSSO Enterprise instance.

Kerberos Key Tab File

This attribute specifies the Kerberos keytab file that is used for issuing the token. Use the following format, although the format is not required:

hostname.HTTP.keytab

hostname is the hostname of the OpenSSO Enterprise instance.

Verify Kerberos Signature

If enabled, this attribute specifies that the Kerberos token is signed.

Web Service Client Attributes

The Web Service Client agent profile describes the configuration that is used for securing outbound web service requests from a web service client. The name of the web service client must be unique across all agents.

General

The following General attributes define basic web service client properties:

Group

The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.

Password

Defines the password for the web service client agent.

Password Confirm

Confirm the password.

Status

Defines whether the web service client agent will be active or inactive in the system. By default, this attribute is set to active, meaning that the agent will participate in securing outbound web service requests from web service clients and will validate web service responses from a web service provider.

Universal Identifier

Lists the basic LDAP properties, that uniquely defines the web service client agent.

Security

The following attributes define web service client security attributes:

Security Mechanism

Defines the type of security credential that is used to secure the web service client request. You can choose one of the following security credential types:

Anonymous — The anonymous security mechanism contains no security credentials.
KerberosToken — Uses Kerberos security tokens.
LibertyDiscoverySecurity — Uses Liberty-based security tokens.
SAML-HolderOfKey — Uses the SAML 1.1 assertion type Holder-Of-Key.
SAML-SenderVouches — Uses the SAML 1.1 assertion type Sender Vouches.
SAML2–HolderOfKey — Uses the SAML 2.0 assertion token type Holder-Of-Key.
SAML2–SenderVouches — Uses the SAML 2.0 assertion token type Sender Vouches.
STSSecurity — Uses the security token generated from the Security Token service for a given web service provider.
UserNameToken — Uses User Name Token with digest password.
UserNameToken-Plain — Uses a user name token with a clear text password for securing web service requests.
X509Token — Uses the X509 certificate.

STS Configuration

This attribute is enabled when the web service client uses Security Token service (STS) as the Security Mechanism. This configuration describes a list of STS agent profiles that are used to communicate with and secure the web service requests to the STS service.

Discovery Configuration

This attribute is enabled when the web service client is enabled for Discovery Service security. This configuration describes a list of Discovery Agent profiles that are used to secure requests made to the Discovery service.

User Authentication Required

When enabled, this attribute defines that the services client's protected page requires a user to be authenticated in order to gain access.

Preserve Security Headers in Message

When enabled, this attribute defines that the SOAP security headers are preserved by the web service client for further processing.

Use Pass Through Security Token

When enabled, this attribute indicates that the web service client will pass through the received Security token from the Subject. It will not try to create the token locally or from STS communication.

Liberty Service Type URN

The URN (Universal Resource Name) describes a Liberty service type that the web service client will use for service lookups.

Credential for User Token

The attribute represents the username/password shared secrets that are used by the web service client to generate a Username security token.

Signing and Encryption

The following attributes define signing and encryption configuration for web service security:

Is Request Signed

When enabled, the web services client signs the request using a given token type.

Is Request Header Encrypted

When enabled, the web services client security header will be encrypted.

Is Request Encrypted

When enabled, the web services client request will be encrypted.

Is Response Signature Verified

When enabled, the web services response signature is verified.

Is Response Decrypted

When enabled, the web services response will be decrypted.

Signing Reference Type

Defines the reference types used when the Security Token service signs the WSC response. The possible reference types are DircectReference, KeyIdentifier, and X509.

Encryption Algorithm

Defines the encryption algorithm used to encrypt the web service response.

Encryption Strength

Sets the encryption strength used by he Security Token service to encrypt the web service response. Select a greater value for greater encryption strength.

Key Store

The following attributes configure the keystore to be used for certificate storage and retrieval:

Public Key Alias of Web Service Provider

This attribute defines the public certificate key alias that is used to encrypt the web service request or verify the signature of the web service response.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.

Key Storage Usage

This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:

Location of Key Store
Password of Key Store
Password of Key

End Points

The following attributes define web service endpoints:

Web Service Security Proxy End Point

This attribute defines a web service end point to which the web service client is making a request. This end point is optional unless it is configured as a web security proxy.

Web Service End Point

This attribute defines a web service end point to which the web service client is making a request.

Kerberos Configuration

Kerberos Domain Server

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the Kerberos Distribution Center (KDC) domain name. Depending up on your configuration, the domain name of the domain controller may be different than the OpenSSO Enterprise domain name.

Kerberos Service Principal

Specifies the web service principal registered with the KDC.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

Kerberos Ticket Cache Directory

Specifies the Kerberos TGT (Ticket Granting Ticket) cache directory. When the user authenticates to the desktop or initializes using kinit (the command used to obtain the TGT from KDC), the TGT is stored in the local cache, as defined in this attribute.

STS Client

The Security Token Service (STS) Client interface allows you to create and configure a client that communicates with OpenSSO Enterprise's Security Token service in order to obtain a Security Token. OpenSSO Enterprise provides the mechanism to create the following types of STS client agents:

Discovery Agent: Allows you to configure a Discovery Agent Client that communicates with the Liberty Discovery Service to obtain a Liberty-based security token. This configuration defines the attributes for securing Liberty requests from the Discovery client to the Liberty Discovery end point.

Security Token Service Agent: Allows you to configure a Security Token Service agent that communicates with OpenSSO Enterprise's Security Token Service to obtain web service-based security tokens. This configuration defines the attributes for securing web service Trust requests from the STS client to the STS end point.

Discovery Agent Attributes

The Discovery Agent profile holds a trust authority configuration that is used by the web services' client/profile to communicate with the Liberty Discovery service for web service lookups, registration, and for obtaining security credentials.

Group

The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.

Password

Defines the password for the Discovery Agent.

Password Confirm

Confirm the password.

Status

Defines whether the agent will be active or inactive in the system. By default, this attribute is set to active, meaning that the agent will participate in securing outbound web service requests from web service clients and will validate web service responses from a web service provider.

Location of Agent Configuration Repository

This attribute defines the agent location of the configuration repository for the Discovery Agent.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.

Discovery Service End Point

This attribute defines the Discovery service end point where the trust authority client establishes communications for service registrations and lookups.

Authentication Web Service End Point

This attribute defines the authentication service end point which the web services client uses to authenticate using the end user's SSOToken to receive the Discovery service resource offering (also referred to as bootstrap resource offering.)

Security Token Service Agent Attributes

A Security Token Service is a Web service that provides issuance and management of security tokens. That is, it makes security statements or claims often, although not required to be, in encrypted sets. These statements are based on the receipt of evidence that it can directly verify security tokens from authorities that it trusts. To assert trust, a service might prove its right to assert a set of claims by providing a security token or set of security tokens issued by an STS, or it could issue a security token with its own trust statement (note that for some security token formats this can just be a re-issuance or co-signature). This forms the basis of trust brokering.

General

The following General attributes define basic Security Token service properties:

Group

The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.

Password

Defines the password for the Security Token service agent.

Password Confirm

Confirm the password.

Status

WS-Trust Version

Specifies the version of WS-Trust to use, either 1.0 or 1.3.

Universal Identifier

Lists the basic LDAP properties, that uniquely defines the Security Token service agent.

Security

The following attributes define Security Token service security attributes:

Security Mechanism

Defines the type of security credential that is used to secure the STS request. You can choose one of the following security credential types:

Anonymous — The anonymous security mechanism contains no security credentials.
KerberosToken — Uses Kerberos security tokens.
LibertyDiscoverySecurity — Uses Liberty-based security tokens.
SAML-HolderOfKey — Uses the SAML 1.1 assertion type Holder-Of-Key.
SAML-SenderVouches — Uses the SAML 1.1 assertion type Sender Vouches.
SAML2–HolderOfKey — Uses the SAML 2.0 assertion token type Holder-Of-Key.
SAML2–SenderVouches — Uses the SAML 2.0 assertion token type Sender Vouches.
STSSecurity — Uses the security token generated from the Security Token service for a given web service provider.
UserNameToken — Uses User Name Token with digest password.
UserNameToken-Plain — Uses a user name token with a clear text password for securing web service requests.
X509Token — Uses the X509 certificate.

STS Configuration

This attribute is enabled when the Security Token service agent uses Security Token service (STS) as the Security Mechanism. This configuration describes a list of STS agent profiles that are used to communicate with and secure the requests to the STS service.

Preserve Security Headers in Message

When enabled, this attribute defines that the SOAP security headers are preserved by the Security Token service agent for further processing.

Credential for User Token

The attribute represents the username/password shared secrets that are used by the Security Token service agent to generate a Username security token.

Signing and Encryption

The following attributes define signing and encryption configuration for the Security Token service:

Is Request signed

When enabled, the Security Token service agent signs the request using a given token type.

Is Request Header Encrypted

When enabled, the Security Token service agent security header will be encrypted.

Is Request Encrypted

When enabled, the Security Token service request will be encrypted.

Is Response Signature Verified

When enabled, the Security Token service response signature is verified.

Is Response Decrypted

When enabled, the Security Token service response will be decrypted.

Signing Reference Type

Defines the reference types used when the Security Token service signs the WSC response. The possible reference types are DircectReference, KeyIdentifier, and X509.

Encryption Algorithm

Defines the encryption algorithm used to encrypt the response.

Encryption Strength

Sets the encryption strength to encrypt the response. Select a greater value for greater encryption strength.

Key Store

The following attributes configure the keystore to be used for certificate storage and retrieval:

Public Key Alias of Web Service Provider

This attribute defines the public certificate key alias that is sued to encrypt the web service request or verify the signature of the web service response.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.

Key Storage Usage

This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:

Location of Key Store
Password of Key Store
Password of Key

End Points

The following attributes define web service endpoints:

Security Token Service End Point

This field takes a value equal to:

%protocol://%host:%port%uri/sts

This syntax allows for dynamic substitution of the Security Token Service Endpoint URL based on the specific session parameters.

Security Token Service MEX End Point

This field takes a value equal to:

%protocol://%host:%port%uri/sts/mex

This syntax allows for dynamic substitution of the Security Token Service MEX Endpoint URL based on the specific session parameters.

Kerberos Configuration

Kerberos Domain Server

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

Kerberos Service Principal

Specifies the Security Token Service principal registered with the KDC.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

Kerberos Ticket Cache Directory

2.2 Policy Agent

OpenSSO Enterprise is backward compatible with Policy Agent 2.2. Policy Agent 2.2 must be configured locally from the deployment container on which it is installed. Therefore, from the OpenSSO Enterprise Console, a very limited number of Policy Agent 2.2 options can be configured.

Password

The password was set when you created the agent profile. However, you can change the password at any time in the future.

Password Confirm

The confirmation of the password was performed when you created the agent profile. If you change the password, you must confirm the change.

Status

The Active option is selected when the agent is created. Choose Inactive only if you want to remove the protection the agent provides.

Description

A description of the agent, which you can add if desired.

Agent Key Value

A required setting when enabling CDSSO and when configuring the deployment to prevent cookie hijacking.

This attribute serves as a key in a pairing of a key and a value. This attribute is used by OpenSSO Enterprise to receive agent requests for credential assertions about users. Only one attribute is valid in this key-value pairing. All other attributes are ignored. Use the following format:

agentRootURL=protocol://hostname:port/

The entry must be precise. For example, the string representing the key, agentRootURL, is case sensitive.

Agent Authenticator

An agent authenticator is a type of agent that, once it is authenticated, can obtain the read-only data of agent profiles that are selected for the agent authenticator to read. The agent profiles can be of any type (J2EE, WSP, Discovery, and so forth), but must exist in the same realm. Users that have the agent authenticator's credentials (username and password) can read the agent profile data, but do not have the create, update, or delete permissions of the Agent Admin.

The agent Authenticator contains the following attributes:

Password

The password was set when you created the agent authenticator profile. However, you can change the password at any time in the future.

Password Confirm

The confirmation of the password was performed when you created the agent authenticator profile. If you change the password, you must confirm the change.

Status

The Active option is selected when the agent authenticator is created. Choose Inactive only if you want to remove the protection the agent provides.

Agent Profiles Allowed to Read

This attribute defines a list of OpenSSO Enterprise agents whose profile data is read by the agent authenticator. The agents can be of any type (J2EE, WSP, Discovery, and so forth), but must exist in the same realm. To add an agent to the list, select the agent name and click Add.