10 Configuring SAML Bearer Using WS-Trust with OpenSSO STS
You can refer to the use case description, solution summary, components involved, and the linked documentation resources to configure SAML bearer using WS-Trust with OpenSSO STS.
- Use Case: Configure SAML bearer using WS-Trust with OpenSSO STS.
- Solution: Attach Oracle Web Services Manager (OWSM) SAML bearer with message protection using WS-Trust policies to the web service and client, and configure OpenSSO STS.
- Components:
  - Oracle WebLogic Server
  - Oracle Web Services Manager (OWSM)
  - OpenSSO STS
  - Web service and client applications to be secured
- Additional Resources on Oracle Web Services Manager
This use case demonstrates the steps required to:
- Attach the appropriate OWSM security policies to enforce SAML bearer with message-level protection using WS-Trust with OpenSSO STS.
  The WS-Trust 1.3 specification defines extensions to WS-Security that provide a framework for requesting and issuing security tokens and for brokering trust relationships. WS-Trust extensions provide methods for issuing, renewing, and validating security tokens. To secure communication between a Web service client and a Web service, the two parties must exchange security credentials. As defined in the WS-Trust specification, these credentials can be obtained from a trusted Security Token Service (STS), which acts as trust broker. That is, the Web service client and the Web service do not explicitly trust each other; instead, they implicitly trust each other because they both trust the STS. For more information, see "Overview of Web Services WS-Trust" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
  Specifically, you attach the following policies to the client and service, respectively:
  - oracle/wss11_sts_issued_saml_bearer_token_over_ssl_client_policy
  - oracle/wss11_sts_issued_saml_bearer_token_over_ssl_service_policy and oracle/sts_trust_config_service_policy
- Configure OpenSSO STS.
This use case consists of a Java EE web service and SOA Composite client.
For more information on how to implement this use case, see Use Case: Implementing SAML Bearer Using WS-Trust with OpenSSO STS.
10.1 Use Case: Implementing SAML Bearer Using WS-Trust with OpenSSO STS
To implement the use case, first configure OpenSSO STS, and then configure SAML bearer with message protection using WS-Trust with OpenSSO STS.
10.1.1 Configuring OpenSSO STS to Implement SAML Bearer
To implement the use case SAML Bearer Using WS-Trust with OpenSSO STS, first configure OpenSSO STS.
To configure OpenSSO STS:
- Log in to the OpenSSO STS instance.
- Navigate to Configuration > Global > Security Token Service.
- Under Security: Security Mechanism: Security Token Accepted by STS Services, enable all options.
- Under the Credential for User Token section, add a new credential for the token with the username and password set as required. For this example, set the username and password both to password.
- Under the On Behalf of Token section, select ldapService from the Authentication Chain for On Behalf of Token drop-down list.
- Under the Signing section, enable the following options:
  - Is Request Signature Verified
  - Is Response Signed Enabled (select Body and Timestamp)
- Under the Encryption section, enable the following options:
  - Is Request Decrypted (select Body and Header)
  - Is Response Encrypted
- Select AES from the Encryption Algorithm drop-down list, and select 128 from the Encryption Strength drop-down list.
- To support the WS-Security 1.1 Kerberos token with message protection requestor token, configure the following values under the Kerberos Configuration section:
  - Kerberos Domain Server: fully qualified hostname of the domain server.
  - Kerberos Domain: domain name.
  - Kerberos Service Principal: service principal name in the following format: <host>/<machine name>@<REALM NAME>
  - Kerberos Key Tab File: location of the key tab file created for the STS.
  - Is Verify Kerberos Signature: enable only when JDK6 is used.
- To support SSL, perform the following steps:
  - In the Token Issuance Attributes section, edit the SSL Endpoint based on your OpenSSO instance.
  - Under Signing, enable the Disable signature validation when transport is secured with SSL option.
  - Under Encryption, enable the Disable decryption when transport is secured with SSL option.
- To support SSL on the server hosting the OpenSSO STS:
  On the WebLogic Server hosting the OpenSSO STS, to configure SSL, perform the steps described in "Configuring Keystores for SSL" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
  On the GlassFish server hosting the OpenSSO STS, perform the following steps:
  - Generate a new key pair for the application server by issuing the following command:
        keytool -genkey -keyalg <algorithm for generating the key pair> -keystore keystore.jks -validity <days> -alias <alias_name>
    For example:
        keytool -genkey -keyalg RSA -keystore <glassfish_install_dir>/domains/<sts_deploy_domain>/config/keystore.jks -validity 365 -alias owsm
    When prompted for first and last name, enter the hostname of the machine for which the certificate is to be generated. Enter the appropriate details for the other prompts.
  - Generate a Certificate Signing Request (CSR) by issuing the following command:
        keytool -certreq -alias owsm -file owsm.csr -keystore keystore.jks -storepass changeit
    The request that is generated and written to the owsm.csr file needs to be submitted to a Certificate Authority in order to get a valid certificate. For example, the Certificate Management Server maintained by the OpenSSO QA team at https://mahogany.red.iplanet.com.
  - Access the Certificate Management Server at https://mahogany.red.iplanet.com, click SSL Server in the left pane, and paste the contents of the .csr file, starting from BEGIN CERTIFICATE REQUEST and ending at END CERTIFICATE REQUEST, into the PKCS #10 Request field. Fill out the other fields, as appropriate, and submit the request. Once the request is approved, the certificate can be retrieved from the Retrieval tab on the same page.
  - Copy the certificate content (PKCS #7 format) starting from BEGIN CERTIFICATE to END CERTIFICATE into a file with a .cert extension and import the server certificate into the <glassfish_install_dir>/domains/<sts_deploy_domain>/config/keystore.jks file by using the following keytool command:
        keytool -import -v -alias owsm -file owsm.cert -keystore keystore.jks -storepass changeit
    Enter YES when prompted if you trust the certificate.
  - Access the Certificate Authority's SSL certificate. Go to https://mahogany.red.iplanet.com and navigate to SSL Server -> Retrieval tab -> List Certificates -> Find. Click the first Details button on the page and copy the Base64-encoded certificate into another .cert file, for example mahogany.cert.
  - Import this certificate with the alias rootca into the <glassfish_install_dir>/domains/<sts_deploy_domain>/config/cacerts.jks file, using the following command:
        keytool -import -v -alias rootca -file mahogany.cert -keystore cacerts.jks -storepass changeit
  - The previous step may need to be repeated for the client-side truststore.jks file. Delete any existing rootca aliases from that file and import the new one as shown above (changing the location of the keystore file).
  - To configure GlassFish with the new certificate, access the Administration Console at http://hostname:admin-port/, navigate to Configuration -> HTTP Service -> http-listener2 (default SSL enabled port) -> SSL, and change the certificate nickname from s1as (self-signed cert) to owsm.
  - Restart GlassFish.
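The GlassFish keystore procedure above, carried through end to end as an added example (this script is not part of the Oracle documentation and is not OpenSSO or OWSM code). It assumes a throw-away local CA created with keytool stands in for the Certificate Management Server, a placeholder hostname sts.example.test, and the store password changeit used on the page (overridable through the STOREPASS environment variable). It produces the same three stores the page works with (keystore.jks with the owsm private key and its signed certificate, cacerts.jks and a client truststore.jks holding the CA under the rootca alias), replaces any stale rootca entry on re-runs as the page's note on truststore.jks requires, and finishes by checking that the owsm entry carries a complete two-certificate chain.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: build keystore.jks,
# cacerts.jks and truststore.jks for an STS host with a local test CA
# (assumption) in place of the external Certificate Management Server.
set -eu

STOREPASS="${STOREPASS:-changeit}"   # same default as the page; override in real deployments

# Create a throw-away root CA and export its certificate in PEM (rootca.cert).
make_test_ca() {
  dir="$1"
  keytool -genkeypair -alias rootca -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=Local Test CA, O=Example" \
    -ext bc=ca:true -ext ku=keyCertSign,cRLSign \
    -keystore "$dir/ca.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -exportcert -rfc -alias rootca -file "$dir/rootca.cert" \
    -keystore "$dir/ca.jks" -storepass "$STOREPASS"
}

# Server key pair, CSR, signed certificate (signed here by the local CA),
# and import of the reply into keystore.jks under the owsm alias.
make_server_keystore() {
  dir="$1"; host="$2"
  keytool -genkeypair -alias owsm -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$host, O=Example" \
    -keystore "$dir/keystore.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -certreq -alias owsm -file "$dir/owsm.csr" \
    -keystore "$dir/keystore.jks" -storepass "$STOREPASS"
  keytool -gencert -rfc -alias rootca -validity 365 \
    -ext "san=dns:$host" -ext eku=serverAuth \
    -infile "$dir/owsm.csr" -outfile "$dir/owsm.cert" \
    -keystore "$dir/ca.jks" -storepass "$STOREPASS"
  # The issuer must already be trusted in the keystore, otherwise keytool
  # cannot build a chain for the reply and rejects the import.
  keytool -importcert -noprompt -alias rootca -file "$dir/rootca.cert" \
    -keystore "$dir/keystore.jks" -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias owsm -file "$dir/owsm.cert" \
    -keystore "$dir/keystore.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Install the CA certificate in a trust store, deleting any stale rootca
# entry first (the page's note for the client-side truststore.jks).
install_root_ca() {
  store="$1"; cacert="$2"
  if [ -f "$store" ]; then
    keytool -delete -alias rootca -keystore "$store" -storepass "$STOREPASS" 2>/dev/null || true
  fi
  keytool -importcert -noprompt -alias rootca -file "$cacert" \
    -keystore "$store" -storepass "$STOREPASS"
}

# Succeeds only if the owsm entry holds a two-certificate chain (server + CA).
verify_server_chain() {
  keytool -list -v -alias owsm -keystore "$1/keystore.jks" -storepass "$STOREPASS" \
    | grep -q 'Certificate chain length: 2'
}

# dir: the domain's config directory; host: the STS hostname for the certificate.
setup_sts_keystores() {
  dir="$1"; host="${2:-sts.example.test}"
  mkdir -p "$dir"
  rm -f "$dir/ca.jks" "$dir/keystore.jks"   # regenerate key material; trust stores are updated in place
  make_test_ca "$dir"
  make_server_keystore "$dir" "$host"
  install_root_ca "$dir/cacerts.jks" "$dir/rootca.cert"
  install_root_ca "$dir/truststore.jks" "$dir/rootca.cert"
  verify_server_chain "$dir"
}

if command -v keytool >/dev/null 2>&1; then
  setup_sts_keystores "${1:-./sts-keys}" "${2:-sts.example.test}" \
    && echo "keystores written to ${1:-./sts-keys}"
else
  echo "keytool not found on PATH; a JDK is required" >&2
fi
```

Run it as `sh sts-keystores.sh <glassfish_install_dir>/domains/<sts_deploy_domain>/config sts.example.test` with a JDK on the PATH. The password changeit is the JDK's default keystore password and is used here only to match the page; set STOREPASS to the domain's real keystore password before running against a deployment. Importing the issuer before the certificate reply is what replaces the page's interactive "Enter YES when prompted if you trust the certificate" step: the chain is validated against a CA you placed in the store deliberately, rather than accepted at a prompt.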