This chapter describes how to configure SAML holder-of-key (HOK) with message protection using WS-Trust with OpenSSO STS.
This chapter contains the following sections:
The use case summary helps you quickly determine whether information in this chapter meets your needs.
The following table summarizes the use case goals, solution, and components. Links to required documentation are also provided.
| Use Case | Configure SAML holder-of-key (HOK) with message protection using WS-Trust with OpenSSO STS. |
| Solution | Attach Oracle Web Services Manager (OWSM) SAML HOK with message protection using WS-Trust policies to the web service and client, and configure OpenSSO STS. |
| Components | |
This use case demonstrates the steps required to:
Attach the appropriate OWSM security policies to enforce SAML HOK with message-level protection using WS-Trust with OpenSSO STS.
The WS-Trust 1.3 specification defines extensions to WS-Security that provide a framework for requesting and issuing security tokens and for brokering trust relationships. WS-Trust extensions provide methods for issuing, renewing, and validating security tokens. To secure communication between a Web service client and a Web service, the two parties must exchange security credentials. As defined in the WS-Trust specification, these credentials can be obtained from a trusted Security Token Service (STS), which acts as a trust broker. That is, the Web service client and the Web service do not explicitly trust each other; instead, they implicitly trust each other because they both trust the STS. For more information, see "Overview of Web Services WS-Trust" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Specifically, you attach the following policies to the client and service, respectively:
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy and oracle/sts_trust_config_service_policy
Configure OpenSSO STS.
This use case consists of a Java EE web service and SOA Composite client.
This use case describes the following tasks to implement SAML HOK message protection using WS-Trust with OpenSSO STS:
To configure OpenSSO STS
Log in to the OpenSSO STS instance.
Navigate to Configuration > Global > Security Token Service.
Under Security: Security Mechanism: Security Token Accepted by STS Services, enable all options.
Under the Credential for User Token section, add a new credential for the token with the username and password set as required.
For this example, set the username and password both to test.
Under the On Behalf of Token section, select ldapService from the Authentication Chain for On Behalf of Token drop-down list.
Under the Signing section, enable the following options:
- Is Request Signature Verified
- Is Response Signed Enabled (select Body and Timestamp)
Under the Encryption section, enable the following options:
- Is Request Decrypted (select Body and Header)
- Is Response Encrypted
Select AES from the Encryption Algorithm drop-down list, and select 128 from the Encryption Strength drop-down list.
To support the WS-Security 1.1 Kerberos token with message protection requestor token, under the Kerberos Configuration section, configure the following values:
Table 7-1 OpenSSO STS Kerberos Token With Message Protection Configuration
| Configure this property . . . | To specify . . . | 
|---|---|
| Kerberos Domain Server | Fully qualified hostname of the domain server. | 
| Kerberos Domain | Domain name. | 
| Kerberos Service Principal | Service principal name in the following format:  | 
| Kerberos Key Tab File | Location of the key tab file created for the STS. | 
| Is Verify Kerberos Signature | Enable only when JDK6 is used. | 
To support SSL, perform the following steps:
In the Token Issuance Attributes section, edit the SSL Endpoint based on your OpenSSO instance.
Under Signing, enable the Disable signature validation when transport is secured with SSL option.
Under Encryption, enable the Disable decryption when transport is secured with SSL option.
To support SSL on the server hosting the OpenSSO STS:
On the WebLogic Server hosting the OpenSSO STS, to configure SSL, perform the steps described in "Configuring Keystores for SSL" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
On the GlassFish server hosting the OpenSSO STS, perform the following steps:
Generate a new key pair for the application server by issuing the following command:
keytool -genkey -keyalg <algorithm for generating the key pair> -keystore keystore.jks -validity <days> -alias <alias_name>
For example:
keytool -genkey -keyalg RSA -keystore <glassfish_install_dir>/domains/<sts_deploy_domain>/config/keystore.jks -validity 365 -alias owsm
When prompted for first and last name, enter the hostname of the machine for which the certificate is to be generated. Enter the appropriate details for the other prompts.
Generate a Certificate Signing Request (CSR) by issuing the following command:
keytool -certreq -alias owsm -file owsm.csr -keystore keystore.jks -storepass changeit
The request that is generated and written to the owsm.csr file needs to be submitted to a Certificate Authority in order to get a valid certificate. For example, the Certificate Management Server maintained by the OpenSSO QA team at https://mahogany.red.iplanet.com.
Access the Certificate Management Server at https://mahogany.red.iplanet.com, click SSL Server in the left pane, and paste the contents of the .csr file, starting from BEGIN CERTIFICATE REQUEST and ending at END CERTIFICATE REQUEST, into the PKCS # 10 Request field.
Fill out the other fields, as appropriate, and submit the request. Once the request is approved, the certificate can be retrieved from the retrieval tab on the same page.
Copy the certificate content (PKCS # 7 format) starting from BEGIN CERTIFICATE to END CERTIFICATE into a file with .cert extension and import the server certificate into the <glassfish_install_dir>/domains/<sts_deploy_domain>/config/keystore.jks file by using the following keytool command:
keytool -import -v -alias owsm -file owsm.cert -keystore keystore.jks -storepass changeit
Enter YES when prompted if you trust the certificate.
Access the Certificate Authority's SSL Certificate. Go to https://mahogany.red.iplanet.com and navigate to SSL Server -> Retrieval tab -> List Certificates -> Find. Click on the first Details button on the page and copy the Base 64 encoded certificate into another .cert file. For example: mahogany.cert
Import this certificate with alias as rootca into the <glassfish_install_dir>/domains/<sts_deploy_domain>/config/cacerts.jks file, using the following command:
keytool -import -v -alias rootca -file mahogany.cert -keystore cacerts.jks -storepass changeit
The previous step may need to be repeated for the client-side truststore.jks file. Delete any existing rootca aliases from that file and import the new one as shown above (changing the location of the keystore file).
To configure GlassFish with the new certificate, access the Administration Console at http://hostname:admin-port/, navigate to Configuration -> HTTP Service -> http-listener2 (default SSL enabled port) -> SSL, and change the certificate nickname from s1as (self-signed cert) to owsm.
Restart GlassFish.
To configure SAML holder-of-key with message protection using WS-Trust with OpenSSO STS:
Configure the STS service policy. For the complete procedure, see "Configuring a Policy for Automatic Policy Configuration" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Make a copy of oracle/sts_trust_config_service_policy and edit the policy configuration, as described below, based on the requestor token type.
To support WS-Security 1.0 username token with message protection requestor token:
orasp:port-uri="http://<host>:<port>/openssosts/sts/wss10un"
orasp:wsdl-uri="http://<host>:<port>/openssosts/sts/wss10un?wsdl" (Optional)
To support WS-Security 1.0 username token over SSL with message protection requestor token:
orasp:port-uri="https://<host>:<sslport>/openssosts/sts/tlswss10un"
orasp:wsdl-uri="https://<host>:<sslport>/openssosts/sts/tlswss10un?wsdl" (Optional)
To support WS-Security 1.0 X509 token with message protection requestor token:
orasp:port-uri="http://<host>:<port>/openssosts/sts/wss10x509"
orasp:wsdl-uri="http://<host>:<port>/openssosts/sts/wss10x509?wsdl" (Optional)
To support WS-Security 1.1 Kerberos token with message protection requestor token:
orasp:port-uri="http://<host>:<port>/openssosts/sts/wss11kerberos"
orasp:wsdl-uri="http://<host>:<port> (Optional)
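The endpoint overrides above are easy to mistype, and a wrong scheme on the TLS endpoint or a WSDL URI that points elsewhere than the port URI only shows up at runtime. The following Python snippet is an added example, not part of the Oracle documentation or the OWSM product: it builds the two overrides for a chosen requestor token type and lints an existing sts-trust-config fragment. The `<orasp:sts-trust-config>` element, the namespace URI and the sample host and ports are assumptions; only the attribute names and endpoint paths come from this chapter.

```python
"""Build and lint orasp:port-uri / orasp:wsdl-uri overrides for a copy of
oracle/sts_trust_config_service_policy that points at OpenSSO STS."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ORASP = "http://schemas.oracle.com/ws/2006/01/securitypolicy"  # assumed namespace

# Requestor token type -> (OpenSSO STS endpoint path, endpoint requires TLS), per the chapter.
STS_ENDPOINTS = {
    "wss10_username": ("/openssosts/sts/wss10un", False),
    "wss10_username_ssl": ("/openssosts/sts/tlswss10un", True),
    "wss10_x509": ("/openssosts/sts/wss10x509", False),
    "wss11_kerberos": ("/openssosts/sts/wss11kerberos", False),
}

def sts_trust_config(host, port, token_type):
    """Return the two attribute overrides for the given requestor token type."""
    path, tls = STS_ENDPOINTS[token_type]
    port_uri = f"{'https' if tls else 'http'}://{host}:{port}{path}"
    return {"orasp:port-uri": port_uri, "orasp:wsdl-uri": port_uri + "?wsdl"}

def lint_sts_trust_config(xml_fragment):
    """Check a fragment's overrides against the chapter's endpoint list.
    Returns a list of problems; an empty list means the overrides are consistent."""
    el = ET.fromstring(xml_fragment)
    port_uri = el.get(f"{{{ORASP}}}port-uri")
    wsdl_uri = el.get(f"{{{ORASP}}}wsdl-uri")
    if not port_uri:
        return ["orasp:port-uri is missing"]
    problems = []
    parts = urlsplit(port_uri)
    known = {path: tls for path, tls in STS_ENDPOINTS.values()}
    if parts.path not in known:
        problems.append(f"unknown OpenSSO STS endpoint path {parts.path!r}")
    elif known[parts.path] and parts.scheme != "https":
        problems.append("tlswss10un endpoint must be reached over https")
    if wsdl_uri is not None and wsdl_uri != port_uri + "?wsdl":
        problems.append("orasp:wsdl-uri does not match orasp:port-uri + '?wsdl'")
    return problems

# Constructed sample fragments (hostname and ports are placeholders).
SAMPLE_OK = (f'<orasp:sts-trust-config xmlns:orasp="{ORASP}" '
             'orasp:port-uri="http://sts.example.com:8080/openssosts/sts/wss10x509" '
             'orasp:wsdl-uri="http://sts.example.com:8080/openssosts/sts/wss10x509?wsdl"/>')
SAMPLE_BAD = (f'<orasp:sts-trust-config xmlns:orasp="{ORASP}" '
              'orasp:port-uri="http://sts.example.com:8181/openssosts/sts/tlswss10un" '
              'orasp:wsdl-uri="http://sts.example.com:8080/openssosts/sts/wss10un?wsdl"/>')

if __name__ == "__main__":
    print(sts_trust_config("sts.example.com", 8181, "wss10_username_ssl"))
    print(lint_sts_trust_config(SAMPLE_OK), lint_sts_trust_config(SAMPLE_BAD))
```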
Configure the Web service. For the complete procedure, see "Configuring a Web Service for Automatic Policy Configuration" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy created in step 1, followed by the oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy to the Java EE web service. For the complete procedure, see "Attaching Policies Directly to a Single Subject Using Fusion Middleware Control" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Note:
By default, the oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy policy is configured with a token type of SAML 1.1. If you wish to configure the token type to be SAML 2.0, you must make a copy of the policy and edit it, as described in "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager. (This value should match the client policy.)
Configure the Web service client policy. For the complete procedure, see "Configuring a Web Service Client for Automatic Policy Configuration" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy policy to the SOA composite client and override the client configuration properties, described in "oracle/ws11_sts_issued_saml_hok_with_message_protection_client_template" in Securing Web Services and Managing Policies with Oracle Web Services Manager, as required for your requestor token.
The sts.auth.user.csf.key property should be set to the user credentials available in the default OpenSSO STS configuration, namely username test with password test. It is not required for the X509 requestor token.
For more information about overriding client configuration properties when attaching a policy, see "Attaching Policies Directly to Web Service Clients Using Fusion Middleware Control" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Note:
By default, the oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy policy is configured with a token type of SAML 1.1. If you wish to configure the token type to be SAML 2.0, you must make a copy of the policy and edit it, as described in "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
See the following resources for more information about the technologies and tools used to implement the solutions in this chapter: