You can refer to the use case description, solution summary, components involved, and the linked documentation resources to configure SAML bearer using WS-Trust with OpenSSO STS.
Configure SAML bearer using WS-Trust with OpenSSO STS.
Attach Oracle Web Services Manager (OWSM) SAML bearer with message protection using WS-Trust policies to the web service and client, and configure OpenSSO STS.
Oracle WebLogic Server
Oracle Web Services Manager (OWSM)
Web service and client applications to be secured
This use case demonstrates the steps required to:
- Attach the appropriate OWSM security policies to enforce SAML bearer with message-level protection using WS-Trust with OpenSSO STS.
- Configure OpenSSO STS.
The WS-Trust 1.3 specification defines extensions to WS-Security that provide a framework for requesting and issuing security tokens, and to broker trust relationships. WS-Trust extensions provide methods for issuing, renewing, and validating security tokens. To secure communication between a Web service client and a Web service, the two parties must exchange security credentials. As defined in the WS-Trust specification, these credentials can be obtained from a trusted Security Token Service (STS), which acts as trust broker. That is, the Web service client and the Web service do not explicitly trust each other; instead, they implicitly trust each other because they both trust the STS. For more information, see "Overview of Web Services WS-Trust" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Specifically, you attach the following policies to the client and service, respectively:
This use case consists of a Java EE web service and SOA Composite client.
For more information on how to implement this use case, see Use Case: Implementing SAML Bearer Using WS-Trust with OpenSSO STS.
To implement the use case, configure OpenSSO STS, and then configure SAML bearer with message protection using WS-Trust with OpenSSO STS.
To implement the use case SAML Bearer Using WS-Trust with OpenSSO STS, first configure OpenSSO STS.
To configure OpenSSO STS:
Log in to the OpenSSO STS instance.
Navigate to Configuration > Global > Security Token Service.
Under Security: Security Mechanism: Security Token Accepted by STS Services, enable all options.
Under the Credential for User Token section, add a new credential for the token with the username and password set as required.
For this example, set the username and password both to test.
Under the On Behalf of Token section, select ldapService from the Authentication Chain for On Behalf of Token drop-down list.
Under the Signing section, enable the following options:
- Is Request Signature Verified
- Is Response Signed Enabled (select Body and Timestamp)
Under the Encryption section, enable the following options:
- Is Request Decrypted (select Body and Header)
- Is Response Encrypted
Select AES from the Encryption Algorithm drop-down list, and select 128 from the Encryption Strength drop-down list.
To support the WS-Security 1.1 Kerberos token with message protection requestor token, under the Kerberos Configuration section, configure the following values:
- Kerberos Domain Server: Fully qualified hostname of the domain server.
- Kerberos Service Principal: Service principal name in the following format: <host>/<machine name>@<REALM NAME>
- Kerberos Key Tab File: Location of the key tab file created for the STS.
- Is Verify Kerberos Signature: Enable only when JDK6 is used.
To support SSL, perform the following steps:
In the Token Issuance Attributes section, edit the SSL Endpoint based on your OpenSSO instance.
Under Signing, enable the Disable signature validation when transport is secured with SSL option.
Under Encryption, enable the Disable decryption when transport is secured with SSL option.
To support SSL on the server hosting the OpenSSO STS:
On the WebLogic Server hosting the OpenSSO STS, to configure SSL, perform the steps described in "Configuring Keystores for SSL" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
On the GlassFish server hosting the OpenSSO STS, perform the following steps:
Generate a new key pair for the application server by issuing the following command:
keytool -genkey -keyalg <algorithm for generating the key pair> -keystore keystore.jks -validity <days> -alias <alias_name>
For example:
keytool -genkey -keyalg RSA -keystore <glassfish_install_dir>/domains/<sts_deploy_domain>/config/keystore.jks -validity 365 -alias owsm
When prompted for first and last name, enter the hostname of the machine for which the certificate is to be generated. Enter the appropriate details for the other prompts.
Generate a Certificate Signing Request (CSR) by issuing the following command:
keytool -certreq -alias owsm -file owsm.csr -keystore keystore.jks -storepass changeit
The request that is generated and written to the owsm.csr file needs to be submitted to a Certificate Authority in order to get a valid certificate. For example, the Certificate Management Server maintained by the OpenSSO QA team at https://mahogany.red.iplanet.com.
Access the Certificate Management Server at https://mahogany.red.iplanet.com, click SSL Server in the left pane, and paste the contents of the .csr file, starting from BEGIN CERTIFICATE REQUEST and ending at END CERTIFICATE REQUEST, into the PKCS # 10 Request field.
Fill out the other fields, as appropriate, and submit the request. Once the request is approved, the certificate can be retrieved from the retrieval tab on the same page.
Copy the certificate content (PKCS # 7 format) starting from BEGIN CERTIFICATE to END CERTIFICATE into a file with .cert extension and import the server certificate into the <glassfish_install_dir>/domains/<sts_deploy_domain>/config/keystore.jks file by using the following keytool command:
keytool -import -v -alias owsm -file owsm.cert -keystore keystore.jks -storepass changeit
Enter YES when prompted if you trust the certificate.
Access the Certificate Authority's SSL Certificate. Go to https://mahogany.red.iplanet.com and navigate to SSL Server -> Retrieval tab -> List Certificates -> Find. Click on the first Details button on the page and copy the Base 64 encoded certificate into another .cert file, for example mahogany.cert.
Import this certificate with alias rootca into the <glassfish_install_dir>/domains/<sts_deploy_domain>/config/cacerts.jks file, using the following command:
keytool -import -v -alias rootca -file mahogany.cert -keystore cacerts.jks -storepass changeit
The previous step may need to be repeated for the client-side truststore.jks file. Delete any existing rootca aliases from that file and import the new one as shown above (changing the location of the keystore file).
To configure GlassFish with the new certificate, access the Administration Console at http://hostname:admin-port/, navigate to Configuration -> HTTP Service -> http-listener2 (default SSL enabled port) -> SSL, and change the certificate nickname from s1as (self-signed cert) to
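The keystore procedure above, run end to end as an added example that is not part of Oracle's documentation: a throwaway local CA (alias rootca, created with keytool -gencert) stands in for the Certificate Management Server named on the page, so the whole flow runs offline. The hostname sts.example.test, the working directory, and the store password are constructed values; the directory plays the role of <glassfish_install_dir>/domains/<sts_deploy_domain>/config.

```shell
#!/bin/sh
# Added example (not Oracle's script): GlassFish STS keystore setup against a
# local demo CA. Hostname, paths and password below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"               # stands in for the domain's config directory
STOREPASS="${STOREPASS:-changeit}"         # the page's default; use a real secret in production
STS_HOST="${STS_HOST:-sts.example.test}"   # constructed STS hostname, used in CN and SAN
KT="keytool"

# 1. Server key pair for the STS, alias owsm (page step: keytool -genkey ... -alias owsm).
gen_server_key() {
  "$KT" -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias owsm \
    -dname "CN=$STS_HOST, OU=STS, O=Example, C=US" \
    -keystore "$WORK/keystore.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# 2. CSR to hand to the CA (page step: keytool -certreq ... -file owsm.csr).
gen_csr() {
  "$KT" -certreq -alias owsm -file "$WORK/owsm.csr" \
    -keystore "$WORK/keystore.jks" -storepass "$STOREPASS"
}

# 3. Demo CA: signs the CSR and exports its own certificate in PEM form.
#    This replaces the "submit to the Certificate Management Server" step.
demo_ca_sign() {
  "$KT" -genkeypair -keyalg RSA -keysize 2048 -validity 3650 -alias rootca \
    -dname "CN=Demo Root CA, O=Example, C=US" -ext bc:c \
    -keystore "$WORK/ca.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
  "$KT" -gencert -alias rootca -keystore "$WORK/ca.jks" -storepass "$STOREPASS" \
    -infile "$WORK/owsm.csr" -outfile "$WORK/owsm.cert" -rfc -validity 365 \
    -ext "san=dns:$STS_HOST"
  "$KT" -exportcert -alias rootca -rfc -file "$WORK/rootca.cert" \
    -keystore "$WORK/ca.jks" -storepass "$STOREPASS"
}

# 4. Install the signed certificate on the STS keystore. keytool accepts a reply
#    for a private-key alias only when it can build the chain, so the issuer's
#    certificate goes in first (a PKCS#7 reply that carries the chain would not need this).
install_server_cert() {
  "$KT" -importcert -noprompt -alias rootca -file "$WORK/rootca.cert" \
    -keystore "$WORK/keystore.jks" -storepass "$STOREPASS"
  "$KT" -importcert -noprompt -alias owsm -file "$WORK/owsm.cert" \
    -keystore "$WORK/keystore.jks" -storepass "$STOREPASS"
}

# 5. Trust the CA on both sides: server cacerts.jks and client truststore.jks.
#    Any stale rootca alias is deleted first, as the page instructs.
trust_ca() {
  for store in cacerts.jks truststore.jks; do
    if "$KT" -list -alias rootca -keystore "$WORK/$store" -storepass "$STOREPASS" >/dev/null 2>&1; then
      "$KT" -delete -alias rootca -keystore "$WORK/$store" -storepass "$STOREPASS"
    fi
    "$KT" -importcert -noprompt -alias rootca -file "$WORK/rootca.cert" \
      -keystore "$WORK/$store" -storepass "$STOREPASS"
  done
}

# Check: the owsm entry should now carry a two-certificate chain (server + CA).
chain_length() {
  "$KT" -list -v -alias owsm -keystore "$WORK/keystore.jks" -storepass "$STOREPASS" \
    | sed -n 's/.*Certificate chain length: *\([0-9][0-9]*\).*/\1/p'
}

run_demo() {
  gen_server_key; gen_csr; demo_ca_sign; install_server_cert; trust_ca
  echo "keystores written under $WORK; owsm chain length: $(chain_length)"
}

if command -v "$KT" >/dev/null 2>&1; then run_demo; else echo "keytool not found; skipping" >&2; fi
```

The chain-length check is the practical test that the import worked: a value of 1 means the owsm entry still holds only its self-signed certificate, which is what you see when the reply import failed or was skipped, and GlassFish would then present an untrusted certificate even though the nickname points at the right alias. trust_ca can be re-run safely, which is what the page's "delete any existing rootca aliases" step amounts to.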
After configuring the OpenSSO STS, configure SAML bearer with message protection using WS-Trust with OpenSSO STS.
Make a copy of
oracle/sts_trust_config_service_policy and edit the policy configuration, as described below, based on the requestor token type.
To support WS-Security 1.0 username token with message protection requestor token:
To support WS-Security 1.0 username token over SSL with message protection requestor token:
To support WS-Security 1.0 X509 token with message protection requestor token:
To support WS-Security 1.1 Kerberos token with message protection requestor token:
Attach the policy created in step 1 followed by the oracle/wss11_sts_issued_saml_bearer_token_over_ssl_service_policy. For the complete procedure, see "Attaching Policies Directly to a Single Subject Using Fusion Middleware Control" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the oracle/ws11_sts_issued_saml_bearer_token_over_ssl_client_policy policy to the SOA composite client and override the client configuration properties described in "oracle/ws11_sts_issued_saml_bearer_token_over_ssl_client_template" in Securing Web Services and Managing Policies with Oracle Web Services Manager, as required for your requestor token. For the complete procedure, see "Attaching Policies Directly to a Single Subject Using Fusion Middleware Control" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
The sts.auth.user.csf.key property should be set to the user credentials available in the default OpenSSO STS configuration, namely username test with password test. It is not required for the X509 requestor token.
For more information about overriding client configuration properties when attaching a policy, see "Attaching Policies Directly to Web Service Clients Using Fusion Middleware Control" in Securing Web Services and Managing Policies with Oracle Web Services Manager.