Configuring a Security Token Service (STS) for Sender-Vouches Processing
To configure a Security Token Service (STS) for SAML Sender-Vouches processing:
1. In Integration Server, create a keystore that acts as the keystore for the STS, as described in the Keystores and Truststores section in the webMethods Integration Server Administrator’s Guide.
2. Open the Integration Server Administrator if it is not already open.
3. In the Navigation panel, select Solutions > Mediator > STS.
The Security Token Service (STS) Configuration page is displayed.
4. If you want to use Integration Server’s default STS, select DefaultSTS and proceed to step 5.
If you want to use a third-party STS, proceed to step 7.
Note: If you want to use TcpMon to view the request or response, edit the default endpoint displayed on this page to point to the TcpMon port and forward the request to the actual STS endpoint. This can be useful if Mediator sends back a SOAP fault to the client with an error about retrieving the SAML token.
5. If you selected Integration Server’s default STS (DefaultSTS), edit the corresponding configuration file to specify the keystore and alias so that the STS can sign the SAML assertion it is issuing.
The configuration file is present at the following location:
Integration Server_directory\instances\instance_name\config\security\saml\esb_sts.xml
Use the comments as a guide to configure this file for your system. The contents of the file are as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!-- This configuration file is used to configure the IntegrationServer
     token issuer that generates the SAML Sender Vouches token for Mediator
     outbound requests -->
<IDataXMLCoder version="1.0">
  <record javaclass="com.wm.data.ISMemDataImpl">
    <!-- IssuerName - will be used as the IssuerName for each SAML token
         issued by this Service; the default value is ESB_STS -->
    <value name="IssuerName">ESB_STS</value>
    <!-- IssuerKeystoreAlias - specify an Integration Server Keystore
         Alias that contains the private keys that can be used to sign the
         generated SAML Assertion -->
    <value name="IssuerKeystoreAlias">STS</value>
    <!-- IssuerKeyAlias - the name of the key alias within the
         IssuerKeystoreAlias that points to the private key files -->
    <value name="IssuerKeyAlias">sts</value>
    <!-- TimeToLiveSeconds - how long in seconds the generated token
         should be valid; the default is 300 seconds (i.e. 5 minutes) from the
         time of token creation -->
    <number name="TimeToLiveSeconds" type="java.lang.Integer">300</number>
  </record>
</IDataXMLCoder>
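Before restarting Integration Server it is worth checking that the edited file still parses and that the four settings are sane, because an empty alias or an oversized token lifetime only shows up later as a signing failure or as an assertion that stays valid far longer than intended. The following is an added example (not Software AG code): it reads the IDataXMLCoder format shown above into a dict and reports findings. The sample file is a constructed copy of the default contents, and the 3600-second ceiling is this example's own policy assumption, not a product limit.

```python
"""Parse and sanity-check the DefaultSTS issuer configuration (esb_sts.xml).

Added example; not part of the product documentation or product code.
The file format (IDataXMLCoder <record> with <value>/<number> children) and
the four setting names follow the sample above; the ceiling enforced by
check_sts_config is an assumption made for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the default file contents from the page, comments omitted.
SAMPLE_ESB_STS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<IDataXMLCoder version="1.0">
  <record javaclass="com.wm.data.ISMemDataImpl">
    <value name="IssuerName">ESB_STS</value>
    <value name="IssuerKeystoreAlias">STS</value>
    <value name="IssuerKeyAlias">sts</value>
    <number name="TimeToLiveSeconds" type="java.lang.Integer">300</number>
  </record>
</IDataXMLCoder>
"""

# Assumed policy ceiling for assertion lifetime (not a product limit).
MAX_TTL_SECONDS = 3600


def load_sts_config(xml_text):
    """Return the settings in the <record> as a dict keyed by the name attribute.

    <value> children are returned as str, <number> children as int.
    Comments in the file are ignored by the parser, so only elements are seen.
    """
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    record = root.find("record")
    if record is None:
        raise ValueError("no <record> element in STS configuration")
    cfg = {}
    for child in record:
        name = child.get("name")
        if name is None:
            continue
        text = (child.text or "").strip()
        if child.tag == "number":
            cfg[name] = int(text)  # type="java.lang.Integer" in the sample
        else:
            cfg[name] = text
    return cfg


def check_sts_config(cfg):
    """Return a list of findings; an empty list means the config looks sound."""
    findings = []
    for key in ("IssuerName", "IssuerKeystoreAlias", "IssuerKeyAlias"):
        if not cfg.get(key):
            findings.append(f"{key} is missing or empty")
    ttl = cfg.get("TimeToLiveSeconds")
    if not isinstance(ttl, int):
        findings.append("TimeToLiveSeconds is missing or not an integer")
    elif ttl <= 0:
        findings.append("TimeToLiveSeconds must be positive")
    elif ttl > MAX_TTL_SECONDS:
        findings.append(
            f"TimeToLiveSeconds={ttl} exceeds the assumed ceiling of "
            f"{MAX_TTL_SECONDS}s")
    return findings


if __name__ == "__main__":
    config = load_sts_config(SAMPLE_ESB_STS_XML)
    print(config)
    print(check_sts_config(config) or "no findings")
```

Run it against the real file by passing the bytes of esb_sts.xml to load_sts_config; the aliases it reports must match a keystore alias and key alias that actually exist in Integration Server, which this script cannot verify on its own.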
6. After you edit the file, restart Integration Server.
The DefaultSTS is now ready to issue SAML tokens.
7. Alternatively, you can use a third-party STS that has been defined in the Integration Server (as described in the Web Services Developer’s Guide, in the section Securing Web Services Using Policies Based on WS-SecurityPolicy). To do this, click Add new STS configuration and set the parameters on the Add Security Token Service (STS) Configuration screen as follows:
For this parameter... | Specify...
Name | A unique name for the STS being configured. If this value changes after creating an STS, the previous STS configuration is deleted and replaced with the new one.
Endpoint | The STS endpoint to which Mediator sends the WS-Trust request to obtain the SAML token.
Token Type | The type of token that Mediator must request from the STS. Value can be SAML_11 or SAML_20.
WS-Trust Version | The version of WS-Trust that Mediator must use to send the RST to the SAML Issuer. Value can be VERSION_05_02 or VERSION_05_12.
Time To Live (TTL) | Indicates the time-to-live value in seconds that is specified in the RST. If not specified, the default is 300 seconds (5 minutes).
KeyStore / Signing Alias / Encryption Alias | Select a configured IS keystore. If the STS requires a signed and encrypted request, also specify the signing alias and the encryption alias.
HTTP Basic Authentication Username and Password | If the STS requires authentication, enter the HTTP username and password.
WS-Security Username | The WS-Security username token to send to the STS.
WS-Security Password | The password of the WS-Security username token.
WS-Security Password Type | The type of password of the WS-Security username token.
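The Token Type, WS-Trust Version and TTL settings in this table correspond to identifiers in the WS-Trust RequestSecurityToken (RST) that Mediator sends to the endpoint. The following added example (not Mediator's code, and not the exact message it emits) builds an Issue RST from those three settings using the standard WS-Trust 2005/02 and 1.3 (200512) namespaces and the WSS SAML Token Profile 1.1 token type URIs, and parses one back, which is handy when inspecting a request captured with TcpMon as the Note above suggests. The WS-Security header (username token, signature, encryption) configured by the remaining rows is not built here.

```python
"""Build and inspect the WS-Trust Issue RST described by the STS settings.

Added example; not Mediator's own code or its actual wire format. The URIs
are the standard identifiers from WS-Trust and the WSS SAML Token Profile 1.1;
the element layout (TokenType, RequestType, Lifetime) is the RST structure
those specifications define. No WS-Security header is produced.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Mediator "WS-Trust Version" value -> WS-Trust namespace (RequestType is <ns>/Issue).
WS_TRUST_NS = {
    "VERSION_05_02": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "VERSION_05_12": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
}

# Mediator "Token Type" value -> token type URI from the WSS SAML Token Profile 1.1.
TOKEN_TYPE_URI = {
    "SAML_11": "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
    "SAML_20": "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
}

DEFAULT_TTL_SECONDS = 300  # the page's default when Time To Live is left blank
_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_rst(token_type, ws_trust_version, ttl_seconds=None, now=None):
    """Return a SOAP 1.1 envelope whose Body carries an Issue RST, as a str."""
    if token_type not in TOKEN_TYPE_URI:
        raise ValueError(f"unsupported Token Type {token_type!r}")
    if ws_trust_version not in WS_TRUST_NS:
        raise ValueError(f"unsupported WS-Trust Version {ws_trust_version!r}")
    ttl = DEFAULT_TTL_SECONDS if ttl_seconds is None else int(ttl_seconds)
    if ttl <= 0:
        raise ValueError("TTL must be a positive number of seconds")
    now = now or dt.datetime.now(dt.timezone.utc)
    wst = WS_TRUST_NS[ws_trust_version]

    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("wst", wst)
    ET.register_namespace("wsu", WSU_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    rst = ET.SubElement(body, f"{{{wst}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{wst}}}TokenType").text = TOKEN_TYPE_URI[token_type]
    ET.SubElement(rst, f"{{{wst}}}RequestType").text = wst + "/Issue"
    # Lifetime is how the TTL setting reaches the STS: Created plus TTL seconds.
    lifetime = ET.SubElement(rst, f"{{{wst}}}Lifetime")
    ET.SubElement(lifetime, f"{{{WSU_NS}}}Created").text = now.strftime(_TS_FMT)
    expires = now + dt.timedelta(seconds=ttl)
    ET.SubElement(lifetime, f"{{{WSU_NS}}}Expires").text = expires.strftime(_TS_FMT)
    return ET.tostring(env, encoding="unicode")


def summarize_rst(xml_text):
    """Return (WS-Trust namespace, token type URI, requested lifetime in seconds)
    for an RST envelope, e.g. one captured with TcpMon."""
    root = ET.fromstring(xml_text)
    rst = root.find(f"{{{SOAP_NS}}}Body/*")
    if rst is None:
        raise ValueError("no RST element in SOAP Body")
    ns = rst.tag[1:].split("}")[0]  # tag is "{namespace}RequestSecurityToken"
    token_type = rst.findtext(f"{{{ns}}}TokenType")
    created = rst.findtext(f"{{{ns}}}Lifetime/{{{WSU_NS}}}Created")
    expires = rst.findtext(f"{{{ns}}}Lifetime/{{{WSU_NS}}}Expires")
    delta = (dt.datetime.strptime(expires, _TS_FMT)
             - dt.datetime.strptime(created, _TS_FMT))
    return ns, token_type, int(delta.total_seconds())


if __name__ == "__main__":
    message = build_rst("SAML_20", "VERSION_05_12")
    print(message)
    print(summarize_rst(message))
```

A request whose Lifetime is far longer than the 300-second default, or whose TokenType does not match what the relying service's policy expects, is the first thing to look for when the STS answers with a fault about the SAML token.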