Configuring Axis2 STS for Holder-of-Key Processing
1. Download Apache Axis2 1.5 and Rampart 1.5.
2. Run policy\sample05 per the instructions in Rampart (ant service.05).
3. Ensure that the service is deployed and reachable at the following URL: http://localhost:8080/axis2/services/STS?wsdl.
This Axis2 STS is now capable of issuing SAML 1.1 or 2.0 tokens.
4. If there are any problems, follow the instructions in policy\sample05 to get the sample working.
Example
Notice that the services.xml file contains the description and configuration for the Axis2 STS, as follows:
<service name="STS">
    <module ref="rampart" />
    <module ref="addressing" />
    <module ref="rahas" />
    <parameter name="saml-issuer-config">
        <saml-issuer-config>
            <issuerName>SAMPLE_STS</issuerName>
            <issuerKeyAlias>sts</issuerKeyAlias>
            <issuerKeyPassword>apache</issuerKeyPassword>
            <cryptoProperties>
                <crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
                    <property name="org.apache.ws.security.crypto.merlin.file">sts.jks</property>
                    <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
                </crypto>
            </cryptoProperties>
            <timeToLive>300000</timeToLive>
        </saml-issuer-config>
    </parameter>
    ...
Note that in the services.xml file the following modules are engaged:
* rampart, for security handling.
* addressing, for WS-Addressing header processing.
* rahas, for WS-Trust request/response processing.
The saml-issuer-config parameter specifies the configuration information for the STS, such as:
* issuerName: The name of this STS; it is used in the IssuerName element of the SAML assertion.
* timeToLive: The period (in milliseconds) for which an issued SAML token is valid.
* issuerKeyAlias: The alias of the private key in the specified keystore that is used to sign the assertion.
* issuerKeyPassword: The password that protects the private key in the keystore.
In addition, the services.xml file specifies the security requirements for accessing the STS through a WS-Security Policy, as shown below. The policy requires the client to sign the request body with an X.509 token. Also note that the RampartConfig element specifies the keystore configuration used by the STS.
...
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    ...
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body/>
</sp:SignedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:user>sts</ramp:user>
    <ramp:encryptionUser>client</ramp:encryptionUser>
    <ramp:passwordCallbackClass>com.softwareag.mediator.sts.PWCBHandler</ramp:passwordCallbackClass>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">sts.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
    </ramp:crypto>
    ...
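The following script is an added example, not part of this documentation or of Rampart: it parses a services.xml of the shape described above and reports where it deviates from the setup the procedure expects (the three modules engaged, a policy that requires the Body to be signed, and a timeToLive within a chosen bound). The embedded services.xml is a constructed sample modelled on the excerpts above, and the bound of 300000 ms is an assumed default.

```python
import xml.etree.ElementTree as ET
SP = "{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}"
MERLIN_FILE = "org.apache.ws.security.crypto.merlin.file"

# Constructed sample modelled on the services.xml excerpts above, not the real file.
SAMPLE_SERVICES_XML = """<service name="STS">
  <module ref="rampart"/><module ref="addressing"/><module ref="rahas"/>
  <parameter name="saml-issuer-config">
    <saml-issuer-config>
      <issuerName>SAMPLE_STS</issuerName>
      <issuerKeyAlias>sts</issuerKeyAlias>
      <issuerKeyPassword>apache</issuerKeyPassword>
      <cryptoProperties>
        <crypto provider="org.apache.ws.security.components.crypto.Merlin">
          <property name="org.apache.ws.security.crypto.merlin.file">sts.jks</property>
        </crypto>
      </cryptoProperties>
      <timeToLive>300000</timeToLive>
    </saml-issuer-config>
  </parameter>
  <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
              xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:SignedParts><sp:Body/></sp:SignedParts>
  </wsp:Policy>
</service>"""

def parse_sts_config(xml_text):
    # Pull out the issuer settings and the policy facts the procedure above relies on.
    root = ET.fromstring(xml_text)
    cfg = root.find("parameter[@name='saml-issuer-config']/saml-issuer-config")
    props = {p.get("name"): (p.text or "").strip() for p in cfg.iter("property")}
    return {
        "modules": {m.get("ref") for m in root.findall("module")},
        "issuerName": cfg.findtext("issuerName"),
        "issuerKeyAlias": cfg.findtext("issuerKeyAlias"),
        "timeToLive": int(cfg.findtext("timeToLive")),
        "keystoreFile": props.get(MERLIN_FILE),
        "bodySigned": root.find(f".//{SP}SignedParts/{SP}Body") is not None,
    }

def check_sts_config(cfg, max_ttl_ms=300000):
    # Return findings where the config deviates from the setup described above.
    findings = [f"module '{m}' is not engaged"
                for m in ("rampart", "addressing", "rahas") if m not in cfg["modules"]]
    if not cfg["bodySigned"]:
        findings.append("policy does not require a signed Body; token requests would be unauthenticated")
    if cfg["timeToLive"] > max_ttl_ms:
        findings.append(f"timeToLive {cfg['timeToLive']} ms exceeds {max_ttl_ms} ms")
    return findings
```

Run it against the deployed STS's services.xml by reading the file instead of SAMPLE_SERVICES_XML; an empty findings list means the file matches the configuration described above.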
Copyright © 2015- 2016 Software AG, Darmstadt, Germany.