Configuring Axis2 STS for Holder-of-Key Processing
1. Download Apache Axis2 1.5 and Rampart 1.5.
2. Run policy\sample05 according to the instructions in Rampart (ant service.05).
3. Ensure that the service is deployed and accessible at the following URL: http://localhost:8080/axis2/services/STS?wsdl.
This Axis2 STS is now capable of issuing SAML 1.1 or 2.0 tokens.
4. If there are any problems, follow the instructions in policy\sample05 to get the sample working.
Example
The services.xml file contains the description and configuration for the Axis2 STS, as follows:
<service name="STS">
    <module ref="rampart" />
    <module ref="addressing" />
    <module ref="rahas" />
    <parameter name="saml-issuer-config">
        <saml-issuer-config>
            <issuerName>SAMPLE_STS</issuerName>
            <issuerKeyAlias>sts</issuerKeyAlias>
            <issuerKeyPassword>apache</issuerKeyPassword>
            <cryptoProperties>
                <crypto provider="org.apache.ws.security.components.crypto.Merlin">
                    <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
                    <property name="org.apache.ws.security.crypto.merlin.file">sts.jks</property>
                    <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
                </crypto>
            </cryptoProperties>
            <timeToLive>300000</timeToLive>
        </saml-issuer-config>
    </parameter>
In the services.xml file, the following modules are referenced (engaged) for the service:
rampart, for security handling.
addressing, for WS-Addressing header processing.
rahas, for WS-Trust request/response processing.
The saml-issuer-config parameter specifies the configuration information for the STS, such as:
issuerName: The STS name used in the IssuerName element in the SAML Assertion.
timeToLive: The validity period of the issued SAML token, in milliseconds.
issuerKeyAlias: The alias of the private key used to sign the assertion.
issuerKeyPassword: The password that unlocks that private key in the keystore.
Both this password and the keystore password are stored in clear text in services.xml, so restrict read access to the file.
In addition, the services.xml file specifies the security requirements for accessing the STS through a WS-SecurityPolicy. The policy requires the client to sign the request body with an X.509 token. The RampartConfig element specifies the keystore used by the STS. For example:
.
.
.
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <!-- Wss10 options omitted -->
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body/>
</sp:SignedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:user>sts</ramp:user>
    <ramp:encryptionUser>client</ramp:encryptionUser>
    <ramp:passwordCallbackClass>com.softwareag.mediator.sts.PWCBHandler</ramp:passwordCallbackClass>
    <!-- Rampart reads the crypto element through signatureCrypto, as in the Rampart sample -->
    <ramp:signatureCrypto>
        <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">sts.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
        </ramp:crypto>
    </ramp:signatureCrypto>
</ramp:RampartConfig>
.
.
.
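As an added check that is not part of this documentation or of Rampart, the following Python script reads a services.xml of the shape shown above and flags the settings a reviewer looks at first: the engaged modules, whether saml-issuer-config and RampartConfig point at the same keystore, whether the Rampart sample password apache is still in use, and the token lifetime. The embedded services.xml is a constructed, reduced copy, and max_ttl_ms is an assumed threshold.

```python
import xml.etree.ElementTree as ET

RAMP_NS = "{http://ws.apache.org/rampart/policy}"
MERLIN_FILE = "org.apache.ws.security.crypto.merlin.file"
MERLIN_PASS = "org.apache.ws.security.crypto.merlin.keystore.password"

# Constructed services.xml, reduced to the elements the checks read.
SERVICES_XML = """<service name="STS">
  <module ref="rampart"/><module ref="addressing"/><module ref="rahas"/>
  <parameter name="saml-issuer-config">
    <saml-issuer-config>
      <issuerKeyPassword>apache</issuerKeyPassword>
      <cryptoProperties>
        <crypto provider="org.apache.ws.security.components.crypto.Merlin">
          <property name="org.apache.ws.security.crypto.merlin.file">sts.jks</property>
          <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
        </crypto>
      </cryptoProperties>
      <timeToLive>300000</timeToLive>
    </saml-issuer-config>
  </parameter>
  <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:signatureCrypto>
      <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">sts.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
      </ramp:crypto>
    </ramp:signatureCrypto>
  </ramp:RampartConfig>
</service>"""
def merlin_props(crypto_el, ns=""):
    # Merlin property name -> value under a <crypto> element; ns is "" or a Clark-notation prefix
    return {} if crypto_el is None else {p.get("name"): (p.text or "").strip() for p in crypto_el.iter(ns + "property")}

def check_sts_config(xml_text, max_ttl_ms=300000):
    # Return a list of findings for the STS configuration; an empty list means every check passed.
    root = ET.fromstring(xml_text)
    cfg = root.find(".//saml-issuer-config")
    issuer = merlin_props(cfg.find(".//crypto"))
    rampart = merlin_props(root.find(f".//{RAMP_NS}crypto"), RAMP_NS)
    key_pw, ttl = (cfg.findtext("issuerKeyPassword") or "").strip(), int(cfg.findtext("timeToLive") or 0)
    engaged = {m.get("ref") for m in root.iter("module")}
    findings = [f"module '{m}' is not engaged" for m in ("rampart", "addressing", "rahas") if m not in engaged]
    if issuer.get(MERLIN_FILE) != rampart.get(MERLIN_FILE):   # token signing and policy must use one keystore
        findings.append("issuer keystore and RampartConfig keystore differ")
    if "apache" in (key_pw, issuer.get(MERLIN_PASS), rampart.get(MERLIN_PASS)):
        findings.append("Rampart sample password 'apache' still in use")
    if not 0 < ttl <= max_ttl_ms:                              # keep issued assertions short-lived
        findings.append(f"timeToLive {ttl} ms is outside (0, {max_ttl_ms}]")
    return findings
```

Run it against the real services.xml by passing the file contents to check_sts_config; the sample configuration above produces exactly one finding, the unchanged sample password.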