Posted to rampart-dev@ws.apache.org by Marc Novakouski <no...@sei.cmu.edu> on 2010/05/07 22:11:34 UTC

Rampart Policy Sample Details

Hello,
I was wondering if someone can clear up some simple questions with respect to the policy examples provided with the latest version of Rampart.  Unfortunately I'm relatively new to the WS-* world, so I'm not entirely clear on some of the details of the WS-* standards; any clarification that anyone can provide would be much appreciated.  As for why I am asking these questions, I am attempting to benchmark various WS-* standards to write an academic paper on the tradeoffs associated with them.

Question 1:  Sample04 is an implementation of WS-SecureConversation.  Which type of WS-SecConv is it?  Looking at the bootstrap request xml documents on the sample page seems to imply that it is type 3 (from here: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/ws-secureconversation-1.3-os.html), in which a challenge/response system is used.  This is opposed to Type 1, where a security token service is used, and type 2, where a trusted client propagates the SCT.  If someone can confirm this I would very much appreciate it.

Question 1a: In an attempt to answer question 1 myself, I ran a simple test of running client.04 on a server we'll call server "a" and server.04 on another server, server "b".  I set up the communication ports and policies so that the test itself works fine.  I attempted to capture the communication between the two applications by setting up a listening point using TCPmon on server "a", having client.04 set the port listened to by TCPmon as its target, and having TCPmon forward the messages to the waiting port on server "b".  All this worked, except for the fact that TCPmon did not capture any of the bootstrapping messages for whatever reason.  The content recorded by TCPmon only contained the normal messages in the communication (the test had 10 messages sent and responded to as a baseline), and did not have any of the bootstrapping messages I expected.  I.e., doing a search of the recorded messages resulted in 0 occurrences of <wst:RequestSecurityToken> or <wst:RequestSecurityTokenResponse>, either or both of which I would have expected to see in a non security token service implementation.  Does anyone have any ideas why this would be?  If someone answers question 1 straight up I don't need to rerun the test; however, I would like to know what the deal is with WS-SecureConversation bootstrapping.  Any insight into this would be much appreciated.  I'm attaching the TCPmon log for all 3 tests I ran for reference.

Question 2: It is my understanding that SAML tokens are different from the SCT token which would be issued by a security token service for that implementation of WS-SecureConversation.  Therefore, my assumption is that there is no sample which is provided by Rampart which tests the other 2 methods of bootstrapping WS-SecureConversation.  If anyone can verify or disprove this, I would very much appreciate it.

Question 3: What is the difference between policy samples Sample05 and Sample06?  Both issue SAML tokens through a Security Token Service.  The only difference mentioned is that Sample06 uses "WS Metadata Exchange".  What does that mean, and is it the sum total of the difference?

Again, any help anyone can provide would be very much appreciated.

Thanks,
Marc Novakouski

_______________________________________________________________________________
Marc Novakouski
Software Engineering Institute
Member of the Technical Staff - SoS Engineering (SoSE) Team
Research, Technology and Systems Solutions (RTSS) Program
System of Systems Practice (SoSP) Initiative
Phone: (412) 268-4274
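The search described in question 1a (looking through a TCPmon capture for wst:RequestSecurityToken and wst:RequestSecurityTokenResponse to tell bootstrap traffic apart from the secured conversation) is easy to automate. The script below is an added example written for this page; it is not part of the original post and not Rampart code. It strips the HTTP header block TCPmon records in front of each SOAP envelope, then classifies each envelope as an RST, an RSTR, or an application message that only references an already-established SecurityContextToken. The three sample captures are constructed for the example; the namespace URIs are the WS-Trust/WS-SecureConversation 2005/02 namespaces used by the Rampart samples and the OASIS WS-SX 200512 namespaces, so either version is matched.

```python
"""Classify captured SOAP messages by WS-Trust / WS-SecureConversation content.

Added example (not part of the original mailing-list post or of Rampart).
Given text captured by a TCP-level proxy such as TCPmon, it drops the HTTP
headers, parses the SOAP envelope, and reports whether each message is a
WS-Trust bootstrap request (RequestSecurityToken), a bootstrap response
(RequestSecurityTokenResponse[Collection]), or an application message that
only references an already-issued SecurityContextToken.
"""
import xml.etree.ElementTree as ET

# Namespace versions seen in practice: the 2005/02 drafts used by the Rampart
# samples, and the OASIS WS-SX 1.3 namespaces (ws-trust / ws-sc 200512).
TRUST_NS = (
    "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
)
SC_NS = (
    "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512",
)


def _qualified_names(root):
    """Yield (namespace, local name) for every element in the parsed tree."""
    for node in root.iter():
        ns, sep, local = node.tag[1:].partition("}") if node.tag.startswith("{") else ("", "", node.tag)
        yield (ns if sep else ""), local


def soap_body_of(capture):
    """Strip a TCPmon-style HTTP header block (request or response) from a capture.

    Assumes one HTTP message per capture: headers, blank line, SOAP envelope.
    Text without a recognisable header block is returned unchanged.
    """
    head, sep, body = capture.partition("\r\n\r\n")
    if not sep:
        head, sep, body = capture.partition("\n\n")
    if sep and head.lstrip().startswith(("POST ", "HTTP/")):
        return body.strip()
    return capture.strip()


def classify(capture):
    """Return 'rst', 'rstr', 'conversation', 'other' or 'unparseable'."""
    try:
        root = ET.fromstring(soap_body_of(capture))
    except ET.ParseError:
        return "unparseable"
    names = set(_qualified_names(root))
    if any((ns, "RequestSecurityToken") in names for ns in TRUST_NS):
        return "rst"
    rstr_locals = ("RequestSecurityTokenResponse", "RequestSecurityTokenResponseCollection")
    if any((ns, local) in names for ns in TRUST_NS for local in rstr_locals):
        return "rstr"
    if any((ns, "SecurityContextToken") in names for ns in SC_NS):
        return "conversation"
    return "other"


def summarize(captures):
    """Count each kind of message; zero 'rst'/'rstr' means no bootstrap was captured."""
    counts = {"rst": 0, "rstr": 0, "conversation": 0, "other": 0, "unparseable": 0}
    for capture in captures:
        counts[classify(capture)] += 1
    return counts


# Constructed sample captures (not real Rampart traffic): a bootstrap RST, the
# RSTR carrying the issued SCT, and an application message that references it.
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WST = TRUST_NS[0]
WSC = SC_NS[0]
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

CAPTURE_RST = (
    "POST /axis2/services/sample04 HTTP/1.1\r\nContent-Type: application/soap+xml\r\n\r\n"
    f'<s:Envelope xmlns:s="{SOAP}"><s:Body><wst:RequestSecurityToken xmlns:wst="{WST}">'
    f"<wst:RequestType>{WST}/Issue</wst:RequestType><wst:TokenType>{WSC}/sct</wst:TokenType>"
    "</wst:RequestSecurityToken></s:Body></s:Envelope>"
)
CAPTURE_RSTR = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/soap+xml\r\n\r\n"
    f'<s:Envelope xmlns:s="{SOAP}"><s:Body><wst:RequestSecurityTokenResponse xmlns:wst="{WST}">'
    f'<wst:RequestedSecurityToken><wsc:SecurityContextToken xmlns:wsc="{WSC}">'
    "<wsc:Identifier>urn:uuid:constructed-sct-1</wsc:Identifier></wsc:SecurityContextToken>"
    "</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></s:Body></s:Envelope>"
)
CAPTURE_APP = (
    "POST /axis2/services/sample04 HTTP/1.1\r\nContent-Type: application/soap+xml\r\n\r\n"
    f'<s:Envelope xmlns:s="{SOAP}"><s:Header><wsse:Security xmlns:wsse="{WSSE}">'
    f'<wsc:SecurityContextToken xmlns:wsc="{WSC}"><wsc:Identifier>urn:uuid:constructed-sct-1'
    "</wsc:Identifier></wsc:SecurityContextToken></wsse:Security></s:Header>"
    "<s:Body><echo>hello</echo></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    print(summarize([CAPTURE_RST, CAPTURE_RSTR, CAPTURE_APP, CAPTURE_APP]))
```

Run it over the messages split out of a TCPmon log (one HTTP message per entry); a summary with zero 'rst' and zero 'rstr' but several 'conversation' entries is exactly the situation described in question 1a, where the bootstrap exchange did not pass through the proxied port.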