Posted to users@cxf.apache.org by chris snow <ch...@gmail.com> on 2013/05/03 21:25:43 UTC

Fediz STS - how does it know where to find the public certs for verifying the UsernameToken in the IDP request?

In the STS stsstore.jks, the myidpkey is imported:

keytool -import -trustcacerts -keystore stsstore.jks -storepass stsspass
-alias myidpkey -file MyIDP.cer -noprompt

How does the code know how to use this keystore and certificate for
verifying the UsernameToken in the requests?

The following code appears to point to the keystore and the private key,
but I can't see in the code how the STS is configured to find the public
keys like the myidpkey:

<bean id="transportSTSProperties"
class="org.apache.cxf.sts.StaticSTSProperties">
<property name="signaturePropertiesFile" value="stsKeystore.properties" />
<property name="signatureUsername" value="mystskey" />
<property name="callbackHandlerClass"
value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
<property name="encryptionPropertiesFile" value="stsKeystore.properties" />
<property name="issuer" value="DoubleItSTSIssuer" />
<property name="encryptionUsername" value="myservicekey" />
</bean>

Many thanks,

Chris

Re: Fediz STS - how does it know where to find the public certs for verifying the UsernameToken in the IDP request?

Posted by snowch <ch...@gmail.com>.
I'm not sure if my question is clear.  Maybe I should reword it to this...

If I want to put the public keys that I trust in a separate truststore to
stsstore.jks, where would I configure STS to look for this new truststore?

Many thanks,

Chris



--
View this message in context: http://cxf.547215.n5.nabble.com/Fediz-STS-how-does-it-know-where-to-find-the-public-certs-for-verifying-the-UsernameToken-in-the-IDP-tp5727184p5727259.html
Sent from the cxf-user mailing list archive at Nabble.com.

RE: Fediz STS - how does it know where to find the public certs for verifying the UsernameToken in the IDP request?

Posted by Oliver Wulff <ow...@talend.com>.
There are two requests to the STS. The first request is sent only once with username/password of the browser user (TransportBinding policy with UsernameToken as SupportingToken). The second request is on-behalf-of the browser user where there is no WS-Security header sent but you must provide a valid token. I think we should fix that.

The easiest solution would be to configure the IDP cert/private key (must be generated, not part of distribution) and configure the public key in the truststore of the tomcat connector. The policy engine (update transport binding to requireClientCert) will validate whether a trusted certificate was used on HTTPS.

Thanks
Oli

________________________________________
From: Glen Mazza [glen.mazza@gmail.com]
Sent: 07 May 2013 12:31
To: users@cxf.apache.org
Subject: Re: Fediz STS - how does it know where to find the public certs for verifying the UsernameToken in the IDP request?

Would this answer your question:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co

Glen

On 05/07/2013 06:22 AM, snowch wrote:
> Hi Glen,
>
> Thanks for the response.
>
> How does the CXF STS know where to look for the truststore?
>
> Looking through the following configuration
> (/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-transport.xml), it seems that
> only the outgoing encryption/signing is being configured:
>
>       <bean id="transportSTSProperties"
> class="org.apache.cxf.sts.StaticSTSProperties">
>               <property name="signaturePropertiesFile" value="stsKeystore.properties" />
>               <property name="signatureUsername" value="mystskey" />
>               <property name="callbackHandlerClass"
> value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
>               <property name="encryptionPropertiesFile" value="stsKeystore.properties"
> />
>               <property name="issuer" value="DoubleItSTSIssuer" />
>               <property name="encryptionUsername" value="myservicekey" />
>       </bean>
>
> Unless some of the above setters are configuring the incoming
> decryption/signature verification?
>
> Many thanks,
>
> Chris
>
>
>

Re: Fediz STS - how does it know where to find the public certs for verifying the UsernameToken in the IDP request?

Posted by Glen Mazza <gl...@gmail.com>.
Would this answer your question:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co

Glen

On 05/07/2013 06:22 AM, snowch wrote:
> Hi Glen,
>
> Thanks for the response.
>
> How does the CXF STS know where to look for the truststore?
>
> Looking through the following configuration
> (/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-transport.xml), it seems that
> only the outgoing encryption/signing is being configured:
>
> 	<bean id="transportSTSProperties"
> class="org.apache.cxf.sts.StaticSTSProperties">
> 		<property name="signaturePropertiesFile" value="stsKeystore.properties" />
> 		<property name="signatureUsername" value="mystskey" />
> 		<property name="callbackHandlerClass"
> value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
> 		<property name="encryptionPropertiesFile" value="stsKeystore.properties"
> />
> 		<property name="issuer" value="DoubleItSTSIssuer" />
> 		<property name="encryptionUsername" value="myservicekey" />
> 	</bean>
>
> Unless some of the above setters are configuring the incoming
> decryption/signature verification?
>
> Many thanks,
>
> Chris
>
>
>


Re: Fediz STS - how does it know where to find the public certs for verifying the UsernameToken in the IDP request?

Posted by snowch <ch...@gmail.com>.
Hi Glen,

Thanks for the response.

How does the CXF STS know where to look for the truststore?

Looking through the following configuration
(/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-transport.xml), it seems that
only the outgoing encryption/signing is being configured:

	<bean id="transportSTSProperties"
class="org.apache.cxf.sts.StaticSTSProperties">
		<property name="signaturePropertiesFile" value="stsKeystore.properties" />
		<property name="signatureUsername" value="mystskey" />
		<property name="callbackHandlerClass"
value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
		<property name="encryptionPropertiesFile" value="stsKeystore.properties"
/>
		<property name="issuer" value="DoubleItSTSIssuer" />
		<property name="encryptionUsername" value="myservicekey" />
	</bean>

Unless some of the above setters are configuring the incoming
decryption/signature verification?

Many thanks,

Chris



--
View this message in context: http://cxf.547215.n5.nabble.com/Fediz-STS-how-does-it-know-where-to-find-the-public-certs-for-verifying-the-UsernameToken-in-the-IDP-tp5727184p5727336.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Fediz STS - how does it know where to find the public certs for verifying the UsernameToken in the IDP request?

Posted by Glen Mazza <gl...@gmail.com>.
On 05/03/2013 03:25 PM, chris snow wrote:
> In the STS stsstore.jks, the myidpkey is imported:
>
> keytool -import -trustcacerts -keystore stsstore.jks -storepass stsspass
> -alias myidpkey -file MyIDP.cer -noprompt
>
> How does the code know how to use this keystore and certificate for
> verifying the UsernameToken in the requests?

Usually the SubjectKeyIdentifier or Certificate fingerprints of the 
incoming SOAP message are matched with what's in the truststore, see the 
certificate at Step #3 here: 
http://www.jroller.com/gmazza/entry/creating_certificates_with_openssl .

HTH,
Glen

>
> The following code appears to point to the keystore and the private key,
> but I can't see in the code how the STS is configured to find the public
> keys like the myidpkey:
>
> <bean id="transportSTSProperties"
> class="org.apache.cxf.sts.StaticSTSProperties">
> <property name="signaturePropertiesFile" value="stsKeystore.properties" />
> <property name="signatureUsername" value="mystskey" />
> <property name="callbackHandlerClass"
> value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
> <property name="encryptionPropertiesFile" value="stsKeystore.properties" />
> <property name="issuer" value="DoubleItSTSIssuer" />
> <property name="encryptionUsername" value="myservicekey" />
> </bean>
>
> Many thanks,
>
> Chris
>
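The lookup Glen describes above (the SubjectKeyIdentifier or certificate fingerprint referenced by the incoming message is matched against the truststore, and the certificate found there is then validated), written out as an added Go example. This is not code from the thread, from CXF or from Fediz; Go's standard library is used only because it can generate certificates without external files, so the example runs offline. A constructed self-signed certificate stands in for MyIDP.cer, and a plain slice plays the role of the separate truststore Chris asks about: it holds trusted public certificates only, with the STS private key kept elsewhere.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustStore holds trusted public certificates only, kept apart from the store
// that holds the STS private key (the separate-truststore split asked about above).
type TrustStore []*x509.Certificate

// Thumbprint is the SHA-1 of the DER certificate, the value a WS-Security
// ThumbprintSHA1 key identifier carries.
func Thumbprint(c *x509.Certificate) []byte {
	h := sha1.Sum(c.Raw)
	return h[:]
}

// FindBySKI resolves a SubjectKeyIdentifier reference against the truststore only,
// never against a certificate that merely travels inside the message.
func (ts TrustStore) FindBySKI(ski []byte) (*x509.Certificate, error) {
	for _, c := range ts {
		if len(ski) > 0 && bytes.Equal(c.SubjectKeyId, ski) {
			return c, nil
		}
	}
	return nil, fmt.Errorf("no trusted certificate with SubjectKeyIdentifier %x", ski)
}

// FindByThumbprint resolves a SHA-1 thumbprint reference the same way.
func (ts TrustStore) FindByThumbprint(tp []byte) (*x509.Certificate, error) {
	for _, c := range ts {
		if bytes.Equal(Thumbprint(c), tp) {
			return c, nil
		}
	}
	return nil, fmt.Errorf("no trusted certificate with thumbprint %x", tp)
}

// Verify checks that cert chains to a truststore entry. A match on SKI or
// thumbprint alone is not enough; the certificate must also be valid now.
func (ts TrustStore) Verify(cert *x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range ts {
		pool.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// selfSignedCert builds a throwaway self-signed certificate carrying a
// SubjectKeyIdentifier; it is constructed here to stand in for MyIDP.cer.
func selfSignedCert(cn string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for a P-256 key
	ski := sha1.Sum(spki)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		SubjectKeyId: ski[:], KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Demo resolves the trusted IdP certificate by SKI and by thumbprint, then shows
// that an impostor with the same subject name but a different key is rejected.
// It returns (skiMatched, thumbprintMatched, impostorRejected).
func Demo() (bool, bool, bool) {
	idp := selfSignedCert("MyIDP", 1)
	impostor := selfSignedCert("MyIDP", 2) // same CN, different key: must not match
	ts := TrustStore{idp}
	bySKI, errSKI := ts.FindBySKI(idp.SubjectKeyId)
	byTP, errTP := ts.FindByThumbprint(Thumbprint(idp))
	skiOK := errSKI == nil && bySKI.Equal(idp) && ts.Verify(bySKI) == nil
	tpOK := errTP == nil && byTP.Equal(idp) && ts.Verify(byTP) == nil
	_, errImp := ts.FindBySKI(impostor.SubjectKeyId)
	rejected := errImp != nil && ts.Verify(impostor) != nil
	return skiOK, tpOK, rejected
}

func main() {
	ski, tp, rejected := Demo()
	fmt.Println("SKI lookup:", ski, "thumbprint lookup:", tp, "impostor rejected:", rejected)
}
```

The point of the impostor case is that subject names carry no trust: only the key identifier and a chain to a truststore entry do. The same certificate pool is also what the transport-level variant Oliver suggests relies on; in Go the analogue of a Tomcat connector with its own truststore and client certificates required is a `tls.Config` with `ClientAuth: tls.RequireAndVerifyClientCert` and that pool as `ClientCAs`.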