Romanticizing the OpenSSO WSSAuth Authentication Module
By docteger on May 01, 2009
The WS-Security specification defines the Username Token Profile for carrying basic authentication information. The profile describes how the UsernameToken element can be used to communicate a user identifier and password between a web service provider (WSP) and a web service client (WSC). The OpenSSO WSSAuth authentication module validates the credentials presented by the WSC using the UsernameToken profile. The UsernameToken profile contains an element for presenting a hash of the user's password, the PasswordDigest element. Using this element adds security because the password is not sent in clear text. The following steps show how to configure authentication using the Username Token profile with a one-way hashed password.
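As an added illustration (not code from OpenSSO or this post), the following shows the PasswordDigest computation the profile defines, Base64(SHA-1(nonce + created + password)), on both sides of the exchange: the WSC builds the token fields and the WSP recomputes the digest from the shared secret, rejecting stale timestamps and reused nonces. The field names, the 300-second freshness window and the secret value are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"   # wsu:Created timestamp layout used here

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), per the
    WS-Security UsernameToken Profile; nonce is the raw (decoded) bytes."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def build_username_token(username: str, password: str,
                         nonce: Optional[bytes] = None,
                         created: Optional[str] = None) -> dict:
    """WSC side: the fields of a UsernameToken carrying a digested password."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }

def verify_username_token(token: dict, shared_secret: str,
                          seen_nonces: set, max_age_s: int = 300) -> bool:
    """WSP side: recompute the digest from the shared secret (the value an
    authentication module looks up for the user) and reject stale or replayed tokens."""
    created = datetime.strptime(token["Created"], TS_FMT).replace(tzinfo=timezone.utc)
    if abs(datetime.now(timezone.utc) - created) > timedelta(seconds=max_age_s):
        return False                      # outside the freshness window
    if token["Nonce"] in seen_nonces:
        return False                      # nonce already used: treat as a replay
    expected = password_digest(base64.b64decode(token["Nonce"]),
                               token["Created"], shared_secret)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False                      # wrong secret or tampered fields
    seen_nonces.add(token["Nonce"])       # remember the nonce for the window
    return True

if __name__ == "__main__":
    seen = set()
    tok = build_username_token("wsc", "constructed-shared-secret")
    print(tok)
    print(verify_username_token(tok, "constructed-shared-secret", seen))  # True
    print(verify_username_token(tok, "constructed-shared-secret", seen))  # False (replay)
```

Because the WSP must recompute the digest, it needs the same secret the WSC used; that is why the steps below copy the stored credential into the WSC agent's user-token credential.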
- Login into the OpenSSO console as administrator.
- Navigate to Access Control -> / (Top Level Realm) -> Agents -> Web Service Client -> wsc
- Select UserName Token as the value of Security Mechanism.
This uses the
- Enable User Authentication Required to generate a user token.
- Change the Name and Password values for the Credential for User Token.
This attribute contains the shared secrets used by the WSC to generate a user token. The password should be the same as the hashed password stored in the OpenSSO configuration data store. Use ldapsearch if the data store is Directory Server. NOTE: This step is for demonstration purposes only. In real deployments, the WSC and WSP would have a common agreement about their password storage policy.
- Navigate to Access Control -> / (Top Level Realm) -> Authentication.
- Create a new authentication chain named wssauthchain in the list of authentication chains. See Configuring an Authentication Process Using the OpenSSO Enterprise Console.
- Add WSSAuth as the required Authentication Mechanism and click Save.
- Navigate to Access Control -> / (Top Level Realm) -> Agents -> Web Service Provider -> wsp
- Select UserName Token as the value of Security Mechanism and wssauthchain as the authentication chain.
- Click Save.