Dynamic Key Stores Configuration and STS

With Metro security, service and user certificates and keys can be managed dynamically through callback handlers for the key store and trust store:


<sc:KeyStore xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
    callbackHandler="common.KeyStoreCallbackHandler" alias="wssip"/>
<sc:TrustStore xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
    callbackHandler="common.TrustStoreCallbackHandler"/>

Here KeyStoreCallbackHandler implements javax.security.auth.callback.CallbackHandler and handles
com.sun.xml.wss.impl.callback.KeyStoreCallback and com.sun.xml.wss.impl.callback.PrivateKeyCallback,
while TrustStoreCallbackHandler implements the same javax.security.auth.callback.CallbackHandler interface and handles only
com.sun.xml.wss.impl.callback.KeyStoreCallback.

See Kumar's blog for more details.

This dynamic mechanism can also be used with a Metro-based STS.
For an STS, the keys and certificates of the STS and of the trusted service providers are used not only to secure the messages, but also in the STS layer to protect the issued tokens:

1. The certificate and private key of the STS are used to sign the issued tokens.
2. The certificate of each registered service provider is used to encrypt the proof key and/or the issued token itself for that service provider.
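As an added example, not code from this post or from Metro, here is what the common.KeyStoreCallbackHandler referenced in the configuration above could look like for an STS: it loads the STS key store from a file, reloads it when the file changes on disk (so a rotated signing key is picked up without a restart), and answers KeyStoreCallback with the store and PrivateKeyCallback with the private key for the requested alias. The key store path and password come from system properties, the callback method names setKeystore, getAlias and setKey are taken from Metro's com.sun.xml.wss.impl.callback API, and the key password is assumed to equal the store password; all three are assumptions of this example.

```java
import com.sun.xml.wss.impl.callback.KeyStoreCallback;
import com.sun.xml.wss.impl.callback.PrivateKeyCallback;
import java.io.*;
import java.security.*;
import javax.security.auth.callback.*;

// Serves the STS key store to Metro and reloads it when the file changes on disk.
public class KeyStoreCallbackHandler implements CallbackHandler {
    // Assumed configuration source for this example: system properties.
    private final File storeFile = new File(System.getProperty("sts.keystore.path"));
    private final char[] storePass = System.getProperty("sts.keystore.password").toCharArray();
    private KeyStore cached;
    private long cachedMtime = -1;

    // Loads the key store on first use and again after a key rotation (mtime change).
    private synchronized KeyStore keyStore() throws IOException {
        long mtime = storeFile.lastModified();
        if (cached == null || mtime != cachedMtime) {
            try (InputStream in = new FileInputStream(storeFile)) {
                KeyStore ks = KeyStore.getInstance("JKS");
                ks.load(in, storePass);
                cached = ks;
                cachedMtime = mtime;
            } catch (GeneralSecurityException e) {
                throw new IOException("cannot load key store " + storeFile, e);
            }
        }
        return cached;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof KeyStoreCallback) {
                ((KeyStoreCallback) cb).setKeystore(keyStore());
            } else if (cb instanceof PrivateKeyCallback) {
                PrivateKeyCallback pk = (PrivateKeyCallback) cb;
                String alias = pk.getAlias();   // "wssip" from the sc:KeyStore element above
                try {
                    // Key password assumed equal to the store password for this example.
                    Key key = keyStore().getKey(alias, storePass);
                    if (!(key instanceof PrivateKey)) throw new IOException("no private key for alias " + alias);
                    pk.setKey((PrivateKey) key);
                } catch (GeneralSecurityException e) {
                    throw new IOException("cannot read key for alias " + alias, e);
                }
            } else {
                throw new UnsupportedCallbackException(cb);  // fail closed on anything unexpected
            }
        }
    }
}
```

A TrustStoreCallbackHandler for the registered service providers' certificates follows the same pattern but only needs the KeyStoreCallback branch.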

Originally an issue was found that prevented this from working on the STS side. It has since been fixed and should work fine.

Jiandong Guo