Dynamic Key Stores Configuration and STS
By Jiandong Guo on Feb 26, 2009
With Metro security, service and user certificates and keys can be managed dynamically through callback handlers for the key store and trust store:
Here KeyStoreCallbackHandler implements javax.security.auth.callback.CallbackHandler and handles
com.sun.xml.wss.impl.callback.KeyStoreCallback and com.sun.xml.wss.impl.callback.PrivateKeyCallback;
while TrustStoreCallbackHandler implements javax.security.auth.callback.CallbackHandler and handles
See Kumar's blog for more details.
This dynamic mechanism can also be used with a Metro-based STS.
For an STS, the keys and certificates of the STS and of the trusted service providers are used not only to secure the messages, but also in the STS layer to protect the issued tokens:
1. The certificate and private key of the STS need to be used to sign issued tokens.
2. The certificate of each registered service provider needs to be used to encrypt the proof key and/or the issued token itself for the targeted service provider.
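As an added example (not Metro's own code, nor from Kumar's blog), here is a KeyStoreCallbackHandler of the kind described above, used on the STS side to hand Metro the key store and the STS signing key. The key store path, alias and password environment variable are hypothetical, and the setter names setKeystore/setKey on the two Metro callbacks are assumed from the Metro API.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.sun.xml.wss.impl.callback.KeyStoreCallback;
import com.sun.xml.wss.impl.callback.PrivateKeyCallback;
// Added example; path, alias and env var are hypothetical; setKeystore/setKey are assumed Metro setter names.
public class KeyStoreCallbackHandler implements CallbackHandler {
    private static final String KEYSTORE_PATH = System.getProperty("sts.keystore.path", "/etc/sts/sts-keystore.jks");
    private static final String STS_KEY_ALIAS = System.getProperty("sts.key.alias", "sts");
    // Re-read the store on each call so a rotated STS signing key is picked up without a restart.
    private static KeyStore loadKeyStore(char[] password) throws IOException, GeneralSecurityException {
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);
            return ks;
        }
    }
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        // The password comes from the environment instead of being hard-coded in the handler or WSIT config.
        String pw = System.getenv("STS_KEYSTORE_PASSWORD");
        if (pw == null) throw new IOException("STS_KEYSTORE_PASSWORD is not set");
        char[] password = pw.toCharArray();
        try {
            KeyStore ks = loadKeyStore(password);
            for (Callback cb : callbacks) {
                if (cb instanceof KeyStoreCallback) {
                    ((KeyStoreCallback) cb).setKeystore(ks); // Metro looks up the STS certificate here
                } else if (cb instanceof PrivateKeyCallback) {
                    PrivateKey key = (PrivateKey) ks.getKey(STS_KEY_ALIAS, password); // signs issued tokens
                    if (key == null) throw new IOException("no private key under alias " + STS_KEY_ALIAS);
                    ((PrivateKeyCallback) cb).setKey(key);
                } else {
                    throw new UnsupportedCallbackException(cb, cb.getClass().getName()); // fail closed
                }
            }
        } catch (GeneralSecurityException e) {
            throw new IOException("STS key store access failed", e);
        } finally {
            Arrays.fill(password, '\0'); // scrub the password from memory
        }
    }
}
```

The handler is registered in the STS's security configuration in place of a static key store entry; the same pattern with a separate TrustStoreCallbackHandler supplies the registered service providers' certificates used in step 2.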
An issue originally prevented this from working on the STS side. It has since been fixed and should now work fine.