Reforwarding...had accidentally just sent to Gina directly:
-----------------------------------------------------------------------------
Hi Gina, just before reading this email I just checked in a change
adding the IDP STS public cert to the Tomcat-RP keystore, and with that
Tomcat RP fediz-config.xml no longer needs to point to its own
stsstore.jks but to the tomcat-rp.jks in the Tomcat base folder.
(Sorry, that was a mistake on my end when I updated the keys.) That
saves the need for one truststore. The link below has been updated with
that information.
Glad you sent the below because I forgot to update the fediz-config.xml
files in the examples folder--I just checked that in now.
Does this change answer/simplify your questions?
Glen
On 07/19/2012 11:05 AM, Gina Choi wrote:
Hi Glen,
I am looking at your update on keystores right now.
<<<<
Hi Gina, I updated Fediz trunk a few days ago with new specific
keystores (all provided in the download) for each portion of the
application and also fully spelled out the trust requirements between
the various components. I also provided scripts on how to make your
own keys should you wish to update yours:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>
I am looking at fediz_config.xml under
trunk\examples\wsclientWebapp\webapp\src\main\config and it has the
following content. Since you created webappKeystore.jks for
wsclientWebapp/webapp, shouldn't the following highlighted-in-yellow part
be updated to the information corresponding to webappKeystore.jks?
Like the keyStore file should reference the location of webappKeystore.jks
and the password should reference "waspass". And the idp-sts certificate
also needs to be imported into webappKeystore.jks. As we know idp-sts and
wsclientWebapp are running on different Tomcat instances, I don't
understand why stsstore.jks has to be copied over to the Tomcat
instance which is running wsclientWebapp.
<certificateStores>
    <trustManager>
        <keyStore file="conf/stsstore.jks"
                  password="stsspass" type="JKS" />
    </trustManager>
</certificateStores>
<trustedIssuers>
    <issuer subject=".*CN=www.sts.com.*"
            certificateValidation="ChainTrust"
            name="DoubleItSTSIssuer" />
</trustedIssuers>
Gina
--
Glen Mazza
Talend Community Coders
coders.talend.com
blog: www.jroller.com/gmazza
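A small configuration check for the trust settings discussed in this thread, added here as an example; it is not part of the thread and not Fediz project code. It parses a fediz_config.xml fragment constructed to mirror the snippet Gina quoted (the FedizConfig/contextConfig wrapper elements, the conf/tomcat-rp.jks path and the "tompass" password are assumptions for the example), lists which keystore the trustManager points at, reports that file as missing if it is not present under the Tomcat base folder, and shows which trustedIssuers entry accepts a given STS certificate subject DN. It goes one step beyond the thread by flagging unescaped dots in the issuer subject regex, since ".*CN=www.sts.com.*" also accepts look-alike subjects such as "CN=www-sts-com".

```python
"""Sanity-check the trust section of a Fediz RP fediz_config.xml.

Added example for this thread, not Fediz project code. It answers two
questions from the thread in a checkable way: which keystore the RP's
trustManager actually points at (and whether that file exists under the
Tomcat base folder), and which trustedIssuers entry would accept the
STS signing certificate's subject DN.
"""
import os
import re
import xml.etree.ElementTree as ET

# Constructed config fragment mirroring the snippet quoted in the thread.
# The FedizConfig/contextConfig wrapper, the tomcat-rp.jks path and the
# password are assumptions for this example, not values from the thread.
SAMPLE_CONFIG = """<FedizConfig>
  <contextConfig name="/wsclientWebapp">
    <certificateStores>
      <trustManager>
        <keyStore file="conf/tomcat-rp.jks" password="tompass" type="JKS" />
      </trustManager>
    </certificateStores>
    <trustedIssuers>
      <issuer subject=".*CN=www.sts.com.*"
              certificateValidation="ChainTrust"
              name="DoubleItSTSIssuer" />
    </trustedIssuers>
  </contextConfig>
</FedizConfig>
"""


def trust_keystores(config_xml):
    """Return [(file, password, type)] for every trustManager keyStore."""
    root = ET.fromstring(config_xml)
    stores = []
    for tm in root.iter("trustManager"):
        for ks in tm.iter("keyStore"):
            stores.append((ks.get("file"), ks.get("password"), ks.get("type", "JKS")))
    return stores


def trusted_issuers(config_xml):
    """Return [(name, subject_regex, certificateValidation)] for each issuer."""
    root = ET.fromstring(config_xml)
    return [
        (i.get("name"), i.get("subject"), i.get("certificateValidation"))
        for i in root.iter("issuer")
    ]


def issuers_accepting(config_xml, subject_dn):
    """Names of trusted issuers whose subject regex accepts subject_dn.

    The regex is applied to the whole DN string (Java String.matches
    semantics), hence re.fullmatch rather than re.search.
    """
    return [
        name
        for name, pattern, _ in trusted_issuers(config_xml)
        if pattern and re.fullmatch(pattern, subject_dn)
    ]


def missing_keystores(config_xml, tomcat_base):
    """Keystore files referenced by the config that are absent under tomcat_base.

    Relative paths such as conf/tomcat-rp.jks resolve against the Tomcat
    base folder, which is what the move to tomcat-rp.jks relies on.
    """
    return [
        path
        for path, _, _ in trust_keystores(config_xml)
        if not os.path.isfile(os.path.join(tomcat_base, path))
    ]


def loosely_matched_issuers(config_xml):
    """Issuers whose CN pattern contains an unescaped '.' (matches any char).

    '.*CN=www.sts.com.*' also accepts 'CN=www-sts-com'; a strict config
    would write the CN as 'www\\.sts\\.com'.
    """
    cn_re = re.compile(r"CN=([^,]*)")
    loose = []
    for name, pattern, _ in trusted_issuers(config_xml):
        m = cn_re.search(pattern or "")
        if not m:
            continue
        cn = m.group(1)
        if cn.endswith(".*"):
            cn = cn[:-2]  # drop the trailing wildcard, keep the CN value
        if re.search(r"(?<!\\)\.", cn):
            loose.append(name)
    return loose


if __name__ == "__main__":
    print("trust keystores:", trust_keystores(SAMPLE_CONFIG))
    print("missing under /opt/tomcat:", missing_keystores(SAMPLE_CONFIG, "/opt/tomcat"))
    print("accepts STS:", issuers_accepting(SAMPLE_CONFIG, "CN=www.sts.com, O=STS"))
    print("accepts look-alike:", issuers_accepting(SAMPLE_CONFIG, "CN=www-sts-com, O=X"))
    print("loose CN patterns:", loosely_matched_issuers(SAMPLE_CONFIG))
```

Run against a real fediz_config.xml by replacing SAMPLE_CONFIG with the file contents and passing the Tomcat base folder to missing_keystores; a non-empty result from loosely_matched_issuers is the cue to escape the dots in the issuer subject before relying on ChainTrust plus the subject filter.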