Andrei,

Yes, I have the IssuedToken policy on the WSP (not shown). The below policies 
are on my STS service. The question was in regards to connecting to the STS 
service to have a token issued (or renewed, or validated). I authenticate using 
the SignedEncryptedSupportingTokens UsernameToken. What I'm trying to figure 
out is how the key generated by the client for symmetric binding is exchanged 
with the STS service so that it can sign/verify and encrypt/decrypt messages with 
the client.


Colm,

Is there not some exchange of the generated key between the client and STS? If 
the client signs (and encrypts) the request, how does the STS have the generated 
key to verify the signature and decrypt? My original question suggested that it is 
exchanged by encrypting it with the STS public key, but I'm not sure how it is 
signed in this exchange. Perhaps the exchange of the generated key isn't signed?

I appreciate your time.

Josh

Josh Hill
Senior Java Developer


sovereign finance and banking software

A Level 1, Building C, Millennium Centre, 602 Great South Road, Greenlane, 
Auckland, New Zealand
D 64 9 571 6812     P 64 9 571 6800   F 64 9 571 6899
E [email protected]   W http://www.finzsoft.com

Please note: This email contains information that is confidential and may be 
privileged. If you are not the intended recipient, you must not peruse, use, 
disseminate, distribute or copy this email or attachments. If you have received 
this in error, please notify Finzsoft Solutions (New Zealand) Ltd immediately 
by return email and delete this email. Thank you.
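Editor's note, added to this archived thread and not part of the original messages or of the CXF/WSS4J code base: the exchange asked about above can be walked through with a small stand-alone program. It plays both sides of the request to the STS under the policy quoted below: the client generates the symmetric secret, wraps it under the STS certificate (the "stskey" entry that ws-security.encryption.username selects), derives one key for signing and one for encryption as RequireDerivedKeys calls for, then signs and encrypts the Body; the STS unwraps the secret with its private key, re-derives the same keys, decrypts and verifies. Assumptions made here: the Basic256 suite's algorithm mappings (AES-256, RSA-OAEP key wrap, HMAC-SHA1, P_SHA-1 derivation with 192-bit signature and 256-bit encryption derived keys), the default WS-SecureConversation derivation label, an RSA key pair generated in place of the real STS keystore, constructed nonces and a constructed Body, and an HMAC taken directly over the Body bytes instead of over a canonicalized SignedInfo. The class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.*;

// Added illustration of the SymmetricBinding key handling; not CXF or WSS4J code.
// Algorithms follow the Basic256 suite: AES-256, RSA-OAEP key wrap, HMAC-SHA1, P_SHA-1 derivation.
public class SymmetricBindingExchange {
    // Default DerivedKeyToken label from WS-SecureConversation (client label + service label).
    static final byte[] LABEL =
        "WS-SecureConversationWS-SecureConversation".getBytes(StandardCharsets.US_ASCII);
    static final SecureRandom RNG = new SecureRandom();

    // What the request carries: the wrapped secret, the per-use nonces, the IV, ciphertext and HMAC.
    static final class Request {
        byte[] encryptedKey, sigNonce, encNonce, iv, cipherBody, signature;
    }

    // P_SHA-1 as used by WS-SecureConversation: A(0)=seed, A(i)=HMAC(secret,A(i-1)),
    // output = HMAC(secret,A(1)+seed) | HMAC(secret,A(2)+seed) | ...; returns `length` bytes at `offset`.
    static byte[] pSha1(byte[] secret, byte[] seed, int offset, int length) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] out = new byte[offset + length];
        byte[] a = seed;
        for (int pos = 0; pos < out.length; ) {
            a = mac.doFinal(a);
            mac.update(a);
            byte[] block = mac.doFinal(seed);
            int n = Math.min(block.length, out.length - pos);
            System.arraycopy(block, 0, out, pos, n);
            pos += n;
        }
        return Arrays.copyOfRange(out, offset, offset + length);
    }

    static byte[] concat(byte[] x, byte[] y) {
        byte[] r = Arrays.copyOf(x, x.length + y.length);
        System.arraycopy(y, 0, r, x.length, y.length);
        return r;
    }

    // Client side: generate the secret, wrap it under the STS certificate, derive keys, sign and encrypt.
    static Request clientBuild(PublicKey stsPublicKey, byte[] body) throws Exception {
        Request req = new Request();
        byte[] secret = new byte[32];                 // 256-bit symmetric key, generated by the client
        RNG.nextBytes(secret);
        // The EncryptedKey element: the secret wrapped (RSA-OAEP) under the STS public key, i.e. the
        // certificate "ws-security.encryption.username" selects. The secret itself is only wrapped, not signed.
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, stsPublicKey);
        req.encryptedKey = rsa.doFinal(secret);
        // RequireDerivedKeys: one DerivedKeyToken per use, each with its own (constructed) nonce.
        // Basic256 derived key lengths: 192 bits for signature, 256 bits for encryption.
        req.sigNonce = new byte[16]; RNG.nextBytes(req.sigNonce);
        req.encNonce = new byte[16]; RNG.nextBytes(req.encNonce);
        byte[] sigKey = pSha1(secret, concat(LABEL, req.sigNonce), 0, 24);
        byte[] encKey = pSha1(secret, concat(LABEL, req.encNonce), 0, 32);
        // Signature over the Body with the signature-derived key. (Real XML-DSig HMACs the
        // canonicalized SignedInfo that carries the Body digest; the key usage is the same.)
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(sigKey, "HmacSHA1"));
        req.signature = mac.doFinal(body);
        // EncryptedData over the Body with the encryption-derived key.
        req.iv = new byte[16]; RNG.nextBytes(req.iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(req.iv));
        req.cipherBody = aes.doFinal(body);
        return req;
    }

    // STS side: unwrap the secret with the private key, re-derive both keys, decrypt, verify.
    // Returns the Body, or null when the HMAC does not verify.
    static byte[] stsVerifyAndDecrypt(PrivateKey stsPrivateKey, Request req) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        rsa.init(Cipher.DECRYPT_MODE, stsPrivateKey);
        byte[] secret = rsa.doFinal(req.encryptedKey);
        byte[] sigKey = pSha1(secret, concat(LABEL, req.sigNonce), 0, 24);
        byte[] encKey = pSha1(secret, concat(LABEL, req.encNonce), 0, 32);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(req.iv));
        byte[] body = aes.doFinal(req.cipherBody);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(sigKey, "HmacSHA1"));
        // Only a sender who held the wrapped secret can produce this HMAC; compare in constant time.
        return MessageDigest.isEqual(mac.doFinal(body), req.signature) ? body : null;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair stsKey = kpg.generateKeyPair();       // stands in for the "stskey" certificate and private key
        byte[] body = "<RequestSecurityToken>constructed sample</RequestSecurityToken>".getBytes(StandardCharsets.UTF_8);
        Request req = clientBuild(stsKey.getPublic(), body);
        System.out.println("STS verified and decrypted: " + Arrays.equals(body, stsVerifyAndDecrypt(stsKey.getPrivate(), req)));
        req.cipherBody[0] ^= 1;                       // tamper with the first ciphertext block
        System.out.println("Tampered request accepted: " + (stsVerifyAndDecrypt(stsKey.getPrivate(), req) != null));
    }
}
```

Running it prints true for the untouched request and false for the tampered one. The point it makes about the question: nothing in this flow needs a client signing certificate. The client proves it knows the secret by producing a valid HMAC under a key derived from it, and the only party able to unwrap that secret is the holder of the STS private key; the EncryptedKey itself travels wrapped, not signed, and the RequireThumbprintReference in the policy is what tells the STS which certificate the wrap was made under.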
-----Original Message-----

> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Saturday, 4 May 2013 12:36 a.m.
> To: [email protected]
> Subject: Re: SymmetricBinding key exchange and signing
>
> The Symmetric key that the client generates signs (and encrypts) the request
> (SOAP Body). There is no need for a signing certificate as you are using the
> Symmetric binding. Authentication is enforced via the UsernameToken
> SupportingToken.
>
> Colm.
>
>
> On Fri, May 3, 2013 at 4:25 AM, Josh Hill <[email protected]> wrote:
>
> > My understanding is that the client generates the symmetric key (as
> > defined by the sp:ProtectionToken i.e. a sp:X509Token) and encrypts it
> > using the STS's public key (configured on client using
> > "ws-security.encryption.properties\username"). When sending this
> > encrypted key to the STS what is it signed with? I haven't set the
> > "ws-security.signature.properties\username" on my client but the input
> > policy on the STS requires the sp:Body be signed.
> >
> >
> > ...
> >
> > <entry key="ws-security.sts.client">
> >   <bean class="org.apache.cxf.ws.security.trust.STSClient">
> >     <constructor-arg ref="cxf" />
> >     <property name="wsdlLocation" value="http://localhost:8080/STS?wsdl" />
> >     <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
> >     <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port" />
> >     <property name="properties">
> >       <map>
> >         <entry key="ws-security.username" value="bob" />
> >         <entry key="ws-security.callback-handler" value="ClientCallbackHandler" />
> >         <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
> >         <entry key="ws-security.encryption.username" value="stskey" />
> >       </map>
> >     </property>
> >   </bean>
> > </entry>
> >
> > ...
> >
> > <wsp:Policy wsu:Id="STS-UT-Policy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:SymmetricBinding>
> >         <wsp:Policy>
> >           <sp:ProtectionToken>
> >             <wsp:Policy>
> >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >                 <wsp:Policy>
> >                   <sp:RequireDerivedKeys/>
> >                   <sp:RequireThumbprintReference/>
> >                   <sp:WssX509V3Token10/>
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:ProtectionToken>
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:Basic256/>
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >           <sp:Layout>
> >             <wsp:Policy>
> >               <sp:Lax/>
> >             </wsp:Policy>
> >           </sp:Layout>
> >           <sp:IncludeTimestamp/>
> >           <sp:EncryptSignature/>
> >           <sp:OnlySignEntireHeadersAndBody/>
> >         </wsp:Policy>
> >       </sp:SymmetricBinding>
> >       <sp:SignedEncryptedSupportingTokens>
> >         <wsp:Policy>
> >           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >             <wsp:Policy>
> >               <sp:HashPassword/>
> >               <sp:WssUsernameToken10/>
> >             </wsp:Policy>
> >           </sp:UsernameToken>
> >         </wsp:Policy>
> >       </sp:SignedEncryptedSupportingTokens>
> >       <sp:Wss11>
> >         <wsp:Policy>
> >           <sp:MustSupportRefKeyIdentifier/>
> >           <sp:MustSupportRefIssuerSerial/>
> >           <sp:MustSupportRefThumbprint/>
> >           <sp:MustSupportRefEncryptedKey/>
> >         </wsp:Policy>
> >       </sp:Wss11>
> >       <sp:Trust13>
> >         <wsp:Policy>
> >           <sp:MustSupportIssuedTokens/>
> >           <sp:RequireClientEntropy/>
> >           <sp:RequireServerEntropy/>
> >         </wsp:Policy>
> >       </sp:Trust13>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > <wsp:Policy wsu:Id="STS-Input-Policy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:SignedParts>
> >         <sp:Body/>
> >       </sp:SignedParts>
> >       <sp:EncryptedParts>
> >         <sp:Body/>
> >       </sp:EncryptedParts>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > <wsp:Policy wsu:Id="STS-Output-Policy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:SignedParts>
> >         <sp:Body/>
> >       </sp:SignedParts>
> >       <sp:EncryptedParts>
> >         <sp:Body/>
> >       </sp:EncryptedParts>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> ______________________________________________________________________
> > This email has been scanned by the Symantec Email Security.cloud service.
> ______________________________________________________________________
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>