Hi,

> Yes I have the IssuedToken policy on the WSP (not shown). The below
> policies are on my STS service. The question was in regards to connecting to
> the STS service to have a token issued (or renewed, or validated). I
> authenticate using the SignedEncryptedSupportingTokens UsernameToken.
> What I'm trying to figure out is how the key generated by the client for
> symmetric binding is exchanged with the STS service so that it can sign/verify
> encrypt/decrypt messages with the client.

Ok, I get it now. I think Colm already answered your question.
Btw: is there a special reason to use the symmetric binding rather than the transport binding for
communication with the STS in your case?

Regards,
Andrei.

> -----Original Message-----
> From: Josh Hill [mailto:[email protected]]
> Sent: Sunday, 5 May 2013 21:56
> To: [email protected]; [email protected]
> Subject: RE: SymmetricBinding key exchange and signing
> 
> Andrei,
> 
> Yes I have the IssuedToken policy on the WSP (not shown). The below
> policies are on my STS service. The question was in regards to connecting to
> the STS service to have a token issued (or renewed, or validated). I
> authenticate using the SignedEncryptedSupportingTokens UsernameToken.
> What I'm trying to figure out is how the key generated by the client for
> symmetric binding is exchanged with the STS service so that it can sign/verify
> encrypt/decrypt messages with the client.
> 
> 
> Colm,
> 
> Is there not some exchange of the generated key between the client and
> STS? If the client signs (and encrypts) the request how does the STS have the
> generated key to verify signature and decrypt? My original question
> suggested that it is exchanged by encrypting it with the STS public key but
> not sure how it is signed in this exchange. Perhaps the exchange of the
> generated key isn't signed?
> 
> I appreciate your time.
> 
> Josh
> 
> >
> 
> Josh Hill
> Senior Java Developer
> 
> 
> sovereign finance and banking software
> 
> A Level 1, Building C, Millennium Centre, 602 Great South Road, Greenlane,
> Auckland, New Zealand
> D 64 9 571 6812     P 64 9 571 6800   F 64 9 571 6899
> E [email protected]   W http://www.finzsoft.com
> 
> Please note: This email contains information that is confidential and may be
> privileged. If you are not the intended recipient, you must not peruse, use,
> disseminate, distribute or copy this email or attachments. If you have
> received this in error, please notify Finzsoft Solutions (New Zealand) Ltd
> immediately by return email and delete this email. Thank you.
> -----Original Message-----
> 
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Saturday, 4 May 2013 12:36 a.m.
> > To: [email protected]
> > Subject: Re: SymmetricBinding key exchange and signing
> >
> > The Symmetric key that the client generates signs (and encrypts) the
> > request (SOAP Body). There is no need for a signing certificate as you
> > are using the Symmetric binding. Authentication is enforced via the
> > UsernameToken SupportingToken.
> >
> > Colm.
> >
> >
> > On Fri, May 3, 2013 at 4:25 AM, Josh Hill <[email protected]> wrote:
> >
> > > My understanding is that the client generates the symmetric key (as
> > > defined by the sp:ProtectionToken i.e. a sp:X509Token) and encrypts
> > > it using the STS's public key (configured on client using
> > > "ws-security.encryption.properties\username"). When sending this
> > > encrypted key to the STS what is it signed with? I haven't set the
> > > "ws-security.signature.properties\username" on my client but the
> > > input policy on the STS requires the sp:Body be signed.
> > >
> > > ...
> > >
> > > <entry key="ws-security.sts.client">
> > >     <bean class="org.apache.cxf.ws.security.trust.STSClient">
> > >         <constructor-arg ref="cxf" />
> > >         <property name="wsdlLocation" value="http://localhost:8080/STS?wsdl" />
> > >         <property name="serviceName"
> > >                   value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
> > >         <property name="endpointName"
> > >                   value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port" />
> > >         <property name="properties">
> > >             <map>
> > >                 <entry key="ws-security.username" value="bob" />
> > >                 <entry key="ws-security.callback-handler" value="ClientCallbackHandler" />
> > >                 <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
> > >                 <entry key="ws-security.encryption.username" value="stskey" />
> > >             </map>
> > >         </property>
> > >     </bean>
> > > </entry>
> > >
> > > ...
> > >
> > > <wsp:Policy wsu:Id="STS-UT-Policy">
> > >     <wsp:ExactlyOne>
> > >         <wsp:All>
> > >             <sp:SymmetricBinding>
> > >                 <wsp:Policy>
> > >                     <sp:ProtectionToken>
> > >                         <wsp:Policy>
> > >                             <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> > >                                 <wsp:Policy>
> > >                                     <sp:RequireDerivedKeys/>
> > >                                     <sp:RequireThumbprintReference/>
> > >                                     <sp:WssX509V3Token10/>
> > >                                 </wsp:Policy>
> > >                             </sp:X509Token>
> > >                         </wsp:Policy>
> > >                     </sp:ProtectionToken>
> > >                     <sp:AlgorithmSuite>
> > >                         <wsp:Policy>
> > >                             <sp:Basic256/>
> > >                         </wsp:Policy>
> > >                     </sp:AlgorithmSuite>
> > >                     <sp:Layout>
> > >                         <wsp:Policy>
> > >                             <sp:Lax/>
> > >                         </wsp:Policy>
> > >                     </sp:Layout>
> > >                     <sp:IncludeTimestamp/>
> > >                     <sp:EncryptSignature/>
> > >                     <sp:OnlySignEntireHeadersAndBody/>
> > >                 </wsp:Policy>
> > >             </sp:SymmetricBinding>
> > >             <sp:SignedEncryptedSupportingTokens>
> > >                 <wsp:Policy>
> > >                     <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > >                         <wsp:Policy>
> > >                             <sp:HashPassword/>
> > >                             <sp:WssUsernameToken10/>
> > >                         </wsp:Policy>
> > >                     </sp:UsernameToken>
> > >                 </wsp:Policy>
> > >             </sp:SignedEncryptedSupportingTokens>
> > >             <sp:Wss11>
> > >                 <wsp:Policy>
> > >                     <sp:MustSupportRefKeyIdentifier/>
> > >                     <sp:MustSupportRefIssuerSerial/>
> > >                     <sp:MustSupportRefThumbprint/>
> > >                     <sp:MustSupportRefEncryptedKey/>
> > >                 </wsp:Policy>
> > >             </sp:Wss11>
> > >             <sp:Trust13>
> > >                 <wsp:Policy>
> > >                     <sp:MustSupportIssuedTokens/>
> > >                     <sp:RequireClientEntropy/>
> > >                     <sp:RequireServerEntropy/>
> > >                 </wsp:Policy>
> > >             </sp:Trust13>
> > >         </wsp:All>
> > >     </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > <wsp:Policy wsu:Id="STS-Input-Policy">
> > >     <wsp:ExactlyOne>
> > >         <wsp:All>
> > >             <sp:SignedParts>
> > >                 <sp:Body/>
> > >             </sp:SignedParts>
> > >             <sp:EncryptedParts>
> > >                 <sp:Body/>
> > >             </sp:EncryptedParts>
> > >         </wsp:All>
> > >     </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > > <wsp:Policy wsu:Id="STS-Output-Policy">
> > >     <wsp:ExactlyOne>
> > >         <wsp:All>
> > >             <sp:SignedParts>
> > >                 <sp:Body/>
> > >             </sp:SignedParts>
> > >             <sp:EncryptedParts>
> > >                 <sp:Body/>
> > >             </sp:EncryptedParts>
> > >         </wsp:All>
> > >     </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> >
> > > ______________________________________________________________________
> > > This email has been scanned by the Symantec Email Security.cloud service.
> > > ______________________________________________________________________
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
> 
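Colm's answer in the thread above (the client-generated symmetric key reaches the STS wrapped under the STS certificate, sp:RequireDerivedKeys means the actual signing and encryption keys are derived from it, and with sp:RequireClientEntropy / sp:RequireServerEntropy the issued token's key is computed from both parties' entropy) can be modelled without a SOAP stack. The following is an added example, not code from the thread or from Apache CXF/WSS4J: it uses only the Python standard library, the function names and the sample Body are made up, and the RSA wrapping of the xenc:EncryptedKey is represented by a variable shared between the two sides rather than performed.

```python
import hashlib
import hmac
import os

# Default <wsc:Label> of a DerivedKeyToken when none is sent (WS-SecureConversation 1.3).
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"

# Basic256 algorithm suite: derived signature keys are 192 bits and derived
# encryption keys 256 bits (SigKD = P_SHA1 L192, EncKD = P_SHA1 L256).
SIG_KEY_LEN = 24
ENC_KEY_LEN = 32


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from TLS 1.0 (RFC 2246, section 5): the PRF WS-Trust names as
    ComputedKey/PSHA1 and WS-SecureConversation uses for derived keys."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int, length: int,
               label: bytes = DEFAULT_LABEL) -> bytes:
    """Key for a <wsc:DerivedKeyToken> with the given Nonce, Offset and Length
    (what sp:RequireDerivedKeys asks for): a slice of P_SHA1(secret, label + nonce)."""
    return p_sha1(secret, label + nonce, offset + length)[offset:]


def computed_key(client_entropy: bytes, server_entropy: bytes, key_size_bits: int) -> bytes:
    """WS-Trust 1.3 ComputedKey PSHA1 for the issued token: with client and
    server entropy both required, the key is P_SHA1(clientEntropy, serverEntropy)
    truncated to KeySize bits."""
    return p_sha1(client_entropy, server_entropy, key_size_bits // 8)


def sign_body(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA1 with the derived key (Basic256's symmetric signature method).
    A real stack MACs a ds:SignedInfo that references the digested Body; this
    collapses that to one MAC over the Body bytes."""
    return hmac.new(key, body, hashlib.sha1).digest()


def verify_body(key: bytes, body: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign_body(key, body), signature)


def demo() -> tuple:
    """Walk the exchange from both sides; returns
    (verified, tampered_verified, issued_keys_match, issued_key_len)."""
    # --- client ---
    # Fresh symmetric key. On the wire it goes in an xenc:EncryptedKey wrapped
    # under the STS certificate ("stskey"); only the STS private key can unwrap
    # it, which is why the client needs no signing certificate of its own. The
    # wrapping itself is not performed here; the shared variable stands in for it.
    symmetric_key = os.urandom(32)
    nonce = os.urandom(16)  # DerivedKeyToken nonce, sent in the clear
    body = b"<soap:Body><wst:RequestSecurityToken/></soap:Body>"  # constructed sample
    client_sig_key = derive_key(symmetric_key, nonce, offset=0, length=SIG_KEY_LEN)
    signature = sign_body(client_sig_key, body)

    # --- STS ---
    # Unwraps the EncryptedKey with its private key, reads nonce/offset/length
    # from the DerivedKeyToken and recomputes the same MAC key.
    sts_sig_key = derive_key(symmetric_key, nonce, offset=0, length=SIG_KEY_LEN)
    verified = verify_body(sts_sig_key, body, signature)
    tampered_verified = verify_body(sts_sig_key, body + b" ", signature)

    # Issued-token key (Trust13): client entropy from the RST, server entropy
    # from the RSTR, combined identically on both sides.
    client_entropy, server_entropy = os.urandom(32), os.urandom(32)
    issued_client = computed_key(client_entropy, server_entropy, 256)
    issued_sts = computed_key(client_entropy, server_entropy, 256)
    return verified, tampered_verified, issued_client == issued_sts, len(issued_sts)


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that the STS verifies the Body signature with a key only it can recover (anyone else would need the STS private key to unwrap the EncryptedKey), so a client signing certificate adds nothing to the binding; who the caller is comes from the UsernameToken, and the key the issued token is bound to is never sent in full by either side but computed from the two entropy values.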
