On 05/03/2013 03:25 PM, chris snow wrote:
> In the STS stsstore.jks, the myidpkey is imported:
>
>   keytool -import -trustcacerts -keystore stsstore.jks -storepass stsspass -alias myidpkey -file MyIDP.cer -noprompt
>
> How does the code know how to use this keystore and certificate for
> verifying the UsernameToken in the requests?

Usually the SubjectKeyIdentifier or Certificate fingerprints of the
incoming SOAP message are matched with what's in the truststore, see the
certificate at Step #3 here:
http://www.jroller.com/gmazza/entry/creating_certificates_with_openssl .

HTH,
Glen

> The following code appears to point to the keystore and the private key,
> but I can't see in the code how the STS is configured to find the public
> keys like the myidpkey:
>
>   <bean id="transportSTSProperties"
>         class="org.apache.cxf.sts.StaticSTSProperties">
>     <property name="signaturePropertiesFile" value="stsKeystore.properties" />
>     <property name="signatureUsername" value="mystskey" />
>     <property name="callbackHandlerClass"
>               value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
>     <property name="encryptionPropertiesFile" value="stsKeystore.properties" />
>     <property name="issuer" value="DoubleItSTSIssuer" />
>     <property name="encryptionUsername" value="myservicekey" />
>   </bean>
>
> Many thanks,
> Chris
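The lookup Glen describes (match the SubjectKeyIdentifier or certificate thumbprint carried in the signed message against the entries of the truststore), as an added example that is not part of this thread and is not CXF or WSS4J code. It uses only the JDK; the class name TrustStoreLookup and its methods are hypothetical, and the file names stsstore.jks, the password stsspass and MyIDP.cer are taken from Chris's keytool command. It indexes every X.509 entry of the JKS by SKI and by SHA-1 thumbprint and then resolves an incoming certificate to its alias, which is what lets a verifier "find" myidpkey without that alias being named anywhere in the Spring bean:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

// Hypothetical illustration of resolving a truststore entry from the
// SubjectKeyIdentifier or SHA-1 thumbprint referenced by a signed message.
// Not CXF/WSS4J code; JDK classes only.
public class TrustStoreLookup {
    private static final String SKI_OID = "2.5.29.14";           // id-ce-subjectKeyIdentifier
    private final Map<String, String> aliasBySki = new HashMap<String, String>();
    private final Map<String, String> aliasByThumbprint = new HashMap<String, String>();

    // Index every X.509 certificate in the truststore by SKI and by thumbprint.
    public TrustStoreLookup(KeyStore truststore) throws Exception {
        Enumeration<String> aliases = truststore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = truststore.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;                                         // skip non-certificate entries
            }
            X509Certificate cert = (X509Certificate) c;
            aliasByThumbprint.put(hex(thumbprintSha1(cert)), alias);
            byte[] ski = subjectKeyIdentifier(cert);
            if (ski != null) {                                    // SKI is an optional extension
                aliasBySki.put(hex(ski), alias);
            }
        }
    }

    // Alias of the trusted certificate with this SKI, or null if the signer is not trusted.
    public String aliasForSki(byte[] ski) { return aliasBySki.get(hex(ski)); }

    // Same lookup keyed on the SHA-1 thumbprint of the DER-encoded certificate.
    public String aliasForThumbprint(byte[] sha1) { return aliasByThumbprint.get(hex(sha1)); }

    static byte[] thumbprintSha1(X509Certificate cert) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
    }

    // getExtensionValue() returns the extension's DER OCTET STRING; the SKI value
    // inside it is itself an OCTET STRING, so two unwraps yield the raw identifier.
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(SKI_OID);
        return ext == null ? null : octetStringContent(octetStringContent(ext));
    }

    // Content of the DER OCTET STRING starting at der[0]; handles short and long-form lengths.
    static byte[] octetStringContent(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("not a DER OCTET STRING");
        }
        int len = der[1] & 0xFF;
        int start = 2;
        if (len > 0x7F) {                                         // long form: low 7 bits = number of length bytes
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (der[2 + i] & 0xFF);
            }
            start = 2 + n;
        }
        return Arrays.copyOfRange(der, start, start + len);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    // Usage: java TrustStoreLookup stsstore.jks stsspass MyIDP.cer
    // Loads the JKS from the keytool command in the thread and checks that the
    // certificate in MyIDP.cer resolves to the "myidpkey" alias by both methods.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }
        TrustStoreLookup lookup = new TrustStoreLookup(ks);

        InputStream certIn = new FileInputStream(args[2]);
        X509Certificate incoming;
        try {                                                     // CertificateFactory accepts DER or PEM .cer files
            incoming = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certIn);
        } finally {
            certIn.close();
        }
        byte[] ski = subjectKeyIdentifier(incoming);
        System.out.println("by thumbprint: " + lookup.aliasForThumbprint(thumbprintSha1(incoming)));
        System.out.println("by SKI:        " + (ski == null ? "no SKI extension" : lookup.aliasForSki(ski)));
    }
}
```

The connection to the bean in the thread is the signaturePropertiesFile: stsKeystore.properties is the WSS4J crypto properties file that names the keystore file, type and password, and in the CXF STS samples it points at stsstore.jks itself, so the JKS that myidpkey was imported into is both the STS's own keystore (holding mystskey) and its truststore. No alias for the IdP certificate needs to appear in the Spring configuration; WSS4J resolves the signer from the SKI, thumbprint or issuer/serial reference in the message's KeyInfo, exactly as the lookup above does, and a lookup that returns null is the case where the signature is rejected.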