Thanx, Andrei, I will give it a look.

Stephen W. Chappell

-----Original Message-----
From: Andrei Shakirin [mailto:ashaki...@talend.com] 
Sent: Wednesday, May 28, 2014 8:20 AM
To: users@cxf.apache.org
Cc: Chappell, Stephen CTR (FAA)
Subject: RE: Trust between multiple STS

Hi,

If you choose trusted certificates alternative, you can also evaluate XKMS 
service to store CAs and trusted certificates.
In this case XKMS Crypto provider will communicate with XKMS in order to get 
and validate certificate (including revocation lists and trust chain checks).
http://cxf.apache.org/docs/xml-key-management-service-xkms.html

Managing certificates in keystores/truststores can become inconvenient for 
large enterprise environments.

Regards,
Andrei.

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Wednesday, 28 May 2014 14:11
> To: users@cxf.apache.org
> Subject: Re: Trust between multiple STS
> 
> Yes, importing the trusted certs in the various STS instances should work.
> Another alternative is to use a distributed TokenStore implementation 
> (such as the Hazelcast one in sts-core), which means that the STS 
> instances all share the same cache + should then automatically trust a 
> token issued by another STS that shares the same cache.
> 
> Colm.
> 
> 
> On Wed, May 28, 2014 at 12:21 PM, <stephen.ctr.chapp...@faa.gov> wrote:
> 
> > In order to support high availability and domain segregation 
> > requirements, our STS deployment will likely consist of multiple STS 
> > being deployed between two or more domains, each with their own 
> > certificate. In theory, all of the STS should trust each other, 
> > i.e., each STS should accept tokens issued by any of the other STS 
> > when passed in through the RST/ActAs element or when passed into the 
> > Validate interface. Can the CXF STS be configured with this sort of 
> > trust relationship, maybe through importing all the trusted certs 
> > into the STS keystore or trust store?
> >
> > Thanx,
> >
> > Stephen W. Chappell
> >
> 
> 
> 
> --
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com

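The two options discussed in the thread (a truststore holding every peer STS's certificate, and a shared Hazelcast TokenStore) map onto a few setters on the sts-core classes. The following is an added example written for this page, not code from the thread or from the CXF project: a programmatic equivalent of the usual Spring wiring of one STS instance in such a federation. Class and package names are the CXF 3.x sts-core ones; the properties file path, keystore/alias names, endpoint patterns, callback handler class, and the Hazelcast map name are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;

import org.apache.cxf.sts.STSPropertiesMBean;
import org.apache.cxf.sts.StaticSTSProperties;
import org.apache.cxf.sts.cache.HazelcastTokenStore;
import org.apache.cxf.sts.operation.TokenIssueOperation;
import org.apache.cxf.sts.operation.TokenValidateOperation;
import org.apache.cxf.sts.service.ServiceMBean;
import org.apache.cxf.sts.service.StaticService;
import org.apache.cxf.sts.token.delegation.SAMLDelegationHandler;
import org.apache.cxf.sts.token.delegation.TokenDelegationHandler;
import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
import org.apache.cxf.sts.token.provider.TokenProvider;
import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidator;
import org.apache.cxf.ws.security.tokenstore.TokenStore;

/** Added example: wiring one STS instance of a multi-STS, multi-domain deployment. */
public class FederatedStsConfig {

    /** WSS4J Merlin crypto properties loaded by this instance (path is an assumption). */
    static final String SIG_CRYPTO_PROPERTIES = "stsKeystore.properties";
    /*
     * Assumed contents of stsKeystore.properties (WSS4J 2.x key names). The keystore
     * holds only THIS instance's signing key; the separate truststore holds the
     * signing certificates of every peer STS whose tokens must be accepted when they
     * arrive in ActAs or on the Validate binding. Passwords shown as placeholders.
     *
     *   org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
     *   org.apache.wss4j.crypto.merlin.keystore.type=jks
     *   org.apache.wss4j.crypto.merlin.keystore.file=sts-domainA.jks
     *   org.apache.wss4j.crypto.merlin.keystore.password=<keystore password>
     *   org.apache.wss4j.crypto.merlin.keystore.alias=sts-domainA
     *   org.apache.wss4j.crypto.merlin.truststore.file=federated-sts-trust.jks
     *   org.apache.wss4j.crypto.merlin.truststore.password=<truststore password>
     */

    public static STSPropertiesMBean stsProperties(String issuer, String signatureAlias) {
        StaticSTSProperties props = new StaticSTSProperties();
        props.setIssuer(issuer);                                  // e.g. "STS-DomainA" (assumption)
        props.setSignatureCryptoProperties(SIG_CRYPTO_PROPERTIES); // keystore + truststore above
        props.setSignatureUsername(signatureAlias);               // this instance's own key
        // Supplies the private-key password for signatureAlias (class name is an assumption).
        props.setCallbackHandlerClass("com.example.sts.KeystorePasswordCallbackHandler");
        return props;
    }

    /** Option 2 from the thread: a Hazelcast-backed cache from sts-core (map name assumed). */
    public static TokenStore sharedTokenStore() {
        // Every STS instance that joins the same Hazelcast cluster sees the tokens the
        // others issued, so membership of that cluster becomes a trust decision.
        return new HazelcastTokenStore("federated-sts-tokens");
    }

    public static TokenIssueOperation issueOperation(STSPropertiesMBean props, TokenStore store) {
        StaticService service = new StaticService();
        // Relying-party endpoints this STS issues for (regex list; URLs are assumptions).
        service.setEndpoints(Arrays.asList(
            "https://services\\.domain-a\\.example/.*",
            "https://services\\.domain-b\\.example/.*"));

        TokenIssueOperation issue = new TokenIssueOperation();
        issue.setStsProperties(props);
        issue.setServices(Collections.<ServiceMBean>singletonList(service));
        issue.setTokenProviders(Collections.<TokenProvider>singletonList(new SAMLTokenProvider()));
        // An ActAs token is validated with these validators before delegation is honoured;
        // SAMLTokenValidator verifies the assertion signature against the truststore from
        // the signature Crypto, so a peer STS's token passes once its cert is imported there.
        issue.setTokenValidators(Collections.<TokenValidator>singletonList(new SAMLTokenValidator()));
        issue.setDelegationHandlers(
            Collections.<TokenDelegationHandler>singletonList(new SAMLDelegationHandler()));
        issue.setTokenStore(store);
        return issue;
    }

    public static TokenValidateOperation validateOperation(STSPropertiesMBean props, TokenStore store) {
        TokenValidateOperation validate = new TokenValidateOperation();
        validate.setStsProperties(props);
        // Same validator on the Validate binding, so the trust rules are identical.
        validate.setTokenValidators(Collections.<TokenValidator>singletonList(new SAMLTokenValidator()));
        validate.setTokenStore(store);
        return validate;
    }
}
```

Two caveats a practitioner would want when choosing between the options. With the truststore approach, import each peer STS's own signing certificate rather than a CA that issued them: Merlin trust verification walks the chain, so a CA in the truststore would let any certificate that CA ever issues sign tokens this STS accepts. With the shared-cache approach, whatever can join the Hazelcast cluster can populate the cache that the STS instances trust, so the cluster's network must be restricted to the STS hosts and, where the Hazelcast version allows it, authenticated and encrypted; treat it as part of the STS security boundary rather than as plain infrastructure.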