PicketLink Federation configuration files for the STS and/or the SAML IDP/SP contain passwords. Based on PLFED-73, it is possible to mask those passwords in the configuration files instead of storing them in clear text.
This should be available as of 1.0.3.CR4 (May 2010).
Availability
- Since PicketLink Federation 1.0.3
Usage
- Locate the picketlink-fed-core jar on your operating system (use your operating system's file finder).
- Go to that directory and run the following, passing the salt, the iterationCount and the clear-text password:
java -cp picketlink-fed-core-1.0.3.CR3-SNAPSHOT.jar org.picketlink.identity.federation.core.util.PBEUtils 18273645 56 testpass
Encoded password: MASK-j0zEeKjP7IBywzHTUBd0MQ==
- Note: In your case, the jar file may just be "picketlink-fed-core.jar".
For the password "testpass", the encoded (masked) value is "MASK-j0zEeKjP7IBywzHTUBd0MQ==". Copy and paste this into the password field of your configuration. In addition, add two properties, one for "salt" and the other for "iterationCount", holding the values you passed to PBEUtils; the runtime needs them to decode the masked value.
- In this example, the salt is 18273645 and the iterationCount is 56.
Important Points To Remember
- Input to the PBEUtils class is a salt (an 8-character string), an iterationCount (an integer value) and the clear-text password to mask.
- Please do not use the same salt and iterationCount as used in this wiki article. Please use your own 8-character salt and your own integer iterationCount.
- Masking is obfuscation, not a secret: decoding needs only the masked value, the salt and the iterationCount, and all three sit in the same configuration file, so anyone who can read the file and run the jar can recover the clear-text password. Keep the usual file permissions on the configuration and the keystore; masking only keeps clear-text passwords out of casual view.
Example
Before Password Masking
<PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" STSName="Test STS" TokenTimeout="7200" EncryptToken="false">
  <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="keystore/sts_keystore.jks"/>
    <Auth Key="KeyStorePass" Value="testpass"/>
    <Auth Key="SigningKeyAlias" Value="sts"/>
    <Auth Key="SigningKeyPass" Value="keypass"/>
    <ValidatingAlias Key="http://services.testcorp.org/provider1" Value="service1"/>
    <ValidatingAlias Key="http://services.testcorp.org/provider2" Value="service2"/>
  </KeyProvider>
  <RequestHandler>org.picketlink.identity.federation.core.wstrust.StandardRequestHandler</RequestHandler>
  <TokenProviders>
    <TokenProvider ProviderClass="org.picketlink.test.identity.federation.core.wstrust.SpecialTokenProvider" TokenType="http://www.tokens.org/SpecialToken" TokenElement="SpecialToken" TokenElementNS="http://www.tokens.org">
      <Property Key="Property1" Value="Value1"/>
      <Property Key="Property2" Value="Value2"/>
    </TokenProvider>
    <TokenProvider ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion"/>
  </TokenProviders>
  <ServiceProviders>
    <ServiceProvider Endpoint="http://services.testcorp.org/provider1" TokenType="http://www.tokens.org/SpecialToken" TruststoreAlias="service1"/>
    <ServiceProvider Endpoint="http://services.testcorp.org/provider2" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" TruststoreAlias="service2"/>
  </ServiceProviders>
</PicketLinkSTS>
Running the commands:
java -cp picketlink-fed-core-1.0.3.CR3-SNAPSHOT.jar org.picketlink.identity.federation.core.util.PBEUtils 18273645 56 testpass
Encoded password: MASK-j0zEeKjP7IBywzHTUBd0MQ==
java -cp picketlink-fed-core-1.0.3.CR3-SNAPSHOT.jar org.picketlink.identity.federation.core.util.PBEUtils 18273645 56 keypass
Encoded password: MASK-ir6cKDE6OoQ=
After masking:
<PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" STSName="Test STS" TokenTimeout="7200" EncryptToken="false">
  <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="keystore/sts_keystore.jks"/>
    <Auth Key="KeyStorePass" Value="MASK-j0zEeKjP7IBywzHTUBd0MQ=="/>
    <Auth Key="SigningKeyAlias" Value="sts"/>
    <Auth Key="SigningKeyPass" Value="MASK-ir6cKDE6OoQ="/>
    <Auth Key="salt" Value="18273645"/>
    <Auth Key="iterationCount" Value="56"/>
    <ValidatingAlias Key="http://services.testcorp.org/provider1" Value="service1"/>
    <ValidatingAlias Key="http://services.testcorp.org/provider2" Value="service2"/>
  </KeyProvider>
  <RequestHandler>org.picketlink.identity.federation.core.wstrust.StandardRequestHandler</RequestHandler>
  <TokenProviders>
    <TokenProvider ProviderClass="org.picketlink.test.identity.federation.core.wstrust.SpecialTokenProvider" TokenType="http://www.tokens.org/SpecialToken" TokenElement="SpecialToken" TokenElementNS="http://www.tokens.org">
      <Property Key="Property1" Value="Value1"/>
      <Property Key="Property2" Value="Value2"/>
    </TokenProvider>
    <TokenProvider ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion"/>
  </TokenProviders>
  <ServiceProviders>
    <ServiceProvider Endpoint="http://services.testcorp.org/provider1" TokenType="http://www.tokens.org/SpecialToken" TruststoreAlias="service1"/>
    <ServiceProvider Endpoint="http://services.testcorp.org/provider2" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" TruststoreAlias="service2"/>
  </ServiceProviders>
</PicketLinkSTS>
Troubleshooting
- Error: java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long. Solution: use a salt that is exactly 8 characters long. The check is on bytes, so stick to plain ASCII characters; a multi-byte character would push the salt over 8 bytes even if it is 8 characters long.
Section for PicketLink Developers
If you want to make use of this functionality from your own code, as of PicketLink v2 there is
org/picketlink/identity/federation/core/util/StringUtil.java that has a decode method.
Pass it the masked password, the salt and the iterationCount. All three values come from your configuration file.
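The following is an added, standalone illustration of the masking scheme described above and of what a decode call on the developer side has to do; it is example code, not PicketLink's own PBEUtils or StringUtil. It uses the JDK's PBEWithMD5AndDES through javax.crypto and applies the "MASK-" prefix, the 8-byte salt rule from the troubleshooting section, and the requirement that "salt" and "iterationCount" accompany any masked Auth value. One assumption to note: PBEUtils is invoked with only a salt, an iteration count and the password, so whatever PBE passphrase it uses is fixed inside the jar; this example takes the passphrase as an explicit parameter instead, so its output will not match the MASK values shown on this page byte for byte. The class, method and sample values (passphrase, salt, iteration count) are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/**
 * Example code (not PicketLink's PBEUtils/StringUtil): PBEWithMD5AndDES over the
 * clear-text password, base64-encoded and prefixed with "MASK-". The PBE passphrase
 * is an explicit parameter here; the real tool keeps its own fixed one in the jar
 * (assumption), so values produced here differ from the wiki's sample MASK strings.
 */
public class PasswordMaskExample {
    static final String PREFIX = "MASK-";
    static final String ALG = "PBEWithMD5AndDES";

    static PBEParameterSpec paramSpec(String salt, int iterationCount) {
        byte[] saltBytes = salt.getBytes(StandardCharsets.UTF_8);
        // Same constraint the troubleshooting section reports: DES PBE needs an 8-byte salt.
        if (saltBytes.length != 8) {
            throw new IllegalArgumentException("Salt must be 8 bytes long, got " + saltBytes.length);
        }
        return new PBEParameterSpec(saltBytes, iterationCount);
    }

    static Cipher cipher(int mode, char[] passphrase, String salt, int iterationCount)
            throws GeneralSecurityException {
        SecretKey key = SecretKeyFactory.getInstance(ALG).generateSecret(new PBEKeySpec(passphrase));
        Cipher c = Cipher.getInstance(ALG);
        c.init(mode, key, paramSpec(salt, iterationCount));
        return c;
    }

    /** What running PBEUtils does: clear-text password -> "MASK-<base64 ciphertext>". */
    static String mask(String clear, char[] passphrase, String salt, int iterationCount)
            throws GeneralSecurityException {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, passphrase, salt, iterationCount)
                .doFinal(clear.getBytes(StandardCharsets.UTF_8));
        return PREFIX + Base64.getEncoder().encodeToString(ct);
    }

    /** Developer side: a decode(masked, salt, iterationCount) step. Unmasked values pass through. */
    static String unmask(String value, char[] passphrase, String salt, int iterationCount)
            throws GeneralSecurityException {
        if (!value.startsWith(PREFIX)) {
            return value;
        }
        byte[] ct = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        byte[] pt = cipher(Cipher.DECRYPT_MODE, passphrase, salt, iterationCount).doFinal(ct);
        return new String(pt, StandardCharsets.UTF_8);
    }

    /**
     * Resolve the KeyProvider <Auth> entries: KeyStorePass and SigningKeyPass may be masked,
     * in which case the sibling "salt" and "iterationCount" entries are mandatory.
     */
    static Map<String, String> resolveAuth(Map<String, String> auth, char[] passphrase)
            throws GeneralSecurityException {
        Map<String, String> out = new LinkedHashMap<>(auth);
        for (String key : new String[] {"KeyStorePass", "SigningKeyPass"}) {
            String v = auth.get(key);
            if (v == null || !v.startsWith(PREFIX)) continue;
            String salt = auth.get("salt");
            String count = auth.get("iterationCount");
            if (salt == null || count == null) {
                throw new IllegalStateException(key + " is masked but salt/iterationCount are missing");
            }
            out.put(key, unmask(v, passphrase, salt, Integer.parseInt(count)));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; choose your own salt and iteration count in real use.
        char[] passphrase = "example-passphrase".toCharArray();
        String salt = "a1b2c3d4";
        int iterations = 1000;
        Map<String, String> auth = new LinkedHashMap<>();
        auth.put("KeyStoreURL", "keystore/sts_keystore.jks");
        auth.put("KeyStorePass", mask("testpass", passphrase, salt, iterations));
        auth.put("SigningKeyAlias", "sts");
        auth.put("SigningKeyPass", mask("keypass", passphrase, salt, iterations));
        auth.put("salt", salt);
        auth.put("iterationCount", Integer.toString(iterations));
        System.out.println("masked Auth entries: " + auth);
        Map<String, String> resolved = resolveAuth(auth, passphrase);
        if (!"testpass".equals(resolved.get("KeyStorePass"))
                || !"keypass".equals(resolved.get("SigningKeyPass"))) {
            throw new AssertionError("round trip failed");
        }
        System.out.println("round trip ok");
    }
}
```

The round trip in main is the point to take away: everything unmask needs besides the passphrase is read back out of the same Auth map the masked value lives in, which is why the masking only hides passwords from casual inspection and does not replace file permissions on the configuration.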