1 Reply Latest reply on Nov 15, 2012 10:21 AM by Abhishekh Padmanabhan

    ws-trust using picketlink-sts in JBoss AS7

    Abhishekh Padmanabhan Newbie

      I have the picketlink-sts example (jboss-as7 examples) ws deployed to JBoss AS7 as my STS  and a sample POJO web service service provider configured with handlers and the its security domain configured with SAML2STSLoginModule as below.

       

      I have a picketlink-sts ws client that obtains a saml assertion and can get the saml assertion created above to be validated and subsequently invoking my sample POJO web service using the configuration that contacts the picketlink STS to validate the token however I cannot get the local validation to work.

       

       

      {code:title=standalone.xml}

                      <security-domain name="sts">

                          <authentication>

                              <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule" flag="required">

                                  <module-option name="configFile" value="sts-config.properties"/>

                                  <module-option name="password-stacking" value="useFirstPass"/>

                                  <module-option name="localValidation" value="true"/>

                                  <module-option name="localValidationSecurityDomain" value="sts"/>

                              </login-module>

                              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">

                                  <module-option name="usersProperties" value="sts-users.properties"/>

                                  <module-option name="rolesProperties" value="sts-roles.properties"/>

                                  <module-option name="password-stacking" value="useFirstPass"/>

                              </login-module>

                          </authentication>

                          <jsse keystore-password="testpass" keystore-url="C:\picketlink\stores\sts_keystore.jks" truststore-password="testpass" truststore-url="C:\jboss\jboss-as-7.1.1.Final-new\standalone\configuration\sts_keystore.jks" server-alias="sts" client-alias="sts"/>

                      </security-domain>

       

      {code}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               {code}

       

       

       

       

       

      I am running into a problem with the keystore provided in the picketlink-sts that I  have configured in the jsse for the sts-client security domain.

       

      {noformat}

      Caused by: java.security.UnrecoverableKeyException: Cannot recover key      at sun.security.provider.KeyProtector.recover(Unknown Source) [rt.jar:1.7.0]

      {noformat}

       

      Am i missing anything. Any tutorial on how to get local validation of SAML assertion working without having to dispatch to the picketlink-sts ?

       

        • 1. Re: ws-trust using picketlink-sts in JBoss AS7
          Abhishekh Padmanabhan Newbie

          I got the jsse keystore to work by modifying the keypass of the private key in the picklink sts_keystore.jks to match the key store password. For some reason the only option available in the jsse element that defines configuration for keystores and truststores in the security subsystem configuration only has an attribute for keystore-password and apparently requires the keypass to be the same or atleast I had to ensure the keypass was same as the keystore password to get it working.

           

          Not sure why that would be required ?