PicketLink Configuration: Mask password

    PicketLink Federation configuration for the STS and/or the SAML IDP/SP includes passwords. Based on PLFED-73, it should be possible to mask these passwords in the configuration files.


    This should be available as of 1.0.3.CR4 and later (May 2010).

    Availability

    • Since PicketLink Federation 1.0.3

    Usage

    • Locate the picketlink-fed-core jar on your operating system (use your file finder).
    • Go to that directory and run:

      java -cp picketlink-fed-core-1.0.3.CR3-SNAPSHOT.jar org.picketlink.identity.federation.core.util.PBEUtils 18273645 56 testpass
      Encoded password: MASK-j0zEeKjP7IBywzHTUBd0MQ==

    • Note: in your installation the jar file may simply be named "picketlink-fed-core.jar".
    • For the password "testpass", the encoded password is "MASK-j0zEeKjP7IBywzHTUBd0MQ==". Copy and paste this into the password field of your configuration. In addition, add two properties, one for "salt" and the other for "iterationCount".
    • In this example, the salt is 18273645 and the iterationCount is 56.


    Important Points To Remember

    • Input to the PBEUtils class is a salt (an 8-character string) and an iterationCount (an integer value).
    • Do not use the same salt and iterationCount as used in this wiki article. Use your own 8-character salt and your own integer iterationCount.


    Example

    Before Password Masking


    <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0"
        STSName="Test STS" TokenTimeout="7200" EncryptToken="false">
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="keystore/sts_keystore.jks"/> 
              <Auth Key="KeyStorePass" Value="testpass"/>
              <Auth Key="SigningKeyAlias" Value="sts"/>
              <Auth Key="SigningKeyPass" Value="keypass"/>
              <ValidatingAlias Key="http://services.testcorp.org/provider1" Value="service1"/>
              <ValidatingAlias Key="http://services.testcorp.org/provider2" Value="service2"/>
        </KeyProvider>
        <RequestHandler>org.picketlink.identity.federation.core.wstrust.StandardRequestHandler</RequestHandler>
        <TokenProviders>
            <TokenProvider ProviderClass="org.picketlink.test.identity.federation.core.wstrust.SpecialTokenProvider"
                TokenType="http://www.tokens.org/SpecialToken"
                TokenElement="SpecialToken"
                TokenElementNS="http://www.tokens.org">
                <Property Key="Property1" Value="Value1"/>
                <Property Key="Property2" Value="Value2"/>
            </TokenProvider>
            <TokenProvider ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider"
                TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                TokenElement="Assertion"
                TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion"/>
        </TokenProviders>
        <ServiceProviders>
            <ServiceProvider Endpoint="http://services.testcorp.org/provider1" TokenType="http://www.tokens.org/SpecialToken"
                TruststoreAlias="service1"/>
            <ServiceProvider Endpoint="http://services.testcorp.org/provider2" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                TruststoreAlias="service2"/>
        </ServiceProviders>
    </PicketLinkSTS>
    


    Running the commands:

    java -cp picketlink-fed-core-1.0.3.CR3-SNAPSHOT.jar org.picketlink.identity.federation.core.util.PBEUtils 18273645 56 testpass
    Encoded password: MASK-j0zEeKjP7IBywzHTUBd0MQ==
    
    
    java -cp picketlink-fed-core-1.0.3.CR3-SNAPSHOT.jar org.picketlink.identity.federation.core.util.PBEUtils 18273645 56 keypass
    Encoded password: MASK-ir6cKDE6OoQ=
    


    After Password Masking


    <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0"
        STSName="Test STS" TokenTimeout="7200" EncryptToken="false">
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="keystore/sts_keystore.jks"/> 
              <Auth Key="KeyStorePass" Value="MASK-j0zEeKjP7IBywzHTUBd0MQ=="/>
              <Auth Key="SigningKeyAlias" Value="sts"/>
              <Auth Key="SigningKeyPass" Value="MASK-ir6cKDE6OoQ="/>
              <Auth Key="salt" Value="18273645"/>
              <Auth Key="iterationCount" Value="56"/>
              <ValidatingAlias Key="http://services.testcorp.org/provider1" Value="service1"/>
              <ValidatingAlias Key="http://services.testcorp.org/provider2" Value="service2"/>
        </KeyProvider>
        <RequestHandler>org.picketlink.identity.federation.core.wstrust.StandardRequestHandler</RequestHandler>
        <TokenProviders>
            <TokenProvider ProviderClass="org.picketlink.test.identity.federation.core.wstrust.SpecialTokenProvider"
                TokenType="http://www.tokens.org/SpecialToken"
                TokenElement="SpecialToken"
                TokenElementNS="http://www.tokens.org">
                <Property Key="Property1" Value="Value1"/>
                <Property Key="Property2" Value="Value2"/>
            </TokenProvider>
            <TokenProvider ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider"
                TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                TokenElement="Assertion"
                TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion"/>
        </TokenProviders>
        <ServiceProviders>
            <ServiceProvider Endpoint="http://services.testcorp.org/provider1" TokenType="http://www.tokens.org/SpecialToken"
                TruststoreAlias="service1"/>
            <ServiceProvider Endpoint="http://services.testcorp.org/provider2" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                TruststoreAlias="service2"/>
        </ServiceProviders>
    </PicketLinkSTS>
    


    Troubleshooting


    1. Error: java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long
       Solution: Ensure the salt is exactly 8 characters long.


    If you want to make use of this functionality from your own code, as of PicketLink v2 there is a decode method in org/picketlink/identity/federation/core/util/StringUtil.java.

    Pass it the masked password, the salt and the iterationCount. All three values come from your configuration files.
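As an added example (this is not PicketLink's own PBEUtils or StringUtil code), the following stand-alone Java program walks through the mask/unmask cycle that the Usage steps and the StringUtil decode section describe, and includes the 8-byte salt check behind the Troubleshooting error. The "MASK-" prefix, the salt and iterationCount parameters, and the base64 output format come from this page; the PBE algorithm name and the fixed passphrase used to derive the key are assumptions about the library's internals (the conventional JBoss values) and should be checked against the PicketLink sources before relying on byte-for-byte compatibility. The sample salt and iterationCount are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/**
 * Illustration of the MASK- password scheme described on this page.
 * Added example code, not PicketLink's PBEUtils/StringUtil.
 */
public class PasswordMaskDemo {

    /** Prefix the page shows on every encoded password. */
    static final String MASK_PREFIX = "MASK-";

    /** ASSUMPTION: PBE algorithm used by the library (JBoss convention). */
    static final String PBE_ALGORITHM = "PBEwithMD5andDES";

    /** ASSUMPTION: fixed passphrase the library uses to derive the PBE key. */
    static final char[] PBE_PASSPHRASE =
            "somearbitrarycrazystringthatdoesnotmatter".toCharArray();

    /** PBEwithMD5andDES needs exactly 8 salt bytes; this is the Troubleshooting error. */
    static byte[] saltBytes(String salt) throws InvalidAlgorithmParameterException {
        byte[] b = salt.getBytes(StandardCharsets.UTF_8);
        if (b.length != 8) {
            throw new InvalidAlgorithmParameterException("Salt must be 8 bytes long");
        }
        return b;
    }

    /** Build a cipher keyed from the fixed passphrase, salt and iteration count. */
    static Cipher cipher(int mode, String salt, int iterationCount) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGORITHM);
        SecretKey key = factory.generateSecret(new PBEKeySpec(PBE_PASSPHRASE));
        PBEParameterSpec spec = new PBEParameterSpec(saltBytes(salt), iterationCount);
        Cipher c = Cipher.getInstance(PBE_ALGORITHM);
        c.init(mode, key, spec);
        return c;
    }

    /** Equivalent of running: PBEUtils <salt> <iterationCount> <password>. */
    static String mask(String password, String salt, int iterationCount) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, salt, iterationCount)
                .doFinal(password.getBytes(StandardCharsets.UTF_8));
        return MASK_PREFIX + Base64.getEncoder().encodeToString(ct);
    }

    /** What a decode(masked, salt, iterationCount) does; unmasked values pass through. */
    static String unmask(String value, String salt, int iterationCount) throws Exception {
        if (!value.startsWith(MASK_PREFIX)) {
            return value;
        }
        byte[] ct = Base64.getDecoder().decode(value.substring(MASK_PREFIX.length()));
        byte[] pt = cipher(Cipher.DECRYPT_MODE, salt, iterationCount).doFinal(ct);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; pick your own salt and iterationCount in real configs.
        String salt = "A1b2C3d4";
        int iterations = 97;

        String masked = mask("testpass", salt, iterations);
        System.out.println("Encoded password: " + masked);
        System.out.println("Round trip: " + unmask(masked, salt, iterations));

        // A salt that is not exactly 8 bytes reproduces the Troubleshooting error.
        try {
            mask("testpass", "short", iterations);
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Under these assumptions, unmasking needs nothing beyond the jar and the three values already present in the configuration file, so the mask keeps a password from being readable at a glance in a config that gets pasted into a ticket or wiki; it does not protect against anyone who can read the file. File permissions on the configuration and the keystore remain the actual control, and using a distinct salt and iterationCount per deployment, as the Important Points section advises, keeps masked values from being comparable across configurations.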