OpenSSO Secure Token Server – 2

This blog is the second in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here.

Configure the WebLogic Trust Keystores

Ensure that the WebLogic containers are using the keystore and trusted certificate stores crea:ted previously.  In Windows this can be done by editing the create service command file as follows

  • Edit the createSvc.cmd file to include the following JAVA_OPTIONS parameters for the web service container and save as createWSPSvc.cmd:
  • Repeat for the web service client and OpenSSO containers.
  • Run the commands to create the services.
    For example:
    echo off
    set DOMAIN_NAME=wsp
    set USERDOMAIN_HOME=C:\Sun\Middleware\user_projects\domains\wss
    set SERVER_NAME=AdminServer
    set PRODUCTION_MODE=false
    set JAVA_VENDOR=Sun
    set JAVA_HOME=C:\Sun\Middleware\jdk160_24
    set MEM_ARGS=-Xms256m -Xmx512m
    set JAVA_OPTIONS=\Sun\Middleware\user_projects\domains\wsp\resources\cacerts\Sun\Middleware\user_projects\domains\wsp\resources\server.jks
    call “C:\Sun\Middleware\wlserver_10.3\server\bin\installSvc.cmd”

Configure OpenSSO Web Service Profiles

Web Services Client
Web Services Provider
OpenSSO Server
This deployment uses the default WSC and WSP profiles shipped with OpenSSO.

  • Access the OpenSSO Console by entering the following URL:
  • Log in to the OpenSSO Console as amadmin.
  • Go to Access Control -> Default realm -> Agents, as shown below:

Update the Web Service Client Profile

  • Select the Web Service Client tab:

  • In the Agent panel select WSC.
  • Click the WSC profile to edit it.
  • In the Security section select the STSSecurity as the Security Mechanism, SecurityTokenService as the STS Configuration and set Preserve Security Headers in Message as true.

  • Check Is Request Signed Enabled and Is Response Signature Verified in the Signing and Encryption section then uncheck all signing values except Body.

  • Enter the key aliases, keystore location and password

  • Save the changes.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s