OpenSSO Secure Token Server – 2

This blog is the second in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here.

Configure the WebLogic Trust Keystores

Ensure that the WebLogic containers are using the keystore and trusted certificate stores created previously. On Windows this is done by editing the service creation command file so that the JVM is started with the javax.net.ssl system properties, as follows:

  • Edit the createSvc.cmd file to include the following JAVA_OPTIONS parameters for the web service container and save it as createWSPSvc.cmd. In a cmd file the whole set statement must be one logical line, so end each continued line with ^:
    set JAVA_OPTIONS=-Djavax.net.ssl.trustStore=C:\Sun\Middleware\user_projects\domains\wss\resources\cacerts ^
    -Djavax.net.ssl.keyStore=C:\Sun\Middleware\user_projects\domains\wss\resources\server.jks ^
    -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStorePassword=changeit
  • Repeat for the web service client and OpenSSO containers.
  • Run the command files to create the services.
    For example:
    @echo off
    SETLOCAL
    set DOMAIN_NAME=wsp
    set USERDOMAIN_HOME=C:\Sun\Middleware\user_projects\domains\wss
    set SERVER_NAME=AdminServer
    set PRODUCTION_MODE=false
    set JAVA_VENDOR=Sun
    set JAVA_HOME=C:\Sun\Middleware\jdk160_24
    set MEM_ARGS=-Xms256m -Xmx512m
    set JAVA_OPTIONS=-Djavax.net.ssl.trustStore=C:\Sun\Middleware\user_projects\domains\wsp\resources\cacerts ^
    -Djavax.net.ssl.keyStore=C:\Sun\Middleware\user_projects\domains\wsp\resources\server.jks ^
    -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStorePassword=changeit
    call "C:\Sun\Middleware\wlserver_10.3\server\bin\installSvc.cmd"
    ENDLOCAL

Two things to check before installing the services: the trust store and key store paths must point at the files in the domain directory the service actually starts from (USERDOMAIN_HOME), and the store passwords become part of the service's command line, where anyone who can inspect the process or the service definition can read them. Replace the changeit default with real passwords before this goes beyond a test deployment.
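The following Python script is an added example, not code from the original post or from WebLogic: it lints a createSvc.cmd-style file offline, joining cmd.exe ^ continuations, pulling out the -Djavax.net.ssl.* properties from JAVA_OPTIONS, and flagging the mistakes the procedure above is prone to (a set statement split without ^, a default store password, a store path outside USERDOMAIN_HOME). The three sample files are constructed for the example and modelled on the commands above; the list of default passwords and the assumption that store paths contain no spaces are the example's own.

```python
# Added example (not from the original post): lint the javax.net.ssl settings
# in a WebLogic service-creation command file before installing the service.
import re
from typing import Dict, List

# Passwords that ship as defaults and must not survive into a real deployment.
# (List chosen for this example; extend it to match your own standards.)
DEFAULT_PASSWORDS = {"changeit", "password", "welcome1"}


def join_continuations(text: str) -> List[str]:
    """Join cmd.exe '^' line continuations so each 'set' becomes one logical line."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("^"):
            buf += line[:-1]  # drop the caret, keep the text before it
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_cmd_vars(text: str) -> Dict[str, str]:
    """Return the variables assigned with 'set NAME=VALUE' (last assignment wins)."""
    found: Dict[str, str] = {}
    for line in join_continuations(text):
        m = re.match(r"\s*set\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line, re.IGNORECASE)
        if m:
            found[m.group(1).upper()] = m.group(2).strip()
    return found


def ssl_properties(java_options: str) -> Dict[str, str]:
    """Extract -Djavax.net.ssl.<name>=<value> pairs (assumes paths without spaces)."""
    return dict(re.findall(r"-Djavax\.net\.ssl\.(\w+)=(\S+)", java_options))


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file looks sane."""
    findings: List[str] = []
    env = parse_cmd_vars(text)
    opts = env.get("JAVA_OPTIONS", "")
    if not opts:
        findings.append("JAVA_OPTIONS is empty (missing ^ continuation?)")
    props = ssl_properties(opts)

    for name in ("trustStore", "keyStore"):
        if name not in props:
            findings.append(f"missing -Djavax.net.ssl.{name}")

    for name in ("trustStorePassword", "keyStorePassword"):
        if props.get(name, "").lower() in DEFAULT_PASSWORDS:
            findings.append(f"{name} is a well-known default")

    ts, ks = props.get("trustStore", ""), props.get("keyStore", "")
    if ts and ts.lower() == ks.lower():
        findings.append("trustStore and keyStore are the same file")

    home = env.get("USERDOMAIN_HOME", "").rstrip("\\")
    if home:
        for name in ("trustStore", "keyStore"):
            path = props.get(name, "")
            if path and not path.lower().startswith(home.lower() + "\\"):
                findings.append(f"{name} is not under USERDOMAIN_HOME ({home})")
    return findings


# Constructed sample 1: the set statement split across lines without ^, so
# cmd.exe assigns an empty JAVA_OPTIONS and the stores are never configured.
SAMPLE_SPLIT = r"""set USERDOMAIN_HOME=C:\Sun\Middleware\user_projects\domains\wss
set JAVA_OPTIONS=
-Djavax.net.ssl.trustStore=C:\Sun\Middleware\user_projects\domains\wss\resources\cacerts
-Djavax.net.ssl.keyStore=C:\Sun\Middleware\user_projects\domains\wss\resources\server.jks
"""

# Constructed sample 2: continued correctly, but default passwords and store
# paths that belong to a different domain directory than USERDOMAIN_HOME.
SAMPLE_BAD = r"""@echo off
SETLOCAL
set DOMAIN_NAME=wsp
set USERDOMAIN_HOME=C:\Sun\Middleware\user_projects\domains\wss
set SERVER_NAME=AdminServer
set JAVA_OPTIONS=^
 -Djavax.net.ssl.trustStore=C:\Sun\Middleware\user_projects\domains\wsp\resources\cacerts ^
 -Djavax.net.ssl.keyStore=C:\Sun\Middleware\user_projects\domains\wsp\resources\server.jks ^
 -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStorePassword=changeit
call "C:\Sun\Middleware\wlserver_10.3\server\bin\installSvc.cmd"
ENDLOCAL
"""

# Constructed sample 3: what a clean file looks like.
SAMPLE_GOOD = r"""set USERDOMAIN_HOME=C:\Sun\Middleware\user_projects\domains\wss
set JAVA_OPTIONS=-Djavax.net.ssl.trustStore=C:\Sun\Middleware\user_projects\domains\wss\resources\cacerts ^
 -Djavax.net.ssl.keyStore=C:\Sun\Middleware\user_projects\domains\wss\resources\server.jks ^
 -Djavax.net.ssl.trustStorePassword=Tr1stStorePass -Djavax.net.ssl.keyStorePassword=K3yStorePass
"""

if __name__ == "__main__":
    for label, sample in (("split", SAMPLE_SPLIT), ("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, lint(sample) or "OK")
```

Run it against each createXxxSvc.cmd before calling it; the "not under USERDOMAIN_HOME" finding is the one that catches a key store path copied from one container's file into another's.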

Configure OpenSSO Web Service Profiles

The hosts used in this deployment are:

Web Services Client: http://ws-client.ltes.com:8001
Web Services Provider: http://ws-provider.ltes.com:7001
OpenSSO Server: http://opensso.ltes.com

This deployment uses the default WSC and WSP profiles shipped with OpenSSO.

  • Access the OpenSSO Console by entering the following URL:
    http://opensso.ltes.com/opensso
  • Log in to the OpenSSO Console as amadmin.
  • Go to Access Control -> Default realm -> Agents.

Update the Web Service Client Profile

  • Select the Web Service Client tab.

  • In the Agent panel select WSC.
  • Click the WSC profile to edit it.
  • In the Security section select STSSecurity as the Security Mechanism, select SecurityTokenService as the STS Configuration, and set Preserve Security Headers in Message to true.

  • In the Signing and Encryption section check Is Request Signed Enabled and Is Response Signature Verified, then uncheck all signing values except Body. Only the SOAP Body is covered by the signature with this setting, so do not rely on anything carried in an unsigned header.

  • Enter the key aliases, the keystore location and the keystore password.

  • Save the changes.