OpenSSO Secure Token Server – 3

This blog is the third in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here and part 2 is available here.

Update the Web Service Provider Profile

The following steps describe how to create the Web Service Provider profile.

  • Click Web Service Provider. Under Agent click WSP.

  • Select all Security Mechanisms and set Preserve Security Headers in Message to true.

  • Click the checkboxes for Is Request Signature Verified, Is Response Signed.

  • Enter the Web Service End Point URL:

  • Enter the key aliases, keystore location and password.

  • Save the changes.

Update the Agent Authenticator Profile

This Agent Authenticator (agentAuth) acts as the application user. It authenticates WSS agents to the OpenSSO server through the OpenSSO client SDK in order to retrieve agent profiles or configurations from the OpenSSO server. To do its job, agentAuth requires permission to read the configuration information of the newly created WSC and WSP agent profiles.

Set the agentAuth read permission as follows:

  • Select the Agent Authenticator tab.

  • Under Agent, click agentAuth to edit it.
  • Under the heading Agent Profiles allowed ensure that WSC and WSP are selected.
  • Save the changes and log out of OpenSSO.

Edit the Security Token Service Configuration Parameters

Log onto OpenSSO and navigate to Configuration -> Global -> Security Token Service.

Make the following changes:

  • In the Token Issuance Attributes section change the issuer to Self-CA and the Certificate Alias Name to opensso

  • In the Key Store section change the Private Key Alias and the Public Key Alias of Web Service (WS-Trust) Client to opensso.

  • In the Token Validation Attributes section change the Trusted Issuers to cacert:Self-CA.

Change the Cookie c66Encode Flag

The c66Encode flag resolves a problem whereby some application servers return the wrong cookie id if certain characters are used in the id.  C66Encoding ensures that those characters are not used in the cookie id.

Follow these steps to turn c66Encoding on.

  • Log onto the OpenSSO console and navigate to Configuration -> Servers and Sites.
  • Click the Default Servers Settings button.
  • Select the Advanced tab.
  • Change the value of to true

  • Save the changes
  • Restart the OpenSSO web container

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s