mace-opensaml-users - Re: Getting "Request is from an unauthenticated SHAR"
Subject: OpenSAML user discussion
- From: Mike Stock <>
- Subject: Re: Getting "Request is from an unauthenticated SHAR"
- Date: Wed, 01 Sep 2004 10:52:15 +0200
Hi Scott,

Your "prototype" actually worked with a few modifications. I had to add configuration options for truststores and store types. For your information, I attached the modified source of SAMLSOAPBinding below. Maybe it's of use for someone else facing the same scenario.

Client authentication for attribute queries became relevant when we had to limit access to some of the attributes to a specific SHAR. The Shibboleth Origin implementation does this based on the SHAR client authentication.

Thanks for your hints,
-mike

starting at line 148:
------------------------------ snip ----------------------------------
        // needs: java.io.FileInputStream, java.security.KeyStore,
        //        javax.net.ssl.SSLContext, javax.net.ssl.KeyManagerFactory,
        //        javax.net.ssl.TrustManagerFactory
        if (conn instanceof javax.net.ssl.HttpsURLConnection) {
            // ssl-keystore holds the SHAR's own key and certificate, i.e. the
            // credential presented for client authentication. Without it no
            // client certificate is offered and the Origin sees an
            // unauthenticated SHAR.
            String ks_path = config.getProperty("ssl-keystore");
            if (ks_path != null) {
                String ks_pwd = config.getProperty("ssl-keystore-pwd");
                String ks_type = config.getProperty("ssl-keystore-type");
                String key_pwd = config.getProperty("ssl-key-pwd");
                KeyStore ks = KeyStore.getInstance(ks_type != null ? ks_type : "JKS");
                FileInputStream ks_in = new FileInputStream(ks_path);
                try {
                    ks.load(ks_in, (ks_pwd != null) ? ks_pwd.toCharArray() : null);
                } finally {
                    ks_in.close();
                }
                SSLContext ctx = SSLContext.getInstance("TLS");
                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                kmf.init(ks, (key_pwd != null) ? key_pwd.toCharArray() : null);

                // ssl-truststore is optional: it is used to verify the Origin's
                // server certificate. If it is absent, the JVM's default trust
                // managers (cacerts) are used instead.
                TrustManagerFactory tmf = null;
                String ts_path = config.getProperty("ssl-truststore");
                if (ts_path != null) {
                    String ts_pwd = config.getProperty("ssl-truststore-pwd");
                    String ts_type = config.getProperty("ssl-truststore-type");
                    KeyStore ts = KeyStore.getInstance(ts_type != null ? ts_type : "JKS");
                    FileInputStream ts_in = new FileInputStream(ts_path);
                    try {
                        ts.load(ts_in, (ts_pwd != null) ? ts_pwd.toCharArray() : null);
                    } finally {
                        ts_in.close();
                    }
                    tmf = TrustManagerFactory.getInstance("SunX509");
                    tmf.init(ts);
                }
                ctx.init(kmf.getKeyManagers(),
                         tmf != null ? tmf.getTrustManagers() : null,
                         null);
                ((javax.net.ssl.HttpsURLConnection) conn).setSSLSocketFactory(ctx.getSocketFactory());
            }
        }
------------------------------ snip ----------------------------------

Scott Cantor wrote:
>> Can someone elaborate on how I'll have to configure OpenSAML to do
>> correct client authentication? I already configured Tomcat with the
>> correct certificate, but this is for server authentication, if I am
>> correct on this. Do I have to set the SSL properties in
>> opensaml.properties?
>
> If it works at all, then yes, there are system properties that it would
> use to determine what to apply. It's apparently working to some limited
> degree, but it needs to be rewritten with some kind of interface to a
> credential and trust callback. I've never used that part of the code and
> it's untested and mostly just a prototype.
>
> -- Scott

-- 
Mike Stock                        http://www.id.unizh.ch/mels
Center for Computing Services
Multimedia- & E-Learning Services
University of Zurich
Phone: +41 1 63 56791             Winterthurerstrasse 190
FAX:   +41 1 63 54505             CH-8057 Zuerich
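The distinction the thread turns on (the Tomcat certificate authenticates the server; the SHAR needs its own key to be authenticated as a client) can be exercised end to end without Shibboleth. The following is an added, stand-alone example and is not OpenSAML or Shibboleth code. It reads the same ssl-keystore / ssl-truststore property names as the patched SAMLSOAPBinding, builds an SSLContext from them, starts a local TLS listener that insists on a client certificate (playing the Origin), and connects twice: once with only a truststore (server authentication only) and once with the keystore added. The file names, passwords and subject names are assumptions; create them before running with the JDK's keytool, e.g. `keytool -genkeypair -alias shar -keyalg RSA -keysize 2048 -dname CN=shar -keystore shar.jks -storepass changeit -keypass changeit`, the same for alias `origin` with `-dname CN=localhost` into origin.jks, then `keytool -exportcert` each certificate and `keytool -importcert -noprompt` the SHAR's into origin-trust.jks and the Origin's into shar-trust.jks. Requires Java 11 or later.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/* Added example (not OpenSAML/Shibboleth code). Keystore paths, passwords
   and subject names (CN=shar, CN=localhost) are assumptions; see lead-in. */
public class ClientAuthDemo {

    /* Build an SSLContext from the ssl-keystore / ssl-truststore properties.
       No ssl-keystore means no KeyManager, so no client certificate is ever
       offered; no ssl-truststore means the JVM default trust store is used. */
    static SSLContext buildContext(Properties config) throws Exception {
        KeyManager[] kms = null;
        String ksPath = config.getProperty("ssl-keystore");
        if (ksPath != null) {
            KeyStore ks = load(ksPath, config.getProperty("ssl-keystore-type"),
                               config.getProperty("ssl-keystore-pwd"));
            String keyPwd = config.getProperty("ssl-key-pwd");
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyPwd != null ? keyPwd.toCharArray() : null);
            kms = kmf.getKeyManagers();
        }
        TrustManager[] tms = null;
        String tsPath = config.getProperty("ssl-truststore");
        if (tsPath != null) {
            KeyStore ts = load(tsPath, config.getProperty("ssl-truststore-type"),
                               config.getProperty("ssl-truststore-pwd"));
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            tms = tmf.getTrustManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tms, null);
        return ctx;
    }

    static KeyStore load(String path, String type, String pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance(type != null ? type : KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {   // closed even if load() fails
            ks.load(in, pwd != null ? pwd.toCharArray() : null);
        }
        return ks;
    }

    /* Connect as the SHAR: send one byte, read back the identity the Origin saw.
       Under TLS 1.3 a missing client certificate is not reported by
       startHandshake() but by the first read, as a certificate_required alert. */
    static String query(SSLContext ctx, int port) {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", port)) {
            s.startHandshake();
            s.getOutputStream().write('?');
            s.getOutputStream().flush();
            byte[] reply = s.getInputStream().readAllBytes();
            return "accepted as " + new String(reply, StandardCharsets.UTF_8);
        } catch (IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Properties origin = new Properties();
        origin.setProperty("ssl-keystore", "origin.jks");           // server key (like Tomcat's)
        origin.setProperty("ssl-keystore-pwd", "changeit");
        origin.setProperty("ssl-truststore", "origin-trust.jks");   // which SHAR certs are accepted
        origin.setProperty("ssl-truststore-pwd", "changeit");
        SSLServerSocket listener = (SSLServerSocket)
            buildContext(origin).getServerSocketFactory().createServerSocket(0);
        listener.setNeedClientAuth(true);   // Origin side: a SHAR without a certificate is refused

        Thread server = new Thread(() -> {
            while (!listener.isClosed()) {
                try (SSLSocket c = (SSLSocket) listener.accept()) {
                    c.startHandshake();
                    c.getInputStream().read();
                    // only reached when the client chain verified against origin-trust.jks
                    String subject = c.getSession().getPeerPrincipal().getName();
                    c.getOutputStream().write(subject.getBytes(StandardCharsets.UTF_8));
                    c.getOutputStream().flush();
                } catch (IOException e) {
                    // handshake refused (no or untrusted client certificate) or listener closed
                }
            }
        });
        server.setDaemon(true);
        server.start();

        Properties shar = new Properties();
        shar.setProperty("ssl-truststore", "shar-trust.jks");   // verifies the Origin only
        shar.setProperty("ssl-truststore-pwd", "changeit");
        System.out.println("server auth only : " + query(buildContext(shar), listener.getLocalPort()));

        shar.setProperty("ssl-keystore", "shar.jks");           // now the SHAR can authenticate itself
        shar.setProperty("ssl-keystore-pwd", "changeit");
        shar.setProperty("ssl-key-pwd", "changeit");
        System.out.println("with client cert : " + query(buildContext(shar), listener.getLocalPort()));
        listener.close();
    }
}
```

The first connection is rejected because the client side has no KeyManager and therefore answers the server's CertificateRequest with an empty chain; the second is accepted and the server reports the subject from the SHAR's certificate, which is the identity an Origin would use to decide which attributes that SHAR may see. Two caveats: the demo uses raw SSLSockets, which do not perform the hostname check that HttpsURLConnection applies, so the Origin certificate is issued for CN=localhost anyway to keep the setup realistic; and because the JDK's keytool writes PKCS12 files by default since Java 9, the example falls back to KeyStore.getDefaultType() instead of the hard-coded "JKS" of the patched binding.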
- Re: Getting "Request is from an unauthenticated SHAR", Mike Stock, 09/01/2004