Securing the Client-STS communication with WS-Security

The configured STS endpoint can be secured with WS-Security settings which can be enforced for the request coming to the STS and the response sent from the STS back to the client.

Request security

To enable WS-Security for the client request coming to the STS, click on the Request Security tab and select the Enable Request Security checkbox as shown below:

Figure 8.5. STS Request WS-Security configuration

The following WS-Security request settings can be configured:

Require Timestamp

Enabling this checkbox will require that a Timestamp be present in the WS-Security header of the RST request from the client.

Require Username Token

Enabling this checkbox will require that the client send a WSS UsernameToken in the request. To authenticate the credentials, the list of allowed usernames and passwords must be specified under the Allowed username token principals table.

Require Signed request

To require that the client sign the RST request SOAP Body, select the Require Signed request checkbox, click on the Truststore button to open the Truststore selection dialog, and choose a public key alias from the list of available keystores.

Require encrypted SOAP Body

To require that the client encrypt the RST request SOAP Body, select the Require encrypted SOAP Body checkbox, then click on the Keystore button and select the private key alias that should be used to decrypt the encrypted data.

Response security

To enable WS-Security for the RSTR sent by the STS to the client, switch to the Response tab and select the Enable Response Security checkbox. The available configuration options are as shown below:

Figure 8.6. STS Response WS-Security configuration

Timestamp

Select the Add Timestamp checkbox to add a Timestamp element to the WSS header in the RSTR. The timestamp duration defaults to 5 minutes (300 seconds).
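The following is an added example, not the product's own code, showing what the Require Timestamp and Require Username Token settings above amount to when enforced on an incoming RST, and how the STS builds the wsu:Timestamp it adds to the RSTR with the default 300-second lifetime. The RST envelope, the policy dictionary, the allowed-principals table and the clock-skew allowance are all constructed assumptions for this example; signature and encryption checks require XML-DSig/XML-Enc processing and are deliberately left out.

```python
import datetime as dt
import hmac
import xml.etree.ElementTree as ET

# Standard WS-Security / SOAP 1.1 namespaces.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Fixed "now" so the example is reproducible (assumption for this example).
EXAMPLE_NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
POLICY = {"require_timestamp": True, "require_username_token": True}
ALLOWED = {"alice": "s3cret"}  # stands in for the 'Allowed username token principals' table


def _tag(ns, local):
    return "{%s}%s" % (ns, local)


def _to_iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _from_iso(s):
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(s, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            pass
    raise ValueError("unparseable wsu timestamp: %r" % s)


def build_response_timestamp(now, ttl_seconds=300):
    """wsu:Timestamp the STS adds to the RSTR (Add Timestamp); default lifetime 300 s."""
    ts = ET.Element(_tag(WSU, "Timestamp"))
    ET.SubElement(ts, _tag(WSU, "Created")).text = _to_iso(now)
    ET.SubElement(ts, _tag(WSU, "Expires")).text = _to_iso(now + dt.timedelta(seconds=ttl_seconds))
    return ts


def check_request_security(envelope_xml, policy, allowed_principals, now, skew_seconds=60):
    """Return the list of Request Security violations; [] means the RST passes."""
    problems = []
    root = ET.fromstring(envelope_xml)
    header = root.find(_tag(SOAP, "Header"))
    sec = header.find(_tag(WSSE, "Security")) if header is not None else None
    if sec is None:
        if policy.get("require_timestamp") or policy.get("require_username_token"):
            problems.append("missing wsse:Security header")
        return problems

    if policy.get("require_timestamp"):
        ts = sec.find(_tag(WSU, "Timestamp"))
        if ts is None:
            problems.append("missing wsu:Timestamp")
        else:
            created, expires = ts.findtext(_tag(WSU, "Created")), ts.findtext(_tag(WSU, "Expires"))
            if created is None or expires is None:
                problems.append("wsu:Timestamp lacks Created/Expires")
            else:
                skew = dt.timedelta(seconds=skew_seconds)  # tolerate small clock drift
                if _from_iso(created) > now + skew:
                    problems.append("wsu:Created is in the future")
                if _from_iso(expires) < now - skew:
                    problems.append("wsu:Timestamp has expired")

    if policy.get("require_username_token"):
        ut = sec.find(_tag(WSSE, "UsernameToken"))
        if ut is None:
            problems.append("missing wsse:UsernameToken")
        else:
            user = ut.findtext(_tag(WSSE, "Username")) or ""
            pw = ut.find(_tag(WSSE, "Password"))
            if pw is None or pw.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
                problems.append("UsernameToken password missing or not PasswordText")
            else:
                expected = allowed_principals.get(user)
                # Constant-time comparison of the supplied password with the allowed table.
                if expected is None or not hmac.compare_digest(pw.text or "", expected):
                    problems.append("UsernameToken rejected for %r" % user)
    return problems


def sample_rst(now, created_offset, expires_offset, username="alice", password="s3cret"):
    """Constructed RST envelope (not a captured message) carrying the WSS header under test."""
    created = _to_iso(now + dt.timedelta(seconds=created_offset))
    expires = _to_iso(now + dt.timedelta(seconds=expires_offset))
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UT-1"><wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password></wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  </wst:RequestSecurityToken></soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    print(check_request_security(sample_rst(EXAMPLE_NOW, 0, 300), POLICY, ALLOWED, EXAMPLE_NOW))
    print(check_request_security(sample_rst(EXAMPLE_NOW, -3600, -3300), POLICY, ALLOWED, EXAMPLE_NOW))
    print(ET.tostring(build_response_timestamp(EXAMPLE_NOW)).decode())
```

The skew allowance is the piece a deployment has to decide on: a Timestamp check with no tolerance rejects valid clients whose clocks drift by a few seconds, while a large tolerance stretches the replay window the Timestamp is meant to close, so the value should be small and the clocks on both sides synchronized.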

Response Signature

To sign the RSTR SOAP Body element, select the Sign response checkbox, and pick the signing alias by clicking on the Select alias button. This brings up the Signing Alias selection dialog that displays all the available keystores. Make sure that you specify the alias password or select the Use Keystore Password checkbox to use the keystore password instead.

Response Encryption

To encrypt the SOAP Body of the RSTR, select the Encrypt response SOAP body checkbox and select the public key that corresponds to the client. The Encryption alias dialog is as shown below:

Figure 8.7. STS Encrypt Response alias selection

Note that if you select a public key alias that corresponds to a client, then only that specific client can decrypt the RSTR. As an alternative, you can enable the Use request signature certificate option if the client sends its public key in a certificate in the request after signing the RST SOAP Body. However, this option will only work if the client signs the request and its public key is available either in the request or accessible through the configured truststore (as described in the section Response Signature above).