Security Token Service Configuration - 8.0

Talend ESB Infrastructure Services Configuration Guide

Version: 8.0
Language: English
Product: Talend Data Fabric, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Real-Time Big Data Platform
Module: Talend ESB, Talend Runtime
Content: Design and Development, Installation and Upgrade
Last publication date: 2024-03-13

The Security Token Service exposes the following endpoints (WSDL ports), shown in the snippet below, which is defined in SecurityTokenService.war/WEB-INF/wsdl/ws-trust-1.4-service.wsdl:

<wsdl:service name="SecurityTokenService">
   <wsdl:port name="UT_Port" binding="tns:UT_Binding">
      <soap:address location=
         "http://localhost:8080/SecurityTokenService/UT"/>
   </wsdl:port>
   <wsdl:port name="X509_Port" binding="tns:X509_Binding">
      <soap:address location=
         "http://localhost:8080/SecurityTokenService/X509"/>
   </wsdl:port>
   <wsdl:port name="Transport_Port" binding="tns:Transport_Binding">
      <soap:address location="/Transport"/>
   </wsdl:port>
   <wsdl:port name="UTEncrypted_Port" binding="tns:UTEncrypted_Binding">
      <soap:address location="/UTEncrypted"/>
   </wsdl:port>
</wsdl:service>

As the snippet above shows, the Security Token Service can issue (or validate) tokens over several bindings: UsernameToken (UT), X.509 (X509), transport-level security (Transport) and encrypted UsernameToken (UTEncrypted).

In the Talend Runtime Container, the Security Token Service is configured in the file <TalendRuntimePath>/etc/org.talend.esb.sts.server.cfg:

stsServiceUrl=/SecurityTokenService/UT
stsX509ServiceUrl=/SecurityTokenService/X509
loginModule=TIDM
jaasContext=karaf
signatureProperties=file:${tesb.home}/etc/keystores/stsKeystore.properties
signatureUsername=mystskey
bspCompliant=false
tidmServiceUrl=http://localhost:8080/syncope/cxf/
tidmUsername=${env:TESB_TIDM_USERNAME:-${TESB_TIDM_USERNAME:-admin}}
tidmPassword=${env:TESB_TIDM_PASSWORD:-${TESB_TIDM_PASSWORD}}
useMessageLogging=false
samlTokenLifetime=1800

By default, the Security Token Service uses the JAAS interface to verify user credentials and perform authentication. As shown above, it uses the karaf JAAS context, which is the default context configured for the Talend Runtime Container, and that context uses Karaf's PropertiesLoginModule. This login module reads the file /etc/users.properties, which contains the list of users and their passwords, so any user that must authenticate through the Security Token Service has to be listed there. A different login module can be configured for the Security Token Service by changing the jaasContext parameter in the configuration above. The Talend Runtime Container ships with several login modules that can be used to integrate with your environment:

  • PropertiesLoginModule
  • OsgiConfigLoginModule
  • JDBCLoginModule
  • LDAPLoginModule

The signatureProperties file, located at <TalendRuntimePath>/etc/keystores/stsKeystore.properties, defines the signature configuration as shown below:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=stsspass
org.apache.ws.security.crypto.merlin.keystore.alias=mystskey
org.apache.ws.security.crypto.merlin.keystore.file=./etc/keystores/stsstore.jks

The keystore file name can be changed by editing its value in the stsKeystore.properties file. With the default configuration shown above, the Talend Runtime Container expects the STS private key to have the alias mystskey; this can be changed by updating both the keystore.alias value in stsKeystore.properties and the signatureUsername value in org.talend.esb.sts.server.cfg so that the two stay in agreement.

The samlTokenLifetime property in the <TalendRuntimePath>/etc/org.talend.esb.sts.server.cfg file allows you to set the lifetime of the SAML token. The default is 1800 seconds. You can change it as needed.
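The two files above must agree with each other (the signing alias in particular), and a few of the settings have security consequences. The following Python script is an added example, not part of the Talend documentation or product: it parses both files and reports mismatches and risky values. The lifetime bounds and the "password must come from the environment" rule are assumptions chosen for this example, not Talend requirements; the sample input is a constructed copy of the defaults shown on this page.

```python
import re

def parse_properties(text):
    """Minimal parser for the key=value .cfg/.properties files shown above
    (comments start with '#' or '!'; line continuations are not handled)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_sts_config(sts_cfg, keystore_props, min_lifetime=300, max_lifetime=3600):
    """Return a list of findings; an empty list means the two files are
    consistent and carry no setting a reviewer would flag. The lifetime
    bounds are an assumption for this example, not a Talend requirement."""
    findings = []
    alias = keystore_props.get("org.apache.ws.security.crypto.merlin.keystore.alias")
    if sts_cfg.get("signatureUsername") != alias:      # STS signs with the wrong key otherwise
        findings.append("signatureUsername does not match keystore alias: "
                        f"{sts_cfg.get('signatureUsername')!r} vs {alias!r}")
    lifetime = sts_cfg.get("samlTokenLifetime", "")
    if not lifetime.isdigit() or not min_lifetime <= int(lifetime) <= max_lifetime:
        findings.append(f"samlTokenLifetime {lifetime!r} outside {min_lifetime}-{max_lifetime}s")
    if sts_cfg.get("useMessageLogging", "false").lower() == "true":
        findings.append("useMessageLogging=true logs full SOAP messages, including token requests")
    password = sts_cfg.get("tidmPassword", "")
    if sts_cfg.get("loginModule") == "TIDM" and not password.startswith("${"):
        findings.append("tidmPassword is a literal in the .cfg rather than an ${env:...} reference")
    return findings

# Constructed sample input: the default values from this page.
STS_CFG = """
signatureProperties=file:${tesb.home}/etc/keystores/stsKeystore.properties
signatureUsername=mystskey
loginModule=TIDM
tidmPassword=${env:TESB_TIDM_PASSWORD:-${TESB_TIDM_PASSWORD}}
useMessageLogging=false
samlTokenLifetime=1800
"""
KEYSTORE_PROPS = """
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias=mystskey
org.apache.ws.security.crypto.merlin.keystore.file=./etc/keystores/stsstore.jks
"""

if __name__ == "__main__":
    for finding in check_sts_config(parse_properties(STS_CFG), parse_properties(KEYSTORE_PROPS)):
        print("FINDING:", finding)
```

Run it against the real <TalendRuntimePath>/etc files by reading them into the two strings; the defaults on this page produce no findings.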