Deploying and Using a Security Token Service (STS) - 7.1

Talend ESB STS User Guide

Author: Talend Documentation Team
Version: 7.1
Products: Talend Data Fabric, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Open Studio for ESB, Talend Real-Time Big Data Platform
Tasks: Design and Development; Installation and Upgrade
Platforms: Talend ESB, Talend Runtime

You have created the service and client keystores as in the previous section. Now create the STS keystore as follows:

Note: Replace <PW-Ts> and <PW-Tk> in the example below with your own passwords.

openssl req -x509 -days 3650 -newkey rsa:1024 -keyout stskey.pem -out \
   stscert.pem -passout pass:<PW-Ts>
openssl pkcs12 -export -inkey stskey.pem -in stscert.pem -out sts.p12 \
   -name mystskey -passin pass:<PW-Ts> -passout pass:<PW-Tk>
keytool -importkeystore -destkeystore stsstore.jks -deststorepass <PW-Ts> \
   -srckeystore sts.p12 -srcstorepass <PW-Tk> -srcstoretype pkcs12
keytool -list -keystore stsstore.jks -storepass <PW-Ts>
keytool -exportcert -alias mystskey -storepass <PW-Ts> -keystore \
   stsstore.jks -file sts.cer
keytool -printcert -file sts.cer
rm *.pem *.p12

To avoid hard-coded absolute paths to the keystore and truststore locations in the WSDLs, the source code download uses Maven resource filtering so that a path relative to the project base directory can be used instead.

Next, the STS certificate must be imported into the service keystore so that the service trusts the STS, and the service certificate into the STS keystore so that the STS trusts the service. The client also needs both the STS's and the WSP's certificates in its truststore, because it uses the symmetric binding to encrypt the SOAP requests it sends to each of them:

keytool -keystore servicestore.jks -storepass <PW-Sk> -import -noprompt \
   -trustcacerts -alias mystskey -file sts.cer
keytool -keystore stsstore.jks -storepass <PW-Ts> -import -noprompt \
   -trustcacerts -alias myservicekey -file service.cer
keytool -keystore clientstore.jks -storepass <PW-Cs> -import -noprompt \
   -trustcacerts -alias mystskey -file sts.cer
keytool -keystore clientstore.jks -storepass <PW-Cs> -import -noprompt \
   -trustcacerts -alias myservicekey -file service.cer

If you plan to use X.509 authentication of the WSC to the STS (instead of UsernameToken), the client's certificate must also be present in the STS truststore. This is done with the following commands:

keytool -exportcert -alias myclientkey -storepass <PW-Cs> -keystore \
   clientstore.jks -file client.cer
keytool -keystore stsstore.jks -storepass <PW-Ts> -import -noprompt \
   -trustcacerts -alias myclientkey -file client.cer

Because the service does not trust the client directly (which is the reason for using the STS in the first place), the client's certificate is not added to the service's truststore, as would normally be done for message-layer encryption.
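A mistake in the cross-imports above typically only surfaces later as a signature or decryption failure at runtime, so it is worth checking each keystore's contents before starting the sample. The following is an added example, not part of the Talend guide: a small POSIX shell function that parses `keytool -list` output and confirms that the expected aliases are present with the expected entry types. The alias names (mystskey, myservicekey, myclientkey) are those used above; the embedded listing is a constructed sample, and aliases are assumed to contain no regex metacharacters.

```shell
#!/bin/sh
# check_entries: read `keytool -list` output on stdin and verify that every
# "alias:type" argument is present. keytool prints one line per entry:
#   <alias>, <date>, <PrivateKeyEntry|trustedCertEntry>,
# Returns 0 when all expected entries are found, 1 otherwise (each missing
# entry is reported on stderr).
check_entries() {
    listing=$(cat)
    missing=0
    for want in "$@"; do
        name=${want%%:*}
        kind=${want#*:}
        if ! printf '%s\n' "$listing" | grep -q "^${name}, .*, ${kind},"; then
            echo "missing ${kind} for alias '${name}'" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Expected contents after the cross-imports in this section (myclientkey in
# the STS store only when the client authenticates to the STS with X.509):
#   stsstore.jks     mystskey:PrivateKeyEntry myservicekey:trustedCertEntry [myclientkey:trustedCertEntry]
#   servicestore.jks myservicekey:PrivateKeyEntry mystskey:trustedCertEntry
#   clientstore.jks  myclientkey:PrivateKeyEntry mystskey:trustedCertEntry myservicekey:trustedCertEntry
# Real usage, e.g.:
#   keytool -list -keystore stsstore.jks -storepass "$PW_TS" \
#       | check_entries mystskey:PrivateKeyEntry myservicekey:trustedCertEntry

# Constructed sample of `keytool -list` output for stsstore.jks, so the check
# can be exercised here without a JDK installed.
SAMPLE_STS_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

mystskey, Oct 3, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
myservicekey, Oct 3, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 44:55:66:77'

# Passes for the sample; the same call fails if the service.cer import into
# stsstore.jks was skipped or imported under a different alias.
printf '%s\n' "$SAMPLE_STS_LISTING" \
    | check_entries mystskey:PrivateKeyEntry myservicekey:trustedCertEntry \
    && echo "stsstore.jks: expected entries present"
```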