Security Token Service Configuration - 7.1

Talend ESB STS User Guide

Author: Talend Documentation Team
Version: 7.1
Products: Talend Data Fabric, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Open Studio for ESB, Talend Real-Time Big Data Platform
Task: Design and Development, Installation and Upgrade
Platform: Talend ESB, Talend Runtime

The Security Token Service exposes the ports listed in the following snippet, taken from the wsdl:service element of SecurityTokenService.war/WEB-INF/wsdl/ws-trust-1.4-service.wsdl:

<wsdl:service name="SecurityTokenService">
   <wsdl:port name="UT_Port" binding="tns:UT_Binding">
      <soap:address location=
         "http://localhost:8080/SecurityTokenService/UT"/>
   </wsdl:port>
   <wsdl:port name="X509_Port" binding="tns:X509_Binding">
      <soap:address location=
         "http://localhost:8080/SecurityTokenService/X509"/>
   </wsdl:port>
   <wsdl:port name="Transport_Port" binding="tns:Transport_Binding">
      <soap:address location="/Transport"/>
   </wsdl:port>
   <wsdl:port name="UTEncrypted_Port" binding="tns:UTEncrypted_Binding">
      <soap:address location="/UTEncrypted"/>
   </wsdl:port>
</wsdl:service>

As the snippet above shows, the Security Token Service can issue (or validate) a UserName Token, an X509 Token, and so on, each through its own port.
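As an added example (not part of the Talend documentation or of the SecurityTokenService.war), the following Python script parses the wsdl:service element above and lists each port with its binding and address, noting whether the address is an absolute URL pinned in the WSDL or a container-relative path. SAMPLE_WSDL is a constructed copy of the snippet wrapped in a minimal wsdl:definitions root so that it parses on its own; the namespace URIs are the standard WSDL 1.1 and SOAP-binding ones.

```python
"""Inventory the ports declared in a WS-Trust WSDL <wsdl:service> element.

Added example for this page, not code from the Talend documentation or from
SecurityTokenService.war. SAMPLE_WSDL is a constructed copy of the service
block shown above, wrapped in a minimal <wsdl:definitions> root.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"       # standard WSDL 1.1 namespace
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"  # standard SOAP binding namespace

SAMPLE_WSDL = f"""<wsdl:definitions xmlns:wsdl="{WSDL_NS}" xmlns:soap="{SOAP_NS}">
<wsdl:service name="SecurityTokenService">
   <wsdl:port name="UT_Port" binding="tns:UT_Binding">
      <soap:address location="http://localhost:8080/SecurityTokenService/UT"/>
   </wsdl:port>
   <wsdl:port name="X509_Port" binding="tns:X509_Binding">
      <soap:address location="http://localhost:8080/SecurityTokenService/X509"/>
   </wsdl:port>
   <wsdl:port name="Transport_Port" binding="tns:Transport_Binding">
      <soap:address location="/Transport"/>
   </wsdl:port>
   <wsdl:port name="UTEncrypted_Port" binding="tns:UTEncrypted_Binding">
      <soap:address location="/UTEncrypted"/>
   </wsdl:port>
</wsdl:service>
</wsdl:definitions>
"""


def list_sts_ports(wsdl_text):
    """Return one record per <wsdl:port>: service, port name, binding, address,
    and whether the address is absolute and whether it is a plain http:// URL."""
    root = ET.fromstring(wsdl_text)
    records = []
    for service in root.iter(f"{{{WSDL_NS}}}service"):
        for port in service.findall(f"{{{WSDL_NS}}}port"):
            addr = port.find(f"{{{SOAP_NS}}}address")
            location = addr.get("location", "") if addr is not None else ""
            scheme = urlparse(location).scheme
            records.append({
                "service": service.get("name"),
                "port": port.get("name"),
                "binding": port.get("binding"),
                "location": location,
                # An absolute location fixes host and scheme inside the WSDL; a
                # relative one is resolved against the address the container
                # actually publishes, so it follows the deployment.
                "absolute": bool(scheme),
                "plaintext_http": scheme == "http",
            })
    return records


def ports_with_absolute_http(wsdl_text):
    """Names of the ports whose WSDL address hard-codes a plain http:// URL."""
    return [r["port"] for r in list_sts_ports(wsdl_text) if r["plaintext_http"]]


if __name__ == "__main__":
    for r in list_sts_ports(SAMPLE_WSDL):
        print(f"{r['port']:<18} {r['binding']:<26} {r['location']}")
```

Run it against the real file by reading ws-trust-1.4-service.wsdl from the deployed WAR and passing its text to list_sts_ports; the ports_with_absolute_http helper is a quick way to spot addresses that still point at the localhost default.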

In the Talend Runtime Container, the Security Token Service is configured in the file <TalendRuntimePath>/etc/org.talend.esb.sts.server.cfg:

stsServiceUrl=/SecurityTokenService/UT
stsX509ServiceUrl=/SecurityTokenService/X509
loginModule=TIDM
jaasContext=karaf
signatureProperties=file:${tesb.home}/etc/keystores/stsKeystore.properties
signatureUsername=mystskey
bspCompliant=false
tidmServiceUrl=http://localhost:8080/syncope/cxf/
tidmUsername=admin
tidmPassword=password
useMessageLogging=false
samlTokenLifetime=1800

By default, the Security Token Service uses the JAAS interface to verify user credentials and perform authentication. As shown above, it uses the karaf JAAS context, which is the default context configured for the Talend Runtime Container and is backed by Karaf's PropertiesLoginModule. This login module reads the file located in /etc/users.properties, which contains the list of users and their passwords, so every user that must authenticate through the Security Token Service has to be listed there. A different login module can be configured for the Security Token Service by updating the jaasContext parameter in the configuration above. The Talend Runtime Container ships with several login modules that can be used to integrate with your environment; they are listed below:

  • PropertiesLoginModule
  • OsgiConfigLoginModule
  • JDBCLoginModule
  • LDAPLoginModule

The signatureProperties file, located in /etc/keystores/stsKeystore.properties, defines the signature configuration as shown below:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=stsspass
org.apache.ws.security.crypto.merlin.keystore.alias=mystskey
org.apache.ws.security.crypto.merlin.keystore.file=./etc/keystores/stsstore.jks

The keystore file name can be changed by altering its value in the stsKeystore.properties file. With the default configuration shown above, the Talend Runtime Container expects the STS's private key to have the alias mystskey; this can be changed by altering the alias and signatureUsername values in the two configuration files listed above, which must remain identical to each other.

The samlTokenLifetime property in the <TalendRuntimePath>/etc/org.talend.esb.sts.server.cfg file sets the lifetime of the issued SAML token, in seconds. The default is 1800 seconds; you can change it as needed.
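The rules spread across the sections above (signatureUsername must equal the keystore alias, signatureProperties must resolve to a file: URL under ${tesb.home}, samlTokenLifetime is a number of seconds, and the credentials shown in the default files should not be left as they are) can be checked mechanically before a container is started. The following Python checker is an added example, not part of the Talend documentation or of the Talend Runtime: the two embedded files are constructed copies of the defaults shown above, and the tesb_home path it resolves against is a hypothetical value.

```python
"""Cross-check org.talend.esb.sts.server.cfg against stsKeystore.properties.

Added example for this page, not code from the Talend documentation or the
Talend Runtime. STS_SERVER_CFG and STS_KEYSTORE_PROPS are constructed copies
of the default files shown above; tesb_home is a hypothetical install path.
"""
import re

STS_SERVER_CFG = """\
stsServiceUrl=/SecurityTokenService/UT
stsX509ServiceUrl=/SecurityTokenService/X509
loginModule=TIDM
jaasContext=karaf
signatureProperties=file:${tesb.home}/etc/keystores/stsKeystore.properties
signatureUsername=mystskey
bspCompliant=false
tidmServiceUrl=http://localhost:8080/syncope/cxf/
tidmUsername=admin
tidmPassword=password
useMessageLogging=false
samlTokenLifetime=1800
"""

STS_KEYSTORE_PROPS = """\
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=stsspass
org.apache.ws.security.crypto.merlin.keystore.alias=mystskey
org.apache.ws.security.crypto.merlin.keystore.file=./etc/keystores/stsstore.jks
"""

KEYSTORE_ALIAS = "org.apache.ws.security.crypto.merlin.keystore.alias"

# Values the documentation shows as defaults; a deployment should not keep them.
DOCUMENTED_DEFAULTS = {
    "tidmPassword": "password",
    "org.apache.ws.security.crypto.merlin.keystore.password": "stsspass",
}


def parse_properties(text):
    """Small Java .properties reader: '#'/'!' comments, key=value or key:value,
    trailing-backslash line continuation. Enough for the two files above."""
    props, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical, pending = "".join(pending), []
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def resolve_placeholders(value, env):
    """Expand ${name} placeholders such as ${tesb.home}; unknown names stay as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: env.get(m.group(1), m.group(0)), value)


def check_sts_config(server_cfg_text, keystore_props_text, tesb_home="/opt/talend-runtime"):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    cfg = parse_properties(server_cfg_text)
    ks = parse_properties(keystore_props_text)
    findings = []

    # The STS signs issued tokens with the key named by signatureUsername, and
    # Merlin looks that key up by keystore.alias: the two values must be identical.
    alias = ks.get(KEYSTORE_ALIAS)
    if cfg.get("signatureUsername") != alias:
        findings.append(f"signatureUsername={cfg.get('signatureUsername')!r} "
                        f"does not match keystore alias {alias!r}")

    # signatureProperties is a file: URL with a ${tesb.home} placeholder; it has to
    # resolve fully before the STS can load the keystore settings from it.
    sig = resolve_placeholders(cfg.get("signatureProperties", ""), {"tesb.home": tesb_home})
    if not sig.startswith("file:") or "${" in sig:
        findings.append(f"signatureProperties does not resolve to a file: URL: {sig!r}")

    # samlTokenLifetime is a number of seconds and must be a positive integer.
    lifetime = cfg.get("samlTokenLifetime", "")
    if not lifetime.isdigit() or int(lifetime) <= 0:
        findings.append(f"samlTokenLifetime must be a positive number of seconds, got {lifetime!r}")

    # Credentials still at the values the documentation shows as defaults.
    merged = {**ks, **cfg}
    for key, default in DOCUMENTED_DEFAULTS.items():
        if merged.get(key) == default:
            findings.append(f"{key} is still set to its documented default value")

    return findings


if __name__ == "__main__":
    for finding in check_sts_config(STS_SERVER_CFG, STS_KEYSTORE_PROPS):
        print("FINDING:", finding)
```

To run it against a real container, read org.talend.esb.sts.server.cfg and stsKeystore.properties from <TalendRuntimePath>/etc and pass their contents to check_sts_config with tesb_home set to the actual installation path; on the unmodified defaults above it reports only the two credentials that are still at their documented values.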