Access Management 7.3.2

Enable signing and encryption in a Fedlet

By default, when you create the Java Fedlet, signing and encryption are not configured. You can, however, set up AM and the Fedlet to sign and to verify XML signatures, and to encrypt and to decrypt data such as SAML assertions.

Enabling signing and encryption for the Java Fedlet involves the following high-level stages:

  • Before you create the Fedlet, configure the IDP to sign and encrypt data. See Realms > Realm Name > Applications > Federation > Entity Providers > IDP Name > Signing and Encryption in the AM admin UI.

    For evaluation, you can use the test certificate delivered with AM.

  • Initially deploy and configure the Fedlet, but do not use the Fedlet until you finish.

  • On the Fedlet side, set up a JCEKS keystore used for signing and encryption. For evaluation, you can copy the keystore.jceks file delivered with AM. You can find the file in the $HOME/openam/security/keystores/ directory for a server instance with the base URI openam. The built-in keystore includes the test certificate.

    You must also set up the .storepass and .keypass files using the fedletEncode.jsp page, such as https://openam.example.com:8443/fedlet/fedletEncode.jsp, to encode passwords on the Fedlet side.

    The passwords for the test keystore and private key are recorded in the AM .storepass and .keypass files. These files are located in the /path/to/openam/security/secrets/defaults/ directory.

  • Configure the Fedlet to perform signing and encryption by ensuring the Fedlet has access to the keystore, and by updating the SP metadata for the Fedlet.

  • Import the updated SP metadata into the IDP to replace the default Fedlet configuration.

  • Restart the Fedlet or container in which the Fedlet runs for the changes you made on the Fedlet side to take effect.

Configure the Fedlet for signing and encryption

The FederationConfig.properties file specifies the paths to the keystore holding the signing or encryption keys for the Fedlet, the keystore password file, and the private key password file.

  1. After setting up your keystore and password files as described above, edit the properties file in the configuration directory, such as $HOME/fedlet/FederationConfig.properties, to point to the keystore and password files.

  2. Export the certificate to use for signing and encryption purposes.

    $ keytool -export -rfc -keystore keystore.jceks -alias test
    Enter keystore password:
    -----BEGIN CERTIFICATE-----
    MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVL
    MRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlG
    b3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAz
    MTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQI
    EwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sx
    DzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEB
    BQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXC
    AaCKqJFwjwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuV
    YWwPIQ/ts2iTiWOVn7wzlE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyi
    P+6roo/EYgX4AH7OAhfUMncYsopWhkW/ze9z8wTXc8BAEgDmt8zFCez1CtqJB/Ml
    SBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eLFootBIn0FvUZSnwTiSpb
    aHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8wHQYDVR0O
    BBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ2
    9/2idv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkm
    t+FZxpafqUC/mukjIzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjIt
    cGqydGZXR2FH93vXWoAotUwtZ119IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ
    0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlGo99yE5eJwoHXXU7csaZVttmx
    7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV31sBREs8FaaCe
    ksu7Y48BmkUqw6E9
    -----END CERTIFICATE-----

  3. Edit the standard metadata file for the Fedlet, such as $HOME/fedlet/sp.xml, to include the certificate in KeyDescriptor elements that are children of the SPSSODescriptor element.

    <EntityDescriptor
        xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
        entityID="http://www.example.com:8080/fedlet">
     <SPSSODescriptor
         AuthnRequestsSigned="true"
         WantAssertionsSigned="true"
         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
         <ds:X509Certificate>
          MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVL
          MRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlG
          b3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAz
          MTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQI
          EwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sx
          DzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEB
          BQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXC
          AaCKqJFwjwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuV
          YWwPIQ/ts2iTiWOVn7wzlE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyi
          P+6roo/EYgX4AH7OAhfUMncYsopWhkW/ze9z8wTXc8BAEgDmt8zFCez1CtqJB/Ml
          SBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eLFootBIn0FvUZSnwTiSpb
          aHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8wHQYDVR0O
          BBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ2
          9/2idv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkm
          t+FZxpafqUC/mukjIzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjIt
          cGqydGZXR2FH93vXWoAotUwtZ119IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ
          0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlGo99yE5eJwoHXXU7csaZVttmx
          7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV31sBREs8FaaCe
          ksu7Y48BmkUqw6E9
         </ds:X509Certificate>
        </ds:X509Data>
       </ds:KeyInfo>
      </KeyDescriptor>
      <KeyDescriptor use="encryption">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
         <ds:X509Certificate>
          MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVL
          MRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlG
          b3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAz
          MTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQI
          EwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sx
          DzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEB
          BQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXC
          AaCKqJFwjwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuV
          YWwPIQ/ts2iTiWOVn7wzlE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyi
          P+6roo/EYgX4AH7OAhfUMncYsopWhkW/ze9z8wTXc8BAEgDmt8zFCez1CtqJB/Ml
          SBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eLFootBIn0FvUZSnwTiSpb
          aHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8wHQYDVR0O
          BBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ2
          9/2idv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkm
          t+FZxpafqUC/mukjIzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjIt
          cGqydGZXR2FH93vXWoAotUwtZ119IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ
          0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlGo99yE5eJwoHXXU7csaZVttmx
          7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV31sBREs8FaaCe
          ksu7Y48BmkUqw6E9
         </ds:X509Certificate>
        </ds:X509Data>
       </ds:KeyInfo>
       <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
        <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
         128
        </xenc:KeySize>
       </EncryptionMethod>
      </KeyDescriptor>
      <SingleLogoutService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="http://www.example.com:8080/fedlet/fedletSloRedirect"
          ResponseLocation="http://www.example.com:8080/fedlet/fedletSloRedirect" />
      <SingleLogoutService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://www.example.com:8080/fedlet/fedletSloPOST"
          ResponseLocation="http://www.example.com:8080/fedlet/fedletSloPOST" />
      <SingleLogoutService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="http://www.example.com:8080/fedlet/fedletSloSoap" />
      <NameIDFormat>
       urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      </NameIDFormat>
      <AssertionConsumerService
          index="0"
          isDefault="true"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://www.example.com:8080/fedlet/fedletapplication" />
      <AssertionConsumerService
          index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
          Location="http://www.example.com:8080/fedlet/fedletapplication" />
     </SPSSODescriptor>
     <RoleDescriptor
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
         xsi:type="query:AttributeQueryDescriptorType"
         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     </RoleDescriptor>
     <XACMLAuthzDecisionQueryDescriptor
         WantAssertionsSigned="false"
         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
    </EntityDescriptor>

  4. Edit the extended metadata file for the Fedlet, such as $HOME/fedlet/sp-extended.xml.

    Set the certificate alias names to the alias for the Fedlet certificate, and the want*Signed and want*Encrypted values to true.

    If you reformat the file, take care not to add white space around string values in elements.

    <?xml version="1.0"?>
    <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
     xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
     hosted="1"
     entityID="http://www.example.com:8080/fedlet">
      <SPSSOConfig metaAlias="/sp">
        <Attribute name="description">
          <Value/>
        </Attribute>
        <Attribute name="signingCertAlias">
          <Value>test</Value>
        </Attribute>
        <Attribute name="encryptionCertAlias">
          <Value>test</Value>
        </Attribute>
        <Attribute name="basicAuthOn">
          <Value>false</Value>
        </Attribute>
        <Attribute name="basicAuthUser">
          <Value/>
        </Attribute>
        <Attribute name="basicAuthPassword">
          <Value/>
        </Attribute>
        <Attribute name="autofedEnabled">
          <Value>false</Value>
        </Attribute>
        <Attribute name="autofedAttribute">
          <Value/>
        </Attribute>
        <Attribute name="transientUser">
          <Value>anonymous</Value>
        </Attribute>
        <Attribute name="spAdapter">
          <Value/>
        </Attribute>
        <Attribute name="spAdapterEnv">
          <Value/>
        </Attribute>
        <Attribute name="fedletAdapter">
          <Value>com.sun.identity.saml2.plugins.DefaultFedletAdapter</Value>
        </Attribute>
        <Attribute name="fedletAdapterEnv">
          <Value/>
        </Attribute>
        <Attribute name="spAccountMapper">
          <Value>com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper</Value>
        </Attribute>
        <Attribute name="useNameIDAsSPUserID">
          <Value>false</Value>
        </Attribute>
        <Attribute name="spAttributeMapper">
          <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
        </Attribute>
        <Attribute name="spAuthncontextMapper">
          <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
        </Attribute>
        <Attribute name="spAuthncontextClassrefMapping">
          <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
        </Attribute>
        <Attribute name="spAuthncontextComparisonType">
          <Value>exact</Value>
        </Attribute>
        <Attribute name="attributeMap">
          <Value>*=*</Value>
        </Attribute>
        <Attribute name="saml2AuthModuleName">
          <Value/>
        </Attribute>
        <Attribute name="localAuthURL">
          <Value/>
        </Attribute>
        <Attribute name="intermediateUrl">
          <Value/>
        </Attribute>
        <Attribute name="defaultRelayState">
          <Value/>
        </Attribute>
        <Attribute name="appLogoutUrl">
          <Value>http://www.example.com:8080/fedlet/logout</Value>
        </Attribute>
        <Attribute name="assertionTimeSkew">
          <Value>300</Value>
        </Attribute>
        <Attribute name="wantAttributeEncrypted">
          <Value>true</Value>
        </Attribute>
        <Attribute name="wantAssertionEncrypted">
          <Value>true</Value>
        </Attribute>
        <Attribute name="wantNameIDEncrypted">
          <Value>true</Value>
        </Attribute>
        <Attribute name="wantPOSTResponseSigned">
          <Value/>
        </Attribute>
        <Attribute name="wantArtifactResponseSigned">
          <Value/>
        </Attribute>
        <Attribute name="wantLogoutRequestSigned">
          <Value/>
        </Attribute>
        <Attribute name="wantLogoutResponseSigned">
          <Value/>
        </Attribute>
        <Attribute name="wantMNIRequestSigned">
          <Value/>
        </Attribute>
        <Attribute name="wantMNIResponseSigned">
          <Value/>
        </Attribute>
        <Attribute name="responseArtifactMessageEncoding">
          <Value>URI</Value>
        </Attribute>
        <Attribute name="cotlist">
          <Value>fedlet-cot</Value>
        </Attribute>
        <Attribute name="saeAppSecretList">
        </Attribute>
        <Attribute name="saeSPUrl">
          <Value/>
        </Attribute>
        <Attribute name="saeSPLogoutUrl">
        </Attribute>
        <Attribute name="ECPRequestIDPListFinderImpl">
          <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>
        </Attribute>
        <Attribute name="ECPRequestIDPList">
          <Value/>
        </Attribute>
        <Attribute name="ECPRequestIDPListGetComplete">
          <Value/>
        </Attribute>
        <Attribute name="enableIDPProxy">
          <Value>false</Value>
        </Attribute>
        <Attribute name="idpProxyList">
          <Value/>
        </Attribute>
        <Attribute name="idpProxyCount">
          <Value>0</Value>
        </Attribute>
        <Attribute name="useIntroductionForIDPProxy">
          <Value>false</Value>
        </Attribute>
        <Attribute name="spSessionSyncEnabled">
          <Value>false</Value>
        </Attribute>
        <Attribute name="relayStateUrlList">
        </Attribute>
      </SPSSOConfig>
      <AttributeQueryConfig metaAlias="/attrQuery">
        <Attribute name="signingCertAlias">
          <Value>test</Value>
        </Attribute>
        <Attribute name="encryptionCertAlias">
          <Value>test</Value>
        </Attribute>
        <Attribute name="wantNameIDEncrypted">
          <Value>true</Value>
        </Attribute>
        <Attribute name="cotlist">
          <Value>fedlet-cot</Value>
        </Attribute>
      </AttributeQueryConfig>
      <XACMLAuthzDecisionQueryConfig metaAlias="/pep">
        <Attribute name="signingCertAlias">
          <Value>test</Value>
        </Attribute>
        <Attribute name="encryptionCertAlias">
          <Value>test</Value>
        </Attribute>
        <Attribute name="basicAuthOn">
          <Value>false</Value>
        </Attribute>
        <Attribute name="basicAuthUser">
          <Value/>
        </Attribute>
        <Attribute name="basicAuthPassword">
          <Value/>
        </Attribute>
        <Attribute name="wantXACMLAuthzDecisionResponseSigned">
          <Value>false</Value>
        </Attribute>
        <Attribute name="wantAssertionEncrypted">
          <Value>true</Value>
        </Attribute>
        <Attribute name="cotlist">
          <Value>fedlet-cot</Value>
        </Attribute>
      </XACMLAuthzDecisionQueryConfig>
    </EntityConfig>

  5. Make a copy of the sp-extended.xml file, called sp-extended-copy.xml, and set hosted="0" in the root element of the copy.

    Use the copied file, sp-extended-copy.xml, when importing the Fedlet configuration into AM. AM must register the Fedlet as a remote service provider.

  6. In the AM admin UI, delete the original SP entity configuration for the Fedlet, and then import the updated metadata for the new configuration into AM on the IDP side.

  7. Restart the Fedlet or the container in which it runs in order for the Fedlet to pick up the changes to the configuration properties and the metadata.
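
A pre-import check for steps 4 and 5, added here as an example (it is not part of the AM documentation or product code). It reports want*Signed and want*Encrypted attributes that are not set to true, certificate aliases that differ from the expected alias, white space around values, and an unexpected hosted value, and it creates the hosted="0" copy with a text-level edit so that no values are reformatted. The function names and the cut-down sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"ec": "urn:sun:fm:SAML:2.0:entityconfig"}
WANT = re.compile(r"^want\w*(Signed|Encrypted)$")

# Constructed sample: a cut-down sp-extended.xml with deliberate problems.
SAMPLE = """<?xml version="1.0"?>
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
 hosted="1" entityID="http://www.example.com:8080/fedlet">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="signingCertAlias"><Value> test </Value></Attribute>
    <Attribute name="encryptionCertAlias"><Value>test</Value></Attribute>
    <Attribute name="wantAssertionEncrypted"><Value>true</Value></Attribute>
    <Attribute name="wantPOSTResponseSigned"><Value/></Attribute>
  </SPSSOConfig>
</EntityConfig>
"""

def audit_extended(xml_text, alias, expect_hosted):
    """Return a list of findings for a Fedlet extended metadata document."""
    root = ET.fromstring(xml_text)
    findings = []
    hosted = root.get("hosted")
    if hosted != expect_hosted:
        findings.append(f'hosted="{hosted}", expected "{expect_hosted}"')
    for cfg in root:  # SPSSOConfig, AttributeQueryConfig, ...
        role = cfg.tag.split("}")[-1]
        for attr in cfg.findall("ec:Attribute", NS):
            name = attr.get("name", "")
            values = [v.text or "" for v in attr.findall("ec:Value", NS)]
            for v in values:
                if v != v.strip():
                    findings.append(f"{role}/{name}: white space around value {v!r}")
            clean = [v.strip() for v in values]
            if name in ("signingCertAlias", "encryptionCertAlias") and clean != [alias]:
                findings.append(f"{role}/{name}: {clean} is not alias {alias!r}")
            if WANT.match(name) and clean != ["true"]:
                findings.append(f"{role}/{name}: not set to true")
    return findings

def make_remote_copy(xml_text):
    """Set hosted="0" on the root element only, leaving all other text as is."""
    pattern = r'(<EntityConfig\b[^>]*?\bhosted=")1(")'
    copy, n = re.subn(pattern, r"\g<1>0\g<2>", xml_text, count=1)
    if n != 1:
        raise ValueError('root element has no hosted="1" attribute')
    return copy
```

Run audit_extended on sp-extended.xml with expect_hosted "1" and on the output of make_remote_copy with "0" before importing the copy into AM.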