Global Federated Identity and
Privilege Management (GFIPM)
Web Services
Developer Documentation
Java/Metro Implementation
June 12, 2012
Copyright (c) 2012, Georgia Tech Research Institute. All Rights Reserved.
Contents

1 Introduction
  1.1 Purpose and Scope
  1.2 Intended Audience
  1.3 Terminology, Definitions, Acronyms, Abbreviations
2 GFIPM-WS S2S SIP Models Description
  2.1 Requirements
  2.2 Architecture Overview
    2.2.1 Development Approach
    2.2.2 Components
    2.2.3 Build environment
  2.3 Message Exchanges
  2.4 Service Contract
    2.4.1 Information Exchange Data Model
    2.4.2 Service Contract WSDL
    2.4.3 Service Level Agreement (SLA Security Policies)
      2.4.3.1 SOAP Version
      2.4.3.2 WS-Policy Version
      2.4.3.3 WS-SecurityPolicy Version
      2.4.3.4 WS-Addressing
      2.4.3.5 MTOM
      2.4.3.6 WS-I Basic Profile
      2.4.3.7 WS-I Basic Secure Profile
      2.4.3.8 SAML 2.0 Token
      2.4.3.9 WS-ReliableMessaging
  2.5 Integration Points
  2.6 GFIPM Security Model
    2.6.1 GFIPM User Assertions
    2.6.2 GFIPM Entity Assertions
    2.6.3 GFIPM Cryptographic Trust Fabric
    2.6.4 Model Certificates
      2.6.4.1 Updating certificates
        2.6.4.1.1 Trust Keystores
        2.6.4.1.2 Private Keystores
3 GFIPM-WS S2S Profile Sample Implementation (GWSS2SPSI)
  3.1 Sample Implementation Components
    3.1.1 GFIPM CTF Library
      3.1.1.1 CTF Library API
      3.1.1.2 CTF Scripts
      3.1.1.3 CTF Command Line Utility
    3.1.2 GFIPM Web Services Auxiliary Library
    3.1.3 Information Exchange Service Contract Implementation Library
    3.1.4 GFIPM WS S2S Consumer-Provider (Model 1) Implementation
      3.1.4.1 WSC Implementation (Model 1)
      3.1.4.2 WSP Implementation (Model 1)
        3.1.4.2.1 WSP SLA Implementation
        3.1.4.2.2 Certificate Validation
        3.1.4.2.3 WSP Service Implementation
    3.1.5 GFIPM WS S2S User-Consumer-Provider (Model 2/Model 8) Implementation
      3.1.5.1 IDP/ADS STS Implementation (Model 8)
        3.1.5.1.1 Token Generation
        3.1.5.1.2 Attribute Generation
        3.1.5.1.3 IDP SLA Implementation
        3.1.5.1.4 ADS SLA Implementation
        3.1.5.1.5 ADS Certificate Validation
      3.1.5.2 WSC Implementation (Model 2)
        3.1.5.2.1 WSC Service Implementation
        3.1.5.2.2 WSC Client Implementation
      3.1.5.3 WSP Implementation (Model 2)
        3.1.5.3.1 WSP SLA Implementation
        3.1.5.3.2 Certificate Validation
        3.1.5.3.3 SAML Assertion Validation
        3.1.5.3.4 WSP Service Implementation
      3.1.5.4 GFIPM Client (Model 2)
  3.2 Debugging
    3.2.1 Message Logging
    3.2.2 Applications Logging
4 References
5 Appendixes
  5.1 Attachment A: GFIPM SAML User Assertion Sample
  5.2 Attachment B: GFIPM SAML Metadata Entity Assertion Sample
  5.3 Attachment C: GFIPM CTF Library API
  5.4 Attachment D: Sample SLA Security Policy for IDP STS
  5.5 Attachment E: Sample SLA Security Policy for ADS STS
  5.6 Attachment F: Sample SLA Security Policy for WSP Model 1
  5.7 Attachment G: Sample SLA Security Policy for WSP Model 2
  5.8 Attachment H: Sample SLA Security Policy for Message Encryption and Signature
  5.9 Attachment I: Sample SLA Policy for WS-ReliableMessaging 1.1
  5.10 Attachment J: Sample SLA Policy for Algorithm Suite
1 Introduction
1.1 Purpose and Scope
The Global Federated Identity and Privilege Management (GFIPM) program has published a number of
technical documents to support implementation of Web Services. This document provides an example
of how to develop web services conforming to the GFIPM Web Services System-to-System Profile,
version 1.0 (S2S) using Oracle Java technologies and the Metro [METRO] web services stack. The
purpose of this document is to support the understanding and interpretation of the conformance
criteria of the profile using the GFIPM WS S2S Profile Sample Implementation (GWSS2SPSI) project
accompanying this document. GWSS2SPSI is designed according to the Global Reference Architecture
(GRA) and Service Oriented Architecture (SOA) development guidelines [GRAGIDES] and S2S
[GFIPMS2SP] conformance requirements. The described methods and code samples are only one
approach; there might be other, equally valid approaches. The sample implementation project code is
available for use by implementers as a template for their own development or as an example that can
be used for reference purposes.
1.2 Intended Audience
This document is intended for software developers and system architects. It is expected that the
developer has programming experience with Java, has a basic understanding of Public Key
Infrastructure (PKI), and has working knowledge of SOAP-based Web Services. In addition, the
developer should be familiar with the Apache Maven [MAVEN] software project management tool.
Finally, the developer is expected to be familiar with the GRA [GRA] and S2S [GFIPMS2SP].
1.3 Terminology, Definitions, Acronyms, Abbreviations
This document uses technical terms related to federations, identity management, web services, and
other related technologies. To minimize confusion for readers, it is important that each technical
term have a precise definition. Accordingly, technical terms in this document are to be interpreted as
described in [GFIPMTERMS]. In addition, technical terms specific to this system-to-system web services
implementation are described in S2S [GFIPMS2SP].
2 GFIPM-WS S2S SIP Models Description
The GWSS2SPSI project includes implementations of the following SIPs:
- GFIPM-WS Consumer-Provider Service Interaction Profile [GFIPMS2SP 8.1]
- GFIPM-WS User-Consumer-Provider Service Interaction Profile [GFIPMS2SP 8.2]
- GFIPM-WS SAML Assertion Delegate Service Interaction Profile [GFIPMS2SP 8.8]
2.1 Requirements
The following software is required for GWSS2SPSI:
Java (Java SE 7) [JAVA]
Metro Web Services stack (2.2) [METRO]
Glassfish (3.1.2) [GLASSFISH]
Maven (2.2.1) [MAVEN]
2.2 Architecture Overview
2.2.1 Development Approach
The standard information exchange specification is developed, published and distributed in the form of
a GRA Service Specification Package (GRA SSP), which includes WSDL, XML Schemas, and other business
artifacts. For the purposes of this project, a simple document exchange contract was developed in
accordance with GRA SOA development guidelines and best practices.
2.2.2 Components
The following diagrams depict major components for each corresponding service interaction model.
[Figure 1: GFIPM WS Consumer-Provider SIP (Model 1). Components: WSC (curewscm1), WSP (curewspm1), GFIPM CTF; message steps 1 and 2.]
Figure 1: GFIPM WS Consumer-Provider SIP (Model 1)
[Figure 2: GFIPM WS User-Consumer-Provider SIP (Model 2) / Assertion Delegate Service SIP (Model 8). Components: Client, IDP/ADS STS (cureidpm2), WSC Service and WSC Client (curewscm2), WSP (curewspm2), GFIPM CTF; message steps 1/2, 3 (RST), 4 (RSTR), 5, 6 (RST OnBehalfOf), 7 (RSTR), 8, 9, 10.]
Figure 2: GFIPM WS User-Consumer-Provider SIP (Model 2) / Assertion Delegate Service SIP (Model 8)
The following notations are used in the diagrams:
WSC – Web Service Consumer
STS – Security Token Service
WSP – Web Service Provider
IDP – Identity Provider
ADS – Assertion Delegate Service
Client – Command line application
RST – Request Security Token
RSTR – Request Security Token Response
SIP – Service Interaction Profile
GFIPM CTF – GFIPM Cryptographic Trust Fabric
The detailed sequence of steps for the Model 1 sample implementation is described in S2S Section 8.1.
The detailed sequence of steps for the Model 2 sample implementation involves several additional steps
not fully covered by S2S Sections 8.2 and 8.8. The additional steps (1-5, 10) involve obtaining an initial
SAML token from the user's IDP STS and are outside the scope of the S2S.
1. The command line application (Client), on behalf of the user, connects to the WSC service to
   retrieve the security requirements for the service. The WSC service requires a SAML assertion for
   the user to be included with the message.
2. The Client is statically configured with information about an IDP, which is used to obtain a
   SAML assertion for the user.
3. The Client sends a Request Security Token (RST) message to the IDP. The request is secured
   with the IDP certificate. User authentication is performed according to the IDP policies.
4. The IDP issues a SAML user assertion containing user attributes and returns a Request
   Security Token Response (RSTR) message with the issued token to the Client. The SAML
   user assertion includes GFIPM user attributes.
5. The Client sends another request to the WSC service, this time with the SAML user assertion
   from the IDP for authentication and secured with the WSC service certificate.
6. The WSC client sends a Request Security Token (RST) message to the Assertion Delegate
   Service (ADS). The message contains the SAML user assertion received in step 4 by the WSC
   service, included inside the "OnBehalfOf" element. The RST message is secured with
   the ADS certificate. The message asks the ADS for a re-issued token so that the WSC client
   can access the WSP, acting on behalf of the user.
7. The ADS issues a new SAML user assertion, signed with the ADS certificate, and then
   sends a Request Security Token Response (RSTR) message with the issued token to the WSC
   client.
8. The WSC client sends a request to the WSP. The message includes the re-issued SAML
   assertion and is secured with the WSC certificate. The WSP validates the SAML assertion
   according to the security policy.
9. The WSP sends a response to the WSC.
10. The WSC sends a response to the Client.
2.2.3 Build environment
The GWSS2SPSI is tightly integrated with the Apache Maven [MAVEN] build environment. The sample
implementation is a multi-module project, and contains several subprojects that can be independent
and reused in a production implementation. For details on the sample implementation libraries and
components see the Sample Implementation Components chapter.
2.3 Message Exchanges
Figure 3: Consumer-Provider SIP
Figure 4: User-Consumer-Provider SIP
2.4 Service Contract
The Web Service Contract defines a data format (data model), what a service does (functionality), how
to access the service (technology), and where a service is located (instance). The GWSS2SPSI described
in this document assumes a contract-first development approach. The Web Service implementation is
developed using classes generated from the WSDL. This approach is in contrast to the implementation-first
approach, where the WSDL is automatically generated from the implementation code. The WSDL-first
approach is recommended by the GRA reference architecture. Figure 5 below reflects the structure
of the simple Web Service Contract used in the GWSS2SPSI:
Figure 5: Web Service Contract
Each deployable service component (WSC, WSP) of the GWSS2SPSI contains a service contract that is
located under the "$COMPONENT_NAME/src/wsdl" directory and has the following files:
- src/wsdl/CommercialVehicleCollisionExchangeSchema.xsd
- src/wsdl/CommercialVehicleCollisionMessageSchema.xsd
- src/wsdl/CommercialVehicleCollisionWebserviceImpl.wsdl
- src/wsdl/CommercialVehicleCollisionWebserviceIntf.wsdl
2.4.1 Information Exchange Data Model
The Web Service Contract WSDL uses XML Schema [XSD2004] to define document exchange types for
the Information Exchange Data Model (IEDM). The GWSS2SPSI project includes a simplified IEDM that can
be used for reference purposes and should be substituted with the production information exchange
data model.
The information exchange schemas are split into two parts:
- Exchange contract message schema (CommercialVehicleCollisionMessageSchema.xsd)
- Exchange message data model schema (CommercialVehicleCollisionExchangeSchema.xsd)
Figure 6: Exchange Contract Message Schema (CommercialVehicleCollisionMessageSchema.xsd)
Figure 7: Exchange Message Data Model Schema (CommercialVehicleCollisionExchangeSchema.xsd)
2.4.2 Service Contract WSDL
The Service Contract WSDL includes types, messages, port types, bindings, and service endpoint
locations.
The Service Contract WSDL is split into two functional sections:
- Service Interface WSDL (CommercialVehicleCollisionWebserviceImpl.wsdl)
- Service Implementation WSDL (CommercialVehicleCollisionWebserviceIntf.wsdl)
The Service Interface WSDL imports the Information Exchange Data Model described in the previous
section. Based on the imported data model types, the Service Interface WSDL defines messages,
operations, and ports as shown in Figure 8 below.
Figure 8: Service Contract WSDL Messages, Operations, and Ports
The Service Interface WSDL also includes service bindings and the associated GFIPM Service Level
Agreement (SLA) as shown in the code snippet below (some of the content is omitted for the sake of
brevity). The SLA is described in detail in the Service Level Agreement (SLA Security Policies) section.
Figure 9: Service Bindings and Service Level Agreement
2.4.3 Service Level Agreement (SLA Security Policies)
The Service Level Agreement defines service access policies for message authentication, authorization,
integrity, non-repudiation, and confidentiality required to connect to the service. This section addresses
conformance requirements outlined in S2S.
While the WSDL file is not the complete documentation for a real service, which would require
additional documentation (such as business-level documents) to describe the service behavior, the
WSDL file contains a formal, machine-interpretable specification of the service interface and includes an
SLA expressed using WS-Policy and WS-SecurityPolicy [SPEOAIS]. The WSDL for each model meets S2S
functional requirements and GRA RS WS-SIP service interface conformance targets.
2.4.3.1 SOAP Version
The WSDL uses SOAP 1.1 and includes XML Namespace and corresponding prefix declaration:
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
2.4.3.2 WS-Policy Version
The WSDL uses WS-Policy 1.2 and includes XML Namespace and corresponding prefix declaration:
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
2.4.3.3 WS-SecurityPolicy Version
The WSDL uses WS-SecurityPolicy 1.2 [WS-SECURITYPOLICY] and includes XML Namespace and
corresponding prefix declaration:
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
2.4.3.4 WS-Addressing
The WSDL uses WS-Addressing 1.0 - WSDL Binding [WSAWSDL] and includes XML Namespace and
corresponding prefix declaration:
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl".
The addressing policy is specified using the WS-Policy 1.2 and the “UsingAddressing” assertion element
as follows: “<wsaw:UsingAddressing wsp:Optional="false"/>”
2.4.3.5 MTOM
The WSDL uses WS-MTOMPolicy 1.0 [MTOM] and includes XML Namespace and corresponding prefix
declaration:
xmlns:wsoma="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization"
The server policy to accept the MTOM message format is specified using the
"wsoma:OptimizedMimeSerialization" policy assertion.
2.4.3.6 WS-I Basic Profile
The WSDL meets all applicable conformance targets outlined in WS-I Basic Profile 1.2 [WSIBP12].
2.4.3.7 WS-I Basic Secure Profile
The GFIPM WS S2S normative conformance requirements [8.1.2, 8.2.2, 8.8.2], in accordance with WS-I
Basic Security Profile 1.1 Section 9, "XML-Signature", demand that the following parts of the messages
are properly signed and encrypted (if necessary): SOAP Body and SOAP Attachments, Timestamp,
WS-Addressing headers, and the WS-Security Token for the User's SAML Assertion (if present). The policy
uses the "sp:SignedParts" and "sp:EncryptedParts" elements to indicate which parts of the SOAP messages
are to be signed and encrypted, as shown in Attachment H: Sample SLA Security Policy for Message
Encryption and Signature.
To address GFIPM WS S2S normative conformance requirement to include a timestamp, the policy uses
the “sp:IncludeTimestamp” element. An explicit assertion is not needed for signing the timestamp
because if the timestamp is included it will be signed by default.
The policy uses the “sp:AsymmetricBinding” security policy assertion to implement SOAP message
protection using asymmetric key algorithms. Using asymmetric binding policy for SOAP message
protection allows selection of the particular parts of a message to protect (for ex: individual headers,
body), while transport layer security (“sp:TransportBinding” security policy assertion) can operate only
on the whole message. An asymmetric binding policy must be applied to an endpoint policy subject.
There are interoperability issues between Metro and .Net when using the “sp:AsymmetricBinding”
security policy assertion. To avoid these interoperability issues, the “sp:TransportBinding” security policy
assertion can be used. When “sp:TransportBinding” security policy assertion is used “sp:EncryptedParts”
and “sp:SignedParts” security policy assertions are ignored. The “sp:TransportBinding” security policy
assertion must be used with “RequireClientCertificate” attribute set to “true”.
The policy uses “sp:OnlySignEntireHeadersAndBody” security policy assertion to apply the signature only
to an entire body or to entire headers, not to sub-elements of the body or sub-elements of a header.
The policy uses “sp:RequireSignatureConfirmation” security policy assertion to require the request
message signatures to be confirmed as part of the response message as specified by S2S normative
conformance requirements. To confirm the request message signatures at run-time the service includes
and signs, in the response, all the signatures included in the request.
The policy uses the "sp:Basic256Sha256" element within the "sp:AlgorithmSuite" security policy
assertion to require the algorithm suite that uses SHA-256 for the signature digest and 256-bit Basic as
the message encryption algorithm. The "signatureAlgorithm" attribute for the "sp:AlgorithmSuite"
security policy assertion is set to "SHA256withRSA" to require the use of the SHA-256 based signature
algorithm.
2.4.3.8 SAML 2.0 Token
The policy uses SAML 2.0 Token Profile 1.1 [WSS11-SAML1120-PROFILE] and includes
“sp:WssSamlV20Token11” element within the “sp:SignedEncryptedSupportingTokens” security policy
assertion.
2.4.3.9 WS-ReliableMessaging
The policy uses WS-ReliableMessaging [WS-RM] 1.1 and the WSDL includes XML Namespace and
corresponding prefix declaration:
xmlns:wsrmp="http://docs.oasis-open.org/ws-rx/wsrmp/200702"
The service requirement to initiate reliable messaging is specified by the use of the
"wsrmp:RMAssertion" policy assertion as shown in Attachment I: Sample SLA Policy for WS-ReliableMessaging 1.1.
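The assertions listed in this section can be checked mechanically before a WSDL is accepted from a partner. The following added Java example (not part of GWSS2SPSI; the class name and the constructed sample WSDL are hypothetical) parses a WSDL and reports which of the SLA assertions above are missing; the sample deliberately uses Basic128 and omits sp:RequireSignatureConfirmation, so the check reports exactly those two gaps.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

/**
 * Added example, not part of GWSS2SPSI: reads the SLA embedded in a WSDL and reports
 * which of the section 2.4.3 policy assertions are missing. Class name is hypothetical.
 */
public class SlaPolicyCheck {
    static final String WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy";
    static final String SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
    static final String WSAW = "http://www.w3.org/2006/05/addressing/wsdl";

    /** Prefix bindings for the XPath expressions used by findGaps(). */
    static final NamespaceContext NS = new NamespaceContext() {
        public String getNamespaceURI(String prefix) {
            switch (prefix) {
                case "wsp": return WSP;
                case "sp": return SP;
                case "wsaw": return WSAW;
                default: return XMLConstants.NULL_NS_URI;
            }
        }
        public String getPrefix(String uri) { return null; }
        public Iterator<String> getPrefixes(String uri) { return null; }
    };

    /**
     * Returns the conformance gaps found in the WSDL's policy; an empty list means every
     * check passed. userAssertionRequired is true for Model 2 WSPs, which must also demand
     * a SAML 2.0 user token as a signed and encrypted supporting token.
     */
    public static List<String> findGaps(Document wsdl, boolean userAssertionRequired)
            throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setNamespaceContext(NS);
        List<String> gaps = new ArrayList<>();
        boolean asymmetric = has(xp, wsdl, "//sp:AsymmetricBinding");
        boolean transport = has(xp, wsdl, "//sp:TransportBinding");
        if (!asymmetric && !transport) gaps.add("no sp:AsymmetricBinding or sp:TransportBinding");
        // Transport binding is only acceptable when a client certificate is demanded.
        if (transport && !has(xp, wsdl, "//sp:TransportBinding//*[@RequireClientCertificate='true']"))
            gaps.add("sp:TransportBinding without RequireClientCertificate='true'");
        if (asymmetric) { // parts lists are honoured only under the asymmetric binding
            if (!has(xp, wsdl, "//sp:SignedParts/sp:Body")) gaps.add("sp:SignedParts does not list sp:Body");
            if (!has(xp, wsdl, "//sp:EncryptedParts/sp:Body")) gaps.add("sp:EncryptedParts does not list sp:Body");
        }
        if (!has(xp, wsdl, "//sp:IncludeTimestamp")) gaps.add("missing sp:IncludeTimestamp");
        if (!has(xp, wsdl, "//sp:OnlySignEntireHeadersAndBody")) gaps.add("missing sp:OnlySignEntireHeadersAndBody");
        if (!has(xp, wsdl, "//sp:RequireSignatureConfirmation")) gaps.add("missing sp:RequireSignatureConfirmation");
        if (!has(xp, wsdl, "//sp:AlgorithmSuite//sp:Basic256Sha256")) gaps.add("sp:AlgorithmSuite is not Basic256Sha256");
        if (!has(xp, wsdl, "//wsaw:UsingAddressing[@wsp:Optional='false']"))
            gaps.add("missing wsaw:UsingAddressing with wsp:Optional='false'");
        if (userAssertionRequired && !has(xp, wsdl, "//sp:SignedEncryptedSupportingTokens//sp:WssSamlV20Token11"))
            gaps.add("missing sp:WssSamlV20Token11 under sp:SignedEncryptedSupportingTokens");
        return gaps;
    }

    static boolean has(XPath xp, Document doc, String expr) throws XPathExpressionException {
        return (Boolean) xp.evaluate("boolean(" + expr + ")", doc, XPathConstants.BOOLEAN);
    }

    /** Namespace-aware parse with DTD processing disabled, since the WSDL may come from a remote party. */
    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Constructed sample WSDL skeleton with two deliberate gaps: Basic128 and no signature confirmation. */
    static final String SAMPLE_WSDL =
          "<wsdl:definitions xmlns:wsdl='http://schemas.xmlsoap.org/wsdl/' xmlns:wsp='" + WSP + "'"
        + " xmlns:sp='" + SP + "' xmlns:wsaw='" + WSAW + "'><wsp:Policy><wsp:ExactlyOne><wsp:All>"
        + "<wsaw:UsingAddressing wsp:Optional='false'/>"
        + "<sp:AsymmetricBinding><wsp:Policy>"
        + "<sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>"
        + "<sp:IncludeTimestamp/><sp:OnlySignEntireHeadersAndBody/>"
        + "</wsp:Policy></sp:AsymmetricBinding>"
        + "<sp:Wss11><wsp:Policy/></sp:Wss11>"
        + "<sp:SignedParts><sp:Body/></sp:SignedParts><sp:EncryptedParts><sp:Body/></sp:EncryptedParts>"
        + "<sp:SignedEncryptedSupportingTokens><wsp:Policy><sp:SamlToken><wsp:Policy>"
        + "<sp:WssSamlV20Token11/></wsp:Policy></sp:SamlToken></wsp:Policy></sp:SignedEncryptedSupportingTokens>"
        + "</wsp:All></wsp:ExactlyOne></wsp:Policy></wsdl:definitions>";

    public static void main(String[] args) throws Exception {
        for (String gap : findGaps(parse(SAMPLE_WSDL), true)) System.out.println("GAP: " + gap);
    }
}
```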
2.5 Integration Points
The sample implementation (GWSS2SPSI) exposes various integration points that developers can use to
further extend and modify the implementation with additional functionality and new features. Table 1
below lists the available integration points and the section within this document where each
integration point is described.

SIP | Integration Point | Section(s)
Consumer-Provider | Service Contract | 3.1.3 Information Exchange Service Contract Implementation Library
Consumer-Provider | Trust Fabric | 3.1.1 GFIPM CTF Library
Consumer-Provider | WSC Authorization | 3.1.4.2 WSP Implementation (Model 1)
User-Consumer-Provider | Service Contract | 3.1.3 Information Exchange Service Contract Implementation Library
User-Consumer-Provider | Trust Fabric | 3.1.1 GFIPM CTF Library
User-Consumer-Provider | SAML Token and GFIPM Attribute Generation | 3.1.5.1 IDP/ADS STS Implementation (Model 8)
User-Consumer-Provider | SAML Token Validation | 3.1.5.3.3 SAML Assertion Validation
User-Consumer-Provider | WSC and User Authorization | 3.1.5.3.4 WSP Service Implementation
Table 1: Implementer Integration Points
2.6 GFIPM Security Model
2.6.1 GFIPM User Assertions
GFIPM user assertions are based on the GFIPM Metadata [GFIPMMETA] specification version 2.0. A user
assertion consists of a SAML assertion with SAML metadata tags for describing message characteristics
and GFIPM user attributes for describing a user's properties such as name, phone, email, and privileges.
Table 2 below outlines some sample information in the SAML GFIPM user assertion used in
GWSS2SPSI (not all tags or attributes are shown).

Metadata Tag | Value | Description
gfipm:2.0:user:EmployerName | Dundler Mifflin | Organization name.
gfipm:2.0:user:SwornLawEnforcementOfficerIndicator | false | An IDP may assert that a user is a SLEO if certain conditions, as defined by the GFIPM Metadata Spec, are met (such as being authorized to make an arrest, etc.).
Table 2: GFIPM User Assertions Examples
A sample SAML assertion containing GFIPM user attributes can be found in Attachment A: GFIPM SAML
User Assertion Sample.
2.6.2 GFIPM Entity Assertions
GFIPM entity assertions are based on the GFIPM Metadata specification version 2.0. A GFIPM entity
assertion is an entry in the GFIPM Cryptographic Trust Fabric (CTF) document that represents an entity
such as an IDP, SP, WSC, WSP, ADS, AS, or TIB in the federation. Each Entity entry in the CTF includes the
X.509 public certificate data and several informational attributes about the entity. Each Entity could
also contain a corresponding Web Service Endpoint URL, Delegate Service Endpoint URL, Metadata
Exchange Endpoint URL, and WSDL URL. Table 3 below outlines some sample information in the
GFIPM CTF for the entities used in the GWSS2SPSI. Not all entity information is included in the table.

XPath | Sample Value(s) | Description
md:EntitiesDescriptor/md:EntityDescriptor/@entityID | curewspm1, cureidpm2 | An Entity Id
md:EntitiesDescriptor/md:EntityDescriptor/md:RoleDescriptor/@xsi:type | gfipmws:GFIPMWebServiceProviderType, gfipmws:GFIPMAssertionDelegateServiceType | A role of an Entity (ex: WSP, ADS)
md:EntitiesDescriptor/md:EntityDescriptor/md:RoleDescriptor/gfipmws:WebServiceEndpoint | https://curewspm1:8181/m1wsp/services/cvc | A web service endpoint for WSP
md:EntitiesDescriptor/md:EntityDescriptor/md:RoleDescriptor/gfipmws:DelegatedTokenServiceEndpoint | https://cureidpm2:8181/m2sts/services/sts | A web service endpoint for ADS STS
XPath prefix notations:
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:gfipmws="http://gfipm.net/standards/metadata/2.0/webservices"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Table 3: GFIPM Entity Assertions Examples
A Sample GFIPM entity assertion for WSP and WSC used in GFIPM CTF can be found in Attachment B:
GFIPM SAML Metadata Entity Assertion Sample.
2.6.3 GFIPM Cryptographic Trust Fabric
The GFIPM Cryptographic Trust Fabric (CTF) is an XML document signed by the Federation Manager
Organization, containing trusted information about each IDP, SP, WSC, WSP, AS, ADS, and TIB in the
federation. It includes X.509 certificate data for each software entity, as well as a GFIPM Entity
Assertion providing various informational attributes about each entity. The CTF is the cryptographic
trust anchor for all federation transactions.
[Figure 10: Conceptual view of the Trust Fabric. Shows the Federation Manager Organization, the WSP with its WSP CA, the WSC with its WSC CA, and the IDP.]
Figure 10: Conceptual view of the Trust Fabric
The GWSS2SPSI supplies a library that allows dynamic query of the GFIPM CTF. For detailed API see
chapter GFIPM CTF Library.
2.6.4 Model Certificates
This chapter covers trusted public and private certificates used in the GWSS2SPSI, Truststores, and
Keystores locations for those certificates.
Each entity used in the GWSS2SPSI has an entry in the sample CTF. Table 4 below shows the
Entity Ids and corresponding roles. The GWSS2SPSI is distributed with trusted and private Java
keystores whose certificate aliases correspond to the GFIPM CTF entity Id.
Model   GFIPM Role   Entity Id
1       WSC          curewscm1
1       WSP          curewspm1
2       WSC          curewscm2
2       WSP          curewspm2
8       ADS STS      cureidpm2
Table 4: Entity Roles and Certificate Aliases
Each deployable component (WSC, WSP, IDP/ADS) of the GWSS2SPSI contains configured private and
trusted keystores that are located in the “$COMPONENT_NAME/src/main/resources/META-INF”
directory:
Consumer-Provider SIP Model 1
m1wsc/src/main/resources/META-INF/curewscm1-cacerts.jks
m1wsc/src/main/resources/META-INF/curewscm1-keystore.jks
m1wsp/src/main/resources/META-INF/curewspm1-cacerts.jks
m1wsp/src/main/resources/META-INF/curewspm1-keystore.jks
User-Consumer-Provider SIP Model 2
m2client/src/main/resources/META-INF/cure-client-cacerts.jks
m2client/src/main/resources/META-INF/cure-client-keystore.jks
m2sts/src/main/resources/META-INF/cureidpm2-cacerts.jks
m2sts/src/main/resources/META-INF/cureidpm2-keystore.jks
m2wsc/src/main/resources/META-INF/curewscm2-cacerts.jks
m2wsc/src/main/resources/META-INF/curewscm2-keystore.jks
m2wsp/src/main/resources/META-INF/curewspm2-cacerts.jks
m2wsp/src/main/resources/META-INF/curewspm2-keystore.jks
The Maven build automatically includes the keystores in the distributable WAR files under the “WEB-INF/classes/META-INF” directory, making them available in the application’s runtime environment.
2.6.4.1 Updating certificates
2.6.4.1.1 Trust Keystores
When a new GFIPM CTF is released, it is necessary to remove the retired trusted certificates that belonged
to the deprecated GFIPM CTF and to update the keystore with the new trusted certificates. The new
certificates can be extracted from the GFIPM CTF using the supplied CTF Command Line Utility. The utility
can also be used to remove old certificates and install new certificates in the trusted keystores
(*-cacerts.jks). The GFIPM CTF Library includes a set of sample scripts designed to populate trusted
certificates into the Java keystore.
To manage private keys and public certificates, developers also have other tools at their disposal:
• Java “keytool” [KEYTOOL]
• KeyStore Explorer [KSEXPL]
• KeyTool IUI [KTIUI].
2.6.4.1.2 Private Keystores
The GFIPM CTF Library includes a set of sample scripts designed to populate private keys into the Java
keystore. The library includes a Java class (“src/main/java/ImportKey.java”) that allows import of the
DER-encoded format keys generated by OpenSSL[OPENSSL] into the private Java keystore.
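Both the trust-store refresh described in 2.6.4.1.1 and the private-key import that ImportKey.java performs go through the standard java.security.KeyStore API. The command line tool below is an added example, not the project's ImportKey class or its scripts. It assumes the private key is an unencrypted PKCS#8 DER file, the certificate a DER X.509 file, and the alias the GFIPM entity Id, which is how the distributed keystores are laid out. It replaces a retired entry under the same alias (the situation that arises when a new CTF is released), refuses expired certificates, and rejects an RSA key that does not belong to the certificate it is paired with.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;

public class GfipmKeystoreImport {

    /** Loads an existing JKS store, or starts an empty one when the file does not exist yet. */
    static KeyStore loadOrCreate(Path file, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(file)) {
            try (InputStream in = Files.newInputStream(file)) {
                ks.load(in, storePass);   // also checks the store's integrity MAC
            }
        } else {
            ks.load(null, storePass);     // initialise an empty store
        }
        return ks;
    }

    static X509Certificate readDerCertificate(Path file) throws Exception {
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Reads an unencrypted PKCS#8 DER key (e.g. "openssl pkcs8 -topk8 -nocrypt -outform DER"). */
    static PrivateKey readDerPkcs8Key(Path file, String algorithm) throws Exception {
        byte[] der = Files.readAllBytes(file);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Trust store entry: alias = entity id; a retired certificate under that alias is replaced. */
    static void importTrusted(KeyStore ks, String entityId, X509Certificate cert) throws Exception {
        cert.checkValidity();   // refuse expired or not-yet-valid certificates
        if (ks.containsAlias(entityId)) {
            ks.deleteEntry(entityId);
        }
        ks.setCertificateEntry(entityId, cert);
    }

    /** Private store entry: key plus its certificate under the entity id alias. */
    static void importPrivate(KeyStore ks, String entityId, char[] keyPass,
                              PrivateKey key, X509Certificate cert) throws Exception {
        // Catch the common operator error of pairing a key with someone else's certificate.
        if (key instanceof RSAPrivateKey && cert.getPublicKey() instanceof RSAPublicKey
                && !((RSAPrivateKey) key).getModulus()
                        .equals(((RSAPublicKey) cert.getPublicKey()).getModulus())) {
            throw new IllegalArgumentException("private key does not match certificate for " + entityId);
        }
        ks.setKeyEntry(entityId, key, keyPass, new Certificate[] { cert });
    }

    static void save(KeyStore ks, Path file, char[] storePass) throws Exception {
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, storePass);
        }
    }

    // Usage:
    //   java GfipmKeystoreImport trust <store.jks> <entityId> <cert.der>
    //   java GfipmKeystoreImport key   <store.jks> <entityId> <cert.der> <key.der>
    public static void main(String[] args) throws Exception {
        boolean keyMode = args.length > 0 && args[0].equals("key");
        if (args.length < (keyMode ? 5 : 4) || !(keyMode || args[0].equals("trust"))) {
            System.err.println("usage: trust <store.jks> <entityId> <cert.der> | "
                    + "key <store.jks> <entityId> <cert.der> <key.der>");
            System.exit(2);
        }
        Path store = Paths.get(args[1]);
        String entityId = args[2];
        // Prompt for the password instead of taking it as an argument (shell history, ps output).
        // "changeit" is the default used throughout this document and is only applied without a console.
        char[] pass = System.console() != null
                ? System.console().readPassword("keystore password: ")
                : "changeit".toCharArray();
        KeyStore ks = loadOrCreate(store, pass);
        X509Certificate cert = readDerCertificate(Paths.get(args[3]));
        if (keyMode) {
            PrivateKey key = readDerPkcs8Key(Paths.get(args[4]), cert.getPublicKey().getAlgorithm());
            importPrivate(ks, entityId, pass, key, cert);
        } else {
            importTrusted(ks, entityId, cert);
        }
        save(ks, store, pass);
        Arrays.fill(pass, '\0');
    }
}
```

The key-entry password is set equal to the store password here because that is what the WSIT configuration later in this document expects (a single storepass per keystore); a deployment that separates the two should prompt for both.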
3 GFIPM-WS S2S Profile Sample Implementation (GWSS2SPSI)
3.1 Sample Implementation Components
The GFIPM Web Services S2S Consumer-Provider SIP (Model 1) sample implementation distribution
contains the following modules:
1. trustfabric – GFIPM Cryptographic Trust Fabric Library
2. wscontract – Information Exchange Service Contract Implementation Library
3. m1wsc – GFIPM Web Services Model 2 Web Service Consumer (WSC)
4. m1wsp – GFIPM Web Services Model 2 Web Service Provider (WSP)
The GFIPM Web Services S2S User-Consumer-Provider SIP (Model 2/Model 8) sample implementation
distribution contains the following modules:
1. trustfabric – GFIPM CTF Library
2. wscontract – Information Exchange Service Contract Implementation Library
3. m2sts – GFIPM Web Services Model 2 Security Token Service (STS) for the Identity Provider (IDP)
and the Assertion Delegate Service (ADS)
4. m2lib – GFIPM Web Services auxiliary library
5. m2wsc – GFIPM Web Services Model 2 Web Service Consumer (WSC)
6. m2wsp – GFIPM Web Services Model 2 Web Service Provider (WSP)
7. m2client – GFIPM Model 2 Web Service Client
Library modules (trustfabric, wscontract, m2lib) are reused by other modules (WSC, WSP, IDP/ADS STS)
by using the maven dependency mechanism.
3.1.1 GFIPM CTF Library
The GFIPM Cryptographic Trust Fabric (CTF) Library consists of two functionally independent projects:
GFIPM CTF library API and GFIPM CTF Command Line Utility.
3.1.1.1 CTF Library API
The GFIPM CTF library API allows dynamic querying of the GFIPM CTF from within a web application.
For detailed CTF library API see Attachment C: GFIPM CTF Library API.
The GFIPM CTF library API comes with sample GFIPM CTF xml file:
src/main/resources/net/gfipm/trustfabric/gfipm-trust-fabric-model2-sample-signed.xml
The GFIPM CTF library Trust Fabric object could be also initialized using an external trust fabric as shown
on the examples below.
//Using default CTF "https://ref.gfipm.net/gfipm-signed-ref-metadata.xml"
TrustFabric tfDefault = new TrustFabric();
//Using sample CTF included in the library API
TrustFabric tfSample = new TrustFabric("net/gfipm/trustfabric/gfipm-trust-fabric-model2-sample-signed.xml");
//Using CTF included in your application classpath
TrustFabric tfClasspath = new TrustFabric("classpath:net/gfipm/trustfabric/your-gfipm-trust-fabric.xml");
//Using other externally available CTF via http or https URL
TrustFabric tfRemote = new TrustFabric("https://yourdomain.net/your-gfipm-signed-ref-metadata.xml");
The Trust Fabric object is thread-safe. A static instance can be initialized through the Singleton Factory
Pattern [GO4] using TrustFabricFactory.
//Using TrustFabricFactory and static singleton Trust Fabric
TrustFabric tf = TrustFabricFactory.getInstance("net/gfipm/trustfabric/gfipm-trust-fabric-model2-sample-signed.xml");
The developer must install “trustfabric” artifact into the local Maven repository (“mvn install”). To add
the GFIPM CTF library Trust Fabric API to your application, include Maven dependency in your POM file
as follows:
<dependency>
    <groupId>net.gfipm</groupId>
    <artifactId>trustfabric</artifactId>
    <version>1.0-SNAPSHOT</version>
</dependency>
3.1.1.2 CTF Scripts
The GFIPM CTF library contains sample scripts that allow fast population of the trusted and private
keystores with public certificates and private keys. The sample scripts are located under “src/bin”
directory.
Scripts that populate trusted keystores (*-cacerts.jks) from supplied public certificates:
• src/bin/create_cacerts_stores_metro_m1.sh
• src/bin/create_cacerts_stores_metro_m2.sh
Scripts that populate private keystores (*-keystore.jks) from supplied openssl generated key pairs:
• src/bin/create_private_stores_metro_m1.sh
• src/bin/create_private_stores_metro_m2.sh
The GFIPM CTF library also includes the “ImportKey.java” class in the default package under
“src/main/java” directory. The “ImportKey” was developed to help import the DER-encoded format keys
into the private Java keystore.
3.1.1.3 CTF Command Line Utility
The GFIPM CTF Command Line Utility is designed to extract certificates for the GFIPM Entities from the
GFIPM CTF document and populate trusted Java keystore; save certificates as a file; remove old
certificates and update trusted Java keystore with new certificates from the CTF document. Utility also
provides user with options to validate the CTF document.
trustfabric options: (options are processed in the order shown)
-help
Print this help and then exits.
-verbose yes | no
Set verbose output (default is yes).
-trustdoc <URL> | nief | ref | sample
Load GFIPM trust document from URL, or NIEF Fed url, or Reference Fed url, or special Sample
URL.
Default is https://ref.gfipm.net/gfipm-signed-ref-metadata.xml
-validatetrustdoc
Validate loaded GFIPM trust document.
-password prompt | <password> | none
Prompt user for key store password or use the one given or no password. Otherwise use default
password (changeit).
-keepEntityId
Keep an EntityId as Alias in the keystore or as a file name when extracting all certificates from
the GFIPM trust doc.
-keystore <filename>
Load Java key store from <filename>. If no file is found one will be created.
-delete <entityid> | <alias>
Delete entry with entity id or alias name from key store.
-deleteall
Delete all GFIPM entries from key store. Does not delete non-GFIPM entries.
-add <entityid> | cisaidp | cisasp
Retrieve the entity with entityid from the trust doc and add it to the key store. (cisaidp, cisasp are for
debugging)
-addall
Extract all certificates from the GFIPM trust doc and add non-duplicates to the Java key store.
-writeall <directory>
Extract all certificates from the GFIPM trust doc and write non-duplicates to files in the directory.
-view nondup | dup | cisa | attr1
Print non-duplicate or all duplicate entity ids in trust doc to terminal. cisa and attr1 are for
debugging only.
-print alias | cert | rawcert | all
Print contents of key store: all alias names, all base64 certs, all text certs, or everything.
The utility can be invoked through Maven. The Maven configuration file (pom.xml) already includes
several run configurations to get started. For example, to extract all certificates from the CTF and
populate the Java keystore (“gfipm-trust-fabric.jks”) use the following Maven configuration:
<argument>-keystore</argument>
<argument>gfipm-trust-fabric.jks</argument>
<argument>-addall</argument>
<argument>-validatetrustdoc</argument>
<argument>-trustdoc</argument>
<argument>https://ref.gfipm.net/gfipm-signed-ref-metadata.xml</argument>
To extract all certificates from the CTF and save each Entity certificate to the separate file in the
“certificates” directory use the following Maven configuration:
<argument>-writeall</argument>
<argument>certificates</argument>
<argument>-validatetrustdoc</argument>
<argument>-trustdoc</argument>
<argument>https://ref.gfipm.net/gfipm-signed-ref-metadata.xml</argument>
The configuration could be invoked through Maven commands: “mvn clean install exec:exec”.
3.1.2 GFIPM Web Services Auxiliary Library
The GFIPM Web Services auxiliary library (m2lib) contains common code, provides a set of auxiliary
utilities, hotfixes, and the SAML V2.0 Condition for Delegation Restriction implementation
[SAMLDelegation2009]. The library is used in WSC, WSP, and in IDP/ADS STS projects of the
GWSS2SPSI.
A SAML V2.0 Condition for the Delegation Restriction implementation uses JAXB [JAXB] and hooks up
directly to the default JAXB Context used by the Metro framework. The explanation of the
implementation details of the Delegation Restriction JAXB library is beyond the scope of this document.
The WSC, WSP, and IDP/ADS STS applications initialize this library by including the following code within
the application initialization servlet:
static {
    DelegateUtil.initDelegateJAXBContext();
}
The code snippet below shows how to use the SAML V2.0 Condition for Delegation Restriction
implementation library:
Element domSamlAssertion = SAMLUtil.createSAMLAssertion(xmlStreamerReader);
com.sun.xml.wss.saml.Assertion assertion = AssertionUtil.fromElement(domSamlAssertion);
Conditions conditions = assertion.getConditions();
for (Object condition : conditions.getConditions()) {
    if (condition instanceof DelegationRestrictionType) {
        List<DelegateType> delegateTypesList = ((DelegationRestrictionType) condition).getDelegate();
        for (DelegateType delegateType : delegateTypesList) {
            NameIDType nameIDType = delegateType.getNameID();
            //other GFIPM Entity ID validation code goes here
        }//for delegateType
    }//if instanceof DelegationRestrictionType
}//for condition
Note that the sample code doesn’t include validation for “null” values, and other important production
code checks.
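The snippet above leaves the "null" checks and the per-delegate validation to the reader. The method below is an added example, not code from m2lib or the GWSS2SPSI, of what a default-deny version of that loop looks like. It uses the JAXB types named above (DelegationRestrictionType, DelegateType, NameIDType, assumed to live in gov.niem.ws.util.jaxb.delegate as section 3.1.2 indicates, with NameIDType.getValue() assumed to return the NameID text) and the CTF library's TrustFabric (assumed package net.gfipm.trustfabric; method names as used elsewhere in this document). The final check, that the last delegate in the chain is the entity whose certificate authenticated the request, is this example's own addition and not a requirement quoted from the page.

```java
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.Conditions;
import gov.niem.ws.util.jaxb.delegate.DelegateType;            // package assumed from section 3.1.2
import gov.niem.ws.util.jaxb.delegate.DelegationRestrictionType;
import gov.niem.ws.util.jaxb.delegate.NameIDType;
import net.gfipm.trustfabric.TrustFabric;                      // package assumed for the CTF library
import net.gfipm.trustfabric.TrustFabricFactory;

public class DelegationChainCheck {

    private static final Logger log = Logger.getLogger(DelegationChainCheck.class.getName());
    private static final TrustFabric tf = TrustFabricFactory.getInstance();

    /**
     * Default-deny validation of the SAML DelegationRestriction condition. Returns true only if
     * exactly one DelegationRestriction is present, every Delegate carries a NameID, every NameID is
     * an entity the CTF lists as a WSC, and the last delegate is the entity whose certificate
     * authenticated this request (peerEntityId, as returned by tf.getEntityId(certificate)).
     */
    static boolean isDelegationChainValid(Assertion assertion, String peerEntityId) {
        if (assertion == null || peerEntityId == null) {
            return false;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null || conditions.getConditions() == null) {
            log.log(Level.WARNING, "Assertion has no Conditions element");
            return false;
        }
        DelegationRestrictionType restriction = null;
        for (Object condition : conditions.getConditions()) {
            if (condition instanceof DelegationRestrictionType) {
                if (restriction != null) {
                    log.log(Level.WARNING, "More than one DelegationRestriction condition");
                    return false;
                }
                restriction = (DelegationRestrictionType) condition;
            }
        }
        if (restriction == null) {
            log.log(Level.WARNING, "No DelegationRestriction condition present");
            return false;
        }
        List<DelegateType> delegates = restriction.getDelegate();
        if (delegates == null || delegates.isEmpty()) {
            log.log(Level.WARNING, "DelegationRestriction carries no Delegate entries");
            return false;
        }
        String lastDelegate = null;
        for (DelegateType delegate : delegates) {
            NameIDType nameId = (delegate == null) ? null : delegate.getNameID();
            String entityId = (nameId == null) ? null : nameId.getValue();   // getValue() assumed
            if (entityId == null || entityId.trim().isEmpty()) {
                log.log(Level.WARNING, "Delegate without a NameID value");
                return false;
            }
            if (!tf.isWebServiceConsumer(entityId)) {
                log.log(Level.WARNING, "Delegate {0} is not a WSC in the GFIPM Trust Fabric", entityId);
                return false;
            }
            lastDelegate = entityId;
        }
        if (!peerEntityId.equals(lastDelegate)) {
            log.log(Level.WARNING, "Last delegate {0} does not match authenticated peer {1}",
                    new Object[] { lastDelegate, peerEntityId });
            return false;
        }
        return true;
    }
}
```

Every failure path logs what was missing and returns false; a WSP that merely skips a malformed condition would accept a token whose delegation chain it never checked.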
This library can also be used for stand-alone JAXB processing of the DOM objects. For example to obtain
the Delegate object from the W3C DOM Element, it is possible to use the fromElement method within
gov.niem.ws.util.jaxb.delegate.Delegate class. The signature of the fromElement method is shown in the
code snippet below:
/**
 * Constructs a <code>Delegate</code> element from an existing XML block.
 *
 * @param element An <code>org.w3c.dom.Element</code> representing the DOM tree for the
 *                <code>Delegate</code> object.
 * @exception SAMLException if it could not process the <code>org.w3c.dom.Element</code>
 *                          properly, implying that there is an error in the sender or in the
 *                          element definition.
 */
public static DelegateType fromElement(org.w3c.dom.Element element)
For detailed usage of the Delegate JAXB library, see the sample code in the
“m2wsp\src\main\java\gov\niem\ws\sample\cvc\service\GFIPMCertificateValidatorWSP” class.
To add the GFIPM library to the application, include its Maven dependency in the POM file as follows:
<dependency>
    <groupId>edu.gatech.gtri.gfipm.model2</groupId>
    <artifactId>m2lib</artifactId>
    <version>1.0-SNAPSHOT</version>
</dependency>
This library is a part of multi-module maven project (gfipm-ws-m2) and will be installed in the repository
automatically.
3.1.3 Information Exchange Service Contract Implementation Library
The Information Exchange Service Contract Implementation Library provides developers with reusable
JAXB [JAXB] and JAX-WS [JAXWS] service contract interface and implementation classes. The project
uses the wsimport [WSIMPORT] goal of the “jaxws-maven-plugin” to generate JAX-WS portable artifacts,
such as: Service Endpoint Interface (SEI), and JAXB generated value types (mapped Java classes from
schema types). The Module Service Contract WSDL files do not contain SLA security policy content.
The following customizations are used:
• JAXB Content Objects (src/jaxws/schema-bindings.xml)
  o places all CommercialVehicleCollisionMessageSchema.xsd schema based classes in the gov.niem.ws.sample.cvc.jaxb.msg package
  o places all CommercialVehicleCollisionExchangeSchema.xsd schema based classes in the gov.niem.ws.sample.cvc.jaxb.iepd package
• Service Endpoint Interface (SEI) (src/jaxws/wsdl-bindings.xml)
  o places all SEI generated classes in the gov.niem.ws.sample.cvc.jaxws package
• Library Packaging (src/jaxws/jaxwsjar.xml)
• JAXBContext auxiliary loader file (src\main\resources\gov\niem\ws\sample\cvc\jaxb\jaxb.index)
The diagram below reflects the relationship between library artifacts and the Service Contract.
Figure 11: Service Contract Implementation Library
To add the GFIPM Service Contract Information Exchange Implementation library to your application,
include the appropriate Maven dependency in your POM file as follows:
<dependency>
    <groupId>edu.gatech.gtri.gfipm.model2</groupId>
    <artifactId>m2contract</artifactId>
    <!-- classifiers used with Maven Assembly Plugin to specify subset of above artifact needed -->
    <classifier>lib-jaxws</classifier>
    <version>1.0-SNAPSHOT</version>
</dependency>
3.1.4 GFIPM WS S2S Consumer-Provider (Model 1) Implementation
This section covers the implementation of the components that are specific to the GFIPM WS S2S
Consumer-Provider Service Interaction Profile (Model 1) implementation.
3.1.4.1 WSC Implementation (Model 1)
The WSC in the GFIPM WS S2S Consumer-Provider SIP is a simple command line client application. The
WSC uses the Information Exchange Service Contract Implementation Library to create a connection to
the WSP service. To determine the SLA policy for the WSP, the WSC retrieves the WSDL from the WSP,
sets the proper Service Endpoint for WSP service (listed in the GFIPM CTF), and then invokes the WSP
service.
The WSC is configured through the Client-Side WSIT [WSIT] configuration file “wsit-client.xml” located
under “src\main\resources\META-INF\” directory. The Client-Side WSIT configuration file imports a
separate configuration file for the WSP as shown on the code snippet below:
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="mainclientconfig">
    <import location="CommercialVehicleCollisionWebserviceImpl.xml"
            namespace="urn:examples.com:techniques:iepd:commercialVehicleCollision:ws:2.0"/>
</definitions>
The configuration for the connection to the WSP (“src\main\resources\META-INF\CommercialVehicleCollisionWebserviceIntf.xml”) includes settings for the WSC private certificate
that should be used for the connection to the WSP and specifies the WSP public certificate as follows:
<wsp:Policy wsu:Id="CalculatorServicePortBindingPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <!-- WSP Server identity -->
            <scl:TrustStore wspp:visibility="private" peeralias="curewspm1"
                            storepass="changeit" type="JKS" location="curewscm1-cacerts.jks"/>
            <!-- WSC Client identity -->
            <scl:KeyStore wspp:visibility="private" alias="curewscm1"
                          storepass="changeit" type="JKS" location="curewscm1-keystore.jks"/>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
Caching of the WSDL files to prevent extra WSDL queries is possible through the use of the
“src\main\resources\META-INF\jax-ws-catalog.xml” configuration file.
The WSC (“gov.niem.ws.sample.cvc.client.CommercialVehicleCollisionClient”) initializes the service
connection to WSP (cvcPort), sets proper Service Endpoint, and invokes a service call as shown on the
code snippet below:
CommercialVehicleCollisionPortType cvcPort;
CommercialVehicleCollisionWebService cvsWebService;
MTOMFeature mtomFeature = new MTOMFeature(true);
cvsWebService = new CommercialVehicleCollisionWebService(new URL(wsdlUrl),
        new QName("urn:examples.com:techniques:iepd:commercialVehicleCollision:ws:2.0",
                "CommercialVehicleCollisionWebService"));
cvcPort = cvsWebService.getCommercialVehicleCollisionPort(mtomFeature);
//Point the port at the Service Endpoint listed for the WSP in the GFIPM CTF
Map<String, Object> requestContext = ((BindingProvider) cvcPort).getRequestContext();
requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, sepUrl);
GetDocumentResponseType getDocumentResponseType =
        cvcPort.getDocument(getDocumentRequestType);
For the details on the WSC execution and running tests see the Readme.txt installation instructions file
in the GWSS2SPSI distribution package.
3.1.4.2 WSP Implementation (Model 1)
The WSP is responsible for accepting a request from a WSC listed in the GFIPM CTF. The WSP must
conform to GFIPM WS S2S Consumer-Provider (Model 1) SIP requirements.
The WSP is deployed under the following URL: https://curewspm1:8181/m1wsp/services/cvc
The WSP exposes the Service Contract described earlier, and is using the Information Exchange Service
Contract Implementation Library. The WSP Service Contract is stated in the following files:
src/wsdl/CommercialVehicleCollisionExchangeSchema.xsd
src/wsdl/CommercialVehicleCollisionMessageSchema.xsd
src/wsdl/CommercialVehicleCollisionWebserviceImpl.wsdl
src/wsdl/CommercialVehicleCollisionWebserviceIntf.wsdl
The WSP includes a preconfigured trust keystore and private keystore:
src/main/resources/META-INF/curewspm1-cacerts.jks
src/main/resources/META-INF/curewspm1-keystore.jks
3.1.4.2.1 WSP SLA Implementation
The WSP uses an SLA security policy stipulated in the “CommercialVehicleCollisionWebserviceIntf.wsdl”.
The SLA for a WSP is subject to the GFIPM WS S2S Consumer-Provider SIP specification requirements
and is included in the Attachment F: Sample SLA Security Policy for WSP Model 1. The WSP SLA uses
mutual certificates for authentication, message integrity, and confidentiality protection.
3.1.4.2.2 Certificate Validation
The WSP provides a certificate validator configured through the service WSDL
(CommercialVehicleCollisionWebserviceIntf.wsdl) as follows:
<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
    <sc:Validator name="certificateValidator"
                  classname="gov.niem.ws.sample.cvc.service.GFIPMCertificateValidator"/>
</sc:ValidatorConfiguration>
The custom certificate validator class, “gov.niem.ws.sample.cvc.service.GFIPMCertificateValidator”,
provides X.509 certificate validation. The certificate validator uses the “src\main\resources\gfipm-security-env.properties” properties file to initialize and use a keystore that is shipped with the
application. Furthermore, the GFIPMCertificateValidator class provides certificate validation according
to the GFIPM WS S2S Consumer-Provider SIP normative conformance requirements in the S2S section
8.1.2. The code snippet below shows how to validate the certificate against the GFIPM CTF and how to
obtain an access control decision based on the WSC Entity attributes listed in the GFIPM CTF.
Note that the code in this snippet is hard-coding an access control policy. In production environment, it
is recommended that the access control decision making be abstracted out into a separate Policy
Decision Point (PDP) component using an access control framework such as the XACML framework. See
the Global Privacy Policy Technical Framework [GPPTF] for more information about integrating with an
access control framework.
The access control decision could also be obtained in the actual WSP service implementation as shown
in the chapter 3.1.4.2.3 on WSP Service Implementation.
private static TrustFabric tf = TrustFabricFactory.getInstance();

private boolean isAuthorized(X509Certificate certificate) {
    String entityId = tf.getEntityId(certificate);
    if (entityId == null) {
        log.log(Level.WARNING, "Certificate used by the peer is not in the GFIPM Trust Fabric: "
                + certificate.getSubjectDN());
        return false;
    }
    //GFIPM Entity (entityId) should belong to WSC only
    //Add access control decisions based on the GFIPM CTF entityAttributes
    if (tf.isWebServiceConsumer(entityId)) {
        String ownerAgencyCountryCode = tf.getGfipmEntityAttribute(entityId,
                "gfipm:2.0:entity:OwnerAgencyCountryCode");
        //As an example the current WSP SLA allows only country codes US and VQ.
        //equalsIgnoreCase is null-safe, so a missing attribute is rejected rather than throwing.
        //(The earlier form "!((VQ != x) || (US != x))" could never be true and therefore never rejected.)
        if (!("VQ".equalsIgnoreCase(ownerAgencyCountryCode)
                || "US".equalsIgnoreCase(ownerAgencyCountryCode))) {
            log.log(Level.WARNING, "WSP: WSC Entity connecting to this WSP should have "
                    + "OwnerAgencyCountryCode as VQ or US. Retrieved agency ID from TF is: "
                    + ownerAgencyCountryCode);
            return false;
        }
    } else {
        log.log(Level.WARNING, "Entity connecting to this WSP should be listed as WSC in the GFIPM "
                + "Trust Fabric, entity id :" + entityId);
        return false;
    }
    return true;
}//isAuthorized
3.1.4.2.3 WSP Service Implementation
The WSP service is implemented by the CommercialVehicleCollisionWebServiceImpl class located in the
“src/main/java/gov/niem/ws/sample/cvc/service” directory.
The service implementation class provides sample code for obtaining the access control decision based
on the invoked method and the credentials of the WSC that attempts to access the functionality. Note that
the code hard-codes an access control policy. In a production environment, it is recommended that
access control decision making be abstracted out into a separate Policy Decision Point (PDP)
component using an access control framework such as the XACML framework. See the Global Privacy
Policy Technical Framework [GPPTF] for more information about integrating with an access control
framework.
GFIPMAuthorizationProvider.isAuthorized(GFIPMAuthorizationProvider.getCurrentMethodName(),
wsContext);
The “GFIPMAuthorizationProvider” class provides a sample implementation for obtaining the access
control decision based on the WSC attributes in the GFIPM CTF and is implemented as follows:
private static TrustFabric tf = TrustFabricFactory.getInstance();

public static boolean isAuthorized(String methodName, WebServiceContext wsContext) {
    boolean isAuthorized = false;
    try {
        if (SubjectAccessor.getRequesterSubject(wsContext) != null) {
            for (Iterator<Object> it =
                    SubjectAccessor.getRequesterSubject(wsContext).getPublicCredentials().iterator();
                    it.hasNext();) {
                Object publicCredentialsObject = it.next();
                if (publicCredentialsObject instanceof X509Certificate) {
                    X509Certificate subjectX509Certificate = (X509Certificate) publicCredentialsObject;
                    //Delegate ID is determined from Entity Certificate.
                    String wscId = tf.getEntityId(subjectX509Certificate);
                    //Provide authorization decision for the WSC to execute method
                    //(wscId is null when the certificate is not in the CTF: deny)
                    if (wscId != null && tf.isWebServiceConsumer(wscId)
                            && "gov.niem.ws.sample.cvc.service.CommercialVehicleCollisionWebServiceImpl.getDocument"
                                    .equals(methodName)) {
                        //In this example any WSC from the CTF is authorized to execute this method
                        isAuthorized = true;
                    }
                }
            }
        }
    } catch (XWSSecurityException ex) {
        logger.log(Level.SEVERE, "Unable to get UserPrincipal", ex);
    } catch (Exception e) {
        logger.log(Level.SEVERE, "Unknown exception", e);
    }
    return isAuthorized;
}
The class also provides business logic operations that are not subject to GFIPM WS S2S requirements.
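Both snippets in 3.1.4.2.2 and 3.1.4.2.3 embed the rule (which role, which country codes, which method) inside the enforcement point. The class below is an added example, not code from the GWSS2SPSI, of the first step this document recommends: moving the rule into a policy object consulted by both the certificate validator and the service implementation. The EntityLookup interface is this example's own abstraction over the two TrustFabric calls the snippets use (isWebServiceConsumer and getGfipmEntityAttribute), so the decision logic can be exercised against a constructed in-memory fabric; an adapter over the real TrustFabric simply forwards both calls. The entity Ids and country codes in sampleFabric() are constructed test data, not values from the federation CTF.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class WspAccessPolicy {

    /** The two CTF lookups the snippets rely on, behind an interface so the rules are testable. */
    public interface EntityLookup {
        boolean isWebServiceConsumer(String entityId);
        String getGfipmEntityAttribute(String entityId, String attributeName);
    }

    static final String COUNTRY_ATTR = "gfipm:2.0:entity:OwnerAgencyCountryCode";

    private final EntityLookup lookup;
    private final Map<String, Set<String>> allowedCountriesByMethod = new HashMap<>();

    public WspAccessPolicy(EntityLookup lookup) {
        this.lookup = lookup;
    }

    /** Declares which OwnerAgencyCountryCode values may call a method. Undeclared methods are denied. */
    public WspAccessPolicy allow(String methodName, String... countryCodes) {
        Set<String> codes = new HashSet<>();
        for (String code : countryCodes) {
            codes.add(code.toUpperCase(Locale.ROOT));
        }
        allowedCountriesByMethod.put(methodName, codes);
        return this;
    }

    /** Default-deny: unknown entity, non-WSC role, missing attribute or undeclared method all deny. */
    public boolean decide(String entityId, String methodName) {
        if (entityId == null || methodName == null) {
            return false;
        }
        if (!lookup.isWebServiceConsumer(entityId)) {
            return false;   // only entities the CTF lists as WSC may call this WSP
        }
        Set<String> allowed = allowedCountriesByMethod.get(methodName);
        if (allowed == null) {
            return false;   // no rule for this method
        }
        String countryCode = lookup.getGfipmEntityAttribute(entityId, COUNTRY_ATTR);
        return countryCode != null && allowed.contains(countryCode.trim().toUpperCase(Locale.ROOT));
    }

    /** Constructed in-memory fabric standing in for the CTF; ids and attributes are test data only. */
    static EntityLookup sampleFabric() {
        final Map<String, String> country = new HashMap<>();
        country.put("example-wsc-1", "US");     // WSC whose country is inside the policy
        country.put("example-wsc-2", "FR");     // WSC whose country is outside the policy
        final Set<String> wscs = new HashSet<>(Arrays.asList("example-wsc-1", "example-wsc-2"));
        return new EntityLookup() {
            public boolean isWebServiceConsumer(String id) { return wscs.contains(id); }
            public String getGfipmEntityAttribute(String id, String attr) {
                return COUNTRY_ATTR.equals(attr) ? country.get(id) : null;
            }
        };
    }

    public static void main(String[] args) {
        String getDocument =
            "gov.niem.ws.sample.cvc.service.CommercialVehicleCollisionWebServiceImpl.getDocument";
        WspAccessPolicy policy = new WspAccessPolicy(sampleFabric()).allow(getDocument, "US", "VQ");
        System.out.println(policy.decide("example-wsc-1", getDocument));   // country in the list
        System.out.println(policy.decide("example-wsc-2", getDocument));   // country not in the list
        System.out.println(policy.decide("example-wsp-1", getDocument));   // entity that is not a WSC
        System.out.println(policy.decide("example-wsc-1", "otherMethod")); // method with no rule
    }
}
```

Keeping the rule table in one object means the certificate validator (which sees only the X.509 certificate) and the service implementation (which also knows the invoked method) cannot drift apart, and the table is what would later be replaced by a call to an external PDP.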
3.1.5 GFIPM WS S2S User-Consumer-Provider (Model 2/Model 8) Implementation
This section covers implementation of the components that are specific to the GFIPM WS S2S User-Consumer-Provider Service Interaction Profile (Model 2/Model 8) implementation.
3.1.5.1 IDP/ADS STS Implementation (Model 8)
In the sample implementation users are authenticated through Identity Provider Security Token Service
(IDP STS). The IDP STS issues SAML 2.0 Assertion to authenticated users. The Assertion uses GFIPM
Metadata attributes. The sample implementation also includes an Assertion Delegate Service (ADS STS)
that issues SAML 2.0 Assertion tokens based on the original SAML token obtained by the user from IDP
STS during authentication phase. The new SAML token includes all GFIPM attributes from the original
SAML token and adds SAML Delegation information as described in GFIPM WS S2S User-Consumer-Provider SIP 8.8. The re-issued SAML token is used by the WSC to submit requests to the WSP.
An IDP STS and an ADS STS share the same code for the SAML token generation. While the IDP STS
provides the GFIPM attribute generation, the ADS STS copies attributes from the presented SAML
Assertion token. The IDP STS and ADS STS expose different SLA policies and have different
authentication mechanisms. Message validation also differs depending on functional requirements of
the IDP or the ADS. The IDP and the ADS endpoints implement the WS-Trust 1.3 specification based on
the S2S baseline requirements for GRA conformance.
To support the GlassFish JSR-196 deployment and HTTPS (HTTP over TLS 1.x), IDP/ADS STS certificates
are installed in the default Glassfish’s domain trust store (/var/opt/glassfish/domain1/config/cacerts.jks)
and private keystore (/var/opt/glassfish/domain1/config/keystore.jks). For the details on STS
deployment see the installation documentation Readme.txt.
3.1.5.1.1 Token Generation
The SAML Token generation is performed by the “gov.niem.ws.sample.cvc.sts.GFIPMSTSTokenProvider”
class, which is located in the “src/main/java/gov/niem/ws/sample/cvc/sts” directory. This class extends
“com.sun.xml.ws.security.trust.impl.DefaultSAMLTokenProvider” class and implements the
“com.sun.xml.ws.api.security.trust.STSTokenProvider” interface. This class overrides the
“generateToken” method in “DefaultSAMLTokenProvider”.
The STS Token Provider is configured through the “com.sun.xml.ws.api.security.trust.STSTokenProvider”
file located in the “src/main/resources/META-INF/services” directory.
For the token type "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0", the
Token Provider implementation manually sets subject confirmation method to
“urn:oasis:names:tc:SAML:2.0:cm:sender-vouches”.
The following code snippet shows how to check whether an OnBehalfOf request was submitted to the
STS and how to retrieve the OnBehalfOf token. The code also shows how to obtain the WSC
intermediary entity ID (or Delegate Id) from the GFIPM CTF based on the certificate from the requestor.
private static TrustFabric tf = TrustFabricFactory.getInstance();

public void generateToken(IssuedTokenContext ctx) throws WSTrustException {
    Boolean isOnBehalfOf = Boolean.parseBoolean(ctx.getOtherProperties().get("OnBehalfOf"));
    //delegateId is an entity which is requesting token
    String delegateId = null;
    Element onBehalfOfToken = null;
    Set<Object> publicCred = ctx.getRequestorSubject().getPublicCredentials();
    for (Iterator<Object> it = publicCred.iterator(); it.hasNext();) {
        Object publicCredentialsObject = it.next();
        if (publicCredentialsObject instanceof X509Certificate) {
            X509Certificate subjectX509Certificate = (X509Certificate) publicCredentialsObject;
            //Delegate ID is determined from Entity Certificate number.
            delegateId = tf.getEntityId(subjectX509Certificate);
        } else if (publicCredentialsObject instanceof Element) {
            onBehalfOfToken = (Element) publicCredentialsObject;
        }
    }
}
A SAML Token Assertion included within an “OnBehalfOf” element has to be validated according to the
normative conformance requirements outlined in section 8.8.2 of the S2S. Sample code validating the
included SAML Token Assertion can be located in the GWSS2SPSI in the
“gov.niem.ws.sample.cvc.sts.GFIPMSTSTokenProvider” class.
The sample code in “gov.niem.ws.sample.cvc.sts.GFIPMSTSTokenProvider” also shows how to generate
SAML 2.0 Assertion and how to sign it according to S2S specification.
3.1.5.1.2 Attribute Generation
The SAML Attribute generation is performed by the “GFIPMSTSAttributeProvider” class located in the
“src/main/java/gov/niem/ws/sample/cvc/sts” directory. This class implements the
“com.sun.xml.ws.api.security.trust.STSAttributeProvider” interface. A custom STS Attribute Provider is
configured through the “com.sun.xml.ws.api.security.trust.STSAttributeProvider” file located in the
“src/main/resources/META-INF/services” directory.
For a request sent to the IDP STS, the attribute provider creates new GFIPM User Assertion attributes as
shown on the following code snippet:
Map<QName, List<String>> attrs = new HashMap<QName, List<String>>();
addAttribute(attrs, "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "gfipm:2.0:user:EmployerName", "Dundler Mifflin");

private void addAttribute(Map<QName, List<String>> attrs, String nameFormat, String name,
        String value) {
    QName testQName = new QName(nameFormat, name);
    List<String> testAttrs = new ArrayList<String>();
    testAttrs.add(value);
    attrs.put(testQName, testAttrs);
}
For the request to the ADS using OnBehalfOf, the attribute provider copies attributes from the original
SAML Assertion token. There are several ways to obtain the SAML Assertion from the OnBehalfOf
element. Obtaining the original SAML Assertion through subject’s public credentials is shown on the
code snippet below:
Set<Object> publicCredential = subject.getPublicCredentials();
Element onBehalfOfElement = null;
for (Object obj : publicCredential) {
    if (obj instanceof XMLStreamReader) {
        XMLStreamReader reader = (XMLStreamReader) obj;
        onBehalfOfElement = SAMLUtil.createSAMLAssertion(reader);
    } else if (obj instanceof Element) {
        onBehalfOfElement = (Element) obj;
    }
}
Obtaining the original SAML Assertion through Claims is shown in the code snippet below:
public Map<QName, List<String>> getClaimedAttributes(Subject subject, String appliesTo,
        String tokenType, Claims claims) {
    Map<QName, List<String>> attrs = new HashMap<QName, List<String>>();
    if ("true".equals(claims.getOtherAttributes().get(new QName("OnBehalfOf")))) {
        // Get the OnBehalfOf token
        Element token = null;
        for (Object obj : claims.getSupportingProperties()) {
            if (obj instanceof Subject) {
                token = (Element) ((Subject) obj).getPublicCredentials().iterator().next();
                break;
            }
        }
        //retrieve attributes from the original token and add them to the new assertion
        //(addAttributes is the attribute provider's own helper, not shown here)
        addAttributes(token, attrs, true);
    }
    return attrs;
}
3.1.5.1.3 IDP SLA Implementation
The IDP STS is deployed under the following URL: https://cureidpm2:8181/m2sts/services/idp?wsdl
The IDP STS is implemented by the “gov.niem.ws.sample.cvc.sts.IDPImpl” class located in the
“src/main/java/gov/niem/ws/sample/cvc/sts” directory.
The IDP STS uses the SLA security policy stipulated in the “src/wsdl/idp.wsdl” file. The SLA for the IDP
STS is not subject to S2S specification requirements. Attachment D: Sample SLA Security Policy for IDP
STS includes two sample alternatives available for user authentication to the IDP: (1) Using Username
Token and Secure Transport, and (2) Using Username Token and Server Certificate.
User authentication for user name / password combination is provided through the sample
“gov.niem.ws.sample.cvc.service.GFIPMUsernamePasswordValidator” class. The Username validator for
Metro is configured through the “src/wsdl/idp.wsdl” file as follows:
<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
    <sc:Validator name="usernameValidator"
                  classname="gov.niem.ws.sample.cvc.service.GFIPMUsernamePasswordValidator"/>
</sc:ValidatorConfiguration>
The sample includes the hardcoded user name and password pairs “bob:bob” and “alice:alice”.
The IDP STS configuration in “src/wsdl/idp.wsdl” allows the service to issue tokens only for the WSC
Service EndPoints (SEP) of “curewscm2” and “ha50wscm2” as shown on the code snippet below:
<tc:STSConfiguration wspp:visibility="private" encryptIssuedKey="false"
encryptIssuedToken="false">
<tc:Contract>com.sun.xml.ws.security.trust.impl.WSTrustContractImpl</tc:Contract>
<tc:LifeTime>300000</tc:LifeTime>
<tc:Issuer>cureidpm2</tc:Issuer>
<tc:ServiceProviders>
<!-- Metro WSC -->
<tc:ServiceProvider endpoint="https://curewscm2:8181/m2wsc/services/cvc">
<tc:CertAlias>curewscm2</tc:CertAlias>
<tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
</tc:ServiceProvider>
<!-- .NET WSC -->
<tc:ServiceProvider endpoint="https://ha50wscm2:8643/Model2/Service.svc">
<tc:CertAlias>ha50wscm2</tc:CertAlias>
<tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
</tc:ServiceProvider>
</tc:ServiceProviders>
</tc:STSConfiguration>
3.1.5.1.4 ADS SLA Implementation
The ADS STS is deployed under the following URL: https://cureidpm2:8181/m2sts/services/sts?wsdl
The ADS STS is implemented by the gov.niem.ws.sample.cvc.sts.STSImpl class located in the
“src/main/java/gov/niem/ws/sample/cvc/sts” directory.
The ADS STS uses the SLA security policy stipulated in the “src/wsdl/sts.wsdl” file. The SLA for an ADS
STS is subject to the GFIPM WS S2S Consumer-Provider Model 1 specification requirements and is
included in Attachment E: Sample SLA Security Policy for ADS STS. The ADS STS SLA uses mutual
certificate authentication as described in the WSP Implementation. In accordance with the S2S
Consumer-Provider Model 1 specification requirements, the ADS STS SLA requires the use of Transport
Level Security (TLS). TLS is implemented through the Glassfish domain container.
3.1.5.1.5 ADS Certificate Validation
To provide the WSC certificate validation against the GFIPM CTF, it is necessary to include a custom
certificate validator. A custom certificate validator is implemented in the
“gov.niem.ws.sample.cvc.service.GFIPMCertificateValidator” class, and is configured in the
“src/wsdl/sts.wsdl” file as follows:
<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
<sc:Validator name="certificateValidator"
classname="gov.niem.ws.sample.cvc.service.GFIPMCertificateValidator"/>
</sc:ValidatorConfiguration>
The custom certificate validator class, “gov.niem.ws.sample.cvc.service.GFIPMCertificateValidator”,
provides full X.509 certificate validation and shows an example of accessing the GFIPM CTF. The
certificate validator also shows how to initialize and access the keystore shipped with the application
using the “src/main/resources/gfipm-security-env.properties” properties file. The listing below shows
the location of the keystores within the IDP STS.
src/main/resources/META-INF/cureidpm2-cacerts.jks
src/main/resources/META-INF/cureidpm2-keystore.jks
Certificate validation can also be delegated to an abstracted access control policy framework such as the
XACML framework. The GFIPMCertificateValidator class provides certificate validation against the
GFIPM CTF as shown on the code snippet below:
String entityId = null;
entityId = tf.getEntityId(certificate);
// the certificate must map to a CTF entity, and that entity must be registered as a WSC
if ((entityId == null) || (!tf.isWebServiceConsumer(entityId))) {
    log.log(Level.WARNING, "Unauthorized attempt to access ADS");
    throw new CertificateValidationException("Unauthorized attempt to access ADS");
}
If validation against CTF Entity attributes is not necessary, and no end-user client certificates are
installed in the STS keystore, it is possible to rely on the default Metro/Glassfish built-in X.509 certificate
validation by uncommenting the “certificateValidator” configuration in the file sts.wsdl.
3.1.5.2 WSC Implementation (Model 2)
The Web Service Consumer (WSC) for the User-Consumer-Provider (Model 2) SIP plays a double role and
structurally consists of two modules: WSC Service and WSC Client. The WSC works as a proxy service by
receiving the request from the Client, performing necessary business operations and applicable security
tasks, propagating the request to WSP, processing the response and finally propagating it back to the
Client.
The WSC includes a preconfigured trust keystore and private keystore that are used for both WSC
Service and WSC Client components.
src/main/resources/META-INF/curewscm2-cacerts.jks
src/main/resources/META-INF/curewscm2-keystore.jks
3.1.5.2.1 WSC Service Implementation
The WSC Service is responsible for accepting a request from Client and handling the initial SAML
Assertion token from the Client. This token is a prerequisite for subsequent exchanges described in S2S
for the Model 2.
The WSC Service is deployed under the following URL: https://curewscm2:8181/m2wsc/services/cvc
For simplicity, the WSC Service exposes the Service Contract that is described earlier, and uses the
Information Exchange Service Contract Implementation Library. However, the WSC Service is not
subject to GFIPM WS S2S requirements. The WSC Service Contract is stated in the following files:
src/wsdl/CommercialVehicleCollisionExchangeSchema.xsd
src/wsdl/CommercialVehicleCollisionMessageSchema.xsd
src/wsdl/CommercialVehicleCollisionWebserviceImpl.wsdl
src/wsdl/CommercialVehicleCollisionWebserviceIntf.wsdl
The WSC Service uses the SLA security policy stipulated in the
“CommercialVehicleCollisionWebserviceIntf.wsdl” file. The WSC Service relies on default Glassfish /
Metro incoming requests certificate validation against certificates in trust keystores and is configured as
follows:
<sc:KeyStore wspp:visibility="private" location="curewscm2-keystore.jks" type="JKS"
storepass="changeit" alias="curewscm2"/>
<sc:TrustStore wspp:visibility="private" location="curewscm2-cacerts.jks" type="JKS"
storepass="changeit"/>
The WSC Service SLA policy requires the Client to present a SAML 2.0 Assertion Token obtained from an
IDP STS. No Issuer is specified, leaving it up to the client to determine which IDP STS to contact to obtain
the SAML Assertion Token. An obtained token will use “urn:oasis:names:tc:SAML:2.0:cm:bearer” as the
value for the Method attribute in the SubjectConfirmation element, according to the WSC Service SLA
shown below:
<sp:SignedSupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<sp:RequestSecurityTokenTemplate>
<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference/>
</wsp:Policy>
</sp:IssuedToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
A client authenticates to an IDP STS of its choice (see IDP SLA Implementation) and obtains a SAML 2.0
Assertion token containing GFIPM Assertion Attributes, then submits a request to the WSC Service.
The WSC Service provides a SAML Assertion validator that is configured through the service WSDL
(CommercialVehicleCollisionWebserviceIntf.wsdl) as follows:
<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
<sc:Validator name="samlAssertionValidator"
classname="gov.niem.ws.sample.cvc.service.GFIPMSAMLAssertionValidatorWSC"/>
</sc:ValidatorConfiguration>
The SAML Assertion validator does not need to conform to the GFIPM WS S2S specification; however, it
provides sample code that shows how to process an incoming SAML Assertion token and prepare it
for later reuse in the application:
public void validate(XMLStreamReader xmlStreamerReader, Map map, Subject sbjct)
        throws SAMLValidationException {
    Element domSamlAssertion = SAMLUtil.createSAMLAssertion(xmlStreamerReader);
    // To be able to access the SAML assertion later through SubjectAccessor.getRequesterSubject(context),
    // add it to the subject's public credentials here
    sbjct.getPublicCredentials().add(domSamlAssertion);
}
The WSC Service is implemented by the CommercialVehicleCollisionWebServiceImpl class located in the
“src/main/java/gov/niem/ws/sample/cvc/service” directory.
The WSC Service obtains a reference to a current “javax.xml.ws.WebServiceContext” and invokes the
WSC Client to submit a request to a WSP as follows:
public class CommercialVehicleCollisionWebServiceImpl implements CommercialVehicleCollisionPortType {
    @Resource
    WebServiceContext wsContext;

    @Override
    public GetDocumentResponseType getDocument(GetDocumentRequestType parameters) {
        // the WSC Client uses the context to find the user's SAML assertion and call the WSP
        String wspIncidentText = (new CommercialVehicleCollisionWSCClient()).getIncidentText(wsContext);
3.1.5.2.2 WSC Client Implementation
The WSC Client is responsible for obtaining a new SAML Assertion token from ADS based on the initial
SAML token used by the command line Client. The WSC Client is also responsible for exchanges with
WSP.
The WSC Client uses the Information Exchange Service Contract Implementation Library to create a
connection to the WSP service, retrieves the SAML Assertion from the context where it was placed
previously by the SAMLAssertionValidator, sets the proper Service Endpoint for the WSP, and then invokes
the WSP service call.
CommercialVehicleCollisionPortType cvcPort;
CommercialVehicleCollisionWebService cvsWebService;
cvsWebService = new CommercialVehicleCollisionWebService(new URL(wsdlUrl),
        new QName("urn:examples.com:techniques:iepd:commercialVehicleCollision:ws:2.0",
                "CommercialVehicleCollisionWebService"));
// the user's IDP-issued assertion, stored in the subject by the WSC Service validator
Token samlToken = new GenericToken(GFIPMUtil.getSAMLAssertion(context));
MTOMFeature mtomFeature = new MTOMFeature(true);
cvcPort = cvsWebService.getCommercialVehicleCollisionPort(new WebServiceFeature[]{mtomFeature});
// put initial SAML assertion obtained from STS back into request for SamlCallbackHandler
((BindingProvider) cvcPort).getRequestContext().put("userSAMLAssertion",
        samlToken.getTokenValue());
// set Service Endpoint
((BindingProvider) cvcPort).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, sepUrl);
GetDocumentResponseType getDocumentResponseType;
getDocumentResponseType = cvcPort.getDocument(getDocumentRequestType);
During the invocation of the WSP service, based on the retrieved WSP SLA policy, the WSC Client invokes
the local “gov.niem.ws.sample.cvc.client.GFIPMWSCSamlCallbackHandler” class to obtain the required
WSP SAML Assertion token that is to be provided to the WSP.
When invoked, the SAML callback handler retrieves the original SAML Assertion token of the user from
the callback runtime properties and then requests a new SAML Assertion. A new SAML Assertion is set
for the call to the WSP. The code snippet below shows the steps that are described above:
for (int i = 0; i < callbacks.length; i++) {
    if (callbacks[i] instanceof SAMLCallback) {
        SAMLCallback samlCallback = (SAMLCallback) callbacks[i];
        Map<String, Object> runtimeProps = samlCallback.getRuntimeProperties();
        // original IDP-issued assertion placed in the request context by the WSC Client
        Element samlAssertion = (Element) runtimeProps.get("userSAMLAssertion");
        // exchange it at the ADS for the assertion that will be sent to the WSP
        samlAssertion = getNewSAMLAssertionFromSTS(samlAssertion);
        samlCallback.setAssertionElement(samlAssertion);
    }
}
The code snippet below shows how to retrieve a new SAML Assertion from an ADS STS. In conformance
with the S2S ADS SIP section 8.8, the request sent to an ADS uses the “OnBehalfOf” element to include
the original SAML Assertion that the user received from an IDP STS. The code also shows how to
dynamically obtain the ADS service endpoint and WSDL location from the GFIPM CTF. The Metro ADS
implementation keeps the service name, port name, and namespace consistent in the ADS WSDL, while
.NET implementations might have different values and will require code update to accommodate for
WSDL change.
// issuerEntityId (the ADS entity id in the CTF) and appliesTo (the WSP endpoint) are assumed to be
// fields of the callback handler; this snippet does not define them.
private Element getSAMLAssertionFromSTS(Element samlAssertion) throws WSTrustException {
    TrustFabric tf = TrustFabricFactory.getInstance();
    // the ADS endpoint and WSDL location are looked up dynamically in the GFIPM CTF
    String stsEndpoint = tf.getDelegatedTokenServiceEndpointAddress(issuerEntityId);
    String stsWSDLLocation = tf.getWsdlUrlAddress(issuerEntityId);
    String stsServiceName = "SecurityTokenService";
    String stsPortName = "ISecurityTokenService_Port";
    String stsNamespace = "http://tempuri.org/";
    DefaultSTSIssuedTokenConfiguration config = new DefaultSTSIssuedTokenConfiguration(
            STSIssuedTokenConfiguration.PROTOCOL_13, stsEndpoint, stsWSDLLocation,
            stsServiceName, stsPortName, stsNamespace);
    config.setTokenType(WSTrustConstants.SAML20_WSS_TOKEN_TYPE);
    // the user's original IDP-issued assertion travels in the OnBehalfOf element (S2S ADS SIP 8.8)
    config.setOBOToken(new GenericToken(samlAssertion));
    IssuedTokenManager manager = IssuedTokenManager.getInstance();
    IssuedTokenContext ctx = manager.createIssuedTokenContext(config, appliesTo);
    manager.getIssuedToken(ctx);
    Token issuedToken = ctx.getSecurityToken();
    return (Element) issuedToken.getTokenValue();
}
The WSC Client is configured through the Client-Side WSIT configuration file “wsit-client.xml” located in
the “src/main/resources/META-INF” directory. The Client-Side WSIT configuration file includes a
separate configuration file for the WSP and ADS as shown on the code snippet below:
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="mainclientconfig">
<import location="CommercialVehicleCollisionWebserviceImpl.xml"
namespace="urn:examples.com:techniques:iepd:commercialVehicleCollision:ws:2.0"/>
<import location="sts-client.xml" namespace="http://tempuri.org/"/>
</definitions>
The WSC Client configuration for the connection to the WSP
(“src/main/resources/META-INF/CommercialVehicleCollisionWebserviceIntf.xml”) includes settings for the
public and private certificates that should be used for the connection. The WSC Client configuration
also includes the SAML Callback handler described in detail previously:
<wsp:Policy wsu:Id="CalculatorServicePortBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<!-- WSP identity -->
<scl:TrustStore wspp:visibility="private" peeralias="curewspm2" storepass="changeit"
type="JKS" location="curewscm2-cacerts.jks"/>
<!-- WSC Client identity -->
<scl:KeyStore wspp:visibility="private" alias="curewscm2" storepass="changeit"
type="JKS" location="curewscm2-keystore.jks"/>
<scl:CallbackHandlerConfiguration wspp:visibility="private">
<scl:CallbackHandler name="samlHandler"
classname="gov.niem.ws.sample.cvc.client.GFIPMWSCSamlCallbackHandler"/>
</scl:CallbackHandlerConfiguration>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
The WSC Client configuration for the connection to the ADS (“src/main/resources/META-INF/sts-client.xml”)
also includes settings for the public and private certificates that should be used for the connection:
<wsp:Policy wsu:Id="STSClientKeystorePolicy"
xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy">
<wsp:ExactlyOne>
<wsp:All>
<sc:KeyStore wspp:visibility="private" location="curewscm2-keystore.jks" type="JKS"
storepass="changeit" alias="curewscm2"/>
<sc:TrustStore wspp:visibility="private" location="curewscm2-cacerts.jks" type="JKS"
storepass="changeit" peeralias="cureidpm2"/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Caching of the WSDL files to prevent WSDL queries is possible through the use of the
“src/main/resources/META-INF/jax-ws-catalog.xml” configuration file.
3.1.5.3 WSP Implementation (Model 2)
The WSP is responsible for accepting a request from a WSC which is listed in GFIPM CTF. The WSP must
conform to GFIPM WS S2S User-Consumer-Provider (Model 2) SIP requirements.
The WSP is deployed at the following URL: https://curewspm2:8181/m2wsp/services/cvc
The WSP exposes the Service Contract described earlier, and is using the Information Exchange Service
Contract Implementation Library. The WSP Service Contract is stated in the following files:
src/wsdl/CommercialVehicleCollisionExchangeSchema.xsd
src/wsdl/CommercialVehicleCollisionMessageSchema.xsd
src/wsdl/CommercialVehicleCollisionWebserviceImpl.wsdl
src/wsdl/CommercialVehicleCollisionWebserviceIntf.wsdl
The WSP includes a preconfigured trust keystore and private keystore:
src/main/resources/META-INF/curewspm2-cacerts.jks
src/main/resources/META-INF/curewspm2-keystore.jks
3.1.5.3.1 WSP SLA Implementation
The WSP uses the SLA security policy stipulated in the “CommercialVehicleCollisionWebserviceIntf.wsdl”
file. The SLA for a WSP is subject to the GFIPM WS S2S User-Consumer-Provider SIP specification
requirements and is included in the Attachment G: Sample SLA Security Policy for WSP Model 2. The
WSP SLA requires attaching a user’s SAML token with the message and uses mutual certificates for
authentication, message integrity and confidentiality protection.
The WSP SLA policy requires the WSC to present a SAML 2.0 Assertion Token that has been obtained
from an ADS STS. An obtained token must use “urn:oasis:names:tc:SAML:2.0:cm:sender-vouches” as the
value for the Method attribute in the SubjectConfirmation element. An SLA policy snippet for the WSP
is shown below:
<sp:SignedEncryptedSupportingTokens>
<wsp:Policy>
<sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssSamlV20Token11/>
</wsp:Policy>
</sp:SamlToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>
The WSP provides a SAML Assertion validator and a Certificate validator configured through the service
WSDL (CommercialVehicleCollisionWebserviceIntf.wsdl) as follows:
<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
<sc:Validator name="certificateValidator"
classname="gov.niem.ws.sample.cvc.service.GFIPMCertificateValidatorWSP"/>
<sc:Validator name="samlAssertionValidator"
classname="gov.niem.ws.sample.cvc.service.GFIPMSAMLAssertionValidatorWSP"/>
</sc:ValidatorConfiguration>
3.1.5.3.2 Certificate Validation
The WSP provides a certificate validator configured through the service WSDL
(CommercialVehicleCollisionWebserviceIntf.wsdl) as follows:
<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
<sc:Validator name="certificateValidator"
classname="gov.niem.ws.sample.cvc.service.GFIPMCertificateValidatorWSP"/>
</sc:ValidatorConfiguration>
The custom certificate validator class, “gov.niem.ws.sample.cvc.service.GFIPMCertificateValidatorWSP”,
provides X.509 certificate validation of the ADS certificate (that was used to sign the SAML Assertion)
and WSC certificate (that was used to connect to the WSP service). The certificate validator uses the
“src\main\resources\gfipm-security-env.properties” properties file to initialize and use the keystore that
is shipped with the application. Furthermore, the GFIPMCertificateValidatorWSP class provides
certificate validation according to the GFIPM WS S2S User-Consumer-Provider SIP normative
conformance requirements in section 8.2.2. The code snippet below shows how to validate the
certificate against the GFIPM CTF and how to obtain an access control decision based on the WSC Entity
attributes listed in the GFIPM CTF.
Note that the code in this snippet hard-codes an access control policy. In a production environment, it
is recommended that access control decision making be abstracted out into a separate Policy
Decision Point (PDP) component using an access control framework such as the XACML framework. See
the Global Privacy Policy Technical Framework [GPPTF] for more information about integrating with an
access control framework.
The access control decision could also be obtained in the actual WSP service implementation as shown
in the chapter 3.1.5.3.4 on WSP Service Implementation.
private static TrustFabric tf = TrustFabricFactory.getInstance();

private boolean isAuthorized(X509Certificate certificate) {
    String entityId = tf.getEntityId(certificate);
    if (entityId == null) {
        log.log(Level.WARNING, "Certificate used by the peer is not in the GFIPM Trust Fabric: "
                + certificate.getSubjectDN());
        return false;
    }
    /* GFIPM Entity (entityId) should belong to a WSC or an IDP. The IDP case is possible because this
       validator also checks the certificate used to sign the SAML Assertion, so this code runs for
       both certificates: the WSC's and the IDP's. */
    if (tf.isWebServiceProvider(entityId)) {
        log.log(Level.WARNING, "Entity connecting to this WSP should be listed as WSC or IDP in the "
                + "GFIPM Trust Fabric, entity id: " + entityId);
        return false;
    }
    // add any access control decisions based on the GFIPM CTF entityAttributes
    if (tf.isWebServiceConsumer(entityId)) {
        String ownerAgencyCountryCode = tf.getGfipmEntityAttribute(entityId,
                "gfipm:2.0:entity:OwnerAgencyCountryCode");
        // As an example, the current WSP SLA allows only the country codes US and VQ.
        // equalsIgnoreCase is null-safe, so a missing attribute is denied rather than throwing.
        if (!("VQ".equalsIgnoreCase(ownerAgencyCountryCode)
                || "US".equalsIgnoreCase(ownerAgencyCountryCode))) {
            log.log(Level.WARNING, "WSP: WSC Entity connecting to this WSP should have "
                    + "OwnerAgencyCountryCode as VQ or US. Retrieved agency ID from TF is: "
                    + ownerAgencyCountryCode);
            return false;
        }
    }
    return true;
} // isAuthorized
3.1.5.3.3 SAML Assertion Validation
The custom SAML Assertion validator provides checks according to the GFIPM WS S2S User-Consumer-
Provider SIP normative conformance requirements in section 8.2.2 and follows the GFIPM-Specific SAML
Assertion Format Rules requirements as outlined in Appendix A of the S2S document. For the full
validation code sample see the GFIPMSAMLAssertionValidatorWSP class. After validation is complete it
is necessary to add the obtained object to the subject’s public credentials for future reuse.
public void validate(XMLStreamReader xmlStreamerReader, Map map, Subject sbjct)
        throws SAMLValidationException {
    Element domSamlAssertion = SAMLUtil.createSAMLAssertion(xmlStreamerReader);
    // … validation code …
    // if we want to be able to access the SAML assertion later on we have to add it here
    sbjct.getPublicCredentials().add(domSamlAssertion);
}
3.1.5.3.4 WSP Service Implementation
The WSP service is implemented by the CommercialVehicleCollisionWebServiceImpl class located in the
“src/main/java/gov/niem/ws/sample/cvc/service” directory.
If, for any business logic reasons, access to SAML Assertion is needed, it is possible to obtain a reference
to the assertion with the following code:
@Resource
WebServiceContext wsContext;

static { DelegateUtil.initDelegateJAXBContext(); }

@Override
public GetDocumentResponseType getDocument(GetDocumentRequestType parameters) {
    // if for any reason we need access to the assertion that the user came in with,
    // here is how to get the Assertion from the Context
    Element samlAssertion = GFIPMUtil.getSAMLAssertion(wsContext);
    Assertion assertion = AssertionUtil.fromElement(samlAssertion);
The WSP service implementation class obtains the access control decision based on the invoked
method, the WSC credentials, and the GFIPM SAML Assertion of the user.
String currentMethodName = GFIPMAuthorizationProvider.getCurrentMethodName();
GFIPMAuthorizationProvider.isServiceAuthorized(currentMethodName, wsContext );
GFIPMAuthorizationProvider.isUserAuthorized(currentMethodName, samlAssertion );
The “GFIPMAuthorizationProvider” class provides implementation of the access control decision logic
based on the WSC CTF GFIPM attributes, and GFIPM SAML Assertion of the user.
The following code snippet from the “GFIPMAuthorizationProvider” class shows how to obtain
authorization access control decision for the user based on the presented GFIPM SAML Assertion:
public static boolean isUserAuthorized(String methodName, Element userSAMLAssertion) {
    Assertion assertion = AssertionUtil.fromElement(userSAMLAssertion);
    HashMap<String, String> attributesHashMap = new HashMap<String, String>();
    List<Object> statements = assertion.getStatements();
    for (Object s : statements) {
        if (s instanceof AttributeStatement) {
            for (Attribute samlAttr : ((AttributeStatement) s).getAttributes()) {
                // keep the first AttributeValue only; skip attributes that carry no value
                Iterator<?> values = samlAttr.getAttributes().iterator();
                if (values.hasNext()) {
                    attributesHashMap.put(samlAttr.getName(), (String) values.next());
                }
            }
        }
    } // for statements
    return isAuthorized(attributesHashMap);
}
Where the GFIPM attribute validation is performed in the following function:
private static Boolean isAuthorized(HashMap<String, String> attributesHashMap) {
    // Check gfipm:2.0:user:SwornLawEnforcementOfficerIndicator and
    // gfipm:2.0:user:CitizenshipCode. equalsIgnoreCase is null-safe, so a missing
    // attribute results in a deny instead of a NullPointerException.
    if ("true".equalsIgnoreCase(attributesHashMap.get("gfipm:2.0:user:SwornLawEnforcementOfficerIndicator"))
            && "US".equalsIgnoreCase(attributesHashMap.get("gfipm:2.0:user:CitizenshipCode"))) {
        return true;
    }
    return false;
}
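The user attribute policy above, combined with the sender-vouches SubjectConfirmation check the WSP SAML validator (3.1.5.3.3) must make, as an added stand-alone example that is not project code: it parses a constructed SAML 2.0 Assertion with the JDK DOM parser (no Metro dependency, signature verification omitted) and applies the same policy null-safely. The class, method names and the sample assertion are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example (hypothetical class, not project code): WSP-side checks on a SAML 2.0 Assertion. */
public class GfipmAssertionAuthzExample {

    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches";
    static final String SWORN_LEO = "gfipm:2.0:user:SwornLawEnforcementOfficerIndicator";
    static final String CITIZENSHIP = "gfipm:2.0:user:CitizenshipCode";

    /** Method attribute of the first SubjectConfirmation, or null when the element is absent. */
    static String subjectConfirmationMethod(Element assertion) {
        NodeList scs = assertion.getElementsByTagNameNS(SAML2_NS, "SubjectConfirmation");
        if (scs.getLength() == 0) return null;
        Element sc = (Element) scs.item(0);
        return sc.hasAttribute("Method") ? sc.getAttribute("Method") : null;
    }

    /** Flattens every Attribute in the AttributeStatements into name -> first AttributeValue text. */
    static Map<String, String> extractAttributes(Element assertion) {
        Map<String, String> attrs = new HashMap<>();
        NodeList attributes = assertion.getElementsByTagNameNS(SAML2_NS, "Attribute");
        for (int i = 0; i < attributes.getLength(); i++) {
            Element a = (Element) attributes.item(i);
            NodeList values = a.getElementsByTagNameNS(SAML2_NS, "AttributeValue");
            if (values.getLength() > 0) {
                attrs.put(a.getAttribute("Name"), values.item(0).getTextContent().trim());
            }
        }
        return attrs;
    }

    /** Same policy as the page's isAuthorized(HashMap): a missing attribute denies, never throws. */
    static boolean isAuthorized(Map<String, String> attrs) {
        return "true".equalsIgnoreCase(attrs.get(SWORN_LEO))
                && "US".equalsIgnoreCase(attrs.get(CITIZENSHIP));
    }

    /** WSP decision: the ADS-issued token must be sender-vouches, then the user attributes decide. */
    static boolean isUserAuthorized(Element assertion) {
        if (!SENDER_VOUCHES.equals(subjectConfirmationMethod(assertion))) return false;
        return isAuthorized(extractAttributes(assertion));
    }

    /** Namespace-aware DOM parse with DTD and external entity expansion disabled. */
    static Element parseAssertion(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement();
    }

    // Constructed sample assertion (not a real token). The Signature element is omitted because this
    // example covers only the policy step; in the WSP the Metro stack verifies the ADS signature first.
    static final String SAMPLE =
            "<saml:Assertion xmlns:saml=\"" + SAML2_NS + "\" ID=\"_constructed\" Version=\"2.0\">"
          + "<saml:Issuer>cureidpm2</saml:Issuer>"
          + "<saml:Subject><saml:NameID>alice</saml:NameID>"
          + "<saml:SubjectConfirmation Method=\"" + SENDER_VOUCHES + "\"/></saml:Subject>"
          + "<saml:AttributeStatement>"
          + "<saml:Attribute Name=\"" + SWORN_LEO + "\">"
          + "<saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>"
          + "<saml:Attribute Name=\"" + CITIZENSHIP + "\">"
          + "<saml:AttributeValue>US</saml:AttributeValue></saml:Attribute>"
          + "</saml:AttributeStatement></saml:Assertion>";

    public static void main(String[] args) throws Exception {
        Element a = parseAssertion(SAMPLE);
        System.out.println("alice authorized: " + isUserAuthorized(a));
        // an assertion with no attribute statement is denied without a NullPointerException
        System.out.println("empty attributes: " + isAuthorized(new HashMap<>()));
        // a bearer token (as issued by the IDP to the Client) is not acceptable at the WSP
        Element bearer = parseAssertion(SAMPLE.replace(SENDER_VOUCHES,
                "urn:oasis:names:tc:SAML:2.0:cm:bearer"));
        System.out.println("bearer token: " + isUserAuthorized(bearer));
    }
}
```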
The following code snippet from the “GFIPMAuthorizationProvider” class shows how to obtain access
control decision based on the WSC CTF GFIPM attributes:
public static boolean isAuthorized(String methodName, WebServiceContext wsContext) {
    boolean isAuthorized = false;
    try {
        if (SubjectAccessor.getRequesterSubject(wsContext) != null) {
            for (Iterator<Object> it =
                    SubjectAccessor.getRequesterSubject(wsContext).getPublicCredentials().iterator();
                    it.hasNext();) {
                Object publicCredentialsObject = it.next();
                if (publicCredentialsObject instanceof X509Certificate) {
                    X509Certificate subjectX509Certificate = (X509Certificate) publicCredentialsObject;
                    // Delegate ID is determined from the Entity Certificate.
                    String wscId = tf.getEntityId(subjectX509Certificate);
                    // Provide authorization decision for the WSC to execute methodName
                    if (tf.isWebServiceConsumer(wscId)
                            && "gov.niem.ws.sample.cvc.service.CommercialVehicleCollisionWebServiceImpl.getDocument"
                                    .equals(methodName)) {
                        // In this example any WSC from the CTF is authorized to execute this method
                        isAuthorized = true;
                    }
                }
            }
        }
    } catch (XWSSecurityException ex) {
        logger.log(Level.SEVERE, "Unable to get UserPrincipal", ex);
    }
    return isAuthorized;
}
Note that the code hard-codes an access control policy. In a production environment, it is
recommended that access control decision making be abstracted out into a separate Policy Decision
Point (PDP) component using an access control framework such as the XACML framework. See the
Global Privacy Policy Technical Framework [GPPTF] for more information about integrating with an
access control framework.
The WSP service implementation class includes business logic operations that are not subject to GFIPM
WS S2S requirements.
3.1.5.4 GFIPM Client (Model 2)
The Client is responsible for communication with the WSC. The Client uses the Information Exchange
Service Contract Implementation Library to create a connection to the WSC service, retrieves the WSDL,
sets proper Service Endpoint, connects to the IDP STS, obtains SAML Assertion from an IDP, and then
invokes the WSC service.
The Client is configured through the Client-Side WSIT [WSIT] configuration file “wsit-client.xml” located
in the “src/main/resources/META-INF” directory. The Client-Side WSIT configuration file includes a
separate configuration file for the WSC and IDP as shown on the code snippet below:
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="mainclientconfig">
<import location="CommercialVehicleCollisionWebserviceImpl.xml"
namespace="urn:examples.com:techniques:iepd:commercialVehicleCollision:ws:2.0"/>
<import location="net-sts-client.xml"
namespace="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice"/>
<import location="sts-client.xml" namespace="http://tempuri.org/"/>
</definitions>
The Client configuration for the connection to the WSC
(“src/main/resources/META-INF/CommercialVehicleCollisionWebserviceIntf.xml”) includes settings for the
WSC public certificate that should be used for the connection.
<wsp:Policy wsu:Id="CalculatorServicePortBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<!-- WSC identity -->
<scl:TrustStore wspp:visibility="private" peeralias="curewscm2" storepass="changeit"
type="JKS" location="cure-client-cacerts.jks"/>
<!-- Username / Password based IDP Metro https,
works with sp:TransportBinding in idp.wsdl -->
<tc:PreconfiguredSTS
wspp:visibility="private"
shareToken="false"
xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/client"
wstVersion="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
endpoint="https://cureidpm2:8181/m2sts/services/idp"
wsdlLocation="http://cureidpm2:8080/m2sts/services/idp?wsdl"
serviceName="IdentityProviderService"
portName="IIdentityProviderService_Port"
namespace="http://tempuri.org/">
</tc:PreconfiguredSTS>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
The Client configuration does not include a SAML Callback handler since the IDP configuration is
specified through PreconfiguredSTS and Metro automatically sends token request to the specified IDP.
It is possible to configure the Client in the code as shown in the code snippet below:
private static DefaultSTSIssuedTokenConfiguration getDefaultSTSIssuedTokenConfiguration() {
//Metro Username Token
String stsEndpoint = "https://cureidpm2:8181/m2sts/services/idp";
String stsWSDLLocation = "https://cureidpm2:8181/m2sts/services/idp?wsdl";
String stsServiceName = "IdentityProviderService";
String stsPortName = "IIdentityProviderService_Port";
String stsNamespace = "http://tempuri.org/";
DefaultSTSIssuedTokenConfiguration stsIssuedTokenConfiguration = new
DefaultSTSIssuedTokenConfiguration(STSIssuedTokenConfiguration.PROTOCOL_13,
stsEndpoint, stsWSDLLocation, stsServiceName, stsPortName, stsNamespace);
return stsIssuedTokenConfiguration;
}
The Client includes a separate configuration for the connection to the IDP through the
“src/main/resources/META-INF/sts-client.xml” configuration file. The configuration includes settings for
public and private certificates that should be used for the connection.
<wsp:Policy wsu:Id="STSClientKeystorePolicy"
xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client" >
<wsp:ExactlyOne>
<wsp:All>
<sc:KeyStore wspp:visibility="private" location="cure-client-keystore.jks" type="JKS"
alias="alice" storepass="changeit"/>
<sc:TrustStore wspp:visibility="private" location="cure-client-cacerts.jks" type="JKS"
peeralias="cureidpm2" storepass="changeit"/>
<sc:CallbackHandlerConfiguration>
<sc:CallbackHandler name="usernameHandler"
classname="gov.niem.ws.sample.cvc.client.GFIPMUsernamePasswordCallbackHandler"/>
<sc:CallbackHandler name="passwordHandler"
classname="gov.niem.ws.sample.cvc.client.GFIPMUsernamePasswordCallbackHandler"/>
</sc:CallbackHandlerConfiguration>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
If the IDP SLA policy requires the client to authenticate using Username and Password then the
“GFIPMUsernamePasswordCallbackHandler” class is called. If the IDP SLA policy requests a client
certificate then the Client retrieves the certificate for “alice” from the “cure-client-keystore.jks”
keystore. The Client can be authenticated to the IDP STS using a hardcoded Username and Password
(alice:alice; bob:bob) or to the ADS STS as user “alice”. The ADS STS contains the public key for user “alice”
in its trust store and can act as an IDP as well.
Caching of the WSDL files to prevent WSDL queries is possible through the use of the
“src/main/resources/META-INF/jax-ws-catalog.xml” configuration file.
The Client initializes the service connection to WSC (cvcPort), sets proper Service Endpoint, and invokes
a service call as shown on the code snippet below:
CommercialVehicleCollisionPortType cvcPort;
CommercialVehicleCollisionWebService cvsWebService;
DefaultSTSIssuedTokenConfiguration stsIssuedTokenConfiguration =
getDefaultSTSIssuedTokenConfiguration(); // see above
STSIssuedTokenFeature stsIssuedTokenFeature = new
STSIssuedTokenFeature(stsIssuedTokenConfiguration);
MTOMFeature mtomFeature = new MTOMFeature(true);
cvsWebService = new CommercialVehicleCollisionWebService(new URL(wsdlUrl),
new QName("urn:examples.com:techniques:iepd:commercialVehicleCollision:ws:2.0",
"CommercialVehicleCollisionWebService"));
cvcPort = cvsWebService.getCommercialVehicleCollisionPort(
new WebServiceFeature[]{stsIssuedTokenFeature, mtomFeature});
Map<String, Object> requestContext = ((BindingProvider) cvcPort).getRequestContext();
requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, sepUrl);
GetDocumentResponseType getDocumentResponseType =
cvcPort.getDocument(getDocumentRequestType);
For details on the client execution and running tests, see the Readme.txt installation instructions file in
the GWSS2SPSI distribution package.
3.2 Debugging
3.2.1 Message Logging
Message logging can be enabled on Glassfish either through the Web-based Administration GUI or
through the domain configuration file “$AS_HOME/domains/domain1/config/domain.xml”, where
$AS_HOME is the Glassfish home directory, for example “/var/opt/glassfish/glassfish”.
To log the server-side messages, add the following JVM option under the server configuration
(<config name="server-config">):
<jvm-options>-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true</jvm-options>
To log the client-side messages, add the following JVM option under the same server configuration
(<config name="server-config">):
<jvm-options>-Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true</jvm-options>
Glassfish must be restarted after domain.xml is edited. The dumped messages appear in the “server.log”
file in the “$AS_HOME/domains/domain1/logs” directory. Note that these dumps write the complete SOAP
envelopes as sent on the wire, including the WS-Security headers; with the HTTPS transport binding of the
IDP STS policy that means UsernameToken passwords and SAML assertions appear in server.log in clear text.
Enable the dumps only on development systems and remove the options before the log is shared or the
system is deployed.
3.2.2 Applications Logging
Application logging can be enabled on Glassfish either through the Web-based Administration GUI or
through the domain logging properties file “$AS_HOME/domains/domain1/config/logging.properties”,
where $AS_HOME is the Glassfish home directory, for example “/var/opt/glassfish/glassfish”.
Set the following packages to the highest log level (“FINEST”) for the debug output of the sample
implementation components (WSC, WSP, IDP/ADS STS) to be written to the
“$AS_HOME/domains/domain1/logs/server.log” log file:
gov.niem.ws.util.level = FINEST
gov.niem.ws.util.jaxb.level = FINEST
gov.niem.ws.util.jaxb.delegate.level = FINEST
gov.niem.ws.sample.cvc.client.level = FINEST
gov.niem.ws.sample.cvc.handlers.level = FINEST
gov.niem.ws.sample.cvc.sts.level = FINEST
gov.niem.ws.sample.cvc.service.level = FINEST
FINEST is very verbose; return these loggers to their default level once the problem is diagnosed.
5 Appendixes
5.1 Attachment A: GFIPM SAML User Assertion Sample
<saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ns5="urn:oasis:names:tc:SAML:2.0:conditions:delegation" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="uuid-9dd21656-f992-40c3-a815-ff515af24747" IssueInstant="2012-04-25T22:49:11.834Z" Version="2.0">
<saml2:Issuer>cureidpm2</saml2:Issuer>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#uuid-9dd21656-f992-40c3-a815-ff515af24747">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>Q0vEPdzmHR42eQ9GoqLOs9hxpAo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>H78yQg==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID NameQualifier="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bob</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
</saml2:Subject>
<saml2:Conditions NotBefore="2012-04-25T22:49:11.834Z" NotOnOrAfter="2012-04-25T22:54:11.834Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://curewscm2:8181/m2wsc/services/cvc</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2012-04-25T22:49:11.834Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="gfipm:2.0:user:CitizenshipCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns8="http://www.w3.org/2001/XMLSchema"
ns7:type="ns8:string">US</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="gfipm:2.0:user:EmployerName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns8="http://www.w3.org/2001/XMLSchema"
ns7:type="ns8:string">Dundler Mifflin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="gfipm:2.0:user:SwornLawEnforcementOfficerIndicator" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns8="http://www.w3.org/2001/XMLSchema"
ns7:type="ns8:string">true</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="gfipm:2.0:user:GivenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns8="http://www.w3.org/2001/XMLSchema"
ns7:type="ns8:string">Michael</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="gfipm:2.0:user:SecurityClearanceLevelCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns8="http://www.w3.org/2001/XMLSchema"
ns7:type="ns8:string">Secret</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="gfipm:2.0:user:SurName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:ns7="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns8="http://www.w3.org/2001/XMLSchema"
ns7:type="ns8:string">Scott</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
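The following is an added example, not code from the GFIPM sample implementation: the condition checks a recipient (the Model 2 WSC the assertion above was issued to, or a WSP receiving a delegated assertion) applies before relying on a GFIPM user assertion, after Metro has verified the enveloped signature against the issuer's signing certificate from the trust fabric. The embedded assertion is Attachment A with the ds:Signature element and all but two attributes removed, since the sample's signature and certificate values are truncated; the trusted-issuer set, the recipient endpoints and the one-minute clock skew are assumptions, and the class assumes Java 17 for text blocks.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class GfipmAssertionChecks {
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    // Condition checks applied after the enveloped signature has been verified against the
    // issuer's CTF signing certificate. Returns the reasons to reject; an empty list means accept.
    public static List<String> check(Element a, Set<String> trustedIssuers,
                                     String recipientEndpoint, Instant now, Duration skew) {
        List<String> problems = new ArrayList<>();
        String issuer = text(a, "Issuer");
        if (issuer == null || !trustedIssuers.contains(issuer)) problems.add("untrusted issuer: " + issuer);
        Element cond = first(a, "Conditions");
        if (cond == null) {
            problems.add("no Conditions element");
        } else {
            // Both lifetime bounds are required: without them the assertion is replayable indefinitely.
            String nb = cond.getAttribute("NotBefore"), noa = cond.getAttribute("NotOnOrAfter");
            if (nb.isEmpty() || noa.isEmpty()) {
                problems.add("missing NotBefore/NotOnOrAfter");
            } else {
                if (now.plus(skew).isBefore(Instant.parse(nb))) problems.add("not yet valid");
                if (!now.minus(skew).isBefore(Instant.parse(noa))) problems.add("expired");
            }
            boolean audienceOk = false;
            NodeList auds = cond.getElementsByTagNameNS(SAML2, "Audience");
            for (int i = 0; i < auds.getLength(); i++) {
                audienceOk |= recipientEndpoint.equals(auds.item(i).getTextContent().trim());
            }
            if (!audienceOk) problems.add("audience does not name " + recipientEndpoint);
        }
        Element sc = first(a, "SubjectConfirmation");
        if (sc == null || !BEARER.equals(sc.getAttribute("Method"))) problems.add("expected bearer confirmation");
        return problems;
    }

    /** GFIPM user attributes as Name -> first AttributeValue: the input to the WSP's authorization rules. */
    public static Map<String, String> attributes(Element a) {
        Map<String, String> attrs = new LinkedHashMap<>();
        NodeList list = a.getElementsByTagNameNS(SAML2, "Attribute");
        for (int i = 0; i < list.getLength(); i++) {
            Element attr = (Element) list.item(i);
            String v = text(attr, "AttributeValue");
            if (v != null) attrs.put(attr.getAttribute("Name"), v);
        }
        return attrs;
    }

    static Element first(Element parent, String local) {
        NodeList l = parent.getElementsByTagNameNS(SAML2, local);
        return l.getLength() == 0 ? null : (Element) l.item(0);
    }
    static String text(Element parent, String local) {
        Element e = first(parent, local);
        return e == null ? null : e.getTextContent().trim();
    }

    /** Namespace-aware parser with DOCTYPE processing disabled: the assertion comes from the network. */
    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
    }

    // Attachment A with the ds:Signature element and all but two attributes removed.
    static final String SAMPLE = """
        <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
            ID="uuid-9dd21656-f992-40c3-a815-ff515af24747" IssueInstant="2012-04-25T22:49:11.834Z">
          <saml2:Issuer>cureidpm2</saml2:Issuer>
          <saml2:Subject><saml2:NameID>bob</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject>
          <saml2:Conditions NotBefore="2012-04-25T22:49:11.834Z" NotOnOrAfter="2012-04-25T22:54:11.834Z">
            <saml2:AudienceRestriction>
              <saml2:Audience>https://curewscm2:8181/m2wsc/services/cvc</saml2:Audience>
            </saml2:AudienceRestriction>
          </saml2:Conditions>
          <saml2:AttributeStatement>
            <saml2:Attribute Name="gfipm:2.0:user:SwornLawEnforcementOfficerIndicator">
              <saml2:AttributeValue>true</saml2:AttributeValue></saml2:Attribute>
            <saml2:Attribute Name="gfipm:2.0:user:SurName">
              <saml2:AttributeValue>Scott</saml2:AttributeValue></saml2:Attribute>
          </saml2:AttributeStatement>
        </saml2:Assertion>
        """;

    public static void main(String[] args) throws Exception {
        Element a = parse(SAMPLE);
        Set<String> trusted = Set.of("cureidpm2");   // assumed: the ADS/IDP entities listed in the CTF
        Duration skew = Duration.ofMinutes(1);
        // Checked inside the five-minute window the IDP granted, by the audience it named.
        System.out.println(check(a, trusted, "https://curewscm2:8181/m2wsc/services/cvc",
                Instant.parse("2012-04-25T22:50:00Z"), skew));
        // Checked now, by a WSP the assertion was not issued to.
        System.out.println(check(a, trusted, "https://curewspm2:8181/m2wsp/services/cvc", Instant.now(), skew));
        System.out.println(attributes(a));
    }
}
```

Run with `java GfipmAssertionChecks.java`. The first check passes; the second reports both the expired lifetime and the audience mismatch, which is why a WSP in Model 2 must receive its own assertion from the ADS rather than reuse the one issued to the WSC. The trusted-issuer set must be derived from the trust fabric (entities whose role is an assertion delegate service or IDP), not from the Issuer string in the assertion itself.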
5.2 Attachment B: GFIPM SAML Metadata Entity Assertion Sample
<EntitiesDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
validUntil="2022-04-18T00:00:00-04:00" ID="2a2bce2d-dec3-4be1-8e0b-e4f2bd29ff2f" Name="sample-implementation:gfipm:ref"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<EntityDescriptor entityID="curewspm1">
<RoleDescriptor xmlns:q7="http://gfipm.net/standards/metadata/2.0/webservices" xsi:type="q7:GFIPMWebServiceProviderType"
protocolSupportEnumeration="http://gfipm.net/standards/webservices/1.0/consumer-provider-sip.html"
ServiceDisplayName="WebServiceProvider M1" ServiceDescription="The GFIPM CURE M1 Web Service Provider">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data><X509Certificate>XcxDw5w=</X509Certificate></X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data><X509Certificate>XcxDw5w=</X509Certificate></X509Data>
</KeyInfo>
</KeyDescriptor>
<q7:WebServiceEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://curewspm1:8181/m1wsp/services/cvc</Address>
</EndpointReference>
</q7:WebServiceEndpoint>
<q7:MetadataExchangeEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://curewspm1:8181/m1wsp/services/cvc/mex</Address>
</EndpointReference>
</q7:MetadataExchangeEndpoint>
<q7:WSDLURL>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://curewspm1:8181/m1wsp/services/cvc?wsdl</Address>
</EndpointReference>
</q7:WSDLURL>
</RoleDescriptor>
<ContactPerson contactType="technical">
<Company>CURE Research Institute</Company>
<GivenName>Roger</GivenName>
<SurName>Waters</SurName>
<EmailAddress>roger.waters@wspm1.net</EmailAddress>
<TelephoneNumber>4145555555</TelephoneNumber>
</ContactPerson>
</EntityDescriptor>
<EntityDescriptor entityID="cureidpm2">
<RoleDescriptor xmlns:q9="http://gfipm.net/standards/metadata/2.0/webservices" xsi:type="q9:GFIPMAssertionDelegateServiceType"
protocolSupportEnumeration="http://gfipm.net/standards/webservices/1.0/saml-assertion-delegate-service-sip.html"
ServiceDisplayName="ADS for CUREIDPM2" ServiceDescription="The Assertion Delegate Service for the CURE IDP M2">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data><X509Certificate>MIIDE=</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data><X509Certificate>MIIDE=</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<q9:DelegatedTokenServiceEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://cureidpm2:8080/m2sts/services/sts</Address>
</EndpointReference>
</q9:DelegatedTokenServiceEndpoint>
<q9:WSDLURL>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://cureidpm2:8080/m2sts/services/sts?wsdl</Address>
</EndpointReference>
</q9:WSDLURL>
<q9:MetadataExchangeEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://cureidpm2:8080/m2sts/services/sts/mex</Address>
</EndpointReference>
</q9:MetadataExchangeEndpoint>
</RoleDescriptor>
<ContactPerson contactType="technical">
<Company>CURE Research Institute</Company>
<GivenName>Jack</GivenName>
<SurName>Shephard</SurName>
<EmailAddress>jack.shephard@idpm2.net</EmailAddress>
<TelephoneNumber>4145555555</TelephoneNumber>
</ContactPerson>
</EntityDescriptor>
</EntitiesDescriptor>
5.3 Attachment C: GFIPM CTF Library API
public interface TrustFabricIntf {
/**
 * Returns all GFIPM entities in the trust fabric document as a list of
 * GFIPMCertificate instances (id, type, key use, certificate).
 *
 * @param collectDuplicates If true, a certificate string is added once per
 * occurrence even when the same certificate appears more than once in the
 * trust fabric document.
 *
 * @return List<GFIPMCertificate>
 *
 */
List<GFIPMCertificate> getAllEntityCertificates(boolean collectDuplicates);
/**
 * Get the entity ID from the GFIPM CTF using the public key of that entity.
 * @param publicKey Public key of the entity's certificate.
 * @return entityId The entity ID of an EntityDescriptor in a GFIPM trust
 * fabric document.
 */
String getEntityId(PublicKey publicKey);
/**
 * Get the entity ID from the GFIPM CTF using the X509Certificate of that entity.
 * @param cert X509 certificate of the entity.
 * @return entityId The entity ID of an EntityDescriptor in a GFIPM trust
 * fabric document.
 */
String getEntityId(X509Certificate cert);
/**
 * Get the entity ID from the GFIPM CTF using the service endpoint of that entity.
 * @param sepString Service endpoint URL of the entity.
 * @return entityId The entity ID of an EntityDescriptor in a GFIPM trust
 * fabric document.
 */
String getEntityIdBySEP(String sepString);
/**
 * Get the value of a GFIPM trust fabric document Organization Extensions
 * attribute of a specific entity.
 *
 * @param entityId The entity ID of an EntityDescriptor in a GFIPM trust
 * fabric document.
 *
 * @param attrname The name of a GFIPM metadata entity attribute. Ex.:
 * gfipm:2.0:entity:OwnerAgencyORI
 *
 * @return The attribute value.
 */
String getGfipmEntityAttribute(String entityId, String attrname);
/**
 * Get all entity attributes in the GFIPM CTF for the entity with the given entity ID.
 * @param entityId The entity ID of an EntityDescriptor in a GFIPM trust
 * fabric document.
 * @return Map of entity attribute names to values.
 */
HashMap<String, String> getGfipmEntityAttributes(String entityId);
/**
* Get entity type specified in the EntityDescriptor/RoleDescriptor element
*
* @param entityId The entity ID of an EntityDescriptor in a GFIPM trust
* fabric document.
* @return GFIPMCertificate.RoleDescriptorType Role Descriptor Type in a GFIPM
* trust fabric document. Null if not found.
*/
GFIPMCertificate.RoleDescriptorType getRoleDescriptorType(String entityId);
/**
 * Check if the entity with the given entity ID is an assertion delegate service.
 *
 * @param entityId The entity ID of an EntityDescriptor in a GFIPM trust
 * fabric document.
 * @return boolean true if the entity is an assertion delegate service
 */
boolean isAssertionDelegateService(String entityId);
/**
 * Check if the entity with the given entity ID is a web service consumer.
 *
 * @param entityId The entity ID of an EntityDescriptor in a GFIPM trust
 * fabric document.
 * @return boolean true if the entity is a web service consumer
 */
boolean isWebServiceConsumer(String entityId);
/**
 * Check if the entity with the given entity ID is a web service provider.
 *
 * @param entityId The entity ID of an EntityDescriptor in a GFIPM trust
 * fabric document.
 * @return boolean true if the entity is a web service provider
 */
boolean isWebServiceProvider(String entityId);
/**
* Builds a query for an entity's certificate and performs the XPath query
* on the GFIPM Trust Document and returns the value.
*
* @param entityId The entity ID of an EntityDescriptor in a GFIPM trust
* fabric document.
*
* @param entityType One of "IDP" or "SP" or possibly other values later.
*
* @param keyUse The use of the certificate. One of "signing" or
* "encryption" or null.
*
* @return Returns a String that is the public certificate with spaces and
* tabs removed. Or null if not found.
*/
String retrieveEntityCertificate(String entityId, String entityType, String keyUse);
/**
* Builds a query for an entity's certificate and performs the XPath query
* on the GFIPM Trust Document and returns the value. The key use will try
* "signing" or "encryption" or null.
*
* @param entityId The entity ID of an EntityDescriptor in a GFIPM trust
* fabric document.
*
* @param entityType One of "IDP" or "SP" or possibly other values later.
*
* @return Returns a String that is the public certificate with spaces and
* tabs removed. Or null if not found.
*/
String retrieveEntityCertificate(String entityId, String entityType);
/**
* Builds a query for an entity's certificate and performs the XPath query
* on the GFIPM Trust Document and returns the value. For entity type, this
* method will try both IDP and SP. The key use will try "signing" or
* "encryption" or null.
*
* @param entityId The entity ID of an EntityDescriptor in a GFIPM trust
* fabric document.
*
* @return Returns a String that is the public certificate with spaces and
* tabs removed. Or null if not found.
*/
String retrieveEntityCertificate(String entityId);
/**
* Retrieve Web Service Endpoint Address from the GFIPM Trust Document for an Entity with entityId
* @param entityId
* @return Returns URL Address string
*/
String getWebServiceEndpointAddress(String entityId);
/**
* Retrieve Delegated Token Service Endpoint Address from the GFIPM Trust Document for an Entity with entityId
* @param entityId
* @return Returns URL Address string
*/
String getDelegatedTokenServiceEndpointAddress(String entityId);
/**
* Retrieve WSDL URL Address from the GFIPM Trust Document for an Entity with entityId
* @param entityId
* @return Returns URL Address string
*/
String getWsdlUrlAddress(String entityId);
/**
* Retrieve Metadata Exchange Endpoint Address from the GFIPM Trust Document for an Entity with entityId
* @param entityId
* @return Returns URL Address string
*/
String getMetadataExchangeEndpointAddress(String entityId);
}
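As an added example, not the CTF library shipped with the sample implementation, the class below implements a subset of the TrustFabricIntf lookups above directly over a trust fabric document in the form of Attachment B: document validity, the role type taken from the RoleDescriptor's xsi:type, endpoint addresses, and the reverse lookup from a service endpoint to an entity ID. The embedded document is Attachment B reduced to the elements these lookups read; the omitted methods (certificate retrieval by key use, entity attributes, lookup by public key) follow the same pattern. The class assumes Java 17 for text blocks.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.OffsetDateTime;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class TrustFabricLookup {
    static final String MD = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String GWS = "http://gfipm.net/standards/metadata/2.0/webservices";
    static final String WSA = "http://www.w3.org/2005/08/addressing";
    static final String XSI = "http://www.w3.org/2001/XMLSchema-instance";
    private final Document doc;

    public TrustFabricLookup(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The CTF is fetched over the network: refuse DOCTYPE declarations and external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** A trust fabric past its validUntil must be refreshed, not consulted. */
    public boolean isValidAt(OffsetDateTime now) {
        String validUntil = doc.getDocumentElement().getAttribute("validUntil");
        return !validUntil.isEmpty() && now.isBefore(OffsetDateTime.parse(validUntil));
    }

    /** The entity's RoleDescriptor, or null if the entity ID is not in the fabric. */
    private Element role(String entityId) {
        NodeList entities = doc.getElementsByTagNameNS(MD, "EntityDescriptor");
        for (int i = 0; i < entities.getLength(); i++) {
            Element e = (Element) entities.item(i);
            if (!entityId.equals(e.getAttribute("entityID"))) continue;
            NodeList roles = e.getElementsByTagNameNS(MD, "RoleDescriptor");
            return roles.getLength() == 0 ? null : (Element) roles.item(0);
        }
        return null;
    }

    /** Local part of the RoleDescriptor's xsi:type, e.g. GFIPMWebServiceProviderType. */
    private String roleType(String entityId) {
        Element r = role(entityId);
        if (r == null) return null;
        String t = r.getAttributeNS(XSI, "type");
        return t.substring(t.indexOf(':') + 1);
    }
    public boolean isWebServiceProvider(String id) { return "GFIPMWebServiceProviderType".equals(roleType(id)); }
    public boolean isAssertionDelegateService(String id) { return "GFIPMAssertionDelegateServiceType".equals(roleType(id)); }

    /** wsa:Address inside the named GFIPM endpoint element of the entity's role, or null. */
    private String endpoint(String entityId, String element) {
        Element r = role(entityId);
        if (r == null) return null;
        NodeList eps = r.getElementsByTagNameNS(GWS, element);
        if (eps.getLength() == 0) return null;
        NodeList addr = ((Element) eps.item(0)).getElementsByTagNameNS(WSA, "Address");
        return addr.getLength() == 0 ? null : addr.item(0).getTextContent().trim();
    }
    public String getWebServiceEndpointAddress(String id) { return endpoint(id, "WebServiceEndpoint"); }
    public String getDelegatedTokenServiceEndpointAddress(String id) { return endpoint(id, "DelegatedTokenServiceEndpoint"); }

    /** Exact-match reverse lookup; a prefix match would let one entity claim another's sub-path. */
    public String getEntityIdBySEP(String sep) {
        NodeList entities = doc.getElementsByTagNameNS(MD, "EntityDescriptor");
        for (int i = 0; i < entities.getLength(); i++) {
            String id = ((Element) entities.item(i)).getAttribute("entityID");
            if (sep.equals(getWebServiceEndpointAddress(id))
                    || sep.equals(getDelegatedTokenServiceEndpointAddress(id))) return id;
        }
        return null;
    }

    // Attachment B reduced to the elements these lookups read (no KeyDescriptor or ContactPerson).
    static final String SAMPLE_CTF = """
        <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:q7="http://gfipm.net/standards/metadata/2.0/webservices"
            xmlns:wsa="http://www.w3.org/2005/08/addressing"
            validUntil="2022-04-18T00:00:00-04:00" Name="sample-implementation:gfipm:ref">
          <EntityDescriptor entityID="curewspm1">
            <RoleDescriptor xsi:type="q7:GFIPMWebServiceProviderType">
              <q7:WebServiceEndpoint><wsa:EndpointReference>
                <wsa:Address>https://curewspm1:8181/m1wsp/services/cvc</wsa:Address>
              </wsa:EndpointReference></q7:WebServiceEndpoint>
            </RoleDescriptor>
          </EntityDescriptor>
          <EntityDescriptor entityID="cureidpm2">
            <RoleDescriptor xsi:type="q7:GFIPMAssertionDelegateServiceType">
              <q7:DelegatedTokenServiceEndpoint><wsa:EndpointReference>
                <wsa:Address>http://cureidpm2:8080/m2sts/services/sts</wsa:Address>
              </wsa:EndpointReference></q7:DelegatedTokenServiceEndpoint>
            </RoleDescriptor>
          </EntityDescriptor>
        </EntitiesDescriptor>
        """;

    public static void main(String[] args) throws Exception {
        TrustFabricLookup ctf = new TrustFabricLookup(SAMPLE_CTF);
        System.out.println("fabric still valid: " + ctf.isValidAt(OffsetDateTime.now()));
        System.out.println(ctf.getEntityIdBySEP("https://curewspm1:8181/m1wsp/services/cvc"));
        System.out.println(ctf.getEntityIdBySEP("https://curewspm1:8181/m1wsp/services/cvc/extra"));
        System.out.println(ctf.isWebServiceProvider("curewspm1") + " " + ctf.isAssertionDelegateService("curewspm1"));
        System.out.println(ctf.getDelegatedTokenServiceEndpointAddress("cureidpm2"));
    }
}
```

Run with `java TrustFabricLookup.java`. The role checks matter wherever a lookup feeds an authorization decision: the issuers a WSC or WSP accepts assertions from are the entities whose RoleDescriptor type is an assertion delegate service, not every entity that appears in the fabric, and the exact-match endpoint lookup keeps one entity from being resolved for a URL under another entity's path. A fabric whose validUntil has passed, as the 2022 date in the sample now has, must be re-fetched and its signature re-verified before any of these answers are used.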
5.4 Attachment D: Sample SLA Security Policy for IDP STS
Two variants of the IDP STS binding policy follow, both with the wsu:Id IIdentityProviderService_BindingPolicy: the first protects the token request with a TransportBinding (HTTPS), the second with a SymmetricBinding keyed to the STS X.509 certificate. In both, the client authenticates with a UsernameToken carried as a signed and encrypted supporting token. Note that the sample policies in Attachments D through G are tuned for the test bed, not for a production federation: every ValidatorConfiguration disables revocation checking (revocationEnabled="false"), the STS configurations issue unencrypted tokens (encryptIssuedToken="false"), the WSP policies open their keystores with the default password, and the IDP STS registers a plain http WSC endpoint alongside the https one.
<wsp:Policy wsu:Id="IIdentityProviderService_BindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsaw:UsingAddressing wsp:Optional="false"/>
<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
<sc:Validator name="usernameValidator" classname="gov.niem.ws.sample.cvc.service.GFIPMUsernamePasswordValidator"/>
</sc:ValidatorConfiguration>
<tc:STSConfiguration wspp:visibility="private" encryptIssuedKey="false" encryptIssuedToken="false">
<tc:Contract>com.sun.xml.ws.security.trust.impl.WSTrustContractImpl</tc:Contract>
<tc:LifeTime>300000</tc:LifeTime>
<tc:Issuer>cureidpm2</tc:Issuer>
<tc:ServiceProviders>
<!-- Metro WSC http -->
<tc:ServiceProvider endpoint="http://curewscm2:8080/m2wsc/services/cvc">
<tc:CertAlias>curewscm2</tc:CertAlias>
<tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
</tc:ServiceProvider>
<!-- Metro WSC https -->
<tc:ServiceProvider endpoint="https://curewscm2:8181/m2wsc/services/cvc">
<tc:CertAlias>curewscm2</tc:CertAlias>
<tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
</tc:ServiceProvider>
<!-- .NET WSC -->
<tc:ServiceProvider endpoint="https://ha50wscm2:8643/Model2/Service.svc">
<tc:CertAlias>ha50wscm2</tc:CertAlias>
<tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
</tc:ServiceProvider>
</tc:ServiceProviders>
</tc:STSConfiguration>
<sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA">
<wsp:Policy>
<sp:Basic256Sha256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust13>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
<sp:SignedEncryptedSupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="IIdentityProviderService_BindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsaw:UsingAddressing wsp:Optional="false"/>
<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
<sc:Validator name="usernameValidator" classname="gov.niem.ws.sample.cvc.service.GFIPMUsernamePasswordValidator"/>
</sc:ValidatorConfiguration>
<tc:STSConfiguration wspp:visibility="private" encryptIssuedKey="false" encryptIssuedToken="false">
<tc:Contract>com.sun.xml.ws.security.trust.impl.WSTrustContractImpl</tc:Contract>
<tc:LifeTime>300000</tc:LifeTime>
<tc:Issuer>cureidpm2</tc:Issuer>
<tc:ServiceProviders>
<!-- Metro WSC http -->
<tc:ServiceProvider endpoint="http://curewscm2:8080/m2wsc/services/cvc">
<tc:CertAlias>curewscm2</tc:CertAlias>
<tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
</tc:ServiceProvider>
<!-- Metro WSC https -->
<tc:ServiceProvider endpoint="https://curewscm2:8181/m2wsc/services/cvc">
<tc:CertAlias>curewscm2</tc:CertAlias>
<tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
</tc:ServiceProvider>
<!-- .NET WSC -->
<tc:ServiceProvider endpoint="https://ha50wscm2:8643/Model2/Service.svc">
<tc:CertAlias>ha50wscm2</tc:CertAlias>
<tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
</tc:ServiceProvider>
</tc:ServiceProviders>
</tc:STSConfiguration>
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust13>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
<sp:SignedEncryptedSupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
5.5 Attachment E: Sample SLA Security Policy for ADS STS
<wsp:Policy wsu:Id="ISecurityTokenService_BindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsaw:UsingAddressing wsp:Optional="false"/>
<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
<sc:Validator name="certificateValidator" classname="gov.niem.ws.sample.cvc.service.GFIPMCertificateValidator"/>
</sc:ValidatorConfiguration>
<tc:STSConfiguration wspp:visibility="private" encryptIssuedKey="false" encryptIssuedToken="false">
<tc:Contract>com.sun.xml.ws.security.trust.impl.WSTrustContractImpl</tc:Contract>
<tc:LifeTime>300000</tc:LifeTime>
<tc:Issuer>cureidpm2</tc:Issuer>
<tc:ServiceProviders>
<!-- Metro WSC https -->
<tc:ServiceProvider endpoint="https://curewscm2:8181/m2wsc/services/cvc">
<tc:CertAlias>curewscm2</tc:CertAlias>
<tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
</tc:ServiceProvider>
<!-- Metro WSP https -->
<tc:ServiceProvider endpoint="https://curewspm2:8181/m2wsp/services/cvc">
<tc:CertAlias>curewspm2</tc:CertAlias>
<tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
</tc:ServiceProvider>
<!-- .NET WSP -->
<tc:ServiceProvider endpoint="https://ha50wspm2:8553/Model2/CommercialVehicleCollisionWsp.svc">
<tc:CertAlias>ha50wspm2</tc:CertAlias>
<tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tc:TokenType>
</tc:ServiceProvider>
</tc:ServiceProviders>
</tc:STSConfiguration>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA">
<wsp:Policy>
<sp:Basic256Sha256/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
<sp:RequireSignatureConfirmation/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust13>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
5.6 Attachment F: Sample SLA Security Policy for WSP Model 1
<wsp:Policy wsu:Id="CommercialVehicleCollisionBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsrmp:RMAssertion>
<wsrmp:DeliveryAssurance>
<wsp:Policy>
<wsrmp:ExactlyOnce />
</wsp:Policy>
</wsrmp:DeliveryAssurance>
</wsrmp:RMAssertion>
<wsoma:OptimizedMimeSerialization/>
<wsaw:UsingAddressing wsp:Optional="false"/>
<sc:KeyStore wspp:visibility="private"
location="curewspm1-keystore.jks" type="JKS" storepass="changeit" alias="curewspm1"/>
<sc:TrustStore wspp:visibility="private"
location="curewspm1-cacerts.jks" type="JKS" storepass="changeit"/>
<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
<sc:Validator name="certificateValidator" classname="gov.niem.ws.sample.cvc.service.GFIPMCertificateValidator"/>
</sc:ValidatorConfiguration>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA">
<wsp:Policy>
<sp:Basic256Sha256/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefThumbprint/>
</wsp:Policy>
</sp:Wss11>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
5.7 Attachment G: Sample SLA Security Policy for WSP Model 2
<wsp:Policy wsu:Id="CommercialVehicleCollisionBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsrmp:RMAssertion>
<wsrmp:DeliveryAssurance>
<wsp:Policy>
<wsrmp:ExactlyOnce />
</wsp:Policy>
</wsrmp:DeliveryAssurance>
</wsrmp:RMAssertion>
<wsoma:OptimizedMimeSerialization/>
<wsaw:UsingAddressing wsp:Optional="false"/>
<sc:KeyStore wspp:visibility="private"
location="curewspm2-keystore.jks" type="JKS" storepass="changeit" alias="curewspm2"/>
<sc:TrustStore wspp:visibility="private"
location="curewspm2-cacerts.jks" type="JKS" storepass="changeit"/>
<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="false">
<sc:Validator name="certificateValidator"
classname="gov.niem.ws.sample.cvc.service.GFIPMCertificateValidatorWSP"/>
<sc:Validator name="samlAssertionValidator"
classname="gov.niem.ws.sample.cvc.service.GFIPMSAMLAssertionValidatorWSP"/>
</sc:ValidatorConfiguration>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA">
<wsp:Policy>
<sp:Basic256Sha256/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:RequireSignatureConfirmation/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust13>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
<sp:SignedEncryptedSupportingTokens>
<wsp:Policy>
<sp:SamlToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssSamlV20Token11/>
</wsp:Policy>
</sp:SamlToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
5.8 Attachment H: Sample SLA Security Policy for Message Encryption and Signature
<wsp:Policy wsu:Id="CommercialVehicleCollisionBinding_getDocumentRequest_Policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
<sp:SignedParts>
<sp:Body/>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
5.9 Attachment I: Sample SLA Policy for WS-ReliableMessaging 1.1
<wsrmp:RMAssertion>
<wsrmp:DeliveryAssurance>
<wsp:Policy>
<wsrmp:ExactlyOnce />
</wsp:Policy>
</wsrmp:DeliveryAssurance>
</wsrmp:RMAssertion>
5.10 Attachment J: Sample SLA Policy for Algorithm Suite
<sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA">
<wsp:Policy>
<sp:Basic256Sha256/>
</wsp:Policy>
</sp:AlgorithmSuite>
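An added policy lint, written for this documentation and not part of the GFIPM Metro implementation, that parses a WS-SecurityPolicy fragment and reports which of the protections required by Attachments G, H and J (timestamp, whole-header signing, Basic256Sha256 with SHA256withRSA, signature confirmation, encrypted Body, signed WS-Addressing headers) are absent. It assumes the WS-Policy 1.5 namespace (http://www.w3.org/ns/ws-policy) for the wsp prefix and takes as input a constructed, reduced copy of the sample policy from which several signed addressing headers have been left out so that the lint has something to report.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://www.w3.org/ns/ws-policy",  # assumed: WS-Policy 1.5 namespace
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
ADDRESSING_HEADERS = {"To", "From", "FaultTo", "ReplyTo", "MessageID", "RelatesTo", "Action"}

# Constructed sample: Attachments G and H reduced to the elements checked below,
# deliberately missing most of the signed WS-Addressing headers.
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:ExactlyOne><wsp:All>
<sp:AsymmetricBinding><wsp:Policy>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA"><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
</wsp:Policy></sp:AsymmetricBinding>
<sp:Wss11><wsp:Policy><sp:RequireSignatureConfirmation/></wsp:Policy></sp:Wss11>
<sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
<sp:SignedParts>
<sp:Body/>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
</wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

def lint_policy(xml_text):
    """Return the list of findings; an empty list means every expected protection is present."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find(".//sp:AsymmetricBinding//sp:IncludeTimestamp", NS) is None:
        findings.append("no IncludeTimestamp: signed messages carry no freshness bound")
    if root.find(".//sp:AsymmetricBinding//sp:OnlySignEntireHeadersAndBody", NS) is None:
        findings.append("no OnlySignEntireHeadersAndBody: partially signed elements can be altered")
    suite = root.find(".//sp:AlgorithmSuite", NS)
    if suite is None or suite.find("wsp:Policy/sp:Basic256Sha256", NS) is None:
        findings.append("algorithm suite is not Basic256Sha256")
    if suite is not None and suite.get("signatureAlgorithm") != "SHA256withRSA":
        findings.append("signatureAlgorithm is not SHA256withRSA")
    if root.find(".//sp:Wss11//sp:RequireSignatureConfirmation", NS) is None:
        findings.append("no RequireSignatureConfirmation: response is not bound to the request signature")
    if root.find(".//sp:EncryptedParts/sp:Body", NS) is None:
        findings.append("Body is not encrypted")
    # Every WS-Addressing header the sample policy signs must be listed under SignedParts.
    signed = {h.get("Name") for h in root.findall(".//sp:SignedParts/sp:Header", NS)
              if h.get("Namespace") == NS["wsa"]}
    missing = ADDRESSING_HEADERS - signed
    if missing:
        findings.append("unsigned WS-Addressing headers: " + ", ".join(sorted(missing)))
    return findings
```

Run `lint_policy` over the real `wsit-*.xml` policy files before deployment; any finding other than an empty list means the service accepts weaker protection than the sample SLA policies describe.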