[Fix Pack 7 or later]

Configuration of a SAML token during token creation

When creating a new SAML token, you can specify configuration properties to control how the token is configured. The configuration properties are stored in a properties file containing name/value pairs. The properties describe provider-side information such as the issuer location, and the keystore and truststore file paths.

Avoid trouble: Any changes you make to the SAMLIssuerConfig.properties file do not go into effect until you restart the application servers that are running the JAX-WS web service clients.
The following table describes the provider configuration properties.

Table 1. Properties to configure provider information for a new SAML token. Use these properties to control how the token is created. Each entry lists the property name, a sample value, and a description.

IssuerURI
    Sample value: http://www.websphere.ibm.com/SAML/SelfIssuer
    The URI of the issuer.

TimeToLiveMilliseconds
    Sample value: 3600000
    Amount of time, in milliseconds, before the token expires (the sample value is one hour).

KeyStoreRef
    Sample value: MyKeyStoreRef
    A reference to a managed keystore from security.xml. Example:
    KeyStoreRef=name=TD-POCClientKeyStore managementScope=(cell):stdfed01_Cell
    If you specify the KeyStoreRef property, you do not have to specify the KeyStorePath and KeyStoreType properties.

KeyStorePath
    Sample value: app_server_root/etc/ws-security/samples/dsig-receiver.ks
    The location of the keystore file. You do not have to specify this property if you have specified the KeyStoreRef property.
    Note: You must change this value from the default value to match the path location on your system.

KeyStoreType
    Sample value: JKS
    The keystore type. You do not have to specify this property if you have specified the KeyStoreRef property.

KeyStorePassword
    Sample value: password
    The password of the keystore file. The password should be XOR encoded so that it is not stored in plaintext; for more information, read about encoding passwords in files. Note that {xor} encoding is reversible obfuscation, not encryption: anyone who can read the file can recover the password, so also restrict file system permissions on SAMLIssuerConfig.properties.

KeyAlias
    Sample value: soapprovider
    The alias of the key as defined in the keystore file.

KeyName
    Sample value: CN=SOAPProvider, OU=TRL, O=IBM, ST=Kanagawa, C=JP
    The name of the key as defined in the keystore file.

KeyPassword
    Sample value: password
    The password of the private key as defined in the keystore file. The password should be XOR encoded (see KeyStorePassword).

TrustStoreRef
    Sample value: MyTrustStoreRef
    A reference to a managed keystore from security.xml. Example:
    TrustStoreRef=name=POCClientTrustStore managementScope=(cell):lanscheNode11Cell:(node):lanscheNode04
    If you specify the TrustStoreRef property, you do not have to specify the TrustStorePath and TrustStoreType properties.

TrustStorePath
    Sample value: app_server_root/etc/ws-security/samples/dsig-receiver.ks
    The location of the truststore file. You do not have to specify this property if you have specified the TrustStoreRef property.
    Note: You must change this value from the default value to match the path location on your system.

TrustStoreType
    Sample value: JKS
    The truststore type. You do not have to specify this property if you have specified the TrustStoreRef property.

TrustStorePassword
    Sample value: password
    The password of the truststore file. The password should be XOR encoded (see KeyStorePassword).

AttributeProvider
    Sample value: com.mycompany.SAML.AttributeProviderImpl
    Implementation class of the attribute provider.

NameIDProvider
    Sample value: com.mycompany.SAML.NameIDProviderImpl
    Implementation class of the name ID provider.

File location

A single configuration file, SAMLIssuerConfig.properties, containing the provider-side properties is created and stored on each server. On a WebSphere® server, the file is located in the server-level repository, or in the cell-level repository. In an environment that is not based on WebSphere, the file location is defined by a Java™ system property. The name of this property is com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath.

For example, the location of the file at the server level on a WebSphere server is:
app_server_root/profiles/$PROFILE/config/cells/$CELLNAME/nodes/$NODENAME/servers/$SERVERNAME/SAMLIssuerConfig.properties
The location of the file at the cell level on a WebSphere server is:
app_server_root/profiles/$PROFILE/config/cells/$CELLNAME/sts/SAMLIssuerConfig.properties

Example

See the following example of a SAML token configuration properties file. All three passwords are {xor} encoded, and ${USER_INSTALL_ROOT} is the WebSphere variable for the profile root:
# Provider-side SAML issuer configuration (values from the product samples)
IssuerURI=http://www.websphere.ibm.com/SAML/SelfIssuer
# Token lifetime in milliseconds (3600000 = one hour)
TimeToLiveMilliseconds=3600000
# Keystore holding the issuer's signing key; KeyStorePath and KeyStoreType
# are not needed if KeyStoreRef is used instead
KeyStorePath=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
KeyStoreType=JKS
KeyStorePassword={xor}LDotKTot
KeyAlias=soapprovider
KeyName=CN=SOAPProvider, OU=TRL, O=IBM, ST=Kanagawa, C=JP
KeyPassword={xor}LDotKTot
# Truststore; TrustStorePath and TrustStoreType are not needed if TrustStoreRef is used
TrustStorePath=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
TrustStoreType=JKS
TrustStorePassword={xor}LDotKTot
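The following Python script is an added example; it is not part of the IBM page and not IBM's code. It reads a SAMLIssuerConfig.properties file, applies the rules stated in Table 1 (a *Ref property makes the matching Path and Type properties unnecessary; the sample paths must be changed from the placeholder; passwords should be {xor} encoded) and decodes the {xor} values to show that the encoding is reversible. The XOR-with-'_'-then-base64 scheme is WebSphere's {xor} format; the parser, the rule set in check_issuer_config, and the second sample file with deliberate mistakes are this example's own constructions.

```python
"""Added example (not IBM's code): read a SAMLIssuerConfig.properties file,
apply the rules from the property table above, and show that {xor}
password encoding is reversible obfuscation, not encryption."""
import base64

XOR_PREFIX = "{xor}"
XOR_KEY = 0x5F  # WebSphere {xor} scheme: each byte XOR '_' (0x5F), then base64


def xor_encode(plain: str) -> str:
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return XOR_PREFIX + base64.b64encode(raw).decode("ascii")


def xor_decode(value: str) -> str:
    """Return the plaintext of a {xor} value; plaintext values pass through unchanged."""
    if not value.startswith(XOR_PREFIX):
        return value
    raw = base64.b64decode(value[len(XOR_PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or
    key:value; the first separator wins, so values such as 'name=...' or
    'CN=...' keep their own '=' characters."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        sep = min(seps)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


PASSWORD_KEYS = ("KeyStorePassword", "KeyPassword", "TrustStorePassword")


def check_issuer_config(props: dict) -> list:
    """Findings derived from the property table; an empty list means no problems.
    (This rule set is the example's own assumption, not an IBM validator.)"""
    findings = []
    ttl = props.get("TimeToLiveMilliseconds", "")
    if not ttl.isdigit() or int(ttl) <= 0:
        findings.append("TimeToLiveMilliseconds must be a positive number of milliseconds")
    for store in ("KeyStore", "TrustStore"):
        has_ref, has_path = f"{store}Ref" in props, f"{store}Path" in props
        if has_ref and (has_path or f"{store}Type" in props):
            findings.append(f"{store}Ref is set, so {store}Path/{store}Type are redundant; remove them")
        if not has_ref and not has_path:
            findings.append(f"neither {store}Ref nor {store}Path is set")
        if has_path and props[f"{store}Path"].startswith("app_server_root"):
            findings.append(f"{store}Path still contains the documentation placeholder app_server_root")
    for key in PASSWORD_KEYS:
        if key in props and not props[key].startswith(XOR_PREFIX):
            findings.append(f"{key} is stored in plaintext; encode it with {{xor}}")
    return findings


def decoded_passwords(props: dict) -> dict:
    """Recover every password. Anyone who can read the file can do this,
    so protect SAMLIssuerConfig.properties with file system permissions."""
    return {k: xor_decode(props[k]) for k in PASSWORD_KEYS if k in props}


# Constructed input: the properties file shown on this page.
PAGE_EXAMPLE = """\
IssuerURI=http://www.websphere.ibm.com/SAML/SelfIssuer
TimeToLiveMilliseconds=3600000
KeyStorePath=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
KeyStoreType=JKS
KeyStorePassword={xor}LDotKTot
KeyAlias=soapprovider
KeyName=CN=SOAPProvider, OU=TRL, O=IBM, ST=Kanagawa, C=JP
KeyPassword={xor}LDotKTot
TrustStorePath=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
TrustStoreType=JKS
TrustStorePassword={xor}LDotKTot
"""

# Constructed input: a file with the mistakes the table warns about
# (Ref plus Path, placeholder paths, one plaintext password).
BAD_EXAMPLE = """\
IssuerURI=http://www.websphere.ibm.com/SAML/SelfIssuer
TimeToLiveMilliseconds=3600000
KeyStoreRef=name=TD-POCClientKeyStore managementScope=(cell):stdfed01_Cell
KeyStorePath=app_server_root/etc/ws-security/samples/dsig-receiver.ks
KeyStorePassword={xor}LDotKTot
KeyAlias=soapprovider
KeyPassword=server
TrustStorePath=app_server_root/etc/ws-security/samples/dsig-receiver.ks
TrustStoreType=JKS
TrustStorePassword={xor}LDotKTot
"""

if __name__ == "__main__":
    for name, text in (("page example", PAGE_EXAMPLE), ("bad example", BAD_EXAMPLE)):
        props = parse_properties(text)
        print(name, "findings:", check_issuer_config(props) or "none")
        print(name, "decoded passwords:", decoded_passwords(props))
```

Running the script against the page's own sample file reports no findings and decodes all three {xor}LDotKTot values to "server", the password of the product's sample dsig-receiver.ks keystore, which is the practical point of the caveat in Table 1: {xor} keeps the password out of plain sight but not out of reach.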
Related tasks
Propagating SAML tokens
Encoding passwords in files
Last updated: Oct 20, 2010 7:53:43 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist&topic=cwbs_samltokenproperties
File name: cwbs_samltokenproperties.html