Warning: This page didn't survive the conversion process and is no longer very usable.

An alternative implementation of a Shibboleth handle is called CryptoShibHandle. Like SharedMemoryShibHandle, a CryptoShibHandle is an opaque reference to a SAML subject. Unlike SharedMemoryShibHandle, however, a CryptoShibHandle introduces no state at the IdentityProvider. Consequently, CryptoShibHandle is well suited for load balanced environments.

A CryptoShibHandle avoids state at the IdentityProvider by encrypting the local principal name and its associated time-to-live (TTL) into the handle itself. Configuration is more involved, however, since the key used to encrypt/decrypt the handle must be created, packaged, and secured.

To enable CryptoShibHandle, perform the following steps:

...

  1. Create a Java keystore. If you're using the default Java cryptography engine you can do this with the keytool command as follows:

     > keytool -genkey -keyalg RSA -keystore cryptohandle.jks -storepass KeyStorePassword -keypass KeyStoreKeyPassword -alias KeyStoreKeyAlias

  2. Place the cryptohandle.jks file in the etc/ directory of your Shibboleth IdP home directory.
  3. Insert a NameMapping element into the IdP config file (see below).
  4. In the IdP config file, set one or more /IdPConfig/RelyingParty/NameID/@nameMapping attributes equal to the value of /IdPConfig/NameMapping/@id (see below).
  5. Restart the IdP (probably means restarting Tomcat+Apache).

To configure an IdP to use CryptoShibHandle, a NameMapping element similar to the following is inserted into the IdP config file (idp.xml):

{code:xml}
<!-- CryptoShibHandle configuration -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="CryptoHandleGenerator">
  <!-- the absolute path to a Java keystore -->
  <KeyStorePath>...</KeyStorePath>
  <!-- the keystore password -->
  <KeyStorePassword>...</KeyStorePassword>
  <!-- the alias of the private key in the keystore -->
  <KeyStoreKeyAlias>...</KeyStoreKeyAlias>
  <!-- the password of the private key in the keystore -->
  <KeyStoreKeyPassword>...</KeyStoreKeyPassword>
  <!-- the keystore type (default: JCEKS) -->
  <KeyStoreType>JCEKS</KeyStoreType>
  <!-- the crypto cipher (default: DESede/CBC/PKCS5Padding) -->
  <Cipher>DESede/CBC/PKCS5Padding</Cipher>
  <!-- the MAC (default: HmacSHA1) -->
  <MAC>HmacSHA1</MAC>
</NameMapping>
{code}

where the attributes of the NameMapping element are the same as SharedMemoryShibHandle (except for the value of the type attribute). The nested elements are summarized in the following table:

Class CryptoShibHandle:

  Element Name          Required   Default
  KeyStorePath          Yes        none
  KeyStorePassword      Yes        none
  KeyStoreKeyAlias      Yes        none
  KeyStoreKeyPassword   Yes        none
  KeyStoreType          No         JCEKS
  Cipher                No         DESede/CBC/PKCS5Padding
  MAC                   No         HmacSHA1

Note: If you are using a standard Java keystore, the KeyStoreType element may be omitted. Otherwise, set the KeyStoreType element to the appropriate type identifier. Also, unless you know what you're doing, use the default values of Cipher and MAC by omitting the child elements from the NameMapping element.
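The mechanism described above, as an added illustration that is not Shibboleth's CryptoShibHandle source: the principal name and its expiry are encrypted under the keystore key and authenticated with a MAC, using the page's default Cipher and MAC, so the IdP holds no per-handle state. The byte layout, the class and method names, and the in-memory key (a deployment would load it from the JCEKS keystore with KeyStore.getKey) are assumptions made for this example.

```java
import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets;
import java.security.*; import java.util.*;
import javax.crypto.*; import javax.crypto.spec.*;

// Stateless handle: base64(iv || DESede-CBC(expiry || principal) || HmacSHA1(iv || ciphertext)).
// The layout and class/method names are assumptions for this illustration, not Shibboleth's own format.
public class CryptoHandleDemo {
    static final String CIPHER = "DESede/CBC/PKCS5Padding", MAC = "HmacSHA1"; // the page's defaults
    static final int IV_LEN = 8, MAC_LEN = 20;                                // DESede block, SHA-1 output
    private final SecretKey key;  // a deployment loads this from the JCEKS keystore via KeyStore.getKey
    private final long ttlMillis; // handleTTL from the NameMapping element

    CryptoHandleDemo(SecretKey key, long ttlSeconds) { this.key = key; this.ttlMillis = ttlSeconds * 1000; }

    private byte[] tag(byte[] iv, byte[] ct) throws Exception {
        Mac mac = Mac.getInstance(MAC);
        mac.init(new SecretKeySpec(key.getEncoded(), MAC)); // MAC keyed from the same keystore key
        mac.update(iv);
        return mac.doFinal(ct);
    }

    String create(String principal) throws Exception {
        byte[] iv = new byte[IV_LEN]; new SecureRandom().nextBytes(iv);
        byte[] name = principal.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + name.length)
                .putLong(System.currentTimeMillis() + ttlMillis).put(name).array();
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = ByteBuffer.allocate(IV_LEN + ct.length + MAC_LEN).put(iv).put(ct).put(tag(iv, ct)).array();
        return Base64.getEncoder().encodeToString(out);
    }

    String resolve(String handle) throws Exception {
        byte[] raw = Base64.getDecoder().decode(handle);
        byte[] iv = Arrays.copyOfRange(raw, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(raw, IV_LEN, raw.length - MAC_LEN);
        byte[] mac = Arrays.copyOfRange(raw, raw.length - MAC_LEN, raw.length);
        if (!MessageDigest.isEqual(mac, tag(iv, ct))) throw new SecurityException("bad MAC"); // check before decrypting
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        ByteBuffer pt = ByteBuffer.wrap(c.doFinal(ct));
        if (pt.getLong() < System.currentTimeMillis()) throw new SecurityException("handle expired");
        byte[] name = new byte[pt.remaining()]; pt.get(name);
        return new String(name, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception { // key generated in memory here for the demo
        CryptoHandleDemo d = new CryptoHandleDemo(KeyGenerator.getInstance("DESede").generateKey(), 1800);
        String h = d.create("jdoe"); System.out.println(h + " -> " + d.resolve(h));
    }
}
```

Because the MAC is checked before any decryption, a tampered or truncated handle is rejected without reaching the CBC padding step, and an expired handle is refused even though the IdP stored nothing about it.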

See the Shibboleth Identity Provider Deployment Guide for more detail regarding CryptoShibHandle configuration. See http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html for general information about cryptographic implementations, conventions and syntax.