This command line configuration example:
reads a file
path/to/metadata.xml
containing SAML metadatasigns that document using:
a PKCS#11 token determined by
a PKCS#11 configuration file specifying the toke
a user password
an alias determining which of the token's keys to use
a separate certificate read from
path/to/certificate.pem
writes the results into the file
path/to/output.xml
You can execute the example as follows:
$ .../mda.sh config.xml main
The example configuration file is as follows; it has been verified with MDA version 0.9.2:
<?xml version="1.0" encoding="UTF-8"?> <beans default-init-method="initialize" xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"> <!-- First, we define the stages for our pipeline --> <bean id="source" class="net.shibboleth.metadata.dom.DOMFilesystemSourceStage"> <property name="id" value="source"/> <property name="parserPool"> <bean class="net.shibboleth.utilities.java.support.xml.BasicParserPool" init-method="initialize"/> </property> <property name="source"> <bean class="java.io.File"> <constructor-arg value="path/to/metadata.xml"/> </bean> </property> </bean> <bean id="generateContentReferenceId" class="net.shibboleth.metadata.dom.saml.GenerateIdStage"> <property name="id" value="generateContentReferenceId" /> </bean> <bean id="signMetadata" class="net.shibboleth.metadata.dom.XMLSignatureSigningStage"> <property name="id" value="signMetadata"/> <property name="certificates"> <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"> <property name="resource" value="file:path/to/certificate.pem"/> </bean> </property> <property name="privateKey"> <bean class="net.shibboleth.metadata.util.PKCS11PrivateKeyFactoryBean"> <property name="pkcs11Config" value="path/to/pkcs11.cfg"/> <property name="keyPassword" value="passwordHere"/> <property name="keyAlias" value="key10"/> </bean> </property> </bean> <bean id="serialize" class="net.shibboleth.metadata.pipeline.SerializationStage"> <property name="id" value="serializeIdPs"/> <property name="outputFile"> <bean class="java.io.File"> <constructor-arg value="path/to/output.xml"/> </bean> </property> <property name="serializer"> <bean id="domSerializer" class="net.shibboleth.metadata.dom.DOMElementSerializer" /> </property> </bean> <!-- Next we define a pipeline with all the stages in it --> <bean id="main" class="net.shibboleth.metadata.pipeline.SimplePipeline" init-method="initialize"> <property name="id" value="main"/> <property name="stages"> <list> <ref bean="source"/> <ref bean="generateContentReferenceId" /> <ref bean="signMetadata"/> <ref bean="serialize" /> </list> </property> </bean> </beans>
The PKCS#11 configuration file configures the Sun PKCS#11 bridge. Its contents are specific to the token and operating environment. For example:
Example pkcs11.cfg
# PKCS#11 provider configuration for for OpenSC running under Mac OS X name = OpenSC library = /Library/OpenSC/lib/pkcs11/opensc-pkcs11.so