Standalone Server User Guide

Author          Version   Date       Comments
George Inman    1         19/10/09   First Version
George Inman    1.1       07/12/09   Updated Version
George Inman    1.2       08/12/09   Added endorsed directory instructions

Table of Contents

Introduction
Overview of the Service
Installing the Service
Server Configuration
  The TCPConfiguration element
  General Parameters
  Table 1 Example HTTP Configuration
  SSL Specific Parameters
  Table 2 Example HTTPS Configuration
PDP and CVS Configuration
  Configuring a PERMIS PDP and CVS
  Table 3 PERMIS Policy Configuration Example
  Configuring a Sun PDP
  Table 4 XACML Policy Configuration Example
  Configuring a Trust PDP
  Table 5 Trust PDP Configuration Example
Testing the Server
  Table 6 Test Service Configuration Example
Protocol Information
  Specifying a CVS policy when making a WS-Trust Request
  Table 7 An Example WS-Trust Request with referenced Policy Identifier
  Specifying an Authorisation Policy to use when making an XACMLAuthzRequest
  Table 8 An example SAML-XACML Policy reference
  Table 9 An Example SAML-XACML Request with referenced Policy Identifier
References
Appendix 1 Server WSDL

Introduction

The standalone server is a network accessible, application independent authorisation server that can be used as an application independent PDP or Credential Validation Service (CVS) to respond to any application's request for an authorisation decision. The following instructions explain how to install and tailor the standalone server so that you can make authorisation requests across a network using standardised authorisation protocols and receive authorisation responses for use in your application.

Overview of the Service

The standalone server is a Java [1] based application with an embedded Apache Axis2 [2] service that accepts requests for authorisation in three standardised protocols, all carried as SOAP [3] messages. The first of these is plain XACML [4], which is implemented as a test message handler and should not be used in production environments. The second handler is an XACML over SAML 2.0 [5] message handler; this handler has been produced in accordance with the constrained authorisation profile outlined in [6]. The final handler operates as a WS-Trust [7] CVS handler, which provides the requestor with a SAML assertion containing valid attributes as specified in [8]. Currently the handlers that support the use of multiple policies are the XACML over SAML 2.0 message handler and the WS-Trust message handler.

Request messages should be sent to the server's endpoint, which determines the type of the message from the XML namespace of the request message. Please note that only messages that conform to the relevant message schemas will be accepted by the service.

Installing the Service

Prior to installation the standalone server has the following requirements:
- A Sun Java Runtime Environment. This should be a 1.6 release of the JRE; older versions are not supported.
- Optional: if you wish to make the server available over a network then a single port number should be reserved for the service and this port should then be opened in your firewall.
- Optional: if you wish to run the server using SSL then you may wish to install OpenSSL or similar for use when creating server certificates.

In order to install the service, download the latest release from the PERMIS website (http://sec.cs.kent.ac.uk/permis) and unzip the release package to a folder of your choice. Once the package has been unzipped, open a new terminal window and navigate into the newly unzipped directory.

Before the server can be run you must endorse the XML parsers contained in the endorsed directory of the release. This is done by copying the endorsed directory in the release into the lib directory of your Java installation:

For Windows users:
  C:\standalone> copy endorsed %JAVA_HOME%\lib
For Linux users:
  standalone$ cp -R endorsed $JAVA_HOME/lib

Note that the endorsed override directory read by a Java 6 runtime is lib/endorsed beneath the JRE; if JAVA_HOME points at a JDK rather than a JRE, the directory the runtime actually reads is jre/lib/endorsed.

You should now be ready to test the service by running one of the two following commands:

For Windows users:
  C:\standalone> standalone.bat
For Linux users:
  standalone$ ./standalone.sh

At this point you should be able to verify that the service has been installed properly by navigating to https://localhost:1104, which should show a page similar to the one displayed below.

[Screenshot: Axis2 "Deployed services" page listing AuthzService with the available operations SAML2XACMLAuthzRequest, XACMLAuthzRequest and WsTrustAuthzRequest]

Please ensure that a service named AuthzService has been deployed and that it has three separate operations: SAML2XACMLAuthzRequest, XACMLAuthzRequest and WsTrustAuthzRequest.

Please Note: Occasionally, when started, additional operations are made available. If this occurs please restart the server: there is a bug within the Axis WSDL parsing code that means the schema is occasionally loaded incorrectly, and we are currently working to fix it.

At this stage you should have a fully operational standalone PERMIS authorisation server deployed with two default policies, one of which can be queried using the example SOAP request messages included in the Example Request Messages folder of the release package, using a SOAP client such as SoapUI.

Server Configuration

All server and policy configurations are defined in a single file in the root directory of the release package called permis.xml. This file consists of a single <PERMISStandaloneConfiguration> element containing a single <TCPConfiguration> element, which is used to configure the Axis server itself, followed by the elements used to configure each individual message handler type:
- <PERMISConfiguration> elements configure individual instances of PERMIS;
- <SunPDPConfiguration> elements configure individual instances of the XACML PDP;
- <TrustPDPConfiguration> elements configure individual instances of the Trust PDP;
- <TestService> elements configure GRANT-all or DENY-all handlers.

The TCPConfiguration element

At its most basic the TCPConfiguration element defines the port number upon which the server listens, the number of threads to use for requests and the protocol to use. Where required, additional configuration parameters are included in order to configure the protocol listener, e.g. for SSL. We specify below the possible parameters for this service and their expected contents.

General Parameters

These parameters are required by all server configurations.

<ServerPort> This element is used to specify the port number on which the server should accept incoming requests. It takes a single numeric value. If a port has been opened in your firewall to support this service then this value should match that port.

<ThreadCount> The ThreadCount element is used to specify how many requests can be handled in parallel by the server. The value placed here should be numeric and should vary according to the resources allocated to the system.

<Protocol> The Protocol element specifies the underlying protocol upon which SOAP requests will be received by the server. This may currently contain a value of either http or https. If the system cannot determine the type of the protocol then it will default to http. Note that this means a misspelt value silently produces a cleartext listener, so check the value after editing it.

Table 1 Example HTTP Configuration

  <TCPConfiguration>
    <ServerPort>1104</ServerPort>
    <ThreadCount>10</ThreadCount>
    <Protocol>http</Protocol>
  </TCPConfiguration>

Using the above configuration you should be able to navigate to http://localhost:1104 and view the service as before.

SSL Specific Parameters

These parameters are only required when operating using the HTTPS server.

<PrivateKey> This element should contain a relative or absolute path to a file containing the server's private key. This key will be used to secure the SSL server and may or may not be encrypted. If the file is encrypted, however, the PrivateKeyPassword element must be present.

<PublicKey> This element should contain a relative or absolute path to a file containing a public key certificate (PKC). The PKC in this file must match the private key file defined above.

<PrivateKeyPassword> This element should contain a string representation of the password required to access the private key file. This element is only required when the private key is protected by a password.

<KeyStore> This element should contain a relative or absolute path at which a Java KeyStore file will be created, containing the private key and public key certificate loaded from their respective files. Please note that this file should not exist prior to service initialisation; if the file is found to exist it will be overwritten.

<TrustStore> This element should contain a relative or absolute path that can be used to locate a Java TrustStore file containing the certificates of the server entities that the service trusts. For more information please see Section 4.

<KeyStorePassword> This optional element should contain a string representation of the password that will be used to access the KeyStore file. If this element is not present the KeyStore password will be assumed to be "password".

<TrustStorePassword> This optional element should contain a string representation of the password required to access the TrustStore file. If this element is not present the TrustStore password will be assumed to be "password".

<RequireClientAuthentication> This element specifies whether or not the server should only accept requests from servers with which it has a pre-existing trust relationship, i.e. whose SSL certificate is in the TrustStore. A value of true specifies that only trusted servers can access the service; a value of false specifies that any server may make authorisation requests.

Table 2 Example HTTPS Configuration

  <TCPConfiguration>
    <ServerPort>1104</ServerPort>
    <ThreadCount>10</ThreadCount>
    <Protocol>https</Protocol>
    <!-- SSL only configuration -->
    <PublicKey>server.crt</PublicKey>
    <PrivateKey>server.key</PrivateKey>
    <PrivateKeyPassword>password</PrivateKeyPassword>
    <KeyStore>keystore.jks</KeyStore>
    <KeyStorePassword>password</KeyStorePassword>
    <RequireClientAuthentication>true</RequireClientAuthentication>
    <TrustStore>truststore.jks</TrustStore>
    <TrustStorePassword>password</TrustStorePassword>
  </TCPConfiguration>

If you now navigate to https://localhost:1104 you should be asked by your browser to provide a certificate for authentication. The example trust store included in the release should contain a single PKC that corresponds to a PKCS#12 file in the release named trusted.p12, which has a password of "password". You should now be able to see the service as before.

Please Note: The SSL certificates provided with the release should not be used to provide SSL support in deployed systems, and the example passwords above (and the "password" defaults assumed when the password elements are omitted) should be replaced before deployment.

PDP and CVS Configuration

The authorisation server offers support for several PDP implementations, including the PERMIS PDP/CVS [9], Sun's XACML PDP [10] and Eindhoven's Trust PDP. Each of these configuration types uses a different type of configuration element in the main configuration file:
- <PERMISConfiguration> elements configure an instance of the PERMIS PDP/CVS;
- <SunPDPConfiguration> elements configure an instance of the Sun XACML PDP;
- <TrustPDPConfiguration> elements configure an instance of the Trust PDP.

If an error occurs whilst configuring one of these elements, the element will be skipped and appropriate error information will be written to the log file.

Please Note: At construction the server will attempt to determine a default PDP/CVS for incoming requests. This default policy is defined using the isDefault attribute present on all the PDP configuration elements. Only one default policy may be specified in any configuration file instance.

Configuring a PERMIS PDP and CVS

Each <PERMISConfiguration> element defined in the configuration file describes a separate instance of a PERMIS RBAC server that is accessible through the server's authorisation endpoint. Whilst multiple policies can be configured via this configuration file, only one can be used to access the XACML-only endpoint, or be used for SAML2XACML and WS-Trust requests that do not contain a policy identifier. We call this policy the default policy and specify it with a boolean attribute of the PERMISConfiguration element itself called isDefault.

Please Note: Whilst the server architecture currently supports the use of Obligations in policies, a user-configurable mechanism for enforcing obligations has not yet been implemented. Obligations will therefore only be enforced if the appropriate handling code has been compiled into the server prior to usage.

The possible configuration elements defined for this configuration type are:

<PolicyLocation> The PolicyLocation element specifies the location of the policy to be used with this service. This may take the form of the URL of an LDAP server, a WebDAV server URL, the path to an Attribute Certificate or the path to an XML file.

<PolicyIssuer> The PolicyIssuer specifies the policy writer. When accessing policies that are stored in remote repositories this value is also used to determine the user entry in which the policy is stored.

<PolicyIdentifier> The PolicyIdentifier specifies a unique identifier that can be used to identify the correct policy to be used. This value must match the OID attribute contained in the policy file itself. This value is used to determine which policy to load from repositories, and later this identifier can be used when making both WS-Trust and SAML-XACML requests to determine which policy to use for credential validation or authorisation.

<LDAPACAttribute> This element specifies the LDAP attribute name that is used to hold Attribute Certificates for authorisation.

<LDAPPKCAttribute> This element specifies the LDAP attribute name that is used to hold user PKCs for signature verification.

<CredentialLocation> The CredentialLocation element is used in pull mode to define the repositories from which user credentials should be pulled. This element should take the value of an LDAP or WebDAV attribute repository's URL.

<RootPKC> This element specifies the paths to the certificate authority certificates that can be used when verifying user certificates and signed credentials.

Table 3 PERMIS Policy Configuration Example

  <!-- Example policy configuration using XML and no signature verification.
       This policy is the default policy, as specified by the isDefault attribute. -->
  <PERMISConfiguration isDefault="true">
    <!-- The location of the policy -->
    <PolicyLocation>policy.xml</PolicyLocation>
    <!-- The issuer of the policy -->
    <PolicyIssuer>cn=A Permis Test User,o=Permisv5,c=gb</PolicyIssuer>
    <!-- For XML policies the Policy Identifier may have any unique value but MUST still be set -->
    <PolicyIdentifier>TestPolicy</PolicyIdentifier>
    <!-- The LDAP attribute where the user's policy attributes are stored -->
    <LDAPACAttribute>attributeCertificateAttribute</LDAPACAttribute>
    <!-- The LDAP attribute where the user's PK certificate is stored -->
    <LDAPPKCAttribute>userCertificateAttribute</LDAPPKCAttribute>
    <!-- The location of user credentials -->
    <CredentialLocation>ldap://sec.cs.kent.ac.uk/c=gb</CredentialLocation>
  </PERMISConfiguration>

Since a plain XML policy loaded from disk is not signature-verified, its integrity rests on the file permissions of the policy file and of permis.xml itself. For additional policy configurations please refer to the example permis.xml configuration file included in the release package.

Configuring a Sun PDP

Each <SunPDPConfiguration> element defined in the configuration file describes a separate instance of a Sun XACML PDP accessible through the server's authorisation endpoint. We do not currently support SAML-XACML or WS-Trust requests for this PDP type, and whilst multiple policies can be configured via this configuration file only one can be used to access the XACML-only endpoint. We call this policy the default policy and specify it with a boolean attribute of the SunPDPConfiguration element itself called isDefault.

Please Note: In order to provide access to a Sun XACML PDP instance it MUST be configured as the default policy.

The possible configuration elements defined for this configuration type are:

<PolicyLocation> The PolicyLocation element specifies the absolute or relative path of the policy to be used with this service. This may only take the form of a path to an XML file containing an XACML 2.0 Policy construct. This element must be present at least once and may be used multiple times to specify multiple policies.

Table 4 XACML Policy Configuration Example

  <!-- An example XACML policy configuration -->
  <SunPDPConfiguration isDefault="false">
    <!-- The locations of the required XACML policy files -->
    <PolicyLocation>xacmlpolicy.xml</PolicyLocation>
    <PolicyLocation>xacmlpolicy-second.xml</PolicyLocation>
  </SunPDPConfiguration>

Note that with isDefault="false", as in this example, the Sun PDP is configured but cannot be reached; set isDefault="true" on this element (and on no other) to expose it through the XACML endpoint.

Configuring a Trust PDP

Each <TrustPDPConfiguration> element defined in the configuration file describes a separate instance of a Trust PDP accessible through the server's authorisation endpoint. We do not currently support SAML-XACML or WS-Trust requests for this PDP type, and whilst multiple policies can be configured via this configuration file only one can be used to access the XACML-only endpoint. We call this policy the default policy and specify it with a boolean attribute of the TrustPDPConfiguration element itself called isDefault.

Please Note: In order to provide access to a Trust PDP instance it MUST be configured as the default policy.

The possible configuration elements defined for this configuration type are:

<PolicyConfigFile> The PolicyConfigFile element is used to provide a relative or absolute path to a Trust PDP policy configuration file that defines the policies required to initialise the PDP instance. The element may only be defined once per TrustPDPConfiguration instance.

<TrustServiceConfigFile> The TrustServiceConfigFile element is used to provide a relative or absolute path to a Trust Service configuration file which specifies the class names of the required trust services.

Table 5 Trust PDP Configuration Example

  <TrustPDPConfiguration isDefault="true">
    <!-- The location of the policy configuration file -->
    <PolicyConfigFile>config.xml</PolicyConfigFile>
    <!-- The location of the Trust Service configuration file -->
    <TrustServiceConfigFile>config-trustservice.xml</TrustServiceConfigFile>
  </TrustPDPConfiguration>

For more information on configuring a Trust PDP and the contents of the referenced configuration files please refer to the Trust PDP's installation documents.

Testing the Server

The standalone server also provides a testing mechanism that provides both XACML and SAML-XACML grant and deny handlers. With this service, as long as the server receives correctly formatted requests, either grant or deny replies will always be returned from the default policy endpoints no matter the contents of the request. The test handlers are initialised by adding a <TestService> element to the permis.xml configuration file. This element should have a single attribute, handler, which specifies whether the service returns GRANT or DENY responses: for GRANT responses the attribute should have the value permit and for DENY responses deny. (The example below uses the value grant; check the example permis.xml shipped with your release for the value your version accepts.)

Table 6 Test Service Configuration Example

  <!-- An example GRANT test handler -->
  <TestService handler="grant"/>

Please Note: This handler overrides any other default policies configured in the permis.xml configuration file and must be omitted from production services, since with it present every well-formed request receives the same answer regardless of policy.

Protocol Information

Due to the proliferation of different standards and versions of standards we wish to make clear that, contrary to previous releases of this software, we now only support three distinct message types:
1. xacml-context:Request messages as defined in [4];
2. xacml-samlp:XACMLAuthzDecisionQuery messages as defined in [5];
3. wst:RequestSecurityToken messages as defined in [7] and constrained by [8].

In addition to the standard message types defined in these documents we have also implemented standards-compliant but otherwise un-profiled means of specifying the CVS or authorisation policies to use when making RequestSecurityToken and XACMLAuthzDecisionQuery messages. We are currently in the process of profiling and standardising these requests and will make the full profiles available in the near future.

Specifying a CVS policy when making a WS-Trust Request

In order to specify the CVS policy to use when making a WS-Trust request, the request should first be constructed according to the profile described in [8]. A <wsp:PolicyReference> element should then be added to the body of the request. The URI attribute of this element should contain a policy OID that matches a policy OID configured in the main configuration file of the server (permis.xml). For example, the request below would mean that the policy with the OID mysite-policy is used to provide the credentials for this request.

Table 7 An Example WS-Trust Request with referenced Policy Identifier

  <wst:RequestSecurityToken xmlns="http://www.w3.org/2001/XMLSchema"
      xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wst:TokenType>urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML</wst:TokenType>
    <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/validate</wst:RequestType>
    <wsp:PolicyReference URI="mysite-policy"/>
    <wst:Claims Dialect="http://www.ogf.org/authz/2008/06/CVS/pull">
      <saml:Assertion ID="Permis Credential Validation Service V 1.0"
          IssueInstant="Wed Oct 14 16:10:15 BST 2009" Version="2.0"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Issuer>cn=A Permis Test User,o=PERMISv5,c=gb</saml:Issuer>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName">CN=User0,O=PERMISv5,c=gb</saml:NameID>
        </saml:Subject>
      </saml:Assertion>
    </wst:Claims>
  </wst:RequestSecurityToken>

Specifying an Authorisation Policy to use when making an XACMLAuthzRequest

In order to specify the policy to use when making an XACMLAuthzRequest, the request should first be constructed according to the profile described in [5]. A <Policy> element of type urn:oasis:names:tc:xacml:2.0:policy:schema:os should then be added to the body of the request. The PolicyId attribute of this element should contain a policy OID that matches a policy OID configured in the main configuration file of the server (permis.xml). The RuleCombiningAlgId attribute of this element should be set to urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides and an empty Target element should be included, e.g.

Table 8 An example SAML-XACML Policy reference

  <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="mysite-policy"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target/>
  </Policy>

For example, the request below would mean that the policy with the OID mysite-policy is used to provide the authorisation decision for this request.

Table 9 An Example SAML-XACML Request with referenced Policy Identifier

  <XACMLAuthzDecisionQuery xmlns="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01 file:///home/sfl/work/issrg/oasis-documents/xacml3/XACML-3.0-cd-1-updated-2009-May-07/XSD/xacml-2.0-profile-saml2.0-v2-schema-protocol-cd-1.xsd"
      ID="A2009-10-13T12:57:07" Version="2.0" IssueInstant="2009-10-13T12:58:12.209Z">
    <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <Subject xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <Attribute AttributeId="urn:oid:1.2.826.0.1.3344810.1.1.14" DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>member</AttributeValue>
        </Attribute>
      </Subject>
      <Resource xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>http://www.mysite.com/members</AttributeValue>
        </Attribute>
      </Resource>
      <Action xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>GET</AttributeValue>
        </Attribute>
      </Action>
      <Environment xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"/>
    </xacml-context:Request>
    <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="mysite-policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
      <Target/>
    </Policy>
  </XACMLAuthzDecisionQuery>

The xsi:schemaLocation in this example points at a schema file on the author's workstation; it is only a hint to validating parsers and can be omitted, or pointed at the copy of xacml-2.0-profile-saml2.0-v2-schema-protocol-cd-1.xsd in the resources folder of the release.

References

[1] Gosling, J., Joy, B., Steele, G. and Bracha, G. The Java Language Specification, 3rd Edition. Addison-Wesley Professional, 2005.
[2] Apache Axis2 project, http://ws.apache.org/axis2
[3] Gudgin, M., Hadley, M., Mendelsohn, N. et al. SOAP Version 1.2 Part 1: Messaging Framework. W3C Recommendation, 24 June 2003. http://www.w3.org/TR/2003/REC-soap12-part1-20030624/
[4] OASIS. eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard, 1 February 2005.
[5] OASIS. SAML 2.0 Profile of XACML, Version 2. Committee Draft 1, 16 April 2009.
[6] David W. Chadwick, Linying Su, Romain Laborde. Use of XACML Request Context to Obtain an Authorisation Decision. OGSA Standard, September 2006.
[7] S. Anderson et al. Web Services Trust Language (WS-Trust). Technical report, 2005.
[8] David Chadwick, Linying Su. Use of WS-TRUST and SAML to access a Credential Validation Service. OGSA Draft, June 2009.
[9] PERMIS PDP/CVS, http://sec.cs.kent.ac.uk/permis or http://www.openpermis.org
[10] Sun's XACML PDP, http://sunxacml.sourceforge.net

Appendix 1 Server WSDL

This appendix contains a copy of the WSDL used to generate the PERMIS standalone server's message handling code. For additional schema information please refer to the resources folder in the release package, which contains a copy of this WSDL as well as all the schemas used to generate the service.

  <wsdl:definitions targetNamespace="http://sec.cs.kent.ac.uk/authzservice"
      xsi:schemaLocation="http://schemas.xmlsoap.org/wsdl/ http://schemas.xmlsoap.org/wsdl/wsdl.xsd http://www.w3.org/2001/XMLSchema http://www.w3.org/2001/XMLSchema.xsd"
      xmlns:xacml-policy="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
      xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01"
      xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
      xmlns:ws="http://www.example.com/webservice"
      xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
      xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
      xmlns:tns="http://sec.cs.kent.ac.uk/authzservice"
      xmlns:wsoap="http://www.w3.org/2004/08/wsdl/soap12"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
      xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
      xmlns:xacml-samlp="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <wsdl:types>
      <xsd:schema targetNamespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <xsd:import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os" schemaLocation="access_control-xacml-2.0-policy-schema-os.xsd"/>
      </xsd:schema>
      <xsd:schema targetNamespace="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <xsd:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os" schemaLocation="access_control-xacml-2.0-context-schema-os.xsd"/>
      </xsd:schema>
      <xsd:schema targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <xsd:import namespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512" schemaLocation="http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3.xsd"/>
      </xsd:schema>
      <xsd:schema targetNamespace="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <xsd:import namespace="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01" schemaLocation="xacml-2.0-profile-saml2.0-v2-schema-assertion-cd-1.xsd"/>
      </xsd:schema>
      <xsd:schema targetNamespace="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <xsd:import namespace="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01" schemaLocation="xacml-2.0-profile-saml2.0-v2-schema-protocol-cd-1.xsd"/>
      </xsd:schema>
      <xsd:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <xsd:import namespace="urn:oasis:names:tc:SAML:2.0:protocol" schemaLocation="saml-schema-protocol-2.0.xsd"/>
      </xsd:schema>
      <xsd:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <xsd:import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
      </xsd:schema>
    </wsdl:types>
    <wsdl:message name="saml2XACMLAuthzRequestMessage">
      <wsdl:part name="parameters" element="xacml-samlp:XACMLAuthzDecisionQuery"/>
    </wsdl:message>
    <wsdl:message name="WsTrustAuthzResponseMessage">
      <wsdl:part name="parameters" element="wst:RequestSecurityTokenResponse"/>
    </wsdl:message>
    <wsdl:message name="WsTrustAuthzRequestMessage">
      <wsdl:part name="parameters" element="wst:RequestSecurityToken"/>
    </wsdl:message>
    <wsdl:message name="saml2XACMLAuthzResponseMessage">
      <wsdl:part name="parameters" element="samlp:Response"/>
    </wsdl:message>
    <wsdl:message name="xacmlAuthzRequestMessage">
      <wsdl:part name="parameters" element="xacml-context:Request"/>
    </wsdl:message>
    <wsdl:message name="xacmlAuthzResponseMessage">
      <wsdl:part name="parameters" element="xacml-context:Response"/>
    </wsdl:message>
    <wsdl:portType name="AuthzInterface">
      <wsdl:operation name="XACMLAuthzRequest">
        <wsdl:input message="tns:xacmlAuthzRequestMessage"/>
        <wsdl:output message="tns:xacmlAuthzResponseMessage"/>
      </wsdl:operation>
      <wsdl:operation name="WsTrustAuthzRequest">
        <wsdl:input message="tns:WsTrustAuthzRequestMessage"/>
        <wsdl:output message="tns:WsTrustAuthzResponseMessage"/>
      </wsdl:operation>
      <wsdl:operation name="SAML2XACMLAuthzRequest">
        <wsdl:input message="tns:saml2XACMLAuthzRequestMessage"/>
        <wsdl:output message="tns:saml2XACMLAuthzResponseMessage"/>
      </wsdl:operation>
    </wsdl:portType>
    <wsdl:binding name="AuthzSoapHttpBinding" type="tns:AuthzInterface">
      <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
      <wsdl:operation name="XACMLAuthzRequest">
        <soap:operation soapAction="urn:oasis:names:tc:xacml:2.0:policy:schema:os"/>
        <wsdl:input><soap:body use="literal"/></wsdl:input>
        <wsdl:output><soap:body use="literal"/></wsdl:output>
      </wsdl:operation>
      <wsdl:operation name="WsTrustAuthzRequest">
        <soap:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust"/>
        <wsdl:input><soap:body use="literal"/></wsdl:input>
        <wsdl:output><soap:body use="literal"/></wsdl:output>
      </wsdl:operation>
      <wsdl:operation name="SAML2XACMLAuthzRequest">
        <soap:operation soapAction="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01"/>
        <wsdl:input><soap:body use="literal"/></wsdl:input>
        <wsdl:output><soap:body use="literal"/></wsdl:output>
      </wsdl:operation>
    </wsdl:binding>
    <wsdl:service name="AuthzService">
      <wsdl:port name="AuthzEndpoint" binding="tns:AuthzSoapHttpBinding">
        <soap:address location="https://localhost:1104/axis2/services/AuthzService.AuthzEndpoint"/>
      </wsdl:port>
    </wsdl:service>
  </wsdl:definitions>
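The permis.xml settings described under Server Configuration, PDP and CVS Configuration and Testing the Server above lend themselves to a mechanical check before deployment. The following Python script is an added example written for this guide; it is not part of the PERMIS release and assumes only what the guide documents: a missing KeyStorePassword or TrustStorePassword means "password", an unrecognised Protocol value falls back to http, a Sun or Trust PDP is reachable only when it is the default, exactly one PDP element may carry isDefault="true", and a TestService element overrides every policy. Both configurations it checks are constructed for the example, and the hardened one uses placeholder passwords.

```python
"""Audit a permis.xml for the pitfalls this guide describes (added example, not PERMIS code)."""
import xml.etree.ElementTree as ET

PDP_TAGS = ("PERMISConfiguration", "SunPDPConfiguration", "TrustPDPConfiguration")
# Per the guide, these two PDP types are only reachable when they are the default.
DEFAULT_ONLY_TAGS = ("SunPDPConfiguration", "TrustPDPConfiguration")


def _text(parent, tag):
    node = parent.find(tag)
    return node.text.strip() if node is not None and node.text else None


def audit_permis_xml(xml_text):
    """Return a list of findings; an empty list means none of the documented pitfalls were seen."""
    root = ET.fromstring(xml_text)
    findings = []
    tcp = root.find("TCPConfiguration")
    if tcp is None:
        return ["no TCPConfiguration element"]

    protocol = (_text(tcp, "Protocol") or "").lower()
    if protocol != "https":
        # The guide: a Protocol value the server cannot recognise silently falls back to http.
        findings.append("Protocol=%r: cleartext listener (server falls back to http)" % protocol)
    else:
        for tag in ("KeyStorePassword", "TrustStorePassword"):
            value = _text(tcp, tag)
            if value is None:
                findings.append("%s absent: server assumes the default 'password'" % tag)
            elif value == "password":
                findings.append("%s is the shipped default 'password'" % tag)
        if _text(tcp, "PrivateKeyPassword") == "password":
            findings.append("PrivateKeyPassword is the shipped default 'password'")
        if (_text(tcp, "RequireClientAuthentication") or "false").lower() != "true":
            findings.append("RequireClientAuthentication is not true: any client may ask for decisions")

    test = root.find("TestService")
    if test is not None:
        findings.append("TestService handler=%r present: overrides every configured policy" % test.get("handler"))

    defaults = [e.tag for e in root if e.tag in PDP_TAGS and e.get("isDefault", "false").lower() == "true"]
    if len(defaults) != 1:
        findings.append('expected exactly one isDefault="true" PDP, found %d %s' % (len(defaults), defaults))
    for e in root:
        if e.tag in DEFAULT_ONLY_TAGS and e.get("isDefault", "false").lower() != "true":
            findings.append("%s is not the default, so it is configured but unreachable" % e.tag)
    return findings


# Constructed sample: the guide's Table 2/3/4/6 fragments assembled with the weak defaults left in.
WEAK_CONFIG = """<PERMISStandaloneConfiguration>
  <TCPConfiguration>
    <ServerPort>1104</ServerPort>
    <ThreadCount>10</ThreadCount>
    <Protocol>https</Protocol>
    <PublicKey>server.crt</PublicKey>
    <PrivateKey>server.key</PrivateKey>
    <PrivateKeyPassword>password</PrivateKeyPassword>
    <KeyStore>keystore.jks</KeyStore>
    <RequireClientAuthentication>false</RequireClientAuthentication>
    <TrustStore>truststore.jks</TrustStore>
    <TrustStorePassword>password</TrustStorePassword>
  </TCPConfiguration>
  <PERMISConfiguration isDefault="true">
    <PolicyLocation>policy.xml</PolicyLocation>
    <PolicyIdentifier>TestPolicy</PolicyIdentifier>
  </PERMISConfiguration>
  <SunPDPConfiguration isDefault="false">
    <PolicyLocation>xacmlpolicy.xml</PolicyLocation>
  </SunPDPConfiguration>
  <TestService handler="grant"/>
</PERMISStandaloneConfiguration>"""

# Constructed sample: the same deployment with the findings addressed (passwords are placeholders).
HARDENED_CONFIG = """<PERMISStandaloneConfiguration>
  <TCPConfiguration>
    <ServerPort>1104</ServerPort>
    <ThreadCount>10</ThreadCount>
    <Protocol>https</Protocol>
    <PublicKey>server.crt</PublicKey>
    <PrivateKey>server.key</PrivateKey>
    <PrivateKeyPassword>Kq7!vR2pLx9s</PrivateKeyPassword>
    <KeyStore>keystore.jks</KeyStore>
    <KeyStorePassword>Mz4#tY8wQe1d</KeyStorePassword>
    <RequireClientAuthentication>true</RequireClientAuthentication>
    <TrustStore>truststore.jks</TrustStore>
    <TrustStorePassword>Pb6$nH3jUa5f</TrustStorePassword>
  </TCPConfiguration>
  <PERMISConfiguration isDefault="true">
    <PolicyLocation>policy.xml</PolicyLocation>
    <PolicyIdentifier>TestPolicy</PolicyIdentifier>
  </PERMISConfiguration>
</PERMISStandaloneConfiguration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_permis_xml(cfg) or "no findings")
```

Run it against the real permis.xml with audit_permis_xml(open("permis.xml").read()) before the server goes live; a finding about TestService or about RequireClientAuthentication is the one that turns the server into an oracle that answers anyone.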

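To show the SAML-XACML exchange end to end (the request of Table 9 carrying the Table 8 policy reference, sent to the HTTPS listener of Table 2, and the decision read back), here is an added Python example written for this guide; it is not taken from the PERMIS release or its Example Request Messages folder. It assumes a SOAP 1.1 envelope, matching the soap: binding in the appendix WSDL, and that the reply carries the xacml-context:Response inside a samlp:Response as the SAML 2.0 profile of XACML describes. The sample reply embedded in it is constructed, not captured from a server, and the endpoint, certificate and key file names are placeholders.

```python
"""SAML-XACML query with a policy reference, and fail-closed decision parsing (added example)."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1, per the soap: binding in the WSDL
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_QUERY = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01"
NS_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS_POLICY = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _attributes(pairs):
    # Quote everything caller-supplied so an attribute value cannot smuggle in its own <Policy>.
    return "".join(
        "<Attribute AttributeId=%s DataType=%s><AttributeValue>%s</AttributeValue></Attribute>"
        % (quoteattr(aid), quoteattr(XS_STRING), escape(value)) for aid, value in pairs)


def build_authz_query(subject, resource, action, policy_id, query_id, issue_instant):
    """XACMLAuthzDecisionQuery laid out as in Table 9; policy_id=None omits the Table 8 reference."""
    policy = "" if policy_id is None else (
        "<Policy xmlns=%s PolicyId=%s RuleCombiningAlgId=%s><Target/></Policy>"
        % (quoteattr(NS_POLICY), quoteattr(policy_id), quoteattr(PERMIT_OVERRIDES)))
    return (
        "<XACMLAuthzDecisionQuery xmlns=%s ID=%s Version=\"2.0\" IssueInstant=%s>"
        "<xacml-context:Request xmlns:xacml-context=%s>"
        "<Subject xmlns=%s>%s</Subject><Resource xmlns=%s>%s</Resource>"
        "<Action xmlns=%s>%s</Action><Environment xmlns=%s/>"
        "</xacml-context:Request>%s</XACMLAuthzDecisionQuery>"
        % (quoteattr(NS_QUERY), quoteattr(query_id), quoteattr(issue_instant), quoteattr(NS_CTX),
           quoteattr(NS_CTX), _attributes(subject), quoteattr(NS_CTX), _attributes(resource),
           quoteattr(NS_CTX), _attributes(action), quoteattr(NS_CTX), policy))


def soap_envelope(body_xml):
    return ("<soapenv:Envelope xmlns:soapenv=%s><soapenv:Body>%s</soapenv:Body></soapenv:Envelope>"
            % (quoteattr(NS_SOAP), body_xml))


def referenced_policy_id(query_xml):
    """PolicyId carried by the <Policy> reference in a query, or None if there is none."""
    policy = ET.fromstring(query_xml).find(".//{%s}Policy" % NS_POLICY)
    return None if policy is None else policy.get("PolicyId")


def decision(response_xml):
    """The single XACML Decision string, or None unless the reply is a clean single-result success."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return None
    if root.find(".//{%s}Fault" % NS_SOAP) is not None:
        return None
    status = root.find(".//{%s}StatusCode" % NS_SAMLP)
    if status is None or status.get("Value") != SAML_SUCCESS:
        return None
    decisions = root.findall(".//{%s}Decision" % NS_CTX)
    if len(decisions) != 1:
        return None
    return (decisions[0].text or "").strip()


def is_permitted(response_xml):
    """Fail closed: Deny, Indeterminate, NotApplicable, faults and malformed replies all mean no."""
    return decision(response_xml) == "Permit"


def client_tls_context(ca_file, cert_file, key_file):
    """Trust only the server's CA and present a client certificate (RequireClientAuthentication=true)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def send(endpoint, envelope, soap_action=NS_QUERY, context=None):
    """POST one envelope to the AuthzService endpoint (network call; not used by the offline demo)."""
    req = urllib.request.Request(endpoint, data=envelope.encode("utf-8"), headers={
        "Content-Type": "text/xml; charset=utf-8", "SOAPAction": '"%s"' % soap_action})
    with urllib.request.urlopen(req, context=context) as resp:
        return resp.read().decode("utf-8")


# Constructed sample reply: shape assumed from the SAML 2.0 profile of XACML, not captured from PERMIS.
SAMPLE_PERMIT = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="r1" Version="2.0" IssueInstant="2009-10-13T12:58:13Z">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a1" Version="2.0" IssueInstant="2009-10-13T12:58:13Z">
  <saml:Issuer>cn=A Permis Test User,o=PERMISv5,c=gb</saml:Issuer>
  <xacml-saml:XACMLAuthzDecisionStatement xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01">
   <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
    <xacml-context:Result><xacml-context:Decision>Permit</xacml-context:Decision></xacml-context:Result>
   </xacml-context:Response>
  </xacml-saml:XACMLAuthzDecisionStatement>
 </saml:Assertion>
</samlp:Response></soapenv:Body></soapenv:Envelope>"""

if __name__ == "__main__":
    query = build_authz_query(
        subject=[("urn:oid:1.2.826.0.1.3344810.1.1.14", "member")],
        resource=[("urn:oasis:names:tc:xacml:1.0:resource:resource-id", "http://www.mysite.com/members")],
        action=[("urn:oasis:names:tc:xacml:1.0:action:action-id", "GET")],
        policy_id="mysite-policy", query_id="A2009-10-13T12:57:07", issue_instant="2009-10-13T12:58:12.209Z")
    print(soap_envelope(query))
    print("permitted:", is_permitted(SAMPLE_PERMIT))
```

The decision parser fails closed: a SOAP fault, a non-Success SAML status, more than one Result, or any decision other than Permit all come back as not permitted, which is what a PEP calling this server should do. To talk to a listener configured with RequireClientAuthentication set to true, pass the result of client_tls_context(...) to send, built from a certificate that is in the server's TrustStore and with the CA file that issued the server certificate rather than the system bundle. Attribute values are XML-escaped on the way in, so a value chosen by a user cannot add a second <Policy> element and redirect the request to a different policy.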

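The WS-Trust exchange of Table 7 can be driven the same way. The following is an added Python example for this guide (not PERMIS code): it builds the RequestSecurityToken with the wsp:PolicyReference and then extracts the validated attributes from the reply. The guide does not show the reply, so the example assumes the WS-Trust 1.3 shape, a wst:RequestSecurityTokenResponse with the returned SAML assertion inside wst:RequestedSecurityToken; the sample reply, the subject DN and the role attribute (using the urn:oid:1.2.826.0.1.3344810.1.1.14 attribute identifier from Table 9) are constructed for the example.

```python
"""WS-Trust CVS request with wsp:PolicyReference, and reading the validated attributes back (added example)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS_WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
NS_WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TOKEN_TYPE = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
REQUEST_TYPE = "http://schemas.xmlsoap.org/ws/2005/02/trust/validate"  # as printed in Table 7
CVS_PULL_DIALECT = "http://www.ogf.org/authz/2008/06/CVS/pull"
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName"


def build_cvs_request(subject_dn, issuer_dn, policy_id, assertion_id, issue_instant):
    """RequestSecurityToken laid out as in Table 7; policy_id=None leaves out the PolicyReference."""
    ref = "" if policy_id is None else "<wsp:PolicyReference URI=%s/>" % quoteattr(policy_id)
    return (
        "<wst:RequestSecurityToken xmlns:wst=%s xmlns:wsp=%s>"
        "<wst:TokenType>%s</wst:TokenType><wst:RequestType>%s</wst:RequestType>%s"
        "<wst:Claims Dialect=%s>"
        "<saml:Assertion xmlns:saml=%s ID=%s IssueInstant=%s Version=\"2.0\">"
        "<saml:Issuer>%s</saml:Issuer>"
        "<saml:Subject><saml:NameID Format=%s>%s</saml:NameID></saml:Subject>"
        "</saml:Assertion></wst:Claims></wst:RequestSecurityToken>"
        % (quoteattr(NS_WST), quoteattr(NS_WSP), TOKEN_TYPE, REQUEST_TYPE, ref,
           quoteattr(CVS_PULL_DIALECT), quoteattr(NS_SAML), quoteattr(assertion_id),
           quoteattr(issue_instant), escape(issuer_dn), quoteattr(X509_SUBJECT_NAME), escape(subject_dn)))


def referenced_policy(rst_xml):
    """URI of the wsp:PolicyReference in a request, or None."""
    ref = ET.fromstring(rst_xml).find(".//{%s}PolicyReference" % NS_WSP)
    return None if ref is None else ref.get("URI")


def validated_attributes(rstr_xml, expected_subject, expected_issuer):
    """Attribute name -> values from the returned assertion, or {} if anything does not line up."""
    try:
        root = ET.fromstring(rstr_xml)
    except ET.ParseError:
        return {}
    token = root.find(".//{%s}RequestedSecurityToken" % NS_WST)   # assumed WS-Trust 1.3 RSTR shape
    assertion = None if token is None else token.find("{%s}Assertion" % NS_SAML)
    if assertion is None:
        return {}
    issuer = (assertion.findtext("{%s}Issuer" % NS_SAML) or "").strip()
    name_id = assertion.find("{%s}Subject/{%s}NameID" % (NS_SAML, NS_SAML))
    # Only accept attributes asserted about the subject we asked for, by the CVS we expect.
    # Plain string comparison of DNs; the guide does not describe signing of the reply, so the
    # HTTPS configuration with client authentication is what binds this reply to the server.
    if issuer != expected_issuer or name_id is None or (name_id.text or "").strip() != expected_subject:
        return {}
    result = {}
    for attr in assertion.iterfind(".//{%s}AttributeStatement/{%s}Attribute" % (NS_SAML, NS_SAML)):
        values = [(v.text or "").strip() for v in attr.findall("{%s}AttributeValue" % NS_SAML)]
        result.setdefault(attr.get("Name"), []).extend(values)
    return result


SUBJECT = "CN=User0,O=PERMISv5,c=gb"
CVS_ISSUER = "cn=A Permis Test User,o=PERMISv5,c=gb"

# Constructed sample reply carrying one validated role attribute for the subject above.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
 <wst:TokenType>urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML</wst:TokenType>
 <wst:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="v1" Version="2.0" IssueInstant="2009-10-14T15:10:16Z">
   <saml:Issuer>cn=A Permis Test User,o=PERMISv5,c=gb</saml:Issuer>
   <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName">CN=User0,O=PERMISv5,c=gb</saml:NameID></saml:Subject>
   <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.2.826.0.1.3344810.1.1.14">
     <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""

if __name__ == "__main__":
    print(build_cvs_request(SUBJECT, CVS_ISSUER, "mysite-policy", "req-1", "2009-10-14T15:10:15Z"))
    print(validated_attributes(SAMPLE_RSTR, SUBJECT, CVS_ISSUER))
```

Only attributes asserted by the expected issuer about the subject that was asked for are returned; anything else yields an empty map, so a caller cannot be handed someone else's roles by a mis-routed or tampered reply. The request builder quotes the subject DN, the issuer and the policy identifier, so a DN containing quotes or angle brackets still produces well-formed XML rather than an altered request.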