Skip to main content

Deploying and Using a Security Token Service (STS)

You have created the service and client keystores as in the previous section. Now create the STS keystore as follows:

Information noteNote: Replace stsspass in the example below with your own passwords. The STS key password stskpass cannot be changed.
openssl req -x509 -days 36525 -newkey rsa:2048 -sha256 -keyout stskey.pem -out 
   stscert.pem -passout pass:stsspass
This command is interactive. Enter the answers for the following questions, for example:
Country Name - US
State or Province Name - Maryland
Locality Name - Baltimore
Organization Name - Sample STS -- NOT FOR PRODUCTION
Organizational Unit Name - IT Department
Common Name - www.sts.com
Email Address - sts@sts.com
openssl pkcs12 -export -inkey stskey.pem -in stscert.pem -out sts.p12 
   -name mystskey -passin pass:stsspass -passout pass:stskpass
keytool -importkeystore -destkeystore stsstore.jks -deststoretype jks -deststorepass stsspass 
   -srckeystore sts.p12 -srcstorepass stskpass -srcstoretype pkcs12
keytool -list -keystore stsstore.jks -storepass stsspass
keytool -exportcert -alias mystskey -storepass stsspass -keystore 
   stsstore.jks -file sts.cer
keytool -printcert -file sts.cer
rm *.pem *.p12

To fix any issues with fixed paths to the keystore and truststore locations within the WSDLs, the source code download uses Maven resource filtering to allow for a relative path to the project base directory to be used instead.

Next, the service keystore will need to have the STS public key added so it trusts it, and vice-versa. Also, the client will need to have the STS' and WSP's certificates added to its truststore, as it relies on symmetric binding to encrypt the SOAP requests it makes to both:

keytool -keystore servicestore.jks -storepass sspass -import -noprompt 
   -trustcacerts -alias mystskey -file sts.cer
keytool -keystore stsstore.jks -storepass stsspass -import -noprompt 
   -trustcacerts -alias myservicekey -file service.cer 
keytool -keystore clientstore.jks -storepass cspass -import -noprompt 
   -trustcacerts -alias mystskey -file sts.cer
keytool -keystore clientstore.jks -storepass cspass -import -noprompt 
   -trustcacerts -alias myservicekey -file service.cer

If you plan on using X.509 authentication of the WSC to the STS (instead of UsernameToken), the former's public key will need to be in the latter's truststore. This can be done with the following commands:

keytool -exportcert -alias myclientkey -storepass cspass -keystore
   clientstore.jks -file client.cer
keytool -keystore stsstore.jks -storepass stsspass -import -noprompt
   -trustcacerts -alias myclientkey -file client.cer

Since the service does not directly trust the client (the purpose for our use of the STS to begin with), we will not add the client's public certificate to the service's truststore as normally done with message-layer encryption.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!