Sun Java System Identity Server 2004Q2
Sample

SAML XMLSIG Samples Readme File

This sample serves as a basis for using the XMLSIG API in SAML.

I. Prepare the key and certificate

Before trying out this sample, the user needs to create a keystore and a KeyEntry in that keystore. Please note that you must use keytool from JDK 1.3.1 or a later version.

For more detail, please refer to keytool.txt file.

Here, for simplicity, we use a self-signed certificate (selfcert) as an example.

  1. Generate the key pair (selfcert)
    keytool -genkey -keyalg dsa -alias test 
    -dname "cn=sun-unix,ou=SUN Java System Identity Server,o=Sun, c=US"
    -keypass 11111111
    -keystore ./mykeystore
    -storepass 11111111 -validity 180
    This command generates a keystore called "mykeystore" in the current directory. A KeyEntry whose alias is "test" is created and stored in the keystore. If the user wants to generate an RSA key, change "-keyalg dsa" to "-keyalg rsa" in the above command.

    To generate a self-signed certificate, follow steps 2 and 3 from section III of keytool.txt. This is most useful for testing, where the signer and verifier are the same entity and the self-signed certificate therefore has to be imported as a trusted certificate; for commercial deployments, refer to point 2 below.

  2. If your site will receive any Assertion, Request or Response signed by a trusted partner site, you must import that site's certificate into your keystore. Follow steps 4 and 5 in section III of "keytool.txt" to import your partner site's certificate into your keystore.
  3. The user needs to follow steps 6-14 in section III of "keytool.txt" to set up the IS configuration.

    Note: For commercial product development, please always follow keytool.txt to prepare the KeyEntry/Certificate.

II. Instructions to set up the XMLSIG sample

For Solaris
  1. cd to <install dir>/SUNWam/samples/saml/xmlsig
  2. Edit the Makefile

    Modify the environment variables. These environment variables will be used to run the make command.

    • BASE - Set this variable to the install directory.
    • CLASSPATH - Reference the required jars from server.xml of the IS instance.
    • JAVA_HOME - Set this variable to your JDK installation. It should be newer than JDK 1.3.1.
    • BASE_CLASS_DIR - Directory where all the compiled sample classes will be kept.
  3. Run gmake
  4. Set LD_LIBRARY_PATH to <install dir>/SUNWam/servers/bin/https/lib

    A sample script looks like:

    LD_LIBRARY_PATH=/opt/SUNWam/servers/bin/https/lib
    export LD_LIBRARY_PATH
    echo $LD_LIBRARY_PATH
  5. If the user is using an RSA key, edit the <install dir>/SUNWam/locale/amSAML.properties file and change "xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#dsa-sha1" to "xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1".
  6. Run "gmake createsig"

    This command signs the "assertion.xml" file and writes the signed document to the "signature.xml" file. If the user wants to sign a different file, or would like to write the signed document to a different file, simply edit the Makefile: replace "assertion.xml" with the name of the file the user wants to sign, and replace "signature.xml" with the name of the file in which the signed document should be stored.

  7. Run "gmake verifysig"

    This command verifies the "signature.xml" file. The output should be "Doc is valid" or "Doc is not valid". If the user wants to verify a different file, simply edit the "Makefile" and replace "signature.xml" with the name of the file to be verified.

Windows2000
  1. cd to <install dir>\samples\saml\xmlsig
  2. Edit file make.bat

    Modify the environment variables. These environment variables will be used to run the make command.

    • BASE - Set this variable to the install directory.
    • CLASSPATH - Reference the required jars from server.xml of the IS instance.
    • JAVA_HOME - Set this variable to your JDK installation. It should be newer than JDK 1.3.1.
    • BASE_CLASS_DIR - Directory where all the compiled sample classes will be kept.
  3. Run "make" to compile
  4. If the user is using an RSA key, edit the <install dir>/locale/amSAML.properties file and change "xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#dsa-sha1" to "xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1".
  5. Run "make createsig"

    This command signs the "assertion.xml" file and writes the signed document to the "signature.xml" file. If the user wants to sign a different file, or would like to write the signed document to a different file, simply edit the "make.bat" file: replace "assertion.xml" with the name of the file the user wants to sign, and replace "signature.xml" with the name of the file in which the signed document should be stored.

  6. Run "make verifysig"

    This command verifies the "signature.xml" file. The output should be "Doc is valid" or "Doc is not valid". If the user wants to verify a different file, simply edit the "make.bat" file and replace "signature.xml" with the name of the file to be verified.
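The createsig and verifysig targets in both the Solaris and Windows sections above wrap the product's XMLSIG API. The program below is an added example, not part of this sample and not written with the Identity Server XMLSIG classes: it performs the same two operations (sign assertion.xml into signature.xml, then verify signature.xml and print "Doc is valid" or "Doc is not valid") with the JDK's standard javax.xml.crypto.dsig API, which needs JDK 7 or later. It assumes the keystore, alias and password produced by the keytool command in section I, and it picks dsa-sha1 or rsa-sha1 from the key type, which is the same choice the readme asks RSA users to make by hand in amSAML.properties. The class name XmlSigSample and the helper names are this example's own.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XmlSigSample {
    // Assumed values, taken from the keytool command in section I of this readme.
    static final String KEYSTORE = "./mykeystore";
    static final String ALIAS = "test";
    static final char[] PASSWORD = "11111111".toCharArray();

    public static void main(String[] args) throws Exception {
        String in = args.length > 0 ? args[0] : "assertion.xml";   // Makefile default input
        String out = args.length > 1 ? args[1] : "signature.xml";  // Makefile default output
        sign(in, out);
        System.out.println(verify(out) ? "Doc is valid" : "Doc is not valid");
    }

    static KeyStore loadKeyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream is = new FileInputStream(KEYSTORE)) {
            ks.load(is, PASSWORD);
        }
        return ks;
    }

    static Document parse(String path) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // ds:Signature must be namespace-resolved for the API
        return dbf.newDocumentBuilder().parse(new File(path));
    }

    // Enveloped signature over the whole document, placed under the root element.
    static void sign(String inPath, String outPath) throws Exception {
        KeyStore ks = loadKeyStore();
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, PASSWORD);
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        // Same decision as the xmlsigalgorithm setting: RSA keys need rsa-sha1, DSA keys dsa-sha1.
        String sigMethod = "RSA".equals(key.getAlgorithm())
            ? SignatureMethod.RSA_SHA1 : SignatureMethod.DSA_SHA1;

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA1, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(sigMethod, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        X509Data x509 = kif.newX509Data(Collections.singletonList(cert));
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(x509));

        Document doc = parse(inPath);
        DOMSignContext ctx = new DOMSignContext(key, doc.getDocumentElement());
        fac.newXMLSignature(si, ki).sign(ctx);
        try (FileOutputStream os = new FileOutputStream(outPath)) {
            TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(os));
        }
    }

    // Verifies with the certificate already trusted in the keystore, never with the
    // certificate carried inside the document's own KeyInfo.
    static boolean verify(String path) throws Exception {
        Document doc = parse(path);
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) return false;
        PublicKey trusted = loadKeyStore().getCertificate(ALIAS).getPublicKey();
        DOMValidateContext ctx = new DOMValidateContext(trusted, nl.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        // Only accept a signature whose single Reference covers the whole document (URI ""),
        // so a signature over some other fragment is not taken as a signed assertion.
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !"".equals(((Reference) refs.get(0)).getURI())) return false;
        return sig.validate(ctx);
    }
}
```

Run it from the sample directory after section I has been completed: `javac XmlSigSample.java && java XmlSigSample assertion.xml signature.xml`. When the verifier is not the signer, as in point 2 of section I, set ALIAS in verify to the alias under which the partner site's certificate was imported; the point of looking the key up in the keystore rather than trusting the KeyInfo in the document is that a document carrying an attacker-chosen certificate then fails verification instead of validating against its own embedded key.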