SAML XMLSIG Samples Readme File
This Sample serves as a basis for using XMLSIG API in SAML.
I. Prepare the key and certificate
Before trying out this sample, the user needs to create a keystore and a KeyEntry in that keystore. Please note that you must use the keytool from JDK 1.3.1 or a later version. For more detail, please refer to the keytool.txt file. Here, for simplicity, we use a self-signed certificate (selfcert) as an example.
- Generate the key pair (selfcert)
keytool -genkey -keyalg dsa -alias test
-dname "cn=sun-unix,ou=SUN Java System Identity Server,o=Sun, c=US"
-keypass 11111111
-keystore ./mykeystore
-storepass 11111111 -validity 180
This command will generate a keystore called "mykeystore" in the current directory. A KeyEntry whose alias name is "test" is created and stored in the keystore. If the user wants to generate an RSA key instead, change "-keyalg dsa" to "-keyalg rsa" in the above command.
To generate a self-signed certificate, please follow steps 2 and 3 from section III of keytool.txt. This is mainly useful for testing purposes, where the signer and verifier are the same entity and therefore the self-signed certificate has to be imported as a trusted certificate; for commercial deployments, refer to point 2 below.
- If your site will receive any signed Assertion, Request or Response from your trusted partner's site, you must import this trusted site's certificate into your keystore. Please follow step 4 and step 5 in section III of the file "keytool.txt" to import your partner site's certificate into your keystore.
- The user needs to follow steps 6-14 in section III described in the file "keytool.txt" to set up the IS configuration.
Note: For commercial product development, please always follow keytool.txt to prepare the KeyEntry/Certificate.
II. Instructions to set up the XMLSIG sample
For Solaris
- cd to <install dir>/SUNWam/samples/saml/xmlsig
- Edit the Makefile
Modify the environment variables. These environment variables will be used to run the make command.
BASE - Set this variable to the install directory.
CLASSPATH - Reference the required jars from server.xml of the IS instance.
JAVA_HOME - Set this variable to your installation of the JDK. It should be newer than JDK 1.3.1.
BASE_CLASS_DIR - Directory where all the compiled sample classes will be kept.
- Run gmake
- Set LD_LIBRARY_PATH to <install dir>/SUNWam/servers/bin/https/lib
A sample script looks like:
LD_LIBRARY_PATH=/opt/SUNWam/servers/bin/https/lib
export LD_LIBRARY_PATH
echo $LD_LIBRARY_PATH
- If the user is using an RSA key, edit the file <install dir>/SUNWam/locale/amSAML.properties and change
"xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#dsa-sha1"
to "xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1"
- Run "gmake createsig"
This command will sign the "assertion.xml" file and put the signed document into the "signature.xml" file. If the user wants to sign a different file, or would like to put the signed document into a different file, simply edit the Makefile: replace "assertion.xml" with the filename the user wants to sign, and similarly replace "signature.xml" with the filename to which the signed document should be stored.
- Run "gmake verifysig"
This command will verify the "signature.xml" file. The output should be "Doc is valid" or "Doc is not valid". If the user wants to verify a different file, simply edit the Makefile and replace "signature.xml" with the filename to be verified.
Windows2000
- cd to <install dir>\samples\saml\xmlsig
- Edit the file make.bat
Modify the environment variables. These environment variables will be used to run the make command.
BASE - Set this variable to the install directory.
CLASSPATH - Reference the required jars from server.xml of the IS instance.
JAVA_HOME - Set this variable to your installation of the JDK. It should be newer than JDK 1.3.1.
BASE_CLASS_DIR - Directory where all the compiled sample classes will be kept.
- Run "make" to compile
- If the user is using an RSA key, edit the file <install dir>/locale/amSAML.properties and change
"xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#dsa-sha1"
to "xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1"
- Run "make createsig"
This command will sign the "assertion.xml" file and put the signed document into the "signature.xml" file. If the user wants to sign a different file, or would like to put the signed document into a different file, simply edit the "make.bat" file: replace "assertion.xml" with the filename the user wants to sign, and similarly replace "signature.xml" with the filename to which the signed document should be stored.
- Run "make verifysig"
This command will verify the "signature.xml" file. The output should be "Doc is valid" or "Doc is not valid". If the user wants to verify a different file, simply edit the file "make.bat" and replace "signature.xml" with the filename to be verified.
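As an added example that is not part of this sample or of the XMLSIG API it exercises, the following verifier does the same job as the verifysig target using the standard javax.xml.crypto.dsig API shipped with JDK 6 and later. The point it makes for both the Solaris and Windows verify steps: the signature on "signature.xml" is checked only against the public key of the certificate stored under a given alias in the keystore prepared in section I, never against a key the document itself carries in KeyInfo. The class name VerifySig and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class VerifySig {
    // Usage (assumed): java VerifySig signature.xml ./mykeystore 11111111 test
    public static void main(String[] args) throws Exception {
        String signedFile = args[0], ksPath = args[1], storePass = args[2], alias = args[3];

        // Load the certificate we decided to trust (selfcert or imported partner cert).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, storePass.toCharArray()); }
        Certificate trusted = ks.getCertificate(alias);
        if (trusted == null) throw new IllegalArgumentException("no certificate under alias " + alias);

        // Namespace-aware parsing is required to find ds:Signature; refuse DTDs in signed input.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(signedFile);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) { System.out.println("Doc is not valid"); return; }

        // A fixed KeySelector ignores KeyInfo entirely: only the keystore key can validate.
        KeySelector trustedOnly = KeySelector.singletonKeySelector(trusted.getPublicKey());
        DOMValidateContext ctx = new DOMValidateContext(trustedOnly, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);

        boolean valid = sig.validate(ctx);
        if (!valid) {
            // Report which part failed: the SignatureValue itself or one of the digested References.
            System.out.println("SignatureValue ok: " + sig.getSignatureValue().validate(ctx));
            for (Object r : sig.getSignedInfo().getReferences()) {
                Reference ref = (Reference) r;
                System.out.println("Reference '" + ref.getURI() + "' ok: " + ref.validate(ctx));
            }
        }
        System.out.println(valid ? "Doc is valid" : "Doc is not valid");
    }
}
```

If the signature references the assertion by ID (URI="#...") and the ID attribute is not declared by a DTD or schema, register it on the context with ctx.setIdAttributeNS(element, null, "AssertionID") before calling validate, otherwise the reference lookup fails and the document is reported as not valid.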