Using X.509 token profile

From GEANT2-JRA1 Wiki

The X.509 token profile of the Web Services Security: SOAP Message Security specification is used for sending a valid X.509 certificate in the eduGAIN trust model, which the Authentication Service requires for authenticating the client/user.

The SOAP header includes the following WS-Security header:

[Figure: SOAP Header - AC and UbC profiles]

The implementation of this profile in the perfSONAR architecture MUST be done with the following values:

  • Token type
    • Token: single certificate
    • ValueType URI: #X509v3
  • Token reference
    • Reference to a Binary Security Token
  • Timestamp
  • Signature
    • It has to include a signature of that Binary Security Token

An example of a SOAP message with a security token included following this specification is:

<soapenv:Envelope 
	xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<soapenv:Header>
		<wsse:Security 
			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
			soapenv:actor="ac" 
			soapenv:mustUnderstand="1">
			<wsse:BinarySecurityToken 
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
				EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
				ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
				wsu:Id="CertId-15005985">
					.
					.
					.
			</wsse:BinarySecurityToken>
			<ds:Signature 
				xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
				Id="Signature-29913235">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
					<ds:Reference URI="#STRId-16258050">
						<ds:Transforms>
							<ds:Transform 
								Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
								<wsse:TransformationParameters>
									<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
								</wsse:TransformationParameters>
							</ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
						<ds:DigestValue>DFEHz/yFjGyTvbjLmY99YNWvJWA=</ds:DigestValue>
					</ds:Reference>
					<ds:Reference URI="#Timestamp-25688561">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
						<ds:DigestValue>h+sg8LfU2EQJtELsp6gaZ8p+43Y=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>
					.
					.
					.
				</ds:SignatureValue>
				<ds:KeyInfo Id="KeyId-5686223">
					<wsse:SecurityTokenReference 
						xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
						wsu:Id="STRId-16258050">
						<wsse:Reference URI="#CertId-15005985" 
							ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
			<wsu:Timestamp 
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
				wsu:Id="Timestamp-25688561">
				<wsu:Created>2008-01-14T10:50:10.972Z</wsu:Created>
				<wsu:Expires>2008-01-14T10:55:10.972Z</wsu:Expires>
			</wsu:Timestamp>
		</wsse:Security>
	</soapenv:Header>
	<soapenv:Body>
		.
		.
		.
	</soapenv:Body>
</soapenv:Envelope>
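As an added example (not code from this wiki or from perfSONAR), the following Python check tests whether a received message's WS-Security header satisfies the four requirements listed above (X509v3 token, token reference via SecurityTokenReference, signed token reference, signed and unexpired Timestamp). It assumes the element names, namespaces and wsu:Id linking shown in the example message, and it checks structure only: it does not verify the XML signature or validate the certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
# Namespace and ValueType URIs exactly as used in the example message above
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
def parse_time(s): return datetime.fromisoformat(s.replace("Z", "+00:00"))  # wsu times are UTC
def check_x509_profile(soap_xml, now_iso):
    """List the profile violations found (empty list = conformant); structural check only."""
    sec = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}Security")
    if sec is None:
        return ["no wsse:Security header"]
    problems = []
    # Token type: a single certificate in a BinarySecurityToken whose ValueType is #X509v3
    bst = sec.find(f"{{{WSSE}}}BinarySecurityToken")
    if bst is None or bst.get("ValueType") != X509V3:
        problems.append("BinarySecurityToken missing or ValueType is not #X509v3")
    bst_id = bst.get(f"{{{WSU}}}Id") if bst is not None else None
    sig = sec.find(f"{{{DS}}}Signature")
    if sig is None:
        return problems + ["no ds:Signature"]
    # Token reference: KeyInfo carries a SecurityTokenReference pointing at the token's wsu:Id
    str_el = sig.find(f"{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference")
    ref = str_el.find(f"{{{WSSE}}}Reference") if str_el is not None else None
    if ref is None or bst_id is None or ref.get("URI") != "#" + bst_id:
        problems.append("KeyInfo does not reference the BinarySecurityToken")
    # Signature: MUST cover the token reference (STR-Transform) and the Timestamp
    signed = {r.get("URI") for r in sig.iter(f"{{{DS}}}Reference")}
    if str_el is None or "#" + (str_el.get(f"{{{WSU}}}Id") or "") not in signed:
        problems.append("SecurityTokenReference is not covered by the signature")
    ts = sec.find(f"{{{WSU}}}Timestamp")
    if ts is None:
        return problems + ["no wsu:Timestamp"]
    if "#" + (ts.get(f"{{{WSU}}}Id") or "") not in signed:
        problems.append("Timestamp is not covered by the signature")
    if parse_time(now_iso) > parse_time(ts.findtext(f"{{{WSU}}}Expires")):
        problems.append("Timestamp expired")
    return problems
# Constructed sample with the structure of the example above (token, digests and signature are dummies)
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>
<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
<wsse:BinarySecurityToken ValueType="{X509V3}" wsu:Id="CertId-1">MIIC...</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#STRId-1"><ds:DigestValue>x</ds:DigestValue></ds:Reference>
<ds:Reference URI="#Timestamp-1"><ds:DigestValue>y</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>z</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STRId-1">
<wsse:Reference URI="#CertId-1" ValueType="{X509V3}"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
<wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2008-01-14T10:50:10.972Z</wsu:Created>
<wsu:Expires>2008-01-14T10:55:10.972Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""
```

Calling `check_x509_profile(SAMPLE, "2008-01-14T10:52:00Z")` returns an empty list; the same message checked after its Expires value, or with the ds:Reference to the SecurityTokenReference removed, is reported as non-conformant.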