PicketLink Configuration: Mask password

The PicketLink Federation configuration for the STS and/or the SAML IDP/SP includes passwords (keystore and signing-key passwords). Based on PLFED-73, we should be able to mask these passwords in the configuration files rather than storing them in clear text.


This should be available as of 1.0.3.CR4 and later (May 2010).

Usage

  • Locate the picketlink-fed-core jar on your operating system. Use the file finder feature.
  • Go to that directory and run the following (the arguments are the salt, the iteration count and the password to mask):

    java -cp picketlink-fed-core-1.0.3.CR3-SNAPSHOT.jar org.picketlink.identity.federation.core.util.PBEUtils 18273645 56 testpass
    Encoded password: MASK-j0zEeKjP7IBywzHTUBd0MQ==

  • Note: In your case, the jar file may just be "picketlink-fed-core.jar".
  • You can now see that for the password "testpass", the encoded password is "MASK-j0zEeKjP7IBywzHTUBd0MQ==". Copy and paste this into the password field of your configuration. In addition, add two properties, one for "salt" and the other for "iterationCount", carrying the same values you passed to PBEUtils.


Example

Before Password Masking


<PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0"
    STSName="Test STS" TokenTimeout="7200" EncryptToken="false">
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
        <Auth Key="KeyStoreURL" Value="keystore/sts_keystore.jks"/>
        <Auth Key="KeyStorePass" Value="testpass"/>
        <Auth Key="SigningKeyAlias" Value="sts"/>
        <Auth Key="SigningKeyPass" Value="keypass"/>
        <ValidatingAlias Key="http://services.testcorp.org/provider1" Value="service1"/>
        <ValidatingAlias Key="http://services.testcorp.org/provider2" Value="service2"/>
    </KeyProvider>
    <RequestHandler>org.picketlink.identity.federation.core.wstrust.StandardRequestHandler</RequestHandler>
    <TokenProviders>
        <TokenProvider ProviderClass="org.picketlink.test.identity.federation.core.wstrust.SpecialTokenProvider"
            TokenType="http://www.tokens.org/SpecialToken"
            TokenElement="SpecialToken"
            TokenElementNS="http://www.tokens.org">
            <Property Key="Property1" Value="Value1"/>
            <Property Key="Property2" Value="Value2"/>
        </TokenProvider>
        <TokenProvider ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider"
            TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
            TokenElement="Assertion"
            TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion"/>
    </TokenProviders>
    <ServiceProviders>
        <ServiceProvider Endpoint="http://services.testcorp.org/provider1" TokenType="http://www.tokens.org/SpecialToken"
            TruststoreAlias="service1"/>
        <ServiceProvider Endpoint="http://services.testcorp.org/provider2" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
            TruststoreAlias="service2"/>
    </ServiceProviders>
</PicketLinkSTS>


Running the commands:

java -cp picketlink-fed-core-1.0.3.CR3-SNAPSHOT.jar org.picketlink.identity.federation.core.util.PBEUtils 18273645 56 testpass
Encoded password: MASK-j0zEeKjP7IBywzHTUBd0MQ==


java -cp picketlink-fed-core-1.0.3.CR3-SNAPSHOT.jar org.picketlink.identity.federation.core.util.PBEUtils 18273645 56 keypass
Encoded password: MASK-ir6cKDE6OoQ=


After masking:


<PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0"
    STSName="Test STS" TokenTimeout="7200" EncryptToken="false">
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
        <Auth Key="KeyStoreURL" Value="keystore/sts_keystore.jks"/>
        <Auth Key="KeyStorePass" Value="MASK-j0zEeKjP7IBywzHTUBd0MQ=="/>
        <Auth Key="SigningKeyAlias" Value="sts"/>
        <Auth Key="SigningKeyPass" Value="MASK-ir6cKDE6OoQ="/>
        <Auth Key="salt" Value="18273645"/>
        <Auth Key="iterationCount" Value="56"/>
        <ValidatingAlias Key="http://services.testcorp.org/provider1" Value="service1"/>
        <ValidatingAlias Key="http://services.testcorp.org/provider2" Value="service2"/>
    </KeyProvider>
    <RequestHandler>org.picketlink.identity.federation.core.wstrust.StandardRequestHandler</RequestHandler>
    <TokenProviders>
        <TokenProvider ProviderClass="org.picketlink.test.identity.federation.core.wstrust.SpecialTokenProvider"
            TokenType="http://www.tokens.org/SpecialToken"
            TokenElement="SpecialToken"
            TokenElementNS="http://www.tokens.org">
            <Property Key="Property1" Value="Value1"/>
            <Property Key="Property2" Value="Value2"/>
        </TokenProvider>
        <TokenProvider ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider"
            TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
            TokenElement="Assertion"
            TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion"/>
    </TokenProviders>
    <ServiceProviders>
        <ServiceProvider Endpoint="http://services.testcorp.org/provider1" TokenType="http://www.tokens.org/SpecialToken"
            TruststoreAlias="service1"/>
        <ServiceProvider Endpoint="http://services.testcorp.org/provider2" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
            TruststoreAlias="service2"/>
    </ServiceProviders>
</PicketLinkSTS>
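A configuration check that follows the procedure above, written here as an added example (it is not PicketLink's own code): it parses the KeyProvider section, flags KeyStorePass or SigningKeyPass values still in clear text, and confirms that a MASK- value is accompanied by the salt and iterationCount properties the server needs to unmask it. The sample configs are constructed from the snippet on this page, trimmed to the KeyProvider section.

```python
import re
import xml.etree.ElementTree as ET

NS = "{urn:picketlink:identity-federation:config:1.0}"
SECRET_KEYS = ("KeyStorePass", "SigningKeyPass")      # Auth keys that carry secrets
MASK_RE = re.compile(r"^MASK-[A-Za-z0-9+/]+={0,2}$")  # shape of PBEUtils output


def audit_config(xml_text):
    """Return a list of findings for every KeyProvider in a PicketLink config."""
    findings = []
    for kp in ET.fromstring(xml_text).iter(NS + "KeyProvider"):
        auth = {a.get("Key"): a.get("Value") for a in kp.findall(NS + "Auth")}
        masked = False
        for key in SECRET_KEYS:
            value = auth.get(key)
            if value is None:
                continue
            if MASK_RE.match(value):
                masked = True
            else:
                findings.append("%s is stored in clear text" % key)
        if masked:
            # A masked value is only usable if salt and iterationCount are present too.
            for prop in ("salt", "iterationCount"):
                if prop not in auth:
                    findings.append("masked password present but Auth %s is missing" % prop)
            if not auth.get("iterationCount", "0").isdigit():
                findings.append("iterationCount is not an integer")
    return findings


# Constructed sample configs (not from a real deployment), before and after masking.
BEFORE = """<PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" STSName="Test STS">
  <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="keystore/sts_keystore.jks"/>
    <Auth Key="KeyStorePass" Value="testpass"/>
    <Auth Key="SigningKeyAlias" Value="sts"/>
    <Auth Key="SigningKeyPass" Value="keypass"/>
  </KeyProvider>
</PicketLinkSTS>"""
AFTER = (BEFORE.replace('Value="testpass"', 'Value="MASK-j0zEeKjP7IBywzHTUBd0MQ=="')
               .replace('Value="keypass"', 'Value="MASK-ir6cKDE6OoQ="')
               .replace("</KeyProvider>", '  <Auth Key="salt" Value="18273645"/>\n'
                        '    <Auth Key="iterationCount" Value="56"/>\n  </KeyProvider>'))

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_config(cfg) or ["ok"])
```

Because the salt and iteration count sit in the same file as the masked value, masking hides the password from casual readers of the configuration but does not protect it from anyone who can read the file, so file permissions on the configuration still matter.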