Configuring DDF to use external STS


Matthew DeFazio

Aug 31, 2017, 11:06:47 AM
to ddf-users
Hello,

I am having an issue configuring DDF 2.10.3 to use an external STS to retrieve tokens from.

I changed the STS WSDL Address in ddf.security.sts.client.configuration to point to my STS WSDL, but I am getting the following error:

org.apache.cxf.interceptor.Fault: no username available

I suspect that the property ws-security.encryption.username in the STS client is not set correctly.

Is there a way to set ws-security.encryption.username for my STS client? Also, is there more configuration that I need to do?

I am used to configuring the STS client using Spring beans defined in an XML file. Does a similar file exist for DDF, or is all configuration done through the Admin Console?

Thanks!

-Matt D

Scott Tustison

Aug 31, 2017, 11:17:33 AM
to ddf-users
If you'd like to use an STS other than the one we provide with DDF, you need to remove the configuration with id "ddf.security.sts.client.configuration" and create a configuration for "ddf.security.sts.wss.configuration". You also need to set up the handlers in the Web Context Policy Manager with the WSS variants (WSSBASIC or WSSPKI); otherwise we'll generate tokens that only our STS can understand.

Scott

Matthew DeFazio

Sep 14, 2017, 4:54:08 PM
to ddf-users
Thanks Scott. I created a configuration for "ddf.security.sts.wss.configuration" with the property useWss=B"true" and made sure that I had no config file with the id "ddf.security.sts.client.configuration", but my DDF is still using the default STS WSDL location. The directory etc/failed is empty, so the ddf.security.sts.wss.configuration did load, and I can see my values in the Admin Console.

I had to recreate the ddf.security.sts.client.configuration.config file and set the WSDL address to my external STS server to point DDF at my external STS, but DDF cannot retrieve tokens from the external STS due to the "no username available" error I mentioned above.

How does DDF create the sts client after reading the config files? If I can figure out how to add the security.encryption.username property to the STS client, I should be able to retrieve tokens from the external STS.

Thanks,

Matt D

work.ra...@gmail.com

Sep 20, 2017, 4:30:52 PM
to ddf-...@googlegroups.com
I am having this exact same issue. Was there any resolution to this? Can you go into more detail on how to set up the handlers?

Scott Tustison

Sep 26, 2017, 10:40:12 AM
to ddf-users
You need to set useWss=B"true" on the configuration ddf.security.sts.address.provider, not on ddf.security.sts.wss.configuration. If Solr is blowing up because the local STS is being contacted, then you're either missing the config for ddf.security.sts.wss.configuration or a configuration for ddf.security.sts.address.provider which tells it to use the external STS configuration.

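The file-level version of the procedure described in the two replies above, as an added example that is not part of the thread and not DDF project code. It assumes DDF persists each configuration as <DDF_HOME>/etc/<pid>.config in Karaf config syntax (key="value", booleans written as key=B"true"), and that the WSDL-address key in ddf.security.sts.wss.configuration is named "address" (an assumption; the thread only names the Admin Console label "STS WSDL Address"). The Web Context Policy Manager change to the WSSBASIC/WSSPKI handlers is done in the Admin Console and is not shown here.

```shell
#!/bin/sh
# Added example: lay out the three config files the thread describes for
# pointing DDF at an external STS, then check the result.
# Assumptions (not from the thread): config lives at <DDF_HOME>/etc/<pid>.config
# in Karaf syntax, and the WSDL-address key is called "address".

# $1 = DDF_HOME, $2 = WSDL URL of the external STS
ddf_use_external_sts() {
  ddf_home="$1"
  sts_wsdl="$2"
  etc="$ddf_home/etc"
  mkdir -p "$etc"

  # 1. Remove the local-STS client config. While it exists DDF keeps using
  #    the STS it points at (the thread's "still using the default STS").
  rm -f "$etc/ddf.security.sts.client.configuration.config"

  # 2. useWss goes on the address provider, not on the wss configuration.
  printf 'useWss=B"true"\n' > "$etc/ddf.security.sts.address.provider.config"

  # 3. The external STS client settings. Only the WSDL address is written;
  #    endpoint/service names and claims are left to the Admin Console.
  printf 'address="%s"\n' "$sts_wsdl" \
    > "$etc/ddf.security.sts.wss.configuration.config"
}

# Returns 0 when the layout matches the thread's instructions, 1 when a
# stale local client config is still present or a required piece is missing.
ddf_check_external_sts() {
  etc="$1/etc"
  [ ! -e "$etc/ddf.security.sts.client.configuration.config" ] || return 1
  grep -q '^useWss=B"true"$' \
    "$etc/ddf.security.sts.address.provider.config" 2>/dev/null || return 1
  grep -q '^address="https\{0,1\}://' \
    "$etc/ddf.security.sts.wss.configuration.config" 2>/dev/null || return 1
  return 0
}
```

Run ddf_use_external_sts against a stopped DDF_HOME and re-run ddf_check_external_sts after every restart: the check fails as soon as something (an Admin Console save, a feature install) recreates ddf.security.sts.client.configuration.config, which is the situation the second post in this thread describes.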
work.ra...@gmail.com

Sep 26, 2017, 1:04:25 PM
to ddf-...@googlegroups.com
Thanks. I am now using ddf.security.sts.address.provider to set useWss=B"true". I am still getting the same error where it tries to contact the local STS. I found a blueprint file inside the security-sts-realm-2.10.3.jar. I set the values in the blueprint, and the external STS is still not used.