How to Configure Responses to Produce WS-Security Headers

Web Services Security Guides › CA SiteMinder WSS Policy Configuration Guide › (Optional) Configure Responses to Generate SAML Session Tickets or WS-Security Headers for Outgoing Messages › How to Configure Responses to Produce WS-Security Headers

How to Configure Responses to Produce WS-Security Headers

To configure CA SiteMinder WSS to produce WS-Security headers, create a response and associate it with resources in a web service security policy. This response data is used by the SiteMinder WSS Agent to generate WS‑Security headers. The SiteMinder WSS Agent then inserts these headers into the SOAP message header and delivers them to the protected web service.

Use variable types, if needed, to pass data back to the web service. Variables are resolved by the Policy Server at run time, when it generates the response.

Diagram illustrating how to configure responses to produce WS-Security headers

To configure responses to produce WS-Security Headers for outgoing messages, do the following procedures:

More information:

Review Supported Authentication Schemes for Producing Different WS-Security Header Types

Verify Certificate Requirements

Before you configure a response to produce WS‑Security headers, verify that the following requirements are met:

To produce signed WS‑Security tokens, verify that your enterprise private key and certificate chain are present in the certificate data store (CDS).
To produce WS‑Security X509v3 tokens, verify that your enterprise private key and certificate chain are present in the certificate data store (CDS).

Review Supported Authentication Schemes for Producing Different WS-Security Header Types

You can configure responses to produce any type of WS-Security token upon successful authorization of a request. However, not every authentication scheme gathers all the necessary information (username, clear text password, SOAP message) from an incoming request to create every type of token.

If a response is configured to create a token that requires anything that the configured authentication scheme does not provide, header creation fails. Verify that the authentication method that you plan to use is suitable to produce the WS-Security token that you want to produce in response.

The following table shows which WS-Security tokens can be produced for each authentication method.

	WS-Security Token Types That Can be Produced

Authentication Method	Username and Password	Username and Password Digest	SAML	X.509
Basic (SiteMinder WSS Agent for Web Servers only)	No	Yes	No	No
XML-DCC	Yes	Yes	Yes	Yes
XML-DSIG	No	No	Yes	Yes
SAML Session Ticket	No	No	Yes	Yes
WS-Security Username and Password Token	Yes	Yes	Yes	Yes
WS-Security Username and Password Digest Token	No	Yes	Yes	Yes
WS-Security SAML Token	No	No	Yes	Yes
WS-Security X.509 Token	No	No	Yes	Yes
SiteMinder Session (SMSESSION) Cookie	No	No	No	No

Configure CA SiteMinder WSS to Generate SAML Assertions

If you are configuring CA SiteMinder WSS to add WS-Security headers containing SAML assertions tokens to outgoing messages, you must first perform some additional configuration in the Administrative UI

In all SAML token generation situations, you must create an Affiliate domain. Additionally, you must perform the following steps depending on the version of SAML tokens you need to generate:

To create SAML 1.1 assertions, configure the SAML 1.x Assertion Generator properties file and add Affiliate objects to the Affiliate domain.
To create SAML 2.0 assertions, add SAML 2.0 Service Provider objects to the Affiliate domain.

Note: Affiliate domains and related SAML token functionality are implemented as part of legacy federation on the Policy Server.

SAML 1.x Assertion Generator

If you are configuring CA SiteMinder WSS to add WS-Security tokens containing SAML 1.x assertions to SOAP documents for consumption by other web services, you must configure the SAML Assertion Generator to produce the SAML 1.1 assertions that will be used in those tokens.

Note: The SAML Assertion Generator is a component of CA SiteMinder® legacy federation on the Policy Server.

The SAML Assertion Generator uses static configuration data from two sources to determine how to construct assertions:

SAML Assertion Generator Properties File: Specifies domain-wide SAML assertion generation parameters
Affiliate Objects: Define a set of parameters for the SAML Assertion Generator

Once configured, the SAML Assertion Generator is triggered to generate an assertion when a WS-Security SAML response (which specifies the affiliate to use to generate the assertion and dynamic information about how the assertion and message should be signed) is triggered by an authorizing policy.

Configure the AMAssertionGenerator.properties File

The AMAssertionGenerator.properties file contains domain-wide configuration parameters required for generating SAML assertions.

To configure the AMAssertionGenerator.properties file for CA SiteMinder WSS

Navigate to the following location: policy_server_home/config/properties
Open the AMAssertionGenerator.properties file in a text editor.
Modify the following parameters:

AssertionIssuerID

Specifies the URL of the authentication web service that is issuing the assertion. Must match the Issuer DN in the enterprise certificate. This value is used for unsigned assertions. For example:

AssertionIssuerID = http://www.acmewidget.com/ordering

SecurityDomain

Specifies the domain name of the enterprise issuing the assertion. For example:

SecurityDomain = www.example.com

SourceID

Not used by CA SiteMinder WSS.
Save the file and exit the text editor.
Restart the Policy Server. (Changes made to the AmAssertionGenerator.properties file will not be picked up by the Policy Server until it is restarted.)

Configure Affiliate Domains and Affiliate Objects

You require an affiliate domain containing and affiliate object to configure the SAML Assertion Generator produce SAML 1.x assertions in WS-Security SAML tokens.

To configure affiliate domains and affiliate objects, follow the associated procedures in Federation Manager Guide: Legacy Federation. However, because CA SiteMinder WSS does not use the affiliate object to define an affiliate organization, you do not need to specify all the options.

Note: Affiliate objects configured for CA SiteMinder WSS do not define the affiliate organization for which the assertion is intended. Assertions generated for CA SiteMinder WSS can be sent to any web service protected by the WS-Security authentication scheme (or similarly capable third-party security application).

The following list summarizes the affiliate configuration parameters that CA SiteMinder WSS uses to generate WS-Security SAML tokens. The wizard may require you to enter values for other parameters, but these are not used by CA SiteMinder WSS.

General page

General section: Name

Specifies the name of the affiliate object (must be unique across all affiliate domains).

This name is referenced by WS-Security policy responses (by defining a txm_wssec_saml_affiliate attribute whose value matches the name of the affiliate object).

General section: Active

Activates the affiliate object.

This option must be set for CA SiteMinder WSS to produce SAML 1.x assertions.

Restrictions section: Time

(Optional) Specifies times when assertion can be issued.

Restrictions section: IP Address

(Optional) Specifies IP addresses that are allowed to generate SAML assertions.

User page

Add Members: Specifies the users and groups (from the user directory or directories defined in the affiliate domain) for whom assertions should be generated.

Assertions page

General section: Audience

(Optional) Specifies the URI of a document that describes the terms and conditions of the agreement between the token issuer and consumer. This value is added to the assertion and can be used for authentication purposes. (If a request’s assertion token contains an audience value, that value must match one specified in the WS-Security scheme for the request to be authenticated.)

Additionally, the web service can parse the actual audience document to obtain additional information.

General section: Validity Duration Second(s)

(Optional) Specifies the amount of time, in seconds, that the assertion will be valid.

General section: Skew Time Second(s)

(Optional) Specifies the difference, in seconds, between the system clock time of the SAML assertion producer and the system clock time of the SAML assertion consumer.

Session section: Shared Sessioning

Not used by CA SiteMinder WSS (leave option unset).

Attributes section: Add

(Optional) If specified, an attribute statement will be included in the assertion that can be used for use in authentication and authorization decisions.

Configure SAML 2.0 Service Providers

SAML Service Provider objects define parameters used by the SAML Assertion Generator to produce SAML 2.0 assertions for use in WS-Security SAML tokens.

Note: When you configure a service provider object for use by CA SiteMinder WSS, you are not defining a service provider organization for which the assertion is intended. Assertions generated for CA SiteMinder WSS can be sent to any web service protected by the WS-Security authentication scheme (or similarly capable third-party security application).

To configure SAML Service Provider objects, generally follow the associated procedures in the CA SiteMinder Federation Security Services Guide. However, because CA SiteMinder WSS does not use the affiliate object to define a service provider organization, you do not need to specify all the options. Fields whose use is different for use by CA SiteMinder WSS are described below.

Name: Specifies the name of the service provider object (must be unique across all affiliate domains). This name is referenced by WS-Security policy responses (by defining a txm_wssec_saml_affiliate attribute whose value matches the name of the affiliate object).
Enabled: Sets the Enabled check box to activate the service provider object. This option must be set for CA SiteMinder WSS to produce SAML 2.0 assertions.
Authentication URL: Not used by CA SiteMinder WSS. However, a valid value is required. CA recommends using "http:\\localhost\"
Application URL: Not used by CA SiteMinder WSS.
SSO Tab: Bindings: Choose the HTTP-Post option.

Configure a Response to Produce WS-Security Headers

To define the properties of WS-Security headers you want CA SiteMinder WSS to produce, create a WS-Security header response in an application security policy.

Note: If you are using the domain security model, create a WS-Security header response in the web service domain.

Follow these steps:

Create an application object or modify an existing application object that defines the security policy for a web service.
Click the Response tab.
Click Create Response.
The Create Application Response pane opens.
Type the response name in the General section.
Add response attributes that define the properties of the WS-Security headers, by doing the following steps:
1. Click Create Response Attribute. The Create Response Attribute pane that opens
2. Select the WebAgent-WS-Security-Token response attribute type from the Attribute drop-down list in the Attribute Type section.
3. Select the attribute type (Static, User Attribute, DN Attribute, or Active Response) in the Attribute Kind section.
  The fields on the Attribute Fields group box are updated to match the specified attribute type.
4. Specify a required name/value pair (listed in the following sections) in the Attribute Fields section. Enter values directly in the Variable Name and Variable Value fields or populate those fields with valid values from the Select a Name and Select a Value drop-down lists.
5. Specify Cache Value or Recalculate value every ... seconds on the Attribute Caching group box.
6. Click Submit.
  The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Create Response Attribute pane.
Create further response attributes as required.
Click OK.
The Create Response Task is submitted for processing and you are returned to the Responses tab.

More information:

(Mandatory) Response Attribute Variable for Specifying the Generated WS-Security Token Type

Response Attribute Variables for Encrypting/Decrypting WS-Security Messages

Response Attribute Variables for Handling WS-Security Headers

(Mandatory) Response Attribute Variable for Specifying the Generated WS-Security Token Type

The TXM_WSSEC_TOKEN_TYPE variable name/value pair determines the WS‑Security token type to generate. A response attribute that defines TXM_WSSEC_TOKEN_TYPE is required in all WS-Security header responses.

TXM_WSSEC_TOKEN_TYPE

Specifies the type of WS‑Security token the SiteMinder WSS Agent should create and add to the WS‑Security header for message authentication:

Attribute kind: Static

Variable value: One of the following:

password—Creates a Username and Password Digest token, providing for password digest message authentication. For this token type, the TXM_WSSEC_USER_
PASSWORD response variable must also be configured.
password_nodigest—Creates a Username and Password token, providing clear text password message authentication. For this token type, the TXM_WSSEC_USER_
PASSWORD response variable must also be configured.
X509—Creates an X509v3 token.
SAML—Creates a SAML token, providing for SAML message authentication. For this token type, the TXM_WSSEC_SAML_AFFILIATE response variable must also be configured.

More information:

Review Supported Authentication Schemes for Producing Different WS-Security Header Types

Response Attribute Variables for Generating Username and Password and X.509 Certificate Tokens

The following table describes the response variable name/value pairs for generating username and password (digest or clear text) and X.509 certificate tokens in WS-Security headers. That is, if the TXM_WSSEC_TOKEN_TYPE response attribute variable is set to password, password_nodigest, or X509.

Variable Name	Variable Value	Attribute Type	Meaning
TXM_WSSEC_USER_PASSWORD (Required)	userpassword (Value most common for LDAP user directories -- if you have used a custom naming scheme for your LDAP directory, the value will be different.)	User Attribute	Specifies the LDAP query string that the SiteMinder WSS Agent uses to retrieve the web service consumer’s password from the user store. This value is then placed in the token.
TXM_WSSEC_USER_PASSWORD (Required)	Or password	Static	Specifies a static password value to be used in the token.
TXM_WSSEC_ROLE (Optional)	token_role_name	Static	Specifies the value of a SOAP role attribute that identifies the WS‑Security header element containing the Username and Password or X.509 token.
TXM_WSSEC_TIMESTAMP (optional)	True False	Static	If True, tells the agent to add a wsu:Timestamp element to the WS‑Security SOAP header that specifies the time that the message was created
TXM_WSSEC_TIMESTAMP _EXPIRY (Valid only if TXM_WSSEC_TIMESTAMP is True)	message lifespan in seconds	Static	Tells the agent to add a wsu:Expires element to the wsu:Timestamp element in the WS‑Security SOAP header. The value of the wsu:Expires element is an absolute time based on the time of message creation and the specified message lifespan.
TXM_WSSEC_SIGNATURE (optional)	all body_ts body headers	Static	For WS‑Security tokens of type password or X509, tells the agent to retrieve the enterprise private key from the certificate data store (CDS) and use it to digitally sign all or part of the SOAP document: all—the generated signature will cover the entire SOAP envelope. body_ts—the generated signature will cover the SOAP body and the generated <wsu:Timestamp> element. If a timestamp response attribute is not configured, a message will be logged and the signature will cover only the SOAP body. body—the generated signature will cover the SOAP body. headers—the generated signature will cover the SOAP header containing the generated/modified WS‑Security element. By default, tokens are signed using RSA-SHA1.
TXM_WSSEC_SIGNATURE_ALG (Valid only if TXM_WSSEC_SIGNATURE is set)	rsa-sha1 (default) rsa-sha256	Static	For WS‑Security tokens of type password or X509, defines the signature algorithm the agent uses to sign the part of the SOAP document defined by TXM_WSSEC_SIGNATURE.

Response Attribute Variables for Generating SAML Tokens

The following table describes the response attribute variable name/value pairs for generating SAML tokens in WS-Security headers. That is, if the TXM_WSSEC_TOKEN_TYPE response attribute variable is set to SAML.

Variable Name	Variable Value	Attribute Type	Meaning
TXM_WSSEC_SAML20_ASSERTION (Required for SAML 2.0)	Yes No (default)	Static	Specifies whether the generated SAML assertion token is SAML 2.0 compliant.
TXM_WSSEC_SAML20_SPID (required for SAML 2.0)	SAML_20_audience_value	Static	Specifies the value of the <saml:Audience> element in a generated SAML 2.0 assertion token.
TXM_WSSEC_SAML_AFFILIATE (Required)	affiliate_or_service_provider_object_name	Static	Identifies the affiliate (SAML 1.x) or service provider (SAML 2.0) object that configures how SAML assertions will be produced for inclusion in SAML tokens.
TXM_WSSEC_ SAML_ROLE (optional)	SAML_assertion_token_role_name	Static	Specifies the value of a SOAP role attribute that identifies the WS-Security header element containing the SAML assertion token.
TXM_WSSEC_SAML_SIG_REQUIRED	HK SV SVS	Static	Specifies how the assertion and document should be signed: HK (for holder-of-key)—Only the assertion will be signed (enveloped). SV (for sender-vouches with SSL-based issuer confirmation)—Both assertion and document will be signed (external). SVS (for sender-vouches with signature-based issuer validation)—Assertion is explicitly signed (enveloped) in addition to SV signing. (This option is only supported for SAML 1.x assertions.) Any other value or no value results in the default—an assertion with a bearer confirmation method.
TXM_WSSEC_ SAML_USER_CERT_SRC (Required for holder-of-key signing)	XMLDSIG Client_Cert User_Store	Static	If TXM_WSSEC_SAML_SIG_REQUIRED is set to HK, this value specifies where CA SiteMinder WSS should obtain the web service consumer’s public key: XMLDSIG—The public key will be retrieved from a signed request sent to a web service protected by the XML DSIG authentication scheme. Client_Cert—The public key will be retrieved from SSL. User_Store—the public key should be retrieved from an associated user store. If this value is set, the TXM_WSSEC_SAML_USER_CERT response variable must also be configured. Note: If TXM_WSSEC_SAML_SIG _REQUIRED is set to SV, this option is ignored because no user public key is required.
TXM_WSSEC_ SAML_USER_CERT (Required if web service consumer public key is obtained from a user store for signing)	usercertificate This value is the most common for LDAP user directories. If you have used a custom naming scheme for your LDAP directory, the value will be different.	User Attribute	If TXM_WSSEC_SAML_USER_ CERT_SRC is set to User_Store, specifies the LDAP query string that the SiteMinder WSS Agent uses to retrieve the web service consumer’s public key from the user store for signing SAML assertion tokens. Note: CA SiteMinder WSS automatically completes the query string using the value you specify.
TXM_WSSEC_ SAML_TIMESTAMP (optional)	True False (default)	Static	A value of True causes a timestamp to be generated for use in SAML assertions. Note: If TXM_WSSEC_SAML_SIG _REQUIRED is set to SV or SVS, the timestamp is signed.
TXM_WSSEC_ SAML_TIMESTAMP _EXPIRY (optional)	message _lifespan_in_seconds	Static	Tells the agent to add an expiry element to the timestamp used in SAML assertions. The value of this expiry element is an absolute time based on the time of assertion creation and the specified message lifespan.

More information:

WS-Security SAML Assertion Token

Configure CA SiteMinder WSS to Generate SAML Assertions

Review Supported Authentication Schemes for Producing Different WS-Security Header Types

Response Attribute Variables for Encrypting/Decrypting WS-Security Messages

The following table describes response attribute variable name/value pairs that can be configured to tell the SiteMinder WSS Agent to encrypt message elements or to pass a decrypted version of a message to the recipient web service.

Note: There are two versions of each XML encryption-related name/value pair—use the former for use with messages with username/password or X.509 tokens, use the latter for use with messages with SAML tokens.

Variable Name	Variable Value	Attribute Type	Meaning
TXM_WSSEC_ENCRYPT_PUB_KEY_ROLE or TXM_WSSEC_SAML_ENCRYPT_PUB_KEY_ROLE (required)	name_of_WS‑Security_token_consumer	Static	Specifies the value of a SOAP role attribute that identifies the WS‑Security header element containing the recipient's X.509 certificate. The public key in this certificate is used to encrypt the symmetric key. The corresponding private key must be held by the intended message recipient. This element is required. If no role is specified, the variable must be declared with a null value; CA SiteMinder WSS will then obtain the key in the WS‑Security header with no role, of which only one is allowed.
TXM_WSSEC_ENCRYPT_ DECRYPT or TXM_WSSEC_SAML_ENCR YPT_DECRYPT	True False (default)	Static	Specifies whether the SiteMinder WSS Agent should pass an incoming encrypted message to the web service in its encrypted or decrypted form. If True, the SiteMinder WSS Agent will replace the current message with the decrypted version of the message, if available.
TXM_WSSEC_ENCRYPT_ ELEMENT or TXM_WS SEC_SAML_ENCRYPT_ELEMENT	UsernameToken Assertion Body	Static	Identifies the message element to be encrypted. You should add one such name value/pair for each element you want encrypted. For example, configure one name/value pair for the message body and one name/value pair for the token. For TXM_WSSEC_ENCRYPT_ ELEMENT: If UsernameToken, Username and Password and Username and Password Digest tokens will be encrypted. If Body, the message body will be encrypted. For TXM_WSSEC_SAML_ ENCRYPT_ELEMENT: If Assertion, SAML assertion token will be encrypted. If Body, the message body will be encrypted.
TXM_WSSEC_ENCRYPT_ OR_SIGN_FIRST or TXM_WSSEC_SAML_ ENCRYPT_OR_SIGN_FIRST	Sign (default) Encrypt	Static	Indicates whether encryption or signing should be performed first.
TXM_WSSEC_ENCRYPT_ ALG_KEY or TXM_WSSEC_SAML_ENC RYPT_ALG_KEY	rsa-1_5 (default) rsa_oaep	Static	Indicates the encryption algorithm to use to encrypt the symmetric encryption key.
TXM_WSS EC_ENCRYPT_ALG_DATA or TXM_WSSEC_SAML_ENC RYPT_ALG_DATA	tripledes-cbc (default) aes128-cbc aes256-cbc aes192-cbc	Static	Indicates the encryption algorithm to use to encrypt the data element or elements that have been specified using TXM_WSSEC_ENCRYPT[_SAML] _ELEMENT variables.

Response Attribute Variables for Handling WS-Security Headers

The following table describes response attribute variable name/value pairs that can be configured to tell the SiteMinder WSS Agent how to handle the mustUnderstand attribute in WS‑Security request , or to remove the mustUnderstand or the entire security token from messages passed to the recipient web service.

Variable Name	Variable Value	Attribute Type	Meaning
TXM_WSSEC_MUST_UNDERSTAND (optional)	True False Not set (default)	Static	Determines how the SiteMinder WSS Agent behaves with respect to the mustUnderstand attribute when consuming and producing messages. For specifics of the behavior of this variable when consuming and producing headers, see TXM_WSSEC_MUST_UNDERSTAND Response Variable Effect Detail.
TXM_WSSEC_REMOVE (optional)	True False (default)	Static	Determines whether the SiteMinder WSS Agent removes WS-Security headers from messages. If True, the WS-Security header for a specified actor/role (or the default header if no actor/role is defined) is removed from the inbound document. This setting effectively scrubs credentials. (Default) If False, no change is made to the request document.

Variable Name

Variable Value

Attribute Type

Meaning

TXM_WSSEC_MUST_UNDERSTAND

(optional)

True
False
Not set (default)

Static

Determines how the SiteMinder WSS Agent behaves with respect to the mustUnderstand attribute when consuming and producing messages.

For specifics of the behavior of this variable when consuming and producing headers, see TXM_WSSEC_MUST_UNDERSTAND Response Variable Effect Detail.

TXM_WSSEC_REMOVE

(optional)

True
False (default)

Static

Determines whether the SiteMinder WSS Agent removes WS-Security headers from messages.

If True, the WS-Security header for a specified actor/role (or the default header if no actor/role is defined) is removed from the inbound document. This setting effectively scrubs credentials.
(Default) If False, no change is made to the request document.

More information:

TXM_WSSEC_MUST_UNDERSTAND Response Variable Effect Detail

The following table describes the exact behavior of the SiteMinder WSS Agent when consuming and producing WS‑Security tokens with different values of the TXM_WSSEC_MUST_UNDERSTAND response variable name/value pair.

TXM_WSSEC_MUST_UNDERSTAND Value	Behavior when Consuming WS‑Security Tokens	Behavior when Producing WS‑Security Tokens
Not set	If present in the WS‑Security header, leaves mustUnderstand="1".	Places mustUnderstand="1" in the generated WS‑Security header
False	If present in the WS‑Security header, removes mustUnderstand="1"	Does not place mustUnderstand="1" in the generated WS‑Security header
True	If present in the WS‑Security header, leaves mustUnderstand="1".	Places mustUnderstand="1" in the generated WS‑Security header