
10-6 Oracle Fusion Middleware Reference for Oracle Security Developer Tools

nonce and createdDate. For this mechanism, the receiver should use the following:

    byte nonce[] = ut.getNonce();
    // check against the used nonces, to make sure this is a new nonce
    Date createdDate = ut.getCreated();
    // check that this createdDate is within an expected clock skew
    boolean valid = ut.isValid(userName, passwd);
    // the above call recomputes the digest from the passwd, the nonce and the
    // created date, and checks that it matches the digest in the username token

All three checks belong together: the digest alone proves knowledge of the password, but only the nonce check (with a cache that is kept at least as long as the clock-skew window) and the createdDate check stop a captured token from being replayed.

For option 4, set the salt and iteration count:

    SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
    byte salt[] = new byte[15];
    random.nextBytes(salt);   // compute a 15 byte random salt
    ut.setSalt(1, salt);
    ut.setIteration(1000);
    SecretKey key = ut.deriveKey("IloveDogs");

Now you can use this secret key to sign or encrypt data.
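As an added example (not part of the Oracle documentation and not the UsernameToken API above), here are the receiver-side checks from this section written out in Python: recompute PasswordDigest = Base64(SHA-1(nonce + created + password)) as the WS-Security UsernameToken Profile defines it, check Created against a clock-skew window, reject replayed nonces with a cache bounded to that window, and derive the option-4 key from password, salt and iteration count. The iterated-SHA-1 derivation and the label-byte-first 16-byte salt layout are taken from UsernameToken Profile 1.1 as I recall it and should be checked against the Oracle implementation; the username, password, nonce and timestamps in demo() are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is raw bytes."""
    h = hashlib.sha1()
    h.update(nonce)
    h.update(created.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_username_token(username, password, nonce, created):
    """Sender side: the field values of a digest-style UsernameToken (no XML)."""
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class NonceCache:
    """Nonces seen recently. ttl must cover 2 * max_skew: a token created at C is
    acceptable until C + skew, and may first be seen as early as C - skew."""

    def __init__(self, ttl_seconds):
        self.ttl = timedelta(seconds=ttl_seconds)
        self._seen = {}  # nonce bytes -> time first seen

    def first_use(self, nonce, now):
        for old in [n for n, t in self._seen.items() if now - t > self.ttl]:
            del self._seen[old]  # keep the cache bounded by the window
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def verify_username_token(token, password, cache, now, max_skew_seconds=300):
    """Receiver side: skew check, digest check, then replay check. Returns (ok, reason).
    The digest is checked before the nonce is recorded so failed guesses do not fill the cache."""
    try:
        nonce = base64.b64decode(token["Nonce"], validate=True)
        created = datetime.fromisoformat(token["Created"].replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return False, "malformed token"
    if created.tzinfo is None:
        return False, "Created must carry a time zone"
    if abs((now - created).total_seconds()) > max_skew_seconds:
        return False, "created outside clock-skew window"
    expected = password_digest(nonce, token["Created"], password)
    if not hmac.compare_digest(expected.encode("ascii"), token["PasswordDigest"].encode("ascii")):
        return False, "digest mismatch"
    if not cache.first_use(nonce, now):
        return False, "nonce replayed"
    return True, "ok"


def make_salt(label):
    """16-byte salt: one label byte (0x01 signature key, 0x02 encryption key) followed by
    15 random bytes. Assumption: the label is the first byte, per the profile as I recall it."""
    if label not in (1, 2):
        raise ValueError("label must be 1 (signature) or 2 (encryption)")
    return bytes([label]) + secrets.token_bytes(15)


def derive_key(password, salt, iteration=1000):
    """Option-4 derivation (assumed from UsernameToken Profile 1.1):
    K1 = SHA-1(password || salt), Ki = SHA-1(K(i-1)); the key is K_iteration, 20 bytes."""
    if iteration < 1:
        raise ValueError("iteration count must be >= 1")
    k = hashlib.sha1(password.encode("utf-8") + salt).digest()
    for _ in range(iteration - 1):
        k = hashlib.sha1(k).digest()
    return k


def demo():
    """Constructed scenario: fresh token, replay of the same token, wrong password, stale token."""
    now = datetime(2010, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
    cache = NonceCache(ttl_seconds=600)
    token = build_username_token("alice", "IloveDogs", b"0123456789abcdef", "2010-05-01T12:00:00Z")
    return [
        verify_username_token(token, "IloveDogs", cache, now)[1],
        verify_username_token(token, "IloveDogs", cache, now)[1],
        verify_username_token(token, "wrong", NonceCache(600), now)[1],
        verify_username_token(token, "IloveDogs", NonceCache(600), now + timedelta(hours=1))[1],
    ]
```

The derived key is only as strong as the password it is stretched from; the salt and iteration count slow down offline guessing but do not turn a weak password into a strong key.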

10.2.3.2 Creating an X509 Token

You can either use the X509BinarySecurityToken constructor followed by the setToken method, or use the equivalent helper method WSSecurity.createBST_X509:

    WSSecurity ws = ...
    X509Certificate cert = ...
    X509BinarySecurityToken x509Token = WSSecurity.createBST_X509(cert);
    // remember to put this inside your WSSecurity header. addX509CertificateToken
    // puts it at the beginning; you can also use a regular DOM method such as
    // appendChild or insertBefore to put it in.
    ws.addX509CertificateToken(x509Token);
    // optionally add a wsu:Id, so you can refer to it
    x509Token.setWsuId("MyCert");

You can also create an X509BinarySecurityToken from a CertPath object if you want to include an entire chain of certificates. To encrypt data with this certificate you need the public key, which you can obtain with cert.getPublicKey(). To sign, however, you need the private key, which you should keep in a keystore. On the receiving side a BST is only an unauthenticated carrier for the certificate: validate the chain against your trust store before using its public key to verify a signature.

10.2.3.3 Creating a Kerberos Token

Kerberos tokens are used, as a rule, in conjunction with the Java GSS-API.

Client Side

Use JAAS authentication with the Kerberos login module. Set up the configuration files and then call login() to log in using this module. This causes the client to contact the Kerberos Authentication Service and obtain a ticket for talking to the Kerberos Ticket-Granting Service:

    LoginContext lc = new LoginContext(...);
    lc.login();

Use JAAS authorization to set the subject into the thread context; the rest of the code should be executed as a privileged action:

    Subject.doAs(lc.getSubject(), action);

Create a GSSContext to talk to a particular server:

    GSSManager gssManager = GSSManager.getInstance();
    GSSName serviceName = gssManager.createName(svcPrincipalName, null);
    GSSContext gssContext = gssManager.createContext(serviceName, null, null,
                                                     GSSCredential.DEFAULT_LIFETIME);

Then call initSecContext. This causes the client to contact the Ticket-Granting Service to obtain a service ticket for that particular server. The token returned by initSecContext is a GSS-wrapped AP_REQ packet:

    byte[] token = new byte[1];
    token = gssContext.initSecContext(token, 0, token.length);

Create a Kerberos BST using this AP_REQ packet:

    WSSecurity ws = ...
    KerberosBinarySecurityToken kbst = ws.createBST_Kerberos(token, WSSURI.vt_GSSKerberosv5);
    ws.addKerberosToken(kbst);

Get the session key carried inside the AP_REQ packet. This is the session key generated by the Ticket-Granting Service and delivered to the client during initSecContext. The getSessionKey call simply calls Subject.getPrivateCredentials to get the list of tickets associated with the subject, and then iterates through them to find the one for that particular server:

    SecretKey sessionKey = KerberosUtils.getSessionKey(lc.getSubject(), svcPrincipalName);

Now you can use this secret key to sign or encrypt data.
Server Side

Use JAAS authentication and authorization as for the client. Create a GSSContext with null credentials:

    GSSManager manager = GSSManager.getInstance();
    GSSContext gssContext = manager.createContext((GSSCredential) null);

Locate the KerberosBinarySecurityToken in the incoming WSSecurity header. You can do this with a DOM search:

    WSSecurity ws = ...
    KerberosBinarySecurityToken kbst = ...

Now extract the AP_REQ from the BST and call acceptSecContext. Check the BST's ValueType first: acceptSecContext expects the GSS-wrapped form (vt_GSSKerberosv5), not a bare Kerberosv5_AP_REQ:

    byte ap_req[] = kbst.getValue();
    gssContext.acceptSecContext(ap_req, 0, ap_req.length);

The context is now established. Note: mutual authentication would need one more round trip, returning the token produced by acceptSecContext to the client.

Now extract the session key. KerberosUtils.getSessionKey is an overloaded method; this particular overload is meant to be used by the server. Internally it decrypts the ap_req packet using the server's key (or the TGT session key) and extracts the key from the decrypted ap_req packet:

    Subject srvrSubject = ...
    SecretKey sessionKey = KerberosUtils.getSessionKey(srvrSubject, ap_req);

Now you can decrypt or verify using this key.
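As an added example serving both 10.2.3.2 and 10.2.3.3 (not code from the Oracle Security Developer Tools and not the Java API shown above), the following Python builds a wsse:BinarySecurityToken element for either an X509v3 certificate or a GSS-wrapped AP_REQ, and on the receiving side checks the ValueType and EncodingType, base64-decodes the value, and for the Kerberos case validates the RFC 2743 InitialContextToken framing that initSecContext puts around the AP_REQ (APPLICATION 0 tag, Kerberos v5 mechanism OID 1.2.840.113554.1.2.2, TOK_ID 01 00). SAMPLE_AP_REQ and SAMPLE_CERT_DER are constructed placeholder bytes, not a real Kerberos message or certificate. JGSS acceptSecContext consumes the wrapped token as-is, so the unwrap here is a pre-check of what you are about to hand it; the X.509 branch only confirms a DER SEQUENCE before the bytes go to a certificate parser and chain validation.

```python
import base64
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ENC_BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
VT_X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
VT_GSS_KERBEROSV5 = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ"

KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")  # OID 1.2.840.113554.1.2.2
TOK_ID_AP_REQ = b"\x01\x00"  # RFC 1964 / RFC 4121 token id for KRB_AP_REQ

# Constructed placeholders: APPLICATION 14 / SEQUENCE shells, not a real AP-REQ or certificate.
SAMPLE_AP_REQ = b"\x6e\x05\x30\x03\x02\x01\x05"
SAMPLE_CERT_DER = b"\x30\x03\x02\x01\x00"

ET.register_namespace("wsse", WSSE_NS)
ET.register_namespace("wsu", WSU_NS)


def der_len(n):
    """DER length: short form below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_der_len(buf, pos):
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def gss_wrap_ap_req(ap_req):
    """RFC 2743 InitialContextToken: [APPLICATION 0] { mech OID, TOK_ID, KRB_AP_REQ }."""
    inner = KRB5_MECH_OID_DER + TOK_ID_AP_REQ + ap_req
    return b"\x60" + der_len(len(inner)) + inner


def gss_unwrap_ap_req(token):
    """Validate the wrapper and return the raw KRB_AP_REQ bytes; ValueError on anything else."""
    if not token or token[0] != 0x60:
        raise ValueError("not an InitialContextToken")
    length, pos = read_der_len(token, 1)
    if pos + length != len(token):
        raise ValueError("length mismatch or trailing data")
    if token[pos:pos + len(KRB5_MECH_OID_DER)] != KRB5_MECH_OID_DER:
        raise ValueError("mechanism is not Kerberos v5")
    pos += len(KRB5_MECH_OID_DER)
    if token[pos:pos + 2] != TOK_ID_AP_REQ:
        raise ValueError("inner token is not KRB_AP_REQ")
    return token[pos + 2:]


def is_gss_krb5_ap_req(token):
    try:
        gss_unwrap_ap_req(token)
        return True
    except ValueError:
        return False


def make_bst(value, value_type, wsu_id):
    """Sender side: wsse:BinarySecurityToken carrying base64(value) with the given ValueType and wsu:Id."""
    el = ET.Element(f"{{{WSSE_NS}}}BinarySecurityToken")
    el.set(f"{{{WSU_NS}}}Id", wsu_id)
    el.set("ValueType", value_type)
    el.set("EncodingType", ENC_BASE64)
    el.text = base64.b64encode(value).decode("ascii")
    return ET.tostring(el, encoding="unicode")


def bst_payload(xml_text):
    """Receiver side: check element, encoding and ValueType, return (ValueType, decoded bytes)."""
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{WSSE_NS}}}BinarySecurityToken":
        raise ValueError("not a wsse:BinarySecurityToken")
    if el.get("EncodingType", ENC_BASE64) != ENC_BASE64:
        raise ValueError("unsupported EncodingType")
    raw = base64.b64decode("".join((el.text or "").split()), validate=True)
    vt = el.get("ValueType")
    if vt == VT_X509V3:
        if not raw or raw[0] != 0x30:
            raise ValueError("X509v3 token is not a DER SEQUENCE")
        return vt, raw  # next step: parse the certificate and validate its chain
    if vt == VT_GSS_KERBEROSV5:
        gss_unwrap_ap_req(raw)  # reject junk before acceptSecContext ever sees it
        return vt, raw  # acceptSecContext wants the wrapped form, so hand over raw
    raise ValueError(f"unsupported ValueType: {vt}")
```

Everything the parser accepts is still unauthenticated input: the Kerberos check only says the bytes are framed as an AP_REQ for the Kerberos mechanism, and the X.509 check only says they begin like a DER certificate. Authentication happens in acceptSecContext and in chain validation, respectively.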

10.2.3.4 Creating a SAML Assertion Token