Enabling Web Service Security With OpenAM WSS Agent

Question

I am struggling with setting up the Web service security with OpenAM. Here is what I have done so far:

1. I looked up openam documentation but I could nto find anything significant which points to web service security implementation details.

2. However I found this link (http://www.oracle.com/technetwork/java/wss-sdn-1-137232.html) on OpenSSO oracle website which gives step by step instructions to secure the web services.

3. Also I found this post (http://www.stormacq.com/web-services-security-with-opensso-security-token-service-sts/) which essentially says that there are many issues one might face while trying to implement WSS in OpenAM.

4. I followed oracle link (point 2 above) and tried to implement the WSS in OpenAM version 10.0.0:

My questions:

• But The WSS Agent I got from OpenAM website is glassfish version. I am not sure if extracting it and including files from it in my service and client will cause any issues if the server is not glassfish. OpenAM website has glassfish version only.

• Another problem is that oracle tutorial was probably written in days of OpenSSO 8.0. Not sure if it will work with Open AM 10. I can see some differences in directory structure already.

• It will be helpful if anyone can point me to any other available documentation for implementation of WSS in OpenAM.

• Is it advisable to use some IDM solution other than OpenAM for WSS security if OpenAM WSS has known issues.

Any help here will be sincerely appreciated. Thanks in Advance.

Answer 1

WSS Agent actually is a JAX-WS filter implementation. It does not rely on GlassFish you can also use it with Tomcat and Metro. However I've not tested it with Apache CXF yet.

Unfortunately there's no real documentation yet. If you face issues you may post it to the OpenAM mailing list.