The STS configuration file
The STS configuration file specifies various aspects of the CICS® Security Token Service (STS).
CICS uses a file called sts.xml in the directory that is identified by the JVMPROFILEDIR SIT parameter. If that file does not exist, CICS uses the file that is specified by the JVM property com.ibm.cics.sts.config in the JVM server profile. For example:
-Dcom.ibm.cics.sts.config=/var/security/sts/sts-config.xml
A sample STS configuration file, sts-config.xml, is supplied for reference. The XML schema file, sts.xsd, is supplied in the /usr/lpp/cicsts/cicsts52/schemas/sts directory.
The STS configuration file contains the following elements:
- <keystore>
- Defines the RACF® keystore type, which is given in the <type> child element. The possible values are JCERACFKS and JCECCARACFKS (the latter selects the IBMJCECCA provider, so private-key operations go through ICSF hardware cryptography). The default value is JCERACFKS.
- <issuer>
- Defines the STS as an asserting party. This element contains the
following elements:
- <format>
- Contains any string, typically a SAML name-identifier format URI such as the one in the example below. There is no default value.
- <uri>
- Contains any string. The default value is http://cics.
- <signature>
- Specifies the hash algorithm and the certificate label. This element
has the following attribute:
- hash_algorithm
- Possible values are sha-1 and sha-2. The default value is sha-2. Keep sha-2 unless a relying party cannot verify it: SHA-1 is no longer considered secure for digital signatures.
- <certificate>
- This element contains the following element:
- <label>
- The value of the RACF certificate label. The default value is CICSCERT.
- <clock_skew>
- The clock skew time, in milliseconds. The default value is 180000 ms (3 minutes).
A clock skew allows for any time difference in system clocks on different computers. It is applied to all timing conditions in a SAML token, so a larger value also widens the window in which an expired or not-yet-valid token is accepted; set it no larger than the actual drift between the CICS system and the token parties requires.
The following figure shows an example of an STS configuration file with all elements set:
<sts_configuration xmlns="https://www.ibm.com/xmlns/prod/cics/JVMSERVER/stsconfig">
    <keystore>
        <type>JCECCARACFKS</type>
    </keystore>
    <issuer>
        <format>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</format>
        <uri>http://cics</uri>
    </issuer>
    <signature hash_algorithm="sha-1">
        <certificate>
            <label>CICSCERT</label>
        </certificate>
    </signature>
    <clock_skew>90000</clock_skew>
</sts_configuration>
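The following script is an added example, not IBM code or part of the CICS product: it parses an STS configuration file with the namespace, element names and documented defaults from this page, computes the effective settings (explicit value or default for every element), and reports what a security reviewer would question, namely an invalid keystore type or hash algorithm, a signature on sha-1, and a clock skew above the 3-minute default. The function and constant names, the lint thresholds and the second sample file are this example's own choices; the first sample reproduces the figure above.

```python
"""Added example (not IBM code): parse a CICS STS configuration file and
report settings a security reviewer would question. Element names, the
namespace, defaults and permitted values are the ones documented on the
page; the lint thresholds and function names are this example's own."""
import xml.etree.ElementTree as ET

NS = "https://www.ibm.com/xmlns/prod/cics/JVMSERVER/stsconfig"

# Defaults as documented for sts.xml
DEFAULTS = {
    "keystore_type": "JCERACFKS",
    "issuer_format": None,          # no default; element may be absent
    "issuer_uri": "http://cics",
    "hash_algorithm": "sha-2",
    "certificate_label": "CICSCERT",
    "clock_skew_ms": 180000,        # 3 minutes
}
VALID_KEYSTORE_TYPES = {"JCERACFKS", "JCECCARACFKS"}
VALID_HASH_ALGORITHMS = {"sha-1", "sha-2"}


def q(tag):
    """Qualify a local element name with the stsconfig namespace."""
    return "{%s}%s" % (NS, tag)


def _text(elem, path):
    """Stripped text of the first child at `path`, or None if absent."""
    if elem is None:
        return None
    value = elem.findtext(path)
    return value.strip() if value is not None else None


def parse_sts_config(xml_text):
    """Return the effective configuration: explicit values over defaults."""
    root = ET.fromstring(xml_text)
    if root.tag != q("sts_configuration"):
        raise ValueError("unexpected root element %r" % root.tag)
    cfg = dict(DEFAULTS)

    value = _text(root.find(q("keystore")), q("type"))
    if value is not None:
        cfg["keystore_type"] = value

    issuer = root.find(q("issuer"))
    value = _text(issuer, q("format"))
    if value is not None:
        cfg["issuer_format"] = value
    value = _text(issuer, q("uri"))
    if value is not None:
        cfg["issuer_uri"] = value

    sig = root.find(q("signature"))
    if sig is not None:
        # The hash is an attribute of <signature>, not a child element.
        cfg["hash_algorithm"] = sig.get("hash_algorithm", DEFAULTS["hash_algorithm"])
        value = _text(sig, q("certificate") + "/" + q("label"))
        if value is not None:
            cfg["certificate_label"] = value

    value = _text(root, q("clock_skew"))
    if value is not None:
        cfg["clock_skew_ms"] = int(value)
    return cfg


def lint_sts_config(cfg, max_skew_ms=DEFAULTS["clock_skew_ms"]):
    """Findings a security reviewer would raise; an empty list means clean."""
    findings = []
    if cfg["keystore_type"] not in VALID_KEYSTORE_TYPES:
        findings.append("keystore type %r is not JCERACFKS or JCECCARACFKS"
                        % cfg["keystore_type"])
    if cfg["hash_algorithm"] not in VALID_HASH_ALGORITHMS:
        findings.append("hash_algorithm %r is not sha-1 or sha-2"
                        % cfg["hash_algorithm"])
    elif cfg["hash_algorithm"] == "sha-1":
        findings.append("signature uses sha-1; SHA-1 is not acceptable for "
                        "new signatures, use sha-2")
    if cfg["clock_skew_ms"] < 0:
        findings.append("clock_skew must not be negative")
    elif cfg["clock_skew_ms"] > max_skew_ms:
        findings.append("clock_skew %d ms exceeds %d ms; every SAML timing "
                        "condition is relaxed by that amount"
                        % (cfg["clock_skew_ms"], max_skew_ms))
    return findings


# The page's own figure, reproduced as test input.
PAGE_EXAMPLE = """<sts_configuration xmlns="%s">
<keystore><type>JCECCARACFKS</type></keystore>
<issuer>
<format>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</format>
<uri>http://cics</uri>
</issuer>
<signature hash_algorithm="sha-1"><certificate><label>CICSCERT</label></certificate></signature>
<clock_skew>90000</clock_skew>
</sts_configuration>""" % NS

# Constructed sample: relies on defaults for everything except a 10-minute skew.
CONSTRUCTED_LAX = """<sts_configuration xmlns="%s">
<clock_skew>600000</clock_skew>
</sts_configuration>""" % NS

if __name__ == "__main__":
    for name, text in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_LAX)):
        cfg = parse_sts_config(text)
        print(name, cfg)
        for finding in lint_sts_config(cfg):
            print("  finding:", finding)
```

Run against the figure above, the script reports one finding (the sha-1 signature); against the constructed file it reports only the oversized clock skew, because every other setting falls back to a documented default that passes. To check a real sts.xml, read the file and pass its contents to parse_sts_config.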