Exploring the WebSphere Application Server Feature Pack for SCA, Part 2: Web services policy sets

Learn how to use IBM® WebSphere® Application Server V7 policy sets to configure WS-Security and other settings for Web services-bound Service Component Architecture (SCA) services using the Feature Pack for SCA.

Share:

Mark B Coats, Advisory Software Engineer, IBM

Mark Coats is a senior developer with WebSpere Application Server, whose focus is on Web services and the administrative console. In his earlier roles, he has been a developer on the CORBA object request broker and a communications systems engineer with Attachmate Corporation.



Chao M Beck, Software Engineer, IBM

Chao Beck is a technical lead for the feature pack for Service Component Architecture (SCA) early program. She has long been a member of the Application Integration Middleware early programs team responsible for the execution of early programs for IBM WebSphere Application Server products. She handles the development and delivery of education for new product functions and the provision of customer support during pre-GA (early) programs and post-GA (customer acceleration) programs.



14 January 2009

Also available in Chinese Japanese Spanish

Introduction

Part 1 of this series on the IBM WebSphere Application Server V7 Feature Pack for SCA, provided an introduction to open Service Component Architecture (SCA) concepts, and described objectives of the technology along with some of the key integration points that provide great value to WebSphere Application Server V7 users. This article introduces you to Web services policy sets, and explains how to configure SCA components to use them. These policy sets can be used to realize SCA quality of service assertions (intents) when Web services bindings are being used. Web services policy sets provide concrete policies that can be configured to guarantee these assertions.


An overview of policy sets

When using SCA components that are bound with Web services bindings, you can simplify the configuration of the Web services by grouping security and other Web services settings into policy sets. Policy sets are reusable units that you can create, copy, and share with other WebSphere Application Server components.

WebSphere Application Server V7 provides preconfigured policy sets made up of commonly used policies. The Feature Pack for SCA supports configuring these policy sets with SCA services using Web services bindings.

SCA services using Web services bindings can take advantage of a number of preconfigured policy sets that are part of WebSphere Application Server. Policy sets provide reusable quality of service configurations, which can be associated with the SCA Web services bindings defined in a composition unit. Policy sets can also be shared with other Web services deployed in the same cell.

The WebSphere Application Server administrative console supports attaching these policy sets to SCA services and references. The policy sets can be configured for a service provider, its endpoints, or operations. Likewise, you can also attach a policy set to a service reference, its endpoints, or operations. You can also simply attach policy sets to all services or references in an SCA composite.

An instance of a policy set consists of a collection of policies. For example, the WS-I RSP default policy set consists of instances of the WS-Security, WS-Addressing, and WS-ReliableMessaging policy types. A policy set is identified by a name that is unique across the cell.

These preconfigured policy sets can be used as a starting point and can be customized to your particular requirements. You can further customize the attached policy set by using bindings that are specific to your composition unit (application-specific bindings) or you can simply use general bindings. General bindings are global to the security domain and can be shared across applications and composition units.

For more information, see the Web services policy sets topic in the WebSphere Application Server Information Center.


Configure HelloWorld with a policy set

As an example, consider a preconfigured policy set that is configured with the Async HelloWorld Web Service Sample that is delivered with Feature Pack for SCA. Configure the sample as described in its associated readme file and then use a browser to verify that the sample works before continuing.

In the steps below, you will import the "WSSecurity default" policy set from the WebSphere Application Server default repository. This policy set provides message integrity through digital signature and message confidentiality through encryption. You will then attach the WSSecurity default policy set to the service providers and service references in the two composition units of the HelloWorld sample: helloworldws and helloworldwsclient.

  1. From the WebSphere Application Server admin console, navigate to Services => Policy Sets => Application policy sets. Click on Import, and select From Default Repository... (Figure 1).

    Figure 1. Application policy sets
    Figure 1. Application policy sets
  2. Scroll down and check the box for the Username WSSecurity default policy set (Figure 2), then click OK at the bottom of the panel.

    Figure 2. Import from default repository
    Figure 2. Import from default repository
  3. Navigate to the myhelloWorld business-level application and go to the helloworld composition unit (Figure 3). Select Service provider policy sets and bindings from the Additional Properties list on the right.

    Figure 3. helloworld composition unit
    Figure 3. helloworld composition unit
  4. Select the HelloWorldService checkbox and click the Attach button. From the pull-down menu that displays (Figure 4), click the WSSecurity default policy set.

    Figure 4. Service provider policy sets and bindings
    Figure 4. Service provider policy sets and bindings
  5. Return to the composition unit panel (Figure 3) and repeat the same steps to configure the reference. Click on References policy sets and bindings from the Additional Properties list on the right. Select the HelloWorldCallbackService checkbox (Figure 5), then click Attach. From the pull down menu that displays, select the WSSecurity default policy set.

    Figure 5. References policy sets and bindings
    Figure 5. References policy sets and bindings

    You have now attached the WSSecurity default policy set to the Web service reference and provider in the helloworldws composition unit.

  6. Navigate to the second composition unit, helloworldclient (Figure 6).

    Figure 6. helloworldclient composition unit
    Figure 6. helloworldclient composition unit
  7. Use the Service provider policy sets and bindings and References policy sets and bindings links to attach the WSSecurity default policy set, just as you did for the helloworld composition unit. When these steps are complete, both the HelloWorldCallbackService service provider and the HelloWorldCallbackService reference should have the WSSecurity default policy set attached.

    If you were to select the first resource in the table, helloworldws, you would be attaching the policy set to all of the service references in this composition unit. This would be a more interesting option had the helloworldws been configured with a number of service references.

  8. Use the console’s Save option to write the changes to your configuration.

  9. Navigate to the business-level applications collection, then stop and restart both myhelloWorld and myhelloWorldClient business-level applications (Figure 7).

    Figure 7. Business-level applications
    Figure 7. Business-level applications
  10. You can now run the HelloWorld sample, as described in its associated readme file.


Summary

By configuring a policy set for the services and references in the sample, you were able to change the security behavior of the services without making any changes to the business logic.

Before the policy set was configured, the messages flowing between the HelloWorldCallbackService and HelloWorldService services were not protected in any way. Now they are protected by the policies defined by the WSSecurity default policy set. The messages are signed and time-stamped, assuring that data is consistent and correct. The messages are also encrypted, assuring confidentiality. Of course, there are more policy set configuration capabilities that are not covered here. One of interest is the policy set replace operation. Navigate to Application policy sets => WSSecurity default => Attached deployed assets to see learn how it works.

Resources

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into WebSphere on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=WebSphere
ArticleID=362464
ArticleTitle=Exploring the WebSphere Application Server Feature Pack for SCA, Part 2: Web services policy sets
publish-date=01142009