This procedure describes how to configure the message-level
WS-Security policy set and bindings to consume an LTPA token, a UsernameToken
or both. This procedure can be modified to apply to any pair of dissimilar
token value types. You cannot create a configuration that will make
one token required and the other optional.
Before you begin
This task assumes that the service provider and client
that you are configuring are in the JaxWSServicesSamples application.
Refer to Accessing the samples for more
information on how to obtain and install this application. You should
use the following trace specification on your server. These specifications
enable you to debug any future configuration problems that might occur.
*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.ws.wssecurity.*=all: com.ibm.xml.soapsec.*=all: com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:
Since LTPA tokens will be used, application security must be enabled on the application servers used for both the client and the service.
About this task
This procedure explains the actions you need to complete to configure a WS-Security policy to consume an LTPA token, a UsernameToken or both. Ordinarily this configuration would be used on a provider application. For simplicity, this procedure removes timestamp, digital signature and encryption from the policy; you may want to include these in your final configuration. Refer to Configuring a policy set and bindings for Asymmetric XML Digital Signature or XML Encryption by using application-specific bindings for more information.
This procedure also includes the steps to configure a client application to send a UsernameToken or an LTPA token.
Procedure
- Create the custom policy set for the provider.
  - In the administrative console, click Services > Policy sets > Application Policy sets.
  - Click New.
  - Specify Name = AtwoTokenPolicy.
  - Click Apply.
  - Under Policies, click Add > WS-Security.
- Edit the custom policy set.
  - Remove digital signature, encryption and timestamp.
    - In the administrative console, click WS-Security > Main Policy.
    - Deselect Message level protection.
    - Click Apply.
  - Add the UsernameToken and LTPA token.
    - Click Request token policies.
    - Click Add Token Type > LTPA.
    - Click OK.
    - Click Add Token Type > UserName.
    - Username token name: myUNT.
    - Click OK.
  - Save the configuration.
- Configure the provider to use the AtwoTokenPolicy policy set.
  - In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings.
  - Select the web services client resource.
  - Select the web services provider resource.
  - Click Attach Policy Set.
  - Select AtwoTokenPolicy.
- Create a custom binding for the provider.
  - Select the web services provider resource again.
  - Click Assign Binding.
  - Click New Application Specific Binding to create an application-specific binding.
  - Specify Bindings configuration name: providerBinding.
  - Click Add > WS-Security.
- Edit the custom bindings for the provider.
  - To add a caller configuration for the LTPA token:
    - Click Caller.
    - Click New.
    - Name: ltpaCaller
    - Caller identity local part: LTPAv2
    - Caller identity namespace URI: https://www.ibm.com/websphere/appserver/tokentype
    - Click OK.
  - To add a caller configuration for the UsernameToken:
    - Click New.
    - Name: untCaller
    - Caller identity local part: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
    - Caller identity namespace URI: [leave blank]
    - Click OK.
  Note: Ensure that the tokens have the desired precedence. There can be only a single caller identity per thread. If more than one token for which a caller configuration exists occurs in the inbound SOAP message, the caller configuration with the lower Order number is used. If the order shown in the Order field of the table is not the order that you want, do the following:
    - Select the token that you want to have the highest priority.
    - Click Move Up until its Order number is 1.
    - Repeat this procedure using Move Up and Move Down to achieve the desired order.
  - Click Save to save the configuration.
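As an added illustration of the precedence rule in the note above (example code written for this page, not part of the IBM documentation or of the WebSphere runtime), the following Python models which caller configuration supplies the caller identity when a constructed inbound Security header carries both tokens. The caller table mirrors the ltpaCaller and untCaller entries entered in this procedure; the matching logic and the sample header are assumptions that model the described rule, not the product's own implementation.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Caller identity values exactly as entered on the provider binding's Caller panel.
LTPA_NS = "https://www.ibm.com/websphere/appserver/tokentype"
UNT_VALUE_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                  "oasis-200401-wss-username-token-profile-1.0#UsernameToken")

# The provider's caller table; "order" mirrors the Order column (lowest number wins).
CALLERS = [
    {"name": "ltpaCaller", "local_part": "LTPAv2", "namespace": LTPA_NS, "order": 1},
    {"name": "untCaller", "local_part": UNT_VALUE_TYPE, "namespace": "", "order": 2},
]


def token_identities(security_header_xml):
    """Collect (local part, namespace URI) identities of the token elements directly
    under <wsse:Security>. A UsernameToken is identified by its value type URI with a
    blank namespace, which is how the caller panel above has it entered."""
    root = ET.fromstring(security_header_xml)
    found = set()
    for child in root:
        if child.tag == f"{{{WSSE}}}UsernameToken":
            found.add((UNT_VALUE_TYPE, ""))
        elif child.tag.startswith("{"):
            namespace, local = child.tag[1:].split("}", 1)
            found.add((local, namespace))
    return found


def select_caller(security_header_xml, callers=CALLERS):
    """Assumed model of the rule: among caller configurations whose token is present,
    the lowest Order number supplies the single caller identity; None if none match."""
    present = token_identities(security_header_xml)
    candidates = [c for c in callers if (c["local_part"], c["namespace"]) in present]
    return min(candidates, key=lambda c: c["order"])["name"] if candidates else None


# Constructed sample headers; the LTPAv2 payload is a placeholder, not a real token.
BOTH_TOKENS = (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsst="{LTPA_NS}">'
               "<wsst:LTPAv2>QUJDRA==</wsst:LTPAv2>"
               "<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>"
               "</wsse:Security>")
UNT_ONLY = (f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>'
            "<wsse:Username>alice</wsse:Username></wsse:UsernameToken></wsse:Security>")

if __name__ == "__main__":
    print(select_caller(BOTH_TOKENS))  # ltpaCaller: LTPA has Order 1
    print(select_caller(UNT_ONLY))     # untCaller: the only matching configuration
```

Swapping the two Order numbers in CALLERS makes untCaller win for the same two-token message, which is exactly the effect of the Move Up and Move Down steps.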
- Create a policy set that has only a UsernameToken in the request message for the client.
  - In the administrative console, click Services > Policy sets > Application Policy sets.
  - Click New.
  - Specify Name = AUntPolicy.
  - Click Apply.
  - Under Policies, click Add > WS-Security.
  - Remove digital signature, encryption and timestamp. In the administrative console:
    - Click WS-Security > Main Policy.
    - Deselect Message level protection.
    - Click Apply.
  - Add the UsernameToken.
    - Click Request Token Policies.
    - Click Add Token Type > UserName.
    - Username token name: myUNT.
    - Click OK.
  - Save the configuration. Click Save.
- Create a policy set that has only an LTPA token in the request message for the client.
  - In the administrative console, click Services > Policy sets > Application Policy sets.
  - Click New.
  - Specify Name = AnLTPAPolicy.
  - Click Apply.
  - Under Policies, click Add > WS-Security.
  - Remove digital signature, encryption and timestamp. In the administrative console:
    - Click WS-Security > Main Policy.
    - Deselect Message level protection.
    - Click Apply.
  - Add the LTPA token.
    - Click Request Token Policies.
    - Click Add Token Type > LTPA.
    - LTPA token name: myLTPA.
    - Click OK.
  - Save the configuration. Click Save.
- Perform the following steps to configure the client to use the UsernameToken policy and create bindings:
  - Configure the client to use the AUntPolicy policy set.
    - In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
    - Select the web services client resource.
    - Click Attach Policy Set.
    - Select AUntPolicy.
  - Create a custom binding for the client.
    - Select the web services resource again.
    - Click Assign Binding.
    - Click New Application Specific Binding to create an application-specific binding.
    - Specify the bindings configuration name: untClientBinding.
    - Click Add > WS-Security.
  - Configure the client's custom bindings.
    - Select Authentication and protection.
    - Under Authentication tokens, select myUNT.
    - Click Apply.
    - Click Callback handler.
    - Enter your desired User name and Password.
    - Add the custom properties for nonce and timestamp. Because the UsernameToken consumer was not configured during the custom binding configuration on the provider, the run time uses the default general bindings for the UsernameToken configuration. The UsernameToken consumer in the default general binding requires that a timestamp and a nonce be sent in the username token, so the properties that emit these elements must be entered:
      * com.ibm.wsspi.wssecurity.token.username.addTimestamp=true
      * com.ibm.wsspi.wssecurity.token.username.addNonce=true
    - Click OK.
  - Save the configuration.
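To make concrete what the two custom properties above cause the client to send, and why the consumer insists on both elements, here is an added Python example (written for this page, not from the IBM documentation or the WebSphere runtime). It builds a UsernameToken with or without the nonce and Created elements, and a consumer-side check that rejects a token lacking either one. The five-minute freshness window, the nonce cache and all sample values are assumptions introduced here; the namespace and value-type URIs are the standard WS-Security 2004 ones.

```python
import base64
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def build_username_token(user, password, add_nonce=True, add_timestamp=True, now=None):
    """Emit a <wsse:UsernameToken>. The two flags model the addNonce and addTimestamp
    custom properties: a fresh 16-byte nonce and a UTC <wsu:Created> element are
    included only when the corresponding flag is true."""
    now = now or datetime.now(timezone.utc)
    parts = [f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">',
             f"<wsse:Username>{escape(user)}</wsse:Username>",
             f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>']
    if add_nonce:
        parts.append(f"<wsse:Nonce>{base64.b64encode(os.urandom(16)).decode()}</wsse:Nonce>")
    if add_timestamp:
        parts.append(f"<wsu:Created>{now.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3]}Z</wsu:Created>")
    parts.append("</wsse:UsernameToken>")
    return "".join(parts)


def consumer_accepts(token_xml, seen_nonces, now=None, max_age=timedelta(minutes=5)):
    """Consumer-side check modelled on the requirement above: a token without a Nonce
    or a Created element is rejected outright. The freshness window and the nonce
    cache are assumptions added to show what the two elements buy (replay defence)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(token_xml)
    nonce = root.findtext(f"{{{WSSE}}}Nonce")
    created = root.findtext(f"{{{WSU}}}Created")
    if not nonce or not created:
        return False
    issued = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    if not timedelta(0) <= now - issued <= max_age:
        return False                       # stale or future-dated Created value
    if nonce in seen_nonces:
        return False                       # same nonce inside the window: a replay
    seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    cache = set()
    token = build_username_token("alice", "s3cret")   # constructed sample credentials
    print(consumer_accepts(token, cache))                              # True
    print(consumer_accepts(token, cache))                              # False, replayed
    print(consumer_accepts(build_username_token("alice", "s3cret", add_nonce=False), set()))  # False
```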
- Perform the following steps to configure the client to use the LTPA policy and create bindings:
  - Configure the client to use the AnLTPAPolicy policy set.
    - In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
    - Select the web services client resource.
    - Click Attach Policy Set.
    - Select AnLTPAPolicy.
  - Create a custom binding for the client.
    - Select the web services resource again.
    - Click Assign Binding.
    - Click New Application Specific Binding to create an application-specific binding.
    - Specify the bindings configuration name: ltpaClientBinding.
    - Click Add > WS-Security.
  - Configure the client's custom bindings.
    - Select Authentication and protection.
    - Under Authentication tokens, select myLTPA.
    - Click Apply.
    - Click Callback handler.
    - Enter your desired User name and Password.
    - Click OK.
  - Save the configuration.