Information Management IBM InfoSphere Master Data Management, Version 11.3

To set up your server to support Web Services with WS-Security

About this task

To enable the server to support Web Services with atomic transactions, you must create and attach a policy set to the application. This configuration covers only the part of the policy that sets up multiple tokens (UserName and LTPA) so that MDM accepts either one of them or both at the same time.

Procedure

  1. Ensure that the application server is running.
  2. Create a new policy set:
    1. From the Administrative Console, navigate to Services > Policy Sets > Application Policy Sets.

      Since the predefined policy sets are too general for this objective, you must create a new policy set.

    2. Click New... to create a new policy set.
    3. Provide a name and description for the new policy set.
    4. Click Apply.
    5. Under the policy section, click Add....
    6. Choose WS-Security as the policy to be added.
    7. After the policy has been added to the policy set, click on it to configure it.
    8. In the configuration window, click Main Policy.
    9. Disable message level protection, as it is not required for basic authentication.
    10. Click Apply.
    11. Navigate to the Policy Details section of the window and click Request token policies.
    12. Click Token type and select UserName.
    13. Specify a name in the Username token field.
    14. For the WS-Security version, select WS-Security 1.0.
    15. Click Apply.
    16. From the Request Token Policies page, click Token type and select LTPA.
    17. Specify the name of the LTPA token in the field.
    18. Click Apply.
    19. Click Save to save your changes to the master configuration.
  3. Attach the new policy to the InfoSphere® MDM service provider:
    1. On the left side of the Administrative Console, navigate to Services > Service Providers to view a list of all of the service providers deployed on the application server.
    2. Click MDMService.
    3. On the opened page, select MDMService and click Attach Policy Set.
    4. Select the policy set that you have just created.

      The new policy set is now attached to the provider. You can confirm this by checking the Attached Policy Set column.

    5. Click Assign Binding.
    6. Choose New Application Specific Binding from the list.
    7. Specify the bindings configuration name, then click Add.
    8. Select WS-Security.
    9. In the new window, click Authentication and protection.
    10. Under Authentication tokens, click the name of the Username token that you previously specified.
    11. Do not change any configuration settings and click OK.
    12. Under Authentication tokens, click the name of the LTPA token that was previously configured, and click OK without changing anything.
    13. Return to the WS-Security main configuration window.
    14. Click Caller.
    15. In the newly opened window, click New.
    16. Specify a name for the Caller for the LTPA token, set the Local part to LTPAv2, and set the caller identity NameSpace URL to:
      http://www.ibm.com/websphere/appserver/tokentype
    17. Click OK to return to the Caller page.
    18. Click New.
    19. Specify a name for the Caller for the UserName token and set the caller identity Local part as follows:
      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
      Note: The Caller values must be identical to the Local part in the request token configuration window that you configured earlier.
    20. Click OK and then click Save to save your changes to the master configuration.
      Note: Ensure that the LTPA Caller has Order 1 (the higher priority); otherwise, check the LTPA Caller box and select Move Up. When the client sends both tokens, this ensures that the LTPA token is used for user authentication and for generating credentials.
      Note: To set up only a single token for authentication (UserName or LTPA), select only one token type when creating the policy set, and in the binding add only the Caller for that token.
  4. Enable security on the server:
    1. From the left side of the Administrative Console, navigate to Security > Global security.
    2. Check Enable administrative security.
    3. Ensure that Enable application security is checked.
    4. Uncheck Use Java 2 security to restrict application access to local resources.
    5. Click Apply and then click Save.
      Note: By default, the server uses the local operating system user registry.
  5. From the left side of the Administrative Console, navigate to Applications > WebSphere enterprise applications.
  6. Click DWLCustomer and wait for the configuration page to open. This can take a few minutes.
  7. Click Security role to user/group mapping.
  8. Select ServiceConsumer and click Map Users.
  9. Click Search and select the users that must interact with MDMService securely as clients.
  10. Click the > button to transfer your selection.
  11. Click OK and then click Save to save your changes to the master configuration.
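The following Python script is an added example and is not part of the IBM documentation or the MDM product. It builds the SOAP envelopes a client would send once the policy set above is attached (a wsse:Security header carrying a UsernameToken, an LTPAv2 BinarySecurityToken, or both) and mimics the Caller selection configured in step 3: callers are consulted in their Order, so when both tokens are present the LTPA caller wins. Assumptions: the LTPA ValueType is taken to be the NameSpace URL and Local part from step 16 joined with `#`; the caller names `LTPACaller` and `UsernameCaller` are hypothetical; the LTPA token bytes and the password are constructed placeholders (a real LTPA token is an encrypted blob issued by WebSphere).

```python
"""Added example (not IBM's code): build WS-Security SOAP headers for the two
token types the policy set accepts and model the Caller ordering rule."""
import base64
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSS_UTP = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-username-token-profile-1.0")
WSS_SMS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-soap-message-security-1.0")

# Caller identities from the procedure: NameSpace URL + "#" + Local part for
# the LTPA caller (assumption), and the UsernameToken profile URI as given.
LTPA_VALUETYPE = "http://www.ibm.com/websphere/appserver/tokentype#LTPAv2"
USERNAME_VALUETYPE = WSS_UTP + "#UsernameToken"

# Caller page order: LTPA is Order 1 (higher priority), UserName second.
# Caller names are hypothetical.
CALLER_ORDER = [("LTPACaller", LTPA_VALUETYPE),
                ("UsernameCaller", USERNAME_VALUETYPE)]

ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)


def _q(ns, tag):
    """Qualified ElementTree tag name."""
    return "{%s}%s" % (ns, tag)


def build_envelope(username=None, password=None, ltpa_token=None,
                   body_xml="<Ping/>"):
    """Return a SOAP 1.1 envelope whose wsse:Security header carries a
    UsernameToken, an LTPAv2 BinarySecurityToken, both, or neither."""
    envelope = ET.Element(_q(SOAP_NS, "Envelope"))
    header = ET.SubElement(envelope, _q(SOAP_NS, "Header"))
    security = ET.SubElement(header, _q(WSSE_NS, "Security"))
    security.set(_q(SOAP_NS, "mustUnderstand"), "1")
    if username is not None:
        ut = ET.SubElement(security, _q(WSSE_NS, "UsernameToken"))
        ET.SubElement(ut, _q(WSSE_NS, "Username")).text = username
        pw = ET.SubElement(ut, _q(WSSE_NS, "Password"))
        # PasswordText is clear text: message-level protection was disabled
        # in step 9, so transport security (TLS) must protect this value.
        pw.set("Type", WSS_UTP + "#PasswordText")
        pw.text = password
    if ltpa_token is not None:
        bst = ET.SubElement(security, _q(WSSE_NS, "BinarySecurityToken"))
        bst.set("ValueType", LTPA_VALUETYPE)
        bst.set("EncodingType", WSS_SMS + "#Base64Binary")
        bst.text = base64.b64encode(ltpa_token).decode("ascii")
    body = ET.SubElement(envelope, _q(SOAP_NS, "Body"))
    body.append(ET.fromstring(body_xml))
    return ET.tostring(envelope, encoding="unicode")


def present_tokens(envelope_xml):
    """List, in document order, the token ValueTypes found in wsse:Security."""
    root = ET.fromstring(envelope_xml)
    found = []
    for security in root.iter(_q(WSSE_NS, "Security")):
        for child in security:
            if child.tag == _q(WSSE_NS, "UsernameToken"):
                found.append(USERNAME_VALUETYPE)
            elif child.tag == _q(WSSE_NS, "BinarySecurityToken"):
                found.append(child.get("ValueType", ""))
    return found


def select_caller(envelope_xml, order=CALLER_ORDER):
    """Return the first caller in Order whose token is present, else None.
    With the default order an envelope carrying both tokens resolves to the
    LTPA caller, matching the note under step 20."""
    tokens = set(present_tokens(envelope_xml))
    for name, value_type in order:
        if value_type in tokens:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample values; not real credentials or a real LTPA token.
    env = build_envelope(username="alice", password="constructed-secret",
                         ltpa_token=b"constructed-ltpa-bytes")
    print(present_tokens(env))
    print(select_caller(env))
```

Run it to print the token types found and the caller that would be chosen. Passing `order=list(reversed(CALLER_ORDER))` shows what happens if the Caller order is left with UserName first, which is exactly the misconfiguration the note under step 20 tells you to fix with Move Up.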

Results

The server is now ready to accept secure communications from the clients.

Note: By default, there are two security roles: ServiceConsumer and ServiceProvider.
  • The ServiceConsumer role maps to all authenticated users. This role is associated with all entry point modules. The Web Service provider is considered as the entry point. The Entry point module can accept outside calls. When you send user tokens in a SOAP request to the Web Service provider, the user must exist in the WebSphere Application Server user registry.
  • The ServiceProvider role maps to one default user: mdmadmin. This role is associated with all modules that are not considered entry points. These modules are not to be exposed to outside calls and are only called by entry point modules; therefore the user mdmadmin must not be exposed to the outside. If it is exposed, a caller from the outside may be able to call a non-entry module directly using the mdmadmin identity.


Last updated: 27 June 2014