Web Services - Configure token consumers with an assembly tool

Before you begin

Prior to completing this task, complete the following steps:

 

Overview

A security token represents a set of claims that are made by a client. This set of claims might include a name, password, identity, key, certificate, group, privilege, and so on. A security token is embedded in the SOAP message within the SOAP header. The security token within the SOAP header is propagated from the message sender to the intended message receiver. On the receiving side, the security handler for WAS authenticates the security token and sets up the caller identity on the running thread.

Complete the following steps to configure a token consumer for either the client-side bindings in step 2 or the server-side bindings in step 3:

 

Procedure

  1. Start the assembly tool and click Window > Open Perspective > J2EE.

  2. Optional: Locate the client-side bindings using the Project Explorer window. The Client Deployment Descriptor window is displayed. This Web service contains the bindings that we need to configure. Complete the following steps to locate the client-side bindings:

    1. Expand the Web Services > Client section and double-click the name of the Web service.

    2. Click the WS Binding tab and expand the Security Response Consumer Configuration section.

  3. Optional: Locate the server-side bindings using the Project Explorer window. The Web Services Editor window is displayed. This Web service contains the bindings that we need to configure. Complete the following steps to locate the server-side bindings:

    1. Expand the Web Services > Services section and double-click the name of the Web service.

    2. Click the Binding Configurations tab and expand the Request Consumer Binding Configuration Details section.

  4. Optional: Configure a trust anchor if you are configuring this token consumer for an X.509 security token. Complete the following steps to configure the trust anchors:

    1. Expand the Trust anchor section and click Add to add a new entry or click Edit to edit a selected entry. The Trust anchor dialog window is displayed.

    2. Specify a name for the trust anchor configuration in the Trust anchor name field.

    3. Specify a keystore password in the Key store storepass field. The keystore storepass is the password that is required to access the keystore file.

    4. Specify the path to the keystore file in the Key store path field. The key store path is the directory where the keystore resides. Make sure that the server can locate the keystore file wherever you deploy the application.

    5. Select a key store type from the Key store type field. The key store type that you select must match the keystore file that is specified in the Key store path field.

    6. Click OK to save the trust anchor configuration.

  5. Expand the Token Consumer section and click Add to add a new entry or click Edit to edit a selected entry. The Token Consumer Dialog window is displayed.

  6. Specify a name in the Token consumer name field. If this token consumer is for an X.509 certificate and is used for signature validation or decryption, the token consumer name is referenced in the Token field of the Key Information dialog window.

  7. Select a token consumer class in the Token consumer class field. Select the token consumer class that matches the type of token that you are configuring. For example, if you are configuring a token consumer that processes an X.509 security token in the received message, select the com.ibm.wsspi.wssecurity.token.X509TokenConsumer token consumer class.

  8. Select a security token reference in the Security token field. The value in this field references the security token that is configured in the extensions file. If you are configuring this token consumer for an X.509 security token, where the token consumer class is com.ibm.wsspi.wssecurity.token.X509TokenConsumer, leave this field blank.

  9. Select the Use value type option and select the value type in the Value type field. Select the value type of the security token that matches the type of token consumer that you are configuring. When you select the value type, the assembly tool automatically enters the correct values in the Local name and URI fields depending upon the type of security token that is specified by the value type.

  10. Optional: Select the Use jaas.config option and specify a Java Authentication and Authorization Service (JAAS) configuration name in the jaas.config.name field if a JAAS configuration is required for the security token. The JAAS configuration name that you specify must be for the security token that is specified for this token consumer. The following table lists the JAAS configuration names for the different security tokens specified by the value type.

    Table 1. JAAS configuration names and the corresponding value type

    jaas.config name                             Value type
    system.wssecurity.UsernameToken              Username Token
    system.wssecurity.IDAssertionUsernameToken   Username Token (for IDAssertion)
    system.wssecurity.X509BST                    X509 certificate token
    system.wssecurity.PkiPath                    X509 certificates in a PKIPath
    system.wssecurity.PKCS7                      X509 certificates and CRLs in a PKCS#7

  11. Optional: If a trusted ID evaluator is required for this token consumer, select either the Use trusted ID evaluator option, to define a new trusted ID evaluator, or the Use trusted ID evaluator reference option, to select an existing trusted ID evaluator that is defined in a default binding file. A trusted ID evaluator is typically used by the target Web service in a multi-hop environment to determine whether to trust the identity of the intermediary Web service. Complete the following steps if you select the Use trusted ID evaluator option:

    1. Specify a trusted ID evaluator implementation in the Trusted ID evaluator class field. The trusted ID evaluators are implemented by specifying a class that implements the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface. WAS v6.x provides the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl default implementation of a trusted ID evaluator.

      The implementation is initialized with a list of trusted identity names. The trusted identities are specified as trustedIDEvaluator properties in the binding file. When a name is evaluated, it is checked against the list of trusted identity names: if the name is in the list it is trusted; otherwise it is not.

    2. Click Add under the Trusted ID evaluator property section to add a new entry or click Remove to delete a selected entry. Each property entry represents a trusted identity.

    3. Specify trustedId_trustmode in the Name field and the identity of the intermediary in the Value field.

    If you select the Use trusted ID evaluator reference option, specify the name of an existing Trusted ID evaluator in the Trusted ID evaluator reference field.
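As an added illustration of the allow-list decision described above (written for this page, not IBM's TrustedIDEvaluatorImpl and not from the product), in Python: the trustedId_ property-name prefix, the dict standing in for the binding file, and the resolve_caller flow for a multi-hop identity assertion are assumptions.

```python
# Constructed stand-in for trustedId_* properties in the binding file (the real file is XML)
BINDING_PROPERTIES = {
    "trustedId_0": "CN=gateway,O=Example",
    "trustedId_1": "intermediary-svc",
    "com.ibm.wsspi.wssecurity.token.Username.verifyNonce": "true",  # not a trusted ID; ignored
}


class TrustedIdEvaluator:
    """Allow-list evaluator: a name is trusted only if it exactly matches a configured identity."""

    PREFIX = "trustedId_"  # assumed: each property named with this prefix holds one trusted identity

    def __init__(self, trusted_ids):
        # Blank entries are dropped so an empty property can never match an empty asserted name
        self._trusted = frozenset(t.strip() for t in trusted_ids if t and t.strip())

    @classmethod
    def from_properties(cls, props):
        return cls(v for k, v in props.items() if k.startswith(cls.PREFIX))

    def evaluate(self, name):
        # Exact, case-sensitive comparison: no substring, prefix or wildcard matching
        return name is not None and name.strip() in self._trusted


def resolve_caller(intermediary_id, asserted_user, evaluator):
    """Multi-hop caller resolution (assumed flow): the asserted end-user identity is accepted
    only when the authenticated intermediary that forwarded it is on the trusted list."""
    if not evaluator.evaluate(intermediary_id):
        return None  # untrusted hop: do not set the asserted identity as the caller
    if not asserted_user or not asserted_user.strip():
        return None  # a trusted hop still cannot assert an empty identity
    return asserted_user.strip()
```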

  12. Optional: Click Add under Property to add a new property for this token consumer or click Remove to delete a selected property. If this token consumer needs to process a nonce and a time stamp that is contained in a username token, define the properties in the following table.

    Table 2. Nonce and time stamp properties

    Name                                                        Value
    com.ibm.wsspi.wssecurity.token.Username.verifyNonce         true
    com.ibm.wsspi.wssecurity.token.Username.verifyTimestamp     true
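Added example, not code from this page or from WAS: what verifyNonce=true and verifyTimestamp=true amount to for a received username token, in Python over a constructed wsse:Security header. The 300-second maximum age and 60-second clock skew are assumed policy values, and wsu:Created without fractional seconds is assumed.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
MAX_AGE_SECONDS = 300    # assumed policy: reject a token whose Created is older than this
CLOCK_SKEW_SECONDS = 60  # assumed policy: tolerate a sender clock slightly ahead of ours

class NonceCache:
    """Remembers nonces until a token carrying them would fail the age check anyway."""
    def __init__(self):
        self._seen = {}  # nonce bytes -> epoch second after which it can be forgotten

    def check_and_add(self, nonce, now):
        for n, exp in list(self._seen.items()):  # purge entries that can no longer replay
            if exp <= now:
                del self._seen[n]
        if nonce in self._seen:
            return False
        self._seen[nonce] = now + MAX_AGE_SECONDS + CLOCK_SKEW_SECONDS
        return True

def verify_username_token(header_xml, cache, now):
    """Return 'ok' or the rejection reason (verifyNonce=true, verifyTimestamp=true)."""
    token = ET.fromstring(header_xml).find(f".//{WSSE}UsernameToken")
    if token is None:
        return "no UsernameToken"
    nonce_el, created_el = token.find(f"{WSSE}Nonce"), token.find(f"{WSU}Created")
    if nonce_el is None or created_el is None:
        return "missing Nonce or Created"  # both are needed for replay detection
    # wsu:Created is UTC ISO 8601; fractional seconds are not handled in this example
    created = datetime.strptime(created_el.text.strip(), "%Y-%m-%dT%H:%M:%SZ")
    created = created.replace(tzinfo=timezone.utc).timestamp()
    if created > now + CLOCK_SKEW_SECONDS:
        return "Created is in the future"
    if created < now - MAX_AGE_SECONDS:
        return "Created is too old"
    if not cache.check_and_add(base64.b64decode(nonce_el.text.strip()), now):
        return "nonce replayed"
    return "ok"

# Constructed sample header (not a captured message); the nonce is base64 of bytes 0x00..0x07
SAMPLE_HEADER = """<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:UsernameToken><wsse:Username>alice</wsse:Username>
    <wsse:Nonce>AAECAwQFBgc=</wsse:Nonce><wsu:Created>2024-01-01T12:00:00Z</wsu:Created>
  </wsse:UsernameToken></wsse:Security>"""
SAMPLE_CREATED_EPOCH = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc).timestamp()
```

Calling verify_username_token twice with the same cache and the same header returns "ok" and then "nonce replayed", which is the behaviour the two properties turn on.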

  13. Optional: Select the Use certificate path settings option if you are configuring this token consumer for an X.509 security token.

  14. Select either the Certificate path reference option or the Trust any certificate option if you are configuring this token consumer for an X.509 security token. Important: When you configure a token consumer for an X.509 certificate token, use caution when you select the Trust any certificate option. This option might compromise the security of your Web service application by allowing the SOAP message to be signed or encrypted using any certificate. It is recommended that you use the trust anchor and certificate store list to validate the X.509 certificate embedded in the received SOAP message.

    If you select the Certificate path reference option, complete the following steps:

    1. Select a trust anchor reference from the list in the Trust anchor reference field. This reference is the name of the trust anchor that specifies the key store, which contains the trusted root certificate authority (CA) certificates.

    2. Select a certificate store from the Certificate store reference field. A certificate store list contains both non-root CA certificates (or intermediary certificates) and certificate revocation lists (CRLs).

  15. Click OK to save your configuration.

 

What to do next

Configure the key information if this token consumer configuration is for an X.509 security token. For more information, see Configuring key information for the consumer binding with an assembly tool.


 

See Also

Trusted ID evaluator

 

Related Tasks

Configure the security token requirement in consumer security constraints
Configure the security token in generator security constraints
Configure key information for the consumer binding with an assembly tool