Authentication generator or consumer token settings

 

+

Search Tips   |   Advanced Search

 

Authentication tokens are used to prove or assert an identity. Use the admin console to add authentication token settings for message parts when we are editing a general binding.

To configure authentication tokens...

1. To set the general bindings that are set as the global security default policy set bindings, click...

   Services | Policy sets | Default policy set bindings

   The specified bindings are used unless overridden at the attachment point, at the server, or at a security domain.

2. To set the general bindings and to add authentication token settings for message parts, click...

   Services | Policy sets | General provider policy set bindings

3. Click the WS-Security policy in the Policies table.

4. Click the Authentication and protection link in the Main message security policy bindings section.

5. Click New token to create a new token generator or consumer, or click an existing consumer or generator token link from the Authentication Tokens table.

To set application-specific bindings for tokens and message parts that are required by a policy set, complete the

1. Go to...

   Applications | Application Types | WebSphere enterprise apps.

2. Select an application that contains Web services. The application must contain a service provider or a service client.

3. Click the Service provider policy sets and bindings link or the Service client.policy sets and bindings link in the Web Services Properties section.

4. Select a binding. You must have previously attached a policy set and assigned an application specific binding.

5. Click the WS-Security policy in the Policies table.

6. Click the Authentication and protection link in the Main message security policy bindings section.

7. Click a consumer or generator token link from the Protection Tokens table.

This admin console panel applies only to JAX-WS applications.

Name

Name of the token being configured. When using application specific bindings, this field is not displayed.

Token type

Type of token being configured.

When using application specific bindings, the token type is obtained from the policy file and it is read-only. When we are using general bindings, select a token type from the list.

The following token types are available:

• X509V3 Token V1.1
• X509V3 Token V1.0
• Username Token V1.1
• Username Token V1.0
• X509PKCS7 Token V1.1
• X509PKCS7 Token V1.0
• X509PkiPathV1 Token V1.1
• X509PkiPathV1 Token V1.0
• LTPA Propagation Token
• X509V1 Token V1.1
• LTPA Token
• LTPA Token V2.0
• Custom Token

New feature: The LTPA Token V2.0 token type is available only for bindings using the new namespace in IBM WAS, V7.0 or later. When you select LTPA Token V2.0 as the token type for the token consumer, both LTPA tokens and LTPA V2.0 tokens can be consumed. To restrict the token consumer to LTPA V2.0 tokens only, select the Enforce token version check box.

If we select LTPA Token as the token type for the token generator, single sign-on interoperability mode must be enabled. This is a setting in global security from Web and SIP security. If the interoperability flag is not set to enabled (true), an error occurs when the application that is attached to these bindings is started. To use the LTPA token without checking the state of the interoperability flag, we can set the custom property...

com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7

...on the token generator.

Local name

Local name for the authentication token generator or consumer. The Local name field is populated based on the token type displayed. Use this field to edit custom token types only.

URI

URI of the authentication token generator or consumer. The URI field is populated based on the token type displayed. Use this field to edit custom token types only.

Leave this field blank if the custom token type is used to generate a Kerberos token as defined in the OASIS WS-Security Specification for Kerberos Token Profile v1.1.

Security token reference

Security token reference. The security token reference field is displayed only for authentication tokens in application-specific bindings. This field is not available for default bindings.

JAAS login

List of application and system JAAS logins that are effective for the domain to which the binding is scoped.

If an application is scoped to the global security or if it is scoped to a domain that does not customize its own JAAS logins, then the list of global logins are displayed in the menu list. Click New Application Login to access the global JAAS application login collection. The JAAS login menu list and New Application Login button behavior depend on whether the binding is being created in association with an attachment. Use caution when changing security domains, since a previously-referenced security configuration, such as JAAS logins, might not be accessible in a different security domain.

Custom properties – Name

Name used for the custom property.

Custom properties are not initially displayed in this column. Click one of the following buttons to enable the actions described:

Button	Resulting Action
New	Creates a new custom property entry. To add a custom property, enter the name and value.
Edit	Enables the selected custom property to be edited. Clicking this button provides input fields and creates the listing of cell values to be edited. The Edit button is not available until at least one custom property has been added.
Delete	Removes the selected custom property.

When configuring a username token for the JAX-WS model, to protect against replay attacks IBM recommends that you add custom properties to the username token consumer and the username token generator configuration. The custom properties enable and verify the nonce and timestamp for message authentication. Specify the property names and values as follows:

Property name (generator)	Property value
com.ibm.wsspi.wssecurity.token.username.addNonce	true
com.ibm.wsspi.wssecurity.token.username.addTimestamp	true

Property name (consumer)	Property value
com.ibm.wsspi.wssecurity.token.username.verifyNonce	true
com.ibm.wsspi.wssecurity.token.username.verifyTimestamp	true

Custom properties - Value

Value of the custom property to be used. Use the Value field to enter, edit, or delete the value for a custom property.

If the custom token type is used to generate a Kerberos token, specify the following custom properties:

Custom property name	Value
com.ibm.wsspi.wssecurity.krbtoken.targetServiceName	Name of the target service. Is required.
com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost	Host name that is associated with the target service in the following format: myhost.mycompany.com Is required.
om.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm	Name of the realm that is associated with the target service. Is optional for a single Kerberos realm. If the targetServiceRealm property is not specified, the default realm name from the Kerberos configuration file is used as the realm name. In a cross or trusted realm environment, provide a value for the targetServiceRealm property.
com.ibm.wsspi.wssecurity.krbtoken.clientRealm	Name of the Kerberos realm associated with the client. Is optional for a single Kerberos realm environment. When implementing WS-Security in a cross or trusted Kerberos realm environment, provide a value for the clientRealm property.
com.ibm.wsspi.wssecurity.krbtoken.loginPrompt	Enables the Kerberos login when the value is True. The default value is False. Is required.

For the token generator, the combination of the target service name and target hostname forms a Service Principal Name (SPN) which represents the target Kerberos service principal name. The Kerberos client requests the initial Kerberos AP_REQ token for the SPN.

If an application generates or consumes a Kerberos V5 AP_REQ token for each Web services request message, set...

com.ibm.wsspi.wssecurity.kerberos.attach.apreq

...to true in the token generator and the token consumer bindings for the application.

Callback handler

Links to the Callback handler page where we can configure callback handlers. Callback handler settings determine how security tokens are acquired from messages headers.

If working with a Username token or LTPA token using default bindings, the user names and passwords might have been provided as examples. Update the values for these token types.

---

 

Related tasks

Set policy set bindings
Manage policy sets

 

Related

Callback handler settings
Protection token settings (generator or consumer)
Application policy sets collection
Application policy set settings
Search attached applications collection
Policy set bindings settings
WS-Security authentication and protection