Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Authenticate web services using generic security token login modules > 2. Administering a generic security token login module.


Configure a generic security token login module for an authentication token: Token consumer

We can configure a generic security token login module for an authentication token on the token consumer side of the Web Services Security provider.

When a web service message is received, the Web Services Security runtime calls the generic security token login module for the token consumer as part of the authentication process. The login module delegates token validation to the WS-Trust service using WS-Trust Validate. The WS-Trust service processes the request and returns a RequestSecurityTokenResponse message to the login module; that response contains either a new security token or only a validation status code. If a caller token is required, the token returned by the WS-Trust service, or the original received token when no new token is returned, becomes the caller token.

For illustration purposes, it is assumed that policy sets and bindings are configured and attached to an application. For example, you can use the SAML11 Bearer WSSecurity default policy set and SAML Bearer Provider sample binding. See the topic about configuring client and provider bindings for the SAML bearer token.

Complete the following steps to configure the generic login module on the token consumer side using the admin console:


Procedure

  1. Configure the wss.consume.issuedToken JAAS login module for the application.

    1. Expand Applications > Application Types and click WebSphere enterprise applications.

    2. Click the application that contains the policy sets and bindings to modify.

    3. Under Web Services Properties, click Service provider policy sets and bindings.

    4. In the Binding column on the Service provider policy sets and bindings panel, click the name of the binding.

    5. In the Policy column on the Bindings configuration panel, click WS-Security.

    6. Under the Main Message Security Policy Bindings heading, click Authentication and protection.

    7. In the Authentication tokens section of the Authentication and protection panel, select the token to configure. For example, select request:SAMLToken11Bearer.

    8. On the Token consumer panel, select the wss.consume.issuedToken option for the JAAS login.

    9. Click Apply.

  2. Configure the callback handler.

    1. Under the Additional Bindings heading, click Callback handler.

    2. Under the Class Name heading on the Callback handler panel, select Use custom and specify com.ibm.websphere.wssecurity.callbackhandler.GenericIssuedTokenConsumeCallbackHandler for the class name.

    3. Click Apply. After you click Apply, a list of existing custom properties displays in the Custom Properties section of the panel. We can add, edit, or delete entries in the custom properties list. For more information about the custom properties for the callback handler, see the information about the com.ibm.wsspi.wssecurity.core.config.IssuedTokenConfigConstants API. This information is accessible within the Reference > Programming interfaces > APIs - Application Programming Interfaces section of the product documentation.

    4. Click Add to add both the stsURI custom property and its associated value. This custom property value is the target Security Token Service URL address. This property is required.

    5. Click Add to add both the wstrustClientPolicy custom property and its associated value. This custom property value is the trust client policy set name that applies to the WS-Trust client call.

    6. Click Add to add both the wstrustClientBinding custom property and its associated value. The custom property value is the trust client bindings that apply to the WS-Trust client call. For more information about creating trust client bindings, see steps 3, 4, and 5 in the documentation on configuring client and provider bindings for the SAML bearer token.

    7. Optional: Specify other custom properties. We can add the custom properties that are listed in the following tables.

      To add these custom properties, click New in the Custom properties section.

      Callback handler custom properties for both token generator and token consumer bindings. This table contains the custom property name, its values, and a short description.

      clockSkew
        Values: This custom property does not have a default value.
        Description: Use this custom property to specify, in minutes, an adjustment to the times in the self-issued SAML token that the SAMLGenerateLoginModule creates.

        The clockSkew custom property is set on the Callback handler of the SAML token generator that uses the SAMLGenerateLoginModule class. The value specified for this custom property must be numeric and is specified in minutes.

        When a value is specified for this custom property, the following time adjustments are made in the self-issued SAML token that the SAMLGenerateLoginModule creates:

        • The new NotBefore time setting equals the initial NotBefore time setting, minus the amount of time specified for the clockSkew custom property.
        • The new NotAfter time setting equals the initial NotAfter time setting, plus the amount of time specified for the clockSkew custom property.

      stsURI
        Values: This custom property does not have a default value.
        Description: Use this custom property to specify the Security Token Service (STS) address.

        This custom property is required for the token consumer. However, it is optional for the token generator if the requested token exists in the RunAs Subject and its verification is not required.

      wstrustClientBinding
        Values: This custom property does not have a default value.
        Description: Use this custom property to specify the binding name for the WS-Trust client.

      wstrustClientBindingScope
        Values: application or domain.
        Description: Use this custom property to specify the type of bindings that are used for the WS-Trust client. The following conditions apply:

        • If you specify the domain value, general bindings are used.
        • If you specify the application value, custom bindings are used.
        • If you do not specify a value and application bindings exist, those application bindings are used.
        • If you do not specify a value and general bindings exist, those general bindings are used.
        • If neither application nor general bindings exist, the default bindings are used.

        This custom property is optional.

      wstrustClientPolicy
        Values: This custom property does not have a default value.
        Description: Use this custom property to specify the policy set name for the WS-Trust client.

      wstrustClientSoapVersion
        Values: 1.1 or 1.2. The default value corresponds to the SOAP version used by the application client.
        Description: Use this custom property to specify the SOAP message version that the trust client uses to generate the SOAP message that is sent to the Security Token Service (STS). If you do not define this custom property, the generic security token login module uses the SOAP version of the application when it generates the SOAP message for the trust client request.

        This custom property is optional.

      wstrustClientWSTNamespace
        Values: 1.3 to use Trust v1.3 (default), or 1.2 to use Trust v1.2.
        Description: Use this custom property to specify which trust client namespace the generic security token login module uses when it makes the WS-Trust request.

      wstrustValidateClientBinding
        Values: By default, the value for this custom property is the same value specified for the wstrustClientBinding custom property.
        Description: Use this custom property to specify the bindings that are used by the WS-Trust Validate request.

        If you do not specify this custom property, the WS-Trust Validate request uses the same bindings that are used by WS-Trust Issue, which are defined by the wstrustClientBinding custom property.

      wstrustValidateClientPolicy
        Values: By default, the value for this custom property is the same value specified for the wstrustClientPolicy custom property.
        Description: Use this custom property to specify the policy sets to use with the WS-Trust Validate request.

        If you do not specify a value for this custom property, WS-Trust Validate uses the same policy set as WS-Trust Issue, defined by the required wstrustClientPolicy custom property.

      wstrustIssuer
        Values: Any string value.
        Description: Use this custom property to specify the issuer for the request token.

        This custom property is optional.

      wstrustValidateTargetOption
        Values: token or base. The default value is base, the WS-Trust Base element extension.
        Description: Use this custom property to specify whether the WS-Trust client passes the validation token to the WS-Trust Security Token Service using the ValidateTarget or the Base element extension. The following conditions apply:

        • If you do not specify a value for this custom property, the token is wrapped in the Base element extension within the RequestedSecurityToken element.
        • If you specify the token value, the token is wrapped in the ValidateTarget element within the RequestedSecurityToken element.

      Callback handler custom properties for token consumer bindings only. This table contains the custom property name, its values, and a short description.

      exchangedTokenType
        Values: The string ValueType value for a token that is supported by the system default login modules.
        Description: Use this custom property to specify the new token, with the defined ValueType value, that the trust service must return after successful validation.

        If you do not specify a value for this custom property, the generic security token login module accepts whichever token the trust service returns.

        This custom property is optional.

  3. Click OK and click Save to save the bindings.

  4. Stop and restart the applications.
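The following Python model shows the WS-Trust Validate exchange that the procedure above configures through custom properties: the request is built under the Trust v1.3 or v1.2 namespace (wstrustClientWSTNamespace), the received token is wrapped in either the Base element or ValidateTarget (wstrustValidateTargetOption), the RequestSecurityTokenResponse is checked for the status code and an optional new token, and exchangedTokenType is enforced before the caller token is chosen. This is an added example and not WebSphere or IBM code; the SAML assertions and STS responses are constructed inline, and the comparison of exchangedTokenType against the wst:TokenType element of the response is an assumption about how that property maps onto the wire.

```python
"""Model of the WS-Trust Validate exchange used by a generic security token
login module on the token consumer side (added example, not WebSphere code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Namespaces selected by wstrustClientWSTNamespace (1.3 is the default).
WST_NS = {
    "1.3": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "1.2": "http://schemas.xmlsoap.org/ws/2005/02/trust",
}
# ValueType of a SAML 1.1 assertion (WS-Security SAML Token Profile 1.1).
SAML11_VALUETYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def make_sample_token(assertion_id: str) -> ET.Element:
    """Constructed stand-in for a received SAML 1.1 assertion (no signature)."""
    return ET.fromstring(
        f'<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}" AssertionID="{assertion_id}"/>')


def build_validate_request(token_xml: str, wst_version: str = "1.3",
                           target_option: str = "base") -> str:
    """Build the RequestSecurityToken body for WS-Trust Validate.

    target_option mirrors wstrustValidateTargetOption: "base" wraps the token in
    wst:Base (the default), "token" wraps it in wst:ValidateTarget."""
    ns = WST_NS[wst_version]
    wrapper = {"base": "Base", "token": "ValidateTarget"}[target_option]
    return (f'<wst:RequestSecurityToken xmlns:wst="{ns}">'
            f'<wst:RequestType>{ns}/Validate</wst:RequestType>'
            f'<wst:{wrapper}>{token_xml}</wst:{wrapper}>'
            f'</wst:RequestSecurityToken>')


@dataclass
class ValidateResult:
    valid: bool                    # STS reported .../status/valid
    token: Optional[ET.Element]    # new token returned by the STS, if any
    value_type: Optional[str]      # wst:TokenType of that new token


def parse_validate_response(rstr_xml: str, wst_version: str = "1.3") -> ValidateResult:
    """Read status and optional exchanged token from a RequestSecurityTokenResponse.
    Trust 1.3 wraps the RSTR in a RequestSecurityTokenResponseCollection; 1.2 does not."""
    ns = WST_NS[wst_version]
    root = ET.fromstring(rstr_xml.strip())
    rstr_tag = f"{{{ns}}}RequestSecurityTokenResponse"
    rstr = root if root.tag == rstr_tag else root.find(f".//{rstr_tag}")
    if rstr is None:
        raise ValueError("no RequestSecurityTokenResponse in STS reply")
    code = rstr.findtext(f"{{{ns}}}Status/{{{ns}}}Code")
    valid = code == f"{ns}/status/valid"
    requested = rstr.find(f"{{{ns}}}RequestedSecurityToken")
    token, value_type = None, None
    if requested is not None and len(requested):
        token = requested[0]
        value_type = rstr.findtext(f"{{{ns}}}TokenType")
    return ValidateResult(valid, token, value_type)


def consumer_caller_token(original_token: ET.Element, result: ValidateResult,
                          exchanged_token_type: Optional[str] = None) -> ET.Element:
    """Choose the caller token: the STS-returned token when one is present,
    otherwise the originally received token. exchangedTokenType, when set,
    requires the returned token to carry exactly that ValueType (assumption:
    matched against wst:TokenType in the response)."""
    if not result.valid:
        raise PermissionError("STS reported the received token invalid")
    if result.token is None:
        return original_token            # status-only response: keep original
    if exchanged_token_type and result.value_type != exchanged_token_type:
        raise PermissionError(
            f"STS returned {result.value_type}, expected {exchanged_token_type}")
    return result.token


# Constructed STS replies: a Trust 1.3 response carrying a new SAML 1.1 token,
# and a Trust 1.2 response carrying a validation status only.
SAMPLE_RSTR_13 = f"""
<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST_NS['1.3']}">
  <wst:RequestSecurityTokenResponse>
    <wst:TokenType>{SAML11_VALUETYPE}</wst:TokenType>
    <wst:Status><wst:Code>{WST_NS['1.3']}/status/valid</wst:Code></wst:Status>
    <wst:RequestedSecurityToken>
      <saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}" AssertionID="_constructed-2"/>
    </wst:RequestedSecurityToken>
  </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>"""

SAMPLE_RSTR_12_STATUS_ONLY = f"""
<wst:RequestSecurityTokenResponse xmlns:wst="{WST_NS['1.2']}">
  <wst:Status><wst:Code>{WST_NS['1.2']}/status/valid</wst:Code></wst:Status>
</wst:RequestSecurityTokenResponse>"""


if __name__ == "__main__":
    received = make_sample_token("_constructed-1")
    print(build_validate_request(ET.tostring(received, encoding="unicode"), "1.3", "token"))
    caller = consumer_caller_token(received, parse_validate_response(SAMPLE_RSTR_13, "1.3"),
                                   SAML11_VALUETYPE)
    print("caller token:", caller.get("AssertionID"))
```

The two constructed responses exercise both outcomes the page describes: with a new token present and exchangedTokenType set, the STS token becomes the caller token only if its ValueType matches; with a status-only response the original received token is kept.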


Results

When you complete this task, you have configured a generic login module for the token consumer.


What to do next

Configure a generic security token login module for the token generator.
Configure client and provider bindings for the SAML bearer token
Configure a generic security token login module for an authentication token: Token generator


Related


Web services security custom properties
