Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Authenticate web services using generic security token login modules > 2. Administering a generic security token login module.


Configure a generic security token login module for an authentication token: Token generator

We can configure a generic security token login module used for an authentication token on the token generator side of the Web Services Security process.

When you invoke the generic security token login modules on the generator side, the login module delegates the token generation process to a Security Token Service (STS) using a WS-Trust Issue or WS-Trust Validate request. The STS processes the request and returns a RequestSecurityTokenResponse message to the login module. The login module inserts the token from the STS response message in the security header of the web service request message.

For illustration purposes, it is assumed that policy sets and bindings are configured and attached to an application. For example, you can use the SAML11 Bearer WSSecurity default policy set and SAML Bearer Client sample binding. See the topic about configuring client and provider bindings for the SAML bearer token.

Complete the following steps to configure the generic security token login module on the token generator side using the admin console:


Procedure

  1. Configure the wss.generate.issuedToken JAAS login module for the application.

    1. Expand Applications > Application Types and click WebSphere enterprise applications.

    2. Click the application that contains the policy sets and bindings to modify.

    3. Under Web Services Properties, click Service client policy sets and bindings.

    4. In the Binding column on the Service client policy sets and bindings panel, click the name of the binding.

    5. In the Policy column on the Bindings configuration panel, click WS-Security.

    6. Under the Main Message Security Policy Bindings heading, click Authentication and protection.

    7. In the Authentication tokens section of the Authentication and protection panel, select the token to configure. For example, select request:SAMLToken11Bearer.

    8. On the Token generator panel, select the wss.generate.issuedToken option for the JAAS login.

    9. Click Apply.

  2. Configure the callback handler.

    1. Under the Additional Bindings heading, click Callback handler.

    2. Under the Class Name heading on the Callback handler panel, select Use custom and specify com.ibm.websphere.wssecurity.callbackhandler.GenericIssuedTokenGenerateCallbackHandler for the class name.

    3. Click Apply. After you click Apply, a list of existing custom properties displays in the Custom Properties section of the panel. We can add, edit, or delete entries in the custom properties list. For more information about the custom properties for the callback handler, see the information about the com.ibm.wsspi.wssecurity.core.config.IssuedTokenConfigConstants API. This information is accessible within the Reference > Programming interfaces > APIs - Application Programming Interfaces section of the product documentation.

    4. Click Add to add both the stsURI custom property and its associated value. This custom property value is the target Security Token Service URL address. This property is required, unless you use a security token from the RunAs Subject without calling out to a security token service for validation. For more information, read the information about the validateUseToken and useRunAsSubjectOnly custom properties in subsequent steps.

    5. Click Add to add both the wstrustClientPolicy custom property and its associated value. This custom property value is the trust client policy set name that applies to the WS-Trust client call.

    6. Click Add to add both the wstrustClientBinding custom property and its associated value. The custom property value is the trust client bindings that apply to the WS-Trust client call. For more information about creating trust client bindings, see the documentation on configuring client and provider bindings for the SAML bearer token.

    7. Optional: Specify other custom properties. We can add the custom properties that are listed in the following tables.

      To add these custom properties, click New in the Custom properties section.

      Callback handler custom properties for both token generator and token consumer bindings. This table lists each custom property, its values, and a short description.

      clockSkew
      Values: This custom property does not have a default value.
      Description: Use this custom property to specify, in minutes, an adjustment to the times in the self-issued SAML token that the SAMLGenerateLoginModule creates.

      The clockSkew custom property is set on the callback handler of the SAML token generator that uses the SAMLGenerateLoginModule class. The value specified for this custom property must be numeric and is specified in minutes.

      When a value is specified for this custom property, the following time adjustments are made in the self-issued SAML token that the SAMLGenerateLoginModule creates:

      • The new NotBefore time setting equals the initial NotBefore time setting, minus the amount of time specified for the clockSkew custom property.
      • The new NotAfter time setting equals the initial NotAfter time setting, plus the amount of time specified for the clockSkew custom property.

      stsURI
      Values: This custom property does not have a default value.
      Description: Use this custom property to specify the Security Token Service (STS) address.

      This custom property is required for the token consumer. For the token generator, it is optional if the requested token already exists in the RunAs Subject and its verification is not required.

      wstrustClientBinding
      Values: This custom property does not have a default value.
      Description: Use this custom property to specify the binding name for the WS-Trust client.

      wstrustClientBindingScope
      Values: application or domain.
      Description: Use this custom property to specify the type of bindings that are used for the WS-Trust client.

      The following conditions apply:

      • If you specify the domain value, general bindings are used.
      • If you specify the application value, custom bindings are used.
      • If you do not specify a value and application bindings exist, those application bindings are used.
      • If you do not specify a value and general bindings exist, those general bindings are used.
      • If neither application nor general bindings exist, the default bindings are used.

      This custom property is optional.

      wstrustClientPolicy
      Values: This custom property does not have a default value.
      Description: Use this custom property to specify the policy set name for the WS-Trust client.

      wstrustClientSoapVersion
      Values: 1.1 or 1.2. The default value corresponds to the SOAP version used by the application client.
      Description: Use this custom property to specify the SOAP message version that the trust client uses to generate the SOAP message that is sent to the Security Token Service (STS). If you do not define this custom property, the generic security token login module uses the SOAP version of the application when it generates the SOAP message for the trust client request.

      This custom property is optional.

      wstrustClientWSTNamespace
      Values: 1.3 to use Trust v1.3 (the default), or 1.2 to use Trust v1.2.
      Description: Use this custom property to specify which trust client namespace the generic security token login module uses when it makes the WS-Trust request.

      wstrustValidateClientBinding
      Values: By default, the value is the same as the value specified for the wstrustClientBinding custom property.
      Description: Use this custom property to specify the bindings that are used by the WS-Trust Validate request. If you do not specify this custom property, the WS-Trust Validate request uses the same bindings that are used by WS-Trust Issue, which are defined by the wstrustClientBinding custom property.

      wstrustValidateClientPolicy
      Values: By default, the value is the same as the value specified for the wstrustClientPolicy custom property.
      Description: Use this custom property to specify the policy set to use with the WS-Trust Validate request. If you do not specify a value for this custom property, WS-Trust Validate uses the same policy set as WS-Trust Issue, defined by the required wstrustClientPolicy custom property.

      wstrustIssuer
      Values: Any string value.
      Description: Use this custom property to specify the issuer for the request token. This custom property is optional.

      wstrustValidateTargetOption
      Values: token or base. The default value is base, which selects the WS-Trust Base element extension.
      Description: Use this custom property to specify whether the WS-Trust client passes the validation token to the WS-Trust Security Token Service using the ValidateTarget element or the Base element extension.

      The following conditions apply:

      • If you do not specify a value for this custom property, the token is wrapped in the Base element extension within the RequestedSecurityToken element.
      • If you specify the token value, the token is wrapped in the ValidateTarget element within the RequestedSecurityToken element.

      Callback handler custom properties for token generator bindings only. This table lists each custom property, its values, and a short description.

      useRunAsSubject
      Values: True or False. By default, True is used. The value of this custom property is case sensitive.
      Description: Use this custom property to specify whether the generic security token login module uses the token from the RunAs Subject for the outgoing request. By default, the login module uses the validated tokens in the RunAs Subject first.

      The following conditions apply:

      • If you set this custom property to a false value, the generic security token login module does not use WS-Trust Validate to exchange the token for the outbound request. Instead, it uses WS-Trust Issue to request a token.
      • If you do not specify this custom property, the generic security token login module attempts to use a token from the RunAs Subject and WS-Trust Validate to exchange the token.
      • If a token does not exist in the RunAs Subject, the generic security token login module uses WS-Trust Issue, which is protected by the trust client policy sets.

      useRunAsSubjectOnly
      Values: True or False. By default, False is used. The value of this custom property is case sensitive.
      Description: Use this custom property to enable or disable WS-Trust Issue in the generic security token login module. If you set this custom property to a true value, the generic security token login module uses the token from the RunAs Subject and WS-Trust Validate to exchange the tokens. It does not use WS-Trust Issue to request a token even if WS-Trust Validate fails or it does not find a matching token in the RunAs Subject.

      useToken
      Values: Any string value that is the ValueType value of a security token.
      Description: When you use a security token in the RunAs Subject to validate and exchange tokens for an outbound request, use this custom property to specify which token ValueType value in the RunAs Subject to validate and exchange for the requested token.

      For example, the RunAs Subject might hold a token with a ValueType value of Token_1, while the required token has a ValueType value of Token_2. In that case, set this custom property to Token_1.

      If you do not define this custom property, the validation token is the token from the RunAs Subject that has the same ValueType value as the required token.

      This custom property is optional.

      validateUseToken
      Values: True or False. By default, True is used. The value of this custom property is case sensitive.
      Description: Use this custom property to specify whether the token generator uses WS-Trust Validate to validate the token from the RunAs Subject.

      By default, the generic security token login module validates a token from the RunAs Subject against the Security Token Service (STS) before sending the token in the SOAP message to the service provider.

      If you set this custom property to a false value and the generic security token login module finds a matching token in the RunAs Subject, the login module does not invoke WS-Trust Validate on the matching token. Instead, it sends the matching token to the downstream service provider without validation.

      wstrustIncludeTokenType
      Values: True or False. By default, True is used. The value of this custom property is case sensitive.
      Description: Use this custom property to specify whether the WS-Trust RequestedSecurityToken token includes the requested token ValueType value. If you do not specify this custom property, the generic security token login module includes the requested token type in the WS-Trust RequestedSecurityToken token.

      This custom property is optional.

  3. Click OK and click Save to save the bindings.

  4. Stop and restart the applications.
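The useRunAsSubject, useRunAsSubjectOnly, useToken, validateUseToken and stsURI properties interact, and the combination decides whether the generator calls WS-Trust Validate, falls back to WS-Trust Issue, or forwards a RunAs Subject token with no STS check at all. The following Python model is an added example and is not WebSphere code: the Token class, choose_action(), the sts_validate callback and the sample scenarios in demo() are assumptions; the property names and default values are the ones documented above, and the lowercase spelling of the case-sensitive true/false values is assumed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Token:
    value_type: str  # ValueType of a token held in the RunAs Subject
    value: str


def _flag(props: dict, name: str, default: bool) -> bool:
    # The page only says these values are case sensitive; this model assumes
    # the lowercase literals "true"/"false" are the canonical spelling.
    raw = props.get(name)
    if raw is None:
        return default
    if raw not in ("true", "false"):
        raise ValueError(f"{name} must be 'true' or 'false', got {raw!r}")
    return raw == "true"


def choose_action(props: dict, runas: List[Token], required_type: str,
                  sts_validate: Callable[[Token], Optional[Token]]) -> Tuple[str, Optional[Token]]:
    """Return (WS-Trust action, token to send) for one outbound request."""
    use_runas = _flag(props, "useRunAsSubject", True)
    runas_only = _flag(props, "useRunAsSubjectOnly", False)
    validate = _flag(props, "validateUseToken", True)
    wanted = props.get("useToken", required_type)  # default: same ValueType as required
    match = next((t for t in runas if t.value_type == wanted), None) if use_runas else None
    if match is not None and not validate:
        # The only path that never contacts the STS, so stsURI may be omitted here
        return ("send-unvalidated", match)
    if "stsURI" not in props:
        raise ValueError("stsURI is required whenever the STS is called")
    if match is not None:
        exchanged = sts_validate(match)  # WS-Trust Validate; STS returns the exchanged token
        if exchanged is not None:
            return ("WS-Trust Validate", exchanged)
    if runas_only:
        raise RuntimeError("useRunAsSubjectOnly=true: Validate failed and Issue is disabled")
    return ("WS-Trust Issue", None)  # protected by wstrustClientPolicy/wstrustClientBinding


def demo() -> dict:
    # Constructed sample: the RunAs Subject holds a Token_1, the request needs a Token_2
    runas = [Token("Token_1", "runas-token")]
    base = {"stsURI": "https://sts.example.com/Trust", "useToken": "Token_1"}
    out = {"validate": choose_action(base, runas, "Token_2", lambda t: Token("Token_2", "from-sts"))[0],
           "fallback": choose_action(base, runas, "Token_2", lambda t: None)[0],
           "no_runas": choose_action({**base, "useRunAsSubject": "false"}, runas, "Token_2", lambda t: None)[0],
           "unvalidated": choose_action({"useToken": "Token_1", "validateUseToken": "false"}, runas, "Token_2", lambda t: None)[0]}
    try:
        choose_action({**base, "useRunAsSubjectOnly": "true"}, runas, "Token_2", lambda t: None)
    except RuntimeError:
        out["runas_only"] = "failed-no-issue-fallback"
    return out
```

The "unvalidated" scenario is the one to watch in a review: with validateUseToken set to false a RunAs token reaches the downstream provider without the STS ever seeing it.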


Results

When you complete this task, you have configured a generic security token login module for the token generator.


What to do next

Configure a generic security token login module for the token consumer.

Related

Generic security token login module for the token generator
Generic security token login modules
Configure client and provider bindings for the SAML bearer token
Configure a generic security token login module for an authentication token: Token consumer
Web services security custom properties