Network Deployment (Distributed operating systems), v8.0 > Scripting the application serving environment (wsadmin) > Welcome to scripting for web services > Configure web services applications using wsadmin.sh > Configure application and system policy sets for web services using wsadmin.sh
Create policy set attachments using wsadmin
Use wsadmin.sh, which supports the Jython and Jacl scripting languages, to define the policy set configuration for your web services applications.
When administrative security is enabled, verify that you use the correct administrative role:
| Administrative role | Authorization |
|---|---|
| Administrator | The Administrator role must have cell-wide access to create policy set attachments. If we have access to a specific resource only, you can create policy set attachments for the resource for which we have access. |
| Configurator | The Configurator role must have cell-wide access to create policy set attachments. If we have access to a specific resource only, you can create policy set attachments for the resource for which we have access. |
| Deployer | The Deployer role with cell-wide or resource specific access can create policy set attachments for application resources only. |
| Operator | The Operator role cannot create policy set attachments. |
| Monitor | The Monitor role cannot create policy set attachments. |
Before you use the commands in this topic, verify that you are using the most recent version of wsadmin.sh. The policy set management commands that accept a properties object as the value for the attributes or bindingLocation parameters are not supported on previous versions of wsadmin.sh. For example, the commands do not run on a v6.1.0.x node.
To use a new policy set to manage policies for the application, attach the policy set to an application artifact or artifacts. When the application restarts, the application uses the policies from the newly attached policy set.
Mixed-version environment: In a mixed cell environment, the following limitations
apply to service reference attachments or resource attachments that are specified in name-value pair format:
- We must not create these types of attachments for applications that are deployed on an application server that is prior to WebSphere Application Server v8. Service reference attachments are only supported on WAS V8 and later.
- An application that contains these types of attachments must not be deployed on an application server that is prior to WAS v8.
- If an application that is deployed in a cluster environment contains these types of attachments, not add a member application server that is prior to WAS v8 to the cluster.
mixv
Procedure
- Launch a scripting command.
To learn more, read about starting the wsadmin scripting client.
- Select an application with web services to update.
Use the listWebServices command to list all web services and the associated applications. Enter the following command to list all web services and attributes:
AdminTask.listWebServices()
For each web service, the command returns the associated application name, module name, service name, and service type. For example, the following information is returned:'[ [service {http://www.ibm.com}service1] [client false] [application application1] [module webapp1.war] [type JAX-WS] ]' - Create a policy set attachment for an application.
For the commands in the PolicySetManagement group, the term resource refers to a web service artifact. For application and service client.policy sets, the artifacts use the application hierarchy. The application hierarchy includes a web service, module name, endpoint, or operation. Enter the value for the -resource parameter as a string, with a backslash ( / ) character as a delimiter. When attempting to connect to a web service from a thin client, verify that the resources you are specifying are valid before running the updatePolicySetAttachment command. No configuration changes are made if the requested resource does not match a resource in the attachment file for the application.
Use the following format for application and client.policy set attachments:
- WebService:/
Attaches all artifacts in the application to the policy set.
- WebService:/webapp1.war:{http://www.ibm.com}myService
Attaches all artifacts within the web service {http://www.ibm.com}myService to the policy set. We must provide a fully qualified name (QName) for the service.
- WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA
Attaches all operations for the endpointA endpoint to the policy set.
- WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA/operation1
Attaches only the operation1 operation to the policy set.
The format for the -resource string differs for service reference attachments. Use the following format for service reference attachments:
- type=WebService:/
Attaches all artifacts in the application to the policy set.
- type=WebService:/,module=myModule.war,service={ http://www.mynamespace.com}myService
Attaches all artifacts within the web service {http://www.mynamespace.com}myService to the policy set. We must provide a fully qualified name (QName) for the service.
- type=WebService:/,module=myModule.war,service={ http://www.mynamespace.com
}myService,serviceRef=myServiceRef
Attaches all artifacts within the web service reference myServiceRef to the policy set.
- type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA
Attaches all operations for the service reference endpointA endpoint in the service reference myServiceRef to the policy set.
- type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA
operation=operation1
Attaches only the operation1 operation in the service reference myServiceRef to the policy set.
The format for the -resource string differs for system policy set attachments for the trust service. Use the following format for system policy set attachments:
- Trust.opName:/
The opName attribute can be issue, renew, cancel, or validate.
- Trust.opName:/url
The opName attribute can be issue, renew, cancel, or validate. We can specify any valid URL for the url attribute.
- Enter the command to attach the policy set to the application.
This command attaches the policyset1 application policy set to all artifacts in the WebService application.
For transitioning users: Even
though you can specify the application value for the -attachmentType parameter, use the provider value in place of the application value because the attachments
are used for more than just applications, such as system attachments
for trust service. For system policy set attachments, specify the provider value for the attachmentType parameter and the "[systemType trustService]" value for the -attachmentProperties parameter. For WSNClient attachments, specify the client value for the attachmentType parameter and the bus and WSNService properties with the -attachmentProperties parameter.trns
To attach a policy set to a Web service application, specify the provider value for the -attachmentType parameter:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -applicationName WebService -attachmentType provider]')To attach a policy set to a service client application, specify the client value for the -attachmentType parameter:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -applicationName WebService -attachmentType client]')To create a trust service attachment for a system policy set, specify the provider value for the -attachmentType parameter and the [systemType trustService] value for the -attachmentProperties parameter:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -attachmentType provider -attachmentProperties "[systemType trustService]"]')To attach a policy set to a service reference, run:
AdminTask.createPolicySetAttachment('[-resources "type=WebService:/,module=webapp1.war,service= {http://www.mynamespace.com}myService,serviceRef=myServiceRef" -applicationName application1 –attachmentType client -policySet PolicySet1 –inheritFromService false]')This command returns an attachment ID number that use to reference this attachment. In the next step, use the attachment ID number to set the binding configuration. For this example, the attachment ID number is 124.
- WebService:/
- Run the command to set the binding.
To attach a policy set to a web services application, specify the provider value for the -attachmentType parameter.
The following example demonstrates how to set the timestamp expiration attribute on the SecureConversation123binding binding for the WSSecurity policy, on the WebService Web service application.
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "[[application WebService] [attachmentId 124] ]" -attachmentType provider -bindingName SecureConversation123binding -attributes "[application.securityoutboundbindingconfig.timestampexpires.expires 5]"')To attach a policy set to a Web services application client or to a service reference, specify the client value for the -attachmentType parameter.
- Save the configuration changes.
Enter the following command to save your changes:
AdminConfig.save()
Results
Your have attached the policy set to the application artifact or artifacts specified. Restart the application to use the policies from the newly attached policy set.
What to do next
Manage and update your attachments.
Start the wsadmin scripting client using wsadmin.sh
Configure attachments for the trust service
Manage policy set attachments using wsadmin
Manage policy set attachments for service references using wsadmin
Configure application and system policy sets for web services using wsadmin.sh
Create policy sets using wsadmin.sh
Add and remove policies using wsadmin.sh
Remove policy set attachments using wsadmin
Manage policy sets
Related
Search attached applications collection
PolicySetManagement command group
WebServicesAdmin command group