Authentication generator or consumer token settings

Network Deployment (Distributed operating systems), v8.0 > Reference > Sets

Authentication generator or consumer token settings

Authentication tokens are used to prove or assert an identity. Use the administrative console to add authentication token settings for message parts when you are editing a general binding.
To configure authentication tokens...

To view and select the general bindings that are set as the global security default policy set bindings, click Services > Policy sets > Default policy set bindings. The specified bindings are used unless overridden at the attachment point, at the server, or at a security domain.

To access and configure the general bindings and to add authentication token settings for message parts, click Services > Policy sets > General provider policy set bindings .

Click the WS-Security policy in the Policies table.

Click the Authentication and protection link in the Main message security policy bindings section.

Click New token to create a new token generator or consumer, or click an existing consumer or generator token link from the Authentication Tokens table.

To view and configure application-specific bindings for tokens and message parts that are required by a policy set...

Click Applications > Application Types > WebSphere enterprise applications.

Select an application that contains web services. The application must contain a service provider or a service client.

Click the Service provider policy sets and bindings link or the Service client.policy sets and bindings link in the Web Services Properties section.

Select a binding. We must have previously attached a policy set and assigned an application specific binding.

Click the WS-Security policy in the Policies table.

Click the Authentication and protection link in the Main message security policy bindings section.

Click a consumer or generator token link from the Protection Tokens table.

This administrative console page applies only to Java API for XML Web Services (JAX-WS) applications.

Name

Name of the token being configured. When using application specific bindings, this field is not displayed.

Token type

Type of token being configured.
When you are using application specific bindings, the token type is obtained from the policy file and it is read-only. When you are using general bindings, select a token type from the list. The following token types are available:

X509V3 Token V1.1
X509V3 Token V1.0
Username Token V1.1
Username Token V1.0
X509PKCS7 Token V1.1
X509PKCS7 Token V1.0
X509PkiPathV1 Token V1.1
X509PkiPathV1 Token V1.0
LTPA Propagation Token
X509V1 Token V1.1
LTPA Token
LTPA Token V2.0
Custom Token

The LTPA Token V2.0 token type is available only for bindings using the namespace as supported in IBM WAS, v7.0 or later. When you select LTPA Token V2.0 as the token type for the token consumer, both LTPA tokens and LTPA V2.0 tokens can be consumed. To restrict the token consumer to LTPA V2.0 tokens only, select the Enforce token version check box.
If you select LTPA Token as the token type for the token generator, single sign-on interoperability mode must be enabled. This is a setting in global security from Web and SIP security. If the interoperability flag is not set to enabled (true), an error occurs when the application that is attached to these bindings is started. To use the LTPA token without checking the state of the interoperability flag, you can set the custom property, com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7, on the token generator. Set the property , as described in the topic Enabling or disabling single sign-on interoperability mode for the LTPA token. The property can not be set using the Web Services Security API.

Local name

Local name for the authentication token generator or consumer. The Local name field is populated based on the token type displayed. Use this field to edit custom token types only.

URI

Uniform resource identifier (URI) of the authentication token generator or consumer. The URI field is populated based on the token type displayed. Use this field to edit custom token types only.
Leave this field blank if the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile v1.1.

Security token reference

Security token reference. The security token reference field is displayed only for authentication tokens in application-specific bindings. This field is not available for default bindings.

JAAS login

Specifies a list of application and system JAAS logins that are effective for the domain to which the binding is scoped.
If an application is scoped to the global security or if it is scoped to a domain that does not customize its own JAAS logins, then the list of global logins are displayed in the menu list. Click New Application Login to access the global JAAS application login collection. The JAAS login menu list and New Application Login button behavior depend on whether the binding is being created in association with an attachment. Use caution when changing security domains, since a previously-referenced security configuration, such as JAAS logins, might not be accessible in a different security domain.

Custom properties – Name

Name used for the custom property.
Custom properties are not initially displayed in this column. Click one of the following buttons to enable the actions described:

Button Resulting Action
New Creates a new custom property entry.
To add a custom property, enter the name and value.
Edit Enable the selected custom property to be edited. Clicking this button provides input fields and creates the listing of cell values to be edited. The Edit button is not available until at least one custom property has been added.
Delete Removes the selected custom property.

Custom properties – Value

Value of the custom property to be used. Use the Value field to enter, edit, or delete the value for a custom property.
If the custom token type is used to generate a Kerberos token, specify the following custom properties:

Custom property name Value
Specify the name of the target service. com.ibm.wsspi.wssecurity.krbtoken.targetServiceName Name of the target service.
This property is required.
com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost Host name that is associated with the target service in the following format: myhost.mycompany.com.
This property is required.
com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm Name of the realm that is associated with the target service.
This property is optional for a single Kerberos realm. If the targetServiceRealm property is not specified, the default realm name from the Kerberos configuration file is used as the realm name.
In a cross or trusted realm environment, provide a value for the targetServiceRealm property.

com.ibm.wsspi.wssecurity.krbtoken.clientRealm Name of the Kerberos realm associated with the client.
This property is optional for a single Kerberos realm environment.
When implementing Web Services Security in a cross or trusted Kerberos realm environment, provide a value for the clientRealm property.

com.ibm.wsspi.wssecurity.krbtoken.loginPrompt Enable the Kerberos login when the value is True. The default value is False.
This property is required.

For the token generator, the combination of the target service name and target hostname forms a Service Principal Name (SPN) which represents the target Kerberos service principal name. The Kerberos client requests the initial Kerberos AP_REQ token for the SPN.
If an application generates or consumes a Kerberos V5 AP_REQ token for each web services request message, set the com.ibm.wsspi.wssecurity.kerberos.attach.apreq custom property to true in the token generator and the token consumer bindings for the application. See the Web Services Security troubleshooting tips topic.

Callback handler

Links to the Callback handler page where you can configure callback handlers. Callback handler settings determine how security tokens are acquired from messages headers.
If you are working with a Username token or LTPA token that is using default bindings, the user names and passwords might have been provided as examples. You need to update the values for these token types.
Define and managing policy set bindings
Manage policy sets
Enable or disabling single sign-on interoperability mode for the LTPA token

Related

Callback handler settings for JAX-WS aug2011
Protection token settings (generator or consumer)
Application policy sets collection
Application policy set settings
Search attached applications collection
Policy set bindings settings
WS-Security authentication and protection

+
Search Tips | Advanced Search

Button	Resulting Action
New	Creates a new custom property entry. To add a custom property, enter the name and value.
Edit	Enable the selected custom property to be edited. Clicking this button provides input fields and creates the listing of cell values to be edited. The Edit button is not available until at least one custom property has been added.
Delete	Removes the selected custom property.

Custom property name	Value
Specify the name of the target service. com.ibm.wsspi.wssecurity.krbtoken.targetServiceName	Name of the target service. This property is required.
com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost	Host name that is associated with the target service in the following format: myhost.mycompany.com. This property is required.
com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm	Name of the realm that is associated with the target service. This property is optional for a single Kerberos realm. If the targetServiceRealm property is not specified, the default realm name from the Kerberos configuration file is used as the realm name. In a cross or trusted realm environment, provide a value for the targetServiceRealm property.
com.ibm.wsspi.wssecurity.krbtoken.clientRealm	Name of the Kerberos realm associated with the client. This property is optional for a single Kerberos realm environment. When implementing Web Services Security in a cross or trusted Kerberos realm environment, provide a value for the clientRealm property.
com.ibm.wsspi.wssecurity.krbtoken.loginPrompt	Enable the Kerberos login when the value is True. The default value is False. This property is required.