Configuring identity assertion
Identity assertion is one of the WebSphere® Application Server Version 6 enhancements, but it must be used in a secured environment such as a Virtual Private Network (VPN) or HTTPS. In such an environment, the requester identity can be sent without its own credentials, accompanied instead by other trusted credentials such as the server identity. With identity assertion, WebSphere Application Server supports the following trust modes:
- None
- Specifies that a trusted credential is not attached to the Simple Object Access Protocol (SOAP) message
- BasicAuth
- Specifies that a username token with a user name and a password is used as a trusted credential
- Signature
- Specifies that an X.509 certificate security token is used in the digital signature
The specific configuration for identity assertion is necessary on the consumer side in a service configuration only. On the generator side, you need to configure two token generators in a client configuration: one for a requester token and one for a token of a trusted party.
Complete the following steps to configure an application for identity assertion. You must configure both the consumer and the generator to complete the configuration.
- Click Window > Open Perspective > Java EE.
- Expand the Web Services > Services section in the Enterprise Explorer and double-click the name of the Web service.
- Click the Extensions tab and expand the Response Consumer Service Configuration Details > Caller Part section to configure the caller token.
- Configure the caller token for the consumer by completing the following steps:
- Click Add to configure the caller part. The Caller Part Dialog window is displayed. In this window, configure both a token that is used as a caller (requester) credential and a token for the trusted party.
- Specify a name for the caller token in the Name field.
- Select the type of caller token in Token type field. For example, you can select Username if a username token is used as the caller token. When you select the token type, the Local name is automatically specified.
- Optional: If you select the Custom token in the Token type field, specify the Local name and the Uniform Resource Identifier (URI) of the custom token. The URI field is used only for a custom token.
- Optional: If the caller token is also used as a certificate of a required integrity or confidentiality part, select the name of the part in the Integrity or Confidentiality part field. The list contains the names of the integrity and confidentiality parts that are defined in the Required Integrity and Required Confidentiality sections for the consumer. For example, when an X.509 certificate token is used both as the caller token and as the signature certificate of the body element, select X.509 certificate token in the Token type field and select reqint_body1 in the Integrity or Confidentiality part field. This example assumes that reqint_body1 is a required integrity configuration.
- Configure a trusted party token for the consumer by completing the following steps:
- Select the Use IDAssertion option to associate a trust method with this caller and to verify an asserted identity from the intermediary (caller).
- Select the name of the trust method in the Trust method name field. The following selections are supported:
- None
- Select this option to specify that a trusted credential is not attached to the SOAP message.
- BasicAuth
- Select this option to specify that a username token with a user name and password is used as a trusted credential.
- Signature
- Select this option to specify that an X.509 certificate security token is used in the digital signature.
When you select either BasicAuth or Signature, the URI and the Local name fields are automatically specified.
- Optional: Select the name of an integrity or confidentiality part in the Integrity or Confidentiality part field if you require a digital signature or encryption by the trusted party token. For example, if you select Signature in the Trust method name field and you require that the trusted party token signs the body element, select reqint_body2 in the Integrity or Confidentiality part field. This example assumes that reqint_body2 is a required integrity configuration.
- Optional: If you select BasicAuth or Signature in the Trust method name field, specify a trusted ID evaluator in the Token Consumer Dialog window of the binding configuration. Complete the following steps to specify a trusted ID evaluator:
- Click Binding Configurations in the Web services editor.
- Expand the Token Consumer section and click Add.
- Click the Use trusted ID evaluator option.
- Specify a class name in the Trusted ID evaluator class field. The class implements the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface and validates the trusted party token. WebSphere Application Server provides the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl class, a sample implementation of the TrustedIDEvaluator interface. If you use this class, specify com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl in the Trusted ID evaluator class field and click Add to add the following trusted ID evaluator property:
- In the name field, specify trustedid
- In the value field, specify CN=Alice,O=IBM,C=US
The value of the property is the distinguished name (DN) of the username or X.509 certificate token of the trusted party token.
- Click OK to save the configuration.
- Expand the Web Services > Client section in the Enterprise Explorer and double-click the name of the Web service.
- Click the WS Extension tab and expand the Request Generator Configuration > Security Token section.
- Specify the caller token for the generator. Do not specify the token as a required token if it is also used for signing or encryption. Specify it as a required token only when it is a stand-alone token, that is, a token that is not used for signing or encryption. When the caller token type is a username token or an X.509 certificate token and the token is not used for signing or encryption, specify a security token for this caller token:
- Click Add to configure a security token.
- Specify a name for the caller token in the Name field.
- Select either the Username or X.509 certificate token option in the Token type field. After you select one of these two options, a value for the Local name field is automatically defined.
- Click OK to save the configuration.
- Click the WS Binding tab and expand the Security Request Generator Binding Configuration > Token Generator section.
- Click Add and add the token generator configuration for the caller token.
- Click OK to save the configuration.
- Configure the trusted party token. When the trust mode that was specified previously is None, only the caller token is attached and you do not need to specify the security token of the trusted party. When the trust mode is BasicAuth or Signature, you need to specify a username token or an X.509 certificate token for the trusted party. However, if the X.509 certificate token of the trusted party is also used for digital signing or encryption, you do not need to specify the security token of the trusted party. Complete the following steps to configure the trusted party token:
- Expand the Web Services > Client section in the Enterprise Explorer and double-click the name of the Web service.
- Click the WS Extension tab and expand the Request Generator Configuration > Security Token section.
- Click Add to configure a security token.
- Specify a name for the trusted party token in the Name field.
- Select either the Username or X.509 certificate token option in the Token type field. After you select one of these two options, a value for the Local name field is automatically defined.
- Click OK to save the configuration.
- Click the WS Binding tab and expand the Security Request Generator Binding Configuration > Token Generator section.
- Click Add and add the token generator configuration for the trusted party token.
- Click OK to save the configuration.
Your environment is configured for identity assertion.
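The trusted ID evaluator is the point where the consumer decides whether an intermediary is allowed to assert another party's identity, so it deserves more care than a raw string compare of the trustedid value. The class below is an added illustration, not IBM's TrustedIDEvaluatorImpl; it assumes the interface declares evaluate(String) and evaluate(X509Certificate) overloads and that the configured trustedid values are passed to the constructor, both of which are assumptions to check against the wsspi Javadoc of your release.

```java
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator;

// Added example, not IBM's sample class. Assumption: the interface declares
// boolean evaluate(String id) and boolean evaluate(X509Certificate cert),
// each returning true when the trusted party may assert identities.
public class AllowListTrustedIDEvaluator implements TrustedIDEvaluator {

    // Canonical forms of the configured trustedid values, e.g. CN=Alice,O=IBM,C=US.
    private final Set<String> trustedDNs = new HashSet<String>();

    // Assumption: the configured trustedid property values are handed in here;
    // the container-managed class would read them from its binding properties.
    public AllowListTrustedIDEvaluator(Set<String> configuredDNs) {
        for (String dn : configuredDNs) {
            trustedDNs.add(canonical(dn));
        }
    }

    // Normalise attribute-type case and spacing so that "cn=Alice, o=IBM, c=US"
    // and "CN=Alice,O=IBM,C=US" compare equal; a plain string compare would
    // reject a legitimate trusted party or, worse, tempt an admin to loosen it.
    static String canonical(String dn) {
        try {
            return new X500Principal(dn).getName(X500Principal.CANONICAL);
        } catch (IllegalArgumentException notADn) {
            return dn.trim(); // not a DN: compare the id verbatim
        }
    }

    // BasicAuth trust mode: id is the name of the already-authenticated
    // trusted party carried in the username token.
    public boolean evaluate(String id) {
        return id != null && trustedDNs.contains(canonical(id));
    }

    // Signature trust mode: cert is the signer's certificate. The token
    // consumer has already verified the signature; this method only decides
    // whether that signer is on the allow-list of identity-asserting parties.
    public boolean evaluate(X509Certificate cert) {
        return cert != null && trustedDNs.contains(
            cert.getSubjectX500Principal().getName(X500Principal.CANONICAL));
    }
}
```

With trust mode None there is no trusted party credential to evaluate, which is why that mode is only acceptable when the VPN or HTTPS transport itself restricts who can reach the service.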
Related tasks
Configuring token generators with an assembly tool