Configure the client security bindings using the Assembly Toolkit

When configuring a client for Web services security, the bindings describe how to run the security specifications found in the extensions. Use the Web services client editor within the Assembly Toolkit to include the binding information in the client EAR file.

You can configure the client-side bindings from a pure client accessing a Web service or from a Web service accessing a downstream Web service. This document focuses on the pure client situation. However, the concepts, and in most cases the steps, also apply when a Web service is configured to communicate downstream to another Web service that has client bindings. Complete the following steps to edit the security bindings on a pure client (or server acting as a client) using the Assembly Toolkit:

  1. Import the Web services client EAR file into the Assembly Toolkit. When you edit the client bindings on a server acting as a client, the same basic steps apply. Complete the following steps to import your client EAR file into the Assembly Toolkit. Refer to the Assembly Toolkit documentation for additional information.

    1. Download and install the Assembly Toolkit. You can download the Assembly Toolkit from the following Web site:

      http://www.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=ASTK&uid=swg24005125&loc=en_US&cs=utf-8&lang=en+en

    2. Start the Assembly Toolkit and open the Java perspective by clicking Window > Open Perspective > J2EE.

    3. Import the client EAR file by clicking File > Import > EAR file.

    4. Click Next.

    5. Enter the path name to the EAR file in the EAR File field or click Browse to locate the file.

    6. Enter the project name in the Project name field.

    7. Click Finish.

  2. Open the Web services client editor within the Assembly Toolkit to begin editing the client bindings. To access the client bindings using the Assembly Toolkit, complete the following steps:

    1. Open the Navigator by clicking Window > Show View > Navigator.

    2. Expand your application JAR file from the Navigator.

    3. Expand the J2EE client application (appClientModule, ejbModule, or WebContent), which are included in the client JAR package that you selected.

    4. Expand the META-INF directory and locate the webservicesclient.xml file.

    5. Right-click the webservicesclient.xml file and click Open With > Web Services Client Editor. The Web services client editor (for webservicesclient.xml and the Web services configuration of outbound requests and inbound responses) has several tabs at the bottom, including References, Handlers, Security Extensions, Web Services Client Binding, and Port Binding. The security extensions are edited using the Security Extensions tab. The security bindings are edited using the Port Binding tab.

  3. On the Security Extensions tab, select the port qualified name bindings that you want to configure. The Web services security extensions are configured for outbound requests and inbound responses. You need to configure the following information for Web services security extensions. These topics are discussed in more detail in other sections of the documentation.

    Request sender configuration details

    Details                   Configuring the client for request signing: digitally signing message parts
    Integrity                 Configuring the client for request signing: digitally signing message parts
    Confidentiality           Configuring the client for request encryption: encrypting the message parts
    Login Config
      BasicAuth               Configuring the client for basicauth authentication: specifying the method
      IDAssertion             Configuring the client for identity assertion authentication: specifying the method
      Signature               Configuring the client for signature authentication: specifying the method
      LTPA                    Configuring the client for LTPA token authentication: specifying LTPA token authentication
    ID Assertion              Configuring the client for identity assertion authentication: specifying the method
    Add Created Time Stamp    Configuring the client for request signing: digitally signing message parts

    Response receiver configuration details

    Required Integrity        Configuring the client for response digital signature verification: verifying the message parts
    Required Confidentiality  Configuring the client for response decryption: decrypting message parts
    Add Received Time Stamp   Configuring the client for response digital signature verification: verifying the message parts

  4. From the Port Binding tab, select the port qualified name binding that you want to configure. The Web services security bindings are configured for outbound requests and inbound responses. You need to configure the following information for Web services security bindings. These topics are discussed in more detail in other sections of the documentation.

    Security request sender binding configuration

    Signing information       Configuring the client for request signing: choosing the digital signature method
    Encryption information    Configuring the client for request encryption: choosing the encryption method
    Key locators              Configuring key locators using the Assembly Toolkit
    Login binding
      Basic auth              Configuring the client for basicauth authentication: collecting the authentication information
      ID assertion            Configuring the client for identity assertion: Collecting the authentication method
      Signature               Configuring the client for signature authentication: collecting the authentication information
      LTPA                    Configuring the client for LTPA token authentication: Collecting the authentication method information

    Security response receiver binding configuration

    Signing information       Configuring the client for response digital signature verification: choosing the verification method
    Encryption information    Configuring the client for response decryption: choosing a decryption method
    Trust anchor              Configuring trust anchors using the Assembly Toolkit
    Certificate store list    Configuring the client-side collection certificate store using the Application Server Toolkit
    Key locators              Configuring key locators using the Assembly Toolkit

When configuring the security request sender binding configuration, synchronize the information used to perform the specified security with the security request receiver binding configuration, which is configured in the server EAR file. These two configurations must be synchronized in all respects because there is no negotiation during run time to determine the requirements of the server.

For example, when configuring the encryption information in the security request sender binding configuration, use the public key from the server for encryption. Therefore, the key locator that you choose must contain the public key from the server configuration. The server must contain the private key to decrypt the message. This example illustrates the important relationship between the client and server configuration. Additionally, when configuring the security response receiver binding configuration, the server must send the response using security information known by this client security response receiver binding configuration.
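The key relationship described above, shown as an added example that is not part of the original documentation or of the product's code: a request sender wraps a per-message content key with the public key its key locator returns, and the request receiver can unwrap it only if that key matches its own private key. The class and method names, the in-memory key pairs, and the RSA-OAEP and AES algorithm choices are assumptions made for this demonstration.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyLocatorSyncDemo {
    // Key transport algorithm chosen for the demo (assumption, not from the page).
    static final String KEY_TRANSPORT = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Request sender: wrap the content key with the public key that the
    // client's key locator returns for the server.
    static byte[] senderWrap(PublicKey fromKeyLocator, SecretKey contentKey)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(KEY_TRANSPORT);
        c.init(Cipher.WRAP_MODE, fromKeyLocator);
        return c.wrap(contentKey);
    }

    // Request receiver: unwrap with the server's private key. Nothing is
    // negotiated, so a mismatched key surfaces only here, as a failure.
    static boolean receiverUnwraps(PrivateKey serverPrivate, byte[] wrapped, SecretKey sent) {
        try {
            Cipher c = Cipher.getInstance(KEY_TRANSPORT);
            c.init(Cipher.UNWRAP_MODE, serverPrivate);
            Key k = c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
            return Arrays.equals(k.getEncoded(), sent.getEncoded());
        } catch (GeneralSecurityException e) {
            return false; // wrong key: the receiver cannot recover the content key
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);
        KeyPair server = rsa.generateKeyPair(); // constructed: the server's current key pair
        KeyPair stale = rsa.generateKeyPair();  // constructed: a key the server does not hold
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(128);
        SecretKey contentKey = aes.generateKey();
        byte[] ok = senderWrap(server.getPublic(), contentKey);
        byte[] bad = senderWrap(stale.getPublic(), contentKey);
        System.out.println("synchronized key locator: " + receiverUnwraps(server.getPrivate(), ok, contentKey));
        System.out.println("mismatched key locator:   " + receiverUnwraps(server.getPrivate(), bad, contentKey));
    }
}
```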

The following table shows the related configurations between the client and the server. The client request sender and the server request receiver are related configurations that must be synchronized with each other. The server response sender and the client response receiver are related configurations that must be synchronized with each other. Note that the related configurations are end points for any request or response. One end point must communicate its actions with the other end point because run time requirements are not negotiated.

Related configurations

Client configuration    Server configuration
Request sender          Request receiver
Response receiver       Response sender


See Also

Request sender
Request receiver
Response sender
Response receiver
Securing Web services using XML digital signature
Configuring the security bindings on a server acting as a client using the administrative console
Configuring the server security bindings using the Assembly Toolkit
Configuring the server security bindings using the administrative console