Configuring the caller in consumer security constraints

The caller is used to identify the token. The runtime for Web services security uses this token identity to create the security credential and principal for WebSphere Application Server. The token identity must be in the configured user registry so that the Application Server can use the token identity in J2EE authorization checks.


Before you begin

Prior to completing this task, import your application into an assembly tool.

For information on how to import your application, see Import enterprise applications.


About this task

Complete the following steps to specify the caller part when you configure the consumer security constraints for either the response consumer or the request consumer. The response consumer is configured for the client and the request consumer is configured for the server. The procedure contains one optional step for locating the client-side extensions and one for locating the server-side extensions; complete whichever applies to the consumer you are configuring, not both.


Procedure

  1. Start the assembly tool.
  2. Switch to the J2EE perspective. Click Window > Open Perspective > J2EE.
  3. Optional: Locate the client-side extensions using the Project Explorer window. The Client Deployment Descriptor window is displayed. This Web service contains the extensions that we need to configure. Complete the following steps to locate the client-side extensions:
    1. Expand the Web Services > Client section and double-click the name of the Web service.
    2. Click the WS Extension tab and expand the Response Consumer Configuration section.
  4. Optional: Locate the server-side extensions using the Project Explorer window. The Web Services Editor window is displayed. This Web service contains the extensions that we need to configure. Complete the following steps to locate the server-side extensions:
    1. Expand the Web Services > Services section and double-click the name of the Web service.
    2. Click the Extensions tab and expand the Request Consumer Service Configuration Details section.
  5. Expand the Caller Part section.
  6. Click Add to specify the caller part. The Caller Part Dialog window is displayed. Complete the following steps to configure the caller part:

    1. Specify the name of the caller in the Name field.
    2. Optional: Specify the name of an integrity or confidentiality part in the Required Integrity or Required Confidentiality part field if you want to select the token that is used for either digital signature or encryption as the caller token. For more information on these configurations, see the following tasks:
      Important: Either complete this step or specify a token type in the Token type field in the next step.
    3. Optional: Specify a token type in the Token type field if you want to select a standalone security token as the caller token.

      If a standalone security token is used for authentication, then the Uniform Resource Identifier (URI) and local name attributes must define the type of security token that is used for authentication. We can select standard or custom security tokens by URI and local name.

      If you specify a token type in the Token type field, complete the following steps:

      1. Specify the namespace URI of the security token that is used for authentication in the URI field.
      2. Specify the local name of the security token that is used for authentication in the Local name field. The following table shows the URI and local name combinations that are supported:
        Table 1. URI and Local name combinations

        URI: A namespace URI is not applicable.
        Local name: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
        Description: Specifies the name of an X.509 certificate token.

        URI: A namespace URI is not applicable.
        Local name: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
        Description: Specifies the name of the X.509 certificates in a PKI path.

        URI: A namespace URI is not applicable.
        Local name: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7
        Description: Specifies a list of X.509 certificates and certificate revocation lists (CRL) in a PKCS#7.

        URI: http://www.ibm.com/websphere/appserver/tokentype/5.0.2
        Local name: LTPA
        Description: Specifies a binary security token that contains an embedded Lightweight Third Party Authentication (LTPA) token.

        URI: http://www.ibm.com/websphere/appserver/tokentype
        Local name: LTPA_PROPAGATION
        Description: Specifies a binary security token that contains an embedded propagation token.

        URI: The namespace URI value indicated by the provider.
        Local name: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
        Description: Specifies the token type that is configured to perform token validation. This local name is used to remap an incoming security token to a different security token. We can use this local name value in a situation that is similar to the following scenario:

        A client sends a username token to the server. The custom token consumer on the server uses the security token service to authenticate the user name information. The username token is used to create a new token type such as a Security Assertion Markup Language (SAML) token. We can use the identity from the SAML token for authentication and authorization verification in WebSphere Application Server.

        The custom token requires that you specify both the URI and the Local name.

  7. Optional: Configure identity assertion. For more information, see Configuring identity assertion.
  8. Optional: Click Add and specify a Trust method property in the Trust method property section, if necessary.
  9. Optional: Click Add and specify an additional property in the Property section, if necessary.
  10. Click OK to save the configuration changes.
    Note: These configurations on the consumer side and the generator side must match.
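The following is an added example, not code from the IBM documentation or from WebSphere itself. It shows how a consumer applies a caller part's URI and local name (the Table 1 values) to an inbound WS-Security header to decide which token identifies the caller, returning None when no matching token is present. Treating "not applicable" as None and joining the LTPA row as uri#local for the wire ValueType are assumptions.

```python
# Added example, not part of the IBM documentation: applies a caller-part
# configuration (token type URI + local name from Table 1) to a WS-Security
# header and reports which token the consumer would treat as the caller.
import base64
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
UNT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
LTPA_URI = "http://www.ibm.com/websphere/appserver/tokentype/5.0.2"

# Constructed sample header: a UsernameToken plus one X509v3 binary token
# (the base64 payload is a placeholder, not a real certificate).
SAMPLE = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Header><wsse:Security xmlns:wsse="{WSSE}">
  <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
  <wsse:BinarySecurityToken ValueType="{X509}#X509v3">dGVzdA==</wsse:BinarySecurityToken>
 </wsse:Security></s:Header><s:Body/></s:Envelope>"""


def caller_value_type(uri, local_name):
    """ValueType the consumer looks for. For the OASIS rows of Table 1 the
    URI is not applicable (None) and the local name is the whole value; for
    the LTPA rows the two are joined as uri#local (assumed wire form)."""
    return local_name if uri is None else f"{uri}#{local_name}"


def select_caller_token(envelope_xml, uri, local_name):
    """Return (value_type, identity_hint) for the first token matching the
    configured caller part, or None when the header carries no such token.
    None is the case the runtime must reject: without a caller token no
    credential or principal can be built for J2EE authorization checks."""
    wanted = caller_value_type(uri, local_name)
    security = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}Security")
    if security is None:
        return None
    for tok in security:
        if tok.tag == f"{{{WSSE}}}BinarySecurityToken" and tok.get("ValueType") == wanted:
            raw = base64.b64decode(tok.text or "")  # certificate / LTPA bytes
            return wanted, f"binary token, {len(raw)} bytes"
        if tok.tag == f"{{{WSSE}}}UsernameToken" and wanted == f"{UNT}#UsernameToken":
            user = tok.findtext(f"{{{WSSE}}}Username")
            return wanted, f"username {user}"
    return None
```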