Default binding


Applications can share certain binding information. This information includes truststores, keystores, and authentication methods (token validation). WAS provides support for default binding information. Administrators can define binding information at:

  • The cell level

Applications can refer to this binding information.

We can define the following binding information in the ws-security.xml file:

Trust anchors (truststore)

Collection certificate store

Key locators

  • Key locators specify implementation of the com.ibm.wsspi.wssecurity.config.KeyLocator interface. This interface is used to retrieve keys for signature or encryption. Customer implementations can extend the key locator interface to retrieve keys using other methods. WAS provides implementations to retrieve a key from the key store, map an authenticated identity to a key in the key store, or retrieve a key from the signer certificate (mapping and retrieving actions are used for encrypting the response).

  • The Key Locator Name is used in the binding file (ibm-webservices-bnd.xmi and ibm-webservicesclient-bnd.xmi when Web services is running as a client) to refer to the key locator defined in the default binding information. The Key Locator Name must be unique to the key locators collection in the default binding information.

Trusted ID evaluators

  • Trusted ID evaluators are an implementation of the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface. This interface is used to make sure the identity (ID)-asserting authority is trusted. Additionally, one can extend the trusted identity evaluator to validate the trust. WAS provides a default implementation for validating trust based on a predefined list of identities.

  • The Trusted ID Evaluator Name is used in the binding file (ibm-webservices-bnd.xmi) to refer to the trusted identity evaluator defined in the default binding information. The Trusted ID Evaluator Name must be unique to the Trusted ID Evaluator collection.
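The following is an added example, not code from the IBM documentation or from WebSphere itself: a custom trusted ID evaluator that trusts an ID-asserting authority only when it appears on an explicit allow-list supplied through the evaluator's properties in the default binding. It assumes the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface declares init(java.util.Map) and evaluate(String), and the property name trustedIds is hypothetical.

```java
// Added example, not IBM code: allow-list trusted ID evaluator for identity assertion.
// ASSUMPTION: TrustedIDEvaluator declares init(java.util.Map) and evaluate(String);
// confirm against the WebSphere javadoc for your release before deploying.
package com.example.wssec;

import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator;

public class AllowListTrustedIDEvaluator implements TrustedIDEvaluator {

    // Hypothetical property name: a comma-separated list of trusted asserting identities,
    // configured on the evaluator entry in the default binding (ws-security.xml).
    private static final String TRUSTED_IDS_PROPERTY = "trustedIds";

    private Set<String> trustedIds = Collections.emptySet();

    // Called once by the runtime with the evaluator's configured properties.
    public void init(Map map) {
        Object value = (map == null) ? null : map.get(TRUSTED_IDS_PROPERTY);
        Set<String> ids = new HashSet<String>();
        if (value != null) {
            for (String id : value.toString().split(",")) {
                String trimmed = id.trim();
                if (trimmed.length() > 0) {
                    ids.add(trimmed);
                }
            }
        }
        trustedIds = Collections.unmodifiableSet(ids);
    }

    // Returns true only for an asserting identity on the allow-list.
    // An empty or missing list trusts nobody, so identity assertion fails closed.
    public boolean evaluate(String id) {
        return id != null && trustedIds.contains(id);
    }
}
```

Register the class under a unique Trusted ID Evaluator Name in the default binding and refer to that name from ibm-webservices-bnd.xmi.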

Login mappings

  • Login mappings define the mapping of the authentication method to the JAAS login configuration. The mappings are used to authenticate the incoming security token embedded in the Web services security SOAP message header. The JAAS login configuration is defined in the administrative console under...

    Security | JAAS Configuration | Application Logins

  • WebSphere Application Server defines the following authentication methods:

    BasicAuth: authenticates a user name and password.

    Signature: maps the subject distinguished name (DN) in the certificate to a WAS credential.

    IDAssertion: maps the asserted identity to a WAS credential.

    LTPA: authenticates a Lightweight Third Party Authentication (LTPA) token.

    After identity authentication, the associated credential is used in the downstream call.

  • Login mappings can be extended to authenticate custom security tokens by providing a custom JAAS login configuration and by using the com.ibm.wsspi.wssecurity.auth.module.WSSecurityMappingModule to create the principal and credential required by WebSphere Application Server.

  • If a LoginConfig (AuthMethod) is defined in the IBM extension deployment descriptor (ibm-webservices-ext.xmi) but no login mapping binding for that AuthMethod is defined in ibm-webservices-bnd.xmi, the Web services security runtime uses the login mapping defined in the default binding information.

WebSphere Application Server Network Deployment

When the WebSphere Application Server is federated into a Network Deployment cell, the default binding file (ws-security.xml) of the server is added to the new cell, along with other server-level configuration information. If you use the cell-level default binding, the entries of the server-level default binding must be removed.

There is a cell-level default binding (ws-security.xml) for a Network Deployment installation. Furthermore, for a Network Deployment installation the server-level binding is optional. To navigate to the cell-level default binding in the administrative console, click Security > Web Services. The server-level binding is described in WebSphere Application Server.

Figure 1. Web services security application-level, cell-level, and server-level default binding information

The lookup order for binding information is: application-level binding, then server-level default binding, then cell-level default binding.



See Also


Trust anchors
Collection certificate store
Key locator
Trusted ID evaluator
Login mappings
BasicAuth authentication method
Identity assertion authentication method
Signature authentication method
Lightweight Third Party Authentication