Callback handler configuration settings

Use this page to specify how to acquire the security token that is inserted in the Web services security header within the Simple Object Access Protocol (SOAP) message. The token acquisition is a pluggable framework that leverages the JAAS javax.security.auth.callback.CallbackHandler interface for acquiring the security token. To view this console page for the callback handler on the cell level...

1. Click Security > Web services.

2. Under Default generator bindings, click Token generators > token_generator_name .

3. Under Additional properties, click Callback handler.

To view this console page for the callback handler on the server level...

1. Click Servers > Application servers > server .

2. Under Security, click Web services: Default bindings for Web services security.

3. Under Default generator bindings, click Token generators > token_generator_name .

4. Under Additional properties, click Callback handler.

To view this console page for the callback handler on the application level ...

1. Click Applications > Enterprise applications > application.

2. Click Manage modules > URI_name .

3. Under Additional properties, you can access the callback handler information for the following bindings:

   • For the Request generator (sender) binding, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom. Under Additional properties, click Token generator. Click New to create a new token generator configuration or click the name of an existing configuration to modify its settings. Under Additional properties, click Callback handler.

   • For the Response generator (sender) binding, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom. Under Additional properties, click Token generator. Click New to create a new token generator configuration or click the name of an existing configuration to modify its settings. Under Additional properties, click Callback handler.

Callback handler class name

Name of the callback handler implementation class that is used to plug in a security token framework. The specified callback handler class must implement the javax.security.auth.callback.CallbackHandler class. The implementation of the JAAS javax.security.auth.callback.CallbackHandler interface must provide a constructor using the following syntax:

MyCallbackHandler(String username, char[] password, java.util.Map properties)

Where:

username

User name that is passed into the configuration.

password

Password that is passed into the configuration.

properties

Specifies the other configuration properties that are passed into the configuration.

The appserver provides the following default callback handler implementations:

com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler

This callback handler uses a login prompt to gather user name and password information. However, if you specify the user name and password on this panel, a prompt is not displayed and the appserver returns the user name and password to the token generator if it is specified on this panel. Use this implementation for a J2EE application client only.

This callback handler uses a login prompt to gather user name and password information. However, if you specify the user name and password on this panel, a prompt is not displayed and the appserver returns the user name and password to the token generator if it is specified on this panel. Use this implementation for a J2EE application client only.

com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler

This callback handler does not issue a prompt and returns the user name and password if it is specified on this panel. You can use this callback handler when the Web service is acting as a client.

This callback handler does not issue a prompt and returns the user name and password if it is specified on this panel. You can use this callback handler when the Web service is acting as a client.

com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler

This callback handler uses a standard-in prompt to gather the user name and password. However, if the user name and password is specified on this panel, the appserver does not issue a prompt, but returns the user name and password to the token generator. Use this implementation for a Java 2 Platform, Enterprise Edition (J2EE) application client only.

This callback handler uses a standard-in prompt to gather the user name and password. However, if the user name and password is specified on this panel, the appserver does not issue a prompt, but returns the user name and password to the token generator. Use this implementation for a Java 2 Platform, Enterprise Edition (J2EE) application client only.

com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler

This callback handler uses a standard-in prompt to gather the user name and password. However, if the user name and password is specified on this panel, the appserver does not issue a prompt, but returns the user name and password to the token generator. Use this implementation for a Java 2 Platform, Enterprise Edition (J2EE) application client only.

This callback handler uses a standard-in prompt to gather the user name and password. However, if the user name and password is specified on this panel, the appserver does not issue a prompt, but returns the user name and password to the token generator. Use this implementation for a Java 2 Platform, Enterprise Edition (J2EE) application client only.

com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler

This callback handler is used to obtain the LTPA security token from the Run As invocation Subject. This token is inserted in the Web services security header within the SOAP message as a binary security token. However, if the user name and password are specified on this panel, the appserver authenticates the user name and password to obtain the LTPA security token rather than obtaining it from the Run As Subject. Use this callback handler only when the Web service is acting as a client on the appserver. IBM recommends that you do not use this callback handler on a J2EE application client.

This callback handler is used to obtain the LTPA security token from the Run As invocation Subject. This token is inserted in the Web services security header within the SOAP message as a binary security token. However, if the user name and password are specified on this panel, the appserver authenticates the user name and password to obtain the LTPA security token rather than obtaining it from the Run As Subject. Use this callback handler only when the Web service is acting as a client on the appserver. IBM recommends that you do not use this callback handler on a J2EE application client.

com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler

This callback handler is used to create the X.509 certificate that is inserted in the Web services security header within the SOAP message as a binary security token. A keystore and a key definition is required for this callback handler.

com.ibm.wsspi.wssecurity.auth.callback.PKCS7CallbackHandler

This callback handler is used to create X.509 certificates encoded with the PKCS#7 format. The certificate is inserted in the Web services security header in the SOAP message as a binary security token. A keystore is required for this callback handler. You must specify a certificate revocation list (CRL) in the collection certificate store. The CRL is encoded with the X.509 certificate in the PKCS#7 format.

com.ibm.wsspi.wssecurity.auth.callback.PkiPathCallbackHandler

This callback handler is used to create X.509 certificates encoded with the PkiPath format. The certificate is inserted in the Web services security header within the SOAP message as a binary security token. A keystore is required for this callback handler. A CRL is not supported by the callback handler; therefore, the collection certificate store is not required or used.

The callback handler implementation obtains the required security token and passes it to the token generator. The token generator inserts the security token in the Web services security header within the SOAP message. Also, the token generator is the plug-in point for the pluggable security token framework. Service providers can provide their own implementation, but the implementation must use the com.ibm.wsspi.wssecurity.token.TokenGeneratorComponent interface.

Use identity assertion

Select this option if you have identity assertion defined in the IBM extended deployment descriptor.

This option indicates that only the identity of the initial sender is required and inserted into the Web services security header within the SOAP message. For example, the appserver sends only the user name of the original caller for a Username TokenGenerator. For an X.509 token generator, the appserver sends the original signer certification only.

Use RunAs identity

Select this option if you have identity assertion defined in the IBM extended deployment descriptor and you want to use the Run As identity instead of the initial caller identity for identity assertion for a downstream call.

This option is valid only if you have Username TokenGenerator configured as a token generator.

Basic authentication user ID

User name that is passed to the constructors of the callback handler implementation. The basic authentication user name and password are used if you select one of the following default callback handler implementations provided by WAS:

• com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler

• com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler

• com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler

• com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler

These implementations are described in detail under the Callback handler class name field description in this article.

Basic authentication password

Password that is passed to the constructor of the callback handler. The keystore and its related configuration are used if you select one of the following default callback handler implementations provided by WAS:

com.ibm.wsspi.wssecurity.auth.callback.PKCS7CallbackHandler

The keystore is used to build the X.509 certificate with the certificate path.

com.ibm.wsspi.wssecurity.auth.callback.PkiPathCallbackHandler

The keystore is used to build the X.509 certificate with the certificate path.

com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler

The keystore is used to retrieve the X.509 certificate.

Key store configuration name

Name of the key store configuration defined in the keystore settings in secure communications.

Key store password

Password that is used to access the keystore file.

Key store path

Location of the keystore file.

Use ${USER_INSTALL_ROOT} in the path name because this variable expands to the product path on your machine. To change the path used by this variable, click Environment > WebSphere variables and click USER_INSTALL_ROOT.

Key store type

Timeype of keystore file format Choose one of the following values for this field:

JKS

Use this option if the keystore uses the Java Keystore (JKS) format.

JCEKS

Use this option if the Java Cryptography Extension is configured in the software development kit (SDK). The default IBM JCE is configured in the appserver. This option provides stronger protection for stored private keys by using Triple DES encryption.

JCERACFKS

Use JCERACFKS if the certificates are stored in a SAF key ring (z/OS only).

PKCS11KS (PKCS11)

Use this option if your keystore file uses the PKCS#11 file format. Keystore files that use this format might contain Rivest Shamir Adleman (RSA) keys on cryptographic hardware or might encrypt keys that use cryptographic hardware to ensure protection.

PKCS12KS (PKCS12)

Use this option if your keystore file uses the PKCS#12 file format.

---

 

Related tasks

Configure token generators using JAX-RPC to protect message authenticity at the application level

 

Related Reference

Token generator collection
Token generator configuration settings

 

Reference topic