Callback handler settings
Use this page to configure callback handler settings, which determine how security tokens are acquired from message headers.
Configure callback handler settings when we are editing a default cell or server binding. We can also configure application specific bindings for tokens and message parts that are required by the policy set.
To view this admin console page when we are editing a default cell binding...
- Click Services > Policy sets > Default policy set bindings.
- Click the WS-Security policy in the Policies table.
- Click the Authentication and protection link in the Main message security policy bindings section.
- Click the name_of_token link in the Protection tokens section or the Authentication tokens section.
- Click the Callback handler link.
To view this admin console page when we are configuring application specific bindings for tokens and message parts that are required by the policy set...
- Click Applications > Application Types > WebSphere enterprise apps.
- Select an application that contains Web services. The application must contain a service provider or a service client.
- Click the Service provider policy sets and bindings link or the Service client policy sets and bindings link in the Web Services Properties section.
- Select a binding. You must have previously attached a policy set and assigned an application specific binding.
- Click the WS-Security policy in the Policies table.
- Click the Authentication and protection link in the Main message security policy bindings section.
- Click the name_of_token link in the Protection tokens section or the Authentication tokens section.
- Click the Callback handler link.
This admin console panel applies only to JAX-WS applications.
The Callback handler panel displays different fields depending on the token being configured. Depending on whether we are configuring generator or consumer tokens for protection, or inbound or outbound tokens for authentication, the panel displays some or all of the sections and fields explained in this topic, as noted in the description of each field.
- Class name
The fields in the Class name section are available for all types of token configuration.
Select the class name to use for the callback handler. Select the Use built-in default option for normal operation. Use the Use custom option only if we are using a custom token type.
For the Kerberos custom token type, use the class name, com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler, for token generator configuration. Use com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler for token consumer configuration.
- Use built-in default
The default value (shown in the field) is used for the class name when you select this radio button. This name is based on the token type and on whether the callback handler is for a token generator or a token consumer. This option is mutually exclusive with the Use custom option.
- Use custom
A custom value is used for the class name. Select this radio button and enter the name in the field to use a custom class name.
No default value is available for this entry field. Use the information in the following table to determine this value:
| Token type | Consumer or generator | Callback handler class name |
| --- | --- | --- |
| UsernameToken | consumer | com.ibm.websphere.wssecurity.callbackhandler.UNTConsumeCallbackHandler |
| UsernameToken | generator | com.ibm.websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler |
| X509Token | consumer | com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler |
| X509Token | generator | com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler |
| LTPAToken/LTPAPropagationToken | consumer | com.ibm.websphere.wssecurity.callbackhandler.LTPAConsumeCallbackHandler |
| LTPAToken/LTPAPropagationToken | generator | com.ibm.websphere.wssecurity.callbackhandler.LTPAGenerateCallbackHandler |
| SecureConversationToken | consumer | com.ibm.ws.wssecurity.impl.auth.callback.SCTConsumeCallbackHandler |
| SecureConversationToken | generator | com.ibm.ws.wssecurity.impl.auth.callback.WSTrustCallbackHandler |
This option is mutually exclusive with the Use built-in default option.
- Certificates
The fields in the Certificates section are available if we are configuring a protection token. For a consumer token, we can use the Trust any certificate or the Certificate store options to configure the certificate. For a generator token, we can click a certificate from the listing or click the New button to add one.
- Certificates - Trust any certificate
If the protection token has a certificate configured, this option specifies that the system will trust any certificate, and not define the certificate store. Select this option to trust each certificate. This option is mutually exclusive to the Certificate store option and is only applicable to the token consumer.
- Certificates - Certificate store
Specifies, if the protection token has a certificate configured, the certificate store to be trusted. Select this option to trust each certificate store specified in the entry field. This option is mutually exclusive to the Trust any certificate option. When you select this option, the New button is enabled so that we can configure a new certificate store. We can also add a second certificate store to the Trusted anchor store entry field when you click Certificate store. The Trusted anchor store field is only applicable to the token consumer.
- Basic authentication
The fields in the Basic authentication section are available if we are configuring an authentication token that is not an LTPA propagation token.
For the Kerberos custom token type, complete the Basic Authentication section for the Kerberos login.
- User name
User name to authenticate. Enter the user name to be authenticated in this entry field.
- Password
Password to authenticate. Enter a password to authenticate in this entry field.
- Confirm password
Password to confirm. Enter the password again to confirm it.
- Keystore
The fields in the Keystore section are available if we are configuring a protection token.
In the Keystore name list, we can click Custom to define a custom keystore, click one of the externally defined keystore names, or click None if no keystore is required.
- Keystore - Name
Name of the centrally managed keystore file to use.
Click the name of a centrally managed keystore name from this menu or enter one of the following values:
- NodeDefaultKeyStore
- NodeDefaultTrustStore
- NodeLTPAKeys
- None: specifies that no centrally managed keystore file is used.
- Custom: specifies that a custom keystore file is used. Click the Custom keystore configuration link to configure custom keystore and key settings.
- Keystore - Custom keystore configuration
Link to create a custom keystore. Click this link to open a panel where we can configure a custom keystore.
- Key
The fields in the Key section are available if we are configuring a protection token.
- Name
Name of the key to use. Enter the name of the key to be used in this required field.
- Alias
Alias name of the key to use. Enter the alias of the key to use in this required field.
- Password
Password for the key to use. Enter the password for the key in this entry field.
We cannot set a password for public keys for asymmetric encryption generator or asymmetric signature consumer.
- Confirm password
Confirmation of the password for the key to use. Enter the password that you entered in the field to confirm.
Do not provide a key confirm password for public keys for asymmetric outbound encryption or inbound signature.
- Custom properties
The fields in the Custom properties section are available for all types of token configuration.
We can add custom properties needed by the callback handler here using name-value pairs.
To implement signer certificate encryption when using the JAX-WS model, add the custom property com.ibm.wsspi.wssecurity.token.cert.useRequestorCert with the value true on the callback handler of the encryption token generator. This implementation uses the certificate of the signer of the SOAP request to encrypt the SOAP response. This custom property is used by the response generator.
For a Kerberos custom token based on the OASIS WS-Security Specification for Kerberos Token Profile V1.1, specify the following property for token generation: com.ibm.wsspi.wssecurity.krbtoken.clientRealm. This property allows the Kerberos client realm to initiate the Kerberos login. If it is not specified, the default Kerberos realm name is used. The property is optional in a single Kerberos realm environment. When implementing WS-Security in a cross-realm or trusted Kerberos realm environment, provide a value for the clientRealm property.
- Name
Name of the custom property to use.
Custom properties are not initially displayed in this column. Click one of the following actions for custom properties:
Table 1. Actions for custom properties

| Button | Resulting action |
| --- | --- |
| New | Creates a new custom property entry. To add a custom property, enter the name and value. |
| Delete | Removes the selected custom property. |
- Value
Value of the custom property to use. With the Value entry field, we can enter or delete the value for a custom property.