
Overview of platform configuration and bindings


The WS-Security policy is specified...

Binding information to support the Web Services security policy is stored in the IBM extension of the Web services deployment descriptors for both the JAX-RPC and JAX-WS models.

IBM WAS supports JAX-WS and JAX-RPC. JAX-WS supports annotations.

Because these files are complex, IBM recommends that you do not edit deployment descriptor and binding files manually with a text editor; use the WAS admin console or an assembly tool instead.

WAS V6 and later have a cell-level and a server-level configuration that is global for all applications. Because WAS V6 and later also support V5.x applications, some of the configurations are valid for V5.x applications only and some are valid for V6 and later applications only.

The following figure represents the relationship of the application deployment descriptor and binding files to the cell (ND only) or server level configuration.

 

Platform configuration

The following options are available in the admin console:

Nonce cache timeout: Cache timeout value for a nonce, in seconds.

Found on the cell level (ND only) and server level.

Nonce maximum age: Default life span for the nonce, in seconds.

Found on the cell level (ND only) and server level.

Nonce clock skew: Default clock skew to account for network delay, processing delay, and so on. Used to calculate when the nonce expires. Its unit of measurement is seconds.

Found on the cell level (ND only) and server level.

Distribute nonce caching: Distribute the cache for the nonce to different servers in a cluster. Available for WAS V6.0.x and later.
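To show how the nonce maximum age, clock skew, and cache timeout interact on the receiving side, here is an added Python model of a replay check; it is not IBM code or the WAS implementation, the class and method names are assumptions, and it takes the nonce and the wsu:Created value already parsed out of the UsernameToken (as seconds since the epoch).

```python
import time


class NonceCache:
    """Replay-protection cache modelled on the three nonce settings above.

    max_age       - nonce lifetime in seconds (Nonce maximum age)
    clock_skew    - tolerance for client/server clock drift (Nonce clock skew)
    cache_timeout - how long an accepted nonce is remembered (Nonce cache timeout)
    Names are assumptions for this example, not a WAS API.
    """

    def __init__(self, max_age=300, clock_skew=60, cache_timeout=600):
        # A nonce must be remembered at least as long as it can still be
        # presented, or a replay could slip in after eviction but before expiry.
        if cache_timeout < max_age + clock_skew:
            raise ValueError("cache_timeout must be >= max_age + clock_skew")
        self.max_age = max_age
        self.clock_skew = clock_skew
        self.cache_timeout = cache_timeout
        self._seen = {}  # nonce -> server time at which it was first accepted

    def _evict(self, now):
        expired = [n for n, t in self._seen.items() if now - t > self.cache_timeout]
        for n in expired:
            del self._seen[n]

    def check(self, nonce, created, now=None):
        """Return (accepted, reason) for one UsernameToken nonce/Created pair."""
        now = time.time() if now is None else now
        self._evict(now)
        # Created further ahead of the server clock than the allowed skew.
        if created - now > self.clock_skew:
            return False, "created timestamp is in the future"
        # Older than the nonce lifetime; skew is added so a slow client clock
        # does not cause spurious rejections.
        if now - created > self.max_age + self.clock_skew:
            return False, "nonce has expired"
        # Still within its lifetime and already seen: a replayed message.
        if nonce in self._seen:
            return False, "replayed nonce"
        self._seen[nonce] = now
        return True, "accepted"
```

A nonce that is no longer in the cache but whose Created time is past the maximum age plus skew is still rejected, which is why the cache timeout is bounded below by those two settings.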


Application binding

Key locator: Specifies how keys are retrieved for signing, encryption, and decryption. The key locator implementation classes differ between WAS V6 and later and V5.x.
Collection certificate store: Certificate store used for certificate path validation. Typically used to validate X.509 tokens during signature verification, or to construct an X.509 token together with a certificate revocation list encoded in PKCS#7 format. The certificate revocation list is supported for WAS V6.x and later applications only.
Trust anchors: Specify the trust level for the signer certificate; typically used in X.509 token validation during signature verification.
Trusted ID evaluators: Specify how to verify the trust level for the identity. Used with identity assertion.
Login mappings: Login configuration bindings to the authentication methods. Used by WAS V5.x applications only. Deprecated.

 

Default bindings

In WAS v7.0, we can configure...

One general provider binding and one general client binding can be designated as the default.


Relationship between the *.ear and ws-security.xml

Applications EAR1 and EAR2 have bindings in the application binding file.

Applications EAR3 and EAR4 do not have a binding in the application binding file; they must reference the default bindings defined in the ws-security.xml file.

The configuration is resolved to the nearest configuration in the hierarchy. For example, there might be three key locators named mykeylocator that are defined in...

If mykeylocator is defined in the application binding, then its visibility is scoped to that particular application. If mykeylocator is defined on the server level, its visibility scope is all of the applications deployed on that server. If mykeylocator is defined on the cell level, then its visibility scope is all of the applications deployed on servers in the cell.

In general, if data is not meant to be shared by other applications, define the configuration in the application binding level.

The following figure shows the relationship of the bindings on the application, server, and cell (ND only) levels.

 

General bindings

General bindings are used as the default bindings at the cell level or server level. The general bindings that are shipped with WAS are initially set as the default bindings, but we can choose a different binding as the default, or change the level of binding that should be used as the default, for example, from cell level binding to server level binding.

In version 7.0, there are two types of bindings: application-specific bindings and general bindings. Both types of bindings are supported for WS-Security policy sets. General bindings can be shared across multiple applications and for trust service attachments. There are two types of general bindings: provider bindings and client bindings.

Multiple general bindings can be defined for the provider and also for the client.



Subtopics

Keys
Key locator
Trust anchor
Trusted ID evaluator
Hardware cryptographic device support for WS-Security
Web services policy sets
Nonce, a randomly generated token
Basic Security Profile compliance tips
Collection certificate store
Assembly tools
High-level architecture for WS-Security
Manage policy sets
Distributing nonce caching to servers in a cluster
Application policy sets collection