Set application and system policy sets for Web services using scripting
Use the wsadmin tool, which supports the Jython and Jacl scripting languages, to configure application or system policy sets for Web services. We can manage the policies for the Quality of Service (QoS) by creating policy sets and managing associated policies.
Develop a Web services application. For additional information, see the Web services applications topics in the information center.
If we develop an application that uses a custom policy set, the custom policy set configuration is not included in the application EAR file. Install the application and import the custom policy set separately.
The commands in the PolicySetManagement group for AdminTask configure both application and system policy sets. Use the following tasks to configure and manage policy sets for the Web services.
For transitioning users: In WAS Version 7.0, the security model is enhanced to a domain-centric security model instead of a server-based security model. The configuration of the default global security (cell) level and default server level bindings has also changed in this version of WAS ND. In the WAS V6.1 Feature Pack for Web Services, we can configure one set of default bindings for the cell and optionally configure one set of default bindings for each server. In V7.0, we can configure one or more general service provider bindings and one or more general service client bindings. After we have configured general bindings, we can specify which of these bindings is the global default binding. We can also optionally specify general bindings that are used as the default for an appserver or a security domain.
To support a mixed-cell environment, WAS supports V7.0 and V6.1 bindings. General cell-level bindings are specific to V7.0. Application-specific bindings remain at the version that the application requires. When the user creates an application-specific binding, the appserver determines the required binding version to use for the application. Use the following guidelines to manage bindings in the environment:
- To display or modify default V6.1 bindings, V7.0 trust service bindings, or to reference bindings by attachment for an application, specify the attachmentId and bindingLocation parameters with the getBinding or setBinding commands.
- To use or modify general V7.0 bindings, specify the bindingName parameter with the getBinding or setBinding commands.
- To display the version of a specific binding, specify the version attribute for the getBinding command.
Use a V6.1 binding for an application in a V7.0 environment if:
- The module in the application is installed on at least one Web Services Feature Pack server.
- The application contains at least one V6.1 application-specific binding. The appserver does not assign general bindings to resource attachments for applications that are installed on a Web Services Feature Pack server. All application-specific bindings for an application must be at the same level.
General service provider and client bindings are not linked to a particular policy set and they provide configuration information that we can reuse across multiple applications. We can create and manage general provider and client policy set bindings and then select one of each binding type to use as the default for an appserver. Setting the server default bindings is useful if we want the services that are deployed to a server to share binding configuration. We can also accomplish this sharing of binding configuration by assigning the binding to each application deployed to the server or by setting default bindings for a security domain and assigning the security domain to one or more servers. We can specify default bindings for the service provider or client that are used at the global security (cell) level, for a security domain, or for a particular server. The default bindings are used in the absence of an overriding binding specified at a lower scope. The order of precedence from lowest to highest that the appserver uses to determine which default bindings to use is as follows:
- Server level default
- Security domain level default
- Global security (cell) default
The sample general bindings that are provided with the product are initially set as the global security (cell) default bindings. The default service provider binding and the default service client bindings are used when no application specific bindings or trust service bindings are assigned to a policy set attachment. For trust service attachments, the default bindings are used when no trust specific bindings are assigned. If we do not want to use the provided Provider sample as the default service provider binding, we can select an existing general provider binding or create a new general provider binding to meet the business needs. Likewise, if we do not want to use the provided Client sample as the default service client binding, we can select an existing general client binding or create a new general client binding.
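The lookup described above, sketched as an added Python model (not IBM code and not part of wsadmin): it resolves the effective binding for an attachment and lists the attachments that still fall through to the product-supplied samples. The server, domain, resource and binding names other than "Provider sample" and "Client sample" are constructed for illustration.

```python
# Added illustration: models the default-binding lookup described in the text.
SAMPLES = {"provider": "Provider sample", "client": "Client sample"}

# Constructed sample configuration; a scope may set provider, client, both or neither.
GLOBAL_DEFAULTS = dict(SAMPLES)  # the product samples start as the cell default
DOMAIN_DEFAULTS = {"PaymentsDomain": {"provider": "PaymentsProviderBinding"}}
SERVER_DEFAULTS = {"server1": {"client": "Server1ClientBinding"}}
SERVER_DOMAIN = {"server1": "PaymentsDomain", "server2": "PaymentsDomain", "server3": None}


def resolve_binding(kind, server, attachment_binding=None):
    """Return (binding name, scope that supplied it) for one attachment.

    A binding assigned to the attachment wins; otherwise the narrowest scope
    with a default for this kind is used: server, security domain, then cell.
    """
    if kind not in SAMPLES:
        raise ValueError("kind must be 'provider' or 'client'")
    if attachment_binding:
        return attachment_binding, "attachment"
    name = SERVER_DEFAULTS.get(server, {}).get(kind)
    if name:
        return name, "server"
    domain = SERVER_DOMAIN.get(server)
    name = DOMAIN_DEFAULTS.get(domain, {}).get(kind)
    if name:
        return name, "security domain"
    return GLOBAL_DEFAULTS[kind], "global"


def attachments_on_samples(attachments):
    """List attachments whose effective binding is still a product sample."""
    flagged = []
    for att in attachments:
        name, scope = resolve_binding(att["kind"], att["server"], att.get("binding"))
        if name == SAMPLES[att["kind"]]:
            flagged.append((att["resource"], name, scope))
    return flagged


# Constructed attachments, not taken from a real cell.
ATTACHMENTS = [
    {"resource": "WebService:/OrderService", "kind": "provider", "server": "server1"},
    {"resource": "WebService:/OrderClient", "kind": "client", "server": "server1"},
    {"resource": "WebService:/AuditClient", "kind": "client", "server": "server2"},
    {"resource": "WebService:/ReportService", "kind": "provider", "server": "server3",
     "binding": "ReportAppBinding"},
    {"resource": "WebService:/LegacyService", "kind": "provider", "server": "server3"},
]
```

Calling `attachments_on_samples(ATTACHMENTS)` returns the two attachments that no server, security domain or attachment-level binding covers.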
- Use the PolicySetManagement group of commands to configure application and client policy sets:
  - Create a new policy set or copy an existing policy set.
  - Add policies to the policy set.
  - Attach the policy set to an application, Web service, endpoint, or operation.
  - Customize cell-wide, server-specific, or application binding configurations.
  - Manage and edit the policy set configurations.
  - Edit, enable, disable, or remove policies.
  - Add, edit, or remove policy set attachments.
  - Export and import policy sets.
  - Delete policy sets.
- Use the PolicySetManagement group of commands to configure system policy sets.
  - Create a new system policy set or copy an existing system policy set.
  - Add policy types for the policy set.
  - Add trust service attachments.
  - Customize binding configurations.
  - Manage and edit the policy set configurations.
  - Edit, enable, disable or remove policies.
  - Add, edit, or remove policy set attachments.
  - Export and import policy sets.
  - Delete policy sets.
Create policy sets using the wsadmin tool
Updating policy set attributes using the wsadmin tool
Add and remove policies using the wsadmin tool
Edit policy configurations using the wsadmin tool
Enable secure conversation using the wsadmin tool
Manage WS-Security distributed cache configurations using the wsadmin tool
Set custom policies and bindings for security tokens using the wsadmin tool
Create policy set attachments using the wsadmin tool
Manage policy set attachments using the wsadmin tool
Set general, cell-wide bindings for policies using the wsadmin tool
Set V6.1 server-specific default bindings for policies using the wsadmin tool
Set application-specific and system bindings using the wsadmin tool
Create application-specific and trust service-specific bindings using the wsadmin tool
Delete application-specific bindings from the configuration using the wsadmin tool
Importing and exporting policy sets to client or server environments using scripting
Remove policy set bindings using the wsadmin tool
Remove policy set attachments using the wsadmin tool
Delete policy sets using the wsadmin tool
Refreshing policy set configurations using scripting
Policy configuration properties for all policies
WSSecurity policy and binding properties
WSReliableMessaging policy and binding properties
WSAddressing policy and binding properties
SSLTransport policy and binding properties
HTTPTransport policy and binding properties
JMSTransport policy and binding properties
SecureConversation (Deprecated)
WSSCacheManagement
PolicySetManagement
WS-Policy commands for AdminTask
Related tasks
Manage policy sets
Related
Set secure sessions between clients and services using the wsadmin tool
Set a service provider to share its policy configuration using the wsadmin tool
Set the client policy based on a service provider policy using the wsadmin tool