
Set attachments for the trust service using the admin console


We can attach the trust service operations for a service endpoint to a system policy set and binding. Each new endpoint specified initially has the following four operations: issue, renew, cancel, and validate. By default, all endpoints inherit the policy set and binding that are attached to the respective trust service operation under Trust Service Defaults. However, we can explicitly attach a different policy set.

First define the policy sets and bindings. Policies describe the protection or quality of service that is provided (such as message security or transport security). Bindings specify the details of how to implement the policy, such as the path to the keystore file, the class name of the token generator, or the JAAS configuration name.

Use system policy sets with the trust service only. The requestor (client) must use JAX-WS. Requestors that use the Java API for XML-based remote procedure calls (JAX-RPC) are incompatible with policy set quality of service (QoS).

Depending on the assigned security role when security is enabled, we might not have access to the text entry fields or buttons needed to create or edit configuration data. Review the administrative roles documentation to learn more about the valid roles for the application server.

We can attach the trust service operations for a new endpoint to an existing policy set and binding. For each new service endpoint specified, four trust service operations (cancel, renew, validate and issue) change from having inherited attachments to being explicitly attached. The four operations are attached to the respective policy set and binding as specified in Trust Service Defaults. Then we can change the attachment to the desired existing policy set and binding.

An endpoint policy set consists of two sections: a bootstrap section and an application section. The system policy set attached to the issue and renew trust service operations for a specific endpoint must correspond to the bootstrap section of the policy set for that endpoint. The system policy set attached to the cancel and validate trust service operations for a specific endpoint must correspond to the application section of the policy set for that endpoint.

This task describes how to manage trust service operations for service endpoint URLs that you want to attach to a system policy set and binding. To complete the configuration of the WAS trust service, also complete the following task:

The sample general bindings that are provided with WAS are initially set as the global security (cell) default bindings. The default service provider binding and the default service client bindings are used when no application specific bindings or trust service bindings are assigned to a policy set attachment. For trust service attachments, the default bindings are used when no trust specific bindings are assigned. If we do not want to use the provided Provider sample as the default service provider binding, we can select an existing general provider binding or create a new general provider binding to meet the business needs. Likewise, if we do not want to use the provided Client sample as the default service client binding, we can select an existing general client binding or create a new general client binding. To specify the global security (cell) default bindings, use the admin console and click Services > Policy sets > Default policy set bindings. For environments with multiple security domains, optionally choose the general provider and general client bindings to use as the default bindings for a domain.

For more about default bindings, see the topic Setting default policy set bindings.

  1. To manage system policy set attachments for trust service operations, click Services > Trust service > Trust service attachments.

    The list displays all endpoints that have at least one operation with a policy set attached as well as Trust Service Defaults. The list also displays the system policy set and the binding for each operation.

  2. Select one or more of the following actions to configure the trust service attachments:

    New Attachment

    Opens a new panel where we can specify the service endpoint URL. For each new service endpoint specified, four trust service operations (cancel, renew, validate and issue) change from having inherited attachments to being explicitly attached. The four operations are attached to the respective policy set and binding as specified in Trust Service Defaults. These initial attachments can be changed.

    Attach

    Displays a list of existing system policy sets, including the default trust-related system policy sets, to which each of the four trust service operations for a service endpoint can be attached. First, select the operation (for example, Cancel token) and then click Attach to display the list of available system policy sets. Select a default or custom system policy set to attach. When you change the policy set attachment, the binding automatically changes to Default. To change the binding, select the operation and click Assign Binding. The pre-configured system policy sets that we can select include:

    • TrustServiceSecurityDefault

      This trust policy set specifies the asymmetric algorithm as well as the public and private keys to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using RSA. Message confidentiality is provided by encrypting the body and signature using RSA. This policy set follows the WS-Security specification for the issue and renew trust operation requests.

    • TrustServiceSymmetricDefault

      This trust policy set specifies the symmetric algorithm as well as the derived key algorithms to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using HMAC-SHA1. Message confidentiality is provided by encrypting the body and signature using AES. This policy set follows the WS-Security and WS-SecureConversation specifications for the validate and cancel trust operation requests.

    • SystemWSSecurityDefault

      This system policy set specifies the asymmetric algorithm and both the public and private keys to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using RSA encryption. Message confidentiality is provided by encrypting the body and signature using RSA encryption.

    Inherit Operation Defaults

    Sets the operation to inherit the respective policy set attachment and binding from Trust Service Defaults. If we select the attachments to modify and then click Inherit Operation Defaults, the explicit attachment for both the policy set and the binding is removed. Thereafter, the operation inherits any change to the default trust service policy set and binding.

    Assign Binding

    Changes the existing binding. We can create and assign a new binding, assign the Default binding, or assign an existing trust service specific binding to each of the selected trust service attachments.

    Update Runtime

    Updates the trust service runtime with any configuration changes that are made to the trust service attachments, token providers, and targets.

  3. Modify the custom policy set by clicking the name of a custom policy set from the list. Edit the settings for custom policy sets, as needed. Default trust service policy set information can only be viewed.

    We cannot edit the default policy sets: TrustServiceSecurityDefault, TrustServiceSymmetricDefault, and SystemWSSecurityDefault. TrustServiceSecurityDefault is the default for the issue and renew operations. TrustServiceSymmetricDefault is the default for the cancel and validate operations.

    At least one trust service operation for the endpoint service URL must be explicitly attached for the endpoint service URL to be displayed. If an operation is explicitly attached, the system policy set name appears. If no policy set is explicitly attached, the respective default trust service policy set appears, followed by the text (inherited).

  4. Modify a trust service specific binding, as needed, by clicking the name of the binding in the list and editing its settings. Any modification to a trust service binding affects all trust service attachments that reference that binding.

    If the resource has a policy set directly attached, either the binding name or Default appears.

  5. Save the changes before applying the changes to the trust service runtime configuration.

  6. Click Update Runtime to update the trust service runtime configuration with any data changes for token providers, trust service attachments, and targets. Whether the confirmation window appears depends on whether you select the Show confirmation for update runtime command check box. Expand Preferences to view the check box.

  7. Confirm or cancel if the confirmation window appears. If we deselected the Show confirmation for update runtime command check box, all changes are made immediately without displaying the confirmation window.

 

Results

We have provided the basic information to create or update a trust service attachment. We have configured trust service operation attachments to system policy sets and bindings.

 

Next steps

We can also create a new attachment for the WAS trust service using wsadmin. The wsadmin tool examples are written in Jython.


Create a service endpoint attachment
Trust service attachments collection
Trust service attachments settings
New general binding settings

 

Related tasks


Create policy set attachments using wsadmin
Set default policy set bindings
Secure requests to the trust service using system policy sets

 

Related


Administrative roles