Set custom policies and bindings for security tokens using wsadmin
Use the setPolicyType and setBinding commands of the AdminTask object to specify security tokens for custom policy and binding configurations.
Before you begin, create a new custom policy set.
The following scenarios configure the custom policy and bindings to use a Kerberos token based on the OASIS Kerberos Token Profile V1.1 specification. You can also use the setPolicyType and setBinding commands to configure other binary security tokens, such as username tokens, LTPA tokens and SecureConversation tokens.
- Set custom policies for security tokens.
- Launch wsadmin using Jython.
- Display the properties of the policy of interest.
Use the getPolicyType command to display detailed property information for the WS-Security policy type, as the following command demonstrates:
AdminTask.getPolicyType('-policySet AuthenticationTokenService -policyType WSSecurity')
The getPolicyType command returns a properties object that contains name and value pairs for each property, as the following sample output displays:
'[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] [enabled true] [type WSSecurity] [description [Policies for sending security tokens and providing message confidentiality and integrity, based on the OASIS WebService Security and Token Profiles specifications.]] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri ] [provides ] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]'
- Specify the authentication token for the policy type.
Use the setPolicyType command to specify the Uniform Resource Identifier (URI) of the authentication token for services as the value for the SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri property. Use the [ ] syntax (an empty pair of brackets) to specify an empty string.
The following example specifies an empty string as the value for the authentication token:
AdminTask.setPolicyType('-policySet AuthenticationTokenService -policyType WSSecurity -attributes "[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] [enabled true] [type WSSecurity] [description [Policies for sending security tokens and providing message confidentiality and integrity, based on the OASIS Web Service Security and Token Profiles specifications.]] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri []] [provides []] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]"')
- Set custom bindings for security tokens.
- Launch wsadmin using Jython.
- Display the properties of the bindings of interest.
Use the getBinding command to display detailed property information for the binding of interest, as the following command demonstrates:
AdminTask.getBinding('-policyType WSSecurity -bindingLocation "" -bindingName AuthenticationTokenService')
The getBinding command returns a properties object that contains name and value pairs for each property, as the following sample output displays:
'[ [application.securityinboundbindingconfig.tokenconsumer_0.properties_0.name com.ibm.wsspi.wssecurity.krbtoken.serviceSPN] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri ] [application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler] [application.name application] [application.securityinboundbindingconfig.tokenconsumer_0.properties_0.value HTTP/derekho1.firehorse.mpls.setgetweb.com] [application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname system.wss.consume.KRB5BST] [application.securityinboundbindingconfig.tokenconsumer_0.name con_krbtoken] [application.securityinboundbindingconfig.tokenconsumer_0.classname com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer] [application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference request:krb_token] ]'
- Specify the authentication token for the policy type.
Use the setBinding command to specify the Uniform Resource Identifier (URI) of the authentication token for services as the value for the application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri property. Use the [ ] syntax (an empty pair of brackets) to specify an empty string.
The following example specifies an empty string as the value for the authentication token:
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "" -bindingName AuthenticationTokenService -attributes "[ [application.securityinboundbindingconfig.tokenconsumer_0.properties_0.name com.ibm.wsspi.wssecurity.krbtoken.serviceSPN] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri []] [application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler] [application.name application][application.securityinboundbindingconfig.tokenconsumer_0.properties_0.value HTTP/derekho1.firehorse.mpls.setgetweb.com] [application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname system.wss.consume.KRB5BST][application.securityinboundbindingconfig.tokenconsumer_0.name con_krbtoken][application.securityinboundbindingconfig.tokenconsumer_0.classname com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer] [application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference request:krb_token] ]"')
Results
If the setPolicyType and setBinding commands return 'true', the policy and binding configurations were updated successfully.
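The attribute lists that getPolicyType and getBinding return, and that setPolicyType and setBinding accept, are long enough that editing them by hand is error-prone: a dropped bracket or a token URI that differs between the policy and its binding silently produces a configuration that does not consume the Kerberos token you intended. The following added example (it is not part of the IBM documentation and not WebSphere code) parses that bracketed format into a dictionary, rewrites one property, re-emits the -attributes string, and cross-checks the policy's custom token against the binding's token consumer. The two sample outputs are the ones shown above, embedded here as constructed constants so the script runs without a wsadmin session; passing the resulting string to AdminTask.setPolicyType or AdminTask.setBinding is left to the caller and is not exercised here.

```python
# Added example: helpers for the '[ [name value] ... ]' property lists used by
# AdminTask.getPolicyType/getBinding and setPolicyType/setBinding.
# Written in plain Python so it runs offline; the names below are chosen for
# this example and are not part of the wsadmin API.

POLICY_TOKEN = 'SupportingTokens.request:krb_token.CustomToken'
BINDING_CONSUMER = 'application.securityinboundbindingconfig.tokenconsumer_0'
KERBEROS_AP_REQ = ('http://docs.oasis-open.org/wss/'
                   'oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ')
KRB_CALLBACK_HANDLER = ('com.ibm.websphere.wssecurity.callbackhandler.'
                        'KRBTokenConsumeCallbackHandler')

# Constructed sample: the getPolicyType output shown on the page.
POLICY_OUTPUT = (
    "'[ [" + POLICY_TOKEN + ".IncludeToken http://docs.oasis-open.org/ws-sx/"
    "ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] [enabled true] "
    "[type WSSecurity] [description [Policies for sending security tokens and "
    "providing message confidentiality and integrity, based on the OASIS "
    "WebService Security and Token Profiles specifications.]] "
    "[" + POLICY_TOKEN + ".WssCustomToken.uri ] [provides ] "
    "[" + POLICY_TOKEN + ".WssCustomToken.localname " + KERBEROS_AP_REQ + "] ]'")

# Constructed sample: the getBinding output shown on the page.
BINDING_OUTPUT = (
    "'[ [" + BINDING_CONSUMER + ".properties_0.name "
    "com.ibm.wsspi.wssecurity.krbtoken.serviceSPN] "
    "[" + BINDING_CONSUMER + ".valuetype.localname " + KERBEROS_AP_REQ + "] "
    "[" + BINDING_CONSUMER + ".valuetype.uri ] "
    "[" + BINDING_CONSUMER + ".callbackhandler.classname " + KRB_CALLBACK_HANDLER + "] "
    "[application.name application]"
    "[" + BINDING_CONSUMER + ".properties_0.value HTTP/derekho1.firehorse.mpls.setgetweb.com] "
    "[" + BINDING_CONSUMER + ".jaasconfig.configname system.wss.consume.KRB5BST] "
    "[" + BINDING_CONSUMER + ".name con_krbtoken]"
    "[" + BINDING_CONSUMER + ".classname com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer] "
    "[" + BINDING_CONSUMER + ".securitytokenreference.reference request:krb_token] ]'")


def parse_props(text):
    """Turn '[ [name value] [name [value with spaces]] [name ] ]' into a dict.
    A value wrapped in its own [ ] (including the empty []) is unwrapped and a
    missing value becomes ''. Token URIs never contain brackets, so tracking
    nesting depth is enough to find item boundaries."""
    text = text.strip()
    if text[:1] in ("'", '"') and text[-1:] == text[:1]:
        text = text[1:-1]          # drop the quotes wsadmin prints around the list
    props = {}
    depth = 0
    item = []
    for ch in text:
        if ch == '[':
            depth = depth + 1
            if depth == 2:         # start of one [name value] item
                item = []
                continue
        elif ch == ']':
            depth = depth - 1
            if depth == 1:         # end of the item: split name from value
                parts = ''.join(item).strip().split(None, 1)
                if not parts:
                    continue
                value = ''
                if len(parts) > 1:
                    value = parts[1].strip()
                if value[:1] == '[' and value[-1:] == ']':
                    value = value[1:-1].strip()
                props[parts[0]] = value
                continue
        if depth >= 2:             # inside an item (nested brackets are kept)
            item.append(ch)
    return props


def format_props(props):
    """Inverse of parse_props: emit the -attributes form. An empty value is
    written as [] (the '[ ] syntax' for an empty string) and a value that
    contains spaces is wrapped in [ ] so it stays one value."""
    items = []
    for name in props:
        value = props[name]
        if value == '' or ' ' in value:
            value = '[' + value + ']'
        items.append('[' + name + ' ' + value + ']')
    return '[ ' + ' '.join(items) + ' ]'


def set_custom_token_uri(policy_output, uri):
    """-attributes value that sets the custom token URI in the WSSecurity policy."""
    props = parse_props(policy_output)
    props[POLICY_TOKEN + '.WssCustomToken.uri'] = uri
    return format_props(props)


def set_consumer_token_uri(binding_output, uri):
    """-attributes value that sets the token consumer's value type URI in the binding."""
    props = parse_props(binding_output)
    props[BINDING_CONSUMER + '.valuetype.uri'] = uri
    return format_props(props)


def check_token_consistency(policy_output, binding_output):
    """Cross-check the policy's custom token against the binding's token
    consumer. Returns a list of findings; an empty list means they agree."""
    policy = parse_props(policy_output)
    binding = parse_props(binding_output)
    findings = []
    pol_local = policy.get(POLICY_TOKEN + '.WssCustomToken.localname', '')
    bind_local = binding.get(BINDING_CONSUMER + '.valuetype.localname', '')
    if pol_local != bind_local:
        findings.append('token localname differs: policy=%r binding=%r' % (pol_local, bind_local))
    pol_uri = policy.get(POLICY_TOKEN + '.WssCustomToken.uri', '')
    bind_uri = binding.get(BINDING_CONSUMER + '.valuetype.uri', '')
    if pol_uri != bind_uri:
        findings.append('token uri differs: policy=%r binding=%r' % (pol_uri, bind_uri))
    token_id = POLICY_TOKEN.split('.')[1]          # 'request:krb_token'
    ref = binding.get(BINDING_CONSUMER + '.securitytokenreference.reference', '')
    if ref != token_id:
        findings.append('binding consumer references %r, policy token is %r' % (ref, token_id))
    handler = binding.get(BINDING_CONSUMER + '.callbackhandler.classname', '')
    if bind_local == KERBEROS_AP_REQ and handler != KRB_CALLBACK_HANDLER:
        findings.append('Kerberos AP_REQ token consumed by %r, expected %s' % (handler, KRB_CALLBACK_HANDLER))
    return findings


if __name__ == '__main__':
    print(set_custom_token_uri(POLICY_OUTPUT, ''))
    print(set_consumer_token_uri(BINDING_OUTPUT, ''))
    print(check_token_consistency(POLICY_OUTPUT, BINDING_OUTPUT))
```

In a live session you would feed the string that AdminTask.getPolicyType returns into set_custom_token_uri, pass its result as the -attributes argument of AdminTask.setPolicyType, and do the same for getBinding and setBinding; check_token_consistency is worth running afterwards, because a localname or token reference that disagrees between the policy and the binding means the inbound Kerberos token will not be matched to the consumer that validates it.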