
Set the client security bindings using an assembly tool


Use the Web services client editor within an assembly tool to include the binding information in the client EAR file. The bindings describe how to run the security specifications found in the extensions.

There is an important distinction between Version 5.x applications and V6 and later applications. The information in this article supports only V5.x applications that are used with WAS V6.0.x and later. The information does not apply to V6.0.x and later applications.

When configuring a client for WS-Security, the bindings describe how to run the security specifications found in the extensions. Use the Web services client editor within an assembly tool to include the binding information in the client EAR file.

Configure the client-side bindings from a pure client accessing a Web service or from a Web service accessing a downstream Web service. This document focuses on the pure client situation. However, the concepts, and in most cases the steps, also apply when a Web service is configured to communicate downstream to another Web service that has client bindings. Complete the following steps to edit the security bindings on a pure client (or server acting as a client) using an assembly tool:

 

  1. Import the Web services client EAR file into an assembly tool.

    When you edit the client bindings on a server acting as a client, the same basic steps apply.

    See the related information on Assembly Tools.

  2. Switch to the Java EE perspective. Click Window > Open Perspective > J2EE.

  3. Click Application Client Projects > application_name > appClientModule > META-INF.

  4. Right-click the application-client.xml file, select Open with > Deployment descriptor editor. The Client Deployment Descriptor is displayed.

  5. Click the WS Extension tab and select the port QName bindings to configure. The WS-Security extensions are configured for outbound requests and inbound responses. You need to configure the following information for WS-Security extensions. These topics are discussed in more detail in other sections of the documentation.

    | Request sender configuration details | Related topic |
    | --- | --- |
    | Details | Set the client for request signing: digitally signing message parts |
    | Integrity | Set the client for request signing: digitally signing message parts |
    | Confidentiality | Set the client for request encryption: Encrypting the message parts |
    | Login Config: BasicAuth | Set the client for basic authentication: specifying the method |
    | Login Config: IDAssertion | Set the client for identity assertion: specifying the method |
    | Login Config: Signature | Set the client for signature authentication: specifying the method |
    | Login Config: LTPA | Set the client for LTPA token authentication: specifying LTPA token authentication |
    | ID assertion | Set the client for identity assertion: specifying the method |
    | Add created time stamp | Set the client for request signing: digitally signing message parts |

    | Response receiver configuration details | Related topic |
    | --- | --- |
    | Required integrity | Set the client for response digital signature verification: verifying the message parts |
    | Required confidentiality | Set the client for response decryption: decrypting the message parts |
    | Add received time stamp | Set the client for response digital signature verification: verifying the message parts |

  6. Click the WS binding tab and select the port qualified name binding to configure. The WS-Security bindings are configured for outbound requests and inbound responses. You need to configure the following information for WS-Security bindings. These topics are discussed in more detail in other sections of the documentation.

    | Security request sender binding configuration | Related topic |
    | --- | --- |
    | Signing information | Set the client for request signing: choosing the digital signature method |
    | Encryption information | Set the client for request encryption: choosing the encryption method |
    | Key locators | Set key locators using an assembly tool |
    | Login binding: BasicAuth | Set the client for basic authentication: collecting the authentication information |
    | Login binding: ID assertion | Set the client for identity assertion: collecting the authentication method |
    | Login binding: Signature | Set the client for signature authentication: collecting the authentication information |
    | Login binding: LTPA | Set the client for LTPA token authentication: collecting the authentication method information |

    | Security response receiver binding configuration | Related topic |
    | --- | --- |
    | Signing information | Set the client for response digital signature verification: choosing the verification method |
    | Encryption information | Set the client for response decryption: choosing a decryption method |
    | Trust anchor | Set trust anchors using an assembly tool |
    | Certificate store list | Set the client-side collection certificate store using an assembly tool |
    | Key locators | Set key locators using an assembly tool |

 

Next steps

When configuring the security request sender binding configuration, synchronize the information used to perform the specified security with the security request receiver binding configuration, which is configured in the server EAR file. These two configurations must be synchronized in all respects because there is no negotiation during run time to determine the requirements of the server.

For example, when configuring the encryption information in the security request sender binding configuration, use the public key from the server for encryption. Therefore, the key locator that you choose must contain the public key from the server configuration. The server must contain the private key to decrypt the message. This example illustrates the important relationship between the client and server configuration. Additionally, when configuring the security response receiver binding configuration, the server must send the response using security information known by this client security response receiver binding configuration.

The following table shows the related configurations between the client and the server. The client request sender and the server request receiver are related configurations that must be synchronized with each other. The server response sender and the client response receiver are related configurations that must be synchronized with each other. Note that the related configurations are end points for any request or response. One end point must communicate its actions with the other end point because run time requirements are not negotiated.


Table 1. Related configurations

| Client configuration | Server configuration |
| --- | --- |
| Request sender | Request receiver |
| Response receiver | Response sender |
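
Because nothing is negotiated at run time, a mismatch between paired end points only surfaces as a failed request. The following pre-deployment check is an added example, not part of the original documentation; it pairs the configurations as in Table 1 and reports what is out of sync. The dictionary layout, field names and sample values are assumptions made for illustration and are not the format of the WebSphere binding files.

```python
# Constructed, simplified model of the bindings. Field names are hypothetical
# and are not the schema of the WebSphere binding files.
def check_pair(label, sender, receiver):
    """Return mismatches between a sender binding and the receiver paired with it."""
    problems = []
    for part in ("signing", "encryption"):
        s, r = sender.get(part), receiver.get(part)
        if (s is None) != (r is None):
            side = "sender" if r is None else "receiver"
            problems.append(f"{label}: {part} configured on {side} only")
        elif s and s["method"] != r["method"]:
            problems.append(f"{label}: {part} method {s['method']} != {r['method']}")
    s, r = sender.get("encryption"), receiver.get("encryption")
    # The sender encrypts with a public key; the receiver must hold the private key.
    if s and r and s["public_key_id"] not in r["private_key_ids"]:
        problems.append(f"{label}: receiver holds no private key for {s['public_key_id']}")
    s, r = sender.get("signing"), receiver.get("signing")
    # The receiver can only verify a signer whose issuer is among its trust anchors.
    if s and r and s["cert_issuer"] not in r["trust_anchors"]:
        problems.append(f"{label}: signer issuer {s['cert_issuer']} not in trust anchors")
    if sender.get("login") and sender["login"] not in receiver.get("login", []):
        problems.append(f"{label}: login {sender['login']} not accepted by receiver")
    return problems

def check_endpoints(client, server):
    """Table 1 pairing: client request sender with server request receiver,
    server response sender with client response receiver."""
    return (check_pair("request", client["request_sender"], server["request_receiver"])
            + check_pair("response", server["response_sender"], client["response_receiver"]))

# Constructed sample configurations (not taken from a real deployment).
CLIENT = {
    "request_sender": {
        "signing": {"method": "rsa-sha1", "cert_issuer": "CN=ExampleCA"},
        "encryption": {"method": "rsa-1_5", "public_key_id": "server-key-2"},
        "login": "BasicAuth",
    },
    "response_receiver": {
        "signing": {"method": "rsa-sha1", "trust_anchors": ["CN=ExampleCA"]},
    },
}
SERVER = {
    "request_receiver": {
        "signing": {"method": "rsa-sha1", "trust_anchors": ["CN=ExampleCA"]},
        "encryption": {"method": "rsa-1_5", "private_key_ids": ["server-key-1"]},
        "login": ["BasicAuth", "LTPA"],
    },
    "response_sender": {},  # server does not sign, although the client requires it
}

if __name__ == "__main__":
    for problem in check_endpoints(CLIENT, SERVER):
        print(problem)
```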

 

Related concepts


Request sender
Request receiver
Response sender
Response receiver
Assembly tools

 

Related tasks


Set the security bindings on a server acting as a client
Set the server security bindings using an assembly tool
Set the server security bindings
Secure Web services for V5.x applications using XML digital signature