Token consumer settings

To specify the information for the token consumer. The information is used at the consumer side only to process the security token.

To view this admin console page for the cell level...

1. Click Security > JAX-WS and JAX-RPC security runtime.

2. Under JAX-RPC Default Consumer Bindings, click Token consumers > token_consumer_name or click New to create a new token consumer.

To view this admin console page for the server level...

1. Click Servers > Server Types > WebSphere appservers > server_name .

2. Under Security, click JAX-WS and JAX-RPC security runtime.

   In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security

3. Under JAX-RPC Default Consumer Bindings, click Token consumers > token_consumer_name or click New to create a new token consumer.

To view this admin console page for V6 and later applications on the application level...

1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

2. Click Manage modules > URI_name.

3. Under WS-Security Properties, we can access the signing information for the following bindings:

   • For the Response generator (sender) binding, click Web services: WAS security bindings. Under Response generator (sender) binding, click Edit custom. Under Required properties, click Token consumers.

   • For the Response consumer (receiver) binding, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom. Under Required properties, click Token consumers.

4. Click New to specify a new configuration or click the name of an existing configuration to modify its settings.

Before specifying additional properties, specify a value in the Token consumer name, the Token consumer class name, and the Value type local name fields.

Token consumer name

Name of the token consumer configuration.

For example, the default X509 token consumer names are either con_enctcon for encrypting or con_signtcon for signing. Or a custom, the token consumer name might be sig_tcon for signing.

Token consumer class name

Name of the token consumer implementation class.

The Java™ Authentication and Authorization Service (JAAS) Login Module implementation is used to validate (authenticate) the security token on the consumer side.

Part reference

Specifies a reference to the name of the security token that is defined in the deployment descriptor.

On the application level, when the security token is not specified in the deployment descriptor, the Part reference field is not displayed.

Certificate path

Trust anchor and the certificate store.

We can select the following options:

None

If we select this option, the certificate path is not specified.

Trust any

If we select this option, any certificate is trusted. When the received token is incorporated, the certificate path validation is not processed.

Dedicated signing information

If we select this option, we can specify the trust anchor and the certificate store. When you select the trust anchor or the certificate store of a trusted certificate, configure the collection certificate store before setting the certificate path.

 

Trust anchor

We can specify a trust anchor for the following bindings on the following levels:

Table 1. Trust anchor binding settings

Binding name	Server level, cell level, or application level	Path
Default consumer binding	Cell level	Click Security > JAX-WS and JAX-RPC security runtime. Under Additional properties, click Trust anchors.
Default consumer binding	Server level	Click Servers > Server Types > WebSphere appservers > server_name. Under Security, click JAX-WS and JAX-RPC security runtime. In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security Under Additional properties, click Trust anchors.

 

Certificate store

We can specify a certificate path configuration for the following bindings on the following levels:

Table 2. Certificate store binding settings

Binding name	Server level, cell level, or application level	Path
Default consumer binding	Cell level	Click Security > JAX-WS and JAX-RPC security runtime. Under Additional properties, click Collection certificate store.
Default consumer binding	Server level	Click Servers > Server Types > WebSphere appservers > server_name. Under Security, click JAX-WS and JAX-RPC security runtime. In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security Under Additional properties, click Collection certificate store.

Trusted ID evaluator reference

Reference to the Trusted ID evaluator class name that is defined in the Trusted ID evaluators panel. The trusted ID evaluator is used for determining whether the received ID is trusted.

We can select the following options:

None

If we select this option, the trusted ID evaluator is not specified.

Existing evaluator definition

If we select this option, we can select one of the configured trusted ID evaluators. We can specify a certificate path configuration for the following bindings on the following levels:

Table 3. Trusted ID evaluator bindings settings

Binding name	Server level, cell level, or application level	Path
Default consumer binding	Cell level	Click Security > JAX-WS and JAX-RPC security runtime. Under Additional properties, click Trusted ID evaluators.
Default consumer binding	Server level	Click Servers > Server Types > WebSphere appservers > server_name. Under Security, click JAX-WS and JAX-RPC security runtime. In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security Under Additional properties, click Trusted ID evaluators.

Binding evaluator definition

If we select this option, we can specify a new trusted ID evaluator and its class name.

When you select a trusted ID evaluator reference, configure the trusted ID evaluators before setting the token consumer.

The Trusted ID evaluator field is displayed in the default binding configuration and the appserver binding configuration.

Verify nonce

Whether the nonce of the user name token is verified.

This option is displayed on the cell, server, and application levels. This option is valid only when the type of incorporated token is the user name token.

Verify timestamp

Whether the time stamp of user name token is verified.

This option is displayed on the cell, server, and application levels. This option is valid only when the type of incorporated token is the user name token.

Value type local name

Local name of value type for the consumed token.

This product has predefined value type local names for the user name token and the X.509 certificate security token. Use the following local names for the user name token and the X.509 certificate security token. When specify the following local names, you do not need to specify the URI of the value type:

Username token

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken

X509 certificate token

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509

# X509 certificates in a PKIPath

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1

A list of X509 certificates and CRLs in a PKCS#7

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7

Lightweight Third Party Authentication (LTPA)

LTPA_PROPAGATION

For LTPA, the value type local name is LTPA. If we enter LTPA for the local name, specify the http://www.ibm.com/websphere/appserver/tokentype/5.0.2 URI value in the Value type URI field as well. For LTPA token propagation, the value type local name is LTPA_PROPAGATION. If we enter LTPA_PROPAGATION for the local name, specify the http://www.ibm.com/websphere/appserver/tokentype URI value in the Value type URI field as well.For the other predefined value types (Username token, X509 certificate token, X509 certificates in a PKIPath, and a list of X509 certificates and CRLs in a PKCS#7), the value for the local name field begins with http://. For example, if we are specifying the username token for the value type, enter http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken in the value type local name field and then you do not need to enter a value in the value type URI field.

When you specify a custom value type for custom tokens, we can specify the local name and the URI of the Quality name (QName) of the value type. For example, we might specify Custom for the local name and http://www.ibm.com/custom for the URI.

Value type URI

Namespace URI of the value type for the integrated token.

When specify the token consumer for the user name token or the X.509 certificate security token, you do not need to specify this option. To specify another token, specify the URI of the QName for the value type.

The appserver provides the following predefined value type URIs:

• For the LTPA token: http://www.ibm.com/websphere/appserver/tokentype/5.0.2

• For the LTPA token propagation: http://www.ibm.com/websphere/appserver/tokentype

---

 

Related tasks

Set token consumers using JAX-RPC to protect message authenticity at the server or cell level
Set programmatic logins for Java Authentication and Authorization Service

 

Related

Token consumer collection
Token generator collection
Token generator settings
JAAS settings