Web services policy sets
Policy sets are assertions about how services are defined. They are used to simplify the quality of service configuration for Web services.
Policy sets apply only to JAX-WS applications. We cannot use policy sets with JAX-RPC applications.
Policy sets combine settings, including those for transport and message level configuration, such as...
There are two main types of policy sets:
Application policy sets are used for business-related assertions defined in the WSDL file.
System policy sets are used for non-business-related system messages. These messages are not related to the business operations defined in the WSDL, but instead refer to messages defined in other specifications that apply qualities of service (QoS), including:
- request security token messages defined in WS-Trust
- create sequence messages defined in WS-Reliable Messaging or WS-MetadataExchange
Policy definitions are typically expressed in the WS-Policy standard language.
An instance of a policy set consists of a collection of policies. For example, the WS-I RSP default policy set consists of instances of the policy types...
A policy set is identified by a name that is unique across the cell. An empty policy set is a policy set with no policies defined.
A default policy set can be used as-is after it is imported. Default policy sets are not editable; to change the properties of one, copy it and modify the editable copy.
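Because each policy in a policy set is ultimately a WS-Policy expression, it helps to see how such an expression is read. The following is an added example, not code from this page or from IBM: a small normalizer that reduces a wsp:Policy tree of wsp:All and wsp:ExactlyOne operators to the flat list of alternatives a requester may choose from, followed by a check for alternatives that carry no security binding at all. The sample policy is constructed for the example, and the assertion names (TransportBinding, SymmetricBinding, SignedParts, and so on) are WS-SecurityPolicy names used only as illustration.

```python
# Added example, not code from this page or from IBM: a WS-Policy normalizer.
# A policy is a tree of wsp:Policy / wsp:All / wsp:ExactlyOne operators over
# assertions; normalizing it yields the flat list of alternatives a requester
# may pick from. The sample policy and the "unprotected alternative" check
# are constructed for this example.
import xml.etree.ElementTree as ET

# WS-Policy 1.5 and the older 2004/09 namespace, both seen in WSDL policy
# attachments.
WSP_NS = ('http://www.w3.org/ns/ws-policy',
          'http://schemas.xmlsoap.org/ws/2004/09/policy')


def _split(tag):
    # '{uri}local' -> (uri, local); unqualified tags have no namespace.
    if tag.startswith('{'):
        uri, local = tag[1:].split('}', 1)
        return uri, local
    return '', tag


def _is_optional(elem):
    return any(elem.get('{%s}Optional' % ns) == 'true' for ns in WSP_NS)


def normalize(elem):
    """Return the alternatives of elem as a list of lists of assertion names.

    wsp:Policy and wsp:All take the cross product of their children's
    alternatives (every child must be satisfied); wsp:ExactlyOne takes the
    union (any one child suffices). An assertion marked wsp:Optional="true"
    contributes two alternatives: one with it and one without.
    """
    uri, local = _split(elem.tag)
    if uri in WSP_NS and local in ('Policy', 'All'):
        alts = [[]]      # wsp:All with no children is one empty alternative
        for child in elem:
            alts = [a + b for a in alts for b in normalize(child)]
        return alts
    if uri in WSP_NS and local == 'ExactlyOne':
        alts = []        # wsp:ExactlyOne with no children has no alternatives
        for child in elem:
            alts.extend(normalize(child))
        return alts
    # Any other element is an assertion. A nested policy inside it is left
    # opaque here, since the check below looks at top-level assertions only.
    alts = [[local]]
    if _is_optional(elem):
        alts.append([])
    return alts


def normalize_policy(xml_text):
    return normalize(ET.fromstring(xml_text))


# Security-binding assertions: an alternative with none of them leaves the
# message with neither transport-level nor message-level protection.
BINDING_ASSERTIONS = ('TransportBinding', 'SymmetricBinding', 'AsymmetricBinding')


def unprotected_alternatives(alternatives):
    """Alternatives a requester could legitimately choose that carry no security binding."""
    return [alt for alt in alternatives
            if not any(name in BINDING_ASSERTIONS for name in alt)]


# Constructed sample: two protected alternatives (one with an optional
# SignedParts) and a third that only asserts a WS-Security version.
SAMPLE_POLICY = """
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding/>
      <sp:SignedParts wsp:Optional="true"/>
    </wsp:All>
    <wsp:All>
      <sp:SymmetricBinding/>
      <sp:EncryptedParts/>
    </wsp:All>
    <wsp:All>
      <sp:Wss10/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
"""

if __name__ == '__main__':
    alts = normalize_policy(SAMPLE_POLICY)
    for alt in alts:
        print('alternative: %s' % (alt or '(empty)'))
    print('unprotected: %s' % unprotected_alternatives(alts))
```

The optional SignedParts doubles the first branch into two alternatives, which is why reviewing a policy in its normal form rather than as written matters: the third branch is a legal choice for the requester and offers no protection, and that is only obvious once the alternatives are enumerated.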
We can perform the following actions on policy sets:
- create
- copy
- edit
- delete
- attach to service resources like applications
- detach from service resources like applications
- export
- import
A set of default policy sets is included that we can import, then copy and rename for reuse. An imported default policy set can be used as-is, but to change any of its settings we must copy it to create an editable version; the copy can then be altered and customized.
Policy sets can be copied and customized only by using the admin console or admin commands. Policy sets do not function correctly if they are copied manually.
On the appserver, policy sets are stored at the cell level. Policy sets are centrally located so that they are available to all applications on the server.
The following application policy sets are installed on the base or network deployment (ND) profile by default:
- WS-I RSP
- WS-I RSP (ND)
- Username WSSecurity default
- WSHTTPS default
The WS-I RSP (ND) policy set is installed only in a network deployment environment.
The following policy sets are ready to use as-is:
- LTPA WSSecurity default
- Kerberos V5 HTTPS default
- SSL WSTransaction
- Username SecureConversation
- Username WSSecurity default
- WS-Addressing default
- WSHTTPS default
- WS-I RSP ND
- WS-ReliableMessaging persistent
The appserver also provides other default policy sets that we can use or customize. To use the additional policy sets, import them from the default repository.
The following default policy sets are provided:
- WS-I RSP default
  - This policy set provides:
    - Reliable message delivery to the intended receiver by enabling WS-ReliableMessaging
    - Message integrity through digital signature that includes signing the body, time stamp, WS-Addressing headers and WS-ReliableMessaging headers using the WS-SecureConversation and WS-Security specifications
    - Confidentiality through encryption that includes encrypting the body and signature elements using the WS-SecureConversation and WS-Security specifications
- LTPA WS-I RSP default
  - This policy set provides:
    - Reliable message delivery to the intended receiver by enabling WS-ReliableMessaging
    - Message integrity through digital signature that includes signing the body, time stamp, WS-Addressing headers and WS-ReliableMessaging headers using the WS-SecureConversation and WS-Security specifications
    - Confidentiality through encryption that includes encrypting the body and signature elements using the WS-SecureConversation and WS-Security specifications
    - An LTPA token included in the request message to authenticate the client to the service
- Username WS-I RSP default
  - This policy set provides:
    - Reliable message delivery to the intended receiver by enabling WS-ReliableMessaging
    - Message integrity through digital signature that includes signing the body, time stamp, WS-Addressing headers and WS-ReliableMessaging headers using the WS-SecureConversation and WS-Security specifications
    - Confidentiality through encryption that includes encrypting the body and signature elements using the WS-SecureConversation and WS-Security specifications
    - A username token included in the request message to authenticate the client to the service. The username token is encrypted in the request
- SecureConversation
  - This policy set provides:
    - Message integrity through digital signature that includes signing the body, time stamp, and WS-Addressing headers using the WS-SecureConversation and WS-Security specifications
    - Message confidentiality through encryption that includes encrypting the body, signature and signature confirmation elements using the WS-SecureConversation and WS-Security specifications
- LTPA SecureConversation
  - This policy set provides:
    - Message integrity through digital signature that includes signing the body, time stamp, and WS-Addressing headers using the WS-SecureConversation and WS-Security specifications
    - Message confidentiality through encryption that includes encrypting the body, signature and signature confirmation elements using the WS-SecureConversation and WS-Security specifications
    - An LTPA token included in the request message to authenticate the client to the service
- Username SecureConversation
  - This policy set provides:
    - Message integrity through digital signature that includes signing the body, time stamp, and WS-Addressing headers using the WS-SecureConversation and WS-Security specifications
    - Message confidentiality through encryption that includes encrypting the body, signature and signature confirmation elements using the WS-SecureConversation and WS-Security specifications
    - A username token included in the request message to authenticate the client to the service. The username token is encrypted in the request
- WSAddressing default
  - Enables WS-Addressing support, which uses endpoint references and message addressing properties to facilitate the addressing of Web services in a standard and interoperable way.
- WSHTTPS default
  - Provides SSL transport security for the HTTP protocol with Web services applications.
- Kerberos V5 HTTPS default
  - This policy set provides message authentication with a Kerberos Version 5 token. Message integrity and confidentiality are provided by SSL transport security. This policy set follows the OASIS Kerberos Token Profile V1.1 and WS-Security specifications.
  - When you use this policy set, configure the basic authentication data and custom properties, such as the following, in the client bindings:
    - com.ibm.wsspi.wssecurity.krbtoken.targetServiceName
    - com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost
  - See the Authentication generator or consumer token settings and Protection token settings (generator or consumer) topics.
- Kerberos V5 SecureConversation
  - This policy set provides message integrity by digitally signing the body, time stamp, and WS-Addressing headers. Message confidentiality is provided by encrypting the body and the signature. The bootstrap policy is configured with the Kerberos V5 token. This policy set follows the WS-SecureConversation specification and the OASIS Kerberos Token Profile, in addition to the WS-Security specification.
  - To use this policy set, also use the Client sample V2 and Provider sample V2 general sample bindings for the applications. For more information, refer to the topic General sample bindings for JAX-WS applications. To use this policy set, which is included with WAS V7.0.0.1, create a new profile after installing WAS ND.
  - To update existing profiles with this policy set and the Client sample V2 and Provider sample V2 general sample bindings, some manual steps are required. Only the deployment manager profile and stand-alone appserver profiles need to be updated. For the manual steps for an existing profile, refer to the topic Configuring Kerberos policy sets and V2 general sample bindings.
- Kerberos V5 WSSecurity default
  - This policy set provides message integrity by digitally signing the body, time stamp, and WS-Addressing headers. Message confidentiality is provided by encrypting the body and the signature using Advanced Encryption Standard (AES) encryption. The key derived from the Kerberos V5 token is used. This policy set follows the OASIS specification for the Kerberos Token Profile, in addition to the WS-Security specification.
  - To use this policy set, also use the Client sample V2 and Provider sample V2 general sample bindings for the applications. For more information, refer to the topic General sample bindings for JAX-WS applications. To use this policy set, which is included with WAS V7.0.0.1, create a new profile after installing WAS ND.
  - To update existing profiles with this policy set and the Client sample V2 and Provider sample V2 general sample bindings, some manual steps are required. Only the deployment manager profile and stand-alone appserver profiles need to be updated. For the manual steps for an existing profile, refer to the topic Configuring Kerberos policy sets and V2 general sample bindings.
- TrustServiceKerberosDefault
  - This policy set specifies the symmetric algorithm and the derived keys used to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using the HMAC-SHA1 algorithm. Message confidentiality is provided by encrypting the body and signature using the Advanced Encryption Standard (AES). This policy set follows the WS-Security and WS-SecureConversation specifications for issuing and renewing trust operation requests.
  - To use this policy set, also use the Client sample V2 and Provider sample V2 general sample bindings for the applications. For more information, refer to the topic General sample bindings for JAX-WS applications. To use this policy set, which is included with WAS V7.0.0.1, create a new profile after installing WAS ND.
  - To update existing profiles with this policy set and the Client sample V2 and Provider sample V2 general sample bindings, some manual steps are required. Only the deployment manager profile and stand-alone appserver profiles need to be updated. For the manual steps for an existing profile, refer to the topic Configuring Kerberos policy sets and V2 general sample bindings.
- WSReliableMessaging default
  - This policy set enables both WS-ReliableMessaging V1.1 and WS-Addressing and uses the minimum quality of service, unmanaged non-persistent. This quality of service requires minimal configuration. However, it is non-transactional and, although it allows for the resending of messages that are lost in the network, if a server becomes unavailable you will lose messages. This quality of service is for a single server only and does not work in a cluster. In-order delivery is set to "false", so messages are not necessarily delivered in the order in which they were sent.
- WSReliableMessaging persistent
  - This policy set enables both WS-ReliableMessaging and WS-Addressing and uses the maximum quality of service, managed persistent. This quality of service supports asynchronous Web service invocations and uses a service integration messaging engine and message store to manage the sequence state. Messages are processed within transactions, are persisted at the Web service requester server and at the Web service provider server, and are recoverable in the event of server failure. In-order delivery is set to "false", so messages are not necessarily delivered in the order in which they were sent.
  - Because this policy set specifies the managed persistent quality of service, we have to define bindings to the service integration bus and messaging engine that will manage the WS-ReliableMessaging state. We can attach and bind a WS-ReliableMessaging policy set to a Web service application using the admin console or using wsadmin.
- WSReliableMessaging 1_0
  - This policy set enables both WS-ReliableMessaging V1.0 and WS-Addressing and uses the minimum quality of service, unmanaged non-persistent. This quality of service requires minimal configuration. However, it is non-transactional and, although it allows for the resending of messages that are lost in the network, if a server becomes unavailable you will lose messages. This quality of service is for a single server only and does not work in a cluster. In-order delivery is set to "false", so messages are not necessarily delivered in the order in which they were sent.
  - Use this policy set with .NET-based Web services.
- WSSecurity default
  - This policy set provides:
    - Message integrity through digital signature (using RSA public-key cryptography) to sign the body, time stamp, and WS-Addressing headers using the WS-Security specifications.
    - Message confidentiality through encryption (using RSA public-key cryptography) to encrypt the body, signature and signature elements using the WS-Security specifications.
- LTPA WSSecurity default
  - This policy set provides:
    - Message integrity through digital signature (using RSA public-key cryptography) to sign the body, time stamp, and WS-Addressing headers using the WS-Security specifications.
    - Message confidentiality through encryption (using RSA public-key cryptography) to encrypt the body, signature and signature elements using the WS-Security specifications.
    - An LTPA token included in the request message to authenticate the client to the service.
- Username WSSecurity default
  - This policy set provides:
    - Message integrity through digital signature (using RSA public-key cryptography) to sign the body, time stamp, and WS-Addressing headers using the WS-Security specifications.
    - Message confidentiality through encryption (using RSA public-key cryptography) to encrypt the body, signature and signature elements using the WS-Security specifications.
    - A username token included in the request message to authenticate the client to the service. The username token is encrypted in the request.
- WSTransaction
  - This policy set enables WS-Transaction, which provides:
    - The ability to coordinate distributed transactional work atomically and interoperably using the WS-AtomicTransaction specification.
    - The ability to coordinate loosely coupled business processes that are distributed across a heterogeneous Web service environment, with the ability to compensate actions if a failure occurs in the business activity, using the WS-BusinessActivity specification.
- SSL WSTransaction
  - This policy set enables WS-Transaction, which provides:
    - The ability to coordinate distributed transactional work atomically, interoperably, and securely, using the WS-AtomicTransaction specification and SSL transport security.
    - The ability to coordinate loosely coupled business processes securely, with the ability to compensate actions if a failure occurs in the business activity, using the WS-BusinessActivity specification and SSL transport security.
Policy sets do not include environment or platform-specific information, such as keys for signing, keystore information, or persistent store information. This type of information is defined in the binding. A policy set attachment defines how a policy set is attached to service resources and bindings. The attachment definition is outside the policy set definition and is defined as meta-data associated with application data.
Bindings are made up of environment and platform-specific information. General bindings such as the service client or provider bindings for the global security domain can be shared across applications.
Bindings are required for a policy set to take effect on an application. Use the admin console to configure general bindings and application-specific bindings. Read about defining binding information for policy sets for more information about working with attachments and bindings.
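The management actions listed earlier (import, copy, edit, attach) and the attach-and-bind step that the WSReliableMessaging persistent entry describes can all be scripted. The following is an added example, not IBM's code, of that lifecycle as wsadmin AdminTask calls from the PolicySetManagement command group: import a default, copy it to an editable version, change one setting on the copy, attach it to an application, assign a binding, and save. It is written for wsadmin's Jython interpreter, where AdminTask and AdminConfig are predefined globals; under plain Python only the argument-building functions run. The application name, policy-set names and binding name are constructed placeholders, the WSReliableMessaging attribute name inOrderDelivery is taken from the command reference and is an assumption here, and the exact option names should be checked against the command reference for the WAS version in use.

```python
# Added example, not IBM's code: the policy-set lifecycle this page describes
# as wsadmin AdminTask calls from the PolicySetManagement command group.
# Written for wsadmin's Jython interpreter (AdminTask/AdminConfig are
# predefined there); under plain Python only the builder functions run.
# Names of the application, policy sets and binding are placeholders, and
# the WSReliableMessaging attribute name inOrderDelivery is an assumption.


def quote(value):
    # AdminTask reads its options from one '[-opt value ...]' string; values
    # containing spaces (most shipped policy-set names) must be double-quoted.
    if ' ' in value:
        return '"%s"' % value
    return value


def import_args(default_policy_set):
    # importPolicySet copies a read-only default from the default repository
    # into the cell, where it can be used as-is but not edited.
    return '[-defaultPolicySet %s]' % quote(default_policy_set)


def copy_args(source, new_name, description):
    # copyPolicySet is the supported way to get an editable version; the page
    # warns that manually copied policy sets do not work.
    return '[-sourcePolicySet %s -newPolicySet %s -newDescription %s]' % (
        quote(source), quote(new_name), quote(description))


def rm_in_order_args(policy_set, in_order):
    # setPolicyType edits one policy inside the copy: here the
    # WSReliableMessaging policy, whose shipped defaults leave
    # inOrderDelivery at false. The and/or idiom keeps this valid on the
    # Jython 2.1 that older wsadmin versions ship.
    flag = in_order and 'true' or 'false'
    return ('[-policySet %s -policyType WSReliableMessaging '
            '-attributes [[inOrderDelivery %s]]]') % (quote(policy_set), flag)


def attach_args(app_name, policy_set):
    # The attachment lives outside the policy set as application metadata;
    # the resource "WebService:/" means every service in the application.
    return ('[-applicationName %s -attachmentType application '
            '-policySet %s -resources "WebService:/"]') % (quote(app_name), quote(policy_set))


def bind_args(app_name, attachment_id, binding_name):
    # The binding supplies what the policy set deliberately omits: keys,
    # keystores and, for managed persistent WS-RM, the bus and messaging engine.
    return ('[-bindingLocation [[application %s] [attachmentId %s]] '
            '-attachmentType application -bindingName %s]') % (
        quote(app_name), attachment_id, quote(binding_name))


def apply_policy_set(admin_task, admin_config, app_name, binding_name):
    """Run the sequence against wsadmin's AdminTask; returns the new attachment id."""
    source, copy = 'WSReliableMessaging persistent', 'RM persistent ordered'
    admin_task.importPolicySet(import_args(source))
    admin_task.copyPolicySet(copy_args(source, copy,
                                       'Managed persistent WS-RM with in-order delivery'))
    admin_task.setPolicyType(rm_in_order_args(copy, 1))
    admin_task.validatePolicySet('[-policySet %s]' % quote(copy))
    attachment_id = admin_task.createPolicySetAttachment(attach_args(app_name, copy))
    admin_task.setBinding(bind_args(app_name, attachment_id, binding_name))
    admin_config.save()      # nothing reaches the cell configuration until save()
    return attachment_id


def _wsadmin():
    # AdminTask and AdminConfig exist only inside the wsadmin interpreter.
    try:
        return AdminTask, AdminConfig
    except NameError:
        return None, None


task, config = _wsadmin()
if task is not None:
    print(apply_policy_set(task, config, 'MyWebServiceApp', 'MyRMBinding'))
```

Run it as `wsadmin -lang jython -f policyset_lifecycle.py` against the deployment manager (or a stand-alone server), since policy sets are stored at cell level. The validatePolicySet call before attaching is the step worth keeping in any such script: it catches a copy whose policies no longer form a consistent set before the attachment is saved.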
 
Related concepts
General sample bindings for JAX-WS applications
WS-I RSP default policy sets
WS-ReliableMessaging default policy sets
Web Services Addressing support
WS-Security default policy sets
SecureConversation default policy sets
WSHTTPS default policy set
WSTransaction default policy sets
Related tasks
Set policy set bindings
Importing policy sets
Set service client or provider bindings
Set Kerberos policy sets and V2 general sample bindings
Create policy set attachments using wsadmin
Manage policy sets
Related
Copy of default policy set and bindings settings
Authentication generator or consumer token settings
Protection token settings (generator or consumer)
Web services specifications and APIs 
Related information
WS-Policy working group
OASIS WS-SX Technical Committee