Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Web Services Security concepts > Web Services Security concepts > Web Services Security provides message integrity, confidentiality, and authentication > High-level architecture for Web Services Security > Default configuration

General sample bindings for JAX-WS applications

We can use sample bindings with the admin console for testing purposes. The configurations that you specify are reflected on the cell or server level.

WAS v7.0 and later includes provider and client sample bindings for testing purposes. In the bindings, the product provides sample values for supporting tokens for different token types, such as the X.509 token, the username token, the LTPA token, and the Kerberos token. The bindings also include sample values for message protection information for token types such as X.509 and secure conversation. Both provider and client sample bindings can be applied to the applications attached with a system policy set, or application policy set, from the default local repository.

This information describes the general sample bindings for the JAX-WS programming model. We can develop web services using JAX-RPC, or for WAS v7.0 and later, using JAX-WS. Sample general bindings may differ depending on which programming model you use. The following sections, describing various general sample bindings, are provided:

• General client sample bindings
• Client sample bindings V2
• General provider sample bindings
• Provider sample bindings V2

IBM WAS supports the JAX-WS programming model and JAX-RPC. JAX-WS is the next generation web services programming model extending the foundation provided by JAX-RPC. Using the strategic JAX-WS programming model, development of web services and clients is simplified through support of a standards-based annotations model. Although JAX-RPC and applications are still supported, take advantage of the easy-to-implement JAX-WS programming model to develop new web services applications and clients. bprac

Do not use these provider and client sample bindings in their default state in a production environment. We must modify the bindings to meet the security needs before using them in a production environment by making a copy of the bindings and then modifying the copy. For example, change the key and keystore settings to ensure security, and modify the binding settings to match the environment.

One set of general default bindings is shared by the applications to make application deployment easier. We can specify default bindings for your service provider or client that are used at the global security (cell) level, for a security domain, or for a particular server. The default bindings are used in the absence of an overriding binding specified at a lower scope. The order of precedence from lowest to highest that the application server uses to determine which default bindings to use is as follows:

1. Server level default
2. Security domain level default
3. Global security (cell) default

General client sample bindings

• The sample configuration for signing information generation, called asymmetric-signingInfoRequest, contains the following configuration:
  • References the gen_signkeyinfo signing key information.
  • The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, gen_signkeyinfo, which contains this configuration:
    • The security token reference.
    • The gen_signx509token protection token asymmetric signature generator, as follows:
      • Contains the X.509 V3 Token v1.0 token type.
      • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      • Contains the wss.generate.x509 JAAS login

    • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsigsender.ks, with these characteristics:
      • The keystore type is JKS.
      • The keystore password is client.
      • The alias name of the trusted certificate is soapca.
      • The alias name of the personal certificate is soaprequester.
      • The key password client issued by the intermediary certificate authority Int CA2, which is in turn issued by soapca.

  • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for signing information generation called symmetric-signingInfoRequest contains the following configuration:
  • References the gen_signsctkeyinfo signing key information.
  • The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, gen_signsctkeyinfo, which contains this configuration:
    • The security token reference.
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The gen_scttoken protection token generator, as follows:
      • Contains the Secure Conversation Token Version 1.3 token type.
      • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type as the local part value.
      • Contains wss.generate.sct JAAS login

    • The WS-Trust Callback Handler.

  • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for encryption information generation, called asymmetric-encryptionInfoRequest, contains the following configuration:
  • References the gen_enckeyinfo encryption key information.
  • Encryption key information, named gen_enckeyinfo, which contains this configuration:
    • The key identifier.
    • The gen_encx509token protection token asymmetric encryption generator, as follows:
      • Keystore type is JCEKS.
      • Keystore password is client.
      • Alias name of the trusted certificate is soapca.
      • Alias name of the personal certificate is bob.
      • Key password client issued by intermediary certificate authority Int CA2, which is in turn issued by soapca.

    • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks.

  • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.

• The sample configuration for encryption information generation, called symmetric-encryptionInfoRequest, contains the following configuration:
  • References the gen_encsctkeyinfo encryption key information.
  • The encryption key information, gen_encsctkeyinfo, which contains this configuration:
    • The security token reference.
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The gen_scttoken protection token generator, which contains the following configuration:
      • Contains the Secure Conversation Token v1.3 token type.
      • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      • Contains wss.generate.sct JAAS login.

    • The WS-Trust Callback Handler.

  • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.

• The sample configuration for signing information consumption, called asymmetric-signingInfoResponse, contains the following configuration:
  • References the con_signkeyinfo signing key information.
  • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, named con_signkeyinfo, which contains the following configuration:
    • The con_signx509token protection token asymmetric signature consumer, as follows:
      • Contains the X.509 V3 Token v1.0 token type.
      • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      • Contains the wss.consume.x509 JAAS login.

    • The X.509 Callback Handler, as follows:
      • References a certificate store named DigSigCertStore.
      • References a trusted anchor store named DigSigTrustAnchor.

  • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for signing information consumption, called symmetric-signingInfoResponse, contains the following configuration:
  • References the con_sctsignkeyinfo signing key information.
  • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, named con_sctsignkeyinfo, which contains the following configuration:
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The con_scttoken protection token consumer, as follows:
      • Contains the Secure Conversation Token v1.3 token type.
      • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      • Contains the wss.consume.sct JAAS login.

    • The WS-SecureConversation Callback Handler.

  • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for encryption information consumption, called asymmetric-encryptionInfoResponse, which contains the following configuration:
  • References the dec_keyinfo encryption key information.
  • The encryption key information, named dec_keyinfo, which contains the following configuration:
    • The con_encx509token protection token asymmetric encryption consumer, as follows:
      • Contains the X.509 V3 Token v1.0 token type.
      • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      • Contains the wss.consume.x509 JAAS login.

    • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks, with the follow characteristics:
      • The keystore type is JCEKS.
      • The keystore password is client.
      • The alias name of the trusted certificate is soapca.
      • The alias name of the personal certificate is alice.
      • The key password client issued by intermediary certificate authority Int CA2, which is in turn issued by soapca.

  • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.

• The sample configuration for encryption information consumption, called symmetric-encryptionInfoResponse, contains the following configuration:
  • References the dec_sctkeyinfo encryption key information.
  • The encryption key information, named dec_sctkeyinfo, contains the following configuration:
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The con_scttoken protection token consumer, as follows:
      • Contains the Secure Conversation Token v1.3 token type.
      • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      • Contains the wss.consume.sct JAAS login.

    • The WS-SecureConversation Callback Handler.

  • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.

• The sample configuration for authentication token generation, called gen_signkrb5token, contains the following configuration:
  • The custom token type for the Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  • The wss.generate.KRB5BST JAAS login.
  • The following custom properties:
    • com.ibm.wsspi.wssecurity.krbtoken.targetServiceName, the target Kerberos service name.
    • com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost, the host name associated with the target Kerberos service name,

      We must provide the correct values for the environment before using this configuration.

  • The custom Kerberos token callback handler. We must provide the correct values for the Kerberos client principal and password.

• The sample configuration for authentication token generation, called gen_signltpaproptoken, contains the following configuration:
  • The token type LTPA propagation token, as follows:
    • Contains LTPA_PROPAGATION for the local part value.
    • Contains http://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.

  • Contains the wss.generate.ltpaProp JAAS login.

  • Uses the LTPA token callback handler.

• The sample configuration for authentication token generation, called gen_signltpatoken, contains the following configuration:
  • The token type of LTPA Token v2.0, as follows:
    • Contains LTPA_PROPAGATION for the local part value.
    • Contains http://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.

  • The wss.generate.ltpa JAAS login.
  • The LTPA token callback handler.

• The sample configuration for authentication token generation, called gen_signunametoken, contains the following configuration:
  • The token type of Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for the local part value.
  • The wss.generate.unt JAAS login.
  • The Username token callback handler, as follows:
    • Contains basic authentication fields. We must provide the correct values for the environment for client principal and password.
    • Contains the following custom properties:
      • com.ibm.wsspi.wssecurity.token.username.addNonce for adding the nonce value.
      • com.ibm.wsspi.wssecurity.token.username.addTimestamp for adding the time stamp value.

Client sample bindings V2

Two new general sample bindings, Client sample V2, and Provider sample V2, have been added to the product. While many of the configurations are the same as previous versions of the client sample and provider sample bindings, there are several additional, new sample configurations.

To use these new bindings, create a new profile after installing the product. For more information, read the topic Configuring Kerberos policy sets and V2 general sample bindings.

• The sample configuration for signing information generation, called symmetric-KrbsignInfoRequest, contains the following configuration:
  • References the gen_reqKRBsignkeyinfo signing key information.
  • The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, gen_reqKRBsignkeyinfo, which contains this configuration:
    • The security token reference.
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The gen_krb5token protection token generator, as follows:
      • Contains the Kerberos V5 GSS AP_REQ binary security token type.
      • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type as the local part value.
      • Contains wss.generate.KRB5BST JAAS login

    • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.

  • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for encryption information generation, called symmetric-KrbEncInfoRequest, contains the following configuration:
  • References the gen_reqKRBenckeyinfo encryption key information.
  • The encryption key information, gen_reqKRBenckeyinfo, which contains this configuration:
    • The security token reference.
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The gen_krb5token protection token generator, which contains the following configuration:
      • Contains the Kerberos V5 GSS AP_REQ binary security token type.
      • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      • Contains wss.generate.KRB5BST JAAS login.

    • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.

  • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.

• The sample configuration for signing information consumption, called symmetric-KrbsignInfoResponse, contains the following configuration:
  • References the con_respKRBsignkeyinfo signing key information.
  • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, named con_respKRBsignkeyinfo, which contains the following configuration:
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The con_krb5token protection token consumer, as follows:
      • Contains the Kerberos V5 GSS AP_REQ binary security token type.
      • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      • Contains the wss.consume.KRB5BST JAAS login.

    • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler

  • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for encryption information consumption, called symmetric-KrbEncInfoResponse, contains the following configuration:
  • References the con_respKRBenckeyinfo encryption key information.
  • The encryption key information, named con_respKRBenckeyinfo, contains the following configuration:
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The con_krb5token protection token consumer, as follows:
      • Contains the Kerberos V5 GSS AP_REQ binary security token type.
      • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      • Contains the wss.consume.KRB5BST JAAS login.

    • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.

  • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.

• The sample configuration for authentication token generation, called gen_krb5token, contains the following configuration:
  • The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  • The wss.generate.KRB5BST JAAS login.
  • The following custom properties:
    • com.ibm.wsspi.wssecurity.krbtoken.targetServiceName, the target Kerberos service name.
    • com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost, the host name associated with the target Kerberos service name.

      We must provide the correct values for the environment before using this configuration.

  • The custom Kerberos token callback handler.

    We must provide the correct values for the Kerberos client principal and password.

• The sample configuration for authentication token generation, called con_krb5token, contains the following configuration:
  • The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  • The wss.consume.KRB5BST JAAS login.
  • The custom Kerberos token callback handler.

General provider sample bindings

• The sample configuration for signing information consumption, called asymmetric-signingInfoRequest, contains the following configuration:
  • References the con_signkeyinfo signing key information.
  • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, named con_signkeyinfo, which contains the following configuration:
    • The con_signx509token protection token asymmetric signature consumer, as follows:
      • Contains the X.509 V3 Token v1.0 token type.
      • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      • Contains the wss.consume.x509 JAAS login.

    • The X.509 Callback Handler, as follows:
      • References a certificate store named DigSigCertStore.
      • References a trusted anchor store named DigSigTrustAnchor.

  • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for signing information consumption, called symmetric-signingInfoRequest, contains the following configuration:
  • References the con_sctsignkeyinfo signing key information.
  • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, named con_sctsignkeyinfo, which contains the following configuration:
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The con_scttoken protection token generator, as follows:
      • Contains the Secure Conversation Token v1.3 token type.
      • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      • Contains the wss.consume.sct JAAS login.

    • The WS-SecureConversation Callback Handler.

  • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for encryption information consumption, called asymmetric-encryptionInfoRequest, contains the following configurations:
  • References the dec_keyinfo encryption key information.
  • The encryption key information, named dec_keyinfo, which contains the following configuration:
    • The con_encx509token protection token asymmetric encryption consumer, as follows:
      • Contains the X.509 V3 Token v1.0 token type.
      • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      • Contains the wss.consume.x509 JAAS login.

    • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks, with the following characteristics:
      • The keystore type is JCEKS.
      • The keystore password is client.
      • The alias name of the trusted certificate is soapca.
      • The alias name of the personal certificate is bob.
      • The key password client issued by intermediary certificate authority Int CA2, which is in turn issued by soapca.

  • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.

• The sample configuration for encryption information consumption, called symmetric-encryptionInfoRequest, contains the following configuration:
  • References the dec_sctkeyinfo encryption key information.
  • The encryption key information, named dec_sctkeyinfo, which contains the following configuration:
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The con_scttoken protection token consumer, as follows:
      • Contains the Secure Conversation Token v1.3 token type.
      • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      • Contains the wss.consume.sct JAAS login.

    • The WS-SecureConversation Callback Handler.

  • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.

• The sample configuration for signing information generation, called asymmetric-signingInfoResponse, contains the following configuration:
  • References the gen_signkeyinfo signing key information.
  • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, named gen_signkeyinfo, which contains the following configuration:
    • The security token reference.
    • The gen_signx509token protection token asymmetric signature generator, as follows:
      • Contains the X.509 V3 Token v1.0 token type.
      • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      • Contains the wss.generate.x509 JAAS login.

    • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks, with the following characteristics:
      • The keystore type is JKS.
      • The keystore password is client.
      • The alias name of the trusted certificate is soapca.
      • The alias name of the personal certificate is soapprovider.
      • The key password client issued by intermediary certificate authority Int CA2, which is in turn issued by soapca.

  • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for signing information generation, called symmetric-signingInfoResponse, contains the following configuration:
  • References the gen_signsctkeyinfo signing key information.
  • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, named gen_signsctkeyinfo, which contains the following configuration:
    • The security token reference.
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The gen_scttoken protection token generator, as follows:
      • Contains the Secure Conversation Token v1.3 token type.
      • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      • Contains the wss.generate.sct JAAS login.

    • The WS-Trust Callback Handler.

  • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for encryption information generation, called asymmetric-encryptionInfoResponse, contains the following configuration:
  • References the gen_enckeyinfo encryption key information.
  • The encryption key information, named gen_enckeyinfo, contains the following configuration
    • The key identifier.
    • The gen_encx509token protection token asymmetric encryption generator, as follows:
      • Contains the X.509 V3 Token v1.0 token type.
      • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      • Contains the wss.generate.x509 JAAS login.

    • Uses X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks, with the following characteristics:
      • The keystore type is JCEKS.
      • The keystore password is client.
      • The alias name of the trusted certificate is soapca.
      • The alias name of the personal certificate is alice.
      • The key password client issued by intermediary certificate authority Int CA2, which is in turn issued by soapca.

  • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.

• The sample configuration for encryption information generation, called symmetric-encryptionInfoResponse, contains the following configuration:
  • References the gen_encsctkeyinfo encryption key information.
  • The encryption key information, named gen_encsctkeyinfo, contains the following configuration:
    • The security token reference.
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The gen_scttoken protection token generator, as follows:
      • Contains the Secure Conversation Token v1.3 token type.
      • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      • Contains the wss.generate.sct JAAS login.

    • The WS-Trust Callback Handler.

  • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.

• The sample configuration for authentication token consumption, called con_krb5token, contains the following configuration:
  • The custom token type for Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  • The wss.consume.KRB5BST JAAS login.
  • The custom Kerberos token callback handler.

• The sample configuration for authentication token consumption, called con_ltpaproptoken, contains the following configuration:
  • The token type LTPA propagation token.
  • The wss.consume.ltpaProp JAAS login.
  • The LTPA token callback handler.

• The sample configuration for authentication token consumption, called con_ltpatoken, contains the following configuration:
  • The token type LTPA Token v2.0, with the following characteristics:
    • Contains LTPAv2 for the local part value.
    • Contains http://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.

  • The wss.consume.ltpa JAAS login
  • The LTPA token callback handler.

• The sample configuration for authentication token consumption, called con_unametoken, contains the following configuration:
  • Token type Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for the local part value.
  • The wss.consume.unt JAAS login.
  • The Username token callback handler, with the following custom properties:
    • com.ibm.wsspi.wssecurity.token.username.verifyNonce for verifying the nonce value.
    • com.ibm.wsspi.wssecurity.token.username.verifyTimestamp for verifying the time stamp value.

Provider sample bindings V2

Two new general sample bindings, Client sample V2, and Provider sample V2, have been added to the product. While many of the configurations are the same as previous versions of the client sample and provider sample bindings, there are several additional, new sample configurations.

To use these new bindings, create a new profile after installing the product. For more information, read the topic Configuring Kerberos policy sets and V2 general sample bindings.

• The sample configuration for signing information generation, called symmetric-KrbsignInfoRequest, contains the following configuration:
  • References the con_respKRBsignkeyinfo signing key information.
  • The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, con_respKRBsignkeyinfo, which contains this configuration:
    • The security token reference.
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The con_krb5token protection token consumer, as follows:
      • Contains the Kerberos V5 GSS AP_REQ binary security token type.
      • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type as the local part value.
      • Contains wss.consume.KRB5BST JAAS login.

    • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.

  • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for encryption information generation, called symmetric-KrbEncInfoRequest, contains the following configuration:
  • References the con_reqKRBenckeyinfo encryption key information.
  • The encryption key information, con_reqKRBenckeyinfo, which contains this configuration:
    • The security token reference.
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The con_krb5token protection token consumer, which contains the following configuration:
      • Contains the Kerberos V5 GSS AP_REQ binary security token type.
      • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      • Contains wss.consume.KRB5BST JAAS login.

    • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.

  • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.

• The sample configuration for signing information consumption, called symmetric-KrbsignInfoResponse, contains the following configuration:
  • References the gen_respKRBsignkeyinfo signing key information.
  • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  • The signing key information, named gen_respKRBsignkeyinfo, which contains the following configuration:
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The gen_krb5token protection token generator, as follows:
      • Contains the Kerberos V5 GSS AP_REQ binary security token type.
      • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      • Contains the wss.generate.KRB5BST JAAS login.

    • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.

  • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.

• The sample configuration for encryption information consumption, called symmetric-KrbEncInfoResponse, contains the following configuration:
  • References the gen_respKRBenckeyinfo encryption key information.
  • The encryption key information, named gen_respKRBenckeyinfo, contains the following configuration:
    • The derived key, as follows:
      • Requires explicit derived key token.
      • WS-SecureConversation as the client label.
      • WS-SecureConversation as the service label.
      • Key length of 16 bytes.
      • Nonce length of 16 bytes.

    • The gen_krb5token protection token generator, as follows:
      • Contains the Kerberos V5 GSS AP_REQ binary security token type.
      • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      • Contains the wss.generate.KRB5BST JAAS login.

    • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler

  • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.

• The sample configuration for authentication token generation, called gen_krb5token, contains the following configuration:
  • The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  • The wss.generate.KRB5BST JAAS login.
  • The custom Kerberos token callback handler.

• The sample configuration for authentication token generation, called con_krb5token, contains the following configuration:
  • The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  • The wss.consume.KRB5BST JAAS login.
  • The custom Kerberos token callback handler.

Default configuration
Configure Kerberos policy sets and V2 general sample bindings

+

Search Tips   |   Advanced Search