Network Deployment (Distributed operating systems), v8.0 > Scripting the application serving environment (wsadmin) > Welcome to scripting for web services > Configure web services applications using wsadmin.sh > Configure application and system policy sets for web services using wsadmin.sh

Configure custom policies and bindings for security tokens using wsadmin.sh

Use the setPolicyType and setBinding commands for the AdminTask object to specify security tokens for custom policy and binding configurations.

Create a new custom policy set.

The following scenarios configure the custom policy and bindings to use a Kerberos token based on the Oasis Kerberos Token Profile V1.1 specification. We can also use the setPolicyType and setBinding commands to configure other binary security tokens, such as username tokens, Lightweight Third-Party Authentication (LTPA) and SecureConversation.

Procedure

• Configure custom policies for security tokens.
  1. Launch wsadmin.sh using the Jython scripting language.

     To learn more, see the starting the wsadmin scripting client information.

  2. Display the properties of the policy of interest.

     Use the getPolicyType command to display detailed property information for the WS-Security policy type, as the following command demonstrates:

     AdminTask.getPolicyType('-policySet AuthenticationTokenService -policyType
      WSSecurity')
     

     The getPolicyType command returns a properties object that contains name and value pairs for each property, as the following sample output displays:

     '[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken
      http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] [enabled true] [type WSSecurity]
      [description [Policies for sending security tokens and providing message confidentiality and integrity, based on the OASIS Web
      Service Security and Token Profiles specifications.]] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri ]
      [provides ] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname
      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]'
     

  3. Specify the authentication token for the policy type.

     Use the setPolicyType command to specify the Uniform Resource Identifier (URI) of the authentication token for services as the value for the SupportTokens.request:krb_token.CustomToken.WssCustomToken.uri property. Use the [ ] syntax to specify an empty string. The following example specifies an empty string as the value for the authentication token:

     AdminTask.setPolicyType('-policySet AuthenticationTokenService -policyType
      WSSecurity -attributes "[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken
      http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] [enabled true] [type
      WSSecurity] [description  [Policies for sending security tokens and providing message confidentiality and integrity,
      based on the OASIS Web Services Security and Token Profiles specifications.]]
      [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri []] [provides []]
      [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname
      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]"')
     

• Configure custom bindings for security tokens.

  1. Start wsadmin.sh.
  2. Display the properties of the bindings of interest.

     Use the getBinding command to display detailed property information for the binding of interest, as the following command demonstrates:

     AdminTask.getBinding('-policyType WSSecurity -bindingLocation "" -bindingName
      AuthenticationTokenService')
     

     The getBinding command returns a properties object that contains name and value pairs for each property, as the following sample output displays:

     '[ [application.securityinboundbindingconfig.tokenconsumer_0.properties_0.name
      com.ibm.wsspi.wssecurity.krbtoken.serviceSPN]  [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname
      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ]
      [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri ]
      [application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname
      com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler]  [application.name
      application][application.securityinboundbindingconfig.tokenconsumer_0.properties_0.value HTTP/derekho1.firehorse.austin.ibm.com]
      [application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname system.wss.consume.KRB5BST]
      [application.securityinboundbindingconfig.tokenconsumer_0.name
      con_krbtoken][application.securityinboundbindingconfig.tokenconsumer_0.classname
      com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer]
      [application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference request:krb_token] ]'
     

  3. Specify the authentication token for the policy type.

     Use the setBinding command to specify the Uniform Resource Identifier (URI) of the authentication token for services as the value for the application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri property. Use the [ ] syntax to specify an empty string. The following example specifies an empty string as the value for the authentication token:

     AdminTask.setBinding('-policyType WSSecurity -bindingLocation ""
      -bindingName AuthenticationTokenService -attributes  "[
      [application.securityinboundbindingconfig.tokenconsumer_0.properties_0.name com.ibm.wsspi.wssecurity.krbtoken.serviceSPN]
      [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname
      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ]
      [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri []]
      [application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname
      com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler] [application.name
      application][application.securityinboundbindingconfig.tokenconsumer_0.properties_0.value
      HTTP/derekho1.firehorse.austin.ibm.com] [application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname
      system.wss.consume.KRB5BST][application.securityinboundbindingconfig.tokenconsumer_0.name
      con_krbtoken][application.securityinboundbindingconfig.tokenconsumer_0.classname
      com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer]
      [application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference request:krb_token]
      ]"')
     

Results

If the setPolicyType and setBinding commands return a 'true' value, the system successfully updated the policy and binding configurations.
Web Services Security default policy sets
Start the wsadmin scripting client using wsadmin.sh
Create policy sets using wsadmin.sh
Add and remove policies using wsadmin.sh

Related

PolicySetManagement command group
WSSecurity policy and binding properties

+

Search Tips   |   Advanced Search