Network Deployment (Distributed operating systems), v8.0 > Reference > Sets
Callback handler configuration settings for JAX-RPC
aug2011
Use this page to specify how to acquire the security token that is inserted in the Web Services Security header for JAX-RPC within the SOAP message. The token acquisition is a pluggable framework that leverages the Java Authentication and Authorization Service (JAAS) javax.security.auth.callback.CallbackHandler interface for acquiring the security token. Before you specify values for the Keystore and Key properties on this page, understand that the keystore/alias information that is provided for the generator and the keystore/alias information that is provided for the consumer are used for different purposes. The main difference applies to the alias for an X.509 callback handler:
Generator
When used in association with an encryption generator, the alias supplied for the generator is used to retrieve the public key to encrypt the message. A password is not required. The alias that is entered on a callback handler associated with an encryption generator must be accessible without a password. This means that the alias must not have private key information associated with it in the keystore. When used in association with a signature generator, the alias supplied for the generator is used to retrieve the private key to sign the message. A password is required.
Consumer
When used in association with an encryption consumer, the alias supplied for the consumer is used to retrieve the private key to decrypt the message. A password is required. When used in association with a signature consumer, the alias supplied for the consumer is used strictly to retrieve the public key used to resolve an X.509 certificate that is not passed in the SOAP security header as a BinarySecurityToken. A password is not required.
The alias that is entered on a callback handler associated with a signature consumer must be accessible without a password. This means that the alias must not have private key information associated with it in the keystore.
When an X.509 certificate is not passed in the SOAP security header as a BinarySecurityToken, a SecurityTokenReference appears in the KeyInfo element within the Signature element in the SOAP security header, and it is used to resolve the X.509 certificate. The methods that can be used are Key identifier, X.509 issuer name and issuer serial, and Thumbprint. The consumer accepts any of these three methods for resolving an X.509 certificate outside the message when a keystore/alias is configured for an X.509 token consumer associated with a signature consumer.
Because only one alias can be configured on the X.509 token consumer, the WS-Security run time can resolve only one certificate outside a message. For example, if the X.509 token consumer is configured for certificate A and client A sends the keyIdentifier for certificate A, the certificate can be retrieved. However, if client B sends the keyIdentifier for certificate B, the certificate cannot be retrieved and the message is rejected.
When an X.509 certificate is sent in the SOAP security header as a BinarySecurityToken, if there is a keystore/alias configured on the X.509 token consumer associated with a signature consumer, the certificate that is configured on the consumer will be compared against the one that is passed in the message. If they do not match, the message will be rejected. This behavior is different than JAX-RPC. The certificate associated with the alias configured on the X.509 token consumer is not used to evaluate trust on the inbound certificate. Only the trust store and cert stores are used for that purpose.
If you want the certificate configured on the X.509 token consumer associated with a signature consumer to be available for KeyInfo resolution, but not reject X.509 certificates that are passed in the message that do not match, you can add the following custom property to the X.509 token consumer callback handler:
com.ibm.wsspi.wssecurity.consumer.callbackHandlerKeystoreLimitsAccess=false
See the topic Key information settings for more information about the key identifier, X.509 issuer/serial, and thumbprint.
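The generator/consumer alias rules above are easy to get wrong at deployment time. The following added example (not code from the WebSphere documentation) inspects a keystore with the standard java.security.KeyStore API and reports whether an alias has the kind of entry its role needs: a certificate-only entry for an encryption generator or signature consumer, a password-protected private key for a signature generator or encryption consumer. The class and role names are this example's own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;

public class AliasRoleCheck {
    // The four callback-handler roles whose alias rules the page describes.
    public enum Role { ENCRYPTION_GENERATOR, SIGNATURE_GENERATOR, ENCRYPTION_CONSUMER, SIGNATURE_CONSUMER }

    // Signing and decrypting read a private key, so they need a key password.
    public static boolean needsPrivateKey(Role role) {
        return role == Role.SIGNATURE_GENERATOR || role == Role.ENCRYPTION_CONSUMER;
    }

    // Returns null when the alias fits the role, otherwise the reason it does not.
    public static String check(KeyStore ks, String alias, Role role, char[] keyPassword) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "alias '" + alias + "' not found in keystore";
        }
        if (needsPrivateKey(role)) {
            if (!ks.isKeyEntry(alias)) {
                return role + " needs a private key, but '" + alias + "' is a trusted-certificate entry";
            }
            try {
                // Recovering the key also proves the configured key password is correct.
                if (!(ks.getKey(alias, keyPassword) instanceof PrivateKey)) {
                    return "'" + alias + "' holds a secret key, not a private key";
                }
            } catch (UnrecoverableKeyException e) {
                return "key password for '" + alias + "' is missing or wrong";
            }
            return null;
        }
        // Encrypting and resolving a signer certificate must work without a password.
        if (ks.isKeyEntry(alias)) {
            return role + " must not have private key material under '" + alias + "'";
        }
        if (!(ks.getCertificate(alias) instanceof X509Certificate)) {
            return "'" + alias + "' does not hold an X.509 certificate";
        }
        return null;
    }

    // Usage: AliasRoleCheck <keystore-type> <keystore-path> <keystore-password> <alias> <role> [key-password]
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(args[0]);              // e.g. JKS, JCEKS, PKCS12
        try (FileInputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        char[] keyPw = args.length > 5 ? args[5].toCharArray() : null;
        String problem = check(ks, args[3], Role.valueOf(args[4]), keyPw);
        System.out.println(problem == null ? "OK: alias fits " + args[4] : "FAIL: " + problem);
    }
}
```

Run it against the keystore named in the callback handler configuration before deploying; a private key under the alias used by an encryption generator is the mismatch the text warns about and is reported as FAIL.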
To view this admin console page for the callback handler on the cell level...
- Click Security > JAX-WS and JAX-RPC security runtime.
- Under JAX-RPC Default generator bindings, click Token generators > token_generator_name .
- Under Additional properties, click Callback handler.
To view this admin console page for the callback handler on the server level...
- Click Servers > Server Types > WebSphere application servers > server_name.
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
- Under JAX-RPC Default generator bindings, click Token generators > token_generator_name .
- Under Additional properties, click Callback handler.
To view this admin console page for the callback handler on the application level ...
- Click Applications > Application Types > WebSphere enterprise applications > application_name.
- Under Modules, click Manage Modules > URI_name.
- Under Web Services Security properties, you can access the callback handler information for the following bindings:
- For the Request generator (sender) binding, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom. Under Additional properties, click Token generator. Click New to create a new token generator configuration or click the name of an existing configuration to modify its settings. Under Additional properties, click Callback handler.
- For the Response generator (sender) binding, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom. Under Additional properties, click Token generator. Click New to create a new token generator configuration or click the name of an existing configuration to modify its settings. Under Additional properties, click Callback handler.
Callback handler class name
Name of the callback handler implementation class used to plug in a security token framework.
The specified callback handler class must implement the javax.security.auth.callback.CallbackHandler interface. The implementation of the JAAS javax.security.auth.callback.CallbackHandler interface must provide a constructor using the following syntax:
MyCallbackHandler(String username, char[] password, java.util.Map properties)
Where:
username
User name that is passed into the configuration.
password
Password that is passed into the configuration.
properties
Other configuration properties that are passed into the configuration. The application server provides the following default callback handler implementations:
com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
This callback handler uses a login prompt to gather user name and password information. However, if you specify the user name and password on this panel, a prompt is not displayed and the application server returns the user name and password to the token generator if it is specified on this panel. Use this implementation for a Java EE application client only.
com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
This callback handler does not issue a prompt and returns the user name and password if they are specified on this panel. You can use this callback handler when the web service is acting as a client.
com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
This callback handler uses a standard-in prompt to gather the user name and password. However, if the user name and password is specified on this panel, the application server does not issue a prompt, but returns the user name and password to the token generator. Use this implementation for a Java EE application client only.
com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
This callback handler is used to obtain the Lightweight Third Party Authentication (LTPA) security token from the RunAs invocation Subject. This token is inserted in the Web Services Security header within the SOAP message as a binary security token. However, if the user name and password are specified on this panel, the application server authenticates the user name and password to obtain the LTPA security token rather than obtaining it from the RunAs Subject. Use this callback handler only when the web service is acting as a client on the application server. IBM recommends that you do not use this callback handler on a Java EE application client.
com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler
This callback handler is used to create the X.509 certificate that is inserted in the Web Services Security header within the SOAP message as a binary security token. A keystore and a key definition is required for this callback handler.
com.ibm.wsspi.wssecurity.auth.callback.PKCS7CallbackHandler
This callback handler is used to create X.509 certificates encoded with the PKCS#7 format. The certificate is inserted in the Web Services Security header in the SOAP message as a binary security token. A keystore is required for this callback handler. You must specify a certificate revocation list (CRL) in the collection certificate store. The CRL is encoded with the X.509 certificate in the PKCS#7 format.
com.ibm.wsspi.wssecurity.auth.callback.PkiPathCallbackHandler
This callback handler is used to create X.509 certificates encoded with the PkiPath format. The certificate is inserted in the Web Services Security header within the SOAP message as a binary security token. A keystore is required for this callback handler. A CRL is not supported by the callback handler; therefore, the collection certificate store is not required or used.
The callback handler implementation obtains the required security token and passes it to the token generator. The token generator inserts the security token in the Web Services Security header within the SOAP message. The token generator is also the plug-in point for the pluggable security token framework. Service providers can provide their own implementation, but the implementation must use the com.ibm.websphere.wssecurity.wssapi.token.SecurityToken interface. The JAAS login module implementation is used to create the security token on the generator side and to validate (authenticate) the security token on the consumer side.
Use identity assertion
Select this option if you have identity assertion defined in the IBM extended deployment descriptor.
This option indicates that only the identity of the initial sender is required and inserted into the Web Services Security header within the SOAP message. For example, the application server sends only the user name of the original caller for a Username TokenGenerator. For an X.509 token generator, the application server sends the original signer certification only.
Use RunAs identity
Select this option if you have identity assertion defined in the IBM extended deployment descriptor and you want to use the RunAs identity instead of the initial caller identity for identity assertion on a downstream call.
This option is valid only if you have Username TokenGenerator configured as a token generator.
Basic authentication user ID
User name that is passed to the constructors of the callback handler implementation.
The basic authentication user name and password are used if you select one of the following default callback handler implementations provided by this product:
- com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
- com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
- com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
- com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
These implementations are described in detail under the Callback handler class name field description in this article.
Basic authentication password
Password that is passed to the constructor of the callback handler.
The keystore and its related configuration are used if you select one of the following default callback handler implementations provided by this product:
com.ibm.wsspi.wssecurity.auth.callback.PKCS7CallbackHandler
The keystore is used to build the X.509 certificate with the certificate path.
com.ibm.wsspi.wssecurity.auth.callback.PkiPathCallbackHandler
The keystore is used to build the X.509 certificate with the certificate path.
com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler
The keystore is used to retrieve the X.509 certificate.
Keystore
Select None if no keystore is needed for this configuration.
Select Predefined keystore to choose a predefined keystore by its keystore configuration name.
Select User-defined keystore to use user-defined keystores.
The following information needs to be specified:
Key store configuration name
Name of the key store configuration defined in the keystore settings in secure communications.
Key store password
Password used to access the keystore file.
Key store path
Location of the keystore file.
Use ${USER_INSTALL_ROOT} in the path name because this variable expands to the product path on your machine.
To change the path used by this variable, click Environment > WebSphere variables and click USER_INSTALL_ROOT.
Key store type
Type of keystore file format.
Choose one of the following values for this field:
JKS
Use this option if the keystore uses the Java Keystore (JKS) format.
JCEKS
Use this option if the Java Cryptography Extension is configured in the software development kit (SDK). The default IBM JCE is configured in the application server. This option provides stronger protection for stored private keys by using Triple DES encryption.
PKCS11KS (PKCS11)
Use this option if your keystore file uses the PKCS#11 file format. Keystore files that use this format might contain Rivest Shamir Adleman (RSA) keys on cryptographic hardware or might encrypt keys that use cryptographic hardware to ensure protection.
PKCS12KS (PKCS12)
Use this option if your keystore file uses the PKCS#12 file format.
Configure token generators using JAX-RPC to protect message authenticity at the application level
Related
Token generator collection
Token generator configuration settings
Key information settings