Network Deployment (Distributed operating systems), v8.0 > Reference > Sets


Caller settings

Use this page to configure the caller settings. The caller specifies the token or message part used for authentication.

We can configure the caller settings for message parts when you are editing a default cell or server binding. We can also configure application specific bindings for tokens and message parts that are required by the policy set.

To view this administrative console page when you are editing a general provider binding, complete the following actions:

  1. Click Services > Policy sets > General provider policy sets bindings.

  2. Click the WS-Security policy in the Policies table.

  3. Click the Authentication and protection link in the Main message security policy bindings section.

  4. Click the Caller link in the Main message security policy bindings section.

  5. Click New.

To view this administrative console page when you are configuring application specific bindings for tokens and message parts that are required by the policy set, complete the following actions:

  1. Click Applications > Application Types > WebSphere enterprise applications .

  2. Select an application that contains web services. The application must contain a service provider or a service client.

  3. Click the Service provider policy sets and bindings link in the Web Services Properties section. The caller settings are available only for the service provider policy sets and bindings. The caller settings are not available for service client.policy sets and bindings.

  4. Select a binding. We must have previously attached a policy set and assigned a application specific binding.

  5. Click the WS-Security policy in the Policies table.

  6. Click the Caller link in the Main message security policy bindings section.

  7. Click New.

    When you create a new caller it will automatically be assigned the next available order. We can change the order of preference, as described in the Order section below.

This administrative console page applies only to Java API for XML Web Services (JAX-WS) applications.


Name

Name of the caller to use for authentication. Enter a caller name in this required field. This arbitrary name identifies this caller setting.


Order

Order of preference for the callers. The order determines which caller will be utilized when multiple authentication tokens are received.

We can change the order of preference by moving a caller up or down in the list. Click the checkbox next to a caller name to select the caller, then click the Move up button to move the caller higher in the list, or click the Move down button to move the caller to a lower position in the preference order.

Button Resulting Action
Move up Moves the order of the selected caller up in the caller list.
Move down Moves the order of the selected caller down in the caller list.

The order column displays only for bindings using the new namespace. If a binding with multiple callers was migrated to the new namespace, then the callers do not have an order. In that case, an error message is displayed. When this occurs, select a caller in the table and then click either Move up or Move down to assign an order to each caller. Callers must have orders assigned before you save the bindings or use the bindings with an application.


Caller identity local part

Local name of the caller to use for authentication. Enter a caller identity local name in this required field.

When specifying an LTPA caller, use LTPA as the local name for a caller that uses an older binding, prior to IBM WAS, v7.0. Newer bindings for IBM WAS, v7.0 and later should use LTPAv2 as the local name. Specifying LTPAv2 allows both LTPA and LTPAv2 tokens to be consumed, unless the Enforce token version option is selected on the token consumer.

Caller identity namespace URI field description. The table lists the possible values for the Caller identity namespace URI field description.

Default String


Caller identity namespace URI

Uniform resource identifier (URI) of the caller to use for authentication. Enter a caller URI in this field.

When specifying an LTPA caller, use http://www.ibm.com/websphere/appserver/tokentype/5.0.2 as the URI for a caller that uses an older binding, prior to IBM WAS, v7.0. Newer bindings for IBM WAS, v7.0 and later should use the http://www.ibm.com/websphere/appserver/tokentype URI.

Possible values for the caller identity. The table provides a list of the Caller identity local part and the Caller identity namespace URI field values as applicable. A Caller identity namespace URI value is not needed unless it is otherwise specified in the table. The caller identity is used for message authentication.

Token type Caller identity local part Caller identity namespace URI
Username token 1.0 http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken  
Username token 1.1 http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken  
X509 certificate token http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3  
X509 certificates in a PKIPath http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1  
A list of X509 certificates and CRLs in a PKCS#7 http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7  
LTPA token LTPA http://www.ibm.com/websphere/appserver/tokentype/5.0.2
LTPA token LTPAv2 http://www.ibm.com/websphere/appserver/tokentype
LTPA propagation token LTPA_PROPAGATION http://www.ibm.com/websphere/appserver/tokentype
SAML 1.1 token

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1

 
SAML 2.0 token

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

 
Kerberos token http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ  

If you specify a custom value type for a custom token, specify the Caller identity local part and Caller identity namespace URI values. For example, you might enter Custom in the Caller identity local part value field and http://www.ibm.com/custom in the Caller identity namespace URI field.


Signing part reference

When the trusted identity is based on a signing token, select the signing part reference that represents the message parts signed by token.

If you select the Signing part reference option, specify a callback handler for the bindings to work properly.


Use identity assertion

Whether identity assertion is used when authenticating.

Select this check box to use identity assertion. When you select this checkbox, the Trusted identity local name and Trusted identity namespace URI fields are enabled.


Trusted identity local name

Trusted identity local name when the identity assertion is used.

If you select the Use identity assertion option and a trust token exists in the WS-Security policy, provide a value for the Trusted identity local name field for the bindings to work properly.


Trusted identity URI

Trusted identity uniform resource identifier (URI).


Callback handler

Class name of the callback handler. Enter the class name of the callback handler in this field.

If provided a value for the Trusted identity local name field and you do not set the token consumer for the trust token to Trust any certificate, then set the value in this Callback handler field to com.ibm.ws.wssecurity.impl.auth.callback.TrustedIdentityCallbackHandler.

When provided a callback handler name, specify the trusted identities as callback handler custom properties. For example:

property name="trustedId_0", value="CN=Bob,O=ACME,C=US"
property name="trustedId_1", value="user1"


JAAS login

Java Authentication and Authorization Service (JAAS) application login. We can enter a JAAS login, select one from the menu, or click New to add a new one.

For information on updating the Kerberos system JAAS login module for JAX-WS applications, read the topic Updating the system JAAS login with the Kerberos login module.


Custom properties – Name

Name of the custom property.

Custom properties are not initially displayed in this column. Select one of the following actions for custom properties:

Button Resulting Action
New Creates a new custom property entry.

To add a custom property, enter the name and value.

Edit Specifies that you can edit the custom property value. At least one custom property must exist before this option is displayed.
Delete Removes the selected custom property.


Custom properties – Value

Value of the custom property that you want to use. Use the Value field to add, edit, or delete the value for a custom property.
Define and managing policy set bindings
Update the system JAAS login with the Kerberos login module
Manage policy sets


Related


Caller collection

+

Search Tips   |   Advanced Search