
Configure a policy set and bindings to consume an LTPA and/or UsernameToken (optional security tokens)

This procedure describes how to configure the message-level WS-Security policy set and bindings to consume an LTPA token, a UsernameToken or both. This procedure can be modified to apply to any pair of dissimilar token value types. We cannot create a configuration that will make one token required and the other optional.

This task assumes that the service provider and client that you are configuring are in the JaxWSServicesSamples application. Refer to Access the samples for more information on how to obtain and install this application. You should use the following trace specification on the server. These specifications enable you to debug any future configuration problems that might occur.

Since LTPA tokens will be used, application security must be enabled on the application servers used for both the client and the service.

This procedure explains the actions we need to complete to configure a WS-Security policy to consume an LTPA token, a UsernameToken or both. Ordinarily this configuration would be used on a provider application. For simplicity, this procedure removes timestamp, digital signature and encryption from the policy; you may want to include these in the final configuration. Refer to Configure a policy set and bindings for Asymmetric XML Digital Signature and/or XML Encryption for more information.

For more information on how to create the caller configuration for other token types, see Caller collection.

This procedure also includes the steps to configure a client application to send a UsernameToken or an LTPA token.

  1. Create the custom policy set for the provider.

    1. In the console, click Services > Policy sets > Application Policy sets.

    2. Click New.

    3. Specify Name = AtwoTokenPolicy.

    4. Click Apply.

    5. Under Policies, click Add > WS-Security.

  2. Edit the custom policy set.

    1. Remove digital signature, encryption and timestamp.

      1. In the console, click WS-Security > Main Policy.

      2. Deselect Message level protection.

      3. Click Apply.

    2. Add the UsernameToken and LTPA token.

      1. Click Request token policies.

      2. Click Add Token Type > LTPA.

        • LTPA token name: myLTPA

      3. Click OK.

      4. Click Add Token Type > UserName.

      5. Click OK.

    3. Save the configuration.

      1. Click Save.

  3. Configure the provider to use the AtwoTokenPolicy policy set.

    1. In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings.

    2. Select the web services client resource.

    3. Select the web services provider resource.

    4. Click Attach Policy Set.

    5. Select AtwoTokenPolicy.

  4. Create a custom binding for the provider.

    1. Select the web services provider resource again.

    2. Click Assign Binding.

    3. Click New Application Specific Binding to create an application-specific binding.

    4. Specify Bindings configuration name: providerBinding.

    5. Click Add > WS-Security.

  5. Edit the custom bindings for the provider. The values for the settings in the following steps were obtained from Caller settings.

    1. To add a caller configuration for the LTPA token:

      1. Click Caller.

      2. Click New.

        • Name: ltpaCaller

        • Caller identity local part: LTPAv2

        • Caller identity namespace URI: [leave blank]

      3. Click OK.

    2. To add a caller configuration for the UsernameToken:

      1. Click New.

        • Name: untCaller

        • Caller identity local part: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken

        • Caller identity namespace URI: [leave blank]

      2. Click OK.

    Ensure that the tokens have the desired precedence. There can be only a single caller identity per thread. If more than one token for which there is a caller configuration occurs in the inbound SOAP message, the caller configuration with the lower Order number is used. If the order shown in the Order field in the table is not the order we want, do the following:

    1. Select the token to have top priority.

    2. Click Move Up until its Order number is 1.

    3. Repeat this procedure using Move Up and Move Down to achieve the desired order.

    4. Click Save to save the configuration.

  6. Create a policy set that has only a UsernameToken in the request message for the client.

    1. In the console, click Services > Policy sets > Application Policy sets.

    2. Click New.

    3. Specify Name = AUntPolicy.

    4. Click Apply.

    5. Under Policies, click Add > WS-Security.

    6. Remove digital signature, encryption and timestamp. In the console:

      1. Click WS-Security > Main Policy.

      2. Deselect Message level protection.

      3. Click Apply.

    7. Add the UsernameToken.

      1. Click Request Token Policies.

      2. Click Add Token Type > UserName.

      3. Username token name: myUNT.

      4. Click OK.

    8. Save the configuration. Click Save.

  7. Create a policy set that has only an LTPA token in the request message for the client.

    1. In the console, click Services > Policy sets > Application Policy sets.

    2. Click New.

    3. Specify Name = AnLTPAPolicy.

    4. Click Apply.

    5. Under Policies, click Add > WS-Security.

    6. Remove digital signature, encryption and timestamp. In the console:

      1. Click WS-Security > Main Policy.

      2. Deselect Message level protection.

      3. Click Apply.

    7. Add the LTPA token.

      1. Click Request Token Policies.

      2. Click Add Token Type > LTPA.

      3. LTPA token name: myLTPA.

      4. Click OK.

    8. Save the configuration. Click Save.

  8. To configure the client to use the UsernameToken policy and create bindings:

    1. Configure the client to use the AUntPolicy policy set.

      1. In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.

      2. Select the web services client resource.

      3. Click Attach Policy Set.

      4. Select AUntPolicy.

    2. Create a custom binding for the client.

      1. Select the web services resource again.

      2. Click Assign Binding.

      3. Click New Application Specific Binding to create an application specific binding.

      4. Specify Bindings configuration name: untClientBinding.

      5. Click Add > WS-Security.

    3. Configure the client's custom bindings.

      1. Select Authentication and protection > Authentication tokens, select myUNT.

      2. Click Apply.

      3. Click Callback handler.

      4. Enter the desired User name and Password.

      5. Add the custom properties for nonce and timestamp: Since the UsernameToken consumer was not configured during the custom binding configuration on the provider, the run time will use the default general bindings for the UsernameToken configuration. The UsernameToken consumer in the default general binding requires that timestamp and nonce be sent in the username token, so the properties to emit these elements must be entered:
        * com.ibm.wsspi.wssecurity.token.username.addTimestamp=true
        * com.ibm.wsspi.wssecurity.token.username.addNonce=true

      6. Click OK.

    4. Save the configuration.

      1. Click Save.

  9. To configure the client to use the LTPA token policy and create bindings:

    1. Configure the client to use the AnLTPAPolicy policy set.

      1. In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.

      2. Select the web services client resource.

      3. Click Attach Policy Set.

      4. Select AnLTPAPolicy.

    2. Create a custom binding for the client.

      1. Select the web services resource again.

      2. Click Assign Binding.

      3. Click New Application Specific Binding to create an application specific binding.

      4. Specify Bindings configuration name: ltpaClientBinding.

      5. Click Add > WS-Security.

    3. Configure the client's custom bindings.

      1. Select Authentication and protection > Authentication tokens, select myLTPA.

      2. Click Apply.

      3. Click Callback handler.

      4. Enter the desired User name and Password.

      5. Click OK.

    4. Save the configuration.

      1. Click Save.
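As an added example (not code from the WebSphere documentation or product), the following Python script models the two consumer-side rules described in steps 5 and 8: the default general binding's requirement that an inbound UsernameToken carry Nonce and Created, and the lowest-Order-wins rule for choosing a caller identity when both tokens are present. The sample Security header and the LTPA token ValueType ("LTPAv2") are constructed placeholders, not the real wire values.

```python
"""Added example: models the UsernameToken nonce/timestamp check and the
caller-precedence rule for a provider that accepts LTPA and/or UsernameToken.
The LTPA ValueType and the sample header below are constructed placeholders."""
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UNT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"
LTPA_PLACEHOLDER = "LTPAv2"  # assumption: stands in for the real LTPA token ValueType

# Caller configurations as created in step 5, with the Order column from the console.
CALLERS = [
    {"name": "ltpaCaller", "local_part": LTPA_PLACEHOLDER, "order": 1},
    {"name": "untCaller", "local_part": UNT, "order": 2},
]

def tokens_in_header(security_xml):
    """Return the value types of the tokens found in a wsse:Security header."""
    root = ET.fromstring(security_xml)
    found = [bst.get("ValueType") for bst in root.iter(f"{{{WSSE}}}BinarySecurityToken")]
    for unt in root.iter(f"{{{WSSE}}}UsernameToken"):
        # The default general binding's UsernameToken consumer requires Nonce and Created,
        # which is why the client binding sets addNonce and addTimestamp.
        if unt.find(f"{{{WSSE}}}Nonce") is None or unt.find(f"{{{WSU}}}Created") is None:
            raise ValueError("UsernameToken is missing Nonce or Created")
        found.append(UNT)
    return found

def select_caller(security_xml, callers=CALLERS):
    """Pick the caller configuration with the lowest Order among the tokens present."""
    present = set(tokens_in_header(security_xml))
    matches = [c for c in callers if c["local_part"] in present]
    if not matches:
        return None  # no caller configuration applies; no caller identity is set
    return min(matches, key=lambda c: c["order"])["name"]

# Constructed sample header carrying both tokens (all values are placeholders).
BOTH_TOKENS = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:BinarySecurityToken ValueType="{LTPA_PLACEHOLDER}">AAAA</wsse:BinarySecurityToken>
  <wsse:UsernameToken>
    <wsse:Username>alice</wsse:Username>
    <wsse:Password>placeholder</wsse:Password>
    <wsse:Nonce>bm9uY2U=</wsse:Nonce>
    <wsu:Created>2024-01-01T00:00:00Z</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>"""
```

Reordering the entries in CALLERS (as with Move Up and Move Down in the console) changes which identity wins when both tokens arrive.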


Related concepts

  • Access the samples

Related tasks

  • Secure web services using policy sets

  • Copy of default policy set and bindings settings