
Configure a generic security token login module for an authentication token: Token generator

We can configure a generic security token login module used for an authentication token on the token generator side of the Web Services Security process.

When you invoke the generic security token login modules on the generator side, the login module delegates the token generation process to a Security Token Service (STS) using a WS-Trust Issue or WS-Trust Validate request. The STS processes the request and returns a RequestSecurityTokenResponse message to the login module. The login module inserts the token from the STS response message in the security header of the web service request message.

For illustration purposes, it is assumed that policy sets and bindings are configured and attached to an application. For example, we can use the SAML11 Bearer WSSecurity default policy set and SAML Bearer Client sample binding. For more information, see the topic about configuring client and provider bindings for the SAML bearer token.

Complete the following steps to configure the generic security token login module on the token generator side using the console:

  1. Configure the wss.generate.issuedToken JAAS login module for the application.

    1. Expand Applications > Application Types and click WebSphere enterprise applications.

    2. Click the application containing the policy sets and bindings to modify.

    3. Under Web Services Properties, click Service client policy sets and bindings.

    4. In the Binding column on the Service client policy sets and bindings panel, click the name of the binding.

    5. In the Policy column on the Bindings configuration panel, click WS-Security.

    6. Under the Main Message Security Policy Bindings heading, click Authentication and protection.

    7. In the Authentication tokens section of the Authentication and protection panel, select the token to configure. For example, select request:SAMLToken11Bearer.

    8. On the Token generator panel, select the wss.generate.issuedToken option for the JAAS login.

    9. Click Apply.

  2. Configure the callback handler.

    1. Under the Additional Bindings heading, click Callback handler.

    2. Under the Class Name heading on the Callback handler panel, select Use custom and specify com.ibm.websphere.wssecurity.callbackhandler.GenericIssuedTokenGenerateCallbackHandler for the class name.

    3. Click Apply. After you click Apply, a list of existing custom properties displays in the Custom Properties section of the panel. We can add, edit, or delete entries in the custom properties list. For more information about the custom properties for the callback handler, see the information about the com.ibm.wsspi.wssecurity.core.config.IssuedTokenConfigConstants (API). This information is accessible within the Reference > Programming interfaces > APIs - Application Programming Interfaces section of the product documentation.

    4. Click Add to add both the stsURI custom property and its associated value. This custom property value is the target Security Token Service URL address. This property is required unless you want to use a security token from the RunAs subject without calling out to a security token service for validation. For more information, read the information about the validateUseToken and useRunAsSubjectOnly custom properties in subsequent steps.

    5. Click Add to add both the wstrustClientPolicy custom property and its associated value. This custom property value is the trust client policy set name that applies to the WS-Trust client call.

    6. Click Add to add both the wstrustClientBinding custom property and its associated value. The custom property value is the name of the trust client binding that applies to the WS-Trust client call. For more information about creating trust client bindings, see the documentation on configuring client and provider bindings for the SAML bearer token.

    7. Optional: Specify other custom properties. To add these custom properties, click New in the Custom properties section. For more information on custom properties, see Web services security custom properties.

  3. Click OK and click Save to save the bindings.

  4. Stop and restart the applications.
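
A pre-deployment check over the callback handler custom properties from step 2, as an added example that is not part of the product documentation. It assumes the properties have been copied into a Python dict; the https requirement and the advisory on an unset wstrustClientPolicy or wstrustClientBinding are assumptions of this example, not product rules, and the sample values are constructed.

```python
from urllib.parse import urlparse

# Property names as they appear in the steps above.
STS_URI = "stsURI"
TRUST_PROPS = ("wstrustClientPolicy", "wstrustClientBinding")
RUNAS_ONLY = "useRunAsSubjectOnly"


def check_generator_properties(props):
    """Return a list of findings for one callback handler's custom properties."""
    findings = []
    runas_only = props.get(RUNAS_ONLY, "false").strip().lower() == "true"
    sts_uri = props.get(STS_URI, "").strip()

    if not sts_uri:
        # The page makes stsURI required unless the token comes from the
        # RunAs subject without a call to the STS.
        if not runas_only:
            findings.append("stsURI is missing and useRunAsSubjectOnly is not true")
        return findings

    parsed = urlparse(sts_uri)
    if not parsed.hostname:
        findings.append("stsURI is not an absolute URL")
    elif parsed.scheme.lower() != "https":
        # Assumption of this example: an issued bearer token returned over
        # plain HTTP can be read on the wire, so require TLS to the STS.
        findings.append("stsURI does not use https")

    # Advisory (assumption): the procedure sets both explicitly, so flag gaps.
    for name in TRUST_PROPS:
        if not props.get(name, "").strip():
            findings.append(name + " is not set for the WS-Trust client call")
    return findings


# Constructed sample property sets; hosts and names are placeholders.
GOOD = {"stsURI": "https://sts.example.test:9443/sts/issue",
        "wstrustClientPolicy": "ExampleTrustClientPolicy",
        "wstrustClientBinding": "ExampleTrustClientBinding"}
PLAIN_HTTP = dict(GOOD, stsURI="http://sts.example.test:9080/sts/issue")
RUNAS = {"useRunAsSubjectOnly": "true"}
NO_STS = {"wstrustClientPolicy": "ExampleTrustClientPolicy"}

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("plain-http", PLAIN_HTTP),
                          ("runas-only", RUNAS), ("no-sts", NO_STS)):
        print(label, check_generator_properties(sample))
```
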


Results

After you complete this task, the generic security token login module is configured for the token generator.


What to do next

Configure a generic security token login module for the token consumer.


Related concepts

  • Generic security token login module for the token generator
  • Generic security token login modules


Related tasks

  • Configure a generic security token login module for an authentication token: Token consumer

  • Web services security custom properties