Configure a policy set and bindings for a stand-alone security token (UsernameToken or LTPA Token)

We can secure web services by configuring the message-level WS-Security policy set and bindings for a stand-alone security token that is either a LTPA token or a Username token.

This task assumes that the service provider and client that you are configuring are in the JaxWSServicesSamples application. See the documentation on accessing samples to learn how to obtain and install this application. Specify the following trace specification on the server to enable you to debug any future configuration problems that might occur.

*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all: com.ibm.ws.wssecurity.*=all: com.ibm.xml.soapsec.*=all: com.ibm.ws.webservices.trace.*=all: com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:

If LTPA tokens are used, enable the application security on the application servers used for both the client and the service.

This topic describes how to configure a WS-Security policy set and provider bindings for a Username token or an LTPA token. For simplicity, this procedure demonstrates how to remove the timestamp, digital signature, and encryption attributes from the policy; however, you might want to include these attributes in the final configuration. To learn more, see the documentation on configuring a policy set and bindings for Asymmetric XML digital signature or XML encryption with client and provider application specific bindings.

In this task, default provider general bindings are used for the provider application to consume the tokens. If a caller configuration is required, an application-specific binding will be added for the provider.

1. Create the custom policy set.

   1. In the console, click Services > Policy sets > Application Policy sets.

   2. Click New.

   3. Specify Name = OneTokenPolicy.

   4. Click Apply.

   5. Under Policies, click Add > WS-Security.

2. Edit the custom policy set

   1. Remove digital signature, encryption, and timestamp.

      1. In the console, clickWS-Security > Main Policy.

      2. Deselect Message level protection.

      3. Click Apply.

   2. Add the UsernameToken or LTPA token.

      1. Under Policy details, click Request token policies.

      2. Select Add Token Type.

      3. To use a UsernameToken, select UserName. To use an LTPA token, select LTPA.

         Token name=myToken.

      4. Click OK.

3. Configure the client to use the OneTokenPolicy policy set.

   1. In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.

   2. Select the web services client resource.

   3. Click Attach Policy Set.

   4. Select OneTokenPolicy .

4. Create a custom binding for the client.

   1. Select the web services resource again.

   2. Click Assign Binding.

   3. Click New Application Specific Binding to create an application-specific binding

   4. Specify the bindings configuration name. name: oneTokenClientBinding

   5. Click Add > WS-Security

   6. If the Main Message Security Policy Bindings' panel does not display, select WS-Security.

5. Edit the custom binding for the client.

   1. Edit the identity token generator to send the identity username.

      1. Click request:myToken.

      2. Click Apply.

      3. Click Callback handler. User name=(yourUserid) Password=(yourPassword)

      Avoid trouble: This is a userid/password that is valid on the user registry on the provider's system. If we are using LTPA tokens, the userid/password must be valid on both the consumer and provider registries. gotcha

   2. Optional. If configuring a UsernameToken, add the following WS-Security custom properties:

      *com.ibm.wsspi.wssecurity.token.username.addNonce=true
      *com.ibm.wsspi.wssecurity.token.username.addTimestamp=true

      These custom properties are added because they are specified on the UsernameToken consumer default general bindings. If we do not specify those properties here, you will either need to remove those properties from the default provider general bindings or create application-specific bindings for the provider that does not include those properties.

   3. Click OK.

   4. Click Save

6. Configure the provider to use the OneTokenPolicy policy set.

   1. In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings

   2. Select the web services provider resource (OneTokenPolicy)

   3. Click Attach Policy Set.

   4. Select OneTokenPolicy

      Since no bindings are attached to the provider application, it will use the default provider general bindings for the token consumers.

7. Optional. To create a Caller configuration for the provider, create custom bindings for the provider.

   1. Select the web services provider resource again.

   2. Click Assign Binding

   3. Click New Application Specific Binding to create an application-specific binding

   4. Specify Bindings configuration name:oneTokenProvBinding

   5. Click Add > WS-Security

   6. If the Main Message Security Policy Bindings' Panel does not display, select WS-Security

8. Optional. If a Caller configuration will be created, edit the custom bindings for the provider.

   1. Click Caller > New. Name: myCaller.

      • If using a UsernameToken, enter the following:

        • Caller identity local name: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken

      • If using an LTPA token, enter the following:

        • Caller identity local name: LTPAv2

        • Caller identity local URI: http://www.ibm.com/websphere/appserver/tokentype

   2. Click OK.

9. Click Save to save the configuration changes.

10. Restart the client provider.

    1. Stop the client and the provider

    2. Restart the client and the provider

11. Test the Service.

    1. Point the web browser at the JaxWSServicesSamples: http://localhost:9080/wssamplesei/demo

       Avoid trouble: Make sure you provide the correct hostname and port if the profile is not on the same machine or the port is not 9080.gotcha

    2. Select Message Type Synchronous Echo

    3. Make sure Use SOAP 1.2 is not selected

    4. Enter a message and click Send Message. The sample application should reply with JAXWS==>Message.

Results

The JaxWSServicesSamples web services application is configured to generate and consume a UsernameToken or LTPA token in the request message.

Related concepts

Access the samples