Manage policy set attachments for service references
Use wsadmin.sh to manage the policy set attachment configurations for services and service references. Use the Jython or Jacl scripting language to list all attachments and attachment properties, add or remove resources for an existing attachment, and transfer attachments across policy sets.
When administrative security is enabled, verify that you use the correct administrative role, as the following table describes:
Administrative role Authorization Administrator The Administrator role must have cell-wide access to manage policy set attachments. If we have access to a specific resource only, we can manage policy set attachments for the resource for which we have access. Configurator The Configurator role must have cell-wide access to manage policy set attachments. If we have access to a specific resource only, we can manage policy set attachments for the resource for which we have access. Deployer The Deployer role with cell-wide or resource-specific access can manage policy set attachments for application resources only. Operator The Operator role cannot manage policy set attachments. Monitor The Monitor role cannot manage policy set attachments.
Policy set attachments define how a policy set is attached to resources and binding configurations.
Application components including application clients, web modules, and EJB modules, can define references to external web services by using logical names called web service references. Before Version 8.0, web service references always inherited the policy set attachment of the web service.
In Version 8.0 and later, we can specify a policy set and binding for a service reference that is different from the policy set attachment for the service. In addition, we can indicate to not attach a policy set to a service reference, even if a policy set is attached to the service. The default behavior is that a service reference, as well as its endpoints and operations, inherits the policy set attachment of the corresponding resources of the service. Service references are only valid for the client attachment type.
In a mixed cell environment, the following limitations apply to service reference attachments or resource attachments specified in name-value pair format:
- We must not create these types of attachments for applications that are deployed on an application server that is prior to WebSphere Application Server Version 8.0. Service reference attachments are only supported on WebSphere Application Server V8.0 and later.
- An application containing these types of attachments must not be deployed on an application server that is prior to WebSphere Application Server Version 8.0.
- If an application that is deployed in a cluster environment contains these types of attachments, you must not add a member application server that is prior to WebSphere Application Server Version 8.0 to the cluster.
.
- Query the configuration for policy set attachments and attachment properties.
Before making configuration changes to the policy set attachments, use the listAttachmentsForPolicySet and getPolicySetAttachments commands to view current configuration information about the policy set attachments.
- Start the wsadmin scripting tool.
- Use the listAttachmentsForPolicySet command to view all applications to which a specific policy set is attached; for example:
AdminTask.listAttachmentsForPolicySet('[-policySet PolicySet1 -attachmentType client]')
- Use the getPolicySetAttachments command to view the properties for all policy set attachments in a specified application; for example:
AdminTask.getPolicySetAttachments('[-applicationName application1 -attachmentType client]')
- Determine the assets to which a specific policy set is attached.
Use the listAssetsAttachedToPolicySet command to display the assets that are attached to the policy set of interest:
AdminTask.listAssetsAttachedToPolicySet('[-policySet SecureConversation]')
The command returns a list of properties that describe each asset. Each properties object contains the assetType property, which specifies the type of asset.
- Use the createPolicySetAttachment command to create the policy set attachment.
For the commands in the PolicySetManagement group, the term, resource, refers to a web service artifact. For service references, use name-value pairs to specify the resource name. We can also use this format instead of the application hierarchy format to specify service resources.
The following format for application and client policy set attachments is required for service reference resources. For resources that are not service references, we can use either this format or the format specified in the managing policy set attachments documentation. Use the following format for application and client policy set attachments:
- type=WebService:/
Attaches all artifacts in the application to the policy set.
- type=WebService:/,module=myModule.war,service={ http://www.mynamespace.com}myService
Attaches all artifacts within the web service, {http://www.mynamespace.com}myService, to the policy set. Provide a fully qualified name (QName) for the service.
- type=WebService:/,module=myModule.war,service={ http://www.mynamespace.com }myService,serviceRef=myServiceRef
Attaches all artifacts within the web service reference, myServiceRef, to the policy set.
- type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA
Attaches all operations for the service reference, endpointA, endpoint in the service reference, myServiceRef, to the policy set.
- type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA,operation=operation1
Attaches only the operation1 operation in the service reference,
myServiceRef, to the policy set.
Use the inheritFromService parameter and specify either true or false to indicate whether to inherit the policy set attachment from the service.
- If we specify a service reference resource with inheritFromService=false and no policySet parameter, all attachments for the service reference are removed and the service reference does not inherit the policy set attachments of the service.
- If we specify a service reference resource with inheritFromService=false and policySet=<policySetName>, an attachment for the service reference resource to the policy set is created. If we create an attachment to attach a service reference to a policy set, the service reference does not inherit the policy set of the service.
- If we specify a service reference resource with inheritFromService=true, the service reference inherits the attachments for the service. The inheritFromService parameter is only valid for service references. If no policySet parameter is specified, the inheritFromService parameter is only valid at the serviceRef level, not at the endpoint or operation level.
For example, to attach policy set PolicySet1 to all operations and endpoints for the service reference, enter the following command:
AdminTask.createPolicySetAttachment('[-resources "type=WebService:/,module=webapp1.war,service= {http://www.mynamespace.com}myService,serviceRef=myServiceRef" -applicationName application1 -attachmentType client -policySet PolicySet1 -inheritFromService false]')To specify that the service reference does not have a policy set attachment and does not inherit the policy set from the service, enter the following command:
AdminTask.createPolicySetAttachment('[-resources "type=WebService:/,module=webapp1.war,service= {http://www.mynamespace.com}myService,serviceRef=myServiceRef" -applicationName application1 -attachmentType client -inheritFromService false]')
- Modify resources that apply to a policy set attachment.
- Start the wsadmin scripting tool.
- Determine the resource of interest, and review the command syntax for the updatePolicySetAttachment command.
- Modify the attachment.
For example, the policy set attachment is connected to the operation1 operation, which is a specific single operation. To attach the 124 attachment to all operations for the endpointA endpoint in the service reference, enter the following command:
AdminTask.updatePolicySetAttachment('[-attachmentId 124 -resources "type=WebService:/,module=webapp1.war,service={http://www.mynamespace.com}myService,serviceRef=myServiceRef, endpoint=endpointA" -applicationName application1 -attachmentType client]')
The updatePolicySetAttachment command replaces all existing resources for an attachment with the resources specified in the command. If we update an attachment to attach a service reference to a policy set, the service reference does not inherit the policy set of the service. We can also update the policy set attachments using the addToPolicySetAttachment command to add resources to an existing attachment, or we can also use the createPolicySetAttachment command to create an attachment for a specific resource. For more information about these commands reference the commands for the PolicySetManagement group (AdminTask). A resource for a service reference cannot be included in the same attachment as a resource for a service.
- Save the configuration changes.
Enter the following command to save the changes:
AdminConfig.save()
- Remove resources that apply to a policy set attachment.
- Start the wsadmin scripting tool.
- Determine which resources to remove with the command. We can remove a resource for each web service artifact, each endpoint operation, or for a specific operation. In the following example, the command removes the newAttach attachment from operation1 in the service reference myPlantServiceRef, which is associated with the plantShop application and myPlantService service:
AdminTask.removeFromPolicySetAttachment('[-attachmentId newAttach -resources "type=WebService:/,module=webapp1.war,service={http://www.mynamespace.com}myPlantService, serviceRef=myPlantServiceRef,endpoint=endpointA,operation=operation1" -applicationName plantShop -attachmentType client]')
The command returns a success or failure message.
- Save the configuration changes.
Enter the following command to save the changes:
AdminConfig.save()
- Transfer attachments from one policy set to another policy set. This command detaches each web service from the source policy set and attaches those web services to the destination policy set. The destination policy set must have the same set of enabled policy types as the source policy set.
- Enter the following command to transfer all attachments:
AdminTask.transferAttachmentsForPolicySet('[-sourcePolicySet PolicySet1 -destinationPolicySet PolicySet2]')
The command returns a success or failure message.
- Save the configuration changes.
Enter the following command to save the changes:
AdminConfig.save()
Related tasks
Manage policy set attachments Configure attachments for the trust service using the administrative console Configure application and system policy sets for web services Create policy set attachments Remove policy set attachments Manage policy sets using the administrative console
Search attached applications collection PolicySetManagement (AdminTask)