Protection token settings (generator or consumer)

Use this page to configure protection tokens. Protection tokens sign messages to protect integrity or encrypt messages to provide confidentiality.

We can add protection token settings for message parts when editing general provider or client policy set bindings. We can also configure application specific bindings for tokens and message parts required by the policy set.

To view this administrative console page when editing a general provider binding...

  1. Click Services > Policy sets > General provider policy set bindings.

  2. Click on the name of the binding to edit.

  3. Click the WS-Security policy in the Policies table.

  4. Click the Authentication and protection link in the security policy bindings section.

  5. Click New token to create a new token generator or consumer, or click an existing consumer or generator token link from the Protection Tokens table.

To view this administrative console page when editing a general client binding...

  1. Click Services > Policy sets > General client policy set bindings.

  2. Click on the name of the binding to edit.

  3. Click the WS-Security policy in the Policies table.

  4. Click the Authentication and protection link in the Main message security policy bindings section.

  5. Click New token to create a new token generator or consumer, or click an existing consumer or generator token link from the Protection Tokens table.

To view this administrative console page when we are configuring application specific bindings for tokens and message parts that are required by the policy set...

  1. Click Applications > WebSphere enterprise applications.

  2. Select an application containing web services. The application must contain a service provider or a service client.

  3. Click the Service provider policy sets and bindings link or the Service client policy sets and bindings link in the Web Services Properties section.

  4. Select a binding. We must have previously attached a policy set and assigned a binding.

  5. Click the WS-Security policy in the Policies table.

  6. Click the Authentication and protection link in the security policy bindings section.

  7. Click a consumer or generator token link from the Protection Tokens table.

This administrative console page applies only to JAX-WS applications.


Name

Token generator or consumer name. Enter a name in this field when creating a new token.


Token type

Type of token. When using bindings, the token type is determined from the policy and cannot be edited.

Valid values are:

The Secure Conversation Token v200502 token type for the WS-Security policy represents the requirement for a Security Context Token as defined in the February 2005 level of the WS-SecureConversation specification.


Enforce token version

When LTPA Token v2.0 is selected as the token type, both LTPA version 1 and LTPA version 2 tokens can be consumed. Select this checkbox to restrict token consumption to the LTPA Token v2.0 token type.


Local name

Local name of the custom token generator or consumer. The Local name field is populated based on the token type displayed. Use this field to edit custom token types only.

If the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile V1.1, use one of the following values listed for the local name. The value you choose depends on the specification level of the Kerberos token generated by the Key Distribution Center (KDC). The following table lists the values and the specification level associated with each value. For purposes of interoperability, the Basic Security Profile V1.1 standard requires the use of the local name http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ.

Local name value for Kerberos token, with the associated specification level:

  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
      Kerberos v5 AP-REQ as defined in the Kerberos specification. Use this value when the Kerberos ticket is an AP Request.

  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
      GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC-1964, Sec. 1.1 and its successor RFC-4121, Sec. 4.1. Use this value when the Kerberos ticket is an AP Request (ST + Authenticator).

  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
      Kerberos v5 AP-REQ as defined in RFC1510. Use this value when the Kerberos ticket is an AP Request per RFC1510.

  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
      GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC-1964, Sec. 1.1 and its successor RFC-4121, Sec. 4.1. Use this value when the Kerberos ticket is an AP Request (ST + Authenticator) per RFC1510.

  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
      Kerberos v5 AP-REQ as defined in RFC4120. Use this value when the Kerberos ticket is an AP Request per RFC4120.

  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
      GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC-1964, Sec. 1.1 and its successor RFC-4121, Sec. 4.1. Use this value when the Kerberos ticket is an AP Request (ST + Authenticator) per RFC4120.


URI

Uniform resource identifier (URI) of the custom token generator or consumer. The URI field is populated based on the token type displayed. Use this field to edit custom token types only.

Leave this field blank if the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile V1.1.


JAAS login

Specifies the JAAS application login information. Click New to add a new JAAS application login or JAAS system login entry.

If the server is in a security domain that includes specific system or application logins, these logins are listed in the JAAS login menu, in addition to the global logins.


New Application Login

Click to go to the effective JAAS login collection for the current security domain.


Custom properties - Name

Name of the custom property. Custom properties are not initially displayed in this column until they are added.

Select one of the following actions for custom properties:

  Button   Resulting action
  New      Creates a new custom property entry. To add a custom property, enter the name and value.
  Edit     Specifies that we can edit the selected custom property. Select this action to provide input fields and create the listing of cell values for editing. The Edit button is not available until at least one custom property has been added.
  Delete   Removes the selected property.

If the custom token type is used to generate a Kerberos token, specify the following custom properties:

Custom property name, with its value:

  com.ibm.wsspi.wssecurity.krbtoken.targetServiceName
      Name of the target service. Required.

  com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost
      Host name that is associated with the target service, in the following format: myhost.mycompany.com. Required.

  com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm
      Name of the realm that is associated with the target service. This property is optional for a single Kerberos realm. If the targetServiceRealm property is not specified, the default realm name from the Kerberos configuration file is used as the realm name. In a cross or trusted realm environment, provide a value for the targetServiceRealm property.

For the token generator, the combination of the target service name and target hostname forms the Service Principal Name (SPN), which represents the target Kerberos service principal name. The Kerberos client requests the initial Kerberos AP_REQ token for the SPN.

If an application generates or consumes a Kerberos V5 AP_REQ token for each web services request message, set the com.ibm.wsspi.wssecurity.kerberos.attach.apreq custom property to true in the token generator and the token consumer bindings for the application. For more information, see the Web Services Security troubleshooting tips topic.
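The Local name table above and the krbtoken custom properties are easy to get subtly wrong (a non-interoperable local name, a non-blank URI, a missing host, no realm in a cross-realm setup). The script below is an added example, not IBM's or WebSphere's code: it encodes the six local name values, the required and optional com.ibm.wsspi.wssecurity.krbtoken.* properties and the attach.apreq flag from this page as plain Python data and checks a proposed binding against them. The function name check_kerberos_token_binding, the service/host@REALM layout used to show the resulting SPN (the standard Kerberos principal form; WebSphere builds the SPN internally) and the sample host and realm values are assumptions made for the example.

```python
"""Check a protection token binding that generates a Kerberos token.

Added example, not IBM's code. The Local name values and the
com.ibm.wsspi.wssecurity.krbtoken.* properties come from the WebSphere help
page; the SPN layout service/host@REALM is assumed (standard Kerberos form).
"""

KRB_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1"

# Local name values from the page's table, with their specification level.
KERBEROS_LOCAL_NAMES = {
    KRB_PROFILE + "#Kerberosv5_AP_REQ": "Kerberos v5 AP-REQ, Kerberos specification",
    KRB_PROFILE + "#GSS_Kerberosv5_AP_REQ": "GSS-API KRB_AP_REQ, RFC 1964 / RFC 4121",
    KRB_PROFILE + "#Kerberosv5_AP_REQ1510": "Kerberos v5 AP-REQ per RFC 1510",
    KRB_PROFILE + "#GSS_Kerberosv5_AP_REQ1510": "GSS-API KRB_AP_REQ per RFC 1510",
    KRB_PROFILE + "#Kerberosv5_AP_REQ4120": "Kerberos v5 AP-REQ per RFC 4120",
    KRB_PROFILE + "#GSS_Kerberosv5_AP_REQ4120": "GSS-API KRB_AP_REQ per RFC 4120",
}
# Basic Security Profile V1.1 requires this single value for interoperability.
BSP11_LOCAL_NAME = KRB_PROFILE + "#GSS_Kerberosv5_AP_REQ"

PREFIX = "com.ibm.wsspi.wssecurity.krbtoken."
SERVICE_NAME = PREFIX + "targetServiceName"     # required
SERVICE_HOST = PREFIX + "targetServiceHost"     # required
SERVICE_REALM = PREFIX + "targetServiceRealm"   # optional in a single realm
ATTACH_APREQ = "com.ibm.wsspi.wssecurity.kerberos.attach.apreq"


def check_kerberos_token_binding(local_name, uri, props, default_realm, cross_realm=False):
    """Check one token generator/consumer binding (hypothetical helper).

    Returns a dict with 'errors' (configuration that cannot work as described
    on the page), 'warnings' (works, but worth a second look) and 'spn' (the
    service principal the generator would request a ticket for, or None when
    there are errors).
    """
    errors, warnings = [], []

    if local_name not in KERBEROS_LOCAL_NAMES:
        errors.append("local name is not a Kerberos Token Profile 1.1 value: %r" % local_name)
    elif local_name != BSP11_LOCAL_NAME:
        warnings.append("local name is valid (%s) but not the BSP 1.1 interoperability value"
                        % KERBEROS_LOCAL_NAMES[local_name])

    # The URI field stays blank for a Kerberos custom token.
    if uri:
        errors.append("URI must be blank for a Kerberos custom token, got %r" % uri)

    for key in (SERVICE_NAME, SERVICE_HOST):
        if not props.get(key):
            errors.append("missing required custom property " + key)

    realm = props.get(SERVICE_REALM)
    if not realm:
        if cross_realm:
            errors.append(SERVICE_REALM + " is required in a cross or trusted realm environment")
        else:
            # Single realm: the default realm from the Kerberos configuration file applies.
            realm = default_realm
            warnings.append("no %s set; default realm %s applies" % (SERVICE_REALM, default_realm))

    # attach.apreq is a true/false switch on the page; treat anything else as a typo.
    apreq = props.get(ATTACH_APREQ)
    if apreq is not None and apreq.lower() not in ("true", "false"):
        errors.append(ATTACH_APREQ + " must be 'true' or 'false', got %r" % apreq)

    spn = None
    if not errors:
        # Assumed layout: target service name / target host @ realm.
        spn = "%s/%s@%s" % (props[SERVICE_NAME], props[SERVICE_HOST], realm)
    return {"errors": errors, "warnings": warnings, "spn": spn}


# Constructed sample binding; the host and realm are placeholders, not a real site.
SAMPLE_PROPS = {
    SERVICE_NAME: "HTTP",
    SERVICE_HOST: "myhost.mycompany.com",
    ATTACH_APREQ: "true",
}

if __name__ == "__main__":
    result = check_kerberos_token_binding(BSP11_LOCAL_NAME, "", SAMPLE_PROPS, "MYCOMPANY.COM")
    for line in result["errors"]:
        print("ERROR:", line)
    for line in result["warnings"]:
        print("WARN:", line)
    print("SPN:", result["spn"])
```

Run it against the values you intend to type into the Custom properties table before saving the binding; a realm warning is expected in a single-realm deployment, whereas in a cross-realm deployment pass cross_realm=True so a missing targetServiceRealm is reported as an error rather than silently defaulted.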


Custom properties - Value

Value of the custom property. Use the Value field to enter, edit, or delete the value for a custom property.


Callback handler

After all other configurations on the protection token page are applied or saved, this section is displayed and links to the configuration settings for the callback handler. Click this link to specify callback handler settings that determine how security tokens are acquired from message headers.


Tolerate secure conversation token V200502

The secure conversation token V200502 token type for the WS-Security policy represents the requirement for a secure conversation token as defined in the February 2005 level of the WS-SecureConversation specification. This option specifies whether the provider handles both secure conversation token V1.3 and secure conversation token V200502. By default, the provider handles both versions. To make the provider handle only the V1.3 token, clear the check box.

This checkbox is displayed only in the service provider token consumer panel.

  Information     Value
  Data type       Check box
  Range           Selected or cleared
  Default value   Selected


Related tasks

  • Define and manage policy set bindings
  • Manage policy sets using the administrative console
  • Web Services Security troubleshooting tips
  • Callback handler settings for JAX-WS
  • Application policy sets collection
  • Application policy set settings
  • Search attached applications collection
  • Policy set bindings settings
  • Configuration entry settings for Java Authentication and Authorization Service