WAS v8.5 > Secure applications > Secure web services > Secure web services > Administer Web Services Security > Administer message-level security for JAX-RPC web services > Configure message-level security for JAX-RPC at the server or cell level

Configure token consumers using JAX-RPC to protect message authenticity at the server level

The token consumer on the server level is used to specify the information needed to process the security token if it is not defined at the application level.

You need to understand the keystore/alias information that you provide for the generator, and the keystore/alias information that you provide for the consumer are used for different purposes.

The main difference applies to the Alias for an X.509 callback handler.

When used in association with an encryption consumer, the alias supplied for the consumer is used retrieve the private key to decrypt the message. A password is required. When associated with a signature consumer, the alias supplied for the consumer is used strictly to retrieve the public key used to resolve an X.509 certificate not passed in the SOAP security header as a BinarySecurityToken. A password is not required.

WebSphere Application Server provides default values for bindings. You must modify the defaults for a production environment.

To configure the token consumers on the server level.

1. Access the default bindings for the server level.

   1. Click Servers > Server Types > WebSphere application servers > server_name.

   2. Under Security, click JAX-WS and JAX-RPC security runtime.

      In a mixed node cell with a server using WAS v6.1 or earlier, click Web services: Default bindings for Web Services Security.

2. Under Default consumer bindings, click Token consumers.

3. Click New to create a token consumer configuration, click Delete to delete an existing configuration, or click the name of an existing token consumer configuration to edit its settings. If we are creating a new configuration, enter a unique name for the token consumer configuration in the Token consumer name field. For example, you might specify sig_tcon. This field specifies the name of the token consumer element.

4. Specify a class name in the Token consumer class name field. The JAAS Login Module implementation is used to validate (authenticate) the security token on the consumer side.

   Restriction: The com.ibm.wsspi.wssecurity.token.TokenConsumingComponent interface is not used with JAX-WS web services. If we are using JAX-RPC web services, this interface is still valid.

   The token consumer class name must be similar to the token generator class name.

   For example, if the application requires an X.509 certificate token consumer, we can specify the com.ibm.wsspi.wssecurity.token.X509TokenGenerator class name on the Token generator panel and the com.ibm.wsspi.wssecurity.token.X509TokenConsumer class name in this field. WAS provides the following default token consumer class implementations:

   com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer

   This implementation integrates a user name token.

   com.ibm.wsspi.wssecurity.token.X509TokenConsumer

   This implementation integrates an X.509 certificate token.

   com.ibm.wsspi.wssecurity.token.LTPATokenConsumer

   This implementation integrates a LTPA (LTPA) token.

   com.ibm.wsspi.wssecurity.token.IDAssertionUsernameTokenConsumer

   This implementation integrates an IDAssertionUsername token.

   A corresponding token generator class does not exist for this implementation.

5. Select a certificate path option. The certificate path specifies the certificate revocation list (CRL) used for generating a security token wrapped in a PKCS#7 with a CRL. WAS provides the following certificate path options:

   None

   If selected, the certificate path is not specified.

   Trust any

   If selected, any certificate is trusted. When the received token is consumed, the certificate path validation is not processed.

   Dedicated signing information

   If selected, we can specify a trust anchor and a certificate store. When you select the trust anchor or the certificate store of a trusted certificate, configure the collection certificate store before setting the certificate path. To define a collection certificate store on the server level, see Configure the collection certificate on the server level.

   1. Select a trust anchor in the Trust anchor field. WAS provides two sample trust anchors. However, IBM recommends that you configure our own trust anchors for a production environment. For information on configuring a trust anchor, see Configure trust anchors on the server level.

   2. Select a collection certificate store in the Certificate store field. WAS provides a sample collection certificate store. If we select None, the collection certificate store is not specified. For information on specifying a list of certificate stores containing untrusted, intermediary certificate files awaiting validation, see Configure trusted ID evaluators on the server level.

6. Select a trusted ID evaluator from the Trusted ID evaluation reference field. This field specifies a reference to the Trusted ID evaluator class name defined in Trusted ID evaluators panel. The trusted ID evaluator is used for evaluating whether the received ID is trusted. If we select None, the trusted ID evaluator is not referenced in this token consumer configuration. To configure a trusted ID evaluator, see Configure trusted ID evaluators on the server level.

7. Select the Verify nonce option if a nonce is included in a user name token on the generator side. Nonce is a unique cryptographic number that is embedded in a message to help stop repeat, unauthorized attacks of user name tokens. The Verify nonce option is available if we specify a user name token for the token consumer and nonce is added to the user name token on the generator side.

8. Select the Verify timestamp option if a time stamp is included in the user name token on the generator side. The Verify Timestamp option is available if we specify a user name token for the token consumer and a time stamp is added to the user name token on the generator side.

9. Specify the local name of the value type for the integrated token. This entry specifies the local name of the value type for a security token referenced by the key identifier. This attribute is valid when Key identifier is selected as the key information type. To specify the key information type, see Configure the key information for the consumer binding using JAX-RPC on the server level. WAS has predefined value type local names for the user name token and the X.509 certificate security token. Enter one of the following local names for the user name token and the X.509 certificate security token. When we specify the following local names, we do not need to specify the URI of the value type:

   Username token

   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken

   X.509 certificate token

   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3

   X.509 certificates in a PKIPath

   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1

   A list of X.509 certificates and CRLs in a PKCS#7

   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7

   To specify Lightweight Third Party Authentication (LTPA) or token propagation (LTPA_PROPAGATION), specify both the value type local name and the Uniform Resource Identifier (URI). For LTPA, specify LTPA for the local name and http://www.ibm.com/websphere/appserver/tokentype/5.0.2 for the URI. For LTPA token propagation, specify LTPA_PROPAGATION for the local name and http://www.ibm.com/websphere/appserver/tokentype for the URI. For example, when an X.509 certificate token is specified, we can use http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 for the local name. When we specify the local name of another token, specify a value type Qname. For example: uri=http://www.ibm.com/custom, localName=CustomToken

10. Specify the value type uniform resource identifier (URI) in the URI field. This entry specifies the namespace URI of the value type for a security token referenced by the key identifier. This attribute is valid when Key identifier is selected as the key information type on the Key information panel for the default generator. When we specify the token consumer for the user name token or an X.509 certificate security token, we do not need to specify this option. If we specify another token, specify the URI of the QName for the value type.

11. Click OK and then Save to save the configuration. After saving the token generator configuration, we can specify a JAAS configuration for the token consumer.

12. Click the name of your token generator configuration.

13. Under Additional properties, click JAAS configuration.

14. Select a JAAS configuration from the JAAS configuration name field.

    The field specifies the name of the JAAS system for application login configuration. We can specify additional JAAS system and application configurations by clicking Security > Global security. Expand Java Authentication and Authorization Service, then click Application logins > New or System logins > New. Do not remove the predefined system or application login configurations. However, within these configurations, we can add module class names and specify the order in which WAS loads each module. WAS provides the following predefined JAAS configurations:

    ClientContainer

    This selection specifies the login configuration used by the client container applications. The configuration uses the CallbackHandler API defined in the deployment descriptor for the client container. To modify this configuration, see the JAAS configuration panel for application logins.

    WSLogin

    This selection specifies whether all of the applications can use the WSLogin configuration to perform authentication for the security run time. To modify this configuration, see the JAAS configuration panel for application logins.

    DefaultPrincipalMapping

    This selection specifies the login configuration used by Java 2 Connectors (J2C) to map users to principals that are defined in the J2C authentication data entries. To modify this configuration, see the JAAS configuration panel for application logins.

    system.wssecurity.IDAssertion

    This selection enables a v5.x application to use identity assertion to map a user name to a WAS credential principal. To modify this configuration, see the JAAS configuration panel for system logins.

    system.wssecurity.Signature

    This selection enables a v5.x application to map a distinguished name (DN) in a signed certificate to a WAS credential principal. To modify this configuration, see the JAAS configuration panel for system logins.

    system.LTPA_WEB

    This selection processes login requests used by the web container such as servlets and JSP files. To modify this configuration, see the JAAS configuration panel for system logins.

    system.WEB_INBOUND

    This selection handles login requests for web applications, which include servlets and JSP files. This login configuration is used by WAS v5.1.1. To modify this configuration, see the JAAS configuration panel for system logins.

    system.RMI_INBOUND

    This selection handles logins for inbound Remote Method Invocation (RMI) requests. This login configuration is used by WAS v5.1.1. To modify this configuration, see the JAAS configuration panel for system logins.

    system.DEFAULT

    This selection handles the logins for inbound requests that are made by internal authentications and most of the other protocols except web applications and RMI requests. This login configuration is used by WAS v5.1.1. To modify this configuration, see the JAAS configuration panel for system logins.

    system.RMI_OUTBOUND

    This selection processes RMI requests sent outbound to another server when the com.ibm.CSIOutboundPropagationEnabled property is true. Set in the CSIv2 authentication panel. To access the panel, click Security > Global security. Under Authentication, expand RMI/IIOP security and click CSIv2 outbound authentication. To set the com.ibm.CSIOutboundPropagationEnabled property, select Security attribute propagation. To modify this JAAS login configuration, see the JAAS - System logins panel.

    system.wssecurity.X509BST

    This section verifies an X.509 binary security token (BST) by checking the validity of the certificate and the certificate path. To modify this configuration, see the JAAS configuration panel for system logins.

    system.wssecurity.PKCS7

    This selection verifies an X.509 certificate with a certificate revocation list in a PKCS7 object. To modify this configuration, see the JAAS configuration panel for system logins.

    system.wssecurity.PkiPath

    This section verifies an X.509 certificate with a public key infrastructure (PKI) path. To modify this configuration, see the JAAS configuration panel for system logins.

    system.wssecurity.UsernameToken

    This selection verifies the basic authentication (user name and password) data. To modify this configuration, see the JAAS configuration panel for system logins.

    system.wssecurity.IDAssertionUsernameToken

    This selection enables Versions 6 and later applications to use identity assertion to map a user name to a WAS credential principal. To modify this configuration, see the JAAS configuration panel for system logins.

    system.WSS_INBOUND

    This selection specifies the login configuration for inbound or consumer requests for security token propagation using Web Services Security. To modify this configuration, see the JAAS configuration panel for system logins.

    system.WSS_OUTBOUND

    This selection specifies the login configuration for outbound or generator requests for security token propagation using Web Services Security. To modify this configuration, see the JAAS configuration panel for system logins.

    None

    With this selection, we do not specify a JAAS login configuration.

15. Click OK and then Save to save the configuration.

Results

You have configured the token consumer at the server level.

Specify a similar token generator configuration for the server level.

Subtopics

• Token consumer page
  Use this page to view the token consumer. The information is used on the consumer side only to process the security token.
• Token consumer configuration settings
  Use this page to specify the information for the token consumer. The information is used at the consumer side only to process the security token.

Related

Configure trusted ID evaluators on the server level
Configure the collection certificate on the server level
Configure trust anchors on the server level
Configure programmatic logins for Java Authentication and Authorization Service

+

Search Tips   |   Advanced Search