WAS v8.5 > Secure applications > Secure web services > Secure web services > Administer Web Services Security > Configure XML encryption for v5.x web services with the dmgr console

Configure pluggable tokens

We can configure the client-side request sender (ibm-webservicesclient-bnd.xmi file) or server-side request receiver (ibm-webservices-bnd.xmi file) using the WebSphere Application Server dmgr console.

There is an important distinction between v5.x and v6 and later applications. The information in this article supports v5.x applications only used with WAS v6.0.x and later. The information does not apply to v6.0.x and later applications.

Prior to completing these steps, it is assumed that we have already created a web service based on the Java EE specification. See either of the following topics for an introduction of how to manage Web Services Security binding information for the server:

This document describes how to configure a pluggable token in the request sender (ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi file) and request receiver (ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi file).

The pluggable token is required for the request sender and request receiver as they are a pair. The request sender and the request receiver must match for a request to be accepted by the receiver.

Prior to completing these steps, it is assumed deployeded a web services-enabled enterprise application to the WAS.

Use the following steps to configure the client-side request sender (ibm-webservicesclient-bnd.xmi file) or server-side request receiver (ibm-webservices-bnd.xmi file) using the WAS dmgr console.

  1. Click Applications > Application Types > WebSphere enterprise applications > enterprise_application.

  2. Under Modules, click Manage modules > URI_name. The URI is the web services-enabled module.

    1. Under Web Services Security Properties, click Web services: client security bindings to edit the response sender binding information, if web services are acting as client.

      1. Under Response sender binding, click Edit.

      2. Under Additional Properties, click Login binding.

      3. Select Dedicated login binding to define a new login binding.

        1. Enter the authentication method, this must match the authentication method defined in IBM extension deployment descriptor. The authentication method must be unique in the binding file.

        2. Enter an implementation of the JAAS javax.security.auth.callback.CallbackHandler interface.

        3. Enter the basic authentication information (User ID and Password) and the basic authentication information is passed to the construct of the CallbackHandler implementation. The usage of the basic authentication information is up to the implementation of the CallbackHandler.

        4. Enter the token value type, it is optional for BasicAuth, Signature and IDAssertion authentication methods but required for any other authentication method. The token value type is inserted into the <wsse:BinarySecurityToken>@ValueType for binary security token and used as the namespace of the XML based token.

        5. Click Properties. Define the property with name and value pairs. These pairs are passed to the construct of the CallbackHandler implementation as java.util.Map.

        Select None to deselect the login binding.

    2. Under Web Services Security Properties, click Web services: server security bindings to edit the request receiver binding information.

      1. Under Request Receiver Binding, click Edit.

      2. Under Additional Properties, click Login mappings.

      3. Click New to create new login mapping.

        1. Enter the authentication method, this must match the authentication method defined in the IBM extension deployment descriptor. The authentication method must be unique in the login mapping collection of the binding file.

        2. Enter a JAAS Login Configuration name. The JAAS Login Configuration must be defined under Security > Global security. Under Authentication, click Java Authentication and Authorization Service > Application logins. For more information, read about configuring programmatic logins for Java Authentication and Authorization Service.

        3. Enter an implementation of the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory interface. This is a mandatory field.

        4. Enter the token value type, it is optional for BasicAuth, Signature and IDAssertion authentication methods but required for any other authentication method. The token value type is used to validate against the <wsse:BinarySecurityToken>@ValueType for binary security token and against the namespace of the XML based token.

        5. Enter the name and value pairs for the "Login Mapping Property" by clicking Properties . These name and value pairs are available to the JAAS Login Module or Modules by com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback JAAS Callback. Note: This is true when editing existing login mappings but not when creating new login mappings.

        6. Enter the name and value pairs for the "Callback Handler Factory Property", this name and value pairs is passed as java.util.Map to the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory.init() method. The usage of these name and value pairs is up to the CallbackHandlerFactory implementation.

    3. Click authentication method link to edit the selected login mapping.

    4. Click Remove to remove the selected login mapping or mappings.

  3. Click Save.


Results

The previous steps define how to configure the request sender to create security tokens in the SOAP message and the request receiver to validate the security tokens found in the incoming SOAP message. WAS supports pluggable security tokens.

We can use the authentication method defined in the login bindings and login mappings to generate security tokens in the request sender and validate security tokens in the request receiver.

After we have configured pluggable tokens, configure both the client and the server to support pluggable tokens. See the following topics to configure the client and the server:


Related concepts:

Pluggable token support
Overview of authentication methods
Binary security token
XML token
Username token
Security token
Overview of token types


Related


Configure pluggable tokens using an assembly tool
Configure programmatic logins for Java Authentication and Authorization Service


+

Search Tips   |   Advanced Search