
Configure attachments for the trust service

We can attach the trust service operations for a service endpoint to a system policy set and binding. Each new endpoint specified initially has the following four operations: issue, renew, cancel, and validate. By default, all endpoints inherit the policy set and binding that are attached to the respective trust service operation under Trust Service Defaults. However, we can explicitly attach a different policy set.

First you must define your policy sets and bindings. Policies describe the protection or quality of service provided (such as message security, transport and so forth). Bindings specify some details about how to implement the policy, such as: the path for the keystore file, the class name of the token generator, or the JAAS configuration name.

Use system policy sets with the trust service only. The requestor (client) must use JAX-WS only. Requestors that use Java API for XML-based remote procedure calls (JAX-RPC) are not compatible with the policy set quality of service (QoS).

Depending on your assigned security role when security is enabled, you might not have access to text entry fields or buttons to create or edit configuration data. Review the administrative roles documentation to learn more about the valid roles for the application server. We can attach the trust service operations for a new endpoint to an existing policy set and binding. For each new service endpoint specified, four trust service operations (cancel, renew, validate and issue) change from having inherited attachments to being explicitly attached. The four operations are attached to the respective policy set and binding as specified in Trust Service Defaults. Then we can change the attachment to the desired existing policy set and binding.

An endpoint policy set consists of two sections: a bootstrap section and an application section. The system policy set attached to the issue and renew trust service operations for a specific endpoint must correspond to the bootstrap section of the policy set for that endpoint. The system policy set attached to the cancel and validate trust service operations for a specific endpoint must correspond to the application section of the policy set for that endpoint.

This task describes how to manage trust service operations for service endpoint URLs to attach to a system policy set and binding. To complete the configuration of the WebSphere Application Server trust service, you must also complete the following task:

The sample general bindings provided with the product are initially set as the global security (cell) default bindings.

The default service provider binding and the default service client binding are used when no application-specific bindings or trust service bindings are assigned to a policy set attachment. For trust service attachments, the default bindings are used when no trust-specific bindings are assigned. If we do not want to use the provided Provider sample as the default service provider binding, we can select an existing general provider binding or create a new general provider binding to meet your business needs. Likewise, if we do not want to use the provided Client sample as the default service client binding, we can select an existing general client binding or create a new general client binding. To specify your global security (cell) default bindings, use the deployment manager (dmgr) console and click Services > Policy sets > Default policy set bindings. For environments with multiple security domains, we can optionally choose the general provider and general client bindings to use as the default bindings for a domain. For more information about default bindings, see the topic Setting default policy set bindings.

  1. To manage system policy set attachments for trust service operations, click Services > Trust service > Trust service attachments. The list displays all endpoints that have at least one operation with a policy set attached as well as Trust Service Defaults. The list also displays the system policy set and the binding for each operation.

  2. Select one or more of the following actions to configure the trust service attachments:

    New Attachment

    Opens a new panel where we can specify the service endpoint URL. For each new service endpoint specified, four trust service operations (cancel, renew, validate and issue) change from having inherited attachments to being explicitly attached. The four operations are attached to the respective policy set and binding as specified in Trust Service Defaults. These initial attachments can be changed.

    Attach

    Displays a list of existing system policy sets, including the default trust-related system policy sets, to which each of the four trust service operations for a service endpoint can be attached. First, select the operation (for example, Cancel token) and then click Attach to display the list of available system policy sets. Select a default or custom system policy set to attach. When you change the policy set attachment, the binding automatically changes to Default. Select the operation and click Assign Binding to change the binding.

    The pre-configured system policy sets that we can select include:

    • TrustServiceSecurityDefault

      This trust policy set specifies the asymmetric algorithm as well as the public and private keys to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using RSA. Message confidentiality is provided by encrypting the body and signature using RSA. This policy set follows the WS-Security specification for the issue and renew trust operation requests.

    • TrustServiceSymmetricDefault

      This trust policy set specifies the symmetric algorithm as well as the derived key algorithms to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using HMAC-SHA1. Message confidentiality is provided by encrypting the body and signature using AES. This policy set follows the WS-Security and WS-SecureConversation specifications for the validate and cancel trust operation requests.

    • SystemWSSecurityDefault

      This system policy set specifies the asymmetric algorithm and both the public and private keys to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using RSA. Message confidentiality is provided by encrypting the body and signature using RSA.

    Inherit Operation Defaults

    Sets the operation to inherit the policy set attachment and binding specified for that operation under Trust Service Defaults. If you select the attachments to modify and then click Inherit Operation Defaults, the explicit attachment for both the policy set and the binding is removed. Thereafter, the operation inherits any change to the default trust service policy set and binding.

    Assign Binding

    Changes the existing binding. We can create and assign a new binding, assign the Default binding, or assign an existing trust service specific binding to each of the selected trust service attachments.

    Update Runtime

    Updates the trust service runtime with any configuration changes that are made to the trust service attachments, token providers, and targets.

  3. Optional: Modify the custom policy set by clicking the name of a custom policy set from the list. Edit the settings for custom policy sets, as needed. Default trust service policy set information can only be viewed.

    We cannot edit the default policy sets TrustServiceSecurityDefault, TrustServiceSymmetricDefault, or SystemWSSecurityDefault. TrustServiceSecurityDefault is the default for the issue and renew operations. TrustServiceSymmetricDefault is the default for the cancel and validate operations.

    At least one trust service operation for the endpoint service URL must be explicitly attached for the endpoint service URL to be displayed. If an operation is explicitly attached, the system policy set name appears. If no policy set is explicitly attached, the respective default trust service policy set appears, followed by the text (inherited).

  4. Optional: Modify a trust service specific binding by clicking the name of the binding in the list, then edit its settings as needed. Any modification to a trust service binding affects all trust service attachments that reference the binding.

    If the resource has a policy set directly attached, either the binding's name or Default appears.

  5. Save your changes before applying the changes to the trust service runtime configuration.

  6. Click Update Runtime to update the trust service runtime configuration with any data changes for token providers, trust service attachments, and targets. Whether the confirmation window appears depends on whether you select the Show confirmation for update runtime command check box. Expand Preferences to view the check box.

  7. Optional: Confirm or cancel if the confirmation window appears. If you deselected the Show confirmation for update runtime command check box, all changes are made immediately without displaying the confirmation window.
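The attachment rules in steps 2 through 4 (explicit versus inherited attachments, the binding resetting to Default when the policy set changes, Inherit Operation Defaults removing the explicit attachment, and the bootstrap/application-section rule for the four operations) are easier to reason about as a small model. The following Python is an added example written for this page; it is not WebSphere code and not the wsadmin API. The policy set names TrustServiceSecurityDefault and TrustServiceSymmetricDefault and the binding name Default are the product defaults named on this page; the endpoint URL and the MyBootstrapPolicy and MyTrustBinding names are constructed sample values.

```python
# Constructed model of the trust service attachment semantics described on
# this page. Policy set and binding names are the product defaults named in
# the text; endpoint URLs and custom names are made-up sample values.
from dataclasses import dataclass

OPERATIONS = ("issue", "renew", "cancel", "validate")
# issue/renew attachments must match the bootstrap section of the endpoint's
# own policy set; cancel/validate must match its application section.
BOOTSTRAP_OPS = frozenset({"issue", "renew"})
APPLICATION_OPS = frozenset({"cancel", "validate"})

# Trust Service Defaults: operation -> (policy set, binding).
TRUST_SERVICE_DEFAULTS = {
    "issue": ("TrustServiceSecurityDefault", "Default"),
    "renew": ("TrustServiceSecurityDefault", "Default"),
    "cancel": ("TrustServiceSymmetricDefault", "Default"),
    "validate": ("TrustServiceSymmetricDefault", "Default"),
}


@dataclass
class Attachment:
    policy_set: str
    binding: str


class TrustServiceAttachments:
    """Explicit per-endpoint attachments layered over Trust Service Defaults."""

    def __init__(self, defaults=None):
        self.defaults = dict(defaults or TRUST_SERVICE_DEFAULTS)
        self.explicit = {}  # (endpoint, operation) -> Attachment

    def _key(self, endpoint, operation):
        if operation not in OPERATIONS:
            raise ValueError("unknown trust operation: %s" % operation)
        return (endpoint, operation)

    def new_attachment(self, endpoint):
        """New Attachment: all four operations become explicitly attached to
        whatever Trust Service Defaults specify at that moment."""
        for op in OPERATIONS:
            policy_set, binding = self.defaults[op]
            self.explicit[(endpoint, op)] = Attachment(policy_set, binding)

    def attach(self, endpoint, operation, policy_set):
        """Attach: change the policy set; the binding resets to Default."""
        self.explicit[self._key(endpoint, operation)] = Attachment(policy_set, "Default")

    def assign_binding(self, endpoint, operation, binding):
        """Assign Binding: only meaningful for an explicitly attached operation."""
        key = self._key(endpoint, operation)
        if key not in self.explicit:
            raise KeyError("%s/%s is inherited; attach a policy set first" % key)
        self.explicit[key].binding = binding

    def inherit_operation_defaults(self, endpoint, operation):
        """Inherit Operation Defaults: drop the explicit attachment so the
        operation follows future changes to Trust Service Defaults."""
        self.explicit.pop(self._key(endpoint, operation), None)

    def resolve(self, endpoint, operation):
        """Effective (policy_set, binding, inherited) for one operation."""
        att = self.explicit.get(self._key(endpoint, operation))
        if att is None:
            policy_set, binding = self.defaults[operation]
            return policy_set, binding, True
        return att.policy_set, att.binding, False

    def display(self, endpoint, operation):
        """Policy set column as the console shows it, with '(inherited)'."""
        policy_set, _, inherited = self.resolve(endpoint, operation)
        return policy_set + (" (inherited)" if inherited else "")

    def listed_endpoints(self):
        """An endpoint is listed only once at least one operation is explicit."""
        return sorted({endpoint for endpoint, _ in self.explicit})

    def check_sections(self, endpoint, bootstrap_policy_set, application_policy_set):
        """Operations whose effective policy set does not match the section of
        the endpoint policy set it must correspond to: [(op, actual, expected)]."""
        mismatches = []
        for op in OPERATIONS:
            expected = bootstrap_policy_set if op in BOOTSTRAP_OPS else application_policy_set
            actual, _, _ = self.resolve(endpoint, op)
            if actual != expected:
                mismatches.append((op, actual, expected))
        return mismatches


def demo():
    """Walk the console procedure for one constructed endpoint."""
    ts = TrustServiceAttachments()
    endpoint = "http://sample.example.invalid:9080/TrustSample/Service"  # constructed
    ts.new_attachment(endpoint)                               # step 2: New Attachment
    ts.attach(endpoint, "issue", "MyBootstrapPolicy")         # hypothetical custom policy set
    ts.assign_binding(endpoint, "issue", "MyTrustBinding")    # hypothetical trust binding
    ts.inherit_operation_defaults(endpoint, "validate")       # back to inherited
    return {op: ts.display(endpoint, op) for op in OPERATIONS}


if __name__ == "__main__":
    for op, shown in demo().items():
        print("%-8s %s" % (op, shown))
```

`check_sections` is the check a practitioner wants before clicking Update Runtime: given the bootstrap and application policy set names of the endpoint, it reports any of the four operations whose effective attachment (explicit or inherited) points at the wrong one.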


Results

You have provided the basic information to create or update a trust service attachment. You have configured trust service operation attachments to system policy sets and bindings.

We can also create a new attachment for the WAS trust service using wsadmin. The wsadmin tool examples are written in the Jython scripting language.


Related


Create policy set attachments using wsadmin
Set default policy set bindings


Reference:

Administrative roles
