Migrating the server-side bindings file
You can migrate the server-side bindings configuration for a Java EE v1.3 application to a Java EE v1.4 application.
The following table lists the mappings of the top-level sections under the server-side Binding Configurations tab from a Java EE v1.3 application to a Java EE v1.4 application.
The mapping of the configuration sections. Use the binding configuration information for migration.

| Java EE v1.3 Binding Configurations | Java EE v1.4 Binding Configurations |
| --- | --- |
| Request Receiver Binding Configuration Details | Request Consumer Service Binding Configuration Details |
| Response Sender Binding Configuration Details | Response Generator Binding Configuration Details |

Consider the following steps to migrate the server-side bindings from Java EE v1.3 to Java EE v1.4. These steps are dependent upon your specific configuration. The steps are based on typical scenarios, but the steps are not all-inclusive.
- Migrate the configuration information under the Request Receiver Binding Configuration Details section of a Java EE v1.3 application.
- Migrate any trust anchor information specified in the Java EE v1.3 application to Java EE v1.4 using the Trust Anchor dialog.
- Migrate the information under the certificate store list specified in the Java EE v1.3 application to Java EE v1.4 by configuring the Certificate Store List section in the Java EE v1.4 application.
- Configure the key locator and token consumer information referenced from the Key Information dialog window. The configuration of the key locator and the token consumer depends upon the key information type. For example, if an X.509 certificate that is embedded in the <wsse:Security> security header is used for digital signature...
- For configuring the key locator, specify the com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator class as the key locator class and do not specify a key store.
- For configuring the token consumer, select the com.ibm.wsspi.wssecurity.token.X509TokenConsumer class, specify X509 certificate token for the value type Uniform Resource Identifier (URI), and specify system.wssecurity.X509BST in the jaas.config.name field. Also, specify the certificate path settings (the trust anchor reference and the certificate store reference) as part of the token consumer configuration.
- Explicitly specify the key information type in the Key Information Dialog window. In a Java EE v1.3 application, the key information type, such as the security token reference and the key identifier, is not explicitly specified. The key information type is implied by the configuration. In a Java EE v1.4 application, specify the key information type explicitly using the Key Information Dialog when you have digital signature or encryption information in the binding file. Before you configure the key information, verify that you have configured the key locator and token consumer information referenced from the Key Information dialog.
When you configure the key information for either digital signature or encryption, specify the correct key information type. The value of the key information type depends upon the type of mechanism used to reference the security token used for digitally signing or encrypting. The following information describes the Security token reference (or Direct reference) and the Key identifier, which are the most common, recommended key information types used for digitally signing and encrypting:
- Security token reference (or Direct reference)
- The security token is directly referenced using the Uniform Resource Identifiers (URIs). The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#mytoken" />
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
- Key identifier
- The security token is referenced using an opaque value that uniquely identifies the token. The algorithm used for generating the KeyIdentifier value depends upon the token type. For example, a hash of the important elements of the security token is used for generating the KeyIdentifier value. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference>
        <wsse:KeyIdentifier ValueType="wsse:X509v3">/62wXO...</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
In the Key Information Dialog window, specify the names of the key locator and the token consumer that you configured previously. The Key name field is optional for the consumer side.
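To confirm after migration which key information type a message actually carries, the following added example (not IBM code and not part of the original page) classifies each `<ds:KeyInfo>` in a captured SOAP message and checks that every direct reference resolves to a token in that message. The function name, the sample message, and the use of the WS-Security 1.0 namespaces are assumptions.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"ds": DS, "wsse": WSSE}

def classify_key_info(soap_xml):
    """Return (type, detail, usable) for each <ds:KeyInfo> in a captured SOAP message."""
    root = ET.fromstring(soap_xml)  # run on trusted captures only
    # Every wsu:Id in the message is a possible target of a direct reference.
    ids = {el.get("{%s}Id" % WSU) for el in root.iter()} - {None}
    findings = []
    for key_info in root.iter("{%s}KeyInfo" % DS):
        ref = key_info.find("wsse:SecurityTokenReference/wsse:Reference", NS)
        kid = key_info.find("wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
        if ref is not None:
            uri = ref.get("URI", "")
            # Usable only if the fragment names a token carried in this message.
            findings.append(("direct-reference", uri, uri.startswith("#") and uri[1:] in ids))
        elif kid is not None:
            # Opaque value: the receiver's key locator must find the matching key itself.
            findings.append(("key-identifier", kid.get("ValueType"), bool((kid.text or "").strip())))
        else:
            findings.append(("other", None, False))
    return findings

# Constructed sample; KeyInfo is shown without its enclosing Signature/EncryptedKey for brevity.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ds="{DS}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
 <soapenv:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="mytoken">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
  <ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#mytoken"/></wsse:SecurityTokenReference></ds:KeyInfo>
  <ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="wsse:X509v3">Q09OU1RSVUNURUQ=</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></ds:KeyInfo>
  <ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#gone"/></wsse:SecurityTokenReference></ds:KeyInfo>
 </wsse:Security></soapenv:Header><soapenv:Body/>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for finding in classify_key_info(SAMPLE):
        print(finding)
```

A direct reference reported as not usable means the sender pointed at a token that is not in the message, which the consumer cannot validate against its trust anchor and certificate store settings.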
- Migrate the information in the Signing Information section by configuring the Signing Information, Part References, and Transforms sections.
- Specify the Signature method and Canonicalization method algorithms in the Signing Information Dialog window.
- Specify the Digest method algorithm in the Part Reference Dialog window.
- Migrate the information under the Encryption Information section. In the Encryption Information Dialog window, select the name of the Key Information element that is configured for encryption, and specify the RequiredConfidentiality part. Verify that the selected RequiredConfidentiality part has the same name as the Required Confidentiality part that is configured in the extension file.
The Login Mapping section in the Java EE v1.3 application maps to the Token Consumer configuration for the type of token specified by the authentication method. For example, to migrate a Login Mappings configuration that uses the BasicAuth authentication method, configure a token consumer for the username token. To configure a token consumer for a username token...
- Select the com.ibm.wsspi.wssecurity.UsernameTokenConsumer token consumer class.
- Specify the name of the Required Security Token configuration from the Extensions in the Security Token field.
- Select Username Token for value type.
- Specify the system.wssecurity.UsernameToken value in the jaas.config.name field.
- Migrate the configuration information in the Response Sender Binding Configuration Details section of the Java EE v1.3 bindings file to the Response Generator Binding Configuration Details section of the Java EE v1.4 application. Configuring the Response Generator section is very similar to configuring the Request Consumer section.
- Migrate the information from the Key Locators section using the Key Locator Dialog window in an assembly tool.
- Configure a token generator, which is referenced in the Key Information Dialog window. You must configure a token generator for every security token generated in the SOAP message. If the token generator is for an X.509 certificate used for digital signature or encryption...
- For configuring the key locator, specify the com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator class as the key locator class and do not specify a key store.
- For configuring the token generator, select the com.ibm.wsspi.wssecurity.X509TokenGenerator class and specify X509 certificate token for the value type Uniform Resource Identifier (URI). The key store information specified for the token generator is the same information used for configuring the key locator. Therefore, the keystore information from the Key Locators configuration in a Java EE v1.3 application is used to configure the key locator and the token generator in a Java EE v1.4 application.
- In the Token Generator Dialog window, specify the key store information required by the callback handler to obtain the key information required for generating the token.
- For the callback handler, select the com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler class.
- Specify the names of the key locator and the token generator in the Key Information Dialog window that you configured previously. The Key name is required for the generator side. The key specified in the Key Information Dialog window must exist in the list of keys specified in the key locator configuration. Also, migrating the Signing Information and the Encryption Information configurations is similar to migrating the Signing Information and the Encryption Information configurations for the Request Receiver Binding Configuration section. Configuring the key information for the response generator section is similar to configuring the key information for the request consumer section.
Results
This set of steps describes the types of information needed to migrate the server-side bindings configuration for a Java EE v1.3 application to a Java EE v1.4 application.
Migrate the client-side binding configuration for a Java EE v1.3 application to a Java EE v1.4 application. For more information, see Migrating the client-side bindings file.