WAS v8.5 > Script the application serving environment (wsadmin) > Welcome to scripting for web services > Configure web services applications using wsadmin.sh > Configure application and system policy sets for web services using wsadmin.sh

Enable secure conversation using wsadmin.sh

Use this topic and the commands in the SecureConversation group of AdminTask to enable secure conversation client cache by creating a new policy set and bindings to attach to the applications.

Verify the SecureConversation policy set is available in your configuration. By default, the SecureConversation policy set is not available. Use the importPolicySet command to import the SecureConversation policy to your configuration, as the following example demonstrates:

Before using the commands in this topic, verify that you are using the most recent version of wsadmin. The policy set management commands that accept a properties object as the value for the attributes or bindingLocation parameters are not supported on previous versions of wsadmin. For example, the commands do not run on a v6.1.0.x node.

This topic uses the default SecureConversation policy set and default WS-Security and TrustServiceSecurityDefault bindings to enable secure conversation.

The default SecureConversation policy set contains an application policy with the symmetric binding, and a bootstrap policy with the asymmetric binding. The application policy secures application messages. The bootstrap policy secures RequestSecurityToken (RST) messages. The trust service, which issues security context token providers, uses the TrustServiceSecurityDefault system policy and the TrustServiceSecurityDefault bindings. The trust policy secures RequestSecurityTokenResponse (RSTR) messages. If we modify the bootstrap policy, you must also modify the trust policy so that both of the configurations match.

Use the following steps in development and test environments only. The WS-Security bindings in this procedure contain sample key files that you must customize before using the bindings in a production environment. Create custom bindings for the production environment.

  1. Launch the wsadmin scripting tool using the Jython scripting language. To learn more, see the starting the wsadmin scripting client information.
  2. Copy the existing SecureConversation policy set.

    Use the following command example to create a new policy set by copying the existing SecureConversation policy set:

      AdminTask.copyPolicySet('[-sourcePolicySet SecureConversation -newPolicySet CopyOfSCPolicySet]')

  3. Change the binding for the global security domain. If we chose the Create the server using the development template option when we created your profile with the Profile Management Tool or the manageprofiles command utility, we can optionally skip this step.

    1. List each WS-Security policy attribute.

      To modify the binding for the global security domain, use the getDefaultBindings command to determine the binding set as the default for the provider or client, as the following example demonstrates:

        AdminTask.getDefaultBinding('-bindingType provider')

    2. Display the attributes for the binding.

      Use the getBinding command to display the current attributes for the binding, as the following example demonstrates:

        AdminTask.getBinding('-bindingLocation "" -bindingName myBinding')

    3. Modify the outbound configuration for the protection token.

      Use the following commands to modify the outbound configuration for the protection token:

      cmd1_attributes_value = "[ [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler
      .key.name [CN=Bob,O=IBM, C=US]] [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler
      .keystore.storepass storepass] [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler
      .keystore.type JCEKS] [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.key.alias bob] 
      [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.keystore.path ${USER_INSTALL_ROOT}
      /etc/ws-security/samples/enc-sender.jceks] ]"
      
      AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "" -attributes cmd1_attributes_value 
      -attachmentType application]')
      
      cmd2_attributes_value = "[ [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore
      .path ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks] [application.securityoutboundbindingconfig
      .tokengenerator_0.callbackhandler.keystore.storepass client] [application.securityoutboundbindingconfig
      .tokengenerator_0.callbackhandler.key.name [CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP]] [application
      .securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.keypass client] [application
      .securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.alias soaprequester] 
      [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.type JKS] ]"
      
      AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "" -attributes cmd2_attributes_value 
      -attachmentType application]')

  4. Optional: Modify the TrustDefaultBindings binding. If we chose the Create the server using the development template option when we created your profile with the Profile Management Tool or the manageprofiles command utility, we can optionally skip this step.

    If the TrustDefaultBindings are not yet customized, use the following commands to modify the TrustDefaultBindings binding:

    cmd3_attributes_value = "[  [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore
    .storepass storepass] [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.key.alias bob] 
    [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore.type JCEKS] [application
    .securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore.path ${USER_INSTALL_ROOT}/etc
    /ws-security/samples/enc-sender.jceks] [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler
    .key.name [CN=Bob, O=IBM, C=US]] ]"
    
    AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "[attachmentId 2]" 
    -attributes cmd3_attributes_value -attachmentType system/trust]')
    
    cmd4_attributes_value = "[ [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.path 
    ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks] [application.securityoutboundbindingconfig.tokengenerator_0
    .callbackhandler.keystore.storepass client] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler
    .key.name [CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP]] [application.securityoutboundbindingconfig.tokengenerator_0
    .callbackhandler.key.keypass client] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key
    .alias soaprequester] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.type JKS] ]"
    
    AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "[attachmentId 2]" 
    -attributes cmd4_attributes_value -attachmentType system/trust]')
  5. Attach the policy set and binding to the application.

    Use the attachmentType parameter for the createPolicySetAttachment command to specify if the application is a service client or a service provider. Use the following commands to attach the CopyOfSCPolicySet policy set to the myTestApp service client application:

    AdminTask.createPolicySetAttachment('[-applicationName myTestApp -policySet CopyOfSCPolicySet 
    -resources WebService:/ -attachmentType client]') 
    Use the following commands to attach the CopyOfSCPolicySet policy set to the myTestApp service provider application:
    AdminTask.createPolicySetAttachment('[-applicationName myTestApp -policySet CopyOfSCPolicySet 
    -resources WebService:/ -attachmentType application]')
    This step automatically assigns the bindings.


Results

Your secure conversation configuration is updated in the WSSCCache.xml file located in the cell level directory.

Manage your secure conversation configurations with the SecureConversation command group for AdminTask.


Related concepts:

Secure conversation client cache and trust service configuration
SecureConversation default policy sets


Related


Start the wsadmin scripting client using wsadmin.sh
Configure the Web Services Security distributed cache
Example: Installing a web services sample with the console


+

Search Tips   |   Advanced Search