WAS v8.5 > Reference > Authentication generator or consumer token settings page
Authentication tokens are used to prove or assert an identity. Use the dmgr console to add authentication token settings for message parts when editing a general binding.
To configure authentication tokens...
- To view and select the general bindings that are set as the global security default policy set bindings, click Services > Policy sets > Default policy set bindings. The specified bindings are used unless overridden at the attachment point, at the server, or at a security domain.
- To access and configure the general bindings and to add authentication token settings for message parts, click Services > Policy sets > General provider policy set bindings.
- Click the WS-Security policy in the Policies table.
- Click the Authentication and protection link in the Main message security policy bindings section.
- Click New token to create a new token generator or consumer, or click an existing consumer or generator token link from the Authentication Tokens table.
To configure application-specific bindings for tokens and message parts required by a policy set...
- Click Applications > Application Types > WebSphere enterprise applications.
- Select an application containing web services. The application must contain a service provider or a service client.
- Click the Service provider policy sets and bindings link or the Service client policy sets and bindings link in the Web Services Properties section.
- Select a binding. You must have previously attached a policy set and assigned an application-specific binding.
- Click the WS-Security policy in the Policies table.
- Click the Authentication and protection link in the Main message security policy bindings section.
- Click a consumer or generator token link from the Authentication Tokens table.
This dmgr console page applies only to JAX-WS applications.
Name
Name of the token being configured. When using application-specific bindings, this field is not displayed.
Token type
Type of token being configured.
When using application-specific bindings, the token type is obtained from the policy file and is read-only. When using general bindings, select a token type from the list. The following token types are available:
- X509V3 Token V1.1
- X509V3 Token V1.0
- Username Token V1.1
- Username Token V1.0
- X509PKCS7 Token V1.1
- X509PKCS7 Token V1.0
- X509PkiPathV1 Token V1.1
- X509PkiPathV1 Token V1.0
- LTPA Propagation Token
- X509V1 Token V1.1
- LTPA Token
- LTPA Token V2.0
- Custom Token
The LTPA Token V2.0 token type is available only for bindings using the namespace as supported in IBM WebSphere Application Server, v7.0 or later. When you select LTPA Token V2.0 as the token type for the token consumer, both LTPA tokens and LTPA V2.0 tokens can be consumed. To restrict the token consumer to LTPA V2.0 tokens only, select the Enforce token version check box.
If you select LTPA Token as the token type for the token generator, single sign-on interoperability mode must be enabled. This setting is in global security under Web and SIP security > Single sign-on (SSO). If the interoperability flag is not enabled (true), an error occurs when an application that is attached to these bindings is started. To use the LTPA token without checking the state of the interoperability flag, set the custom property com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7 on the token generator. Set the property using the dmgr console, as described in the topic Enabling or disabling single sign-on interoperability mode for the LTPA token. The property cannot be set using the Web Services Security API.
Local name
Local name for the authentication token generator or consumer. The Local name field is populated based on the token type displayed. Use this field to edit custom token types only.
URI
Uniform resource identifier (URI) of the authentication token generator or consumer. The URI field is populated based on the token type displayed. Use this field to edit custom token types only.
Leave this field blank if the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile v1.1.
Security token reference
Security token reference. The security token reference field is displayed only for authentication tokens in application-specific bindings. This field is not available for default bindings.
JAAS login
List of application and system Java Authentication and Authorization Service (JAAS) logins that are effective for the domain to which the binding is scoped.
If an application is scoped to global security, or to a domain that does not customize its own JAAS logins, the list of global logins is displayed in the menu list. Click New Application Login to access the global JAAS application login collection. The JAAS login menu list and the New Application Login button behave differently depending on whether the binding is being created in association with an attachment. Use caution when changing security domains: a security configuration that the binding references, such as a JAAS login, might not exist in the other security domain, and the binding then fails when it is used.
Custom properties – Name
Name used for the custom property.
Custom properties are not initially displayed in this column. Click one of the following buttons to perform the action described:
- New: Creates a new custom property entry. To add a custom property, enter the name and value.
- Edit: Enables the selected custom property to be edited. Clicking this button provides input fields and creates the listing of cell values to be edited. The Edit button is not available until at least one custom property has been added.
- Delete: Removes the selected custom property.
Custom properties – Value
Value of the custom property to be used. Use the Value field to enter, edit, or delete the value for a custom property.
If the custom token type is used to generate a Kerberos token, specify the following custom properties:
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceName: Name of the target service. Required.
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost: Host name associated with the target service, in the following format: myhost.mycompany.com. Required.
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm: Name of the realm associated with the target service. This property is optional for a single Kerberos realm. If the targetServiceRealm property is not specified, the default realm name from the Kerberos configuration file is used as the realm name. In a cross or trusted realm environment, you must provide a value for the targetServiceRealm property.
- com.ibm.wsspi.wssecurity.krbtoken.clientRealm: Name of the Kerberos realm associated with the client. This property is optional for a single Kerberos realm environment. When implementing Web Services Security in a cross or trusted Kerberos realm environment, you must provide a value for the clientRealm property.
- com.ibm.wsspi.wssecurity.krbtoken.loginPrompt: Enables the Kerberos login when the value is True. Default is False. Required.
For the token generator, the combination of the target service name and target hostname forms a Service Principal Name (SPN) which represents the target Kerberos service principal name. The Kerberos client requests the initial Kerberos AP_REQ token for the SPN.
If an application generates or consumes a Kerberos V5 AP_REQ token for each web services request message, set the com.ibm.wsspi.wssecurity.kerberos.attach.apreq custom property to true in the token generator and the token consumer bindings for the application. For more information, see the Web Services Security troubleshooting tips topic.
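The following is an added example, not code from the WebSphere product or its documentation: a small check that takes the Kerberos custom properties listed above as a name-to-value dictionary, reports the required and cross-realm properties that are missing, and builds the Service Principal Name (service/host@REALM) that the token generator requests the AP_REQ for. The default_realm and cross_realm parameters are assumptions that stand in for the Kerberos configuration file and the deployment topology, and the rejection of '/' and '@' inside the service name or host is an added sanity check, not a rule stated on this page.

```python
# Added example for this page; not a WebSphere API.  Validates the
# Kerberos custom properties of a custom token generator and derives
# the SPN (service/host@REALM) that the generator requests an AP_REQ for.

PREFIX = "com.ibm.wsspi.wssecurity.krbtoken."
ATTACH_APREQ = "com.ibm.wsspi.wssecurity.kerberos.attach.apreq"
REQUIRED = ("targetServiceName", "targetServiceHost", "loginPrompt")


def parse_flag(value):
    """Parse a True/False custom-property value (case-insensitive)."""
    text = str(value).strip().lower()
    if text not in ("true", "false"):
        raise ValueError(f"expected True or False, got {value!r}")
    return text == "true"


def check_krb_properties(props, default_realm=None, cross_realm=False):
    """Validate the custom properties and derive the SPN.

    props:         dict of full property name -> value, as entered in the
                   Custom properties table.
    default_realm: stands in for the default realm of the Kerberos
                   configuration file (assumption: supplied by the caller
                   here, read from krb5.conf/krb5.ini by the real generator).
    cross_realm:   True models a cross or trusted realm environment, where
                   targetServiceRealm and clientRealm must both be set.
    Returns a dict with the SPN (None if any error), the parsed flags and
    a list of error strings.
    """
    errors = []

    def get(short):
        return str(props.get(PREFIX + short, "")).strip()

    for short in REQUIRED:
        if not get(short):
            errors.append(f"{PREFIX}{short} is required")

    name, host = get("targetServiceName"), get("targetServiceHost")
    # '/' and '@' separate the parts of an SPN, so a value containing them
    # would produce a different principal than intended (added check).
    for short, value in (("targetServiceName", name), ("targetServiceHost", host)):
        if value and ("/" in value or "@" in value):
            errors.append(f"{PREFIX}{short} must not contain '/' or '@'")

    if cross_realm:
        realm = get("targetServiceRealm")
        if not realm:
            errors.append(f"{PREFIX}targetServiceRealm is required in a cross-realm environment")
        if not get("clientRealm"):
            errors.append(f"{PREFIX}clientRealm is required in a cross-realm environment")
    else:
        realm = get("targetServiceRealm") or (default_realm or "")
        if not realm:
            errors.append("no targetServiceRealm and no default realm in the Kerberos configuration")

    login_prompt = False
    if get("loginPrompt"):
        try:
            login_prompt = parse_flag(get("loginPrompt"))
        except ValueError as exc:
            errors.append(f"{PREFIX}loginPrompt: {exc}")

    ap_req_per_message = False
    try:
        ap_req_per_message = parse_flag(props.get(ATTACH_APREQ, "false"))
    except ValueError as exc:
        errors.append(f"{ATTACH_APREQ}: {exc}")

    spn = None if errors else f"{name}/{host}@{realm}"
    return {"spn": spn, "login_prompt": login_prompt,
            "ap_req_per_message": ap_req_per_message, "errors": errors}


# Constructed sample values for illustration; not from any real deployment.
SAMPLE_PROPS = {
    PREFIX + "targetServiceName": "HTTP",
    PREFIX + "targetServiceHost": "myhost.mycompany.com",
    PREFIX + "loginPrompt": "False",
    ATTACH_APREQ: "true",
}

if __name__ == "__main__":
    result = check_krb_properties(SAMPLE_PROPS, default_realm="MYCOMPANY.COM")
    print(result["spn"], result["errors"])
```

With the sample properties and a default realm of MYCOMPANY.COM the derived SPN is HTTP/myhost.mycompany.com@MYCOMPANY.COM; the same properties fail in cross-realm mode until targetServiceRealm and clientRealm are added, which is the mistake the page warns about.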
Callback handler
Links to the Callback handler page, where you can configure callback handlers. Callback handler settings determine how security tokens are acquired from message headers.
If you are working with a Username token or LTPA token that uses the default bindings, the user names and passwords in those bindings might be sample values supplied with the product. Replace them with values for your environment before using the bindings.
Related
Defining and managing policy set bindings
Managing policy sets
Enabling or disabling single sign-on interoperability mode for the LTPA token
Reference:
Callback handler settings for JAX-WS
Protection token settings (generator or consumer)
Application policy sets page
Application policy set settings
Search attached applications page
Policy set bindings settings