Configure trusted ID evaluators on the server or cell level

We can configure trusted identity (ID) evaluators. The trusted ID evaluator determines whether or not to trust the identity-asserting authority.

This task provides the steps needed to configure trusted identity (ID) evaluators. The trusted ID evaluator determines whether to trust the identity-asserting authority. After the ID is trusted, the WebSphere Application Server issues the proper credentials based on the identity, which are used in a downstream call to another server for invoking resources. The trusted ID evaluator implements the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface.

We can configure the trusted ID evaluators on the server level and the cell level. In the following steps, use the first step to access the server-level default bindings and use the second step to access the cell-level bindings:

Tasks

1. Access the default bindings for the server level.

   1. Click Servers > Server Types > WebSphere application servers > server.

   2. Under Security, click JAX-WS and JAX-RPC security runtime.

      Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.mixv

2. Click Security > Web services to access the default bindings on the cell level.

3. Under Additional properties, click Trusted ID evaluators.

4. Click New to create a trusted ID evaluator configuration, click Delete to delete an existing configuration, or click the name of an existing configuration to edit the settings. For a new configuration, enter a unique name for the trusted ID evaluator configuration in the Trusted ID evaluator name field. This field specifies the name used by the application binding to refer to a trusted identity (ID) evaluator that is defined in the default binding.

5. Specify a class name in the Trusted ID evaluator class name field. The default class name is com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl. The specified trusted ID evaluator class name must implement the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator class. When we use the default TrustedIDEvaluator class, specify the name and value properties for the default trusted ID evaluator to create the trusted ID list for evaluation.

6. Under Additional properties, click Properties > New.

7. Trusted ID evaluator name as a property name. Trusted ID evaluator name in the form, trustedId_n, where _n is an integer from zero (0) to n.

8. Trusted ID as a property value.

   property name="trustedId_0", value="CN=Bob,O=ACME,C=US"
   property name="trustedId_1, value="user1"
   

   If a distinguished name (DN) is used, the space is removed for comparison.

9. Click OK and then Save.

We have configured the trusted ID evaluators at the server or cell level.

Subtopics

• Trusted ID evaluator collection
  View a list of trusted identity (ID) evaluators. The trusted ID evaluator determines whether to trust the identity-asserting authority. After the ID is trusted, the application server issues the proper credentials based on the identity, which are used in a downstream call for invoking resources. The trusted ID evaluator implements the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface.
• Trusted ID evaluator configuration settings
  Use this information to configure trust identity (ID) evaluators.
• Trusted ID evaluator collection
  View a list of trusted identity (ID) evaluators. The trusted ID evaluator determines whether to trust the identity-asserting authority. After the ID is trusted, the application server issues the proper credentials based on the identity, which are used in a downstream call for invoking resources. The trusted ID evaluator implements the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface.
• Trusted ID evaluator configuration settings
  Use this information to configure trust identity (ID) evaluators.