Secure requests to the trust service using system policy sets
WebSphere Application Server provides message-level protection for its security token service, known as the WAS trust service. For the trust service, we must use a special class of policy sets known as system policy sets.
We can secure requests to the trust service using two different configuration methods:
- Use the administrative console to define and attach a system policy set and binding to a trust service operation associated with an endpoint.
- Use the wsadmin tool, which supports the Jython and Jacl scripting languages, to configure system policy sets for the trust service. We can manage the policies for the Quality of Service (QoS) by creating policy sets and managing associated policies.
For WAS trust service security, configure the system policy sets, the bindings, the trust service attachments, and the security cache.
Perform the following high-level steps. The order of the tasks is not important, except that the trust service runtime configuration must be updated after the attachments, token providers, or targets it refreshes have been changed; all of the required high-level steps must be performed to complete the trust configuration.
Tasks
- Define a new system policy set or manage existing system policy sets. To manage system policy sets, we can perform the following tasks:
- Define the system policy set and binding. The system policy set can be a new or existing policy set. If we create a new system policy set, specify and configure the policy types. A default binding configuration is associated with each policy type.
- Modify the system policy set, as needed.
Other optional policy set-related tasks that we can perform include:
- Add, edit, or remove policy set attachments.
- Edit, enable, disable or remove policy types
- Create a system policy set by selecting and copying an existing system policy set. When copying an existing system policy set, you also specify whether to move the existing attachments to this new system policy set.
- Delete system policy sets. We cannot delete pre-configured system policy sets provided by WAS by default.
- Archive a system policy set by selecting and exporting an existing system policy set. When exporting an existing system policy set, we create a .zip archive file. The .zip file for exporting the policy set is provided for downloading. For example, if we have a policy set named ABC_ps and we want to export and move the archive file from ServerA to ServerB, first use the export function to create the .zip file. Then, manually transfer the archive file to ServerB.
- Create and manage explicit attachments. We can perform the following trust service attachment tasks:
- Attach the system policy set and assign a binding to an endpoint. For an endpoint, we can create explicit attachments for each of the four trust service operations to the respective Trust Service Defaults policy sets and bindings. After we have created these initial attachments, we can view and further modify existing policy set and binding configurations.
- Modify existing policy set attachment and binding configurations, as needed.
The system policy set attached to the issue and renew operations must correspond to the bootstrap policy set of the client and the endpoint, and the system policy set attached to the validate and cancel operations must correspond to their application policy set. A bootstrap policy set for the endpoint service is required only if the endpoint service itself makes issue and renew requests to the trust service.
Other optional attachment-related tasks that we can perform include:
- Change the system policy set and binding configurations.
- Create custom system policy sets and bindings.
- Attach each of the four default trust service operations to a system policy set and binding.
- Attach each of the four trust service operations associated with a specific endpoint to a system policy set and binding.
- Specify that the selected trust service operations for an endpoint inherit the respective default trust service policy set and binding.
- Assign the Default binding or a custom binding configuration to the selected policy set attachment.
- Update the trust service runtime configuration.
- Manage the security context token provider that the trust service provides. We can perform the following trust service token provider tasks:
- Modify the configuration of the Security Context Token provider, as needed.
Other optional token provider-related tasks that we can perform include:
- Update the trust service runtime configuration for any token provider configuration changes.
- Manage the trust service default token provider and any endpoints that have an explicitly assigned token (rather than inheriting from the default). Targets are endpoints assigned a specific token provider. We can perform the following trust service target tasks:
- Create a new trust service target by explicitly assigning a service endpoint URL to the default token provider. Performing this task creates an explicit assignment to the default trust service token provider, the Security Context Token. All other endpoints inherit the trust service default token provider.
- Configure a target. WAS defines one default supported token provider, the Security Context Token. Other tasks that we can perform for existing targets include:
- Modify one or more endpoints that have a security context token provider explicitly assigned.
- Change the token provider for an endpoint from inherited to explicitly assigned. As a result, the token provider for the endpoint no longer changes when the default trust service token provider changes.
- Change the token provider for an endpoint from explicitly assigned to inherited. As a result, the token provider for the endpoint is the default trust service token provider and changes whenever the default changes.
- Update the trust service runtime configuration.
- Configure the security cache. We can change the behavior of client-side security caching.
- Update the trust service runtime configuration. We must update the runtime configuration whenever any of the following trust-related items are created or changed; until the update, the running trust service continues to use the previous configuration:
- Trust service attachments
- Token providers
- Targets
After these configurations are completed and the trust service runtime configuration has been updated, requests to the trust service are secured by the attached system policy sets and bindings.
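The following wsadmin Jython script is an added example, not code from the WebSphere documentation, that carries out the high-level steps above with the second configuration method (wsadmin): it copies a shipped system policy set into a custom one, exports it as a .zip archive for transfer to another cell, creates the four explicit trust attachments for one endpoint (issue and renew to the bootstrap policy set, validate and cancel to the application policy set), turns the endpoint into a target with an explicitly assigned Security Context Token, and refreshes the trust service runtime last. The endpoint URL, the policy set names, and the "Trust.<Operation>:<endpoint>" resource syntax used for system/trust attachments are assumptions; confirm them with AdminTask.help('<command>') on your own cell before applying the script.

```python
# Added example (not IBM's own code): wsadmin Jython script for the trust
# service configuration described above. Run it inside wsadmin:
#   wsadmin.sh -lang jython -f secure_trust_service.py
# Outside wsadmin there is no AdminTask object, so the script falls back to a
# dry run that only renders the commands it would issue.
#
# Assumptions (verify with AdminTask.help('<command>')): the endpoint URL and
# policy set names below, and the "Trust.<Op>[:<url>]" resource syntax.

ENDPOINT = "http://myhost:9080/MyService/services/MyPort"   # assumed endpoint
BOOTSTRAP_PS = "SystemWSSecurityDefault"    # shipped system policy set (assumed)
APP_PS = "MyService trust app ps"           # custom copy for validate/cancel
EXPORT_ZIP = "/tmp/MyService_trust_app_ps.zip"
SCT_LOCALNAME = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct"

# Issue/renew must match the client and endpoint bootstrap policy set,
# validate/cancel their application policy set.
OPERATION_POLICY_SETS = [
    ("Issue", BOOTSTRAP_PS),
    ("Renew", BOOTSTRAP_PS),
    ("Validate", APP_PS),
    ("Cancel", APP_PS),
]


def trust_attachment_resource(operation, endpoint=None):
    """Resource name for a system/trust attachment. The Trust Service Defaults
    are "Trust.Issue" etc.; an explicit per-endpoint attachment appends the
    endpoint URL (assumed syntax, check AdminTask.help)."""
    if endpoint is None:
        return "Trust.%s" % operation
    return "Trust.%s:%s" % (operation, endpoint)


def build_commands(endpoint, export_zip):
    """Ordered list of (AdminTask method name, positional args). The runtime
    refresh is deliberately last: attachments and targets only take effect
    after it."""
    cmds = []
    # 1. Custom system policy set, copied from a shipped one; existing
    #    attachments stay on the source (-transferAttachments false).
    cmds.append(("copyPolicySet", [
        '[-sourcePolicySet "%s" -newPolicySet "%s" -transferAttachments false]'
        % (BOOTSTRAP_PS, APP_PS)]))
    # 2. Archive it as a .zip so it can be moved from ServerA to ServerB.
    cmds.append(("exportPolicySet", [
        '[-policySet "%s" -pathName "%s"]' % (APP_PS, export_zip)]))
    # 3. Explicit trust attachments for the endpoint's four operations.
    for op, ps in OPERATION_POLICY_SETS:
        cmds.append(("createPolicySetAttachment", [
            '[-policySet "%s" -resources "%s" -attachmentType "system/trust"]'
            % (ps, trust_attachment_resource(op, endpoint))]))
    # 4. Make the endpoint a target: explicitly assign the Security Context
    #    Token so it stops following the trust service default provider.
    cmds.append(("addSTSEndpointTokenType", [
        endpoint, '[-LocalName "%s"]' % SCT_LOCALNAME]))
    # 5. Push attachments and targets into the running trust service.
    cmds.append(("refreshSTS", []))
    return cmds


def apply_commands(commands, task=None):
    """Render each call as text and, when a real AdminTask is given, execute
    it. With task=None the result is a reviewable dry-run plan."""
    rendered = []
    for name, args in commands:
        rendered.append("AdminTask.%s(%s)" % (name, ", ".join([repr(a) for a in args])))
        if task is not None:
            getattr(task, name)(*args)
    return rendered


try:
    _task = AdminTask            # defined only inside wsadmin
except NameError:
    _task = None                 # dry run outside wsadmin
for _line in apply_commands(build_commands(ENDPOINT, EXPORT_ZIP), _task):
    print(_line)
if _task is not None:
    AdminConfig.save()           # persist the configuration changes
```

Run it once with no AdminTask (plain Python) to review the plan, then inside wsadmin to apply it; because refreshSTS is the last command, a failure earlier in the list leaves the running trust service on its previous configuration.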
Subtopics
- Enable secure conversation
Use secure conversation to secure web services application messages.
- Trust service
The security token service provided by WAS is called the trust service. The WAS trust service uses the secure messaging mechanisms of Web Services Trust (WS-Trust) to define additional extensions for the issuance, exchange, and validation of security tokens.
- Configure system policy sets
By defining a custom policy set or defining assertions about how services are defined, we can configure Web Services Security. Use the administrative console to manage custom policy sets.
- Configure attachments for the trust service
Attach the trust service operations for a service endpoint to a system policy set and binding. Each new endpoint that is specified initially has the following four operations: issue, renew, cancel, and validate. By default, all endpoints inherit the policy set and binding that are attached to the respective trust service operation under Trust Service Defaults. However, we can explicitly attach a different policy set.
- Configure the security context token provider for the trust service
Configure the WAS trust service to issue a specific security token to the requestor for communication with an endpoint. Use the administrative console to configure the security context token provider that the trust service provides.
- Configure trust service endpoint targets
The Trust Service manages tokens on behalf of service endpoints. A token provider is either explicitly or implicitly associated with each service endpoint. A specific token can be explicitly assigned to be issued when access to an endpoint is requested. Otherwise, the Trust Service Default token is issued.
- Update the Web Services Security runtime configuration
Update the Web Services Security runtime configuration with any data changes that we make and save for token providers, trust service attachments, and targets.
- Configure the Web Services Security distributed cache
We can configure the Web Services Security runtime to use the security distributed cache to store security tokens.
Related:
- Web Services Secure Conversation
- Exporting policy sets
- Configure system policy sets
- Configure application and system policy sets for web services