Set default policy set bindings
We can set provider and client default policy set bindings to use as the global security default policy set bindings. The specified global security default bindings apply to all web services unless the bindings are overridden at the attachment point, at the server, or at a security domain.
We must first install and configure an application server. After the application server is installed, install a JAX-WS application onto the server. Now, we are ready to attach a policy set to the web service application. We can define and manage general service provider and client policy set bindings for our web service resource using the administrative console.
Policy set bindings for servers
After we understand policy set bindings, then it is easier to understand how the default bindings are used.
Policy set bindings contain platform-specific information, such as keystore, authentication information or persistent information required by a policy set attachment. A policy set attachment is a policy set that is attached to an application resource. Starting with WebSphere Application Server v7.0 and later, there are two types of bindings, general bindings and application specific bindings.
There are two types of general bindings, general service provider bindings and general service client bindings. We can configure one or more general service provider bindings and one or more general service client bindings and then use them across a range of policy sets. Additionally, we can re-use these general bindings across applications and for trust service attachments. To define and manage general bindings, in the administrative console click...
Services > Policy sets > General provider policy set bindings or Services > Policy sets > General client policy set bindings
The general service provider and client bindings have independent settings that we can customize to meet the needs of the environment.
Create application specific bindings when you attach a policy set to a web service application resource. These bindings are specific to, and defined by, the characteristics of the defined policy. Application specific bindings are capable of providing configuration for advanced policy requirements, such as multiple signatures; however, these bindings are only reusable within an application. Furthermore, application specific bindings have limited reuse across policy sets. To assign application specific bindings to an application for service providers, in the administrative console click...
Applications > Applications Types > WebSphere enterprise applications > application_name > Service provider policy sets and bindings
Select a web service resource with an attached policy and click...
Assign Binding > New Application Specific Binding
To assign application specific bindings to an application for service clients, in the administrative console click...
Applications > Applications Types > WebSphere enterprise applications > application_name > Service client policy sets and bindings
Select a web services resource with an attached policy and click...
Assign Binding > New Application Specific Binding
We can also assign application specific bindings for service providers or service clients from the following pages. In the administrative console click...
Services > Service providers > application_name
...or...
Services > Service clients > application_name
...and then select a web services resource with an attached policy and assign your bindings.
To learn more about general bindings or application specific bindings, read about defining and managing policy set bindings.
Default policy set bindings
For transitioning users: In WAS v7.0 and later, the security model was enhanced to a domain-centric security model instead of a server-based security model. The configuration of the default global security (cell) level and default server level bindings has also changed in this version of the product. In the WAS v6.1 Feature Pack for Web Services, we can configure one set of default bindings for the cell and optionally configure one set of default bindings for each server. In v7.0 and later, we can configure one or more general service provider bindings and one or more general service client bindings. After we have configured general bindings, we can specify which of these bindings is the global default binding. We can also optionally specify a general binding to use as the default for an application server or a security domain.
General service provider and client bindings are not linked to a particular policy set, and they provide configuration information that we can reuse across multiple applications. Create and manage general provider and client policy set bindings and then select one of each binding type to use as the default for an application server. Setting the server default bindings is useful if we want the services deployed to a server to share binding configuration. We can also share binding configuration by either assigning the binding to each application that is deployed to the server or by setting default bindings for a security domain and assigning the security domain to one or more servers.
We can specify default bindings for our service provider or client to be used at the global security (cell) level, for a security domain, or for a particular server. The default bindings are used in the absence of an overriding binding specified at a lower scope. The following list is the order of precedence from lowest to highest that the application server uses to determine which default bindings to use:
- Server level default
- Security domain level default
- Global security (cell) default
The sample general bindings provided with the product are initially set as the global security (cell) default bindings. The default service provider binding and the default service client bindings are used when no application specific bindings or trust service bindings are assigned to a policy set attachment. For trust service attachments, the default bindings are used when no trust specific bindings are assigned. If we do not want to use the provided Provider sample as the default service provider binding, we can select an existing general provider binding or create a new general provider binding to meet the business needs. Likewise, if we do not want to use the provided Client sample as the default service client binding, we can select an existing general client binding or create a new general client binding. To specify your global security (cell) default bindings, in the administrative console click Services > Policy sets > Default policy set bindings. For environments with multiple security domains, we can optionally choose the general provider and general client bindings to use as the default bindings for a domain.
In addition to choosing default bindings for the global security (cell), we can also choose the general provider and general client bindings to use as the default bindings for a server. This is only necessary to use different default bindings for a particular server than those used by the other servers in the security domain or cell. To choose the default bindings for a server from the administrative console, click...
Servers > Server Types > WebSphere application servers > server
...and then from Security, click Default policy set bindings.
If we do not choose a general binding as the default for a server, the default bindings for the domain in which the server resides are used. If we do not choose a binding as the default for a domain, the default bindings for the global security (cell) are used. Choose a default service provider and default service client bindings for the cell. The general bindings included with the product are initially set as the global security (cell) default bindings. We cannot delete a binding used as part of any policy set attachment or specified as the default binding for the server, a domain, or the cell. To learn more about defining default bindings for a server, see the server default bindings documentation.
Depending on the assigned security role when security is enabled, we might not have access to text entry fields or buttons to create or edit configuration data. Review the administrative roles documentation to learn more about the valid roles for the application server.
Tasks
- Open the administrative console.
- To set global security default policy set bindings, select Services > Policy sets > Default policy set bindings.
- Select the default service provider binding. The default service provider binding is used as the default for policy set attachments unless the provider or client binding is overridden at the attachment point, at the server, or at a security domain. The default setting is Provider sample.
- Select the default service client binding. If we specify a default service client binding, the selected binding overrides the default bindings specified for the cell or the security domain to which the server is deployed. The default setting is Client sample.
- If multiple security domains are enabled, we can view the default provider bindings and the default client bindings for each security domain defined in the security domain default bindings collection. We can select the security domain name link to access the domain and select different default bindings. Additionally, we can select the default provider binding links or the default client binding links to access the default bindings and select different default binding settings.
- Click Apply to apply selected bindings as the global default bindings.
- Click Save to save the changes to the master configuration.
- (optional) If we are using a v6.1 application, we can specify server V6.1 default policy set bindings. To set these bindings, select Services > Policy sets > Default policy set bindings > v6.1 default policy set bindings.
Mixed-version environment:
If we have an application containing one or more application specific bindings configured at the WAS v6.1 level, this application is a V6.1 application. If we have applications deployed to V6.1 servers within the v7.0 or later application server environment, or we have V6.1 applications deployed to V7.0 or later versions of the application server, we can specify v6.1 default policy set bindings for the cell. These bindings are used for both client and provider policy set attachments within V6.1 applications and attachments to service applications deployed to a V6.1 server. Additionally, these default bindings are used for V6.1 attachments unless they are overridden at the attachment point by an application specific binding or a V6.1 server default binding. We can upgrade V6.1 bindings to the bindings used by WAS V7.0 and later versions. Use the upgradeBindings command using the wsadmin tool to upgrade the bindings level, if the V6.1 application is not installed on WAS V6.1.
When we complete these steps, we have defined our global security (cell) default policy set bindings and domain default policy set bindings, if applicable.
Example
Suppose that we do not want to use the provided general provider binding, Provider sample, as our default service provider binding. To take advantage of existing bindings, we can copy and modify the Provider sample to meet the business needs. This example assumes that the server environment has SecurityDomain1 and SecurityDomain2 defined.
- Copy and modify the provided Provider sample general service provider binding. Click Services > Policy sets > General provider policy set bindings. Select Provider sample > copy. Name the new general provider binding, MyServiceProviderbinding, and provide a description for the new binding.
- Copy and modify the provided Client sample general service client binding. Click Services > Policy sets > General client policy set bindings. Select Client sample > copy. Name the new general client binding, MyServiceClientbinding, and provide a description for the new binding.
- To specify the default policy set bindings for our global security (cell) and for our domains, click Services > Policy sets > Default policy set bindings. From this page, select MyServiceProviderbinding as the default service provider binding, and select MyServiceClientbinding as the default service client binding.
- Click Apply and Save to save the changes to the master configuration.
Assigning a domain default binding is optional. Generally, we assign domain default policy set bindings only when we want the servers in the domain to use different default bindings than the rest of the cell. In this example, suppose we have defined another general provider binding, MyServiceProviderbinding2, and we want to specify this binding as the domain default binding for our SecurityDomain1 domain.
- From the security domain default bindings collection click SecurityDomain1 > Default policy set bindings. From this page, we can select MyServiceProviderbinding2 as the service provider domain default binding.
- Click Apply and Save to save the changes to the master configuration.
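The fallback rules described above, applied to this example's configuration, as an added illustration that is not part of the product or its documentation. It models attachment, server, domain and cell scopes in plain Python; the server names, application names and the "AppC specific binding" are constructed sample data, and the function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Cell:
    default: str                                         # global security (cell) default
    domain_defaults: dict = field(default_factory=dict)  # domain name -> binding
    server_defaults: dict = field(default_factory=dict)  # server name -> binding
    server_domain: dict = field(default_factory=dict)    # server name -> domain name

def effective_binding(cell, server, assigned=None):
    """Return (binding, scope) used by a provider attachment on `server`."""
    if assigned:                                  # binding assigned at the attachment
        return assigned, "attachment"
    if server in cell.server_defaults:            # server default, if one was chosen
        return cell.server_defaults[server], "server"
    domain = cell.server_domain.get(server)
    if domain in cell.domain_defaults:            # else the domain default
        return cell.domain_defaults[domain], "domain"
    return cell.default, "cell"                   # else the cell default

def resolves_to(cell, attachments, binding):
    """List (application, server) pairs whose effective binding is `binding`."""
    return [(app, srv) for app, srv, assigned in attachments
            if effective_binding(cell, srv, assigned)[0] == binding]

def can_delete(cell, attachments, binding):
    """Page rule: a binding in use by an attachment or set as a default stays."""
    is_default = (binding == cell.default
                  or binding in cell.domain_defaults.values()
                  or binding in cell.server_defaults.values())
    is_assigned = any(a == binding for _, _, a in attachments)
    return not (is_default or is_assigned)

# Constructed layout: two servers, one per security domain from the example.
SERVER_DOMAIN = {"server1": "SecurityDomain1", "server2": "SecurityDomain2"}
ATTACHMENTS = [("AppA", "server1", None), ("AppB", "server2", None),
               ("AppC", "server2", "AppC specific binding")]

BEFORE = Cell("Provider sample", server_domain=SERVER_DOMAIN)
AFTER = Cell("MyServiceProviderbinding",
             domain_defaults={"SecurityDomain1": "MyServiceProviderbinding2"},
             server_domain=SERVER_DOMAIN)

if __name__ == "__main__":
    for label, cell in (("before", BEFORE), ("after", AFTER)):
        for app, srv, assigned in ATTACHMENTS:
            print(label, app, srv, effective_binding(cell, srv, assigned))
        print(label, "still on Provider sample:",
              resolves_to(cell, ATTACHMENTS, "Provider sample"))
```

Running it shows which attachments silently inherit the product sample before the change and that none do afterwards, which is the check worth repeating whenever a domain or server default is removed.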
Subtopics
- Default policy set bindings collection
Specify the service provider and client default bindings. The specified service provider and client bindings are used at the cell (global security) level unless these specified bindings are overridden at the attachment point, at the server, or at a security domain.
- v6.1 default policy set bindings
Specify v6.1 default policy set bindings for the cell (global security). These bindings are used for both client and provider policy set attachments within v6.1 applications and attachments to service applications deployed to a v6.1 server. These default bindings are used for Version 6.1 attachments unless they are overridden at the attachment point or by a v6.1 server default binding.
- Domain default bindings settings
Specify the default policy set bindings for this security domain.
Related topics
- Manage policy sets
- Server default binding settings
- Set server default bindings for policy sets
- Administrative roles