Configure custom policies and bindings for security tokens using wsadmin scripting
Use the setPolicyType and setBinding commands for the AdminTask object to specify security tokens for custom policy and binding configurations.
Before you begin, create the custom policy set that this task configures.
The following scenarios configure the custom policy and bindings to use a Kerberos token that is based on the OASIS Kerberos Token Profile V1.1 specification. We can also use the setPolicyType and setBinding commands to configure other token types, such as username tokens, LTPA tokens, and SecureConversation tokens.
Tasks
- Configure custom policies for security tokens.
  - Launch the wsadmin scripting tool using the Jython scripting language. For details, see the information about starting the wsadmin scripting client.
  - Display the properties of the policy of interest.
    Use the getPolicyType command to display detailed property information for the WS-Security policy type, as the following command demonstrates:
    AdminTask.getPolicyType('-policySet AuthenticationTokenService -policyType WSSecurity')
    The getPolicyType command returns a properties object containing name and value pairs for each property, as the following sample output displays:
    '[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] [enabled true] [type WSSecurity] [description [Policies for sending security tokens and providing message confidentiality and integrity, based on the OASIS Web Service Security and Token Profiles specifications.]] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri ] [provides ] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]'
  - Specify the authentication token for the policy type.
    Use the setPolicyType command to specify the Uniform Resource Identifier (URI) of the authentication token for services as the value for the SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri property. Use the [ ] syntax to specify an empty string. In this Kerberos example the full token ValueType is carried in the SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname property, so the uri property is set to an empty string, as the following example shows:
    AdminTask.setPolicyType('-policySet AuthenticationTokenService -policyType WSSecurity -attributes "[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] [enabled true] [type WSSecurity] [description [Policies for sending security tokens and providing message confidentiality and integrity, based on the OASIS Web Services Security and Token Profiles specifications.]] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri []] [provides []] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]"')
- Configure custom bindings for security tokens.
  - Start the wsadmin scripting tool.
  - Display the properties of the binding of interest.
    Use the getBinding command to display detailed property information for the binding of interest:
    AdminTask.getBinding('-policyType WSSecurity -bindingLocation "" -bindingName AuthenticationTokenService')
    The getBinding command returns a properties object containing name and value pairs for each property, as the following sample output displays:
    '[ [application.securityinboundbindingconfig.tokenconsumer_0.properties_0.name com.ibm.wsspi.wssecurity.krbtoken.serviceSPN] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri ] [application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler] [application.name application][application.securityinboundbindingconfig.tokenconsumer_0.properties_0.value HTTP/derekho1.firehorse.austin.ibm.com] [application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname system.wss.consume.KRB5BST] [application.securityinboundbindingconfig.tokenconsumer_0.name con_krbtoken][application.securityinboundbindingconfig.tokenconsumer_0.classname com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer] [application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference request:krb_token] ]'
  - Specify the authentication token for the binding.
    Use the setBinding command to specify the Uniform Resource Identifier (URI) of the authentication token for services as the value for the application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri property. Use the [ ] syntax to specify an empty string. As in the policy, the full token ValueType is carried in the application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname property, so the uri property is set to an empty string, as the following example shows:
    AdminTask.setBinding('-policyType WSSecurity -bindingLocation "" -bindingName AuthenticationTokenService -attributes "[ [application.securityinboundbindingconfig.tokenconsumer_0.properties_0.name com.ibm.wsspi.wssecurity.krbtoken.serviceSPN] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri []] [application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler] [application.name application][application.securityinboundbindingconfig.tokenconsumer_0.properties_0.value HTTP/derekho1.firehorse.austin.ibm.com] [application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname system.wss.consume.KRB5BST][application.securityinboundbindingconfig.tokenconsumer_0.name con_krbtoken][application.securityinboundbindingconfig.tokenconsumer_0.classname com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer] [application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference request:krb_token] ]"')
If the setPolicyType and setBinding commands return a 'true' value, the system successfully updated the policy and binding configurations. Save the changes with AdminConfig.save() so that they persist in the configuration repository.
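Both procedures above follow the same pattern: read the current properties with a get command, change one value, and pass the whole list back to the matching set command, using [] for an empty string. Retyping the full -attributes string by hand is error-prone, so the following added example (not part of the original page or of the AdminTask API) parses the bracketed properties string that getPolicyType and getBinding print, changes a single property, and rebuilds the -attributes argument. parse_properties, format_attributes, update_property and the RecordingAdminTask stand-in are hypothetical helpers written for this page; the sample input is the getPolicyType output shown above, and only syntax shared by CPython 3 and the Jython 2.x interpreter in wsadmin is used.

```python
# Added example for this page: round-trip a wsadmin properties string so a
# single property (here the custom token uri) can be changed without retyping
# the whole -attributes list. The helpers below are hypothetical and are not
# part of the AdminTask API.

# Sample output of AdminTask.getPolicyType as printed on the page (wsadmin
# prints the quoted repr), used as the input for the round trip.
SAMPLE_POLICY_OUTPUT = (
    "'[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken "
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] "
    "[enabled true] [type WSSecurity] [description [Policies for sending security tokens "
    "and providing message confidentiality and integrity, based on the OASIS Web Service "
    "Security and Token Profiles specifications.]] "
    "[SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri ] [provides ] "
    "[SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname "
    "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]'"
)

URI_PROPERTY = 'SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri'


def parse_properties(text):
    """Turn '[ [name value] [name [value with spaces]] [name ] ... ]' into a dict.
    A bracketed value (the description) may contain spaces; an entry with
    nothing after the name ([provides ]) is the empty string."""
    text = text.strip()
    if text[:1] == "'" and text[-1:] == "'":      # strip the repr quotes
        text = text[1:-1]
    if not (text.startswith('[') and text.endswith(']')):
        raise ValueError('not a wsadmin properties string')
    body = text[1:-1]
    props = {}
    i = 0
    while i < len(body):
        if body[i].isspace():
            i = i + 1
            continue
        if body[i] != '[':
            raise ValueError('expected [ at offset %d' % i)
        # Find the ] that closes this entry, skipping a bracketed value inside it.
        depth = 0
        j = i
        while j < len(body):
            if body[j] == '[':
                depth = depth + 1
            elif body[j] == ']':
                depth = depth - 1
                if depth == 0:
                    break
            j = j + 1
        if depth != 0:
            raise ValueError('unbalanced brackets')
        parts = body[i + 1:j].split(None, 1)
        if not parts:
            raise ValueError('entry without a name at offset %d' % i)
        value = ''
        if len(parts) > 1:
            value = parts[1].strip()
        if value.startswith('[') and value.endswith(']'):
            value = value[1:-1]
        props[parts[0]] = value
        i = j + 1
    return props


def format_attributes(props):
    """Build the -attributes argument; '' becomes [] as the page requires, and
    values containing spaces are wrapped in their own brackets."""
    entries = []
    for name, value in props.items():
        if value == '':
            entries.append('[%s []]' % name)
        elif value.find(' ') >= 0:
            entries.append('[%s [%s]]' % (name, value))
        else:
            entries.append('[%s %s]' % (name, value))
    return '[ ' + ' '.join(entries) + ' ]'


def update_property(getter, setter, base_args, name, value):
    """Read the current configuration with getter (getPolicyType or getBinding),
    change one existing property, write it back with the paired setter, and
    return True only when the set command reports 'true'."""
    props = parse_properties(getter(base_args))
    if name not in props.keys():
        raise KeyError('%s is not a property of this configuration' % name)
    props[name] = value
    result = setter('%s -attributes "%s"' % (base_args, format_attributes(props)))
    return str(result).lower() == 'true'


class RecordingAdminTask:
    """Constructed stand-in for wsadmin's AdminTask so the example runs offline:
    returns the sample output and records the setPolicyType arguments."""
    def __init__(self, output):
        self.output = output
        self.last_set_args = None

    def getPolicyType(self, args):
        return self.output

    def setPolicyType(self, args):
        self.last_set_args = args
        return 'true'


def demo():
    """Clear the custom token uri, as the page's setPolicyType example does."""
    task = RecordingAdminTask(SAMPLE_POLICY_OUTPUT)
    ok = update_property(task.getPolicyType, task.setPolicyType,
                         '-policySet AuthenticationTokenService -policyType WSSecurity',
                         URI_PROPERTY, '')
    return ok, task.last_set_args


if __name__ == '__main__':
    print(demo())
```

Inside wsadmin the same call is made against the real object: update_property(AdminTask.getPolicyType, AdminTask.setPolicyType, '-policySet AuthenticationTokenService -policyType WSSecurity', URI_PROPERTY, '') for the policy, and update_property(AdminTask.getBinding, AdminTask.setBinding, '-policyType WSSecurity -bindingLocation "" -bindingName AuthenticationTokenService', 'application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri', '') for the binding, followed by AdminConfig.save(). update_property refuses to add a property name that the get command did not return, which catches a mistyped property before it reaches the set command.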
Related:
- Web Services Security default policy sets
- Start the wsadmin scripting client
- Create policy sets
- Add and remove policies
- PolicySetManagement
- WSSecurity policy and binding properties