Create policy set attachments
Use the wsadmin tool, which supports the Jython and Jacl scripting languages, to define the policy set configuration for our web services applications.
When administrative security is enabled, verify that we use the correct administrative role, as the following table describes:
| Administrative role | Authorization |
| --- | --- |
| Administrator | The Administrator role must have cell-wide access to create policy set attachments. If we have access to a specific resource only, we can create policy set attachments for the resource for which we have access. |
| Configurator | The Configurator role must have cell-wide access to create policy set attachments. If we have access to a specific resource only, we can create policy set attachments for the resource for which we have access. |
| Deployer | The Deployer role with cell-wide or resource specific access can create policy set attachments for application resources only. |
| Operator | The Operator role cannot create policy set attachments. |
| Monitor | The Monitor role cannot create policy set attachments. |

Before using the commands in this topic, verify that we are using the most recent version of the wsadmin tool. The policy set management commands that accept a properties object as the value for the attributes or bindingLocation parameters are not supported on previous versions of the wsadmin tool. For example, the commands do not run on a v6.1.0.x node.
To use a new policy set to manage policies for the application, we must attach the policy set to an application artifact or artifacts. When the application restarts, the application uses the policies from the newly attached policy set.
Mixed-version environment: In a mixed cell environment, the following limitations apply to service reference attachments or resource attachments specified in name-value pair format:
- We must not create these types of attachments for applications deployed on an application server that is prior to WAS v8.0. Service reference attachments are only supported on WAS V8.0 and later.
- An application containing these types of attachments must not be deployed on an application server that is prior to WAS v8.0.
- If an application that is deployed in a cluster environment contains these types of attachments, we must not add a member application server that is prior to WAS v8.0 to the cluster.
Tasks
- Launch a scripting command. To learn more, read about starting the wsadmin scripting client.
- Select an application with web services to update. Use the listWebServices command to list all web services and the associated applications. Enter the following command to list all web services and attributes:
AdminTask.listWebServices()
For each web service, the command returns the associated application name, module name, service name, and service type. For example, the following information is returned:
'[ [service {http://www.ibm.com}service1] [client false] [application application1] [module webapp1.war] [type JAX-WS] ]'
- Create a policy set attachment for an application.
For the commands in the PolicySetManagement group, the term resource refers to a web service artifact. For application and service client policy sets, the artifacts use the application hierarchy. The application hierarchy includes a web service, module name, endpoint, or operation. Enter the value for the -resource parameter as a string, with a forward slash ( / ) character as a delimiter.
When attempting to connect to a web service from a thin client, verify that the resources we are specifying are valid before running the updatePolicySetAttachment command. No configuration changes are made if the requested resource does not match a resource in the attachment file for the application.
Use the following format for application and client policy set attachments:
- WebService:/
Attaches all artifacts in the application to the policy set.
- WebService:/webapp1.war:{http://www.ibm.com}myService
Attaches all artifacts within the web service {http://www.ibm.com}myService to the policy set. Provide a fully qualified name (QName) for the service.
- WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA
Attaches all operations for the endpointA endpoint to the policy set.
- WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA/operation1
Attaches only the operation1 operation to the policy set.
The format for the -resource string differs for service reference attachments. Use the following format for service reference attachments:
- type=WebService:/
Attaches all artifacts in the application to the policy set.
- type=WebService:/,module=myModule.war,service={http://www.mynamespace.com}myService
Attaches all artifacts within the web service {http://www.mynamespace.com}myService to the policy set. Provide a fully qualified name (QName) for the service.
- type=WebService:/,module=myModule.war,service={http://www.mynamespace.com}myService,serviceRef=myServiceRef
Attaches all artifacts within the web service reference myServiceRef to the policy set.
- type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA
Attaches all operations for the endpointA endpoint in the service reference myServiceRef to the policy set.
- type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA,operation=operation1
Attaches only the operation1 operation in the service reference myServiceRef to the policy set.
The format for the -resource string differs for system policy set attachments for the trust service. Use the following format for system policy set attachments:
- Trust.opName:/
The opName attribute can be issue, renew, cancel, or validate.
- Trust.opName:/url
The opName attribute can be issue, renew, cancel, or validate. We can specify any valid URL for the url attribute.
- Enter the command to attach the policy set to the application. This command attaches the policyset1 application policy set to all artifacts in the WebService application.
For transitioning users: Even though we can specify the application value for the -attachmentType parameter, use the provider value in place of the application value because the attachments are used for more than just applications, such as system attachments for trust service. For system policy set attachments, specify the provider value for the attachmentType parameter and the "[systemType trustService]" value for the -attachmentProperties parameter. For WSNClient attachments, specify the client value for the attachmentType parameter and the bus and WSNService properties with the -attachmentProperties parameter.
To attach a policy set to a Web service application, specify the provider value for the -attachmentType parameter:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -applicationName WebService -attachmentType provider]')
To attach a policy set to a service client application, specify the client value for the -attachmentType parameter:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -applicationName WebService -attachmentType client]')
To create a trust service attachment for a system policy set, specify the provider value for the -attachmentType parameter and the [systemType trustService] value for the -attachmentProperties parameter:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -attachmentType provider -attachmentProperties "[systemType trustService]"]')
To attach a policy set to a service reference, enter:
AdminTask.createPolicySetAttachment('[-resources "type=WebService:/,module=webapp1.war,service={http://www.mynamespace.com}myService,serviceRef=myServiceRef" -applicationName application1 -attachmentType client -policySet PolicySet1 -inheritFromService false]')
This command returns an attachment ID number that we must use to reference this attachment. In the next step, use the attachment ID number to set the binding configuration. For this example, the attachment ID number is 124.
- Run the command to set the binding.
To attach a policy set to a web services application, specify the provider value for the -attachmentType parameter.
The following example demonstrates how to set the timestamp expiration attribute on the SecureConversation123binding binding for the WSSecurity policy, on the WebService Web service application.
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "[[application WebService] [attachmentId 124] ]" -attachmentType provider -bindingName SecureConversation123binding -attributes "[application.securityoutboundbindingconfig.timestampexpires.expires 5]"')
To attach a policy set to a Web services application client or to a service reference, specify the client value for the -attachmentType parameter.
- Save the configuration changes.
Enter the following command to save the changes:
AdminConfig.save()
You have attached the policy set to the application artifact or artifacts specified. Restart the application to use the policies from the newly attached policy set.
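A pre-check for the -resources strings described above, as an added example that is not part of the original page or of IBM's tooling: plain Python that parses saved listWebServices output and confirms that the module and service named in a resource string exist for the application before an attachment command is run. The function names, the constructed SAMPLE, and the assumption that service reference name=value pairs nest in the order of the page's examples are this example's own; endpoints and operations do not appear in the listWebServices output, so they are not checked.

```python
import re

# Constructed sample, in the format the page shows for AdminTask.listWebServices()
SAMPLE = ('[ [service {http://www.ibm.com}service1] [client false] '
          '[application application1] [module webapp1.war] [type JAX-WS] ]')
LEVELS = ['type', 'module', 'service', 'serviceRef', 'endpoint', 'operation']
APP_RE = re.compile(r'^WebService:/(?:([^:/]+):(\{[^}]*\}[^/]+)(?:/[^/]+){0,2})?$')

def parse_web_services(output):
    """Turn listWebServices output into one dict per web service."""
    services = []
    for group in re.findall(r'\[\s*((?:\[[^\[\]]*\]\s*)+)\]', output):
        services.append(dict(re.findall(r'\[(\S+)\s+([^\[\]]*)\]', group)))
    return services

def parse_resource(resource):
    """Return (module, service) named by a -resources string; (None, None)
    means the whole application. Raises ValueError on a malformed string."""
    if resource.startswith('type='):
        # Service reference format: comma-separated name=value pairs.
        pairs = [p.split('=', 1) for p in resource.split(',')]
        names = [p[0] for p in pairs]
        # Assumption: levels nest in the order of the page's examples.
        bad_value = any(len(p) != 2 or not p[1] for p in pairs)
        if names != LEVELS[:len(names)] or bad_value:
            raise ValueError('bad name=value sequence: %s' % names)
        fields = dict(pairs)
        if fields['type'] != 'WebService:/':
            raise ValueError('type must be WebService:/')
        return fields.get('module'), fields.get('service')
    match = APP_RE.match(resource)
    if not match:
        raise ValueError('not in WebService:/module:{ns}service/... form')
    return match.group(1), match.group(2)

def check_resource(resource, app_name, services):
    """Return None if the resource matches a listed service, else a reason."""
    try:
        module, service = parse_resource(resource)
    except ValueError as err:
        return str(err)
    mine = [s for s in services if s.get('application') == app_name]
    if not mine:
        return 'no web services listed for application %s' % app_name
    for s in mine:
        if module is None or (s.get('module') == module
                              and service in (None, s.get('service'))):
            return None
    return 'no service %s in module %s of %s' % (service, module, app_name)
```

A non-None result is the reason the string would not match; because an update against an unmatched resource makes no configuration change, catching the mismatch here avoids believing a policy set is attached when it is not.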
What to do next
Manage and update our attachments.