Manage policy set attachments
Use the wsadmin tool to manage your policy set attachment configurations. Use the Jython or Jacl scripting language to list all attachments and attachment properties, add or remove resources for an existing attachment, and transfer attachments across policy sets.
When administrative security is enabled, verify that we use the correct administrative role, as the following table describes:
| Administrative role | Authorization |
| --- | --- |
| Administrator | The Administrator role must have cell-wide access to manage policy set attachments. If we have access to a specific resource only, we can manage policy set attachments for the resource for which we have access. |
| Configurator | The Configurator role must have cell-wide access to manage policy set attachments. If we have access to a specific resource only, we can manage policy set attachments for the resource for which we have access. |
| Deployer | The Deployer role with cell-wide or resource specific access can manage policy set attachments for application resources only. |
| Operator | The Operator role cannot manage policy set attachments. |
| Monitor | The Monitor role cannot manage policy set attachments. |
Policy set attachments define how a policy set is attached to resources and binding configurations.
Tasks
- Query the configuration for policy set attachments and attachment properties.
Before making configuration changes to your policy set attachments, use the listAttachmentsForPolicySet and getPolicySetAttachments commands to view current configuration information about your policy set attachments.
- Start the wsadmin scripting tool.
- Use the listAttachmentsForPolicySet command to view all applications to which a specific policy set is attached, for example:
AdminTask.listAttachmentsForPolicySet('[-policySet PolicySet1]')
Use the -attachmentType parameter to narrow your query. We can query for provider or client attachments.
The application and system/trust values for the -attachmentType parameter are deprecated. Specify the provider value in place of the application value. For system policy set attachments, specify the provider value for the attachmentType parameter. For a trust client attachment, or a WSNClient attachment, specify the client value for the attachmentType parameter.
- Use the getPolicySetAttachments command to view the properties for all policy set attachments in a specified application, for example:
AdminTask.getPolicySetAttachments('[-applicationName application1]')
Use the -attachmentType parameter to narrow your query. We can query for provider or client attachments.
- Determine the assets to which a specific policy set is attached.
Use the listAssetsAttachedToPolicySet command to display the assets that are attached to the policy set of interest, as the following example demonstrates:
AdminTask.listAssetsAttachedToPolicySet('[-policySet SecureConversation]')
The command returns a list of properties that describe each asset. Each properties object contains the assetType property, which specifies the type of asset.
- Modify resources that apply to a policy set attachment.
- Start the wsadmin scripting tool.
- Determine the resource of interest and review the command syntax for the updatePolicySetAttachment command.
For the commands in the PolicySetManagement group, the term resource refers to a web service artifact. For application and service client policy sets, the artifacts use the application hierarchy. The application hierarchy includes a web service, module name, endpoint, or operation. Enter the value for the -resource parameter as a string, with a forward slash ( / ) character as a delimiter.
When attempting to connect to a web service from a thin client, verify that the resources we are specifying are valid before running the updatePolicySetAttachment command. No configuration changes are made if the requested resource does not match a resource in the attachment file for the application.
Use the following format for application and client policy set attachments:
- WebService:/
Attaches all artifacts in the application to the policy set.
- WebService:/webapp1.war:{http://www.ibm.com}myService
Attaches all artifacts within the web service {http://www.ibm.com}myService to the policy set. Provide a fully qualified name (QName) for the service.
- WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA
Attaches all operations for the endpointA endpoint to the policy set.
- WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA/operation1
Attaches only the operation1 operation to the policy set.
The format for the -resource string differs for system policy set attachments for the trust service. Use the following format for system policy set attachments:
- Trust.opName:/
The opName attribute can be issue, renew, cancel, or validate.
- Trust.opName:/url
The opName attribute can be issue, renew, cancel, or validate. We can specify any valid URL for the url attribute.
- Modify the attachment.
For example, the policy set attachment is connected to the operation1 operation, which is a specific single operation. To attach the 124 attachment to all operations for the endpointA endpoint, enter:
AdminTask.updatePolicySetAttachment('[-attachmentId 124 -resources "WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA" -applicationName application1]')
The updatePolicySetAttachment command replaces all existing resources for an attachment with the resources specified in the command. We can also update our policy set attachments using the addToPolicySetAttachment command to add resources to an existing attachment, or use the createPolicySetAttachment command to create an attachment for a specific resource. For more information about these commands, see the commands for the PolicySetManagement group for the AdminTask object.
- Save the configuration changes.
Enter the following command to save the changes:
AdminConfig.save()
- Remove resources that apply to a policy set attachment.
- Start the wsadmin scripting tool.
- Determine which resources to remove with the command. We can remove a resource for each web service artifact, each operation for an endpoint, or for a specific operation. In the following example, the command removes the newAttach attachment from operation1, which is associated with the plantShop application.
AdminTask.removeFromPolicySetAttachment('[-attachmentId newAttach -resources "WebService:/webapp1.war:{http://www.ibm.com}myPlantService/endpointA/operation1" -applicationName plantShop]')
The command returns a success or failure message.
- Save the configuration changes.
Enter the following command to save the changes:
AdminConfig.save()
- Transfer attachments from one policy set to another policy set. This command detaches each web service from the source policy set and attaches those web services to the destination policy set. The destination policy set must have the same set of enabled policy types as the source policy set.
- Enter the following command to transfer all attachments:
AdminTask.transferAttachmentsForPolicySet('[-sourcePolicySet PolicySet1 -destinationPolicySet PolicySet2]')
The command returns a success or failure message.
- Save the configuration changes.
Enter the following command to save the changes:
AdminConfig.save()
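Because updatePolicySetAttachment replaces every existing resource and a resource string that matches nothing changes nothing, it helps to check a proposed -resources value offline first. The following Python sketch is an added example, not IBM code: it validates strings against the -resource formats listed above and reports which currently attached resources a replacement list would no longer cover. The function names, endpointB and operation2 are hypothetical, and treating Trust resources as exact-match only is an assumption.

```python
import re

# Grammar taken from the formats listed on the page:
#   WebService:/                      whole application
#   WebService:/module:{namespace}service[/endpoint[/operation]]
#   Trust.opName:/[url]               opName = issue | renew | cancel | validate
_WS = re.compile(r'^WebService:/(?:([^:/{}]+):(\{[^{}]+\}[^/{}]+)'
                 r'(?:/([^/]+))?(?:/([^/]+))?)?$')
_TRUST = re.compile(r'^Trust\.(issue|renew|cancel|validate):/(.*)$')
SCOPES = {0: 'application', 2: 'service', 3: 'endpoint', 4: 'operation'}

def parse_resource(res):
    """Return (kind, parts); raise ValueError if the string is malformed."""
    m = _WS.match(res)
    if m:
        return ('WebService', tuple([p for p in m.groups() if p is not None]))
    m = _TRUST.match(res)
    if m:
        return ('Trust.' + m.group(1), (m.group(2),))
    raise ValueError('not a valid -resource string: %r' % (res,))

def scope(res):
    """Name the hierarchy level at which a resource string attaches."""
    kind, parts = parse_resource(res)
    return SCOPES[len(parts)] if kind == 'WebService' else 'trust operation'

def covers(broad, narrow):
    """True if attaching `broad` also attaches `narrow`."""
    bk, bp = parse_resource(broad)
    nk, np_ = parse_resource(narrow)
    if bk != nk:
        return False
    if bk != 'WebService':
        return bp == np_          # Trust resources: exact match only (assumption)
    return np_[:len(bp)] == bp    # prefix in the application hierarchy

def coverage_lost(current, replacement):
    """Resources attached now that no replacement resource would still cover."""
    return [c for c in current if not any(covers(r, c) for r in replacement)]

# Constructed sample: resources on an attachment today and a proposed -resources value.
BASE = 'WebService:/webapp1.war:{http://www.ibm.com}myService'
CURRENT = [BASE + '/endpointA/operation1', BASE + '/endpointB/operation2']
PROPOSED = [BASE + '/endpointA']

if __name__ == '__main__':
    for res in coverage_lost(CURRENT, PROPOSED):
        print('would lose policy set coverage: ' + res)
```

Feed it the resources reported by getPolicySetAttachments and review any reported loss before running the update and AdminConfig.save().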