Protection token settings (generator or consumer)
Configure protection tokens. Protection tokens sign messages to protect integrity or encrypt messages to provide confidentiality.
We can add protection token settings for message parts when we are editing general provider or client policy set bindings. We can also configure application specific bindings for tokens and message parts required by the policy set.
To view this administrative console page when we are editing a general provider binding:
- Click Services > Policy sets > General provider policy set bindings.
- Click on the name of the binding we want to edit.
- Click the WS-Security policy in the Policies table.
- Click the Authentication and protection link in the security policy bindings section.
- Click New token to create a new token generator or consumer, or click an existing consumer or generator token link from the Protection Tokens table.
To view this administrative console page when we are editing a general client binding:
- Click Services > Policy sets > General client policy set bindings.
- Click on the name of the binding we want to edit.
- Click the WS-Security policy in the Policies table.
- Click the Authentication and protection link in the Main message security policy bindings section.
- Click New token to create a new token generator or consumer or click an existing consumer or generator token link from the Protection Tokens table.
To view this administrative console page when we are configuring application specific bindings for tokens and message parts that are required by the policy set:
- Click Applications > WebSphere enterprise applications.
- Select an application containing web services. The application must contain a service provider or a service client.
- Click the Service provider policy sets and bindings link or the Service client policy sets and bindings in the Web Services Properties section.
- Select a binding. We must have previously attached a policy set and assigned a binding.
- Click the WS-Security policy in the Policies table.
- Click the Authentication and protection link in the security policy bindings section.
- Click a consumer or generator token link from the Protection Tokens table.
This administrative console page applies only to JAX-WS applications.
Name
Token generator or consumer name. Enter a name in this field when we create a new token.
Token type
Type of token. When using bindings, the token type is determined from the policy and cannot be edited.
Valid values are:
- LTPA Token V2.0
- Secure Conversation Token V1.3
- Secure Conversation Token V200502
- X509V3 Token V1.1
- X509V3 Token V1.0
- X509PKCS7 Token V1.1
- X509PKCS7 Token V1.0
- X509PkiPathV1 Token V1.1
- X509PkiPathV1 Token V1.0
- X509V1 Token V1.1
- Custom Token
The Secure Conversation Token v200502 token type for the WS-Security policy represents the requirement for a Security Context Token as defined in the February 2005 level of the WS-SecureConversation specification.
Enforce token version
When LTPA Token v2.0 is selected as the token type, both LTPA version 1 and LTPA version 2 tokens can be consumed. Select this checkbox to restrict token consumption to the LTPA Token v2.0 token type.
Local name
Local name of the custom token generator or consumer. The Local name field is populated based on the token type displayed. Use this field to edit custom token types only.
If the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile V1.1, use one of the following values listed for the local name. The value we choose depends on the specification level of the Kerberos token generated by the Key Distribution Center (KDC). The following table lists the values and the specification level associated with each value. For purposes of interoperability, the Basic Security Profile V1.1 standard requires the use of the local name http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ.
Local name values for a Kerberos token, with the associated specification level:
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ: Kerberos v5 AP-REQ as defined in the Kerberos specification. Use this value when the Kerberos ticket is an AP Request.
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ: GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC 1964, Sec. 1.1 and its successor RFC 4121, Sec. 4.1. Use this value when the Kerberos ticket is an AP Request (ST + Authenticator).
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510: Kerberos v5 AP-REQ as defined in RFC 1510. Use this value when the Kerberos ticket is an AP Request per RFC 1510.
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510: GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC 1964, Sec. 1.1 and its successor RFC 4121, Sec. 4.1. Use this value when the Kerberos ticket is an AP Request (ST + Authenticator) per RFC 1510.
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120: Kerberos v5 AP-REQ as defined in RFC 4120. Use this value when the Kerberos ticket is an AP Request per RFC 4120.
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120: GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC 1964, Sec. 1.1 and its successor RFC 4121, Sec. 4.1. Use this value when the Kerberos ticket is an AP Request (ST + Authenticator) per RFC 4120.
URI
Uniform resource identifier (URI) of the custom token generator or consumer. The URI field is populated based on the token type displayed. Use this field to edit custom token types only.
Leave this field blank if the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile V1.1.
JAAS login
JAAS application login information. Click New to add a new JAAS application login or JAAS system login entry.
If the server is in a security domain that includes specific system or application logins, these logins are listed in the JAAS login menu, in addition to the global logins.
New Application Login
Click to go to the effective JAAS login collection for the current security domain.
Custom properties - Name
Name of the custom property. Custom properties are not initially displayed in this column until they are added.
Select one of the following actions for custom properties:
- New: Creates a new custom property entry. To add a custom property, enter the name and value.
- Edit: Enables editing of the selected custom property. Select this action to provide input fields and create the listing of cell values for editing. The Edit button is not available until at least one custom property has been added.
- Delete: Removes the selected property.
If the custom token type is used to generate a Kerberos token, specify the following custom properties:
For the token generator, the combination of the target service name and target hostname forms the Service Principal Name (SPN), which represents the target Kerberos service principal name. The Kerberos client requests the initial Kerberos AP_REQ token for the SPN.
Custom property names and values:
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceName: Name of the target service. This property is required.
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost: Host name associated with the target service, in the following format: myhost.mycompany.com. This property is required.
- com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm: Name of the realm associated with the target service. This property is optional for a single Kerberos realm. If the targetServiceRealm property is not specified, the default realm name from the Kerberos configuration file is used as the realm name. In a cross or trusted realm environment, provide a value for the targetServiceRealm property.
If an application generates or consumes a Kerberos V5 AP_REQ token for each web services request message, set the com.ibm.wsspi.wssecurity.kerberos.attach.apreq custom property to true in both the token generator and the token consumer bindings for the application. For more information, see the Web Services Security troubleshooting tips topic.
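As an added illustration (not IBM's code and not part of this page), the following Python checks a custom-token binding against the Kerberos rules described above and derives the SPN that the token generator requests; the property names and local names are taken from this page, while the check functions and the sample binding are assumptions.

```python
from __future__ import annotations

KRB_PREFIX = "com.ibm.wsspi.wssecurity.krbtoken."
PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#"
# Local names this page lists for a Kerberos custom token.
KERBEROS_LOCAL_NAMES = {PROFILE + s for s in (
    "Kerberosv5_AP_REQ", "GSS_Kerberosv5_AP_REQ",
    "Kerberosv5_AP_REQ1510", "GSS_Kerberosv5_AP_REQ1510",
    "Kerberosv5_AP_REQ4120", "GSS_Kerberosv5_AP_REQ4120")}
# The one local name Basic Security Profile V1.1 requires for interoperability.
BSP11_LOCAL_NAME = PROFILE + "GSS_Kerberosv5_AP_REQ"


def target_spn(props: dict[str, str], default_realm: str) -> str:
    """Derive service/host@REALM from the krbtoken custom properties.

    targetServiceRealm is optional: when it is absent, the default realm
    from the Kerberos configuration file (passed in here) is used.
    """
    service = props[KRB_PREFIX + "targetServiceName"]
    host = props[KRB_PREFIX + "targetServiceHost"]
    realm = props.get(KRB_PREFIX + "targetServiceRealm") or default_realm
    return f"{service}/{host}@{realm}"


def check_kerberos_token_binding(local_name: str, uri: str, props: dict[str, str],
                                 cross_realm: bool = False) -> list[str]:
    """Return findings for a custom-token binding; an empty list means it is consistent."""
    findings = []
    if local_name not in KERBEROS_LOCAL_NAMES:
        findings.append("local name is not a Kerberos Token Profile V1.1 value")
    elif local_name != BSP11_LOCAL_NAME:
        findings.append("local name is not the BSP V1.1 value GSS_Kerberosv5_AP_REQ")
    if uri.strip():
        findings.append("URI must be left blank for a Kerberos custom token")
    for required in ("targetServiceName", "targetServiceHost"):
        if not props.get(KRB_PREFIX + required):
            findings.append(f"required property {required} is missing")
    host = props.get(KRB_PREFIX + "targetServiceHost", "")
    if host and "." not in host:
        findings.append("targetServiceHost should be fully qualified, e.g. myhost.mycompany.com")
    if cross_realm and not props.get(KRB_PREFIX + "targetServiceRealm"):
        findings.append("targetServiceRealm is required in a cross-realm or trusted-realm setup")
    return findings


# Constructed sample binding (hypothetical, not from a real cell); it satisfies every rule above.
SAMPLE_PROPS = {KRB_PREFIX + "targetServiceName": "http",
                KRB_PREFIX + "targetServiceHost": "myhost.mycompany.com"}
```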
Custom properties - Value
Value of the custom property. Use the Value field to enter, edit, or delete the value for a custom property.
Callback handler
After all other configurations on the protection token page are applied or saved, this section is displayed and links to the configuration settings for the callback handler. Click this link to specify callback handler settings that determine how security tokens are acquired from message headers.
Tolerate secure conversation token V200502
The secure conversation token V200502 token type for the WS-Security policy represents the requirement for a secure conversation token as defined in the February 2005 level of the WS-SecureConversation specification. This option specifies whether the provider handles both secure conversation token V1.3 and secure conversation token V200502. By default, the provider handles both versions. We can change this behavior by clearing the check box so that the provider handles only the V1.3 token.
This checkbox is displayed only in the service provider token consumer panel.
- Data type: Check box
- Range: Selected or cleared
- Default value: Selected
Related topics
- Define and manage policy set bindings
- Manage policy sets
- WS-Security authentication and protection
- Web Services Security troubleshooting tips
- Callback handler settings for JAX-WS
- Application policy sets collection
- Application policy set settings
- Search attached applications collection
- Policy set bindings settings
- Configuration entry settings for JAAS