Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows
Configure the Consumer portal for LTPA token authentication
After you have exported the portal EAR file and imported it into the assembly tool, you can now make the modifications required to configure your Consumer portal for LTPA authentication. You can also have your Consumer portal support multiple Producers with different Web services security configurations.
You can use all security tokens that IBM® WebSphere® Application Server supports. The example scenario and configuration procedure in this topic use LTPA token forwarding. For these modifications, use the tools provided by the Application Server Toolkit (AST). The AST is provided with the portal on a separate set of CDs. To make these modifications, you perform the following tasks:
- Modifying the Web services client security extensions for LTPA authentication on the Consumer portal
- Modifying the Web services client security bindings for LTPA authentication on the Consumer portal
- Optional: If you want to consume WSRP services from Producers with different security configurations, you also perform this task: Modifying the Consumer portal for using different Web services security configurations for Producers.
For more general and detailed background information about configuring Web services security while assembling Web services applications, refer to the WebSphere Application Server information center at the following locations:
- http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.base.doc/info/aes/ae/twbs_confappwssassembly.html
- http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.nd.doc/info/ae/ae/catk_assemblytools.html
Modifying the Web services client security extensions for LTPA authentication on the Consumer portal
As part of specifying the LTPA authentication for a Consumer portal, you modify the Web service client security extensions.
You need to add the necessary Producer security extension information for each WSRP portType. To specify the security extension information for a Producer portal, you modify the Web service client security extensions. To do this, you use the Web services client editor of the assembly tool. Proceed by the following steps:
1. In the J2EE perspective, Project Explorer, expand the WebServices > Clients subtree.
2. Open the client descriptor in one of the following two ways:
   - Open the client descriptor wps.ear:service/WSRPService with the WebServices Client Editor. This is the default. wps.ear is the EAR file name that you assigned when you imported the portal EAR file into the assembly tool in a previous step.
   - Alternatively, you can configure the client descriptor security extensions and bindings by opening Dynamic Web Projects > wps > Web Content > WEB-INF > web.xml, where wps is the WAR file name that you assigned when you imported the portal EAR file into the assembly tool in a previous step.
3. In the editor, navigate to the WS Extension tab.
4. For every port that requires LTPA token authentication, select the port in the Port Qname Bindings section.
5. Select Request Generator Configuration > Security Token.
6. Click Add to add a new token.
7. In the Security Token pop-up dialog, proceed by the following steps:
   1. Assign a unique name to the token.
   2. From the drop-down list, select LTPA token as the token type.
   3. Click OK to close the dialog.
8. Click Save to save your changes in the service descriptor.
Modifying the Web services client security bindings for LTPA authentication on the Consumer portal
As part of specifying the LTPA authentication for a Consumer portal, you add the necessary client security binding information.
You need to add the necessary Consumer security binding information for each WSRP portType. To specify the client security binding information for a Consumer portal, you modify the Web service client security bindings. To do this, you use the Web services client editor of the assembly tool. Proceed by the following steps:
1. In the J2EE perspective, Project Explorer, expand the WebServices > Clients subtree.
2. Open the client descriptor in one of the following two ways:
   - Open the client descriptor wps.ear:service/WSRPService with the WebServices Client Editor. This is the default. wps.ear is the EAR file name that you assigned when you imported the portal EAR file into the assembly tool in a previous step.
   - Alternatively, you can configure the client descriptor security extensions and bindings by opening Dynamic Web Projects > wps > Web Content > WEB-INF > web.xml, where wps is the WAR file name that you assigned when you imported the portal EAR file into the assembly tool in a previous step.
3. In the editor, navigate to the WS Binding tab.
4. For every port that requires LTPA token authentication, select the port in the Port Qname Bindings section.
5. Select Request Generator Binding Configuration > Token Generator.
6. Click Add to add a new token generator.
7. In the Token Generator pop-up dialog, proceed by the following steps:
   1. Assign a unique name to the token generator.
   2. Select com.ibm.wsspi.wssecurity.token.LTPATokenGenerator as the token generator class from the drop-down list.
   3. Select the token name to which this token generator applies. The security token name is the name of the token that you assigned in the Web service client security extension for the portType that you are configuring.
   4. Select LTPA Token as the value type. Depending on the assembly tool that you use, this selection might be made by a drop-down list or by a checkbox.
   5. From the drop-down list, select com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler as the callback handler.
   6. Click OK to close the dialog.
8. Click Save to save your changes in the service descriptor.
Alternatively, you can also modify the Web services client security bindings by using the administrative console. However, if you do this, you can only perform this step after you have modified the Web Services Client Security Extensions in the previous step and redeployed the portal EAR file. For details about the administrative console, refer to the WebSphere Application Server Information Center.
Modifying the Consumer portal for using different Web services security configurations for Producers
If you want to consume Web services from different Producers, you set up different security configurations for them in your Consumer portal.
To set up different security configurations for these Producers in your Consumer portal, you generate custom ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files. The settings that you configure in these files override the security settings configured in the Web Service Client Security Extensions and Web Service Client Bindings as described under Modifying the Web services client security extensions for LTPA authentication on the Consumer portal and Modifying the Web services client security bindings for LTPA authentication on the Consumer portal above.
Only one port can be described in each set of extension and binding files. For each portType, you need to create a pair of ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files that contain only one portType definition. Therefore, if the ws-security settings for all Producers are different, repeat steps 3 to 5 and specify the settings for each Producer in turn. To generate these files, perform the following steps for each portType:
1. Export the WebSphere Portal Express EAR file as described in Exporting the portal EAR file.
2. Import the WebSphere Portal Express EAR file into an assembly tool as described under Importing the portal EAR file into an assembly tool. For details about how to do this, refer to the WebSphere Application Server Information Center.
3. Modify the Web Service Client Security Extensions by using the following steps:
   1. In the J2EE perspective, Project Explorer, expand the WebServices > Clients subtree.
   2. Open the client descriptor in one of the following two ways:
      - Open the client descriptor wps.ear:service/WSRPService with the WebServices Client Editor. This is the default. wps.ear is the EAR file name that you assigned when you imported the portal EAR file into the assembly tool in a previous step.
      - Alternatively, you can configure the client descriptor security extensions and bindings by opening Dynamic Web Projects > wps > Web Content > WEB-INF > web.xml, where wps is the WAR file name that you assigned when you imported the portal EAR file into the assembly tool in a previous step.
   3. In the editor, navigate to the WS Extension tab.
   4. In the Port Qname Bindings section, remove all portTypes except the one that you intend to configure.
   5. Configure Request Generator Configuration > Security Token. To do this, follow the description given in Modifying the Web services client security extensions for LTPA authentication on the Consumer portal above.
   6. Click Save to save your changes in the client descriptor.
4. Modify the Web Service Client Security Bindings by using the following steps:
   1. In the Web Services editor, navigate to the WS Binding tab.
   2. In the Port Qname Bindings section, remove all portTypes except the one that you intend to configure. This has to be the same portType that you configured in the Web Service Client Security Extensions tab.
   3. Configure Security Request Generator Binding Configuration > Token Generator. To do this, follow the description given in Modifying the Web services client security bindings for LTPA authentication on the Consumer portal above.
   4. Click Save to save your changes in the client descriptor.
5. Copy and rename the changed files ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi to a location of your choice in your file system. To do this:
   1. Select both files in Project Explorer > Dynamic Web Projects > wps > Web Content > WEB-INF.
   2. Right-click and select Export > File System. A file saving dialog appears.
   3. Proceed as guided by the file saving dialog.
   In a cluster environment, place the files at the same directory location on each cluster node.
6. After you have created all necessary files, add the following WSRP configuration properties to the portal Resource Environment Provider WSRPWebServiceSecurity in the administrative console. For details about how to do this, refer to Setting configuration properties. With the configuration of this Resource Environment Provider you assign the Web service client extension and binding files for each port to a Producer. You can configure the following custom properties:
   - reloadInterval (default 900)
     This property defines the reload time interval at which the Consumer loads this property file into its memory. This property is optional. Specify a value in seconds. A value of zero or less stops the reloading of the configuration. The default value is 900 seconds (= 15 minutes).
   - producerToken.wsdl
     This property defines the URL of the Producer WSDL file. This property is mandatory if port definitions for this Producer are available. The value of this property has to be unique in this file.
   - producerToken.WSRPBaseService.WSClientExtension
     This property defines the file location of the Web service client extension file for the WSRPBaseService. This property is optional.
   - producerToken.WSRPBaseService.WSClientBinding
     This property defines the file location of the Web service client binding file for the WSRPBaseService.
For each Producer that requires a separate security configuration, replace the producerToken portions of the three producerToken.xyz parameters listed above with a unique, freely definable group identifier. The security configuration with the binding and extension files for the WSRPServiceDescriptionService, the WSRPPortletManagementService, and the WSRPRegistrationService needs to follow the rules of the WSRPBaseService. The following example lists the properties for a configuration of the WSRP Resource Environment Provider with two Producers and a Producer security configuration for the WSRPServiceDescriptionService and WSRPBaseService:
| Example property name | Example property value |
| --- | --- |
| prod1.wsdl | http://www.portal.com:10038/wps/wsdl/wsrp.wsdl |
| prod1.WSRPBaseService.WSClientExtension | /portal/prod1_bs_ext.xmi |
| prod1.WSRPBaseService.WSClientBinding | /portal/prod1_bs_bnd.xmi |
| prod1.WSRPServiceDescriptionService.WSClientExtension | /portal/prod1_sd_ext.xmi |
| prod1.WSRPServiceDescriptionService.WSClientBinding | /portal/prod1_sd_bnd.xmi |
| prod2.wsdl | http://foreignhost:80/portal/wsdl/file.wsdl |
| prod2.WSRPServiceDescriptionService.WSClientExtension | /portal/prod2_sd_ext.xmi |
| prod2.WSRPServiceDescriptionService.WSClientBinding | /portal/prod2_sd_bnd.xmi |
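As an added example that is not part of this IBM topic, the following Python checker applies the rules stated above to a set of WSRPWebServiceSecurity custom properties before they are entered in the administrative console: a producerToken.wsdl is mandatory once port files exist for that Producer, every wsdl value must be unique, only the four WSRP services may carry an extension or binding file, and reloadInterval defaults to 900 seconds with zero or less switching reloading off. The `name = value` text layout, the SAMPLE text and the function names are constructed for this example; the Resource Environment Provider itself is configured in the console, not read from such a file.

```python
import re

# The four WSRP portTypes named in the topic; each may get its own xmi file pair per Producer.
WSRP_SERVICES = {"WSRPBaseService", "WSRPServiceDescriptionService",
                 "WSRPPortletManagementService", "WSRPRegistrationService"}
PORT_KEY = re.compile(r"^([^.]+)\.([^.]+)\.(WSClientExtension|WSClientBinding)$")

# Constructed sample: two Producers from the topic's table, plus prod3 which lacks its wsdl.
SAMPLE = """reloadInterval = 300
prod1.wsdl = http://www.portal.com:10038/wps/wsdl/wsrp.wsdl
prod1.WSRPBaseService.WSClientExtension = /portal/prod1_bs_ext.xmi
prod2.wsdl = http://foreignhost:80/portal/wsdl/file.wsdl
prod2.WSRPServiceDescriptionService.WSClientBinding = /portal/prod2_sd_bnd.xmi
prod3.WSRPRegistrationService.WSClientBinding = /portal/prod3_reg_bnd.xmi"""


def parse_properties(text):
    """Turn 'name = value' lines into a dict; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")
            props[name.strip()] = value.strip()
    return props


def reload_interval(props):
    """Effective reload period in seconds; None means reloading is off (value <= 0)."""
    seconds = int(props.get("reloadInterval", 900))  # 900 s is the default the topic gives
    return seconds if seconds > 0 else None


def validate(props):
    """Return the rule violations found; an empty list means the grouping rules hold."""
    problems, producers_with_ports, wsdls = [], set(), {}
    for name, value in props.items():
        if name.endswith(".wsdl"):
            wsdls[name[:-5]] = value  # producerToken is everything before ".wsdl"
        elif (m := PORT_KEY.match(name)) and m.group(2) in WSRP_SERVICES:
            producers_with_ports.add(m.group(1))
        elif name != "reloadInterval":
            problems.append(f"unrecognised property {name}")
    for token in sorted(producers_with_ports):  # port files require the Producer's wsdl property
        if token not in wsdls:
            problems.append(f"{token}: port files configured but {token}.wsdl is missing")
    seen = {}
    for token, url in wsdls.items():  # every wsdl value has to be unique in the file
        if url in seen:
            problems.append(f"{token}.wsdl duplicates {seen[url]}.wsdl")
        seen.setdefault(url, token)
    return problems
```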