Configure WSRP Producer ports for Web Service Security on the Consumer portal
We can configure each WSRP port of a particular Producer definition to use web service security using either LTPA or username tokens.
The WSRP Consumer creates a WS-Security-compliant header containing a security token. When the Producer receives a WSRP request message that contains a WS-Security header, it processes the request under the user identity represented by the security token, and performs access control for provided portlets.
IBM WebSphere Portal Express Version 8.5 provides three security token types for the most common scenarios.
- LTPAv2_Token: The Consumer portal provides an LTPA version 2 token in the WS-Security message header. This token type requires that the Consumer and Producer portals share their user registry and LTPA configuration.
- LTPA_Token: The Consumer portal provides an LTPA version 1 token in the WS-Security message header. This token type requires that the Consumer and Producer portals share their user registry and LTPA configuration. IBM WAS V8.5 supports the LTPA v2 token by default. Use the LTPA_Token only if a Producer requires an LTPA v1 token and cannot be configured to use LTPA v2 tokens. A WebSphere Portal V8.5 Producer does not require LTPA v1 tokens. If we use a WebSphere Portal V8.5 Producer, do not use this token type. Because WAS V8.5 does not support LTPA v1 by default, we need to enable the single sign-on interoperability mode using the single sign-on (SSO) panel within the WebSphere Console. If we select this token type without having enabled LTPA v1 tokens first, the WSRP Consumer throws an exception when it tries to create the security token for a WSRP request message.
- Username_Token: The Consumer portal provides a username token in the WS-Security message header. The username token specifies the user name in clear text.

In a default portal installation, none of the Producer ports is configured for message authentication or a token type. If our setup does not require security, we do not need to configure the Producer ports.
We can set the token types in either of the following two ways:
- We can use the portal administration portlet Web Service Configuration....
  - In the portlet, go to the section for the port settings of the specific Producer for which we want to set the token types.
  - From the list of service references and token types, select the token type for each port. By default, this list offers the three security token types. If we have defined custom service references, the list also offers these services. We can select any of the token types and custom service references from this list:
    - If we select a token type, the WSRP Consumer uses the default WSRP service reference for this port. Additionally, it includes a security token of the specified type in the WS-Security header of the WSRP request messages.
    - If a custom service reference is available and we select it, the WSRP Consumer uses this service reference. It does not generate extra security tokens.
    - If we do not select anything from this list, the WSRP Consumer uses the default WSRP service reference. It does not generate security tokens.
- We can use xmlaccess to set port-specific settings, for example token types.
Results
The WSRP Consumer provides a token of the selected type in the WS-Security header of WSRP request messages that are sent to the appropriate Producer port. No further security mechanism, such as message integrity or message confidentiality, is used. If we plan a more complex service configuration or if we plan to use another token type, read Configure WSRP web service clients.
The token types correspond to the default WSRP policy sets and provider policy bindings that are available for the configuration of Producers. The tokens are also compatible with a corresponding WebSphere Portal Express Version 7 or 8 Producer security configuration.
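To confirm on a captured request which token type a port actually sends, and that nothing at message level protects it, the following check can be used. It is an added example, not IBM code: the function name, the sample envelopes, the user name and the `urn:example` ValueType namespace are constructed, and recognising the LTPA version from the end of the `ValueType` attribute is an assumption.

```python
import xml.etree.ElementTree as ET  # for untrusted captures, parse with defusedxml instead

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"

def audit_wsrp_request(envelope_xml):
    """Report the security token in a WSRP request and what protects the message."""
    root = ET.fromstring(envelope_xml)
    report = {"token": None, "user": None, "signed": False,
              "encrypted": False, "relies_on_transport": False}
    sec = next(root.iter(f"{{{WSSE}}}Security"), None)
    if sec is None:
        return report  # no WS-Security header: no token type selected for the port
    user = sec.find(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
    binary = sec.find(f"{{{WSSE}}}BinarySecurityToken")
    if user is not None:
        report["token"] = "Username_Token"
        report["user"] = (user.text or "").strip()  # readable exactly as sent
    elif binary is not None:
        # Assumption: the LTPA version is recognisable from the end of ValueType.
        vtype = binary.get("ValueType", "")
        report["token"] = ("LTPAv2_Token" if vtype.endswith("LTPAv2")
                           else "LTPA_Token" if vtype.endswith("LTPA")
                           else "unrecognised binary token")
    report["signed"] = sec.find(f".//{{{DSIG}}}Signature") is not None
    report["encrypted"] = any(True for _ in root.iter(f"{{{XENC}}}EncryptedData"))
    # With no signature and no encryption, only the transport protects the token.
    report["relies_on_transport"] = (report["token"] is not None
                                     and not (report["signed"] or report["encrypted"]))
    return report

# Constructed sample messages (not captured from a real portal).
_ENV = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Header><wsse:Security xmlns:wsse="' + WSSE + '">{token}'
        '</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>')
USERNAME_REQUEST = _ENV.format(
    token="<wsse:UsernameToken><wsse:Username>jdoe</wsse:Username></wsse:UsernameToken>")
LTPA2_REQUEST = _ENV.format(  # placeholder namespace and token value
    token='<wsse:BinarySecurityToken ValueType="wsst:LTPAv2" '
          'xmlns:wsst="urn:example:ltpa-tokentype">'
          'Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>')

if __name__ == "__main__":
    for name, msg in (("username", USERNAME_REQUEST), ("ltpa2", LTPA2_REQUEST)):
        print(name, audit_wsrp_request(msg))
```

A report with `relies_on_transport` set to true means the token travels without message integrity or confidentiality, so the Producer port should only be reachable over an encrypted transport.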