Configuring the Producer portal for WS-Security authentication
After you have exported the portal EAR file and imported it into
the assembly tool, you can now make the modifications required to configure
your Producer portal for Web services security (WS-Security) authentication.
Note: You can use all security tokens that IBM® WebSphere® Application Server supports.
The portal provides a set of sample security token configurations that correspond
to the default security profiles for the WSRP Consumer; these are LTPA token,
Username token, and signed Username token. To use one of these configurations,
use the fast path described below.
Fast path: Using one of the sample WS-Security configurations for the
Producer portal
The portal provides a set of sample security token configurations
that correspond to the default security profiles for the WSRP Consumer.
To make the sample configuration files available, proceed as follows:
Run the following command, and pass in the path of the directory
to which you want to copy the sample files as the value for the Destination parameter:
- Linux: ./ConfigEngine.sh copy-samples -DCategoriesList=wp.wsrp.producer -DDestination=directory in the wp_profile/ConfigEngine directory
- i5/OS: ConfigEngine copy-samples -DCategoriesList=wp.wsrp.producer -DDestination=directory in the profiles/wp_profile/ConfigEngine directory
- Windows: ConfigEngine.bat copy-samples -DCategoriesList=wp.wsrp.producer -DDestination=directory in the wp_profile\ConfigEngine directory
Each sample configuration consists of two descriptor files, ibm-webservices-bnd.xmi and ibm-webservices-ext.xmi. Take these files from the chosen sample configuration and use them to replace the existing
files with the same names in the assembly tool project into which you imported
the EAR file in the previous step. After saving the project, continue with
the next step. The following list describes the available sample configurations.
- LTPA_Token: Producer configuration for LTPA token forwarding. This works only if the
Consumer and Producer portals share the same user registry and LTPA configuration.
The Producer portal expects the Consumer portal to propagate the LTPA token
information of the current user in the WS-Security SOAP header and uses this
information to establish a security context.
- Username_Token: Producer configuration for Username token forwarding. This configuration
expects the Consumer portal to propagate the clear text username in the WS-Security
SOAP header and creates a security context based on this asserted identity.
- Signed_Username_Token: Producer configuration for Username token forwarding including a signature,
nonce, and timestamp. The Producer portal expects only the security token
to be signed by using the following algorithms according to the WS Basic Security
Profile recommendations:
  - Transformation: exclusive c14n. Refer to http://www.w3.org/2001/10/xml-exc-c14n#.
  - Canonicalization: exclusive c14n. Refer to http://www.w3.org/2001/10/xml-exc-c14n#.
  - Digest: sha-1. Refer to http://www.w3.org/2000/09/xmldsig#sha1.
  - Signature: rsa-sha1. Refer to http://www.w3.org/2000/09/xmldsig#rsa-sha1.
The trust store that contains the signer certificates to decrypt
the digest and signature is NodeDefaultTrustStore. It is
taken from the default SSL settings in the WebSphere
Application Server configuration.
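What the nonce and timestamp of the Signed_Username_Token profile give the Producer, shown as an added example that is not IBM's code and not part of the original page: a freshness and replay check over a constructed WS-Security header. The five-minute window, the function names and the sample values are assumptions; signature verification against the trust store is left to the WS-Security runtime and is not shown.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_AGE = timedelta(minutes=5)  # assumed freshness window, not a portal default


def build_sample(user, nonce, created):
    """Constructed SOAP header for the demo; not captured from a real portal."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        "<soapenv:Header><wsse:Security><wsse:UsernameToken>"
        f"<wsse:Username>{user}</wsse:Username>"
        f"<wsse:Nonce>{nonce}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body/>"
        "</soapenv:Envelope>"
    )


def check_token(envelope_xml, seen_nonces, now):
    """Return (username, None) if the token is fresh and unseen, else (None, reason)."""
    # Input here is constructed; parse untrusted XML with a hardened parser.
    token = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return None, "no UsernameToken"
    user = token.findtext(f"{{{WSSE}}}Username")
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if not user or not nonce or not created:
        return None, "missing username, nonce or timestamp"
    try:
        base64.b64decode(nonce, validate=True)  # a wsse:Nonce is base64 encoded
        ts = datetime.fromisoformat(created.strip().replace("Z", "+00:00"))
        if ts.tzinfo is None:
            raise ValueError("timestamp without time zone")
    except ValueError:
        return None, "malformed nonce or timestamp"
    if abs(now - ts) > MAX_AGE:
        return None, "timestamp outside freshness window"
    if nonce in seen_nonces:
        return None, "replayed nonce"
    seen_nonces.add(nonce)
    return user, None
```

A header that carries only the username, as in the plain Username_Token profile, fails this check at the missing nonce and timestamp, which is the difference between the two sample configurations.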
To create configurations other than the samples that the portal
provides, or to modify a sample configuration, use the tools provided
by the Application Server Toolkit (AST). The AST is provided with the portal
on a separate set of CDs. To make these modifications, you perform the following
tasks:
For more general and detailed background information about configuring
WS-Security while assembling Web services applications, refer to the WebSphere
Application Server information center under the locations given below.
Related tasks
Securing WSRP by WS-Security for a Consumer portal
Related information
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/twbs_confappwssassembly.html
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/catk_assemblytools.html
Modifying the Web services security extensions on the Producer portal
As part of specifying the WS-Security for a Producer portal, you
add the necessary Producer Web service security extensions.
You need to add the necessary Producer security extension information
for each WSRP portType. To specify the security
extension information for a Producer portal, you modify the Web service client
security extensions. To do this, you use the Web services editor of the
assembly tool.
- In the J2EE perspective, project explorer, expand the subtree.
- Open the service descriptor WSRPService with
the WebServices Editor. It is the default.
Alternatively,
you can open the service descriptor by opening , where wps is the
WAR file name that you assigned when you imported the portal EAR file into
the assembly tool in a previous step.
- In the Web Services editor navigate to the tab Extensions.
- For every port that requires WS-Security authentication, select
the port in the Port Component Binding section.
- Select .
- Click Add to add a new token.
- In the pop-up Required Security Token dialog,
proceed as follows:
- Assign a unique name to the token.
- Select the appropriate token as the token type from the drop-down
list.
- Click OK to leave the dialog.
- For every port that requires WS-Security authentication, select
the port in the Port Component Binding section. Under, click Add to add a
caller part definition. In the pop-up Caller Part dialog,
proceed with the following steps:
- Assign the caller a unique name.
- From the drop-down list select the appropriate token as the
token type.
- Click OK to leave the dialog.
- Click Save to save your changes in the service
descriptor.
Modifying the Web services security bindings on the Producer portal
As part of specifying the LTPA authentication for a Producer portal,
you add the necessary Producer security binding information.
You need to add the necessary Producer security binding information
for each WSRP portType. To specify the security
binding information for a Producer portal, you modify the Web service client
security bindings. To do this, you use the Web services editor of the
assembly tool.
- In the J2EE perspective, project explorer, expand the subtree.
- Open the service descriptor WSRPService with
the WebServices Editor. It is the default.
Alternatively,
you can open the service descriptor by opening , where wps is the
WAR file name that you assigned when you imported the portal EAR file into
the assembly tool in a previous step.
- In the Web Services editor navigate to the tab Binding
Configurations.
- For every port that requires WS-Security authentication, select
the port in the Port Component Binding section.
- Select .
- Click Add to add a new token Consumer.
- In the pop-up Token Consumer dialog, proceed
as follows:
- Assign a unique name to the token Consumer.
- Select the appropriate class as the token Consumer class from
the drop-down list.
- Select the security token to which this token Consumer applies.
The security token name is the name of the token that you assigned in the
Web service security extensions for the portType that you
are configuring.
- From the drop-down list select the appropriate value type.
- Click OK to leave the dialog.
- Click Save to save your changes in the service
descriptor.
Note: Alternatively, you can modify the Web services security
bindings by using the administrative console. However, if you do this, you
can perform this step only after you have modified the Web services security
extensions in the previous step and redeployed the portal EAR file. For details
about the administrative console, refer to the WebSphere Application Server Information Center.