Login mapping configuration settings

Use this page to specify the Java Authentication and Authorization Service (JAAS) login configuration settings used to validate security tokens within incoming messages.

To view this administrative console page, complete the following steps:

  1. Click Servers > Application Servers > server.

  2. Under Additional Properties, click Web Services: Default bindings for Web Services Security > Login Mappings > New.

Authentication Method

Specifies the method of authentication.

Use any string, but the string must match the element in the service-level configuration. The following words are reserved and have special meanings:

BasicAuth: Uses both a user name and a password.

IDAssertion: Uses only a user name, but requires that additional trust is established on the receiving server using a TrustedIDEvaluator mechanism.

Signature: Uses the distinguished name (DN) of the signer.

LTPA: Validates a token.

JAAS Configuration Name

Specifies the name of the Java Authentication and Authorization Service (JAAS) configuration.

Specify your JAAS configurations using the administrative console by clicking Security > JAAS Configuration > Application.

Callback Handler Factory Class Name

Specifies the name of the factory for the CallbackHandler class.

The class you specify in this field must implement com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory.

Default: com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory

Token Type URI

Specifies the namespace Uniform Resource Identifier (URI) that denotes the type of security token accepted.

If binary security tokens are accepted, the value denotes the ValueType attribute in the element. The ValueType attribute identifies the type of security token and its namespace. If Extensible Markup Language (XML) tokens are accepted, the value denotes the top-level element name of the XML token.

If one of the reserved words listed previously is specified in the Authentication Method field, this field is ignored.

Data type: Unicode characters, excluding non-ASCII characters but including the number sign (#), the percent sign (%), and the square brackets ([ ]).

Token Type Local Name

Specifies the local name of the security token type, for example, X509v3.

If binary security tokens are accepted, the value denotes the ValueType attribute in the element. The ValueType attribute identifies the type of security token and its namespace. If Extensible Markup Language (XML) tokens are accepted, the value denotes the top-level element name of the XML token.

If one of the reserved words listed previously is specified in the Authentication Method field, this field is ignored.

Nonce Maximum Age

Specifies the time, in seconds, before the nonce time stamp expires. A nonce is a randomly generated value.

You must specify a minimum of 300 seconds for the Nonce Maximum Age field. However, the maximum value cannot exceed the number of seconds specified in the Nonce Cache Timeout field at either the server level or the cell level. To specify the Nonce Maximum Age value at the server level:

  1. Click Servers > Application Servers > server.

  2. Under Additional Properties, click Web Services: Default bindings for Web Services Security.

To specify the Nonce Maximum Age value at the cell level, click Security > Web Services > Properties.

The Nonce Maximum Age field on this panel is optional and is valid only if the BasicAuth authentication method is specified. If you specify another authentication method and attempt to specify a value for this field, the following error message displays and you must remove the specified value: Nonce is not supported for authentication methods other than BasicAuth.

If you specify BasicAuth but do not specify a value for the Nonce Maximum Age field, the Web services security run time searches for a Nonce Maximum Age value at the server level. If a value is not found at the server level, the run time searches the cell level. If a value is not found at either the server level or the cell level, the default is 300 seconds.

Default: 300 seconds
Range: 300 to Nonce Cache Timeout seconds

Nonce Clock Skew

Specifies the clock skew value, in seconds, to allow for when WebSphere Application Server checks the freshness of the message. A nonce is a randomly generated value.

You must specify a minimum of 0 seconds for the Nonce Clock Skew field. However, the maximum value cannot exceed the number of seconds specified in the Nonce Maximum Age field on this Login Mappings panel.

The Nonce Clock Skew field on this panel is optional and is valid only if the BasicAuth authentication method is specified. If you specify another authentication method and attempt to specify a value for this field, the following error message displays and you must remove the specified value: Nonce is not supported for authentication methods other than BasicAuth.

If you specify BasicAuth but do not specify a value for the Nonce Clock Skew field, the Web services security run time searches for a Nonce Clock Skew value at the server level. If a value is not found at the server level, the run time searches the cell level. If a value is not found at either the server level or the cell level, the default is 0 seconds.

Default: 0 seconds
Range: 0 to Nonce Maximum Age seconds
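The following added example (not code from the WebSphere documentation or product) models how the Nonce Maximum Age and Nonce Clock Skew settings described in the two sections above are resolved across the login mapping, server and cell levels, how the panel's value constraints are enforced, and how the resolved values bound the freshness window of a BasicAuth token's nonce. The resolution order and limits come from the text; the exact freshness arithmetic, the function names and the in-memory nonce cache are assumptions made for illustration.

```python
# Added example, not from the WebSphere documentation. Resolves Nonce Maximum Age
# and Nonce Clock Skew (mapping, then server level, then cell level, then default)
# and applies them to a BasicAuth nonce; the freshness arithmetic is an assumption.
from typing import Optional

DEFAULT_MAX_AGE = 300     # seconds (page default)
DEFAULT_CLOCK_SKEW = 0    # seconds (page default)
NONCE_ERROR = "Nonce is not supported for authentication methods other than BasicAuth"


def resolve(mapping: Optional[int], server: Optional[int],
            cell: Optional[int], default: int) -> int:
    """First value set at the mapping, server or cell level wins; otherwise the default."""
    for value in (mapping, server, cell):
        if value is not None:
            return value
    return default


def validate(auth_method: str, max_age: Optional[int],
             clock_skew: Optional[int], cache_timeout: int) -> Optional[str]:
    """Return the rejection message for the panel values, or None when they are acceptable."""
    if auth_method != "BasicAuth" and (max_age is not None or clock_skew is not None):
        return NONCE_ERROR
    if max_age is not None and not 300 <= max_age <= cache_timeout:
        return "Nonce Maximum Age must be between 300 and Nonce Cache Timeout seconds"
    upper = max_age if max_age is not None else DEFAULT_MAX_AGE  # assumption when unset
    if clock_skew is not None and not 0 <= clock_skew <= upper:
        return "Nonce Clock Skew must be between 0 and Nonce Maximum Age seconds"
    return None


class NonceChecker:
    """Rejects replayed nonces and Created time stamps outside the tolerated window."""
    def __init__(self, max_age: int, clock_skew: int) -> None:
        self.max_age = max_age
        self.clock_skew = clock_skew
        self.seen = {}  # nonce -> Created time; a constructed stand-in for the nonce cache

    def accept(self, nonce: str, created: float, now: float) -> bool:
        if nonce in self.seen:                                 # replayed nonce
            return False
        if created > now + self.clock_skew:                    # Created beyond tolerated future skew
            return False
        if now - created > self.max_age + self.clock_skew:     # nonce time stamp expired
            return False
        self.seen[nonce] = created
        return True
```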


See Also

Login mappings
Login mappings collection