Configure identity assertion

Before you begin

Prior to completing this task, import your application into an assembly tool. For information on how to import your application, see Import enterprise applications.

Overview

Identity assertion is one of the WebSphere Application Server v6.x enhancements, but it must be used in a secured environment such as a VPN or HTTPS. In such an environment, the requester identity can be sent without its own credentials, accompanied instead by other trusted credentials such as the server identity. With identity assertion, WebSphere Application Server supports the following trust modes:

None

Specifies that a trusted credential is not attached to the Simple Object Access Protocol (SOAP) message.

BasicAuth

Specifies that a username token with a user name and a password is used as a trusted credential.

Signature

Specifies that an X.509 certificate security token is used in the digital signature.

The specific configuration for identity assertion is necessary on the consumer side in a service configuration only. On the generator side, you must configure two token generators in a client configuration: one for the requester token and one for the token of the trusted party.

Complete the following steps to configure an application for identity assertion. You must configure both the consumer and the generator to complete the configuration.

Procedure

  1. Start the assembly tool and click Window > Open Perspective > J2EE.

  2. Expand the Web Services > Services section in the Project Explorer and double-click the name of the Web service.

  3. Click the Extensions tab and expand the Response Consumer Service Configuration Details > Caller Part section to configure the caller token.

  4. Configure the caller token for the consumer. Complete the following steps to configure the caller token for the consumer:

    1. Click Add to configure the caller part. The Caller Part Dialog window is displayed. In this window, configure both a token that is used as a caller (requester) credential and a token for the trusted party.

    2. Specify a name for the caller token in the Name field.

    3. Select the type of caller token in the Token type field. For example, you can select Username if a username token is used as the caller token. When you select the token type, the Local name is automatically specified.

    4. Optional: If you select the Custom token in the Token type field, specify the Local name and the Uniform Resource Identifier (URI) of the custom token. The URI field is used only for a custom token.

    5. Optional: If the caller token is also used as a certificate of a required integrity or confidentiality part, select the name of the part in the Integrity or Confidentiality part field. The list contains the names of the integrity and confidentiality parts that are defined in the Required Integrity and Required Confidentiality sections for the consumer. For example, when an X.509 certificate token is used both as the caller token and as the signature certificate of the body element, you can select X.509 certificate token in the Token type field and select reqint_body1 in the Integrity or Confidentiality part field. This example assumes that reqint_body1 is a required integrity configuration.

  5. Configure a trusted party token for the consumer. Complete the following steps to configure the trusted party token:

    1. Select the Use IDAssertion option to associate a trust method with this caller and to verify an asserted identity from the intermediary (caller).

    2. Select the name of the trust method in the Trust method name field. The following selections are supported:

      None

      Select this option to specify that a trusted credential is not attached to the SOAP message.

      BasicAuth

      Select this option to specify that a username token with a user name and password is used as a trusted credential.

      Signature

      Select this option to specify that an X.509 certificate security token is used in the digital signature.

      When you select either BasicAuth or Signature, the URI and the Local name fields are automatically specified.

    3. Optional: Select the name of an integrity or confidentiality part in the Integrity or Confidentiality part field if you require a digital signature or encryption by the trusted party token. For example, if you select Signature in the Trust method name field and you require that the trusted party token signs the body element, select reqint_body2 in the Integrity or Confidentiality part field. This example assumes that reqint_body2 is a required integrity configuration.

  6. Optional: If you select BasicAuth or Signature in the Trust method name field, specify a trusted ID evaluator in the Token Consumer Dialog window of the binding configuration. Complete the following steps to specify a trusted ID evaluator:

    1. Click Binding Configurations in the Web services editor.

    2. Expand the Token Consumer section and click Add.

    3. Click the Use trusted ID evaluator option.

    4. Specify a class name in the Trusted ID evaluator class field. The class implements the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface and validates a trusted party token. WebSphere Application Server provides the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl class, which is a sample implementation of the TrustedIDEvaluator interface. If you use this class, specify com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl in the Trusted ID evaluator class field and click Add to add the following trusted ID evaluator property:

      • In the Name field, specify trustedid.

      • In the Value field, specify CN=Alice,O=IBM,C=US.

      The value of the property is the distinguished name (DN) of the username or X.509 certificate token of the trusted party token.

    5. Click OK to save the configuration.

  7. Expand the Web Services > Client section in the Project Explorer and double-click the name of the Web service.

  8. Click the WS Extension tab and expand the Request Generator Configuration > Security Token section.

  9. Specify the caller token for the generator. Do not specify the token as a required token if it is used for signing or encryption; specify a required token only for a stand-alone token, that is, a token that is not used for signing or encryption. When the caller token type is a username token or an X.509 certificate token and it is not used for signing or encryption, specify a security token for this caller token. Complete the following steps to specify the caller token:

    1. Click Add to configure a security token.

    2. Specify a name for the caller token in the Name field.

    3. Select either the Username or X.509 certificate token option in the Token type field. After you select one of these two options, a value for the Local name field is automatically defined.

    4. Click OK to save the configuration.

    5. Click the WS Binding tab and expand the Security Request Generator Binding Configuration > Token Generator section.

    6. Click Add and add the token generator configuration for the caller token.

    7. Click OK to save the configuration.

  10. Configure the trusted party token. When the trust mode that you specified previously is None, only the caller token is attached and you do not need to specify a security token for the trusted party. When the trust mode is BasicAuth or Signature, you must specify a username token or an X.509 certificate token for the trusted party. However, if the X.509 certificate token of the trusted party is also used for digital signing or encryption, you do not need to specify the security token of the trusted party. Complete the following steps to configure the trusted party token:

    1. Expand the Web Services > Client section in the Project Explorer and double-click the name of the Web service.

    2. Click the WS Extension tab and expand the Request Generator Configuration > Security Token section.

    3. Click Add to configure a security token.

    4. Specify a name for the trusted party token in the Name field.

    5. Select either the Username or X.509 certificate token option in the Token type field. After you select one of these two options, a value for the Local name field is automatically defined.

    6. Click OK to save the configuration.

    7. Click the WS Binding tab and expand the Security Request Generator Binding Configuration > Token Generator section.

    8. Click Add and add the token generator configuration for the trusted party token.

    9. Click OK to save the configuration.
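The trusted ID evaluator configured in step 6 is where the consumer decides whether the DN of the trusted party token is one it accepts. The following class is an added illustration, not IBM's TrustedIDEvaluatorImpl or any code from this page; it assumes the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator contract is an init(Map) method receiving the binding properties and an evaluate(String) method receiving the DN of the trusted party token, so check the WebSphere Javadoc for the exact signatures before adapting it.

```java
import java.util.HashMap;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

// Hypothetical evaluator that trusts exactly the DN configured in the
// "trustedid" binding property from step 6. The init(Map)/evaluate(String)
// shape is an assumption about the TrustedIDEvaluator interface; confirm it
// against the WebSphere Javadoc and implement the real interface when adapting.
public class ExactDnTrustedIDEvaluator {
    private LdapName trustedDn;

    // Receives the trusted ID evaluator properties from the Token Consumer binding.
    public void init(Map<String, String> props) throws InvalidNameException {
        String dn = props.get("trustedid");
        if (dn == null || dn.trim().isEmpty()) {
            throw new IllegalArgumentException("trustedid property is required");
        }
        trustedDn = new LdapName(dn);
    }

    // id is the DN carried by the trusted party's username or X.509 token.
    // LdapName.equals compares RDN by RDN per RFC 2253, so harmless differences
    // in case and spacing do not cause false rejects, while a different subject
    // (or anything that is not a well-formed DN) is rejected.
    public boolean evaluate(String id) {
        if (trustedDn == null || id == null) {
            return false;
        }
        try {
            return trustedDn.equals(new LdapName(id));
        } catch (InvalidNameException e) {
            return false; // malformed DN: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        ExactDnTrustedIDEvaluator evaluator = new ExactDnTrustedIDEvaluator();
        Map<String, String> props = new HashMap<>();
        props.put("trustedid", "CN=Alice,O=IBM,C=US"); // value shown in step 6
        evaluator.init(props);
        // same subject, written with different case and spacing
        System.out.println(evaluator.evaluate("cn=Alice, o=IBM, c=US"));
        // a different subject under the same organization
        System.out.println(evaluator.evaluate("CN=Mallory,O=IBM,C=US"));
    }
}
```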

What to do next

Your environment is configured for identity assertion.

Related Tasks

Configuring token generators with an assembly tool