
Create policy set attachments using wsadmin


Use wsadmin, which supports the Jython and Jacl scripting languages, to define the policy set configuration for the Web services applications. We can attach policy sets to an application, Web service, endpoint, or specific operation.

When admin security is enabled, verify that you use the correct admin role, as the following table describes:


Table 1. Administrative roles

Administrative role | Authorization
Administrator | The Administrator role must have cell-wide access to create policy set attachments. If we have access to a specific resource only, we can create policy set attachments for the resource for which we have access.
Configurator | The Configurator role must have cell-wide access to create policy set attachments. If we have access to a specific resource only, we can create policy set attachments for the resource for which we have access.
Deployer | The Deployer role with cell-wide or resource specific access can create policy set attachments for application resources only.
Operator | The Operator role cannot create policy set attachments.
Monitor | The Monitor role cannot create policy set attachments.

Before you use the commands in this topic, verify that you are using the most recent version of wsadmin. The policy set management commands that accept a properties object as the value for the attributes or bindingLocation parameters are not supported on previous versions of wsadmin. For example, the commands do not run on a V6.1.0.x node.

To use a new policy set to manage policies for the application, attach the policy set to an application artifact or artifacts. When the application restarts, the application uses the policies from the newly attached policy set.

 

  1. Launch the wsadmin scripting client.

  2. Select an application with Web services to update.

    Use the listWebServices command to list all Web services and the associated applications. Enter the following command to list all Web services and attributes:

    AdminTask.listWebServices()

    For each Web service, the command returns the associated application name, module name, service name, and service type. For example, the following information is returned:

    '[ [service {http://www.ibm.com}service1] [client false] [application application1] [module webapp1.war] [type JAX-WS] ]'

  3. Create a policy set attachment for an application.

    For the commands in the PolicySetManagement group, the term resource refers to a Web service artifact. For application and service client policy sets, the artifacts use the application hierarchy. The application hierarchy includes a Web service, module name, endpoint, or operation. Enter the value for the -resource parameter as a string, with a forward slash ( / ) character as a delimiter.

    When attempting to connect to a Web service from a thin client, verify that the resources you are specifying are valid before running the updatePolicySetAttachment command. No configuration changes are made if the requested resource does not match a resource in the attachment file for the application. Use the following format for application and client policy set attachments:

    • WebService:/

      Attaches all artifacts in the application to the policy set.

    • WebService:/webapp1.war:{http://www.ibm.com}myService

      Attaches all artifacts within the Web service {http://www.ibm.com}myService to the policy set. You must provide a fully qualified name (QName) for the service.

    • WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA

      Attaches all operations for the endpointA endpoint to the policy set.

    • WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA/operation1

      Attaches only the operation1 operation to the policy set.

    The format for the -resource string differs for system policy set attachments for the trust service. Use the following format for system policy set attachments:

    • Trust.opName:/

      The opName attribute can be issue, renew, cancel, or validate.

    • Trust.opName:/url

      The opName attribute can be issue, renew, cancel, or validate. We can specify any valid URL for the url attribute.

    1. Enter the command to attach the policy set to the application. This command attaches the policyset1 application policy set to all artifacts in the WebService application.

      For transitioning users: The application and system/trust values for the -attachmentType parameter are deprecated. Specify the provider value in place of the application value. For system policy set attachments, specify the provider value for the attachmentType parameter and the "[systemType trustService]" value for the -attachmentProperties parameter. For WSNClient attachments, specify the client value for the attachmentType parameter and the bus and WSNService properties with the -attachmentProperties parameter.

      To attach a policy set to a Web service application, specify the provider value for the -attachmentType parameter:

      AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -applicationName WebService -attachmentType provider]')

      To attach a policy set to a service client application, specify the client value for the -attachmentType parameter:

      AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -applicationName WebService -attachmentType client]')

      To create a trust service attachment for a system policy set, specify the provider value for the -attachmentType parameter and the [systemType trustService] value for the -attachmentProperties parameter. The resource uses the Trust.opName:/ format, here with the issue operation:

      AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "Trust.issue:/" -attachmentType provider -attachmentProperties "[systemType trustService]"]')

      This command returns an attachment ID number that you use to reference this attachment. In the next step, use the attachment ID number to set the binding configuration. For this example, the attachment ID number is 124.

  4. Run the command to set the binding.

    The following example demonstrates how to set the timestamp expiration attribute on the SecureConversation123binding binding for the WSSecurity policy, on the WebService Web service application. To attach a policy set to a Web services application, specify the provider value for the -attachmentType parameter.

    AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "[ [application WebService] [attachmentId 124] ]" -attachmentType provider -bindingName SecureConversation123binding -attributes "[application.securityoutboundbindingconfig.timestampexpires.expires 5]"]')

  5. Save the configuration changes. Enter the following command to save the changes:

    AdminConfig.save()
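
The following is an added example, not part of the original topic or of IBM's code: it parses listWebServices output in the format shown in step 2, builds and checks the -resources string from step 3, and returns the argument string for createPolicySetAttachment. The function names, the name-checking rule, and the sample input are assumptions of this example.

```python
import re

# Constructed sample, in the format the page shows for listWebServices.
SAMPLE = ('[ [service {http://www.ibm.com}service1] [client false] '
          '[application application1] [module webapp1.war] [type JAX-WS] ]')

# WebService:/ or WebService:/module:{ns}service[/endpoint[/operation]]
APP_RE = re.compile(r'^WebService:/(?:[^/:{}"\s]+:\{[^{}"\s]+\}[^/{}"\s]+(?:/[^/"\s]+){0,2})?\Z')
# Trust.opName:/ or Trust.opName:/url, opName limited to the four listed values
TRUST_RE = re.compile(r'^Trust\.(?:issue|renew|cancel|validate):/\S*\Z')
# Assumption of this example: names go into the command unquoted, so refuse
# whitespace, quotes and brackets that could add or break a parameter.
NAME_RE = re.compile(r'^[^\s"\[\]]+\Z')

def parse_web_services(output):
    """Return one dict per '[ [key value] ... ]' entry in the output."""
    entries = re.findall(r'\[ ((?:\[[^\[\]]*\] ?)+)\]', output)
    return [dict(re.findall(r'\[(\S+) ([^\[\]]*)\]', e)) for e in entries]

def resource_kind(resource):
    """Classify a -resources value, or raise if it fits neither format."""
    if APP_RE.match(resource):
        return 'application'
    if TRUST_RE.match(resource):
        return 'trust'
    raise ValueError('malformed resource: %r' % resource)

def build_resource(svc, endpoint=None, operation=None):
    """Build the resource string for a parsed service, down to one operation."""
    if operation and not endpoint:
        raise ValueError('an operation needs its endpoint')
    parts = [p for p in (endpoint, operation) if p]
    resource = '/'.join(['WebService:/%s:%s' % (svc['module'], svc['service'])] + parts)
    resource_kind(resource)  # raises on a malformed result
    return resource

def attachment_args(policy_set, svc, resource):
    """Argument string for AdminTask.createPolicySetAttachment."""
    for name in (policy_set, svc['application']):
        if not NAME_RE.match(name):
            raise ValueError('unsafe name: %r' % name)
    if resource_kind(resource) != 'application':
        raise ValueError('trust resources take no -applicationName')
    # Service clients use 'client'; other applications use 'provider'.
    kind = 'client' if svc.get('client') == 'true' else 'provider'
    return ('[-policySet %s -resources "%s" -applicationName %s -attachmentType %s]'
            % (policy_set, resource, svc['application'], kind))
```

Inside wsadmin, pass the result of AdminTask.listWebServices() to parse_web_services, pass the returned argument string to AdminTask.createPolicySetAttachment, and then run AdminConfig.save().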

 

Results

You have attached the policy set to the application artifact or artifacts specified. Restart the application to use the policies from the newly attached policy set.

 

What to do next

Manage and update the attachments.

 
