
Login mapping settings


Use this page to specify the Java™ Authentication and Authorization Service (JAAS) login settings that are used to validate security tokens within incoming messages.

There is an important distinction between Version 5.x applications and Version 6 and later applications. The information in this article applies only to Version 5.x applications that are used with WebSphere Application Server (WAS) Version 6.0.x and later. It does not apply to Version 6.0.x and later applications.

To view this admin console page for the cell level...

  1. Click Security > JAX-WS and JAX-RPC security runtime

  2. Under Additional properties, click Login mappings.

  3. Click either New to create a new login mapping configuration or click the name of an existing configuration.

To view this admin console page for the server level...

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed-node cell with a server that uses WebSphere Application Server Version 6.1 or earlier, click Web services: Default bindings for WS-Security.

  3. Under Additional properties, click Login mappings.

  4. Click either New to create a new login mapping configuration or click the name of an existing configuration.

To use this admin console page for the application level...

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Under WS-Security Properties, click Web services: Server security bindings.

  4. Click Edit under Request receiver binding.

  5. Click Login mappings.

  6. Click either New to create a new login mapping configuration or click the name of an existing configuration.

If the login mapping configuration is not found on the application level, the Web services run time searches for the login mapping configuration on the server level. If the configuration is not found on the server level, the Web services run time searches the cell.

Authentication method

Method of authentication.

Use any string, but the string must match the element in the service-level configuration.

The following words are reserved and have special meanings:

BasicAuth

Uses both a user name and a password.

IDAssertion

Uses only a user name, but requires that additional trust is established on the receiving server using a TrustedIDEvaluator mechanism.

Signature

Uses the distinguished name (DN) of the signer.

LTPA

Validates a token.

JAAS configuration name

Name of the JAAS configuration.

Among the predefined system login configurations that we can use are the following:

system.wssecurity.IDAssertion

Enables a version 5.x application to use identity assertion to map a user name to a WAS credential principal.

system.wssecurity.Signature

Enables a version 5.x application to map a distinguished name (DN) in a signed certificate to a WAS credential principal.

system.LTPA_WEB

Processes login requests that are used by the Web container such as servlets and JSPs.

system.WEB_INBOUND

Handles logins for Web application requests, which include servlets and JSPs. This login configuration is used by WAS V5.1.1.

system.RMI_INBOUND

Handles logins for inbound RMI requests. This login configuration is used by WAS V5.1.1.

system.DEFAULT

Handles the logins for inbound requests made by internal authentications and most of the other protocols, except Web application and RMI requests. This login configuration is used by WAS V5.1.1.

system.RMI_OUTBOUND

Processes RMI requests that are sent outbound to another server when the com.ibm.CSIOutboundPropagationEnabled property is true. This property is set in the CSIv2 authentication panel. To access the panel, click Security > Global security, expand RMI/IIOP security, then click CSIv2 Outbound authentication. To set the com.ibm.CSIOutboundPropagationEnabled property, select Security attribute propagation.

system.wssecurity.X509BST

Verifies an X.509 binary security token (BST) by checking the validity of the certificate and the certificate path.

system.wssecurity.PKCS7

Verifies an X.509 certificate with a certificate revocation list in a PKCS7 object.

system.wssecurity.PkiPath

Verifies an X.509 certificate with a public key infrastructure (PKI) path.

system.wssecurity.UsernameToken

Verifies basic authentication (user name and password).

These system login configurations are defined on the System logins panel, which is accessible by completing the following steps:

  1. Click Security > Global security.

  2. Expand Java Authentication and Authorization Service, then click System logins.

The predefined system login configurations are listed on the System logins configuration panel without the system prefix. For example, the system.wssecurity.UsernameToken configuration listed in the Java Authentication and Authorization Service (JAAS) configuration name option corresponds to the wssecurity.UsernameToken configuration that is on the System logins configuration panel.

Use the following predefined application login configurations:

ClientContainer

Login configuration used by the client container application, which uses the CallbackHandler API that is defined in the deployment descriptor of the client container.

WSLogin

Specifies whether all applications can use the WSLogin configuration to perform authentication for the WAS security run time.

DefaultPrincipalMapping

Login configuration used by Java 2 Connectors (J2C) to map users to principals defined in the J2C authentication data entries.

These application login configurations are defined on the Application logins panel, which is accessible by completing the following steps:

  1. Click Security > Global security.

  2. Expand Java Authentication and Authorization Service, then click Application logins.

Do not remove these predefined system or application login configurations. Within these configurations, we can add module class names and specify the order in which WAS loads each module.

Callback handler factory class name

Name of the factory for the CallbackHandler class.

The class specified in this field must implement com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory.

Token type URI

Namespace Uniform Resource Identifier (URI) that denotes the type of security token that is accepted.

If binary security tokens are accepted, the value denotes the ValueType attribute in the element. The ValueType element identifies the type of security token and its namespace. If XML tokens are accepted, the value denotes the top-level element name of the XML token.

If one of the reserved words is specified in the Authentication method field, this field is ignored.

Data type: Unicode characters except for non-ASCII characters, but including the number sign (#), the percent sign (%), and the square brackets ([ ]).

Token type local name

Local name of the security token type, for example, X509v3.

If binary security tokens are accepted, the value denotes the ValueType attribute in the element. The ValueType attribute identifies the type of security token and its namespace. If XML tokens are accepted, the value denotes the top-level element name of the XML token.

If one of the reserved words is specified in the Authentication method field, this field is ignored.

Nonce maximum age

Time, in seconds, before the nonce timestamp expires. A nonce is a randomly generated value.

Specify a minimum of 300 seconds for the Nonce maximum age field. However, the maximum value cannot exceed the number of seconds specified in the Nonce cache timeout field for either the cell level or the server level.

We can specify the Nonce maximum age value for the cell level by completing the following steps:

  1. Click Security > JAX-WS and JAX-RPC security runtime.

We can specify the Nonce maximum age value for the server level by completing the following steps:

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed-node cell with a server that uses WebSphere Application Server Version 6.1 or earlier, click Web services: Default bindings for WS-Security.

The Nonce maximum age field on this panel is optional and is only valid if the BasicAuth authentication method is specified. If we specify another authentication method and attempt to specify a value for this field, the following error message is displayed and the specified value is removed: Nonce is not supported for authentication methods other than BasicAuth.

If we specify the BasicAuth method but do not specify a value for the Nonce maximum age field, the WS-Security run time searches for a Nonce maximum age value on the server level. If a value is not found on the server level, the run time searches the cell level. If a value is not found on either the server level or the cell level, the default is 300 seconds.

Default: 300 seconds
Range: 300 to Nonce cache timeout seconds

Nonce clock skew

Clock skew value, in seconds, to consider when WAS checks the freshness of the message. A nonce is a randomly generated value.

We can specify the Nonce clock skew value for the cell level by completing the following steps:

  1. Click Security > JAX-WS and JAX-RPC security runtime.

We can specify the Nonce clock skew value for the server level by completing the following steps:

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed-node cell with a server that uses WebSphere Application Server Version 6.1 or earlier, click Web services: Default bindings for WS-Security.

Specify a minimum of zero (0) seconds for the Nonce clock skew field. However, the maximum value cannot exceed the number of seconds specified in the Nonce maximum age field on this Login mappings panel.

The Nonce clock skew field on this panel is optional and is only valid if the BasicAuth authentication method is specified. If we specify another authentication method and attempt to specify a value for this field, the following error message is displayed and the specified value is removed: Nonce is not supported for authentication methods other than BasicAuth.

If we specify BasicAuth but do not specify a value for the Nonce clock skew field, WAS searches for a Nonce clock skew value on the server level. If a value is not found on the server level, the run time searches the cell level. If a value is not found on either the server level or the cell level, the default is zero (0) seconds.

Default: 0 seconds
Range: 0 to Nonce maximum age seconds
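The following added example is not WebSphere code; it is a constructed model of how the Nonce maximum age and Nonce clock skew settings described above behave: application, server and cell values fall through to the page's defaults, the panel's range rules reject out-of-range values or non-BasicAuth use, and a checker accepts a token's nonce only while it is fresh and unseen. The exact acceptance window (max age plus clock skew on either side) and the cache-eviction rule are assumptions for illustration.

```python
# Constructed model of the Nonce settings on this page (hypothetical helper,
# not WebSphere code): scope resolution, range validation, freshness check.

NONCE_MAX_AGE_DEFAULT = 300    # seconds, the page's default
NONCE_CLOCK_SKEW_DEFAULT = 0   # seconds, the page's default


def resolve(app=None, server=None, cell=None, default=None):
    """Return the first value that is set, in application, server, cell order."""
    for value in (app, server, cell):
        if value is not None:
            return value
    return default


def validate_nonce_settings(auth_method, max_age, clock_skew, cache_timeout):
    """Apply the panel's rules; return a list of error strings (empty if valid)."""
    if auth_method != "BasicAuth" and (max_age is not None or clock_skew is not None):
        return ["Nonce is not supported for authentication methods other than BasicAuth"]
    errors = []
    if max_age is not None and not 300 <= max_age <= cache_timeout:
        errors.append("Nonce maximum age must be 300 to Nonce cache timeout seconds")
    effective_age = max_age if max_age is not None else NONCE_MAX_AGE_DEFAULT
    if clock_skew is not None and not 0 <= clock_skew <= effective_age:
        errors.append("Nonce clock skew must be 0 to Nonce maximum age seconds")
    return errors


class NonceChecker:
    """Freshness and replay check on a token's nonce and Created timestamp.
    The acceptance window below is an assumption, not taken from the page."""

    def __init__(self, max_age, clock_skew):
        self.max_age = max_age
        self.clock_skew = clock_skew
        self.seen = {}  # nonce -> Created timestamp (epoch seconds)

    def check(self, nonce, created, now):
        # Evict cache entries that are too old to be accepted again anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if now - t <= self.max_age + self.clock_skew}
        if created - now > self.clock_skew:
            return "rejected: timestamp in the future"
        if now - created > self.max_age + self.clock_skew:
            return "rejected: nonce expired"
        if nonce in self.seen:
            return "rejected: replayed nonce"
        self.seen[nonce] = created
        return "accepted"
```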

Related concepts

Login mappings

Related tasks

Secure Web services for V5.x applications using XML digital signature

Related

Login mappings collection
Default bindings and security runtime properties