Token generator settings - JAX-RPC and JAX-WS
Overview
The information is used at the generator side only to generate the security token.
To view this admin console page for the cell level...
Security | JAX-WS and JAX-RPC security runtime | JAX-RPC Default Generator Bindings | Token generators | token_generator_name
To view this admin console page for the server level...
Servers | Server Types | WebSphere appservers | server_name | Security | JAX-WS and JAX-RPC security runtime | JAX-RPC Default Generator Bindings | Token generators | token_generator_name
In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security
To view this admin console page for the application level...
Applications | Application Types | WebSphere enterprise apps | application_name | Modules | Manage modules | URI_name | Additional properties
We can access the token generator information for the following bindings:
- For the Request generator (sender) binding, click...
Web services: Client security bindings | Request generator (sender) binding | Edit custom
- For the Response generator (sender) binding, click...
Web services: WAS security bindings | Response generator (sender) binding | Edit custom
To view this admin console page for the application level...
Applications | Application Types | WebSphere enterprise apps | application_name | Modules | Manage modules | URI_name | WS-Security Properties | Web services: Client security bindings | Request generator (sender) binding | Edit custom | Additional properties | Token generators | New
Before specifying additional properties, specify a value in the Token generator name and the Token generator class name fields.
- Token generator name
Name of the token generator configuration.
For example, the default X509 token generator names are either gen_enctgen for encrypting or gen_signtgen for signing. Or, a custom token generator name might be sig_tgen for signing.
- Token generator class name
Name of the token generator implementation class.
This class must implement the com.ibm.wsspi.wssecurity.token.TokenGeneratorComponent interface.
- Certificate path
Certificate revocation list (CRL) used when generating a security token wrapped in the PKCS#7 token type with CRL.
When the token generator is not for a PKCS#7 token type, select None. When the token generator is for the PKCS#7 token type and you want to package a CRL in the security token, select Dedicated signing information and specify the CRL for the collection certificate store.
We can specify a certificate store configuration for the following bindings on the following levels:
Table 1. Certificate path binding settings
- Default generator bindings, cell level: Security | JAX-WS and JAX-RPC security runtime | Additional properties | Collection certificate store
- Default generator bindings, server level: Servers | Server Types | WebSphere appservers | server_name | Security | JAX-WS and JAX-RPC security runtime | Additional properties | Collection certificate store
In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security
When using the collection certificate store, we can configure a related certificate revocation list by clicking Certificate revocation list under Additional properties.
- Add nonce
Indicates whether a nonce is included in the user name token for the token generator. A nonce is a unique, cryptographically random number embedded in a message to help stop replay attacks that reuse a captured user name token.
On the application level, if we select the Add nonce option, we can specify the following properties under Additional properties:
Table 2. Additional nonce properties
- com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.cacheTimeout (default 600 seconds): Timeout value, in seconds, for the nonce value that is cached on the server.
- com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.clockSkew (default 0 seconds): Clock skew value, in seconds, to consider when the appserver checks the timeliness of the message.
- com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.maxAge (default 300 seconds): Time, in seconds, before the nonce time stamp expires.
These properties are available on the admin console at the cell and server level. However, on the application level, we can configure the properties under Additional properties.
This option is displayed on the cell, server, and application levels. This option is valid only when the generated token type is a user name token.
- Add timestamp
Whether to insert the time stamp into the user name token.
This option is displayed on the cell, server, and application levels. This option is valid only when the generated token type is a user name token.
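The Add nonce and Add timestamp options above, together with the cacheTimeout, clockSkew and maxAge properties, describe a replay-protection scheme without showing how the pieces interact. The following is an added example, not code from this page or from WebSphere: it builds the Nonce and Created fields of a user name token on the generator side (the PasswordDigest formula comes from the OASIS Username Token Profile 1.0 that the page links to, not from this page) and then models a consumer that applies the three nonce properties. The class and function names, the fixed timestamps and the "alice"/"s3cret" credentials are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Defaults listed on this page for the nonce properties (seconds).
DEFAULT_CACHE_TIMEOUT = 600  # ...BasicAuth.Nonce.cacheTimeout
DEFAULT_CLOCK_SKEW = 0       # ...BasicAuth.Nonce.clockSkew
DEFAULT_MAX_AGE = 300        # ...BasicAuth.Nonce.maxAge

WSU_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created timestamp layout


def make_username_token(username, password, created_at, nonce=None):
    """Generator side: the fields a user name token carries when both
    'Add nonce' and 'Add timestamp' are selected.  The digest follows the
    Username Token Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = datetime.fromtimestamp(created_at, tz=timezone.utc).strftime(WSU_FORMAT)
    digest = hashlib.sha1(nonce + created.encode("ascii") + password.encode("utf-8")).digest()
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": base64.b64encode(digest).decode("ascii"),
    }


def verify_digest(token, password):
    """Consumer side: recompute the digest and compare in constant time."""
    nonce = base64.b64decode(token["Nonce"])
    expected = hashlib.sha1(nonce + token["Created"].encode("ascii") + password.encode("utf-8")).digest()
    return hmac.compare_digest(base64.b64encode(expected).decode("ascii"), token["PasswordDigest"])


class NonceChecker:
    """Consumer-side model of the three nonce properties (hypothetical class)."""

    def __init__(self, cache_timeout=DEFAULT_CACHE_TIMEOUT,
                 clock_skew=DEFAULT_CLOCK_SKEW, max_age=DEFAULT_MAX_AGE):
        self.cache_timeout = cache_timeout
        self.clock_skew = clock_skew
        self.max_age = max_age
        self._seen = {}  # nonce (base64 text) -> time it was first accepted

    def check(self, token, now):
        """Return 'ok', 'future', 'expired' or 'replay' for a token seen at time `now`."""
        created = datetime.strptime(token["Created"], WSU_FORMAT).replace(tzinfo=timezone.utc).timestamp()
        # cacheTimeout: forget nonces older than the cache window before consulting it.
        cutoff = now - self.cache_timeout
        self._seen = {n: t for n, t in self._seen.items() if t >= cutoff}
        # clockSkew: tolerate a sender clock that is slightly ahead of ours.
        if created > now + self.clock_skew:
            return "future"
        # maxAge (plus skew): a nonce time stamp older than this has expired.
        if now - created > self.max_age + self.clock_skew:
            return "expired"
        # A nonce still in the cache means this token was already consumed.
        if token["Nonce"] in self._seen:
            return "replay"
        self._seen[token["Nonce"]] = now
        return "ok"


def demo():
    """Run the four cases a practitioner cares about on constructed inputs."""
    t0 = 1_700_000_000  # constructed fixed clock so the run is deterministic
    token = make_username_token("alice", "s3cret", created_at=t0, nonce=b"\x01" * 16)
    checker = NonceChecker()
    first = checker.check(token, now=t0 + 1)     # fresh token
    replay = checker.check(token, now=t0 + 2)    # same nonce again
    stale = make_username_token("alice", "s3cret", created_at=t0, nonce=b"\x02" * 16)
    late = checker.check(stale, now=t0 + 301)    # past maxAge
    # Misconfiguration: cacheTimeout shorter than maxAge lets a nonce be
    # evicted while the token is still within maxAge, so a replay passes.
    weak = NonceChecker(cache_timeout=10, max_age=300)
    weak.check(token, now=t0 + 1)
    leaked = weak.check(token, now=t0 + 20)
    return first, replay, late, leaked


if __name__ == "__main__":
    print(demo())
```

The `leaked` case is the point worth taking from the model: with the defaults on this page the cache window (600 seconds) is longer than the nonce lifetime (300 seconds), so every nonce is either still cached or already expired when it is replayed. If cacheTimeout is tuned below maxAge plus clockSkew, the model shows a window in which a captured token is accepted twice.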
- Value type local name
Local name of the value type for the generated token.
For a user name token and an X.509 certificate security token, this product provides predefined value types. When you specify one of the following local names, you do not need to specify the Uniform Resource Identifier (URI) of the value type.
- Username token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
- X509 certificate token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509
- X509 certificates in a PKIPath: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
- A list of X509 certificates and CRLs in a PKCS#7: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7
- Lightweight Third Party Authentication (LTPA): LTPA
- LTPA token propagation: LTPA_PROPAGATION
For LTPA, the value type local name is LTPA. If we enter LTPA for the local name, specify the http://www.ibm.com/websphere/appserver/tokentype/5.0.2 URI value in the Value type URI field as well.
For LTPA token propagation, the value type local name is LTPA_PROPAGATION. If we enter LTPA_PROPAGATION for the local name, specify the http://www.ibm.com/websphere/appserver/tokentype URI value in the Value type URI field as well.
For the other predefined value types (Username token, X509 certificate token, X509 certificates in a PKIPath, and a list of X509 certificates and CRLs in a PKCS#7), the value for the local name field begins with http://. For example, if we are specifying the user name token for the value type, enter http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken in the Value type local name field; the Value type URI field can then be left empty.
When you specify a custom value type for custom tokens, we can specify the local name and the URI of the qualified name (QName) of the value type. For example, we might specify Custom for the local name and http://www.ibm.com/custom for the URI.
- Value type URI
Namespace URI of the value type for the generated token.
When you specify the token generator for the user name token or the X.509 certificate security token, you do not need to specify this option. To specify another token, specify the URI of the QName of the value type.
The appserver provides the following predefined value type URIs:
- For the LTPA token: http://www.ibm.com/websphere/appserver/tokentype/5.0.2
- For the LTPA token propagation: http://www.ibm.com/websphere/appserver/tokentype
Related tasks
Set token generators using JAX-RPC to protect message authenticity at the server or cell level
Set programmatic logins for Java Authentication and Authorization Service
Related
Token consumer collection
Token consumer settings
Token generator collection