Configure the Producer portal for WS-Security authentication

After you have exported the portal EAR file and imported it into the assembly tool, you can now make the modifications required to configure your Producer portal for Web services security (WS-Security) authentication.

You can use all security tokens that IBM WAS supports.

The portal provides a set of sample security token configurations that correspond to the default security profiles for the WSRP Consumer; these are LTPA token, Username token, and signed Username token. To use one of these configurations, take the fast path described in the following.

Parent topic:

Secure WSRP by WS-Security for a Producer portal

Previous topic:

Import the portal EAR file into an assembly tool

Next topic:

Export the modified portal EAR file from the assembly tool

Related information

http://www.w3.org/2001/10/xml-exc-c14n#
http://www.w3.org/2000/09/xmldsig#sha1
http://www.w3.org/2000/09/xmldsig#rsa-sha1

Fast path: Using one of the sample WS-Security configurations for the Producer portal

The portal provides a set of sample security token configurations that correspond to the default security profiles for the WSRP Consumer.

To make the sample configuration files available... Run the following command, and pass in the path of the directory to which you want to copy the sample files as the value for the Destination parameter:

UNIX: ./ConfigEngine.sh copy-samples -DWasPassword=password -DCategoriesList=wp.wsrp.producer -DDestination=directory in the profile_root/ConfigEngine directory

• i5/OS: ConfigEngine copy-samples -DWasPassword=password -DCategoriesList=wp.wsrp.producer -DDestination=directory in the profile_root/ConfigEngine directory

  Windows: ConfigEngine.bat copy-samples -DWasPassword=password -DCategoriesList=wp.wsrp.producer -DDestination=directory in the profile_root/ConfigEngine directory

Each sample configuration consists of two descriptor files ibm-webservices-bnd.xmi and ibm-webservices-ext.xmi. Take these files from the chosen sample configuration and replace the existing files with the same name in the assembly tool project to which you have imported the EAR file in the previous step. After saving the project, continue with the next step. The following list describes the available sample configurations.

LTPA_Token

Producer configuration for LTPA token forwarding. This works only if the Consumer and Producer portals share the same user registry and LTPA configuration.

The Producer portal expects the Consumer portal to propagate the LTPA token information of the current user in the WS-Security SOAP header and uses this information to establish a security context.

Username_Token

Producer configuration for Username token forwarding. This configuration expects the Consumer portal to propagate the clear text user name in the WS-Security SOAP header and creates a security context based on this asserted identity.

Signed_Username_Token

Producer configuration for Username token forwarding including a signature, nonce, and timestamp. The Producer portal expects only the security token to be signed by using the following algorithms according to the WS Basic Security Profile recommendations:

Transformation

exclusive c14n. Refer to

http://www.w3.org/2001/10/xml-exc-c14n#.

Canonicalization

exclusive c14n. Refer to

http://www.w3.org/2001/10/xml-exc-c14n#.

Digest

sha-1. Refer to

http://www.w3.org/2000/09/xmldsig#sha1.

Signature

rsa-sha1. Refer to

http://www.w3.org/2000/09/xmldsig#rsa-sha1.

The trust store that contains the signer certificates to decrypt the digest and signature is NodeDefaultTrustStore. It is taken from the default SSL settings in the WAS configuration.

To create other configurations than the ones that the portal provides as samples or modify a sample configuration, use the tools provided by the Application Server Toolkit (AST). The AST is provided with the portal on a separate set of CDs. To make these modifications, you perform the following tasks:

• Modifying the Web services security extensions on the Producer portal

• Modifying the Web services security bindings on the Producer portal

For more general and detailed background information about configuring WS-Security while assembling Web services applications refer to the WAS information center under the locations given below.

Related tasks

Secure WSRP by WS-Security for a Consumer portal

Related information

http://www.setgetweb.com/p/WAS70/twbs_confappwssassembly.html
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/Assembly_tools8.html

Modifying the Web services security extensions on the Producer portal

As part of specifying the WS-Security for a Producer portal, you add the necessary Producer Web service security extensions.

You need to add the necessary Producer security extension information for each WSRP portType. To specify the security extension information for a Producer portal, you modify the Web service client security extensions. To do this, you use the Web services editor of the assembly tool. Proceed by the following steps:

1. In the J2EE perspective, project explorer, expand the WebServices > Services subtree.

2. Open the service descriptor, depending on the WSRP version:

   • For WSRP Version 1 open WSRPService.

   • For WSRP Version 2 open WSRPService_v2.

   To open the service descriptor, use the WebServices Editor. It is the default.

   Alternatively, you can open the service descriptor by opening Dynamic Web Projects > wps > Web Content > WEB-INF > webservices.xml, where wps is the WAR file name that you assigned when you imported the portal EAR file into the assembly tool in a previous step.

3. In the Web Services editor navigate to the tab Extensions.

4. For every port that requires WS-Security authentication, select the port in the Port Component Binding section.

5. Select Request Consumer Service Configuration Details > Required Security Token.

6. Click Add to add a new token.

7. In the pop-up Required Security Token dialog, proceed by the following steps:

   1. Assign a unique name to the token.

   2. Select the appropriate token as the token type from the drop-down list.

   3. Click OK to leave the dialog.

8. For every port that requires WS-Security authentication, select the port in the Port Component Binding section. Under Request Consumer Service Configuration Details > Caller Part, click Add to add a caller part definition. In the pop-up Caller Part dialog, proceed with the following steps:

   1. Assign the caller a unique name.

   2. From the drop-down list select the appropriate token as the token type.

   3. Click OK to leave the dialog.

9. Click Save to save your changes in the service descriptor.

Modifying the Web services security bindings on the Producer portal

As part of specifying the LTPA authentication for a Producer portal, you add the necessary Producer security binding information.

You need to add the necessary Producer security binding information for each WSRP portType. To specify the security binding information for a Producer portal, you modify the Web service client security bindings. To do this, you use the Web services editor of the assembly tool. Proceed by the following steps:

1. In the J2EE perspective, project explorer, expand the WebServices > Services subtree.

2. Open the service descriptor, depending on the WSRP version:

   • For WSRP Version 1 open WSRPService.

   • For WSRP Version 2 open WSRPService_v2.

   To open the service descriptor, use the WebServices Editor. It is the default.

   Alternatively, you can open the service descriptor by opening Dynamic Web Projects > wps > Web Content > WEB-INF > webservices.xml, where wps is the WAR file name that you assigned when you imported the portal EAR file into the assembly tool in a previous step.

3. In the Web Services editor navigate to the tab Binding Configurations.

4. For every port that requires WS-Security authentication, select the port in the Port Component Binding section.

5. Select Request Consumer Binding Configuration Details > Token Consumer.

6. Click Add to add a new token Consumer.

7. In the pop-up Token Consumer dialog, proceed by the following steps:

   1. Assign a unique name to the token Consumer.

   2. Select the appropriate class as the token Consumer class from the drop-down list.

   3. Select the security token to which this token Consumer applies.

      The security token name is the name of the token that you assigned in the Web service security extensions for the portType that you are configuring.

   4. From the drop-down list select the appropriate value type.

   5. Click OK to leave the dialog.

8. Click Save to save your changes in the service descriptor.

Alternatively, you can also modify the Web services security bindings by using the administrative console. However, if you do this, you can only perform this step after you have modified the Web services security extensions in the previous step and redeployed the portal EAR file. For details about the administrative console, refer to the WAS Information Center.

---