Configure the Producer portal for WS-Security authentication

After you have exported the portal EAR file and imported it into the assembly tool, we can now make the modifications required to configure the Producer portal for Web services security (WS-Security) authentication.

We can use all security tokens that IBM WebSphere Application Server supports. The portal provides has a set of sample security token configurations that correspond to the default security profiles for the WSRP Consumer; these are LTPA token, Username token, and signed Username token. To use one of these configurations, take the fast path described in the following.

Parent: Secure WSRP by WS-Security for a Producer portal
Previous: Import the portal EAR file into an assembly tool
Next: Export the modified portal EAR file from the assembly tool
Related:

http://www.w3.org/2001/10/xml-exc-c14n#

http://www.w3.org/2000/09/xmldsig#sha1

http://www.w3.org/2000/09/xmldsig#rsa-sha1

Fast path: Use one of the sample WS-Security configurations for the Producer portal

The portal provides has a set of sample security token configurations that correspond to the default security profiles for the WSRP Consumer.

To make the sample configuration files available:

1. For z/OS : Open a UNIX System Services (USS) command prompt.

2. Run the following command, and pass in the path of the directory to which to copy the sample files as the value for the Destination parameter:
   ./ConfigEngine.sh copy-samples -DWasPassword=foo -DCategoriesList=wp.wsrp.producer -DDestination=directory in the WP_PROFILE/ConfigEngine
   • IBM i: ConfigEngine copy-samples -DWasPassword=foo -DCategoriesList=wp.wsrp.producer -DDestination=directory in the WP_PROFILE/ConfigEngine
   • z/OS: ./ConfigEngine.sh copy-samples -DWasPassword=foo -DCategoriesList=wp.wsrp.producer -DDestination=directory in the WP_PROFILE/ConfigEngine copy-samples -DWasPassword=foo -DCategoriesList=wp.wsrp.producer -DDestination=directory in the WP_PROFILE\ConfigEngine

Each sample configuration consists of two descriptor files ibm-webservices-bnd.xmi and ibm-webservices-ext.xmi. Take these files from the chosen sample configuration and replace the existing files with the same name in the assembly tool project to which you have imported the EAR file in the previous step. After saving the project, continue with the next step. The following list describes the available sample configurations.

LTPA_Token

Producer configuration for LTPA token forwarding. This works only if the Consumer and Producer portals share the same user registry and LTPA configuration. The Producer portal expects the Consumer portal to propagate the LTPA token information of the current user in the WS-Security SOAP header and uses this information to establish a security context.

Username_Token

Producer configuration for Username token forwarding. This configuration expects the Consumer portal to propagate the clear text user name in the WS-Security SOAP header and creates a security context based on this asserted identity.

Signed_Username_Token

Producer configuration for Username token forwarding including a signature, nonce, and timestamp. The Producer portal expects only the security token to be signed using the following algorithms according to the WS Basic Security Profile recommendations:

Transformation

exclusive c14n. Refer to
http://www.w3.org/2001/10/xml-exc-c14n#.

Canonicalization

exclusive c14n. Refer to
http://www.w3.org/2001/10/xml-exc-c14n#.

Digest

sha-1. Refer to
http://www.w3.org/2000/09/xmldsig#sha1.

Signature

rsa-sha1. Refer to
http://www.w3.org/2000/09/xmldsig#rsa-sha1.

The truststore containing the signer certificates to decrypt the digest and signature is NodeDefaultTrustStore. It is taken from the default SSL settings in the WAS configuration.

To create other configurations than the ones that the portal provides as samples or modify a sample configuration, use the tools provided by the Application Server Toolkit (AST). The AST is provided with the portal on a separate set of CDs. To make these modifications, you

• Modify the Web services security extensions on the Producer portal
• Modify the Web services security bindings on the Producer portal

For more general and detailed background information about configuring WS-Security while assembling Web services applications refer to the WAS information center under the following locations:
Related:
Secure WSRP by WS-Security for a Consumer portal

Modify the Web services security extensions on the Producer portal

As part of specifying the WS-Security for a Producer portal, we add the necessary Producer Web service security extensions.

You need to add the necessary Producer security extension information for each WSRP portType. To specify the security extension information for a Producer portal, you modify the Web service client security extensions. To do this, we use the Web services editor of the assembly tool.:

1. In the J2EE perspective, project explorer, expand the WebServices > Services subtree.

2. Open the service descriptor, depending on the WSRP version:

   • For WSRP Version 1 open WSRPService.

   • For WSRP Version 2 open WSRPService_v2.

   To open the service descriptor, use the WebServices Editor. It is the default.

   Alternatively, we can open the service descriptor by opening Dynamic Web Projects > wps > Web Content > WEB-INF > webservices.xml, where wps is the WAR file name that you assigned when you imported the portal EAR file into the assembly tool in a previous step.

3. In the Web Services editor navigate to the tab Extensions.

4. For every port that requires WS-Security authentication, select the port in the Port Component Binding section.

5. Select Request Consumer Service Configuration Details > Required Security Token.

6. Click Add to add a new token.

7. In the pop-up Required Security Token dialog...

   1. Assign a unique name to the token.

   2. Select the appropriate token as the token type from the drop-down list.

   3. Click OK to leave the dialog.

8. For every port that requires WS-Security authentication, select the port in the Port Component Binding section. Under Request Consumer Service Configuration Details > Caller Part, click Add to add a caller part definition. In the pop-up Caller Part dialog, proceed with the following steps:

   1. Assign the caller a unique name.

   2. From the drop-down list select the appropriate token as the token type.

   3. Click OK to leave the dialog.

9. Click Save to save the changes in the service descriptor.

Modify the Web services security bindings on the Producer portal

As part of specifying the LTPA authentication for a Producer portal, we add the necessary Producer security binding information.

You need to add the necessary Producer security binding information for each WSRP portType. To specify the security binding information for a Producer portal, you modify the Web service client security bindings. To do this, we use the Web services editor of the assembly tool.:

1. In the J2EE perspective, project explorer, expand the WebServices > Services subtree.

2. Open the service descriptor, depending on the WSRP version:

   • For WSRP Version 1 open WSRPService.

   • For WSRP Version 2 open WSRPService_v2.

   To open the service descriptor, use the WebServices Editor. It is the default.

   Alternatively, we can open the service descriptor by opening Dynamic Web Projects > wps > Web Content > WEB-INF > webservices.xml, where wps is the WAR file name that you assigned when you imported the portal EAR file into the assembly tool in a previous step.

3. In the Web Services editor navigate to the tab Binding Configurations.

4. For every port that requires WS-Security authentication, select the port in the Port Component Binding section.

5. Select Request Consumer Binding Configuration Details > Token Consumer.

6. Click Add to add a new token Consumer.

7. In the pop-up Token Consumer dialog...

   1. Assign a unique name to the token Consumer.

   2. Select the appropriate class as the token Consumer class from the drop-down list.

   3. Select the security token to which this token Consumer applies. The security token name is the name of the token that you assigned in the Web service security extensions for the portType that we are configuring.

   4. From the drop-down list select the appropriate value type.

   5. Click OK to leave the dialog.

8. Click Save to save the changes in the service descriptor.

Alternatively, we can also modify the Web services security bindings using the WAS admin console. However, if you do this, we can only perform this step after you have modified the Web services security extensions in the previous step and redeployed the portal EAR file. For details about the WAS admin console, refer to the WAS Information Center.