WS-Security Provider (wsSecurityProvider)

Default Web Services Security (WS-Security) configuration for a service provider.

Attributes of wsSecurityProvider:

ws-security.callback-handler
  Data type: string
  Description: Password callback handler implementation class.

ws-security.enable.nonce.cache
  Data type: boolean
  Default value: true
  Description: Whether to cache UsernameToken nonces.

ws-security.encryption.username
  Data type: string
  Description: Alias used for accessing the encryption keystore.

ws-security.signature.username
  Data type: string
  Description: Alias used for accessing the signature keystore.

ws-security.username
  Data type: string
  Description: User information used to create the Username Token.
callerToken
Description: Caller token.
Required: false

Attributes of callerToken:

allowCustomCacheKey
  Data type: boolean
  Default value: true
  Description: Allow the generation of a custom cache key to access the authentication cache and get the subject.

groupIdentifier
  Data type: string
  Description: Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value.

includeTokenInSubject
  Data type: boolean
  Default value: true
  Description: Specifies whether to include the SAML assertion in the subject.

mapToUserRegistry
  Data type: one of User, No, Group
  Default value: No
  Description: Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, in which case the user registry is not used to create the user subject.
    User: Map a SAML identity to a user defined in the registry.
    No: Do not map a SAML identity to a user or group in the registry.
    Group: Map a SAML identity to a group defined in the user registry.

name
  Data type: string
  Description: Specifies the token name. The options are Usernametoken, X509token, and Samltoken.

realmIdentifier
  Data type: string
  Description: Specifies a SAML attribute that is used as the realm name. The default is issuer.

realmName
  Data type: string
  Description: Specifies a realm name when mapToUserRegistry is set to No or Group.

userIdentifier
  Data type: string
  Description: Specifies a SAML attribute that is used as the user principal name in the subject. The default is the NameID of the assertion.

userUniqueIdentifier
  Data type: string
  Description: Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value.
encryptionProperties
Description: Required encryption configuration.
Required: false

Attributes of encryptionProperties:

org.apache.ws.security.crypto.merlin.cert.provider
  Data type: string
  Description: The provider used to load certificates. Defaults to the keystore provider.

org.apache.ws.security.crypto.merlin.file
  Data type: string
  Description: The location of the keystore.

org.apache.ws.security.crypto.merlin.keystore.alias
  Data type: string
  Description: The default keystore alias to use if none is specified.

org.apache.ws.security.crypto.merlin.keystore.password
  Data type: reversibly encoded password (string)
  Description: Password to access the keystore file.

org.apache.ws.security.crypto.merlin.keystore.private.password
  Data type: reversibly encoded password (string)
  Description: The default password used to load the private key.

org.apache.ws.security.crypto.merlin.keystore.provider
  Data type: string
  Description: The provider used to load keystores. Defaults to the installed provider.

org.apache.ws.security.crypto.merlin.keystore.type
  Data type: string
  Description: The keystore type: JKS, JCEKS or PKCS11.

org.apache.ws.security.crypto.merlin.truststore.file
  Data type: string
  Description: The location of the truststore.

org.apache.ws.security.crypto.merlin.truststore.password
  Data type: reversibly encoded password (string)
  Description: The truststore password.

org.apache.ws.security.crypto.merlin.truststore.type
  Data type: string
  Description: The truststore type.

org.apache.ws.security.crypto.merlin.x509crl.file
  Data type: string
  Description: The location of an X.509 CRL file to use.

org.apache.ws.security.crypto.provider
  Data type: string
  Default value: org.apache.ws.security.components.crypto.Merlin
  Description: Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin".
samlToken
Description: Specifies the properties that are used to evaluate the trustworthiness and validity of a SAML Assertion.
Required: false

Attributes of samlToken:

clockSkew
  Data type: a period of time with millisecond precision
  Default value: 5m
  Description: Specifies the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

requiredSubjectConfirmationMethod
  Data type: bearer (the only option)
  Default value: bearer
  Description: Specify whether the Subject Confirmation Method is required in the SAML Assertion. Default is true.

timeToLive
  Data type: a period of time with millisecond precision
  Default value: 30m
  Description: Specifies the default lifetime of a SAML Assertion when it does not define the NotOnOrAfter condition. Default is 30 minutes. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

wantAssertionsSigned
  Data type: boolean
  Default value: true
  Description: Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed.
samlToken > audienceRestrictions
Description: Specify the allowed audiences of the SAML Assertion. Default is all audiences allowed.
Required: false
Data type: string
signatureProperties
Description: Required signature configuration.
Required: false

Attributes of signatureProperties:

org.apache.ws.security.crypto.merlin.cert.provider
  Data type: string
  Description: The provider used to load certificates. Defaults to the keystore provider.

org.apache.ws.security.crypto.merlin.file
  Data type: string
  Description: The location of the keystore.

org.apache.ws.security.crypto.merlin.keystore.alias
  Data type: string
  Description: The default keystore alias to use if none is specified.

org.apache.ws.security.crypto.merlin.keystore.password
  Data type: reversibly encoded password (string)
  Description: Password to access the keystore file.

org.apache.ws.security.crypto.merlin.keystore.private.password
  Data type: reversibly encoded password (string)
  Description: The default password used to load the private key.

org.apache.ws.security.crypto.merlin.keystore.provider
  Data type: string
  Description: The provider used to load keystores. Defaults to the installed provider.

org.apache.ws.security.crypto.merlin.keystore.type
  Data type: string
  Description: The keystore type: JKS, JCEKS or PKCS11.

org.apache.ws.security.crypto.merlin.truststore.file
  Data type: string
  Description: The location of the truststore.

org.apache.ws.security.crypto.merlin.truststore.password
  Data type: reversibly encoded password (string)
  Description: The truststore password.

org.apache.ws.security.crypto.merlin.truststore.type
  Data type: string
  Description: The truststore type.

org.apache.ws.security.crypto.merlin.x509crl.file
  Data type: string
  Description: The location of an X.509 CRL file to use.

org.apache.ws.security.crypto.provider
  Data type: string
  Default value: org.apache.ws.security.components.crypto.Merlin
  Description: Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin".
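The following server.xml fragment is an added example that wires the elements above together; it is constructed for this page and is not taken from the original topic or from IBM's own samples. The callback-handler class, keystore paths, aliases, encoded-password values and audience URL are placeholders, and the nested-element syntax (one XML attribute per property, audienceRestrictions as a text child) is assumed from Liberty's usual configuration form.

```xml
<!-- Constructed example, not from the original topic. Class name, paths,
     aliases, {xor} values and the audience URL are placeholders. -->
<wsSecurityProvider id="default"
    ws-security.callback-handler="com.example.wss.PasswordCallback"
    ws-security.signature.username="serverSigKey"
    ws-security.encryption.username="serverEncKey"
    ws-security.enable.nonce.cache="true">

    <!-- Keys used to sign outbound messages and verify inbound signatures.
         Password attributes are "reversibly encoded": store the output of
         the securityUtility encode command, never clear text. A truststore
         and CRL let Merlin reject signatures from revoked or unknown certs. -->
    <signatureProperties
        org.apache.ws.security.crypto.merlin.keystore.type="JKS"
        org.apache.ws.security.crypto.merlin.file="${server.config.dir}/resources/security/serverKeys.jks"
        org.apache.ws.security.crypto.merlin.keystore.password="{xor}ENCODED-PLACEHOLDER"
        org.apache.ws.security.crypto.merlin.keystore.private.password="{xor}ENCODED-PLACEHOLDER"
        org.apache.ws.security.crypto.merlin.keystore.alias="serverSigKey"
        org.apache.ws.security.crypto.merlin.truststore.type="JKS"
        org.apache.ws.security.crypto.merlin.truststore.file="${server.config.dir}/resources/security/trust.jks"
        org.apache.ws.security.crypto.merlin.truststore.password="{xor}ENCODED-PLACEHOLDER"
        org.apache.ws.security.crypto.merlin.x509crl.file="${server.config.dir}/resources/security/revoked.crl" />

    <!-- Separate alias for decryption so a leaked encryption key does not
         also forge signatures; the same keystore file is reused here. -->
    <encryptionProperties
        org.apache.ws.security.crypto.merlin.keystore.type="JKS"
        org.apache.ws.security.crypto.merlin.file="${server.config.dir}/resources/security/serverKeys.jks"
        org.apache.ws.security.crypto.merlin.keystore.password="{xor}ENCODED-PLACEHOLDER"
        org.apache.ws.security.crypto.merlin.keystore.alias="serverEncKey" />

    <!-- Inbound SAML: keep wantAssertionsSigned at its default of true,
         tighten the clock skew from 5m, shorten the fallback lifetime for
         assertions without NotOnOrAfter, and accept only assertions
         addressed to this service. -->
    <samlToken wantAssertionsSigned="true" clockSkew="2m" timeToLive="10m">
        <audienceRestrictions>https://service.example.com/ws</audienceRestrictions>
    </samlToken>

    <!-- Build the caller Subject from the SAML token and map it onto a
         registry user so authorization decisions use registry groups
         rather than whatever the assertion claims. -->
    <callerToken name="Samltoken"
        mapToUserRegistry="User"
        includeTokenInSubject="true" />
</wsSecurityProvider>
```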

Reference topic

Last updated: Saturday, 3 December 2016
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=rwlp_config_wsSecurityProvider
File name: rwlp_config_wsSecurityProvider.html