The token consumer on the server or cell level is used to specify the information that is needed to process the security token if it is not defined at the application level.
About this task
WebSphere Application Server provides default values for bindings. You must modify the defaults for a production environment.
You can configure the token consumers on the server level and the cell level. In the following steps, use the first step to access the server-level default bindings and use the second step to access the cell-level bindings.
Procedure
- Access the default bindings for the server level.
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services security.
- Click Security > Web services to access the default bindings on the cell level.
- Under Default consumer bindings, click Token consumers.
- Click New to create a token consumer configuration, click Delete to delete an existing configuration, or click the name of an existing token consumer configuration to edit its settings. If you are creating a new configuration, enter a unique name for the token consumer configuration in the Token consumer name field. For example, you might specify sig_tcon. This field specifies the name of the token consumer element.
- Specify a class name in the Token consumer class name field. The token consumer class must implement the com.ibm.wsspi.wssecurity.token.TokenConsumerComponent interface. The token consumer class name must be similar to the token generator class name. For example, if your application requires an X.509 certificate token consumer, you can specify the com.ibm.wsspi.wssecurity.token.X509TokenGenerator class name on the Token generator panel and the com.ibm.wsspi.wssecurity.token.X509TokenConsumer class name in this field. WebSphere Application Server provides the following default token consumer class implementations:
- com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer: This implementation integrates a user name token.
- com.ibm.wsspi.wssecurity.token.X509TokenConsumer: This implementation integrates an X.509 certificate token.
- com.ibm.wsspi.wssecurity.token.LTPATokenConsumer: This implementation integrates a Lightweight Third Party Authentication (LTPA) token.
- com.ibm.wsspi.wssecurity.token.IDAssertionUsernameTokenConsumer: This implementation integrates an IDAssertionUsername token. A corresponding token generator class does not exist for this implementation.
- Select a certificate path option. The certificate path specifies the certificate revocation list (CRL) that is used for generating a security token wrapped in a PKCS#7 with a CRL. WebSphere Application Server provides the following certificate path options:
- None: If you select this option, the certificate path is not specified.
- Trust any: If you select this option, any certificate is trusted. When the received token is consumed, the certificate path validation is not processed.
- Dedicated signing information: If you select this option, you can specify a trust anchor and a certificate store. When you select the trust anchor or the certificate store of a trusted certificate, you must configure the collection certificate store before setting the certificate path. To define a collection certificate store on the server or cell level, see Configuring the collection certificate on the server or cell level.
- Select a trust anchor in the Trust anchor field. WebSphere Application Server provides two sample trust anchors. However, it is recommended that you configure your own trust anchors for a production environment. For information on configuring a trust anchor, see Configuring trust anchors on the server or cell level.
- Select a collection certificate store in the Certificate store field. WebSphere Application Server provides a sample collection certificate store. If you select None, the collection certificate store is not specified. For information on specifying a list of certificate stores that contain untrusted, intermediary certificate files awaiting validation, see Configuring trusted ID evaluators on the server or cell level.
- Select a trusted ID evaluator from the Trusted ID evaluation reference field. This field specifies a reference to the Trusted ID evaluator class name that is defined in the Trusted ID evaluators panel. The trusted ID evaluator is used for evaluating whether the received ID is trusted. If you select None, the trusted ID evaluator is not referenced in this token consumer configuration. To configure a trusted ID evaluator, see Configuring trusted ID evaluators on the server or cell level.
- Select the Verify nonce option if a nonce is included in a user name token on the generator side. A nonce is a unique cryptographic number that is embedded in a message to help prevent replay attacks that reuse a captured user name token. The Verify nonce option is available if you specify a user name token for the token consumer and a nonce is added to the user name token on the generator side.
- Select the Verify timestamp option if a time stamp is included in the user name token on the generator side. The Verify timestamp option is available if you specify a user name token for the token consumer and a time stamp is added to the user name token on the generator side.
- Specify the local name of the value type for the integrated token. This entry specifies the local name of the value type for a security token that is referenced by the key identifier. This attribute is valid when Key identifier is selected as the key information type. To specify the key information type, see Configuring the key information for the consumer binding on the server or cell level. WebSphere Application Server has predefined value type local names for the user name token and the X.509 certificate security token. Enter one of the following local names for the user name token and the X.509 certificate security token. When you specify the following local names, you do not need to specify the URI of the value type:
- Username token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
- X.509 certificate token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
- X.509 certificates in a PKIPath: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
- A list of X.509 certificates and CRLs in a PKCS#7: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7
Note: To specify Lightweight Third Party Authentication (LTPA) or token propagation (LTPA_PROPAGATION), you must specify both the value type local name and the Uniform Resource Identifier (URI). For LTPA, specify LTPA for the local name and http://www.ibm.com/websphere/appserver/tokentype/5.0.2 for the URI. For LTPA token propagation, specify LTPA_PROPAGATION for the local name and http://www.ibm.com/websphere/appserver/tokentype for the URI.
For example, when an X.509 certificate token is specified, you can use http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 for the local name. When you specify the local name of another token, you must specify a value type QName. For example: uri=http://www.ibm.com/custom, localName=CustomToken
- Specify the value type uniform resource identifier (URI) in the URI field. This entry specifies the namespace URI of the value type for a security token that is referenced by the key identifier. This attribute is valid when Key identifier is selected as the key information type on the Key information panel for the default generator. When you specify the token consumer for the user name token or an X.509 certificate security token, you do not need to specify this option. If you specify another token, you need to specify the URI of the QName for the value type.
- Click OK and then Save to save the configuration.
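The checks behind the Verify nonce and Verify timestamp options, and the value type resolution from the local name and URI steps, as an added illustration in Python that is not WebSphere code: it splits a token's ValueType into namespace URI and local name and maps it to the consumer class names listed in this procedure, and for a user name token it rejects a wsu:Created outside the freshness window, rejects a nonce already seen inside that window, and checks the password digest defined by the OASIS UsernameToken profile (Base64 of SHA-1 over nonce + created + password). The user store, the five-minute window, the sample tokens, and the assumption that a ValueType is written as URI#localName (including the LTPA QName) are constructed for the example.

```python
# Added illustration of consumer-side WS-Security checks; not WebSphere code.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
X509P = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
LTPA_URI = "http://www.ibm.com/websphere/appserver/tokentype/5.0.2"

# ValueType QName (namespace URI, local name) -> consumer class listed in the procedure.
VALUE_TYPE_CONSUMERS = {
    (UTP, "UsernameToken"): "com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer",
    (X509P, "X509v3"): "com.ibm.wsspi.wssecurity.token.X509TokenConsumer",
    (X509P, "X509PKIPathv1"): "com.ibm.wsspi.wssecurity.token.X509TokenConsumer",
    (X509P, "PKCS7"): "com.ibm.wsspi.wssecurity.token.X509TokenConsumer",
    (LTPA_URI, "LTPA"): "com.ibm.wsspi.wssecurity.token.LTPATokenConsumer",  # assumed URI#local form
}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created, UTC, without fractional seconds

def resolve_value_type(value_type):
    """Split a ValueType attribute into (URI, local name) and pick the consumer class;
    an unknown QName yields None, which a consumer must treat as a rejection."""
    uri, sep, local = value_type.rpartition("#")
    return VALUE_TYPE_CONSUMERS.get((uri, local)) if sep else None

def password_digest(nonce, created, password):
    # OASIS UsernameToken profile 1.0: SHA-1(nonce + created + password), Base64 on the wire.
    return hashlib.sha1(nonce + created.encode() + password.encode()).digest()

def build_username_token(username, password, nonce, created):
    """Generator side: the token that the Verify nonce and Verify timestamp options expect."""
    digest = base64.b64encode(password_digest(nonce, created, password)).decode()
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{UTP}#PasswordDigest">{digest}</wsse:Password>'
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>"
    )

class UsernameTokenConsumer:
    """Consumer side with both Verify nonce and Verify timestamp switched on."""
    def __init__(self, lookup_password, max_skew=timedelta(minutes=5)):
        self.lookup_password = lookup_password  # callable: username -> password or None
        self.max_skew = max_skew                # tolerated clock difference, past or future
        self.seen_nonces = {}                   # nonce bytes -> time it may be forgotten

    def consume(self, security_header_xml, now):
        """Return (True, username) on success, otherwise (False, reason)."""
        tok = ET.fromstring(security_header_xml).find(f"{{{WSSE}}}UsernameToken")
        if tok is None:
            return (False, "no UsernameToken")
        username = tok.findtext(f"{{{WSSE}}}Username", "")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw_el is None or nonce_b64 is None or created is None:
            return (False, "token lacks Password, Nonce or Created")
        if pw_el.get("Type") != f"{UTP}#PasswordDigest":
            return (False, "only PasswordDigest is accepted")
        # Verify timestamp: anything outside the freshness window is rejected outright.
        try:
            created_at = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return (False, "malformed Created timestamp")
        if abs(now - created_at) > self.max_skew:
            return (False, "timestamp outside freshness window")
        # Verify nonce: a nonce already seen inside the window marks a replayed message.
        nonce = base64.b64decode(nonce_b64)
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        if nonce in self.seen_nonces:
            return (False, "nonce replay")
        # Check the digest against the stored password with a constant-time comparison.
        password = self.lookup_password(username)
        if password is None:
            return (False, "unknown user")
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(base64.b64decode(pw_el.text or ""), expected):
            return (False, "password digest mismatch")
        # Keep the nonce until every token that could carry it is stale anyway.
        self.seen_nonces[nonce] = now + 2 * self.max_skew
        return (True, username)

def demo():
    """Run the consumer over constructed sample tokens; returns the outcome of each check."""
    consumer = UsernameTokenConsumer({"alice": "s3cret"}.get)  # constructed user store
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    created, stale = now.strftime(TS_FMT), (now - timedelta(hours=1)).strftime(TS_FMT)
    fresh_tok = build_username_token("alice", "s3cret", bytes(range(16)), created)
    return {
        "fresh": consumer.consume(fresh_tok, now),
        "replay": consumer.consume(fresh_tok, now + timedelta(seconds=1)),
        "stale": consumer.consume(build_username_token("alice", "s3cret", b"\xff" * 16, stale), now),
        "bad_password": consumer.consume(build_username_token("alice", "wrong", b"\xee" * 16, created), now),
    }
```

The order of the checks matters: the timestamp is checked before the nonce so that the nonce cache only has to remember values for twice the freshness window, which keeps it bounded even under a flood of tokens, and the digest comparison uses hmac.compare_digest so that the check does not leak how many leading bytes matched.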
After saving the token consumer configuration, you can specify a JAAS configuration for your token consumer.
- Click the name of your token consumer configuration.
- Under Additional properties, click JAAS configuration.
- Select a JAAS configuration from the JAAS configuration name field. The field specifies the name of the JAAS system or application login configuration. You can specify additional JAAS system and application configurations by clicking Security > Global security. Under Authentication, click JAAS configuration and either Application logins > New or System logins > New. For more information on the JAAS configurations, see JAAS configuration settings.
Do not remove the predefined system or application login configurations. However, within these configurations, you can add module class names and specify the order in which WebSphere Application Server loads each module. WebSphere Application Server provides the following predefined JAAS configurations:
- ClientContainer: This selection specifies the login configuration that is used by the client container applications. The configuration uses the CallbackHandler application programming interface (API) that is defined in the deployment descriptor for the client container. To modify this configuration, see the JAAS configuration panel for application logins.
- WSLogin: This selection specifies whether all of the applications can use the WSLogin configuration to perform authentication for the security run time. To modify this configuration, see the JAAS configuration panel for application logins.
- DefaultPrincipalMapping: This selection specifies the login configuration that is used by Java 2 Connectors (J2C) to map users to principals that are defined in the J2C authentication data entries. To modify this configuration, see the JAAS configuration panel for application logins.
- system.wssecurity.IDAssertion: This selection enables a Version 5.x application to use identity assertion to map a user name to a WebSphere Application Server credential principal. To modify this configuration, see the JAAS configuration panel for system logins.
- system.wssecurity.Signature: This selection enables a Version 5.x application to map a distinguished name (DN) in a signed certificate to a WebSphere Application Server credential principal. To modify this configuration, see the JAAS configuration panel for system logins.
- system.LTPA_WEB: This selection processes login requests that are used by the Web container such as servlets and JavaServer Pages (JSP) files. To modify this configuration, see the JAAS configuration panel for system logins.
- system.WEB_INBOUND: This selection handles login requests for Web applications, which include servlets and JavaServer Pages (JSP) files. This login configuration is used by WebSphere Application Server Version 5.1.1. To modify this configuration, see the JAAS configuration panel for system logins.
- system.RMI_INBOUND: This selection handles logins for inbound Remote Method Invocation (RMI) requests. This login configuration is used by WebSphere Application Server Version 5.1.1. To modify this configuration, see the JAAS configuration panel for system logins.
- system.DEFAULT: This selection handles the logins for inbound requests that are made by internal authentications and most of the other protocols except Web applications and RMI requests. This login configuration is used by WebSphere Application Server Version 5.1.1. To modify this configuration, see the JAAS configuration panel for system logins.
- system.RMI_OUTBOUND: This selection processes RMI requests that are sent outbound to another server when the com.ibm.CSIOutboundPropagationEnabled property is true. This property is set in the CSIv2 authentication panel. To access the panel, click Security > Global security > Authentication protocol > CSIv2 Outbound authentication. To set the com.ibm.CSIOutboundPropagationEnabled property, select Security attribute propagation. To modify this JAAS login configuration, see the JAAS configuration panel for system logins.
- system.wssecurity.X509BST: This selection verifies an X.509 binary security token (BST) by checking the validity of the certificate and the certificate path. To modify this configuration, see the JAAS configuration panel for system logins.
- system.wssecurity.PKCS7: This selection verifies an X.509 certificate with a certificate revocation list in a PKCS7 object. To modify this configuration, see the JAAS configuration panel for system logins.
- system.wssecurity.PkiPath: This selection verifies an X.509 certificate with a public key infrastructure (PKI) path. To modify this configuration, see the JAAS configuration panel for system logins.
- system.wssecurity.UsernameToken: This selection verifies the basic authentication (user name and password) data. To modify this configuration, see the JAAS configuration panel for system logins.
- system.wssecurity.IDAssertionUsernameToken: This selection enables Version 6 and later applications to use identity assertion to map a user name to a WebSphere Application Server credential principal. To modify this configuration, see the JAAS configuration panel for system logins.
- system.WSS_INBOUND: This selection specifies the login configuration for inbound or consumer requests for security token propagation using Web services security. To modify this configuration, see the JAAS configuration panel for system logins.
- system.WSS_OUTBOUND: This selection specifies the login configuration for outbound or generator requests for security token propagation using Web services security. To modify this configuration, see the JAAS configuration panel for system logins.
- None: With this selection, you do not specify a JAAS login configuration.
- Click OK and then Save to save the configuration.
Results
You have configured the token consumer at the server or cell level.
What to do next
You must specify a similar token generator configuration for the server or cell level.