File name: uwbs_callback.html
Callback handler configuration settings
Use this page to specify how to acquire the security token
that is inserted in the Web services security header within the Simple
Object Access Protocol (SOAP) message. The token acquisition is a
pluggable framework that leverages the Java Authentication and Authorization
Service (JAAS) javax.security.auth.callback.CallbackHandler interface
for acquiring the security token.
To
view this administrative console page for the callback handler on
the cell level, complete the following steps:
- Click Security > Web services.
- Under Default generator bindings, click Token generators > token_generator_name.
- Under Additional properties, click Callback handler.
To view this administrative console page for the callback handler
on the server level, complete the following steps:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web
services security.
- Under Default generator bindings, click Token generators > token_generator_name.
- Under Additional properties, click Callback handler.
To view this administrative console page for the callback handler
on the application level , complete the following steps:
- Click Applications > Enterprise applications > application_name.
- Click Manage modules > URI_name.
- Under Additional properties, you can access the callback handler
information for the following bindings:
- For the Request generator (sender) binding, click Web services:
Client security bindings. Under Request generator (sender) binding,
click Edit custom. Under Additional properties, click Token
generator. Click New to create a new token generator configuration
or click the name of an existing configuration to modify its settings.
Under Additional properties, click Callback handler.
- For the Response generator (sender) binding, click Web services:
Server security bindings. Under Response generator (sender) binding,
click Edit custom. Under Additional properties, click Token
generator. Click New to create a new token generator configuration
or click the name of an existing configuration to modify its settings.
Under Additional properties, click Callback handler.
Callback handler class name
Specifies the name of the callback handler implementation
class that is used to plug in a security token framework.
The specified callback handler class must implement the javax.security.auth.callback.CallbackHandler
interface. The implementation must also provide a constructor with the
following signature, which the token generator uses to instantiate it:
MyCallbackHandler(String username, char[] password, java.util.Map properties)
Where:
- username
- Specifies the user name that is passed into the configuration.
- password
- Specifies the password that is passed into the configuration.
- properties
- Specifies the other configuration properties that are passed into
the configuration.
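The following is an added example of a minimal custom callback handler that satisfies the constructor contract described above; it is not code from the product or from this page. It answers the standard JAAS NameCallback and PasswordCallback with the user name and password supplied on this panel and fails closed (no prompt, no empty token) when they are absent. The class name MyCallbackHandler, the property key and the credentials in main() are hypothetical. Note that the real token generator framework may hand over product-specific Callback types that this page does not describe; the UnsupportedCallbackException branch is where such callbacks would be handled in a production implementation.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Hypothetical non-prompting callback handler for a token generator.
 * It exposes the three-argument constructor the framework requires and
 * answers the standard JAAS name/password callbacks from the values
 * configured on the panel. It never prompts and never returns empty
 * credentials silently.
 */
public class MyCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;   // defensive copy, scrubbed by destroy()
    private final Map properties;    // other configuration properties from the panel

    // Constructor signature required by the token generator framework.
    public MyCallbackHandler(String username, char[] password, Map properties) {
        this.username = username;
        this.password = (password == null) ? null : password.clone();
        this.properties = properties;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                if (username == null) {
                    throw new IOException("no basic authentication user ID configured");
                }
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                if (password == null) {
                    throw new IOException("no basic authentication password configured");
                }
                ((PasswordCallback) cb).setPassword(password); // PasswordCallback clones the array
            } else {
                // Do not ignore callbacks you do not understand: the token generator
                // would otherwise build a token from unset fields.
                throw new UnsupportedCallbackException(cb,
                        "unsupported callback type " + cb.getClass().getName());
            }
        }
    }

    /** Scrub the in-memory password once the token has been generated. */
    public void destroy() {
        if (password != null) {
            Arrays.fill(password, '\0');
        }
    }

    // Stand-alone check: drive the handler the way a login module would.
    public static void main(String[] args) throws Exception {
        Map<String, String> props = new java.util.HashMap<String, String>(); // constructed sample
        props.put("com.example.hypothetical.property", "value");
        MyCallbackHandler h = new MyCallbackHandler("alice", "s3cret".toCharArray(), props);
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        h.handle(new Callback[] { nc, pc });
        System.out.println("name=" + nc.getName() + " password length=" + pc.getPassword().length);
        pc.clearPassword();
        h.destroy();
    }
}
```

Compile and run with a Java 5 or later JDK (javac MyCallbackHandler.java && java MyCallbackHandler). Keeping the password as char[] and scrubbing it after use matters because the same credentials may be reused for every outbound message; a String copy would linger in the heap until garbage collected.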
The application server provides the following default callback
handler implementations:
- com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
- This callback handler uses a login prompt to gather user name
and password information. However, if you specify the user name and
password on this panel, a prompt is not displayed and the application
server returns the user name and password to the token generator if
it is specified on this panel. Use this implementation for a Java
2 Platform, Enterprise Edition (J2EE) application client only.
- com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
- This callback handler does not issue a prompt and returns the
user name and password if it is specified on this panel. You can use
this callback handler when the Web service is acting as a client.
- com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
- This callback handler uses a standard-in prompt to gather the
user name and password. However, if the user name and password is
specified on this panel, the application server does not issue a prompt,
but returns the user name and password to the token generator. Use
this implementation for a Java 2 Platform, Enterprise Edition (J2EE)
application client only.
- com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
- This callback handler is used to obtain the Lightweight Third
Party Authentication (LTPA) security token from the Run As invocation
Subject. This token is inserted in the Web services security header
within the SOAP message as a binary security token. However, if the
user name and password are specified on this panel, the application
server authenticates the user name and password to obtain the LTPA
security token rather than obtaining it from the Run As Subject. Use
this callback handler only when the Web service is acting as a client
on the application server. It is recommended that you do not use this
callback handler on a J2EE application client.
The LTPATokenCallbackHandler
is used to generate either an LTPA or an LTPA_PROPAGATION token. When
the LTPATokenCallbackHandler is used to generate an LTPA token, you
can supply basic authentication information to obtain the required
LTPA token. However, when the LTPATokenCallbackHandler is used to generate
an LTPA_PROPAGATION token, basic authentication information cannot
be used to generate the token and therefore must not be supplied.
- com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler
- This callback handler is used to obtain the X.509 certificate
that is inserted in the Web services security header within the SOAP
message as a binary security token. A keystore and a key definition
are required for this callback handler.
- com.ibm.wsspi.wssecurity.auth.callback.PKCS7CallbackHandler
- This callback handler is used to create X.509 certificates encoded
with the PKCS#7 format. The certificate is inserted in the Web services
security header in the SOAP message as a binary security token. A
keystore is required for this callback handler. You must specify a
certificate revocation list (CRL) in the collection certificate store.
The CRL is encoded with the X.509 certificate in the PKCS#7 format.
- com.ibm.wsspi.wssecurity.auth.callback.PkiPathCallbackHandler
- This callback handler is used to create X.509 certificates encoded
with the PkiPath format. The certificate is inserted in the Web services
security header within the SOAP message as a binary security token.
A keystore is required for this callback handler. A CRL is not supported
by the callback handler; therefore, the collection certificate store
is not required or used.
The callback
handler implementation obtains the required security token and passes
it to the token generator. The token generator inserts the security
token in the Web services security header within the SOAP message.
Also, the token generator is the plug-in point for the pluggable security
token framework. Service providers can provide their own implementation,
but the implementation must use the com.ibm.wsspi.wssecurity.token.TokenGeneratorComponent
interface.
Use identity assertion
Select this option if you have identity assertion defined
in the IBM extended deployment descriptor.
This option indicates that only the identity of the initial sender
is required and inserted into the Web services security header within
the SOAP message. For example, for a Username TokenGenerator the application
server sends only the user name of the original caller; for
an X.509 token generator, it sends only the original
signer's certificate.
Use RunAs identity
Select this option if you have identity assertion defined
in the IBM extended deployment descriptor and you want to use the
Run As identity instead of the initial caller identity for identity
assertion for a downstream call.
This option is valid only if you have Username TokenGenerator configured
as a token generator.
Basic authentication user ID
Specifies the user name that is passed to the constructor
of the callback handler implementation.
The basic authentication user name and password are used if you
select one of the following default callback handler implementations
provided by this product:
- com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
- com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
- com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
- com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
These implementations are described in detail under the Callback
handler class name field description in this article.
Basic authentication password
Specifies the password that is passed to the constructor
of the callback handler.
The keystore and its related configuration are used if you select
one of the following default callback handler implementations provided
by this product:
- com.ibm.wsspi.wssecurity.auth.callback.PKCS7CallbackHandler
- The keystore is used to build the X.509 certificate with the certificate
path.
- com.ibm.wsspi.wssecurity.auth.callback.PkiPathCallbackHandler
- The keystore is used to build the X.509 certificate with the certificate
path.
- com.ibm.wsspi.wssecurity.auth.callback.X509CallbackHandler
- The keystore is used to retrieve the X.509 certificate.
Key store configuration name
Specifies the name of the key store configuration defined
in the keystore settings in secure communications.
Key store password
Specifies the password that is used to access the keystore
file.
Key store path
Specifies the location of the keystore file.
Use ${USER_INSTALL_ROOT} in the path name because this variable
expands to the product path on your machine. To change the path used
by this variable, click Environment > WebSphere variables and
click USER_INSTALL_ROOT.
Key store type
Specifies the type of keystore file format.
Choose one of the following values for this field:
- JKS
- Use this option if the keystore uses the Java Keystore (JKS) format.
- JCEKS
- Use this option if the Java Cryptography Extension is configured
in the software development kit (SDK). The default IBM JCE is configured
in the application server. This option provides stronger protection
for stored private keys by using Triple DES encryption.
- JCERACFKS
- Use JCERACFKS if the certificates are stored in a SAF key ring
(z/OS only).
- PKCS11KS (PKCS11)
- Use this option if the keystore is accessed through the PKCS#11
cryptographic token interface rather than read from a file. Keystores of this type
can hold Rivest Shamir Adleman (RSA) keys on cryptographic hardware, or can use
cryptographic hardware to encrypt stored keys so that they are protected.
- PKCS12KS (PKCS12)
- Use this option if your keystore file uses the PKCS#12 file format.
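The following is an added example, not the product's own code, showing what the X.509 family of callback handlers described above must do with the keystore settings on this panel: open a keystore of the configured type, fetch the certificate chain for a key alias, and encode it as the value that goes into a binary security token. It uses only the standard Java KeyStore and CertPath APIs; the class name, the command-line arguments and the assumption that a keystore file (or, for PKCS11, a configured SunPKCS11 provider) exists are hypothetical. The "PKCS7" CertPath encoding produced by the JDK carries certificates only, so the CRL that the PKCS7CallbackHandler takes from the collection certificate store is not reproduced here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

/**
 * Hypothetical helper mirroring the keystore work of the X509, PkiPath and
 * PKCS7 callback handlers: load the keystore of the configured type, pull
 * the chain for a key alias, and emit base64 token values.
 */
public class KeyStoreTokenExample {

    /** Load a keystore of the given type ("JKS", "JCEKS", "PKCS12", "PKCS11"). */
    static KeyStore load(String type, String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if ("PKCS11".equalsIgnoreCase(type)) {
            ks.load(null, storePass);          // hardware token: no file, the password is the PIN
            return ks;
        }
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);            // throws on a wrong password or a tampered JKS
        }
        return ks;
    }

    /** Return the chain for an alias, refusing trusted-cert-only entries and expired certs. */
    static List<X509Certificate> chainFor(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias is not a key entry (no private key): " + alias);
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate chain stored for alias " + alias);
        }
        List<X509Certificate> out = new ArrayList<X509Certificate>();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            x.checkValidity();                 // never turn an expired certificate into a token
            out.add(x);
        }
        return out;
    }

    /** X509CallbackHandler analogue: the leaf certificate alone, DER then base64. */
    static String x509Token(List<X509Certificate> chain) throws Exception {
        return Base64.getEncoder().encodeToString(chain.get(0).getEncoded());
    }

    /** PkiPathCallbackHandler / PKCS7CallbackHandler analogue: the whole path in the
     *  requested CertPath encoding, "PkiPath" or "PKCS7". */
    static String pathToken(List<X509Certificate> chain, String encoding) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(new ArrayList<Certificate>(chain));
        return Base64.getEncoder().encodeToString(path.getEncoded(encoding));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeyStoreTokenExample <type> <path-or-ignored> <alias> <storepass>");
            return;
        }
        char[] pass = args[3].toCharArray();
        try {
            KeyStore ks = load(args[0], args[1], pass);
            List<X509Certificate> chain = chainFor(ks, args[2]);
            System.out.println("X509v3 token:  " + x509Token(chain).substring(0, 40) + "...");
            System.out.println("PkiPath token: " + pathToken(chain, "PkiPath").substring(0, 40) + "...");
            System.out.println("PKCS7 token:   " + pathToken(chain, "PKCS7").substring(0, 40) + "...");
        } finally {
            Arrays.fill(pass, '\0');           // do not leave the keystore password in memory
        }
    }
}
```

Run with a Java 8 or later JDK, for example java KeyStoreTokenExample JKS /path/to/server.jks signer changeit. The isKeyEntry check is the practical difference between a trust store and a signing keystore: a certificate-only entry can be encoded into a token, but the token generator would then be unable to sign with it.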