WebSphere Application Server provides message-level protection
for its security token service, known as the WebSphere Application Server
trust service. For the trust service, you must use a special class of policy
sets known as system policy sets.
Before you begin
You can secure requests to the trust service by using two different
configuration methods:
- Use the administrative console to define and attach a system policy set
and binding to a trust service operation that is associated with an endpoint.
- Use the wsadmin tool, which supports the Jython and Jacl scripting languages,
to configure system policy sets for the trust service. You can manage the
policies for the Quality of Service (QoS) by creating policy sets and managing
associated policies.
About this task
For WebSphere Application Server trust service security, you must
configure the system policy sets, the bindings, the trust service attachments,
and the secure conversation client cache.
Perform the following high-level steps. The order of the tasks is not important, but all required high-level steps must be performed to complete the trust configuration.
Procedure
- Define a new system policy set or manage existing system policy sets. To manage system policy sets, you can perform the following tasks:
  - Define the system policy set and binding. The system policy set can be a new or existing policy set. If you create a new system policy set, you must specify and configure the policy types. A default binding configuration is associated with each policy type.
  - Modify the system policy set, as needed.
  Other optional policy set-related tasks that you can perform include:
  - Add, edit, or remove policy set attachments.
  - Edit, enable, disable, or remove policy types.
  - Create a system policy set by selecting and copying an existing system policy set. When copying an existing system policy set, you also specify whether to move the existing attachments to this new system policy set.
  - Delete system policy sets. You cannot delete the pre-configured system policy sets that WebSphere Application Server provides by default.
  - Archive a system policy set by selecting and exporting an existing system policy set. When you export an existing system policy set, you create a .zip archive file, which is provided for download. For example, if you have a policy set named ABC_ps and you want to export and move the archive file from ServerA to ServerB, first use the export function to create the .zip file. Then, manually transfer the archive file to ServerB.
- Create and manage explicit attachments. You can perform the following trust service attachment tasks:
  - Attach the system policy set and assign a binding to an endpoint. For an endpoint, you can create explicit attachments for each of the four trust service operations to the respective Trust Service Defaults policy sets and bindings. After you have created these initial attachments, you can view and further modify existing policy set and binding configurations.
  - Modify existing policy set attachment and binding configurations, as needed. The system policy set can be a new or existing policy set. If you create a new system policy set, you must specify and configure the policy types. A default binding configuration is associated with each policy type.
  The system policy set that is attached to issue and renew must correspond to the client and endpoint’s bootstrap policy set, and the system policy set attached to validate and cancel must correspond to the client and endpoint’s application policy set. The bootstrap policy set for the endpoint service is only required if the endpoint service makes issue and renew requests to the trust service.
  Other optional attachment-related tasks that you can perform include:
  - Change the system policy set and binding configurations.
  - Create custom system policy sets and bindings.
  - Attach each of the four default trust service operations to a system policy set and binding.
  - Attach each of the four trust service operations associated with a specific endpoint to a system policy set and binding.
  - Specify that the selected trust service operations for an endpoint inherit the respective default trust service policy set and binding.
  - Assign the Default binding or a custom binding configuration to the selected policy set attachment.
  - Update the trust service runtime configuration.
- Manage the security context token provider that the trust service provides. You can perform the following trust service token provider tasks:
  - Modify the configuration of the Security Context Token provider, as needed.
  Other optional token provider-related tasks that you can perform include:
  - Update the trust service runtime configuration for any token provider configuration changes.
- Manage the trust service default token provider and any endpoints that have an explicitly assigned token (rather than inheriting from the default). Targets are endpoints that are assigned a specific token provider. You can perform the following trust service target tasks:
  - Create a new trust service target by explicitly assigning a service endpoint URL to the default token provider. Performing this task creates an explicit assignment to the default trust service token provider, the Security Context Token. All other endpoints inherit the trust service default token provider.
  - Configure a target. WebSphere Application Server defines one default supported token provider, the Security Context Token. Other tasks that you can perform for existing targets include:
    - Modifying one or more endpoints that have a security context token provider explicitly assigned.
    - Changing the token provider for an endpoint from inherited to explicitly assigned, so that the token provider for the endpoint does not change when the default trust service token provider changes.
    - Changing the token provider for an endpoint from explicitly assigned to inherited, so that the token provider for the endpoint is the default trust service token provider and changes when the default changes.
    - Updating the trust service runtime configuration.
- Configure the Secure Conversation client cache. You can change the behavior of the secure conversation client-side caching.
- Update the trust service runtime configuration. You must update the runtime configuration whenever any of the following trust-related items are created or changed:
  - Trust service attachments
  - Token providers
  - Targets
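The same policy set tasks can be scripted with the wsadmin tool mentioned under "Before you begin". The following wsadmin Jython script is an added example, not code from the WebSphere documentation: it copies an existing system policy set, exports the copy to the .zip archive that is transferred to ServerB, imports it on the other side, and refreshes the trust service runtime. It assumes the standard wsadmin AdminTask policy set commands (listPolicySets, copyPolicySet, exportPolicySet, importPolicySet, refreshSTS); the source policy set name and the archive path are placeholders.

```jython
# Added example (not from the WebSphere documentation). Run on ServerA with:
#   wsadmin -lang jython -f sts_policyset.py
# Assumption: AdminTask.listPolicySets, copyPolicySet, exportPolicySet,
# importPolicySet and refreshSTS are the standard wsadmin policy set commands.
SOURCE_PS = 'ExistingTrustPS'   # placeholder: an existing system policy set
NEW_PS    = 'ABC_ps'            # the policy set name used in the text's example
ARCHIVE   = '/tmp/ABC_ps.zip'   # placeholder archive path on ServerA

def system_policy_set_exists(name):
    # listPolicySets returns a newline-separated string in wsadmin Jython.
    names = AdminTask.listPolicySets('[-policySetType system]').splitlines()
    return name in [n.strip() for n in names]

def copy_system_policy_set(source, target, transfer_attachments):
    # transferAttachments is the "move existing attachments" choice that the
    # console asks for when you copy a system policy set.
    if transfer_attachments:
        flag = 'true'
    else:
        flag = 'false'
    AdminTask.copyPolicySet('[-sourcePolicySet %s -newPolicySet %s '
                            '-newDescription "Copy of %s" -transferAttachments %s]'
                            % (source, target, source, flag))
    AdminConfig.save()

def export_system_policy_set(name, path):
    # Creates the .zip archive that you then transfer manually to ServerB.
    AdminTask.exportPolicySet('[-policySet %s -pathName %s]' % (name, path))

def import_system_policy_set(path):
    # Run this part on ServerB after the archive has been transferred.
    AdminTask.importPolicySet('[-importFile %s]' % path)
    AdminConfig.save()

def refresh_trust_service_runtime():
    # Attachments, token providers and targets only take effect after the
    # trust service runtime configuration is updated.
    AdminTask.refreshSTS()

if not system_policy_set_exists(SOURCE_PS):
    raise ValueError('system policy set %s does not exist' % SOURCE_PS)
# Keep the attachments on the pre-configured source set: copy without moving them.
copy_system_policy_set(SOURCE_PS, NEW_PS, 0)
export_system_policy_set(NEW_PS, ARCHIVE)
refresh_trust_service_runtime()
print 'Exported %s to %s; transfer it to ServerB and run import_system_policy_set' % (NEW_PS, ARCHIVE)
```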
Results
After the configurations are completed and the trust service runtime
configuration has been updated, you have used the administrative console to
secure requests to the trust service by using system policy sets.