You can attach the trust service operations for a service endpoint
to a system policy set and binding. Each new endpoint that is specified initially
has the following four operations: issue, renew, cancel, and validate. By
default, all endpoints inherit the policy set and binding that are attached
to the respective trust service operation under Trust Service Defaults. However,
you can explicitly attach a different policy set.
Before you begin
First you must define your policy sets and bindings. Policies describe
the protection or quality of service that is provided (such as message security,
transport and so forth). Bindings specify some details about how to
implement the policy, such as: the path for the keystore file, the class name
of the token generator, or the JAAS configuration name.
Important: Use
system policy sets with the trust service only. The requestor (client) must
use the Java API for XML-Based Web Services (JAX-WS) only. Requestors that
use the Java API for XML-based remote procedure calls (JAX-RPC) are incompatible
with the policy set quality of service (QoS).
About this task
You can attach the trust service operations for a new endpoint
to an existing policy set and binding. For each new service endpoint that
is specified, four trust service operations (cancel, renew, validate and issue)
change from having inherited attachments to being explicitly attached. The
four operations are attached to the respective policy set and binding as specified
in Trust Service Defaults. Then you can change the attachment to the desired
existing policy set and binding.
An endpoint policy set consists of
two sections: a bootstrap section and an application section. The system
policy set attached to the issue and renew trust service operations for a
specific endpoint must correspond to the bootstrap section of the policy set
for that endpoint. The system policy set attached to the cancel and validate
trust service operations for a specific endpoint must correspond to the application
section of the policy set for that endpoint.
This task describes how
to manage trust service operations for service endpoint URLs that you want
to attach to a system policy set and binding. To complete the configuration
of the WebSphere Application Server trust service, you must also complete
the following task:
- Create or manage targets. You can create explicit assignments for new
service endpoints (targets) or manage endpoints that have a security token
explicitly assigned or that inherit the Trust Service Default token.
If no explicit bindings are attached, WebSphere Application Server
uses the cell level default bindings. The binding Default refers to
the cell default bindings.
Procedure
- To manage system policy set attachments for trust service operations,
click Services > Trust service > Trust service attachments. The
list displays all endpoints that have at least one operation with a policy
set attached as well as Trust Service Defaults. The list also displays the
system policy set and the binding for each operation.
- Select one or more of the following actions to configure the trust
service attachments:
- New Attachment: Opens a new panel where you can specify the service endpoint URL. For each new service endpoint that is specified, four trust service operations (cancel, renew, validate and issue) change from having inherited attachments to being explicitly attached. The four operations are attached to the respective policy set and binding as specified in Trust Service Defaults. These initial attachments can be changed.
- Attach: Displays a list of existing system policy sets, including the two default trust-related system policy sets, to which each of the four trust service operations for a service endpoint can be attached. First, select the operation (for example, Cancel token) and then click Attach to display the list of available system policy sets. Select a default or custom system policy set to attach. When you change the policy set attachment, the binding automatically changes to Default. Select the operation and click Assign Binding to change the binding.
  The pre-configured system policy sets that you can select include:
  - TrustServiceSecurityDefault: This trust policy set specifies the asymmetric algorithm as well as the public and private keys to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using RSA. Message confidentiality is provided by encrypting the body and signature using RSA. This policy set follows the WS-Security specification for the issue and renew trust operation requests.
  - TrustServiceSymmetricDefault: This trust policy set specifies the symmetric algorithm as well as the derived key algorithms to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using HMAC-SHA1. Message confidentiality is provided by encrypting the body and signature using AES. This policy set follows the WS-Security and WS-SecureConversation specifications for the validate and cancel trust operation requests.
- Inherit Operation Defaults: Sets the operation to inherit the respective trust service default policy set attachment and binding. If you select the attachments to modify and then click Inherit Operation Defaults, the explicit attachment for both the policy set and the binding is removed. Thereafter, the operation inherits any change to the default trust service policy set and binding.
- Assign Binding: Changes the existing binding. You can create and assign a new binding, assign the Default binding, or assign an existing custom binding to each of the selected trust service attachments.
- Update Runtime: Updates the trust service runtime with any configuration changes that are made to the trust service attachments, token providers, and targets.
- Optional: Modify the custom policy set by clicking
the name of a custom policy set from the list. Edit the settings
for custom policy sets, as needed. Default trust service policy set information
can only be viewed.
You cannot edit the two default trust policy sets:
TrustServiceSecurityDefault and TrustServiceSymmetricDefault. TrustServiceSecurityDefault
is the default for the issue and renew operations. TrustServiceSymmetricDefault
is the default for the cancel and validate operations.
At least one
trust service operation for the endpoint service URL must be explicitly attached
for the endpoint service URL to be displayed. If an operation is explicitly
attached, the system policy set name appears. If no policy set is explicitly
attached, the respective default trust service policy set appears, followed
by the text (inherited).
- Optional: Modify a custom binding by clicking its
name in the list, and edit the settings for the custom binding as needed.
You can only view default binding information.
You cannot edit the default binding: Default. Any modifications to a trust
service binding affect all trust service attachments that reference the binding.
If
the resource has a policy set directly attached, either the binding's name
appears or Default appears.
- Save your changes before applying the changes to the trust service
runtime configuration.
- Click Update Runtime to update the trust service runtime
configuration with any data changes for token providers, trust service attachments,
and targets. Whether the confirmation window appears depends on
whether you select the Show confirmation for update runtime command check
box. Expand Preferences to view the check box.
- Optional: Confirm or cancel if the confirmation window
appears. If you deselected the Show confirmation for update
runtime command check box, all changes are made immediately without displaying
the confirmation window.
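The procedure above describes several console actions (New Attachment, Attach, Assign Binding, Inherit Operation Defaults) and the display rule for inherited versus explicit attachments. The following Python model is an added illustration of those resolution rules, not IBM's code or a wsadmin script: it assumes the defaults named on this page (TrustServiceSecurityDefault for issue/renew, TrustServiceSymmetricDefault for cancel/validate, the cell default binding called Default), and the endpoint URL and custom policy set and binding names in the demo are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The four trust service operations every endpoint carries.
OPERATIONS = ("issue", "renew", "cancel", "validate")

# Trust Service Defaults as the page describes them: the asymmetric policy set
# for issue/renew, the symmetric one for cancel/validate, cell default binding.
TRUST_SERVICE_DEFAULTS: Dict[str, Tuple[str, str]] = {
    "issue": ("TrustServiceSecurityDefault", "Default"),
    "renew": ("TrustServiceSecurityDefault", "Default"),
    "cancel": ("TrustServiceSymmetricDefault", "Default"),
    "validate": ("TrustServiceSymmetricDefault", "Default"),
}


@dataclass
class TrustServiceAttachments:
    """Attachment table: explicit (policy set, binding) per endpoint and operation.

    This is an illustrative model (assumption), not the product's data structure.
    """
    defaults: Dict[str, Tuple[str, str]] = field(
        default_factory=lambda: dict(TRUST_SERVICE_DEFAULTS))
    # endpoint URL -> operation -> explicit pair; a missing key means "inherited"
    explicit: Dict[str, Dict[str, Tuple[str, str]]] = field(default_factory=dict)

    def _check(self, operation: str) -> None:
        if operation not in OPERATIONS:
            raise ValueError(f"unknown trust service operation: {operation}")

    def new_attachment(self, endpoint: str) -> None:
        """New Attachment: all four operations become explicitly attached,
        initially to whatever Trust Service Defaults specify right now."""
        self.explicit[endpoint] = {op: self.defaults[op] for op in OPERATIONS}

    def attach(self, endpoint: str, operation: str, policy_set: str) -> None:
        """Attach: change the policy set; the binding resets to Default."""
        self._check(operation)
        self.explicit.setdefault(endpoint, {})[operation] = (policy_set, "Default")

    def assign_binding(self, endpoint: str, operation: str, binding: str) -> None:
        """Assign Binding: change only the binding, keeping the effective policy set
        (assumption: assigning a binding to an inherited operation makes it explicit)."""
        self._check(operation)
        policy_set = self.resolve(endpoint, operation)[0]
        self.explicit.setdefault(endpoint, {})[operation] = (policy_set, binding)

    def inherit_operation_defaults(self, endpoint: str, operation: str) -> None:
        """Inherit Operation Defaults: drop the explicit pair so later changes to
        Trust Service Defaults flow through to this operation."""
        self._check(operation)
        ops = self.explicit.get(endpoint, {})
        ops.pop(operation, None)
        if not ops:
            self.explicit.pop(endpoint, None)

    def resolve(self, endpoint: str, operation: str) -> Tuple[str, str, bool]:
        """Effective (policy set, binding, inherited?) for one operation."""
        self._check(operation)
        pair = self.explicit.get(endpoint, {}).get(operation)
        if pair is None:
            policy_set, binding = self.defaults[operation]
            return policy_set, binding, True
        return pair[0], pair[1], False

    def display(self, endpoint: str, operation: str) -> str:
        """Policy set column as the console shows it: name, or name (inherited)."""
        policy_set, _, inherited = self.resolve(endpoint, operation)
        return f"{policy_set} (inherited)" if inherited else policy_set

    def listed_endpoints(self) -> List[str]:
        """Endpoints shown on the attachments panel: at least one explicit operation."""
        return sorted(ep for ep, ops in self.explicit.items() if ops)


if __name__ == "__main__":
    # Constructed demo values, not from any real configuration.
    ep = "https://example.invalid/TrustedService"
    table = TrustServiceAttachments()
    table.new_attachment(ep)
    table.attach(ep, "cancel", "MyAppPolicySet")       # binding resets to Default
    table.assign_binding(ep, "cancel", "MyAppBinding")
    for op in OPERATIONS:
        print(f"{op:9} {table.display(ep, op)} / {table.resolve(ep, op)[1]}")
```

Running the demo shows cancel with the custom policy set and binding while the other three operations stay explicitly attached to the defaults; switching all four back with inherit_operation_defaults removes the endpoint from the list, and a later change to the defaults is then reflected with the (inherited) suffix.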
Results
You have provided the basic information to create or update a trust
service attachment. You have configured trust service operation attachments
to system policy sets and bindings.
What to do next
You can also create a new attachment for the WebSphere Application
Server trust service using the wsadmin tool. The wsadmin tool examples are
written in the Jython scripting language.