Use this topic and the commands in the SecureConversation group of the AdminTask object to enable the secure conversation client cache by creating a new policy set and bindings to attach to your applications.
Before you begin
Deploy applications that contain Web services.
Before you use the commands in this topic, verify that you are using the most recent version of the wsadmin tool. The policy set management commands that accept a properties object as the value for the attributes or bindingLocation parameters are not supported on previous versions of the wsadmin tool. For example, the commands do not run on a Version 6.1.0.x node.
About this task
This topic uses the default SecureConversation policy set and the default WS-Security and TrustServiceSecurityDefault bindings to enable secure conversation.
The default SecureConversation policy set contains an application policy with the symmetric binding, and a bootstrap policy with the asymmetric binding. The application policy secures application messages. The bootstrap policy secures RequestSecurityToken (RST) messages. The trust service, which issues security context token providers, uses the TrustServiceSecurityDefault system policy and the TrustServiceSecurityDefault bindings. The trust policy secures RequestSecurityTokenResponse (RSTR) messages. If you modify the bootstrap policy, you must also modify the trust policy so that both of the configurations match.
Note: Use the following steps in development and test environments only. The WS-Security default bindings in this procedure contain sample key files that you must customize before using the bindings in a production environment. Create custom bindings for your production environment.
Procedure
- Launch the wsadmin scripting tool.
- Copy the existing SecureConversation policy set.
Use the following command example to create a new policy set by copying the existing SecureConversation policy set:
AdminTask.copyPolicySet('[-sourcePolicySet SecureConversation -newPolicySet CopyOfSCPolicySet]')
- Optional: Modify the WS-Security default bindings.
If you chose the "Create the server using the development template" option when you created your profile, you can optionally skip this step.
If the WS-Security default bindings are not yet customized, modify the keystore attributes so that the service clients and service providers use the same set of bindings.
- List each WS-Security policy attribute.
Use the following command example to list each WS-Security policy attribute:
AdminTask.getBinding('-policyType WSSecurity -bindingLocation ""')
- Modify the outbound configuration for the protection token.
Use the following commands to modify the outbound configuration for the protection token. The attribute list is built in a Jython variable and then concatenated into the setBinding parameter string, because a variable name written inside the quoted string would be passed literally rather than substituted:
cmd1_attributes_value = "[ [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.key.name [CN=Bob,O=IBM, C=US]] [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.keystore.storepass storepass] [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.keystore.type JCEKS] [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.key.alias bob] [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.keystore.path ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks] ]"
AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "" -attributes ' + cmd1_attributes_value + ' -attachmentType application]')
cmd2_attributes_value = "[ [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.path ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.storepass client] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.name [CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP]] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.keypass client] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.alias soaprequester] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.type JKS] ]"
AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "" -attributes ' + cmd2_attributes_value + ' -attachmentType application]')
- Optional: Modify the TrustDefaultBindings binding.
If you chose the "Create the server using the development template" option when you created your profile, you can optionally skip this step.
If the TrustDefaultBindings are not yet customized, use the following commands to modify the TrustDefaultBindings binding. The keystore, alias and key name values match those set on the application binding in the previous step, so that the bootstrap and trust configurations agree:
cmd3_attributes_value = "[ [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore.storepass storepass] [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.key.alias bob] [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore.type JCEKS] [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore.path ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks] [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.key.name [CN=Bob, O=IBM, C=US]] ]"
AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "[attachmentId 2]" -attributes ' + cmd3_attributes_value + ' -attachmentType system/trust]')
cmd4_attributes_value = "[ [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.path ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.storepass client] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.name [CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP]] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.keypass client] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.alias soaprequester] [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.type JKS] ]"
AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "[attachmentId 2]" -attributes ' + cmd4_attributes_value + ' -attachmentType system/trust]')
- Attach the policy set and binding to the application.
Use the attachmentType parameter of the createPolicySetAttachment command to specify whether your application is a service client or a service provider. Use the following command to attach the CopyOfSCPolicySet policy set to the myTestApp service client application:
AdminTask.createPolicySetAttachment('[-applicationName myTestApp -policySet CopyOfSCPolicySet -resources WebService:/ -attachmentType client]')
Use the following command to attach the CopyOfSCPolicySet policy set to the myTestApp service provider application:
AdminTask.createPolicySetAttachment('[-applicationName myTestApp -policySet CopyOfSCPolicySet -resources WebService:/ -attachmentType application]')
This step automatically assigns the default bindings.
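The following helper is an added example written for this topic; it is plain Python that runs outside wsadmin and is not IBM code or part of the AdminTask API. It parses and rebuilds the "[ [key value] ... ]" attribute syntax that the setBinding commands above use, flags binding attributes that still point at the shipped sample key files (which the Note says are for development and test only), and checks that the bootstrap (application) and trust callback-handler settings match, as the About this task section requires. The sample attribute strings are copied from cmd1 and cmd3 above; treating tokengenerator_5 in the application binding and tokengenerator_1 in the trust binding as the pair to compare is taken from this procedure.

```python
import re

# Constructed input: the cmd1 (application) and cmd3 (trust) attribute lists from this topic.
APP_ATTRS = (
    "[ [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.key.name [CN=Bob,O=IBM, C=US]]"
    " [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.keystore.storepass storepass]"
    " [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.keystore.type JCEKS]"
    " [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.key.alias bob]"
    " [application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.keystore.path"
    " ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks] ]")
TRUST_ATTRS = (
    "[ [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore.storepass storepass]"
    " [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.key.alias bob]"
    " [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore.type JCEKS]"
    " [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore.path"
    " ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks]"
    " [application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.key.name [CN=Bob, O=IBM, C=US]] ]")
GENERATOR_PREFIX = re.compile(r"^application\.securityoutboundbindingconfig\.tokengenerator_\d+\.callbackhandler\.")

def parse_attribute_list(text):
    """Parse '[ [key value] [key value] ]' into a dict; bracketed values keep their spaces."""
    attrs, depth, start = {}, 0, None
    for i, ch in enumerate(text):
        if ch == "[":
            if depth == 1:  # an entry opens at depth 1; the outer list itself is depth 0
                start = i
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth == 1 and start is not None:
                key, _, value = text[start + 1:i].partition(" ")
                attrs[key] = value.strip().strip("[]")
                start = None
    return attrs

def build_attribute_list(attrs):
    """Inverse of parse_attribute_list: values containing spaces are wrapped in brackets."""
    parts = ["[%s %s]" % (k, "[%s]" % v if " " in v else v) for k, v in attrs.items()]
    return "[ " + " ".join(parts) + " ]"

def sample_keystores(attrs):
    """Keys that still point at the shipped sample key files (development and test only)."""
    return sorted(k for k, v in attrs.items() if "/etc/ws-security/samples/" in v)

def callbackhandler_mismatches(app_attrs, trust_attrs):
    """Settings that differ between the bootstrap (application) and trust callback handlers;
    the generator prefix is stripped and DN whitespace normalised before comparing."""
    norm = lambda d: {GENERATOR_PREFIX.sub("", k): re.sub(r"\s*,\s*", ",", v) for k, v in d.items()}
    a, t = norm(app_attrs), norm(trust_attrs)
    return sorted(k for k in set(a) | set(t) if a.get(k) != t.get(k))
```

Run sample_keystores over the output of getBinding before attaching a policy set in production, and callbackhandler_mismatches after any change to the bootstrap policy's binding.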
Results
Your secure conversation configuration is updated in the WSSCCache.xml file located in the cell level directory.
What to do next
Manage your secure conversation configurations with the SecureConversation command group for the AdminTask object.