Authentication tokens are used to prove or assert an identity. Use the administrative console to add authentication token settings for message parts when you are editing a general binding.
To configure authentication tokens, complete the following steps:
This administrative console panel applies only to Java API for XML Web Services (JAX-WS) applications.
Specifies the name of the token being configured. When you are using application-specific bindings, this field is not displayed.
Specifies the type of token being configured.
When you are using application-specific bindings, the token type is obtained from the policy file and it is read-only. When you are using general bindings, select a token type from the list. The following token types are available:
If you select LTPA Token as the token type for the token generator, single sign-on interoperability mode must be enabled. This setting is in the Web and SIP security section of global security. If the interoperability flag is not set to enabled (true), an error occurs when the application that is attached to these bindings is started. If you want to use the LTPA token without checking the state of the interoperability flag, you can set the custom property, com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7, on the token generator. Set the property using the administrative console, as described in the topic Enabling or disabling single sign-on interoperability mode for the LTPA token. The property cannot be set using the Web Services Security API.
Specifies the local name for the authentication token generator or consumer. The Local name field is populated based on the token type displayed. Use this field to edit custom token types only.
Specifies the uniform resource identifier (URI) of the authentication token generator or consumer. The URI field is populated based on the token type displayed. Use this field to edit custom token types only.
Leave this field blank if the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile v1.1.
Specifies the security token reference. The security token reference field is displayed only for authentication tokens in application-specific bindings. This field is not available for default bindings.
Specifies a list of application and system Java Authentication and Authorization Service (JAAS) logins that are effective for the domain to which the binding is scoped.
If an application is scoped to the global security or if it is scoped to a domain that does not customize its own JAAS logins, then the list of global logins is displayed in the menu list. Click New Application Login to access the global JAAS application login collection. The JAAS login menu list and New Application Login button behavior depend on whether the binding is being created in association with an attachment. Use caution when changing security domains, since a previously referenced security configuration, such as JAAS logins, might not be accessible in a different security domain.
Specifies the name used for the custom property.
Custom properties are not initially displayed in this column. Click one of the following buttons to enable the actions described:
| Button | Resulting Action |
|---|---|
| New | Creates a new custom property entry. To add a custom property, enter the name and value. |
| Edit | Enables the selected custom property to be edited. Clicking this button provides input fields and creates the listing of cell values to be edited. The Edit button is not available until at least one custom property has been added. |
| Delete | Removes the selected custom property. |
Specifies the value of the custom property to be used. Use the Value field to enter, edit, or delete the value for a custom property.
If the custom token type is used to generate a Kerberos token, specify the following custom properties:
| Custom property name | Value |
|---|---|
| com.ibm.wsspi.wssecurity.krbtoken.targetServiceName | Specifies the name of the target service. This property is required. |
| com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost | Specifies the host name that is associated with the target service in the following format: myhost.mycompany.com. This property is required. |
| com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm | Specifies the name of the realm that is associated with the target service. This property is optional for a single Kerberos realm. If the targetServiceRealm property is not specified, the default realm name from the Kerberos configuration file is used as the realm name. In a cross or trusted realm environment, you must provide a value for the targetServiceRealm property. |
For the token generator, the combination of the target service name and target hostname forms a Service Principal Name (SPN) which represents the target Kerberos service principal name. The Kerberos client requests the initial Kerberos AP_REQ token for the SPN.
If an application generates or consumes a Kerberos V5 AP_REQ token for each Web services request message, set the com.ibm.wsspi.wssecurity.kerberos.attach.apreq custom property to true in the token generator and the token consumer bindings for the application. For more information, see the Web services security troubleshooting tips topic.
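The following added example (not IBM's code) checks a set of Kerberos custom properties against the rules in this section: the two required properties, the realm fallback to the Kerberos configuration file, and the requirement that attach.apreq be set in both the generator and the consumer bindings. It assumes the conventional Kerberos SPN form service/host@REALM; the krb5.conf fragment and bindings are constructed sample input.

```python
"""Consistency check for the krbtoken custom properties (added example)."""
import re

NAME = "com.ibm.wsspi.wssecurity.krbtoken.targetServiceName"
HOST = "com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost"
REALM = "com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm"
APREQ = "com.ibm.wsspi.wssecurity.kerberos.attach.apreq"

# Constructed krb5.conf fragment standing in for the Kerberos configuration file.
KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
"""


def default_realm(krb5_conf):
    """Return default_realm from a krb5.conf text, as the fallback realm."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_conf, re.M)
    if not m:
        raise ValueError("no default_realm in Kerberos configuration")
    return m.group(1)


def target_spn(props, krb5_conf=KRB5_CONF):
    """Build the SPN the generator requests an AP_REQ for (assumed service/host@REALM)."""
    missing = [p for p in (NAME, HOST) if not props.get(p)]
    if missing:
        raise ValueError("required custom property missing: " + ", ".join(missing))
    realm = props.get(REALM) or default_realm(krb5_conf)  # optional in a single realm
    return "%s/%s@%s" % (props[NAME], props[HOST], realm)


def apreq_consistent(generator, consumer):
    """attach.apreq must be true on both bindings, or on neither."""
    def flag(p):
        return p.get(APREQ, "false").lower() == "true"
    return flag(generator) == flag(consumer)


# Constructed sample bindings: the consumer is missing attach.apreq.
GENERATOR = {NAME: "HTTP", HOST: "myhost.mycompany.com", APREQ: "true"}
CONSUMER = {NAME: "HTTP", HOST: "myhost.mycompany.com"}

if __name__ == "__main__":
    print(target_spn(GENERATOR))                  # HTTP/myhost.mycompany.com@EXAMPLE.COM
    print(apreq_consistent(GENERATOR, CONSUMER))  # False
```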
Links to the Callback handler page where you can configure callback handlers. Callback handler settings determine how security tokens are acquired from message headers.
If you are working with a Username token or LTPA token that is using default bindings, the user names and passwords might have been provided as examples. You need to update the values for these token types.