Use the wsadmin tool, which supports the Jython and Jacl
scripting languages, to define the policy set configuration for your
Web services applications. You can attach
policy sets to an application, Web service, endpoint, or specific
operation.
Before you begin
When administrative security is enabled, verify that you
use the correct administrative role, as the following table describes:
Table 1. Administrative roles. The administrative role determines if you can create policy set attachments.

| Administrative role | Authorization |
| --- | --- |
| Administrator | The Administrator role must have cell-wide access to create policy set attachments. If you have access to a specific resource only, you can create policy set attachments for the resource for which you have access. |
| Configurator | The Configurator role must have cell-wide access to create policy set attachments. If you have access to a specific resource only, you can create policy set attachments for the resource for which you have access. |
| Deployer | The Deployer role with cell-wide or resource specific access can create policy set attachments for application resources only. |
| Operator | The Operator role cannot create policy set attachments. |
| Monitor | The Monitor role cannot create policy set attachments. |

Before you use the commands in this topic, verify
that you are using the most recent version of the wsadmin tool. The
policy set management commands that accept a properties object as
the value for the attributes or bindingLocation parameters
are not supported on previous versions of the wsadmin tool. For example,
the commands do not run on a Version 6.1.0.x node.
About this task
To use a new policy set to manage policies for your application,
you must attach the policy set to an application artifact or artifacts.
When the application restarts, the application uses the policies from
the newly attached policy set.
Procedure
- Launch a scripting command. To learn more, read
about starting the wsadmin scripting client.
- Select an application with Web services to update.
Use the listWebServices command to list all Web services and
the associated applications. Enter the following command to list
all Web services and attributes:
AdminTask.listWebServices()
For each Web service, the command returns the associated
application name, module name, service name, and service type. For
example, the following information is returned:
'[ [service {http://www.ibm.com}service1] [client false] [application application1] [module webapp1.war] [type JAX-WS] ]'
- Create a policy set attachment for an application.
For the commands in the PolicySetManagement group, the term resource refers
to a Web service artifact. For application and service client policy
sets, the artifacts use the application hierarchy. The application
hierarchy includes a Web service, module name, endpoint, or operation.
Enter the value for the -resource parameter as a string, with a forward slash
( / ) character as a delimiter.
Avoid trouble: When
attempting to connect to a Web service from a thin client, verify
that the resources you are specifying are valid before running the
updatePolicySetAttachment command. No configuration changes are made
if the requested resource does not match a resource in the attachment
file for the application.
Use the following format for application
and client policy set attachments:
- WebService:/
Attaches all artifacts in the application
to the policy set.
- WebService:/webapp1.war:{http://www.ibm.com}myService
Attaches
all artifacts within the Web service {http://www.ibm.com}myService to
the policy set. You must provide a fully qualified name (QName) for
the service.
- WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA
Attaches
all operations for the endpointA endpoint to the policy set.
- WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA/operation1
Attaches
only the operation1 operation to the policy set.
The format for the -resource string differs for system
policy set attachments for the trust service. Use the following format
for system policy set attachments:
- Trust.opName:/
The opName attribute can be
issue, renew, cancel, or validate.
- Trust.opName:/url
The opName attribute can
be issue, renew, cancel, or validate. You can specify any valid URL
for the url attribute.
- Enter the command to attach the policy set to the application.
This command attaches the policyset1 application policy set
to all artifacts in the WebService application.
For transitioning users: The application and system/trust values
for the -attachmentType parameter are deprecated. Specify the
provider value in place of the application value. For system policy set
attachments, specify the provider value for the attachmentType
parameter and the "[systemType trustService]" value for the
-attachmentProperties parameter.
For WSNClient attachments, specify the client value for
the attachmentType parameter and the bus and WSNService properties
with the -attachmentProperties parameter.
To attach a policy set to a Web service application, specify the
provider value for the -attachmentType parameter:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -applicationName WebService -attachmentType provider]')
To attach a policy set to a service client application, specify the
client value for the -attachmentType parameter, as the following example demonstrates:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -applicationName WebService -attachmentType client]')
To create a trust service attachment for a system policy set, specify
the provider value for the -attachmentType parameter and
the [systemType trustService] value for the -attachmentProperties
parameter, as the following example demonstrates:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -attachmentType provider -attachmentProperties "[systemType trustService]"]')
This command returns an attachment ID number that you
must use to reference this attachment. In the next step, use the
attachment ID number to set the binding configuration. For this example,
the attachment ID number is 124.
- Run the command to set the binding. The following
example demonstrates how to set the timestamp expiration attribute
on the SecureConversation123binding binding for the WSSecurity policy,
on the WebService Web service application. To attach a policy
set to a Web services application, specify the provider value
for the -attachmentType parameter.
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "[[application WebService] [attachmentId 124] ]" -attachmentType provider -bindingName SecureConversation123binding -attributes "[application.securityoutboundbindingconfig.timestampexpires.expires 5]"')
- Save the configuration changes.
Enter the
following command to save your changes:
AdminConfig.save()
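Because a -resources value that matches nothing produces no configuration change, it helps to check the string before passing it to wsadmin. The following is an added example, not part of the product documentation or its code: a standalone Python pre-check for the two resource formats described in this topic that also builds the createPolicySetAttachment argument string. The function names parse_resource and attachment_args are hypothetical, and requiring an application name for WebService resources is this helper's own rule, taken from the examples in this topic.

```python
import re

TRUST_OPS = ("issue", "renew", "cancel", "validate")  # opName values listed in this topic

# WebService:/  or  WebService:/module:{namespace}service[/endpoint[/operation]]
_WS = re.compile(
    r"^WebService:/(?:(?P<module>[^:/{}]+):\{(?P<ns>[^{}]+)\}(?P<service>[^/{}]+)"
    r"(?:/(?P<endpoint>[^/]+)(?:/(?P<operation>[^/]+))?)?)?$")
# Trust.opName:/  or  Trust.opName:/url
_TRUST = re.compile(r"^Trust\.(?P<op>[^:]+):/(?P<url>.*)$")


def parse_resource(resource):
    """Classify a -resources string; raise ValueError if it fits neither format."""
    m = _WS.match(resource)
    if m:
        parts = m.groupdict()
        for scope in ("operation", "endpoint", "service"):
            if parts[scope]:
                break  # narrowest populated level is the attachment scope
        else:
            scope = "application"  # bare "WebService:/" covers every artifact
        parts["scope"] = scope
        return parts
    m = _TRUST.match(resource)
    if m and m.group("op") in TRUST_OPS:
        return {"scope": "trust", "op": m.group("op"), "url": m.group("url") or None}
    raise ValueError("not a valid -resources value: %r" % (resource,))


def attachment_args(policy_set, resource, application=None, attachment_type="provider"):
    """Build the argument string for AdminTask.createPolicySetAttachment (hypothetical helper)."""
    if attachment_type not in ("provider", "client"):
        # "application" and "system/trust" are deprecated; this helper refuses them.
        raise ValueError("use provider or client for -attachmentType")
    info = parse_resource(resource)
    args = '[-policySet %s -resources "%s"' % (policy_set, resource)
    if info["scope"] == "trust":
        if attachment_type != "provider":
            raise ValueError("system policy set attachments use -attachmentType provider")
        return args + ' -attachmentType provider -attachmentProperties "[systemType trustService]"]'
    if not application:
        # Assumption of this helper: follow the topic's examples and always name the application.
        raise ValueError("-applicationName is expected for WebService resources")
    return args + " -applicationName %s -attachmentType %s]" % (application, attachment_type)
```

The returned string is what you pass to AdminTask.createPolicySetAttachment in the wsadmin session; the pre-check checks only the syntax of the resource, not whether the module, service, endpoint, or operation exists in the application.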
Results
You have attached the policy set to the application artifact
or artifacts specified. Restart your application to use the policies
from the newly attached policy set.
What to do next
Manage and update your attachments.