Use this page to configure callback handler settings, which determine how security tokens are acquired from message headers.
You can configure callback handler settings when you are editing a general cell-level or server-level binding. You can also configure application specific bindings for tokens and message parts that are required by the policy set.
This administrative console panel applies only to Java™ API for XML Web Services (JAX-WS) applications.
The Callback Handler displays fields differently for different tokens being configured. Depending on whether you are configuring generator or consumer tokens for protection or you are configuring inbound or outbound tokens for authentication, the sections and fields on this panel display some or all of the fields explained in this topic, as noted in the description of each field.
The fields in the Class name section are available for all types of token configuration.
Select the class name to use for the callback handler. Select the Use built-in default option for normal operation. Use the Use custom option only if you are using a custom token type.
For the Kerberos custom token type, use the class name, com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler, for token generator configuration. Use com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler for token consumer configuration.
Specifies that the default value is used for the class name. Use the default value (shown in the field) for the class name when you select this radio button. This name is based on the token type and on whether the callback handler is for a token generator or a token consumer. This option is mutually exclusive with the Use custom option.
Specifies that a custom value is used for the class name. Select this radio button and enter the name in the field to use a custom class name.
No default value is available for this entry field. Use the information in the following table to determine this value:
Token Type | Consumer or Generator | Callback Handler Class Name |
---|---|---|
UsernameToken | consumer | com.ibm.websphere.wssecurity.callbackhandler.UNTConsumeCallbackHandler |
UsernameToken | generator | com.ibm.websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler |
X509Token | consumer | com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler |
X509Token | generator | com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler |
LTPAToken/LTPAPropagationToken | consumer | com.ibm.websphere.wssecurity.callbackhandler.LTPAConsumeCallbackHandler |
LTPAToken/LTPAPropagationToken | generator | com.ibm.websphere.wssecurity.callbackhandler.LTPAGenerateCallbackHandler |
SecureConversationToken | consumer | com.ibm.ws.wssecurity.impl.auth.callback.SCTConsumeCallbackHandler |
SecureConversationToken | generator | com.ibm.ws.wssecurity.impl.auth.callback.WSTrustCallbackHandler |
This option is mutually exclusive with the Use built-in default option.
The fields in the Certificates section are available if you are configuring a protection token. For a generator token, you can select a certificate store from the list, or click the New button to add a certificate store. For a consumer token, you can use either the Trust any certificate option or the Certificate store option to configure the certificate store.
This option is applicable only to the token consumer. This option indicates that the system trusts all certificates and does not define a specific certificate store. This option is mutually exclusive with the Certificate store option.
This option is applicable only to the token consumer. Use this option to specify a certificate store collection containing intermediate certificates, which can include certificate revocation lists (CRLs). Select this option to trust the certificate store or stores specified in the entry field. This option is mutually exclusive with the Trust any certificate option. When you select the Certificate store option, the New button is enabled so that you can configure a new certificate store and trusted anchor store.
You can set the value of the certificate store field to the default value, which is None. However, the trusted anchor store value must be set to a specific value. There is no default value. The trusted anchor is required if the Trust any certificate option is not selected.
The fields in the Basic authentication section are available if you are configuring an authentication token that is not an LTPA propagation token.
For the Kerberos custom token type, you must complete the Basic Authentication section for the Kerberos login.
Specifies the user name that you want to authenticate.
Specifies the password to be authenticated. Enter a password to authenticate in this entry field.
Specifies the password that you want to confirm.
The fields in the Keystore section are available if you are configuring a protection token.
In the Keystore name list, you can click Custom to define a custom keystore, click one of the externally defined keystore names, or click None if no keystore is required.
Specifies the name of the centrally managed keystore file that you want to use.
Specifies a link to create a custom keystore. Click this link to open a panel where you can configure a custom keystore.
The fields in the Key section are available if you are configuring a protection token.
Specifies the name of the key to use. Enter the name of the key to be used in this required field.
Specifies the alias name of the key that you want to use. Enter the alias of the key to use in this required field.
Specifies the password for the key that you want to use.
You cannot set a password for the public key used by an asymmetric encryption generator or an asymmetric signature consumer.
Specifies the confirmation of the password for the key that you want to use. Enter the password that you entered in the Password field to confirm.
Do not provide a key confirm password for public keys for asymmetric outbound encryption or inbound signature.
The fields in the Custom properties section are available for all types of token configuration.
You can add custom properties needed by the callback handler using name-value pairs.
To implement signer certificate encryption when using the JAX-WS programming model, add the custom property com.ibm.wsspi.wssecurity.token.cert.useRequestorCert with the value true on the callback handler of the encryption token generator. This implementation uses the certificate of the signer of the SOAP request to encrypt the SOAP response. This custom property is used by the response generator.
For a Kerberos custom token based on the OASIS Web Services Security Kerberos Token Profile V1.1, specify the following property for token generation: com.ibm.wsspi.wssecurity.krbtoken.clientRealm. This property specifies the name of the Kerberos realm associated with the client and allows the Kerberos client realm to initiate the Kerberos login. If it is not specified, the default Kerberos realm name is used. This property is optional in a single Kerberos realm environment. When implementing Web services security in a cross-realm or trusted Kerberos realm environment, you must provide a value for the clientRealm property.
The Kerberos custom property com.ibm.wsspi.wssecurity.krbtoken.loginPrompt enables the Kerberos login prompt when the value is true. The default value is false. This property is optional.
For a UsernameToken, the following custom properties add a nonce and a timestamp on the token generator and verify them on the token consumer:

Property name (generator) | Property value |
---|---|
com.ibm.wsspi.wssecurity.token.username.addNonce | true |
com.ibm.wsspi.wssecurity.token.username.addTimestamp | true |

Property name (consumer) | Property value |
---|---|
com.ibm.wsspi.wssecurity.token.username.verifyNonce | true |
com.ibm.wsspi.wssecurity.token.username.verifyTimestamp | true |
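The following added example (not WebSphere code) models what the four UsernameToken properties above enforce: the generator adds a wsse:Nonce and wsu:Created, and the consumer rejects tokens whose Created is stale or whose Nonce has already been seen, which is what stops a captured token from being replayed. The freshness window, clock skew and nonce-cache policy are assumptions; WebSphere's own limits are not on this page.

```python
"""Constructed model of addNonce/addTimestamp (generator) and
verifyNonce/verifyTimestamp (consumer) for a WS-Security UsernameToken."""
import base64
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wsse": WSSE, "wsu": WSU}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def generate_token(username, add_nonce=True, add_timestamp=True, offset_seconds=0):
    """Generator side: build a wsse:UsernameToken; offset_seconds backdates Created (for tests)."""
    created = datetime.now(timezone.utc) + timedelta(seconds=offset_seconds)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    if add_nonce:  # 16 random bytes, base64 as the profile requires
        ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(os.urandom(16)).decode()
    if add_timestamp:
        ET.SubElement(tok, f"{{{WSU}}}Created").text = created.strftime(TS_FMT)
    return ET.tostring(tok).decode()

class Consumer:
    """Consumer side. max_age and skew are assumed policy values, not WebSphere defaults."""
    def __init__(self, verify_nonce=True, verify_timestamp=True,
                 max_age=timedelta(minutes=5), skew=timedelta(minutes=1)):
        self.verify_nonce, self.verify_timestamp = verify_nonce, verify_timestamp
        self.max_age, self.skew = max_age, skew
        self.seen = {}  # nonce -> expiry; entries are pruned once a replay could no longer be fresh

    def accept(self, token_xml):
        now = datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        created = tok.findtext("wsu:Created", namespaces=NS)
        nonce = tok.findtext("wsse:Nonce", namespaces=NS)
        if self.verify_timestamp:
            if created is None:
                return "reject: missing Created"
            ts = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
            if ts > now + self.skew or now - ts > self.max_age:
                return "reject: stale or future Created"
        if self.verify_nonce:
            if nonce is None:
                return "reject: missing Nonce"
            self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
            if nonce in self.seen:
                return "reject: replayed Nonce"
            self.seen[nonce] = now + self.max_age + self.skew
        return "accept"
```

The nonce cache only needs to hold entries for max_age plus skew, because an older token is already rejected by the timestamp check; turning off verifyTimestamp therefore forces the cache to grow without bound.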
Specifies the name of the custom property to use.
Custom properties are not initially displayed in this column. Click one of the following buttons to manage custom properties:
Button | Resulting action |
---|---|
New | Creates a new custom property entry. To add a custom property, enter the name and value. |
Delete | Removes the selected custom property. |
Specifies the value of the custom property to use. With the Value entry field, you can enter or delete the value for a custom property.