To set up bindings for message protection with JAX-WS applications, you must create a custom binding. Complete this task to set the bindings for a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile Version 1.1.
You must configure Kerberos for IBM WebSphere® Application Server. For more information, see Kerberos (KRB5) authentication mechanism support for security. In addition, you must configure the Kerberos token policy set for JAX-WS applications. For more information, see Configuring the Kerberos token policy set for JAX-WS applications.
You can leverage existing frameworks including the policy set and bindings for JAX-WS applications.
Use the administrative console to configure the application-specific bindings to use a Kerberos token in Web services message protection.
These alternative values depend on the specification level for the Kerberos token that is generated by the Key Distribution Center (KDC). For more information about when to use these values, see Protection token settings (generator or consumer).
Name | Value | Type |
---|---|---|
com.ibm.wsspi.wssecurity.krbtoken.targetServiceName | Specify the name of the target service. | Required |
com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost | Specify the host name that is associated with the target service in the following format: myhost.mycompany.com | Required |
com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm | Specify the name of the realm that is associated with the target service. | Optional* |
To specify multiple custom property name and value pairs, click New.
The user name specifies the default user ID that is passed to the constructor of the callback handler; for example, kerberosuser.
Name | Value | Type |
---|---|---|
com.ibm.wsspi.wssecurity.krbtoken.loginPrompt | Enables the Kerberos login when the value is True. The default value is False. | Optional |
To specify multiple custom property name and value pairs, click New.
These alternative values depend on the specification level for the Kerberos token that is generated by the Key Distribution Center (KDC). For more information about when to use these values, see Protection token settings (generator or consumer).
Authentication tokens are sent in messages to prove or assert an identity.
These alternative values depend on the specification level for the Kerberos token that is generated by the Key Distribution Center (KDC). For more information about when to use these values, see Authentication generator or consumer token settings.
Name | Value | Type |
---|---|---|
com.ibm.wsspi.wssecurity.krbtoken.targetServiceName | Specify the name of the target service. | Required |
com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost | Specify the host name that is associated with the target service in the following format: myhost.mycompany.com | Required |
com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm | Specify the name of the realm that is associated with the target service. | Optional |
To specify multiple custom property name and value pairs, click New.
The user name specifies the default user ID that is passed to the constructor of the callback handler. For example: kerberosuser
Name | Value | Type |
---|---|---|
com.ibm.wsspi.wssecurity.krbtoken.loginPrompt | Enables the Kerberos login when the value is True. The default value is False. | Optional |
com.ibm.wsspi.wssecurity.krbtoken.clientRealm | Specify the name of the Kerberos realm that is associated with the client. | Optional* |
If an application generates or consumes a Kerberos V5 AP_REQ token for each Web services request message, set the com.ibm.wsspi.wssecurity.kerberos.attach.apreq custom property to true in both the token generator and the token consumer bindings for the application.
To specify multiple custom property name and value pairs, click New.
These alternative values depend on the specification level for the Kerberos token that is generated by the Key Distribution Center (KDC). For more information about the conditions under which to use these values, see the related link for the "Authentication generator or consumer token settings" topic.
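The following check is an added example, not part of the product documentation or any IBM tooling. It validates a set of custom properties copied out of the bindings before you rely on them: the required target service properties, the host name format, the true/false values, and whether attach.apreq matches on the generator and the consumer. The function names and sample values are assumptions, as is treating an unset attach.apreq as not enabled.

```python
import re

PREFIX = "com.ibm.wsspi.wssecurity.krbtoken."
ATTACH_APREQ = "com.ibm.wsspi.wssecurity.kerberos.attach.apreq"
REQUIRED = ("targetServiceName", "targetServiceHost")
# Fully qualified host name (myhost.mycompany.com): two or more DNS labels.
FQDN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def check_generator(props):
    """Return a list of problems in a token generator's custom properties."""
    problems = []
    for short in REQUIRED:
        if not props.get(PREFIX + short, "").strip():
            problems.append("missing required property " + PREFIX + short)
    host = props.get(PREFIX + "targetServiceHost", "").strip()
    if host and not FQDN.match(host):
        problems.append("targetServiceHost is not a fully qualified host name: " + host)
    for key in (PREFIX + "loginPrompt", ATTACH_APREQ):
        if key in props and props[key].strip().lower() not in ("true", "false"):
            problems.append(key + " must be true or false")
    return problems


def check_apreq_pair(generator, consumer):
    """attach.apreq must be true on both sides; an unset value is assumed off."""
    def enabled(props):
        return props.get(ATTACH_APREQ, "").strip().lower() == "true"
    if enabled(generator) != enabled(consumer):
        return [ATTACH_APREQ + " differs between generator and consumer"]
    return []


# Constructed sample bindings (illustrative values, not from a real cell).
GENERATOR = {
    PREFIX + "targetServiceName": "WAS",
    PREFIX + "targetServiceHost": "myhost.mycompany.com",
    PREFIX + "targetServiceRealm": "MYCOMPANY.COM",
    ATTACH_APREQ: "true",
}
CONSUMER = {}  # attach.apreq was set on the generator only

if __name__ == "__main__":
    for problem in check_generator(GENERATOR) + check_apreq_pair(GENERATOR, CONSUMER):
        print("PROBLEM:", problem)
```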
You can optionally define key bindings for the request message protection and response message protection. If you choose to derive a key from the Kerberos token, configure the derived key information when you configure the key information for signature and encryption.
Return to the steps in the Configuring the Kerberos token for Web services security topic to ensure you have completed the steps for configuring the Kerberos token.