File name: uwbs_logmapn.html
Login mapping configuration settings
Use this page to specify the Java™ Authentication and Authorization Service
(JAAS) login configuration settings that are used to validate security tokens
within incoming messages.
Important: There is an important distinction between Version 5.x and
Version 6 and later applications. The information in this article applies
only to Version 5.x applications that are used with WebSphere® Application
Server Version 6.0.x and later. It does not apply to Version 6.0.x and later
applications.
To view this administrative console page for the cell level,
complete the following steps:
- Click Security > JAX-WS and JAX-RPC security runtime
- Under Additional properties, click Login mappings.
- Click either New to create a new login mapping configuration or
click the name of an existing configuration.
To view this administrative console page for the server level, complete
the following steps:
- Click server_name.
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application
Server Version 6.1 or earlier, click Web services: Default bindings for Web services security.
- Under Additional properties, click Login mappings.
- Click either New to create a new login mapping configuration or
click the name of an existing configuration.
To use this administrative console page for the application level, complete
the following steps:
- Click application_name.
- Under Modules, click Manage modules > URI_name.
- Under Web Services Security Properties, click Web services: Server
security bindings.
- Click Edit under Request receiver binding.
- Click Login mappings.
- Click either New to create a new login mapping configuration or
click the name of an existing configuration.
Important: If the login mapping configuration is not found on
the application level, the Web services run time searches for the login mapping
configuration on the server level. If the configuration
is not found on the server level, the Web services run time searches the cell.
Authentication method
Specifies the method of authentication.
You can use any string, but the string must match the element in the service-level
configuration. The following words are reserved and have special meanings:
- BasicAuth
- Uses both a user name and a password.
- IDAssertion
- Uses only a user name, but requires that additional trust is established
on the receiving server using a TrustedIDEvaluator mechanism.
- Signature
- Uses the distinguished name (DN) of the signer.
- LTPA
- Validates a token.
JAAS configuration name
Specifies the name of the Java Authentication and Authorization Service
(JAAS) configuration.
These system login configurations are defined on the System logins panel,
which is accessible by completing the following steps:
- Click Security > Global security.
- Expand Java Authentication and Authorization Service, then click System
logins.
Attention: The predefined system login configurations are listed
on the System logins configuration panel without the system prefix. For example,
the system.wssecurity.UsernameToken configuration listed in the Java Authentication
and Authorization Service (JAAS) configuration name option corresponds to
the wssecurity.UsernameToken configuration that is on the System logins configuration
panel.
You can use the following predefined application login configurations:
- ClientContainer
- Specifies the login configuration that is used by the client container
application, which uses the CallbackHandler API that is defined in the deployment
descriptor of the client container.
- WSLogin
- Specifies whether all applications can use the WSLogin configuration to
perform authentication for the WebSphere Application Server security
run time.
- DefaultPrincipalMapping
- Specifies the login configuration used by Java 2 Connectors (J2C) to map users to
principals that are defined in the J2C authentication data entries.
These application login configurations are defined on the Application logins
panel, which is accessible by completing the following steps:
- Click Security > Global security.
- Expand Java Authentication and Authorization Service, then
click Application logins.
Do not remove these predefined system or application login configurations.
Within these configurations, you can add module class names and specify the
order in which WebSphere Application
Server loads each module.
Callback handler factory class name
Specifies the name of the factory for the CallbackHandler class.
You must implement the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory
class in this field.
Token type URI
Specifies the namespace Uniform Resource Identifiers (URI), which
denotes the type of security token that is accepted.
If binary security tokens are accepted, the value denotes the ValueType
attribute in the element. The ValueType attribute identifies the type of security
token and its namespace. If Extensible Markup Language (XML) tokens are accepted,
the value denotes the top-level element name of the XML token.
If the reserved words are specified previously in the Authentication method
field, this field is ignored.
Data type: Unicode characters except for non-ASCII characters, but including
the number sign (#), the percent sign (%), and the square brackets ([ ]).
Token type local name
Specifies the local name of the security token type, for example,
X509v3.
If binary security tokens are accepted, the value denotes the ValueType
attribute in the element. The ValueType attribute identifies the type of security
token and its namespace. If Extensible Markup Language (XML) tokens are accepted,
the value denotes the top-level element name of the XML token.
If the reserved words are specified previously in the Authentication method
field, this field is ignored.
Nonce maximum age
Specifies the time, in seconds, before the nonce timestamp expires.
Nonce is a randomly generated value.
You must specify a minimum of 300 seconds for the Nonce maximum age field.
However, the maximum value cannot exceed the number of seconds specified in
the Nonce cache timeout field for either the cell level
or the server level.
You can specify the Nonce maximum age value for the cell
level by completing the following steps:
- Click Security > JAX-WS and JAX-RPC security runtime.
You can specify the Nonce maximum age value for the server level by completing
the following steps:
- Click server_name.
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application
Server Version 6.1 or earlier, click Web services: Default bindings for Web services security.
Important: The Nonce maximum age field on this panel is optional
and only valid if the BasicAuth authentication method is specified. If you
specify another authentication method and attempt to specify values for this
field, the following error message displays and you must remove the specified
value: Nonce is not supported for authentication methods other than BasicAuth.
If you specify the BasicAuth method, but do not specify values for the
Nonce maximum age field, the Web services security run time searches for a
Nonce maximum age value on the server level. If a value
is not found on the server level, the run time searches the cell level. If
a value is not found on either the server level or the cell level, the default
is 300 seconds.
Default: 300 seconds
Range: 300 to Nonce cache timeout seconds
Nonce clock skew
Specifies the clock skew value, in seconds, to consider when WebSphere Application
Server checks the freshness of the message. Nonce is a randomly generated
value.
You can specify the Nonce clock skew value for the cell
level by completing the following steps:
- Click Security > JAX-WS and JAX-RPC security runtime.
You can specify the Nonce clock skew value for the server level by completing
the following steps:
- Click server_name.
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application
Server Version 6.1 or earlier, click Web services: Default bindings for Web services security.
You must specify a minimum of zero (0) seconds for the Nonce clock skew
field. However, the maximum value cannot exceed the number of seconds that
is specified in the Nonce maximum age field on this Login mappings panel.
Important: The Nonce clock skew field on this panel is optional
and only valid if the BasicAuth authentication method is specified. If you
specify another authentication method and attempt to specify values for this
field, the following error message displays and you must remove the specified
value: Nonce is not supported for authentication methods other than BasicAuth.
Note: If you specify BasicAuth, but do not specify values for the Nonce clock
skew field, WebSphere Application
Server searches for a Nonce clock skew value on the server level. If
a value is not found on the server level, the run time searches the cell level.
If a value is not found on either the server level or the cell level, the
default is zero (0) seconds.
Default: 0 seconds
Range: 0 to Nonce maximum age seconds

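As an added illustration (not WebSphere code), the following Python models how the Nonce maximum age, Nonce clock skew and Nonce cache timeout settings described above interact when a receiver checks a BasicAuth UsernameToken for freshness and replay. The range rules from this panel are enforced in the constructor; the validator logic, the sample nonces and the timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_NONCE_MAX_AGE = 300  # seconds: the panel's lower bound for Nonce maximum age


@dataclass
class NonceValidator:
    """Freshness and replay check for a UsernameToken nonce (illustrative model, not WebSphere code)."""
    nonce_max_age: int        # seconds a Created timestamp stays acceptable
    nonce_clock_skew: int     # tolerated client/server clock difference, seconds
    nonce_cache_timeout: int  # how long nonces are remembered (cell/server setting), seconds
    _seen: dict = field(default_factory=dict)  # nonce -> server time it was first accepted

    def __post_init__(self):
        # The ranges the Login mappings panel enforces for these fields.
        if self.nonce_max_age < MIN_NONCE_MAX_AGE:
            raise ValueError("Nonce maximum age must be at least 300 seconds")
        if self.nonce_max_age > self.nonce_cache_timeout:
            raise ValueError("Nonce maximum age cannot exceed Nonce cache timeout")
        if not 0 <= self.nonce_clock_skew <= self.nonce_max_age:
            raise ValueError("Nonce clock skew must be between 0 and Nonce maximum age")

    def check(self, nonce: str, created: datetime, now: datetime) -> str:
        """Return 'ok' or the reason one token is rejected."""
        # Drop cache entries older than the cache timeout; a token that old fails freshness anyway.
        cutoff = now - timedelta(seconds=self.nonce_cache_timeout)
        self._seen = {n: t for n, t in self._seen.items() if t >= cutoff}
        age = (now - created).total_seconds()
        if age > self.nonce_max_age + self.nonce_clock_skew:
            return "expired"                 # Created is too old even allowing for skew
        if age < -self.nonce_clock_skew:
            return "created in the future"   # client clock ahead by more than the skew
        if nonce in self._seen:
            return "replay"                  # fresh timestamp, but nonce already consumed
        self._seen[nonce] = now
        return "ok"


def demo() -> list:
    """Constructed tokens run through a validator with max age 300 s, skew 60 s, cache 600 s."""
    v = NonceValidator(nonce_max_age=300, nonce_clock_skew=60, nonce_cache_timeout=600)
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed server time
    def s(n): return timedelta(seconds=n)
    return [
        v.check("n1", now - s(10), now),   # first use, fresh               -> ok
        v.check("n1", now - s(10), now),   # same nonce presented again      -> replay
        v.check("n2", now - s(400), now),  # 400 s old > 300 + 60            -> expired
        v.check("n3", now + s(90), now),   # 90 s ahead > 60 s skew          -> created in the future
        v.check("n4", now - s(340), now),  # 340 s old, within 300 + 60      -> ok
    ]
```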