Configuring a generic security token login module for an authentication token: Token generator

You can configure a generic security token login module for an authentication token on the token generator side of the Web services security process.

Before you begin

Prior to completing this task, you must set up your configuration to support generic security token login modules. For more information, see the documentation about setting up the system configuration for generic login modules.

About this task

When you invoke the generic security token login modules on the generator side, the login module delegates the token generation process to a Security Token Service (STS) using a WS-Trust Issue or WS-Trust Validate request. The STS processes the request and returns a RequestSecurityTokenResponse message to the login module. The login module inserts the token from the STS response message in the security header of the Web service request message.

For illustration purposes, it is assumed that policy sets and bindings are configured and attached to an application. For example, you can use the SAML11 Bearer WSSecurity default policy set and SAML Bearer Client sample binding. For more information, see the topic about configuring client and provider bindings for the SAML bearer token.

Complete the following steps to configure the generic security token login module on the token generator side using the administrative console:

Procedure

  1. Configure the wss.generate.issuedToken Java™ Authentication and Authorization Service (JAAS) login module for your application.
    1. Expand Applications > Application Types and click WebSphere enterprise applications.
    2. Click the application that contains the policy sets and bindings that you want to modify.
    3. Under Web Services Properties, click Service client policy sets and bindings.
    4. In the Binding column on the Service client policy sets and bindings panel, click the name of the binding.
    5. In the Policy column on the Bindings configuration panel, click WS-Security.
    6. Under the Main Message Security Policy Bindings heading, click Authentication and protection.
    7. In the Authentication tokens section of the Authentication and protection panel, select the token that you want to configure. For example, select request:SAMLToken11Bearer.
    8. On the Token generator panel, select the wss.generate.issuedToken option for the JAAS login.
      Avoid trouble: If you do not see the wss.generate.issuedToken option for the JAAS login on the token generator panel, verify that you successfully completed the system configuration process for generic login modules before completing the steps in this task. For more information, see the documentation about setting up the system configuration for generic login modules.
    9. Click Apply.
  2. Configure the callback handler.
    1. Under the Additional Bindings heading, click Callback handler.
    2. Under the Class Name heading on the Callback handler panel, select Use custom and specify com.ibm.websphere.wssecurity.callbackhandler.GenericIssuedTokenGenerateCallbackHandler for the class name.
    3. Click Apply. After you click Apply, a list of existing custom properties displays in the Custom Properties section of the panel. You can add, edit, or delete entries in the custom properties list. For more information about the custom properties for the callback handler, see the information about the com.ibm.wsspi.wssecurity.core.config.IssuedTokenConfigConstants application programming interface (API). This information is accessible within the Reference > Programming interfaces > APIs - Application Programming Interfaces section of the product documentation.
    4. Click Add to add both the stsURI custom property and its associated value. This custom property value is the target Security Token Service URL address. This property is required, unless you want to use a security token from the RunAs subject without calling out to a security token service for validation. For more information, read the information about the validateUseToken and useRunAsSubjectOnly custom properties in subsequent steps.
    5. Click Add to add both the wstrustClientPolicy custom property and its associated value. This custom property value is the trust client policy set name that applies to the WS-Trust client call.
    6. Click Add to add both the wstrustClientBinding custom property and its associated value. The custom property value is the trust client binding that applies to the WS-Trust client call. For more information about creating trust client bindings, see the documentation on configuring client and provider bindings for the SAML bearer token.
    7. Optional: Specify other custom properties. You can add the custom properties that are listed in the following tables. To add these custom properties, click New in the Custom properties section.
      Table 1. Callback handler custom properties for both token generator and token consumer bindings. This table lists each custom property, its values, and a short description.

      stsURI
        Values: This custom property does not have a default value.
        Description: Use this custom property to specify the Security Token Service (STS) address. This custom property is required for the token consumer. However, it is optional for the token generator if the requested token exists in the RunAs Subject and its verification is not required.

      wstrustClientBinding
        Values: This custom property does not have a default value.
        Description: Use this custom property to specify the binding name for the WS-Trust client.

      wstrustClientBindingScope
        Values: application or domain.
        Description: Use this custom property to specify the type of bindings that are used for the WS-Trust client. The following conditions apply:
        • If you specify the domain value, general bindings are used.
        • If you specify the application value, custom bindings are used.
        • If you do not specify a value and application bindings exist, those application bindings are used.
        • If you do not specify a value and general bindings exist, those general bindings are used.
        • If neither application nor general bindings exist, the default bindings are used.
        This custom property is optional.

      wstrustClientPolicy
        Values: This custom property does not have a default value.
        Description: Use this custom property to specify the policy set name for the WS-Trust client.

      wstrustClientSoapVersion
        Values: 1.1 or 1.2. The default value corresponds to the SOAP version that is used by the application client.
        Description: Use this custom property to specify the SOAP message version that the trust client uses to generate the SOAP message that is sent to the Security Token Service (STS). If you do not define this custom property, the generic security token login module uses the SOAP version of the application when it generates the SOAP message for the trust client request. This custom property is optional.

      wstrustClientWSTNamespace
        Values: 1.3 (default) or 1.2. Specify 1.3 to use Trust Version 1.3, namespace http://docs.oasis-open.org/ws-sx/ws-trust/200512. Specify 1.2 to use Trust Version 1.2, namespace http://schemas.xmlsoap.org/ws/2005/02/trust.
        Description: Use this custom property to specify which trust client namespace the generic security token login module uses when it makes the WS-Trust request.

      wstrustValidateClientBinding
        Values: By default, the value is the same value that is specified for the wstrustClientBinding custom property.
        Description: Use this custom property to specify the bindings that are used by the WS-Trust Validate request. If you do not specify this custom property, the WS-Trust Validate request uses the same bindings as WS-Trust Issue, which are defined by the wstrustClientBinding custom property.

      wstrustValidateClientPolicy
        Values: By default, the value is the same value that is specified for the wstrustClientPolicy custom property.
        Description: Use this custom property to specify the policy set to use with the WS-Trust Validate request. If you do not specify a value, WS-Trust Validate uses the same policy set as WS-Trust Issue, which is defined by the required wstrustClientPolicy custom property.

      wstrustIssuer
        Values: Any string value.
        Description: Use this custom property to specify the issuer for the request token. This custom property is optional.

      wstrustValidateTargetOption
        Values: base (default) or token.
        Description: Use this custom property to specify whether the WS-Trust client passes the validation token to the WS-Trust Security Token Service using the ValidateTarget or the Base element extension. The following conditions apply:
        • If you do not specify a value, the token is wrapped in the Base element extension within the RequestedSecurityToken element.
        • If you specify the token value, the token is wrapped in the ValidateTarget element within the RequestedSecurityToken element.
      Table 2. Callback handler custom properties for token generator bindings only. This table lists each custom property, its values, and a short description.

      useRunAsSubject
        Values: True or False. By default, True is used. The value is not case sensitive.
        Description: Use this custom property to specify whether the generic security token login module uses the token from the RunAs Subject for the outgoing request. By default, the login module uses the validated tokens in the RunAs Subject first. The following conditions apply:
        • If you set this custom property to false, the generic security token login module does not use WS-Trust Validate to exchange the token for the outbound request. Instead, it uses WS-Trust Issue to request a token.
        • If you do not specify this custom property, the generic security token login module attempts to use a token from the RunAs Subject and WS-Trust Validate to exchange the token.
        • If a token does not exist in the RunAs Subject, the generic security token login module uses WS-Trust Issue, which is protected by the trust client policy sets.

      useRunAsSubjectOnly
        Values: True or False. By default, False is used. The value is not case sensitive.
        Description: Use this custom property to disable or enable WS-Trust Issue in the generic security token login module. If you set this custom property to true, the login module uses the token from the RunAs Subject and WS-Trust Validate to exchange the tokens. It does not use WS-Trust Issue to request a token even if WS-Trust Validate fails or it does not find a matching token in the RunAs Subject.

      useToken
        Values: Any string value of the ValueType value for the security token.
        Description: When you use a security token in a RunAs Subject to validate and exchange tokens for an outbound request, you can use this custom property to specify which token ValueType value in the RunAs Subject to validate and exchange for the requested token. For example, you might have a token with a ValueType value of Token_1 in the RunAs Subject, but the required token has a ValueType value of Token_2. You can set this custom property to Token_1. If you do not define this custom property, the validation token is the token from the RunAs Subject that has the same ValueType value as the required token. This custom property is optional.

      validateUseToken
        Values: True or False. By default, True is used. The value is not case sensitive.
        Description: Use this custom property to specify whether the token generator uses WS-Trust Validate to validate the token from the RunAs Subject. By default, the generic security token login module validates a token from the RunAs Subject against the Security Token Service (STS) before sending the token in the SOAP message to the service provider. If you set this custom property to false and the login module finds a matching token in the RunAs Subject, it does not invoke WS-Trust Validate to validate the matching token. Instead, it sends the matching token to the downstream service provider without validation.

      wstrustIncludeTokenType
        Values: True or False. By default, True is used. The value is not case sensitive.
        Description: Use this custom property to specify whether the WS-Trust RequestedSecurityToken token includes the requested token ValueType value. If you do not specify this custom property, the generic security token login module includes the requested token type in the WS-Trust RequestedSecurityToken token. This custom property is optional.

  3. Click OK and click Save to save the bindings.
  4. Stop and restart the applications.
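The following Python is an added example, not WebSphere code, that models how the token generator custom properties in Table 2 (useRunAsSubject, useRunAsSubjectOnly, useToken, validateUseToken) together with stsURI decide between WS-Trust Validate, WS-Trust Issue and forwarding a RunAs Subject token without validation; the token values, the validate_ok flag, the outcome strings and the audit function are constructed for illustration.

```python
# Illustrative model (added here, not WebSphere code) of how the Table 2
# custom properties steer the token generator between WS-Trust Validate,
# WS-Trust Issue and forwarding a RunAs Subject token unvalidated.
# Token values, validate_ok and the outcome strings are constructed.

def _flag(props, name, default):
    # Boolean properties are not case sensitive (Table 2).
    return str(props.get(name, default)).strip().lower() == "true"

def choose_action(props, runas_tokens, required_type, validate_ok=True):
    """Return the WS-Trust operation the generator would use.
    props         -- callback handler custom properties, as configured strings
    runas_tokens  -- dict of ValueType -> token held in the RunAs Subject
    required_type -- ValueType of the token the binding requires
    validate_ok   -- whether the STS would accept a WS-Trust Validate request
    """
    use_runas = _flag(props, "useRunAsSubject", "true")
    runas_only = _flag(props, "useRunAsSubjectOnly", "false")
    validate = _flag(props, "validateUseToken", "true")
    has_sts = bool(props.get("stsURI"))
    # useToken overrides which ValueType is taken from the RunAs Subject.
    lookup_type = props.get("useToken", required_type)

    # Assumption: useRunAsSubjectOnly=true implies the RunAs Subject path.
    if not use_runas and not runas_only:
        return "issue" if has_sts else "fail"
    if lookup_type not in runas_tokens:
        # No matching token: fall back to Issue unless Issue is disabled.
        return "issue" if has_sts and not runas_only else "fail"
    if not validate:
        # Matching token is sent downstream with no STS round trip.
        return "forward-unvalidated"
    if not has_sts:
        return "fail"
    if validate_ok:
        return "validate"
    return "fail" if runas_only else "issue"

def audit(props):
    """Flag settings a reviewer of the binding would want to look at."""
    findings = []
    if not _flag(props, "validateUseToken", "true"):
        findings.append("validateUseToken=false: RunAs Subject tokens are "
                        "forwarded without STS validation")
    needs_sts = not (_flag(props, "useRunAsSubject", "true")
                     and not _flag(props, "validateUseToken", "true"))
    if needs_sts and not props.get("stsURI"):
        findings.append("stsURI is not set but a WS-Trust call is required")
    return findings
```

Running audit over a binding's custom properties before saving it surfaces the one setting that removes the STS round trip, and the stsURI omission that the procedure only permits in that case.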

Results

When you complete this task, you have configured a generic login module for the token generator.

What to do next

Configure a generic security token login module for the token consumer.

Last updated: Oct 21, 2010 10:04:34 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=twbs_configgenericlmodgen
File name: twbs_configgenericlmodgen.html