The Trust Service manages tokens on behalf of service endpoints.
A token provider is either explicitly or implicitly associated with each service
endpoint. A specific token can be explicitly assigned to be issued when access
to an endpoint is requested. Otherwise, the Trust Service Default token is
issued.
Before you begin
The Web Services Secure Conversation specification defines the
protocol for a client to establish a secure session with a target service.
The security token service that WebSphere® Application Server provides,
referred to as the trust service, issues only the Security Context Token (SCT).
The security context token is used for Web Services Secure Conversation (WS-SecureConversation).
About this task
This task describes how to create new or manage existing assignments
of tokens to be issued for endpoint targets. You can create explicit assignments
for new service endpoints (targets) or manage existing token assignments.
To complete the configuration for the trust service, you must have performed
the following tasks:
- Manage the security context token provider.
- Create or manage service endpoint URLs that you want to attach to the
policy set and binding.
The order in which you complete these tasks is not important.
Depending on your assigned security role
when security is enabled, you might not have access to text entry
fields or buttons to create or edit configuration data. Review the
administrative roles documentation to learn more about the valid roles
for the application server.
Procedure
- To configure new and existing trust service endpoint targets, click Services >
Trust service > Targets. A list of all service endpoints
that have a security token provider explicitly defined is displayed. By default,
requests to issue a token for access to an endpoint are handled by the token
provider that is assigned as the Trust Service Default.
- Click one of the following actions to manage a new or existing
endpoint target configuration:
  - New Assignment: Opens a new panel where you can specify a custom service
    endpoint URL and explicitly assign the token provider (the one specified as
    the Trust Service Default) to be issued for access to the endpoint.
  - Change Token: Changes the explicitly assigned token to be issued for the
    service endpoint to the security context token. Select an endpoint and then
    click Change Token. Select the Security Context Token.
    Change Token also removes the explicit assignment of a token to be issued;
    the token that is issued is then inherited from the Trust Service Default.
    Select an endpoint and then click Change Token. Click Inherit Default to
    remove the token provider assignment for the selected endpoint and to return
    the issued token to the token that is specified as the Trust Service Default.
    If the issued token is inherited, the endpoint is no longer displayed in the
    list, because a token provider is no longer explicitly assigned to it.
- Click the token name link for an existing endpoint target to modify
the token provider configuration information. You can modify the
token type schema URI, or change custom properties.
- Save your changes before applying the changes to the Web services
security runtime configuration.
- Click Update Runtime to update the Web services security
runtime configuration with any data changes for token providers, trust service
attachments, and targets. Whether the confirmation window is displayed
depends on whether you select the Show confirmation for update runtime
command check box. Expand Preferences to view the check box.
- Optional: Confirm or click Cancel when the confirmation
window appears. If you deselected the Show confirmation for
update runtime command check box, all changes are made immediately without
displaying the confirmation window.
Results
When you complete these steps, the service endpoint URL is displayed in
the Targets collection, unless you changed the token to inherit the default
value. You can also configure the trust service to issue tokens for individual
endpoint targets using the wsadmin tool. The wsadmin tool examples are written
in the Jython scripting language.
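The following wsadmin Jython helpers are an added example, not code from this page or from IBM; they mirror the console procedure above (assign the security context token to an endpoint, save, Update Runtime, inherit the default). They assume the STSManagement AdminTask commands assignSTSEndpointTokenType, unassignSTSEndpointTokenType, listSTSAssignedEndpoints and refreshSTS with the -endpointURI and -LocalName parameters shown, and that the SCT token type is identified by the schema URI below; verify these names against your WebSphere version.

```python
# Assumed LocalName of the Security Context Token type (its token type schema URI).
SCT_TOKEN_URI = 'http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct'


def _as_list(result):
    # wsadmin list commands return either a newline-separated string or a Java list.
    if isinstance(result, str):
        return [line.strip() for line in result.splitlines() if line.strip()]
    return [str(item) for item in result]


def assign_sct(admin_task, endpoint_uri, local_name=SCT_TOKEN_URI):
    """Console 'New Assignment' / 'Change Token' > Security Context Token:
    explicitly assign the token type to the endpoint target (assumed command)."""
    return admin_task.assignSTSEndpointTokenType(
        '[-endpointURI %s -LocalName %s]' % (endpoint_uri, local_name))


def inherit_default(admin_task, endpoint_uri):
    """Console 'Change Token' > 'Inherit Default': remove the explicit assignment so
    the Trust Service Default token is issued and the endpoint leaves the Targets list."""
    return admin_task.unassignSTSEndpointTokenType('[-endpointURI %s]' % endpoint_uri)


def explicit_targets(admin_task):
    """The Targets collection: only endpoints with an explicitly assigned provider."""
    return _as_list(admin_task.listSTSAssignedEndpoints())


def update_runtime(admin_task, admin_config):
    """Console 'Save' followed by 'Update Runtime': persist the configuration, then
    push it to the Web services security runtime (assumed refreshSTS command)."""
    admin_config.save()
    return admin_task.refreshSTS()


def assign_and_verify(admin_task, admin_config, endpoint_uri):
    """Whole procedure: assign the SCT, save, refresh, confirm the endpoint is listed."""
    assign_sct(admin_task, endpoint_uri)
    update_runtime(admin_task, admin_config)
    return endpoint_uri in explicit_targets(admin_task)


if __name__ == '__main__':
    # Under wsadmin the AdminTask and AdminConfig objects are predefined globals;
    # the endpoint URL is a placeholder, replace it with your service endpoint.
    print(assign_and_verify(AdminTask, AdminConfig, 'http://myhost:9080/MyService/echo'))
```

Run it with wsadmin -lang jython -f script.py; the functions take AdminTask and AdminConfig as parameters so they can also be exercised against a fake outside wsadmin.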
What to do next
You have completed the required steps to create or manage existing
trust service targets, to assign the security token provider to an endpoint
target, and to update the Web services security runtime configuration. Next,
if you have not completed these tasks already, configure the security context
token provider or configure attachments to the policy set and binding to complete
the trust service configuration.