Login mapping configuration settings
Use this page to specify the Java Authentication
and Authorization Service (JAAS) login configuration settings that
are used to validate security tokens within incoming messages.
Important: There is an important distinction between Version
6 and later applications. The information in this article supports
only Version 6.x applications that are used with WebSphere® Application
Server Version 6.x and later. The information does not apply
to Version 6.0.x and later applications.
To view this administrative console page for the
cell level, complete the following steps:
- Click
- Under Additional properties, click Login mappings.
- Click either New to create a new login
mapping configuration or click the name of an existing configuration.
To view this administrative console page for the server level,
complete the following steps:
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
- Under Additional properties, click Login mappings.
- Click either New to create a new login
mapping configuration or click the name of an existing configuration.
To use this administrative console page for the application level,
complete the following steps:
- Click .
- Under Modules, click .
- Under Web Services Security Properties, click Web services:
Server security bindings.
- Click Edit under Request receiver binding.
- Click Login mappings.
- Click either New to create a new login
mapping configuration or click the name of an existing configuration.
Important: If the login mapping configuration is not found
on the application level, the web services run time searches for the
login mapping configuration on the server level. If
the configuration is not found on the server level, the web services
run time searches the cell.
Authentication method
Specifies the method of authentication.
You can use any string, but the string must match the element in
the service-level configuration. The following words are reserved
and have special meanings:
- BasicAuth: Uses both a user name and a password.
- IDAssertion: Uses only a user name, but requires that additional trust is established on the receiving server using a TrustedIDEvaluator mechanism.
- Signature: Uses the distinguished name (DN) of the signer.
- LTPA: Validates a token.
JAAS configuration name
Specifies the name of the Java Authentication
and Authorization Service (JAAS) configuration.
Among the predefined system login configurations that you can use
are the following:
- system.wssecurity.IDAssertion: Enables a version 6.x application to use identity assertion to map a user name to a WebSphere Application Server credential principal.
- system.wssecurity.Signature: Enables a version 6.x application to map a distinguished name (DN) in a signed certificate to a WebSphere Application Server credential principal.
- system.LTPA_WEB: Processes login requests that are used by the web container, such as servlets and JavaServer Pages (JSP) files.
- system.WEB_INBOUND: Handles logins for web application requests, which include servlets and JavaServer Pages.
- system.RMI_INBOUND: Handles logins for inbound Remote Method Invocation (RMI) requests.
- system.DEFAULT: Handles the logins for inbound requests made by internal authentications and most of the other protocols except web applications and RMI requests.
- system.RMI_OUTBOUND: Processes RMI requests that are sent outbound to another server when the com.ibm.CSIOutboundPropagationEnabled property is true. This property is set in the CSIv2 authentication panel. To access the panel, click . Expand RMI/IIOP security, then click CSIv2 Outbound authentication. To set the com.ibm.CSIOutboundPropagationEnabled property, select Security attribute propagation.
- system.wssecurity.X509BST: Verifies an X.509 binary security token (BST) by checking the validity of the certificate and the certificate path.
- system.wssecurity.PKCS7: Verifies an X.509 certificate with a certificate revocation list in a PKCS7 object.
- system.wssecurity.PkiPath: Verifies an X.509 certificate with a public key infrastructure (PKI) path.
- system.wssecurity.UsernameToken: Verifies basic authentication (user name and password).
These system login configurations are defined on the System logins
panel, which is accessible by completing the following steps:
- Click .
- Expand Java Authentication and Authorization Service, then click System
logins.
Attention: The predefined system login configurations
are listed on the System logins configuration panel without the system
prefix. For example, the system.wssecurity.UsernameToken configuration
listed in the Java Authentication and Authorization
Service (JAAS) configuration name option corresponds to the wssecurity.UsernameToken
configuration that is on the System logins configuration panel.
You can use the following predefined application login configurations:
- ClientContainer: Specifies the login configuration that is used by the client container application, which uses the CallbackHandler API that is defined in the deployment descriptor of the client container.
- WSLogin: Specifies whether all applications can use the WSLogin configuration to perform authentication for the WebSphere Application Server security run time.
- DefaultPrincipalMapping: Specifies the login configuration used by Java 2 Connectors (J2C) to map users to principals that are defined in the J2C authentication data entries.
These application login configurations are defined on the Application
logins panel, which is accessible by completing the following steps:
- Click .
- Expand Java Authentication and Authorization
Service, then click Application logins.
Do not remove these predefined system or application login configurations.
Within these configurations, you can add module class names and specify
the order in which WebSphere Application Server
loads each module.
Callback handler factory class name
Specifies the name of the factory for the CallbackHandler class.
The class that you specify in this field must implement com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory.
Token type URI
Specifies the namespace Uniform Resource Identifiers (URI),
which denotes the type of security token that is accepted.
If binary security tokens are accepted, the value denotes the ValueType
attribute in the element. The ValueType attribute identifies the type
of security token and its namespace. If Extensible Markup Language
(XML) tokens are accepted, the value denotes the top-level element
name of the XML token.
If one of the reserved words listed previously is specified in the Authentication
method field, this field is ignored.
Data type: Unicode characters except for non-ASCII characters, but including the number sign (#), the percent sign (%), and the square brackets ([ ]).
Token type local name
Specifies the local name of the security token type, for
example, X509v3.
If binary security tokens are accepted, the value denotes the ValueType
attribute in the element. The ValueType attribute identifies the type
of security token and its namespace. If Extensible Markup Language
(XML) tokens are accepted, the value denotes the top-level element
name of the XML token.
If one of the reserved words listed previously is specified in the Authentication
method field, this field is ignored.
Nonce maximum age
Specifies the time, in seconds, before the nonce timestamp
expires. Nonce is a randomly generated value.
You must specify a minimum of 300 seconds for the Nonce maximum
age field. However, the maximum value cannot exceed the number of
seconds specified in the Nonce cache timeout field for either the cell level or the server level.
You can specify the Nonce maximum age value for
the cell level by completing the following steps:
- Click .
You can specify the Nonce maximum age value for the server level
by completing the following steps:
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
Important: The Nonce maximum age field on this panel is
optional and only valid if the BasicAuth authentication method is
specified. If you specify another authentication method and attempt
to specify values for this field, the following error message displays
and you must remove the specified value: Nonce is not supported
for authentication methods other than BasicAuth.
If you specify the BasicAuth method, but do not specify values
for the Nonce maximum age field, the Web Services Security run time
searches for a Nonce maximum age value on the server level. If a value is not found on the server level, the run
time searches the cell level. If a value is not found on either the
server level or the cell level, the default is 300 seconds.
Default: 300 seconds
Range: 300 to Nonce cache timeout seconds
Nonce clock skew
Specifies the clock skew value, in seconds, to consider
when WebSphere Application Server checks the
freshness of the message. Nonce is a randomly generated value.
You can specify the Nonce clock skew value for
the cell level by completing the following steps:
- Click .
You can specify the Nonce clock skew value for the server level by completing the following steps:
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
You must specify a minimum of zero (0) seconds for the Nonce clock
skew field. However, the maximum value cannot exceed the number of
seconds that is specified in the Nonce maximum age field on this Login
mappings panel.
Important: The Nonce clock skew field on this panel is
optional and only valid if the BasicAuth authentication method is
specified. If you specify another authentication method and attempt
to specify values for this field, the following error message displays
and you must remove the specified value: Nonce is not supported
for authentication methods other than BasicAuth.
Note: If you specify BasicAuth, but do not specify values for the
Nonce clock skew field, WebSphere Application Server
searches for a Nonce clock skew value on the server level. If a value is not found on the server level, the run
time searches the cell level. If a value is not found on either the
server level or the cell level, the default is zero (0) seconds.
Default: 0 seconds
Range: 0 to Nonce maximum age seconds
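The freshness and replay check that the Nonce maximum age and Nonce clock skew fields (together with the Nonce cache timeout) govern, as an added Python model that is not WebSphere code. It assumes epoch-second timestamps, an acceptance window of [now - maximum age - clock skew, now + clock skew] and a 600-second cache timeout, and it also enforces the field constraints and the BasicAuth-only rule stated above.

```python
# Added illustration (not WebSphere code) of the checks that the Nonce maximum
# age, Nonce clock skew and Nonce cache timeout settings govern. Times are epoch
# seconds; the acceptance window [now - max_age - clock_skew, now + clock_skew]
# and the 600-second default cache timeout are assumptions, not values from the page.
BASIC_AUTH = "BasicAuth"


def validate_nonce_settings(auth_method, max_age, clock_skew, cache_timeout):
    """Enforce the constraints the Login mappings panel states for the nonce fields."""
    if auth_method != BASIC_AUTH:
        # Same wording as the console error message quoted on the page.
        raise ValueError("Nonce is not supported for authentication methods other than BasicAuth.")
    if not 300 <= max_age <= cache_timeout:
        raise ValueError("Nonce maximum age must be 300 to Nonce cache timeout seconds")
    if not 0 <= clock_skew <= max_age:
        raise ValueError("Nonce clock skew must be 0 to Nonce maximum age seconds")


class NonceValidator:
    """Freshness and replay check for a UsernameToken nonce and its Created timestamp."""

    def __init__(self, max_age=300, clock_skew=0, cache_timeout=600, auth_method=BASIC_AUTH):
        validate_nonce_settings(auth_method, max_age, clock_skew, cache_timeout)
        self.max_age, self.clock_skew, self.cache_timeout = max_age, clock_skew, cache_timeout
        self._seen = {}  # nonce -> receiver time at which it was first accepted

    def check(self, nonce, created, now):
        """Return 'ok' or a rejection reason; only an accepted nonce is recorded."""
        # Evict cache entries older than the cache timeout. Because max_age cannot exceed
        # cache_timeout, any nonce still fresh enough to be accepted is still cached.
        self._seen = {n: t for n, t in self._seen.items() if now - t < self.cache_timeout}
        if created > now + self.clock_skew:
            return "rejected: Created is further in the future than the clock skew allows"
        if now - created > self.max_age + self.clock_skew:
            return "rejected: nonce older than Nonce maximum age"
        if nonce in self._seen:
            return "rejected: nonce replayed"
        self._seen[nonce] = now
        return "ok"


if __name__ == "__main__":
    # Constructed sample: receiver clock at epoch 1010 with a 30-second skew allowance.
    v = NonceValidator(max_age=300, clock_skew=30)
    print(v.check("n1", created=1000, now=1010))  # ok
    print(v.check("n1", created=1000, now=1020))  # rejected: nonce replayed
    print(v.check("n2", created=1000, now=1331))  # rejected: nonce older than Nonce maximum age
    print(v.check("n3", created=1050, now=1010))  # rejected: Created is further in the future ...
```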
