The token consumer on the server or
cell level is used to specify the information that is needed
to process the security token if it is not defined at the application
level.
Before you begin
You need to understand that the keystore/alias
information that you provide for the generator, and the keystore/alias
information that you provide for the consumer are used for different
purposes. The main difference applies to the Alias for an X.509 callback
handler.
When used in association with an encryption consumer,
the alias supplied for the consumer is used to retrieve the private key
to decrypt the message. A password is required. When associated
with a signature consumer, the alias supplied for the consumer is
used strictly to retrieve the public key that is used to resolve an
X.509 certificate that is not passed in the SOAP security header as
a BinarySecurityToken. A password is not required.
Updated in July 2011
About this task
WebSphere® Application Server provides default
values for bindings. You must modify the defaults for a production
environment.
You can configure the token consumers
on the server level and the cell level. In the following steps, use
the first step to access the server-level default bindings and use
the second step to access the cell-level bindings.
Procedure
- Access the default bindings for the server level.
- Click .
- Under Security, click JAX-WS and JAX-RPC
security runtime.
Mixed-version environment: In
a mixed node cell with a server using WebSphere Application Server
version 6.1 or earlier, click
Web services: Default bindings
for Web Services Security.
- Click to access the default
bindings on the cell level.
- Under Default consumer bindings, click Token
consumers.
- Click New to create a token consumer
configuration, click Delete to delete an existing
configuration, or click the name of an existing token consumer configuration
to edit its settings. If you are creating a new configuration,
enter a unique name for the token consumer configuration in the Token
consumer name field. For example, you might specify sig_tcon.
This field specifies the name of the token consumer element.
- Specify a class name in the Token consumer class name field.
The Java Authentication and Authorization Service
(JAAS) Login Module implementation is used to validate (authenticate)
the security token on the consumer side.
Restriction: The com.ibm.wsspi.wssecurity.token.TokenConsumingComponent
interface is not used with JAX-WS web services. If you are using JAX-RPC
web services, this interface is still valid.
The
token consumer class name must be similar to the token generator class
name.
For example, if your application requires an X.509 certificate
token consumer, you can specify the com.ibm.wsspi.wssecurity.token.X509TokenGenerator
class name on the Token generator panel and the com.ibm.wsspi.wssecurity.token.X509TokenConsumer
class name in this field. WebSphere Application Server
provides the following default token consumer class implementations:
- com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer
- This implementation integrates a user name token.
- com.ibm.wsspi.wssecurity.token.X509TokenConsumer
- This implementation integrates an X.509 certificate token.
- com.ibm.wsspi.wssecurity.token.LTPATokenConsumer
- This implementation integrates a Lightweight Third Party Authentication
(LTPA) token.
- com.ibm.wsspi.wssecurity.token.IDAssertionUsernameTokenConsumer
- This implementation integrates an IDAssertionUsername token.
A
corresponding token generator class does not exist for this implementation.
- Select a certificate path option. The certificate
path specifies the certificate revocation list (CRL) that is used
for generating a security token wrapped in a PKCS#7 with a CRL. WebSphere Application Server provides the
following certificate path options:
- None
- If you select this option, the certificate path is not specified.
- Trust any
- If you select this option, any certificate is trusted. When the
received token is consumed, the certificate path validation is not
processed.
- Dedicated signing information
- If you select this option, you can specify a trust anchor and
a certificate store. When you select the trust anchor or the certificate
store of a trusted certificate, you must configure the collection
certificate store before setting the certificate path. To define a
collection certificate store on the server or
cell level, see Configuring the collection certificate on the server or cell level.
- Select a trust anchor in the Trust anchor field.
WebSphere Application Server provides two
sample trust anchors. However, it is recommended that you configure
your own trust anchors for a production environment. For information
on configuring a trust anchor, see Configuring trust anchors on the server or cell level.
- Select a collection certificate store in the Certificate
store field. WebSphere Application Server
provides a sample collection certificate store. If you select None,
the collection certificate store is not specified. For information
on specifying a list of certificate stores that contain untrusted,
intermediary certificate files awaiting validation, see Configuring trusted ID evaluators on the server or cell level.
- Select a trusted ID evaluator from the Trusted ID evaluation
reference field. This field specifies a reference to the
Trusted ID evaluator class name that is defined in Trusted ID evaluators
panel. The trusted ID evaluator is used for evaluating whether the
received ID is trusted. If you select None,
the trusted ID evaluator is not referenced in this token consumer
configuration. To configure a trusted ID evaluator, see Configuring trusted ID evaluators on the server or cell level.
- Select the Verify nonce option if
a nonce is included in a user name token on the generator side.
A nonce is a unique cryptographic number that is embedded in a
message to help prevent replay attacks that reuse a captured user name token.
The Verify nonce option is available if you
specify a user name token for the token consumer and nonce is added
to the user name token on the generator side.
- Select the Verify timestamp option
if a time stamp is included in the user name token on the generator
side. The Verify timestamp option
is available if you specify a user name token for the token consumer
and a time stamp is added to the user name token on the generator
side.
- Specify the local name of the value type for the integrated
token. This entry specifies the local name of the value
type for a security token that is referenced by the key identifier.
This attribute is valid when Key identifier is
selected as the key information type. To specify the key information
type, see Configuring the key information for the consumer binding using JAX-RPC on the server or cell level. WebSphere Application Server has predefined
value type local names for the user name token and the X.509 certificate
security token. Enter one of the following local names for the user
name token and the X.509 certificate security token. When you specify
the following local names, you do not need to specify the URI of the
value type:
- Username token
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
- X.509 certificate token
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
- X.509 certificates in a PKIPath
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
- A list of X.509 certificates and CRLs in a PKCS#7
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7
Note: To specify Lightweight
Third Party Authentication (LTPA) or token propagation (LTPA_PROPAGATION),
you must specify both the value type local name and the Uniform Resource
Identifier (URI). For LTPA, specify LTPA for
the local name and http://www.ibm.com/websphere/appserver/tokentype/5.0.2 for
the URI. For LTPA token propagation, specify LTPA_PROPAGATION for
the local name and http://www.ibm.com/websphere/appserver/tokentype for
the URI.
For example, when an X.509 certificate token is specified,
you can use http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 for
the local name. When you specify the local name of another token,
you must specify a value type QName. For example: uri=http://www.ibm.com/custom,
localName=CustomToken
- Specify the value type uniform resource identifier (URI)
in the URI field. This entry specifies the namespace URI
of the value type for a security token that is referenced by the key
identifier. This attribute is valid when Key identifier is
selected as the key information type on the Key information panel
for the default generator. When you specify the token consumer for
the user name token or an X.509 certificate security token, you do
not need to specify this option. If you specify another token, you
need to specify the URI of the QName for the value type.
- Click OK and then Save to
save the configuration. After saving the token generator
configuration, you can specify a JAAS configuration for your token
consumer.
- Click the name of your token generator configuration.
- Under Additional properties, click JAAS configuration.
- Select a JAAS configuration from the JAAS configuration
name field.
The field specifies the
name of the JAAS system or application login configuration. You
can specify additional JAAS system and application configurations
by clicking . Expand Java Authentication
and Authorization Service, then click or .
For
more information on the JAAS configurations, see JAAS configuration settings.
Do not
remove the predefined system or application login configurations.
However, within these configurations, you can add module class names
and specify the order in which WebSphere Application
Server loads each module. WebSphere Application Server
provides the following predefined JAAS configurations:
- ClientContainer
- This selection specifies the login configuration that is used
by the client container applications. The configuration uses the CallbackHandler
application programming interface (API) that is defined in the deployment
descriptor for the client container. To modify this configuration,
see the JAAS configuration panel for application logins.
- WSLogin
- This selection specifies whether all of the applications can use
the WSLogin configuration to perform authentication for the security
run time. To modify this configuration, see the JAAS configuration
panel for application logins.
- DefaultPrincipalMapping
- This selection specifies the login configuration that is used
by Java 2 Connectors (J2C) to map users to principals
that are defined in the J2C authentication data entries. To modify
this configuration, see the JAAS configuration panel for application
logins.
- system.wssecurity.IDAssertion
- This selection enables a Version 5.x application to use
identity assertion to map a user name to a WebSphere Application
Server credential principal. To modify this configuration, see the
JAAS configuration panel for system logins.
- system.wssecurity.Signature
- This selection enables a Version 5.x application to map
a distinguished name (DN) in a signed certificate to a WebSphere Application
Server credential principal. To modify this configuration, see the
JAAS configuration panel for system logins.
- system.LTPA_WEB
- This selection processes login requests that are used by the web
container such as servlets and JavaServer Pages (JSP) files. To modify
this configuration, see the JAAS configuration panel for system logins.
- system.WEB_INBOUND
- This selection handles login requests for web applications, which
include servlets and JavaServer Pages (JSP) files. This login configuration
is used by WebSphere Application Server Version 5.1.1.
To modify this configuration, see the JAAS configuration panel for
system logins.
- system.RMI_INBOUND
- This selection handles logins for inbound Remote Method Invocation
(RMI) requests. This login configuration is used by WebSphere Application
Server Version 5.1.1. To modify this configuration, see the JAAS configuration
panel for system logins.
- system.DEFAULT
- This selection handles the logins for inbound requests that are
made by internal authentications and most of the other protocols except
web applications and RMI requests. This login configuration is used
by WebSphere Application Server Version 5.1.1.
To modify this configuration, see the JAAS configuration panel for
system logins.
- system.RMI_OUTBOUND
- This selection processes RMI requests that are sent outbound to
another server when the com.ibm.CSIOutboundPropagationEnabled property
is true. This property is set in the CSIv2
authentication panel. To
access the panel, click . Under Authentication,
expand RMI/IIOP security and click CSIv2
outbound authentication. To set the com.ibm.CSIOutboundPropagationEnabled property,
select Security attribute propagation. To modify
this JAAS login configuration, see the JAAS - System logins panel.
- system.wssecurity.X509BST
- This selection verifies an X.509 binary security token (BST) by
checking the validity of the certificate and the certificate path.
To modify this configuration, see the JAAS configuration panel for
system logins.
- system.wssecurity.PKCS7
- This selection verifies an X.509 certificate with a certificate
revocation list in a PKCS7 object. To modify this configuration, see
the JAAS configuration panel for system logins.
- system.wssecurity.PkiPath
- This selection verifies an X.509 certificate with a public key infrastructure
(PKI) path. To modify this configuration, see the JAAS configuration
panel for system logins.
- system.wssecurity.UsernameToken
- This selection verifies the basic authentication (user name and
password) data. To modify this configuration, see the JAAS configuration
panel for system logins.
- system.wssecurity.IDAssertionUsernameToken
- This selection enables Versions 6 and later applications to use
identity assertion to map a user name to a WebSphere Application
Server credential principal. To modify this configuration, see the
JAAS configuration panel for system logins.
- system.WSS_INBOUND
- This selection specifies the login configuration for inbound or
consumer requests for security token propagation using Web Services
Security. To modify this configuration, see the JAAS configuration
panel for system logins.
- system.WSS_OUTBOUND
- This selection specifies the login configuration for outbound
or generator requests for security token propagation using Web Services
Security. To modify this configuration, see the JAAS configuration
panel for system logins.
- None
- With this selection, you do not specify a JAAS login configuration.
- Click OK and then Save to
save the configuration.
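The following Python script is an added example and is not code from the WebSphere documentation or product. It illustrates two of the consumer settings in the procedure above: how the value type local name and URI fields (including the predefined OASIS local names and the LTPA pairs from the note) form the value type the consumer matches against a received wsse:BinarySecurityToken, and what the Verify nonce and Verify timestamp options check on a UsernameToken. The SOAP header, receive times, freshness window and clock skew are constructed for the example; forming the ValueType attribute as uri#localName for LTPA and custom tokens is an assumption, not something the documentation states.

```python
"""Consumer-side checks for the token consumer steps above.

Added example, not code from the WebSphere documentation or product. It shows how
the local name and URI fields form the value type that the consumer matches against
a received wsse:BinarySecurityToken, and what Verify timestamp and Verify nonce check
on a UsernameToken. Header, receive times and freshness window are constructed;
forming the ValueType as uri#localName for LTPA and custom tokens is an assumption.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SMS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
UNT_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"

# Predefined local names listed in the documentation; each is already a complete value type URI.
PREDEFINED = {f"{UNT_PROFILE}#UsernameToken", f"{X509_PROFILE}#X509v3",
              f"{X509_PROFILE}#X509PKIPathv1", f"{X509_PROFILE}#PKCS7"}
# LTPA local names must be paired with exactly these URIs.
LTPA_URIS = {"LTPA": "http://www.ibm.com/websphere/appserver/tokentype/5.0.2",
             "LTPA_PROPAGATION": "http://www.ibm.com/websphere/appserver/tokentype"}

# Constructed header: two binary security tokens plus a user name token with nonce and timestamp.
SAMPLE_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:BinarySecurityToken wsu:Id="x509_1" ValueType="{X509_PROFILE}#X509v3"
      EncodingType="{SMS}#Base64Binary">Y29uc3RydWN0ZWQ=</wsse:BinarySecurityToken>
  <wsse:BinarySecurityToken wsu:Id="ltpa_1" ValueType="{LTPA_URIS['LTPA']}#LTPA"
      EncodingType="{SMS}#Base64Binary">Y29uc3RydWN0ZWQ=</wsse:BinarySecurityToken>
  <wsse:UsernameToken wsu:Id="unt_1">
    <wsse:Username>alice</wsse:Username>
    <wsse:Nonce>MTIzNDU2Nzg5MGFiY2RlZg==</wsse:Nonce>
    <wsu:Created>2011-07-15T10:00:00Z</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>"""
# Constructed receive times: 30 seconds after Created, and 20 minutes after it.
RECEIVED_AT = datetime(2011, 7, 15, 10, 0, 30, tzinfo=timezone.utc)
RECEIVED_LATE = datetime(2011, 7, 15, 10, 20, 0, tzinfo=timezone.utc)


def configured_value_type(local_name: str, uri: Optional[str] = None) -> str:
    """Value type a consumer configured with these two fields accepts; ValueError if incomplete."""
    if local_name in PREDEFINED:
        return local_name                       # the URI field is not needed for these
    if local_name in LTPA_URIS and uri != LTPA_URIS[local_name]:
        raise ValueError(f"{local_name} requires URI {LTPA_URIS[local_name]}")
    if not uri:
        raise ValueError("a custom token needs both uri and localName of the value type QName")
    return f"{uri}#{local_name}"                # assumption: ValueType formed as uri#localName


def select_token(header_xml: str, value_type: str) -> Optional[str]:
    """wsu:Id of the first BinarySecurityToken whose ValueType matches the configuration, else None."""
    for bst in ET.fromstring(header_xml).iter(f"{{{WSSE}}}BinarySecurityToken"):
        if bst.get("ValueType") == value_type:
            return bst.get(f"{{{WSU}}}Id")
    return None


class UsernameTokenConsumer:
    """Applies the Verify timestamp and Verify nonce options to a received UsernameToken."""

    def __init__(self, verify_nonce: bool = True, verify_timestamp: bool = True,
                 freshness: timedelta = timedelta(minutes=5), clock_skew: timedelta = timedelta(minutes=1)):
        self.verify_nonce, self.verify_timestamp = verify_nonce, verify_timestamp
        self.freshness, self.clock_skew = freshness, clock_skew
        self._seen: Dict[str, datetime] = {}    # nonce -> time after which it can be forgotten

    def verify(self, header_xml: str, now: datetime) -> Tuple[bool, str]:
        """(True, username) when the token passes every enabled check, else (False, reason)."""
        token = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
        if token is None:
            return False, "no UsernameToken in header"
        nonce, created = token.findtext(f"{{{WSSE}}}Nonce"), token.findtext(f"{{{WSU}}}Created")
        if self.verify_timestamp:
            if created is None:
                return False, "timestamp missing"
            ts = datetime.fromisoformat(created.strip().replace("Z", "+00:00"))
            if ts > now + self.clock_skew:
                return False, "Created is in the future"
            if now - ts > self.freshness:
                return False, "token is stale"
        if self.verify_nonce:
            if nonce is None:
                return False, "nonce missing"
            self._seen = {n: t for n, t in self._seen.items() if t >= now}  # forget nonces of stale tokens
            if nonce in self._seen:
                return False, "replayed nonce"
            self._seen[nonce] = now + self.freshness + self.clock_skew  # remember while a copy could still be fresh
        return True, token.findtext(f"{{{WSSE}}}Username") or ""


def run_demo() -> List[Tuple[bool, str]]:
    """First sight accepted, immediate replay rejected, a 20 minute old token rejected."""
    consumer = UsernameTokenConsumer()
    return [consumer.verify(SAMPLE_HEADER, RECEIVED_AT),
            consumer.verify(SAMPLE_HEADER, RECEIVED_AT),
            UsernameTokenConsumer().verify(SAMPLE_HEADER, RECEIVED_LATE)]
```

The nonce cache is only bounded because the timestamp is checked as well: a nonce is kept for as long as a token carrying it could still pass the freshness check, and is dropped afterwards. With Verify nonce selected but Verify timestamp cleared, the same cache would have to grow without limit to rule out replay, which is why the two options are normally selected together when the generator adds both to the user name token.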
Results
You have configured the token consumer at the server or cell level.
What to do next
You must specify a similar token generator configuration
for the server or cell level.