Use this page to specify how to acquire the security token that is inserted in the Web Services Security header for JAX-RPC within the SOAP message. Token acquisition is a pluggable framework that uses the Java Authentication and Authorization Service (JAAS) javax.security.auth.callback.CallbackHandler interface to acquire the security token.
When the callback handler is associated with a signature consumer, the alias that is supplied for the consumer is used strictly to retrieve the public key that resolves an X.509 certificate that is not passed in the SOAP security header as a BinarySecurityToken. A password is not required.
The alias that is entered on a callback handler associated with a signature consumer must be accessible without a password. This means that the alias must not have private key information associated with it in the keystore; it must be a trusted-certificate entry, not a key entry.
When an X.509 certificate is not passed in the SOAP security header as a BinarySecurityToken, a SecurityTokenReference appears in the KeyInfo element within the Signature element of the SOAP security header, and that reference is used to resolve the X.509 certificate. The reference methods that can be used are key identifier, X.509 issuer name and issuer serial, and thumbprint. The consumer accepts any of these three methods for resolving an X.509 certificate from outside the message when a keystore/alias is configured for an X.509 token consumer that is associated with a signature consumer.
Because only one alias can be configured on the X.509 token consumer, the WS-Security run time can resolve only one certificate from outside a message. For example, if the X.509 token consumer is configured for certificate A and client A sends the key identifier for certificate A, the certificate can be retrieved. However, if client B sends the key identifier for certificate B, the certificate cannot be retrieved and the message is rejected.
When an X.509 certificate is sent in the SOAP security header as a BinarySecurityToken and a keystore/alias is configured on the X.509 token consumer that is associated with a signature consumer, the certificate that is configured on the consumer is compared with the one that is passed in the message. If they do not match, the message is rejected. This behavior is different from JAX-RPC. The certificate that is associated with the alias configured on the X.509 token consumer is not used to evaluate trust in the inbound certificate; only the trust store and cert stores are used for that purpose. This comparison is controlled by the following custom property; as the property name indicates, setting it to false removes the restriction so that the configured alias no longer limits which inbound certificates are accepted:
com.ibm.wsspi.wssecurity.consumer.callbackHandlerKeystoreLimitsAccess=false
See the topic Key information settings for more information about the key identifier, X.509 issuer/serial, and thumbprint.
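The following class is an added illustration, not WebSphere code, of the consumer-side behavior described above: one certificate is loaded from the configured alias, the alias is required to be a password-less certificate entry, an incoming SecurityTokenReference in any of the three forms is resolved only if it points at that one certificate, and a BinarySecurityToken carried in the message is accepted only if it is identical to the configured certificate. The byte layouts assumed for the thumbprint (SHA-1 over the DER-encoded certificate) and the key identifier (the SubjectKeyIdentifier extension value, short-form DER lengths) follow the WS-Security X.509 Token Profile; the class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.security.auth.x500.X500Principal;

/** Added example: resolve X.509 references against a single configured alias. Not product code. */
public final class SingleAliasCertResolver {

    /** The three SecurityTokenReference forms the consumer accepts. */
    public enum RefType { KEY_IDENTIFIER, ISSUER_SERIAL, THUMBPRINT }

    private final X509Certificate configured;

    /** Load the one certificate that the X.509 token consumer is configured with. */
    public SingleAliasCertResolver(String keystorePath, String type, char[] storePass, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        // The consumer alias must be usable without a key password, so it has to be a
        // trusted-certificate entry; a key entry (private key present) is rejected here.
        if (!ks.isCertificateEntry(alias)) {
            throw new IllegalArgumentException("alias " + alias + " is not a password-less certificate entry");
        }
        configured = (X509Certificate) ks.getCertificate(alias);
    }

    /** Resolve a reference to the configured certificate; null means "reject the message". */
    public X509Certificate resolve(RefType type, byte[] value, String issuerName, BigInteger serial)
            throws Exception {
        boolean match;
        switch (type) {
            case THUMBPRINT:
                // ThumbprintSHA1: SHA-1 over the DER encoding of the whole certificate.
                match = Arrays.equals(value, sha1(configured.getEncoded()));
                break;
            case KEY_IDENTIFIER:
                // X509SubjectKeyIdentifier: the raw SubjectKeyIdentifier extension value.
                match = Arrays.equals(value, subjectKeyIdentifier(configured));
                break;
            case ISSUER_SERIAL:
                match = configured.getIssuerX500Principal().equals(new X500Principal(issuerName))
                        && configured.getSerialNumber().equals(serial);
                break;
            default:
                match = false;
        }
        // Only this one certificate can ever be resolved; any other client's reference fails.
        return match ? configured : null;
    }

    /** For a BinarySecurityToken carried in the message: it must equal the configured certificate. */
    public boolean acceptsInlineToken(X509Certificate inbound) throws Exception {
        // Byte-for-byte comparison only. Whether the inbound certificate is *trusted* is a
        // separate decision made against the trust store and cert stores, not this alias.
        return Arrays.equals(inbound.getEncoded(), configured.getEncoded());
    }

    static byte[] sha1(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(data);
    }

    /** SubjectKeyIdentifier (OID 2.5.29.14): strip the two nested OCTET STRING headers (2 bytes each). */
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.14");
        if (ext == null) {
            return null;                       // no SKI extension: a key identifier reference cannot match
        }
        return Arrays.copyOfRange(ext, 4, ext.length);  // assumes short-form lengths (SKI is normally 20 bytes)
    }

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Usage: java SingleAliasCertResolver <keystore> <JKS|PKCS12> <storepass> <alias> <hexThumbprint> */
    public static void main(String[] args) throws Exception {
        SingleAliasCertResolver r =
                new SingleAliasCertResolver(args[0], args[1], args[2].toCharArray(), args[3]);
        X509Certificate c = r.resolve(RefType.THUMBPRINT, hex(args[4]), null, null);
        System.out.println(c == null
                ? "rejected: thumbprint does not match the configured alias"
                : "resolved " + c.getSubjectX500Principal());
    }
}
```

Running it with the SHA-1 thumbprint of the alias's own certificate prints "resolved ..."; the thumbprint of any other client's certificate is rejected, which is the single-alias limitation the text describes. The `isCertificateEntry` check is the practical way to confirm the alias carries no private key.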
Specifies the name of the callback handler implementation class that is used to plug in a security token framework. The class must provide a constructor with the following signature, to which the configured user name, password, and properties are passed:
MyCallbackHandler(String username, char[] password, java.util.Map properties)
The callback handler implementation obtains the required security token and passes it to the token generator. The token generator inserts the security token in the Web Services Security header within the SOAP message. The token generator is also the plug-in point for the pluggable security token framework. Service providers can provide their own implementation, but the implementation must use the com.ibm.websphere.wssecurity.wssapi.token.SecurityToken interface. The Java Authentication and Authorization Service (JAAS) Login Module implementation is used to create the security token on the generator side and to validate (authenticate) the security token on the consumer side.
Select this option if you have identity assertion defined in the IBM® extended deployment descriptor.
This option indicates that only the identity of the initial sender is required and inserted into the Web Services Security header within the SOAP message. For example, for a Username token generator the application server sends only the user name of the original caller. For an X.509 token generator, the application server sends only the certificate of the original signer.
Select this option if you have identity assertion defined in the IBM extended deployment descriptor and you want to use the Run As identity instead of the initial caller identity for identity assertion for a downstream call.
This option is valid only if a Username token generator is configured as the token generator.
Specifies the user name that is passed to the constructor of the callback handler implementation.
The constructor is described under the Callback handler class name field description in this article.
Specifies the password that is passed to the constructor of the callback handler.
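The following class is an added example, not code from the product or this page, of a callback handler that has the constructor signature given under Callback handler class name and receives the User ID and Password fields described above. It answers the standard JAAS NameCallback and PasswordCallback that a login module issues, fails closed on any other callback, and wipes the password once it is no longer needed. The class name, the property key in `main`, and the sample credentials are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Added example: a callback handler with the (String, char[], Map) constructor the page describes. */
public class MyCallbackHandler implements CallbackHandler {

    private final String username;
    private final char[] password;      // defensive copy, cleared by dispose()
    private final Map<?, ?> properties; // handler-specific settings passed in by the run time

    public MyCallbackHandler(String username, char[] password, Map properties) {
        this.username = username;
        this.password = password == null ? new char[0] : password.clone();
        this.properties = properties == null ? Collections.emptyMap() : properties;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                // PasswordCallback.setPassword stores its own copy, so our array can be wiped later.
                ((PasswordCallback) cb).setPassword(password);
            } else {
                // Fail closed: do not silently ignore a callback this handler does not understand.
                throw new UnsupportedCallbackException(cb, "unsupported callback " + cb.getClass().getName());
            }
        }
    }

    /** Exposes a configured property to the handler's own logic; returns null if absent. */
    public Object property(String key) {
        return properties.get(key);
    }

    /** Wipe the password once the login module has collected it. */
    public void dispose() {
        Arrays.fill(password, '\0');
    }

    /** Constructed demonstration of the login-module side driving the handler. */
    public static void main(String[] args) throws Exception {
        MyCallbackHandler handler = new MyCallbackHandler(
                "alice", "s3cret".toCharArray(),
                Collections.singletonMap("com.example.tokenType", "UsernameToken")); // hypothetical key
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        handler.handle(new Callback[] { nc, pc });
        System.out.println("name=" + nc.getName() + " pwdLen=" + pc.getPassword().length
                + " tokenType=" + handler.property("com.example.tokenType"));
        pc.clearPassword();
        handler.dispose();
    }
}
```

The point for a practitioner: the run time constructs the handler from the fields on this page, the JAAS login module pulls the credentials through `handle()`, and the password lives in a `char[]` precisely so that it can be zeroed rather than lingering in an immutable `String`.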
Select None if no keystore is needed for this configuration.
Select Predefined keystore to choose a predefined keystore by its keystore configuration name.
Select User-defined keystore to use user-defined keystores.
Depending on the selection, the following information is specified:
Specifies the name of the key store configuration defined in the keystore settings in secure communications.
Specifies the password that is used to access the keystore file.
Specifies the location of the keystore file.
Use ${USER_INSTALL_ROOT} in the path name because this variable expands to the product path on your machine. To change the path that this variable uses, edit the USER_INSTALL_ROOT WebSphere variable.
Specifies the type of the keystore file format.