You can attach the trust service operations for a service
endpoint to a system policy set and binding. Each new endpoint that
is specified initially has the following four operations: issue, renew,
cancel, and validate. By default, all endpoints inherit the policy
set and binding that are attached to the respective trust service
operation under Trust Service Defaults. However, you can explicitly
attach a different policy set.
Before you begin
First you must define your policy sets and bindings. Policies describe
the protection or quality of service that is provided (such as message
security or transport security). Bindings specify how the policy is
implemented, such as the path to the keystore file, the class name of
the token generator, or the JAAS configuration name.
Important: Use system policy sets with the trust
service only. The requestor (client) must use Java API
for XML-Based Web Services (JAX-WS) only. Requestors that use Java API for XML-based remote procedure calls
(JAX-RPC) are incompatible with the policy set quality of service (QoS).
Depending on your assigned security role
when security is enabled, you might not have access to text entry
fields or buttons to create or edit configuration data. Review the
administrative roles documentation to learn more about the valid roles
for the application server.
About this task
You can attach the trust service operations for a new
endpoint to an existing policy set and binding. For each new service
endpoint that is specified, four trust service operations (cancel,
renew, validate and issue) change from having inherited attachments
to being explicitly attached. The four operations are attached to
the respective policy set and binding as specified in Trust Service
Defaults. Then you can change the attachment to the desired existing
policy set and binding.
An endpoint policy set consists of two
sections: a bootstrap section and an application section. The system
policy set attached to the issue and renew trust service operations
for a specific endpoint must correspond to the bootstrap section of
the policy set for that endpoint. The system policy set attached to
the cancel and validate trust service operations for a specific endpoint
must correspond to the application section of the policy set for that
endpoint.
This task describes how to manage trust service operations
for service endpoint URLs that you want to attach to a system policy
set and binding. To complete the configuration of the WebSphere® Application
Server trust service, you must also complete the following task:
- Create or manage targets. You can create explicit assignments
for new service endpoints (targets) or manage endpoints that have
a security token explicitly assigned or that inherit the Trust Service
Default token.
The sample general bindings that are provided with the product
are initially set as the global security (cell) default bindings.
The default service provider binding and the default service client
bindings are used when no application specific bindings or trust service
bindings are assigned to a policy set attachment. For trust service
attachments, the default bindings are used when no trust specific
bindings are assigned. If you do not want to use the provided Provider
sample as the default service provider binding, you can select an
existing general provider binding or create a new general provider
binding to meet your business needs. Likewise, if you do not want
to use the provided Client sample as the default service client binding,
you can select an existing general client binding or create a new
general client binding. To specify your global security (cell) default
bindings, use the administrative console and click .
For environments with multiple security domains, you can optionally
choose the general provider and general client bindings that you want
to use as the default bindings for a domain. For more information
about default bindings see the topic Setting default policy set bindings.
Procedure
- To manage system policy set attachments for trust service
operations, click . The list displays all endpoints that have
at least one operation with a policy set attached as well as Trust
Service Defaults. The list also displays the system policy set and
the binding for each operation.
- Select one or more of the following actions to configure
the trust service attachments:
- New Attachment
- Opens a new panel where you can specify the service endpoint URL.
For each new service endpoint that is specified, four trust service
operations (cancel, renew, validate and issue) change from having
inherited attachments to being explicitly attached. The four operations
are attached to the respective policy set and binding as specified
in Trust Service Defaults. These initial attachments can be changed.
- Attach
- Displays a list of existing system policy sets, including the
default trust-related system policy sets, to which each of the four
trust service operations for a service endpoint can be attached. First,
select the operation (for example, Cancel token) and then click Attach to
display the list of available system policy sets. Select a default
or custom system policy set to attach. When you change the policy
set attachment, the binding automatically changes to Default.
Select the operation and click Assign Binding to
change the binding.
The
pre-configured system policy sets that you can select include:
- TrustServiceSecurityDefault
This trust policy set specifies
the asymmetric algorithm as well as the public and private keys to
provide message security. Message integrity is provided by digitally
signing the body, time stamp, and WS-Addressing headers using RSA.
Message confidentiality is provided by encrypting the body and signature
using RSA. This policy set follows the WS-Security specification for
the issue and renew trust operation requests.
- TrustServiceSymmetricDefault
This trust policy set specifies
the symmetric algorithm as well as the derived key algorithms to provide
message security. Message integrity is provided by digitally signing
the body, time stamp, and WS-Addressing headers using HMAC-SHA1. Message
confidentiality is provided by encrypting the body and signature using
AES. This policy set follows the WS-Security and WS-SecureConversation
specifications for the validate and cancel trust operation requests.
- SystemWSSecurityDefault
This system policy set specifies
the asymmetric algorithm and both the public and private keys to provide
message security. Message integrity is provided by digitally signing
the body, time stamp, and WS-Addressing headers using RSA.
Message confidentiality is provided by encrypting the body and signature
using RSA.
- Inherit Operation Defaults
- Sets the operation to inherit the policy set attachment and binding
of the respective operation under Trust Service Defaults. If you select the
attachments to modify and then click Inherit Operation
Defaults, the explicit attachment for both the policy
set and the binding is removed. Thereafter, the operation inherits
any change to the default trust service policy set and binding.
- Assign Binding
- Changes the existing binding. You can create and assign a new
binding, assign the Default binding, or assign an existing trust service
specific binding to each of the selected trust service attachments.
- Update Runtime
- Updates the trust service runtime with any configuration changes
that are made to the trust service attachments, token providers, and
targets.
- Optional: Modify the custom policy set by clicking
the name of a custom policy set from the list. Edit the
settings for custom policy sets, as needed. Default trust service
policy set information can only be viewed.
You cannot edit the
default policy sets TrustServiceSecurityDefault, TrustServiceSymmetricDefault,
and SystemWSSecurityDefault. TrustServiceSecurityDefault is the default
for the issue and renew operations. TrustServiceSymmetricDefault
is the default for the cancel and validate operations.
At least
one trust service operation for the endpoint service URL must be explicitly
attached for the endpoint service URL to be displayed. If an operation
is explicitly attached, the system policy set name appears. If no
policy set is explicitly attached, the respective default trust service
policy set appears, followed by the text (inherited).
- Optional: Modify a trust service specific
binding by clicking the name of the binding in the list and editing its
settings as needed. Any modifications to a trust service binding affect all trust
service attachments that reference the binding, so review every endpoint
that uses the binding before you change it.
If the resource
has a policy set directly attached, either the binding's name appears
or Default appears.
- Save your changes before applying the changes to the trust
service runtime configuration.
- Click Update Runtime to update the
trust service runtime configuration with any data changes for token
providers, trust service attachments, and targets. Whether
the confirmation window appears depends on whether you select the Show
confirmation for update runtime command check box. Expand Preferences to
view the check box.
- Optional: Confirm or cancel if the confirmation
window appears. If you deselected the Show confirmation
for update runtime command check box, all changes are
made immediately without displaying the confirmation window.
Results
You have provided the basic information to create or update
a trust service attachment. You have configured trust service operation
attachments to system policy sets and bindings.
What to do next
You can also create a new attachment for the WebSphere Application Server trust service
using the wsadmin tool. The wsadmin tool examples are written in the
Jython scripting language.
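The following wsadmin (Jython) script is an added example and is not taken from this topic or from the product documentation. It performs the console procedure above for one endpoint: it explicitly attaches the four trust service operations, pairing issue and renew with TrustServiceSecurityDefault (the bootstrap section) and cancel and validate with TrustServiceSymmetricDefault (the application section), assigns a binding, saves, and refreshes the runtime. The endpoint URL, the binding name MyTrustBinding, the "Trust.<operation>:<url>" resource syntax, the system/trust attachment type, and the systemType trustService binding location are assumptions; confirm the exact argument forms for your release with print AdminTask.help('createPolicySetAttachment') and print AdminTask.help('setBinding') before running it.

```jython
# Added example (not the product's own script). Command argument formats are
# assumptions; verify them with AdminTask.help(...) for your WebSphere release.

endpoint = 'http://localhost:9080/MyService'   # assumed sample endpoint URL

# Issue and renew must use the policy set that matches the endpoint's bootstrap
# section; cancel and validate must match its application section.
attachments = [
    ('issue',    'TrustServiceSecurityDefault'),
    ('renew',    'TrustServiceSecurityDefault'),
    ('cancel',   'TrustServiceSymmetricDefault'),
    ('validate', 'TrustServiceSymmetricDefault'),
]

attachmentIds = {}
for op, policySet in attachments:
    # Assumed resource syntax: Trust.<operation>:<endpoint URL>
    resource = 'Trust.%s:%s' % (op, endpoint)
    attachmentIds[op] = AdminTask.createPolicySetAttachment(
        '[-policySet %s -resources "%s" -attachmentType system/trust]'
        % (policySet, resource))
    print '%-8s -> %s (attachment id %s)' % (op, policySet, attachmentIds[op])

# A new attachment starts with the Default binding. Assign a trust service
# specific binding explicitly where the default is not acceptable
# (MyTrustBinding is an assumed name; create it first in the console or
# with AdminTask.createWSSecurityBinding... for your release).
for op in attachmentIds:
    AdminTask.setBinding(
        '[-bindingLocation "[ [systemType trustService] [attachmentId %s] ]" '
        '-bindingName MyTrustBinding -attachmentType system/trust]'
        % attachmentIds[op])

# Persist the configuration, then push it to the trust service runtime
# (the equivalent of the console's Update Runtime button).
AdminConfig.save()
AdminTask.refreshSTS()
```

Run it with wsadmin -lang jython -f <script>. If you later reattach an operation to a different policy set, remember that the binding reverts to Default, exactly as it does in the console, so repeat the setBinding step for that attachment.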