You can use sample bindings with the administrative console
for testing purposes. The configurations that
you specify are reflected on the cell or server level.
WebSphere® Application Server Version 7.0
and later includes provider and client sample bindings for testing
purposes. In the bindings, the product provides sample values for
supporting tokens for different token types, such as the X.509 token,
the username token, the LTPA token, and the Kerberos token. The bindings
also include sample values for message protection information for
token types such as X.509 and secure conversation. Both provider and
client sample bindings can be applied to the applications attached
with a system policy set, or application policy set, from the default
local repository.
This information describes the general sample bindings for the Java API for XML-Based Web Services (JAX-WS)
programming model. You can develop web services using the Java API for XML-based RPC (JAX-RPC) programming
model or, for WebSphere Application Server Version 7.0 and later, using the JAX-WS programming model. The
general sample bindings differ depending on which programming model you use. The following sections
describe the general sample bindings for JAX-WS.
Best practice: IBM® WebSphere Application
Server supports the Java API
for XML-Based Web Services (JAX-WS) programming model and the Java API for XML-based RPC (JAX-RPC)
programming model. JAX-WS is the next generation web services programming
model extending the foundation provided by the JAX-RPC programming
model. Using the strategic JAX-WS programming model, development of
web services and clients is simplified through support of a standards-based
annotations model. Although the JAX-RPC programming model and applications
are still supported, take advantage of the easy-to-implement JAX-WS
programming model to develop new web services applications and clients.
Do not use these provider and client sample bindings in their default
state in a production environment. You must modify the bindings to
meet your security needs before using them in a production environment
by making a copy of the bindings and then modifying the copy. For
example, you must change the key and keystore settings to ensure security,
and modify the binding settings to match your environment.
Avoid trouble: After making a copy of the provider or client
sample bindings, only customize the settings of your new copy to suit
your purposes. Do not remove anything from the client sample binding,
such as token generators, token consumers, sign parts, or encrypt
parts.
One set of general default bindings is shared by the applications to make
application deployment easier. You can specify default bindings for your
service provider or client at the global security (cell) level, for a
security domain, or for a particular server. A default binding is used only
in the absence of an overriding binding at a narrower scope, so the
application server resolves default bindings from the narrowest scope to
the widest and uses the first one it finds:
- Server level default (highest precedence)
- Security domain level default
- Global security (cell) default (lowest precedence)
General client sample bindings
- The sample configuration for signing information generation, called asymmetric-signingInfoRequest,
contains the following configuration:
- References the gen_signkeyinfo signing key information.
- The part reference configuration, which contains the transform
configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
- The signing key information, gen_signkeyinfo,
which contains this configuration:
- The security token reference.
- The gen_signx509token protection token asymmetric
signature generator, as follows:
- Contains the X.509 V3 Token v1.0 token type.
- Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value
type for the local part value.
- Contains the wss.generate.x509 JAAS login.
- The X.509 Callback Handler. The callback handler calls the custom
keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks,
with these characteristics:
- The keystore type is JKS.
- The keystore password is client.
- The alias name of the trusted certificate is soapca.
- The alias name of the personal certificate is soaprequester.
- The key password is client. The personal certificate is issued by the
intermediate certificate authority Int CA2, whose certificate is in turn issued by soapca.
- The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for signing information generation called symmetric-signingInfoRequest contains
the following configuration:
- References the gen_signsctkeyinfo signing key
information.
- The part reference configuration, which contains the transform
configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
- The signing key information, gen_signsctkeyinfo,
which contains this configuration:
- The security token reference.
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The gen_scttoken protection token generator,
as follows:
- Contains the Secure Conversation Token Version 1.3 token type.
- Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value
type as the local part value.
- Contains the wss.generate.sct JAAS login.
- The WS-Trust Callback Handler.
- The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information generation,
called asymmetric-encryptionInfoRequest, contains
the following configuration:
- References the gen_enckeyinfo encryption key
information.
- Encryption key information, named gen_enckeyinfo,
which contains this configuration:
- The key identifier.
- The gen_encx509token protection token asymmetric
encryption generator, as follows:
- Keystore type is JCEKS.
- Keystore password is client.
- Alias name of the trusted certificate is soapca.
- Alias name of the personal certificate is bob.
- The key password is client. The personal certificate is issued by the
intermediate certificate authority Int CA2, whose certificate is in turn issued by soapca.
- The X.509 Callback Handler. The callback handler calls the custom
keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks.
- The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information generation,
called symmetric-encryptionInfoRequest, contains
the following configuration:
- References the gen_encsctkeyinfo encryption key
information.
- The encryption key information, gen_encsctkeyinfo,
which contains this configuration:
- The security token reference.
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The gen_scttoken protection token generator,
which contains the following configuration:
- Contains the Secure Conversation Token v1.3 token type.
- Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value
type for the local part value.
- Contains wss.generate.sct JAAS login.
- The WS-Trust Callback Handler.
- The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for signing information consumption,
called asymmetric-signingInfoResponse, contains the
following configuration:
- References the con_signkeyinfo signing key information.
- The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
- The signing key information, named con_signkeyinfo,
which contains the following configuration:
- The con_signx509token protection token asymmetric
signature consumer, as follows:
- Contains the X.509 V3 Token v1.0 token type.
- Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value
type for the local part value.
- Contains the wss.consume.x509 JAAS login.
- The X.509 Callback Handler, as follows:
- References a certificate store named DigSigCertStore.
- References a trusted anchor store named DigSigTrustAnchor.
- The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for signing information consumption,
called symmetric-signingInfoResponse, contains the
following configuration:
- References the con_sctsignkeyinfo signing key
information.
- The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
- The signing key information, named con_sctsignkeyinfo,
which contains the following configuration:
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The con_scttoken protection token consumer, as
follows:
- Contains the Secure Conversation Token v1.3 token type.
- Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value
type for the local part value.
- Contains the wss.consume.sct JAAS login.
- The WS-SecureConversation Callback Handler.
- The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information consumption,
called asymmetric-encryptionInfoResponse, which contains
the following configuration:
- References the dec_keyinfo encryption key information.
- The encryption key information, named dec_keyinfo,
which contains the following configuration:
- The con_encx509token protection token asymmetric
encryption consumer, as follows:
- Contains the X.509 V3 Token v1.0 token type.
- Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value
type for the local part value.
- Contains the wss.consume.x509 JAAS login.
- The X.509 Callback Handler. The callback handler calls the custom
keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks,
with the following characteristics:
- The keystore type is JCEKS.
- The keystore password is client.
- The alias name of the trusted certificate is soapca.
- The alias name of the personal certificate is alice.
- The key password is client. The personal certificate is issued by the
intermediate certificate authority Int CA2, whose certificate is in turn issued by soapca.
- The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information consumption,
called symmetric-encryptionInfoResponse, contains
the following configuration:
- References the dec_sctkeyinfo encryption key
information.
- The encryption key information, named dec_sctkeyinfo,
contains the following configuration:
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The con_scttoken protection token consumer, as
follows:
- Contains the Secure Conversation Token v1.3 token type.
- Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value
type for the local part value.
- Contains the wss.consume.sct JAAS login.
- The WS-SecureConversation Callback Handler.
- The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for authentication token generation,
called gen_signkrb5token, contains the following
configuration:
- The custom token type for the Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for
the local part value.
- The wss.generate.KRB5BST JAAS login.
- The following custom properties:
- The custom Kerberos token callback handler. You must provide the
correct values for the Kerberos client principal and password.
- The sample configuration for authentication token generation,
called gen_signltpaproptoken, contains the following
configuration:
- The token type LTPA propagation token, as follows:
- Contains LTPA_PROPAGATION for the local part
value.
- Contains http://www.ibm.com/websphere/appserver/tokentype for
the Namespace URI value.
- Contains the wss.generate.ltpaProp JAAS login.
- Uses the LTPA token callback handler.
- The sample configuration for authentication token generation,
called gen_signltpatoken, contains the following
configuration:
- The token type of LTPA Token v2.0, as follows:
- Contains LTPAv2 for the local part
value.
- Contains http://www.ibm.com/websphere/appserver/tokentype for
the Namespace URI value.
- The wss.generate.ltpa JAAS login.
- The LTPA token callback handler.
- The sample configuration for authentication token generation,
called gen_signunametoken, contains the following
configuration:
- The token type of Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for
the local part value.
- The wss.generate.unt JAAS login.
- The Username token callback handler, as follows:
- Contains basic authentication fields. You must provide the correct
values for your environment for client principal and password.
- Contains the following custom properties:
- com.ibm.wsspi.wssecurity.token.username.addNonce for
adding the nonce value.
- com.ibm.wsspi.wssecurity.token.username.addTimestamp for
adding the time stamp value.
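The derived-key settings that recur in the symmetric sample bindings above (client label and service label WS-SecureConversation, key length 16 bytes, nonce length 16 bytes, signature method hmac-sha1) are easier to understand as bytes. The following Python is an added example, not WebSphere code and not taken from this page: it implements the WS-SecureConversation 1.3 key derivation (the TLS P_SHA1 expansion over the secure conversation token's secret, seeded with the concatenated labels and the nonce) and uses the 16-byte result as the hmac-sha1 signing key. The secret, nonce and SignedInfo bytes are constructed for the example; in the product the secret is established by the WS-Trust exchange that issued the secure conversation token.

```python
"""Added example (not WebSphere code): WS-SecureConversation 1.3 derived
keys, as configured by the "derived key" entries of the symmetric sample
bindings, followed by an xmldsig#hmac-sha1 signature with the result."""
import hashlib
import hmac
import os

# Values taken from the sample binding.
CLIENT_LABEL = "WS-SecureConversation"
SERVICE_LABEL = "WS-SecureConversation"
KEY_LENGTH = 16    # bytes: an AES-128 or HMAC key
NONCE_LENGTH = 16  # bytes


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 expansion, the function WS-SecureConversation 1.3 uses:
    A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1)),
    output = HMAC-SHA1(secret, A(1) + seed) || HMAC-SHA1(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int = 0,
               length: int = KEY_LENGTH,
               label: str = CLIENT_LABEL + SERVICE_LABEL) -> bytes:
    """Key material for one wsc:DerivedKeyToken: bytes [offset, offset+length)
    of P_SHA1(secret, label + nonce). Label, nonce, offset and length travel
    in the token; the secret never does, so only a holder of the secure
    conversation token's secret can recompute the key."""
    if len(nonce) != NONCE_LENGTH:
        raise ValueError("nonce must be %d bytes" % NONCE_LENGTH)
    stream = p_sha1(secret, label.encode("utf-8") + nonce, offset + length)
    return stream[offset:offset + length]


def sign(secret: bytes, nonce: bytes, signed_info_c14n: bytes) -> bytes:
    """ds:SignatureValue for SignatureMethod xmldsig#hmac-sha1, computed over
    the exclusive-c14n form of ds:SignedInfo with the derived key."""
    return hmac.new(derive_key(secret, nonce), signed_info_c14n, hashlib.sha1).digest()


def verify(secret: bytes, nonce: bytes, signed_info_c14n: bytes, signature: bytes) -> bool:
    """Consumer side: rederive the key from the token's nonce and compare in constant time."""
    return hmac.compare_digest(sign(secret, nonce, signed_info_c14n), signature)


if __name__ == "__main__":
    # Constructed inputs: the SCT secret normally comes from the WS-Trust
    # exchange; the nonce is fresh for every DerivedKeyToken.
    sct_secret = os.urandom(32)
    nonce = os.urandom(NONCE_LENGTH)
    signed_info = (b'<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
                   b'<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
                   b'</ds:CanonicalizationMethod>'
                   b'<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">'
                   b'</ds:SignatureMethod>'
                   b'</ds:SignedInfo>')
    signature = sign(sct_secret, nonce, signed_info)
    print("derived key:", derive_key(sct_secret, nonce).hex())
    print("verifies with the same nonce:", verify(sct_secret, nonce, signed_info, signature))
    print("verifies with a different nonce:",
          verify(sct_secret, os.urandom(NONCE_LENGTH), signed_info, signature))
```

The same derivation backs the symmetric-encryptionInfoRequest entry; signing and encryption keys stay distinct because each DerivedKeyToken carries its own nonce (or a different offset into the P_SHA1 stream), which is why the "nonce length of 16 bytes" setting matters as much as the key length.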
Client sample bindings V2
Two new general sample bindings, Client sample V2, and
Provider sample V2, have been added to the product. While many of
the configurations are the same as previous versions of the client
sample and provider sample bindings, there are several additional,
new sample configurations. To use these new bindings, create a new
profile after installing the product. For more information, read the
topic Configuring Kerberos policy sets and V2 general sample bindings.
- The sample configuration for signing information generation, called symmetric-KrbsignInfoRequest,
contains the following configuration:
- References the gen_reqKRBsignkeyinfo signing
key information.
- The part reference configuration, which contains the transform
configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
- The signing key information, gen_reqKRBsignkeyinfo,
which contains this configuration:
- The security token reference.
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The gen_krb5token protection token generator,
as follows:
- Contains the Kerberos V5 GSS AP_REQ binary security token type.
- Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value
type as the local part value.
- Contains the wss.generate.KRB5BST JAAS login.
- The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
- The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information generation,
called symmetric-KrbEncInfoRequest, contains the
following configuration:
- References the gen_reqKRBenckeyinfo encryption
key information.
- The encryption key information, gen_reqKRBenckeyinfo,
which contains this configuration:
- The security token reference.
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The gen_krb5token protection token generator,
which contains the following configuration:
- Contains the Kerberos V5 GSS AP_REQ binary security token type.
- Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value
type for the local part value.
- Contains the wss.generate.KRB5BST JAAS login.
- The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
- The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for signing information consumption,
called symmetric-KrbsignInfoResponse, contains the
following configuration:
- References the con_respKRBsignkeyinfo signing
key information.
- The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
- The signing key information, named con_respKRBsignkeyinfo,
which contains the following configuration:
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The con_krb5token protection token consumer,
as follows:
- Contains the Kerberos V5 GSS AP_REQ binary security token type.
- Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value
type for the local part value.
- Contains the wss.consume.KRB5BST JAAS login.
- The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
- The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information consumption,
called symmetric-KrbEncInfoResponse, contains the
following configuration:
- References the con_respKRBenckeyinfo encryption
key information.
- The encryption key information, named con_respKRBenckeyinfo,
contains the following configuration:
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The con_krb5token protection token consumer,
as follows:
- Contains the Kerberos V5 GSS AP_REQ binary security token type.
- Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value
type for the local part value.
- Contains the wss.consume.KRB5BST JAAS login.
- The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
- The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for authentication token generation,
called gen_krb5token, contains the following configuration:
- The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for
the local part value.
- The wss.generate.KRB5BST JAAS login.
- The custom Kerberos token callback handler.
- The sample configuration for authentication token consumption,
called con_krb5token, contains the following configuration:
- The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for
the local part value.
- The wss.consume.KRB5BST JAAS login.
- The custom Kerberos token callback handler.
General provider sample bindings
- The sample configuration for signing information consumption,
called asymmetric-signingInfoRequest, contains the
following configuration:
- References the con_signkeyinfo signing key information.
- The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
- The signing key information, named con_signkeyinfo,
which contains the following configuration:
- The con_signx509token protection token asymmetric
signature consumer, as follows:
- Contains the X.509 V3 Token v1.0 token type.
- Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value
type for the local part value.
- Contains the wss.consume.x509 JAAS login.
- The X.509 Callback Handler, as follows:
- References a certificate store named DigSigCertStore.
- References a trusted anchor store named DigSigTrustAnchor.
- The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for signing information consumption,
called symmetric-signingInfoRequest, contains the
following configuration:
- References the con_sctsignkeyinfo signing key
information.
- The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
- The signing key information, named con_sctsignkeyinfo,
which contains the following configuration:
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The con_scttoken protection token consumer,
as follows:
- Contains the Secure Conversation Token v1.3 token type.
- Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value
type for the local part value.
- Contains the wss.consume.sct JAAS login.
- The WS-SecureConversation Callback Handler.
- The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information consumption,
called asymmetric-encryptionInfoRequest, contains
the following configuration:
- References the dec_keyinfo encryption key information.
- The encryption key information, named dec_keyinfo,
which contains the following configuration:
- The con_encx509token protection token asymmetric
encryption consumer, as follows:
- Contains the X.509 V3 Token v1.0 token type.
- Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value
type for the local part value.
- Contains the wss.consume.x509 JAAS login.
- The X.509 Callback Handler. The callback handler calls the custom
keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks,
with the following characteristics:
- The keystore type is JCEKS.
- The keystore password is client.
- The alias name of the trusted certificate is soapca.
- The alias name of the personal certificate is bob.
- The key password is client. The personal certificate is issued by the
intermediate certificate authority Int CA2, whose certificate is in turn issued by soapca.
- The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information consumption,
called symmetric-encryptionInfoRequest, contains
the following configuration:
- References the dec_sctkeyinfo encryption key
information.
- The encryption key information, named dec_sctkeyinfo,
which contains the following configuration:
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The con_scttoken protection token consumer, as
follows:
- Contains the Secure Conversation Token v1.3 token type.
- Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value
type for the local part value.
- Contains the wss.consume.sct JAAS login.
- The WS-SecureConversation Callback Handler.
- The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for signing information generation, called asymmetric-signingInfoResponse,
contains the following configuration:
- References the gen_signkeyinfo signing key information.
- The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
- The signing key information, named gen_signkeyinfo,
which contains the following configuration:
- The security token reference.
- The gen_signx509token protection token asymmetric
signature generator, as follows:
- Contains the X.509 V3 Token v1.0 token type.
- Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value
type for the local part value.
- Contains the wss.generate.x509 JAAS login.
- The X.509 Callback Handler. The callback handler calls the custom
keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks,
with the following characteristics:
- The keystore type is JKS.
- The keystore password is client.
- The alias name of the trusted certificate is soapca.
- The alias name of the personal certificate is soapprovider.
- The key password is client. The personal certificate is issued by the
intermediate certificate authority Int CA2, whose certificate is in turn issued by soapca.
- The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for signing information generation, called symmetric-signingInfoResponse,
contains the following configuration:
- References the gen_signsctkeyinfo signing key
information.
- The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
- The signing key information, named gen_signsctkeyinfo,
which contains the following configuration:
- The security token reference.
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The gen_scttoken protection token generator,
as follows:
- Contains the Secure Conversation Token v1.3 token type.
- Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value
type for the local part value.
- Contains the wss.generate.sct JAAS login.
- The WS-Trust Callback Handler.
- The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information generation,
called asymmetric-encryptionInfoResponse, contains
the following configuration:
- References the gen_enckeyinfo encryption key
information.
- The encryption key information, named gen_enckeyinfo,
contains the following configuration:
- The key identifier.
- The gen_encx509token protection token asymmetric
encryption generator, as follows:
- Contains the X.509 V3 Token v1.0 token type.
- Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value
type for the local part value.
- Contains the wss.generate.x509 JAAS login.
- Uses X.509 Callback Handler. The callback handler calls the custom
keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks,
with the following characteristics:
- The keystore type is JCEKS.
- The keystore password is client.
- The alias name of the trusted certificate is soapca.
- The alias name of the personal certificate is alice.
- The key password is client. The personal certificate is issued by the
intermediate certificate authority Int CA2, whose certificate is in turn issued by soapca.
- The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information generation,
called symmetric-encryptionInfoResponse, contains
the following configuration:
- References the gen_encsctkeyinfo encryption key
information.
- The encryption key information, named gen_encsctkeyinfo,
contains the following configuration:
- The security token reference.
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The gen_scttoken protection token generator,
as follows:
- Contains the Secure Conversation Token v1.3 token type.
- Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value
type for the local part value.
- Contains the wss.generate.sct JAAS login.
- The WS-Trust Callback Handler.
- The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for authentication token consumption,
called con_krb5token, contains the following configuration:
- The custom token type for Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for
the local part value.
- The wss.consume.KRB5BST JAAS login.
- The custom Kerberos token callback handler.
- The sample configuration for authentication token consumption,
called con_ltpaproptoken, contains the following
configuration:
- The token type LTPA propagation token.
- The wss.consume.ltpaProp JAAS login.
- The LTPA token callback handler.
- The sample configuration for authentication token consumption,
called con_ltpatoken, contains the following configuration:
- The token type LTPA Token v2.0, with the following
characteristics:
- Contains LTPAv2 for the local part value.
- Contains http://www.ibm.com/websphere/appserver/tokentype for
the Namespace URI value.
- The wss.consume.ltpa JAAS login.
- The LTPA token callback handler.
- The sample configuration for authentication token consumption,
called con_unametoken, contains the following configuration:
- Token type Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for
the local part value.
- The wss.consume.unt JAAS login.
- The Username token callback handler, with the following custom
properties:
- com.ibm.wsspi.wssecurity.token.username.verifyNonce for
verifying the nonce value.
- com.ibm.wsspi.wssecurity.token.username.verifyTimestamp for
verifying the time stamp value.
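The addNonce and addTimestamp properties on the client's gen_signunametoken and the verifyNonce and verifyTimestamp properties on the provider's con_unametoken exist to stop a captured UsernameToken from being replayed. The following Python is an added example, not WebSphere code and not taken from this page: it builds a UsernameToken the way a generator with both add properties does, and checks it the way a consumer with both verify properties must, using the digest rule of the OASIS Web Services Security UsernameToken Profile 1.0 (PasswordDigest = Base64(SHA-1(nonce + created + password))). The user store, clock, freshness window and clock-skew allowance are constructed assumptions.

```python
"""Added example (not WebSphere code): the generator side behind the client
binding's addNonce/addTimestamp and the consumer checks behind the provider
binding's verifyNonce/verifyTimestamp. Token layout and digest rule follow
OASIS WSS UsernameToken Profile 1.0."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is the raw octets."""
    return base64.b64encode(
        hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    ).decode("ascii")


def make_token(username: str, password: str, nonce: bytes, created: str) -> str:
    """Generator side (addNonce + addTimestamp): a wsse:UsernameToken that
    carries a digest, a fresh nonce and a wsu:Created time stamp."""
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
        f"<wsse:Nonce>{base64.b64encode(nonce).decode('ascii')}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenVerifier:
    """Consumer side. lookup_password(username) returns the stored password or
    None. freshness bounds how old Created may be; a nonce is remembered for
    that long, so a captured token cannot be presented twice."""

    def __init__(self, lookup_password, freshness: timedelta = timedelta(minutes=5),
                 clock_skew: timedelta = timedelta(seconds=30)):
        self._lookup = lookup_password
        self._freshness = freshness
        self._skew = clock_skew
        self._seen = {}  # nonce -> expiry; a cluster needs a shared cache here

    def verify(self, token_xml: str, now: datetime) -> str:
        root = ET.fromstring(token_xml)
        username = root.findtext(f"{{{WSSE}}}Username")
        password_el = root.find(f"{{{WSSE}}}Password")
        nonce_b64 = root.findtext(f"{{{WSSE}}}Nonce")
        created = root.findtext(f"{{{WSU}}}Created")
        if None in (username, password_el, nonce_b64, created):
            raise ValueError("token lacks Username, Password, Nonce or Created")
        if password_el.get("Type") != DIGEST_TYPE:
            raise ValueError("only PasswordDigest tokens are accepted")
        # verifyTimestamp: Created must lie inside [now - freshness, now + skew].
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if not (now - self._freshness <= created_at <= now + self._skew):
            raise ValueError("Created is outside the freshness window")
        # verifyNonce: drop expired entries, then reject a nonce seen inside the window.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce_b64 in self._seen:
            raise ValueError("nonce replay")
        stored = self._lookup(username)
        if stored is None:
            raise ValueError("unknown user")
        expected = password_digest(base64.b64decode(nonce_b64), created, stored)
        if not hmac.compare_digest(expected, password_el.text or ""):
            raise ValueError("password digest mismatch")
        self._seen[nonce_b64] = now + self._freshness
        return username


def check(verifier: UsernameTokenVerifier, token_xml: str, now: datetime) -> str:
    """Outcome as a string, convenient for logging."""
    try:
        return "accepted:" + verifier.verify(token_xml, now)
    except ValueError as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    # Constructed user store and clock.
    users = {"alice": "s3cret"}
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier(users.get)
    token = make_token("alice", "s3cret", b"\x00" * 16, "2024-01-01T11:59:30Z")
    print(check(verifier, token, now))  # accepted:alice
    print(check(verifier, token, now))  # rejected:nonce replay
```

The order of the checks is deliberate: the time stamp is tested first so that the nonce cache only has to hold nonces from inside the freshness window, and the nonce is recorded only after the digest verifies, so an attacker who cannot produce a valid digest cannot burn nonces on behalf of a legitimate client. Enabling verifyNonce without verifyTimestamp would force the cache to grow without bound.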
Provider sample bindings V2
- The sample configuration for signing information consumption, called symmetric-KrbsignInfoRequest,
contains the following configuration:
- References the con_respKRBsignkeyinfo signing
key information.
- The part reference configuration, which contains the transform
configuration using the http://www.w3.org/2001/10/xml-exc-c14n#
algorithm.
- The signing key information, con_respKRBsignkeyinfo,
which contains this configuration:
- The security token reference.
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The con_krb5token protection token consumer,
as follows:
- Contains the Kerberos V5 GSS AP_REQ binary security token type.
- Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value
type as the local part value.
- Contains wss.consume.KRB5BST JAAS login.
- The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
- The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information consumption,
called symmetric-KrbEncInfoRequest, contains the
following configuration:
- References the con_reqKRBenckeyinfo encryption
key information.
- The encryption key information, con_reqKRBenckeyinfo,
which contains this configuration:
- The security token reference.
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The con_krb5token protection token consumer,
which contains the following configuration:
- Contains the Kerberos V5 GSS AP_REQ binary security token type.
- Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value
type for the local part value.
- Contains wss.consume.KRB5BST JAAS login.
- The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
- The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for signing information generation,
called symmetric-KrbsignInfoResponse, contains the
following configuration:
- References the gen_respKRBsignkeyinfo signing
key information.
- The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
- The signing key information, named gen_respKRBsignkeyinfo,
which contains the following configuration:
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The gen_krb5token protection token generator,
as follows:
- Contains the Kerberos V5 GSS AP_REQ binary security token type.
- Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value
type for the local part value.
- Contains the wss.generate.KRB5BST JAAS login.
- The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
- The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
- The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information generation,
called symmetric-KrbEncInfoResponse, contains the
following configuration:
- References the gen_respKRBenckeyinfo encryption
key information.
- The encryption key information, named gen_respKRBenckeyinfo,
contains the following configuration:
- The derived key, as follows:
- Requires explicit derived key token.
- WS-SecureConversation as the client label.
- WS-SecureConversation as the service label.
- Key length of 16 bytes.
- Nonce length of 16 bytes.
- The gen_krb5token protection token generator,
as follows:
- Contains the Kerberos V5 GSS AP_REQ binary security token type.
- Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value
type for the local part value.
- Contains the wss.generate.KRB5BST JAAS login.
- The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
- The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for authentication token generation,
called gen_krb5token, contains the following configuration:
- The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for
the local part value.
- The wss.generate.KRB5BST JAAS login.
- The custom Kerberos token callback handler.
- The sample configuration for authentication token consumption,
called con_krb5token, contains the following configuration:
- The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for
the local part value.
- The wss.consume.KRB5BST JAAS login.
- The custom Kerberos token callback handler.