WSSecurity policy and binding properties
Use the attributes parameter for the setPolicyType and setBinding commands to specify additional configuration information for the WSSecurity policy and binding configuration. Application and system policy sets can use the WSSecurity policy and the corresponding binding configuration.
Before you use the commands in this topic, verify that you are using the most recent version of the wsadmin tool. The policy set management commands that accept a properties object as a value for the attributes or bindingLocation parameters are not supported in previous versions. For example, they do not run on a node at version 6.1.0.x.
- Use the -attributes parameter for the getPolicyType and getBinding commands to display the properties of the policy and binding configuration. To get an attribute, pass the property name to the getPolicyType or getBinding command.
- Use the -attributes parameter for the setPolicyType and setBinding commands to add, update, or remove properties in the policy and binding configuration. To add or update an attribute, specify the property name and value. The setPolicyType and setBinding commands update the value if the attribute exists, or add the attribute and value if it does not exist. To remove an attribute, specify the value as an empty string (""). The -attributes parameter accepts a properties object.

To support a mixed-cell environment, WebSphere Application Server supports version 7.0 and version 6.1 bindings. Cell-level general bindings are specific to version 7.0. Application-specific bindings remain at the version that the application requires. When a user creates an application-specific binding, the application server determines the required binding version to use for that application.
SignatureProtection.response:int_body.SignedParts.Body, SignatureProtection.response:int_body.SignedParts.Header_0.Name and SignatureProtection.response:int_body.SignedParts.Header_0.Namespace
WSSecurity policy properties
- AsymmetricBinding: You can specify zero or one binding assertion.
- SymmetricBinding: You can specify zero or one binding assertion. AsymmetricBinding and SymmetricBinding cannot co-exist in a security policy file.
- Wss11: You can specify zero or one Wss11 assertion.
- Wss10: You can specify zero or one Wss10 assertion.
- Trust10: You can specify zero or one Trust10 assertion.
- SignatureProtection: You can specify zero or any number of signature protection assertions.
- EncryptionProtection: You can specify zero or any number of encryption protection assertions.
- SupportingTokens: You can specify zero or any number of supporting token assertions.
<sp:AsymmetricBinding>
  <wsp:Policy>
    <sp:InitiatorSignatureToken>
      <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <sp:WssX509V3Token10 />
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:InitiatorSignatureToken>
    <sp:RecipientSignatureToken>
      <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToInitiator">
          <wsp:Policy>
            <sp:WssX509V3Token10 />
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:RecipientSignatureToken>
    <sp:AlgorithmSuite>
      <wsp:Policy>
        <sp:Basic256/>
      </wsp:Policy>
    </sp:AlgorithmSuite>
    <sp:Layout>
      <wsp:Policy>
        <sp:Strict/>
      </wsp:Policy>
    </sp:Layout>
  </wsp:Policy>
</sp:AsymmetricBinding>
The AsymmetricBinding example returns the following properties:
AsymmetricBinding.Layout = Strict
AsymmetricBinding.AlgorithmSuite.Basic256 = true
AsymmetricBinding.RecipientSignatureToken.X509Token_0.IncludeToken = http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToInitiator
AsymmetricBinding.InitiatorSignatureToken.X509Token_0.WssX509V3Token10 = true
AsymmetricBinding.InitiatorSignatureToken.X509Token_0.IncludeToken = http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient
AsymmetricBinding.RecipientSignatureToken.X509Token_0.WssX509V3Token10 = true
<sp:SupportingTokens>
  <wsp:Policy wsu:Id="request:custom_auth">
    <spe:CustomToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <spe:WssCustomToken uri="http://bar.com/MyCustomToken" localname="tokenv1">
        </spe:WssCustomToken>
      </wsp:Policy>
    </spe:CustomToken>
  </wsp:Policy>
</sp:SupportingTokens>
The SupportingTokens example returns the following properties:
SupportingTokens.request:custom_auth.CustomToken_0.WssCustomToken.uri=http://bar.com/MyCustomToken
SupportingTokens.request:custom_auth.CustomToken_0.IncludeToken=http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient
SupportingTokens.request:custom_auth.CustomToken_0.WssCustomToken.localname=tokenv1
- The wsu:Id element: This element uses the actual value of the Id instead of using Id as the attribute name. See the following policy file example:
  <wsp:Policy wsu:Id="response:int_body">
    <sp:SignedParts>
      <sp:Body/>
    </sp:SignedParts>
  </wsp:Policy>
  The previous wsu:Id example returns the following property:
  SignatureProtection.response:int_body.SignedParts.Body = true
- The Header element: Because there can be multiple Header elements, the Header_n notation is used to represent this property. See the following policy file example:
  <wsp:Policy wsu:Id="request:conf_body">
    <sp:EncryptedParts>
      <sp:Body/>
      <sp:Header Name="MyElement" Namespace="http://foo.com/MyNamespace" />
    </sp:EncryptedParts>
  </wsp:Policy>
  The previous Header example returns the following properties:
  EncryptionProtection.request:conf_body.EncryptedParts.Header_0.Name=MyElement
  EncryptionProtection.request:conf_body.EncryptedParts.Header_0.Namespace=http://foo.com/MyNamespace
- The XPath element: Because there can be multiple XPath elements, the XPath_n notation is used to represent this property. See the following policy file example:
  <wsp:Policy wsu:Id="request:int_body">
    <sp:SignedElements>
      <sp:XPath>SomeXPathExpression</sp:XPath>
      <sp:XPath>SomeOtherXPathExpression</sp:XPath>
    </sp:SignedElements>
  </wsp:Policy>
  The previous XPath example returns the following properties:
  SignatureProtection.request:int_body.SignedElements.XPath_0=SomeXPathExpression
  SignatureProtection.request:int_body.SignedElements.XPath_1=SomeOtherXPathExpression
- The X509Token element: Use the X509Token_n notation to represent this property because multiple X509Token elements can exist. For an example, see the AsymmetricBinding assertion.
- The CustomToken element: Use the CustomToken_n notation to represent this property because multiple CustomToken elements can exist. For an example, see the SupportingTokens assertion.
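To show how the dotted property names in this section are derived from the policy XML, the following Python script (an added example, not part of this topic or of WebSphere) flattens a fragment using the rules above: a wsu:Id becomes a path segment, Header, XPath, X509Token and CustomToken get _n suffixes, attributes become .Name entries, empty leaf elements are reported as true, and Layout is reported as its chosen option. The prefix argument, the COUNTED set and the namespace URIs in the constructed sample are assumptions of this example.

```python
"""Flatten a WS-SecurityPolicy fragment into the dotted property names that
getPolicyType reports. Added illustration, not WebSphere code; the naming
rules are the ones shown on this page."""
import xml.etree.ElementTree as ET

# Elements that may occur more than once and therefore carry an _n suffix.
COUNTED = {"Header", "XPath", "X509Token", "CustomToken"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} ElementTree prepends

def flatten_policy(xml_text, prefix=""):
    # prefix: wsadmin assertion name (e.g. "SignatureProtection") to put in
    # front of a fragment whose root is a bare wsp:Policy with a wsu:Id.
    root = ET.fromstring(xml_text)
    name = _local(root.tag)
    path = prefix if name == "Policy" else ".".join(s for s in (prefix, name) if s)
    props = {}
    _walk(root, path, props)
    return props

def _walk(elem, path, props):
    name = _local(elem.tag)
    if name == "Policy":
        # wsp:Policy is a wrapper: its wsu:Id, if any, becomes a path segment
        # (SupportingTokens.request:custom_auth...); otherwise it is skipped.
        wsu_id = next((v for k, v in elem.attrib.items() if _local(k) == "Id"), None)
        _walk_children(elem, ".".join(s for s in (path, wsu_id) if s), props)
        return
    # Attributes become path.AttrName = value (the sp: prefix is dropped).
    for attr, value in elem.attrib.items():
        props[f"{path}.{_local(attr)}"] = value
    if len(elem) == 0:
        text = (elem.text or "").strip()
        # XPath keeps its text; an empty leaf such as Body or Basic256 is true.
        if text or not elem.attrib:
            props[path] = text or "true"
        return
    if name == "Layout":
        # Layout is reported as its chosen option, e.g. Layout = Strict.
        opt = next(e for e in elem.iter() if e is not elem and _local(e.tag) != "Policy")
        props[path] = _local(opt.tag)
        return
    _walk_children(elem, path, props)

def _walk_children(elem, path, props):
    counters = {}  # numbers repeatable children Header_0, Header_1, ...
    for child in elem:
        name = _local(child.tag)
        if name == "Policy":
            _walk(child, path, props)
            continue
        if name in COUNTED:
            counters[name] = counters.get(name, 0) + 1
            name = f"{name}_{counters[name] - 1}"
        _walk(child, f"{path}.{name}", props)

# Constructed sample: the request:conf_body fragment shown on this page.
SAMPLE = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 wsu:Id="request:conf_body"><sp:EncryptedParts><sp:Body/><sp:Header Name="MyElement"
 Namespace="http://foo.com/MyNamespace"/></sp:EncryptedParts></wsp:Policy>"""

if __name__ == "__main__":
    print(flatten_policy(SAMPLE, "EncryptionProtection"))
```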
WSSecurity binding properties
Use the getBinding command to review a properties object with the properties that are configured in your current WSSecurity binding configuration. You can also use the administrative console to configure your WSSecurity bindings. For more information, see the information center topics about configuring WSSecurity bindings with the administrative console.
The properties defined in this section reflect the hierarchy of the binding schema. Each part of the property name is a lowercase version of the schema type. For example, the application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname property follows the hierarchical format. The attributes begin with application or bootstrap. Attributes that begin with application represent bindings that are associated with the main WS-Security policy. Attributes that begin with bootstrap represent bindings that are associated with the WS-Security bootstrap policy, where the WS-Security policy uses Secure Conversation.
application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.certpathsettings.certstoreref.reference
application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.certpathsettings.trustanchorref.reference
application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname
application.securityinboundbindingconfig.tokenconsumer_0.classname
application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname
application.securityinboundbindingconfig.tokenconsumer_0.name
application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname
application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri
Additionally, some properties in the security binding file return a value of true when queried. To set these properties, set the value to true to include the property, or set the value to an empty string ("") to remove the property. For example, the time stamp, nonce, and trustAnyCertificate properties follow this pattern.
- To add a property, use the setBinding command to pass the property name with a non-zero length string value. To add a list item, use the _n notation to reflect a numeric value that is greater than any current numeric value for the property. For example, if the tokenconsumer_0 and tokenconsumer_1 properties exist in your configuration, specify the new tokenconsumer property as tokenconsumer_2. After adding a property, use the getBinding command to view the most recent list of configured properties.
- To remove a property, use the setBinding command to pass the property name with an empty string (""). For example, to remove all of the tokenconsumer_0 properties, specify the following property with the attributes parameter:
  application.securityinboundbindingconfig.tokenconsumer_0=""
  The previous example removes all properties that begin with the application.securityinboundbindingconfig.tokenconsumer_0 property name.
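The following Python functions (an added example, not wsadmin or WebSphere code) model the add, update and remove rules just described, and the same rules stated for the -attributes parameter at the top of this topic: a non-empty value adds or updates, an empty string removes the named property and everything under it, and a new list item takes the next free _n index. The property map is constructed from the tokenconsumer_0 lines on this page; the function names and the example.jaas.config value are placeholders of this example.

```python
"""Model of how the setBinding -attributes parameter edits the binding
properties object described on this page. Added illustration, not wsadmin
or WebSphere code."""
import re

# Constructed sample: tokenconsumer_0 lines shown on this page plus one
# encryptioninfo flag, keyed as getBinding would report them.
BASE = "application.securityinboundbindingconfig."
SAMPLE = {
    BASE + "tokenconsumer_0.name": "con_unametoken",
    BASE + "tokenconsumer_0.classname":
        "com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer",
    BASE + "tokenconsumer_0.jaasconfig.configname": "system.wss.consume.unt",
    BASE + "tokenconsumer_0.securitytokenreference.reference": "request:uname_token",
    BASE + "encryptioninfo_0.encryptionpartreference.nonce": "true",
}

def apply_attributes(props, attributes):
    """Apply [[name value] ...] pairs and return the resulting property map."""
    result = dict(props)
    for name, value in attributes:
        if value == "":
            # Removal covers the name itself and everything below it, so
            # tokenconsumer_0="" drops tokenconsumer_0.name, .classname, ...
            # but leaves tokenconsumer_1.* untouched.
            result = {k: v for k, v in result.items()
                      if k != name and not k.startswith(name + ".")}
        else:
            result[name] = value  # add if missing, otherwise update
    return result

def next_index(props, list_prefix):
    """Index for a new list item under list_prefix (e.g. BASE + "tokenconsumer"):
    one greater than the highest _n already present, or 0 when none exists."""
    pattern = re.compile(re.escape(list_prefix) + r"_(\d+)(?:\.|$)")
    used = [int(m.group(1)) for m in map(pattern.match, props) if m]
    return max(used) + 1 if used else 0

def add_list_item(props, list_prefix, fields):
    """Add a new _n item with {suffix: value} fields; return (map, index)."""
    n = next_index(props, list_prefix)
    item = f"{list_prefix}_{n}"
    updated = apply_attributes(props, [(f"{item}.{k}", v) for k, v in fields.items()])
    return updated, n

if __name__ == "__main__":
    # example.jaas.config is a placeholder value, not a real JAAS login configuration
    props, n = add_list_item(SAMPLE, BASE + "tokenconsumer",
                             {"name": "con_x509", "jaasconfig.configname": "example.jaas.config"})
    print("new item index:", n)  # 1
    props = apply_attributes(props, [(BASE + "tokenconsumer_0", "")])
    for k in sorted(props):
        print(k, "=", props[k])
```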
The following examples display several sets of properties to configure for your binding. This list does not include all properties to configure for the WSSecurity binding. Use this information as a reference to determine how to form specific property names.
- signinginfo element: Use this property to configure signing information. For a custom binding, an unlimited number of signinginfo elements specified for the securityoutboundbindingconfig and securityinboundbindingconfig assertions can exist. In the default bindings, the system allows a maximum of two signinginfo elements for the securityoutboundbindingconfig and securityinboundbindingconfig assertions. The following example displays the format for two signinginfo elements:
  application.securityinboundbindingconfig.signinginfo_0.signingkeyinfo_0.reference=con_signkeyinfo
  application.securityinboundbindingconfig.signinginfo_0.signingpartreference_0.reference=request:int_body
  application.securityoutboundbindingconfig.signinginfo_0.signingpartreference_0.reference=response:int_body
  application.securityoutboundbindingconfig.signinginfo_0.signingpartreference_0.timestamp=true
- encryptioninfo element: Use this property to configure encryption information. For a custom binding, an unlimited number of encryptioninfo elements specified for the securityoutboundbindingconfig and securityinboundbindingconfig assertions can exist. In the default bindings, the system allows a maximum of two encryptioninfo elements for the securityoutboundbindingconfig and securityinboundbindingconfig assertions. The following example displays the format for two encryptioninfo properties:
  application.securityinboundbindingconfig.encryptioninfo_0.encryptionpartreference.nonce=true
  application.securityinboundbindingconfig.encryptioninfo_0.encryptionpartreference.reference=request:conf_body
  application.securityoutboundbindingconfig.encryptioninfo_0.encryptionpartreference.nonce=true
  application.securityoutboundbindingconfig.encryptioninfo_0.encryptionpartreference.timestamp=true
- tokengenerator element: In the default bindings, the tokengenerator elements that the signinginfo or encryptioninfo elements do not reference are considered authentication token generators. Each authentication token generator must have a unique valuetype element. The following example displays a generator for an X.509 protection token:
  application.securityoutboundbindingconfig.tokengenerator_0.name=gen_signtgen
  application.securityoutboundbindingconfig.tokengenerator_0.classname=com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator
  application.securityoutboundbindingconfig.tokengenerator_0.valuetype.uri=
  application.securityoutboundbindingconfig.tokengenerator_0.valuetype.localname=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
  application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.classname=com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler
  application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.alias=soaprequester
  application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.keypass={xor}PDM2OjEr
  application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.name=CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP
  application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
  application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.storepass={xor}PDM2OjEr
  application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.type=JKS
  application.securityoutboundbindingconfig.tokengenerator_0.jaasconfig.configname=system.wss.generate.x509
  The following example displays a generator for a username authentication token:
  application.securityoutboundbindingconfig.tokengenerator_1.name=gen_usernametoken
  application.securityoutboundbindingconfig.tokengenerator_1.classname=com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator
  application.securityoutboundbindingconfig.tokengenerator_1.valuetype.uri=
  application.securityoutboundbindingconfig.tokengenerator_1.valuetype.localname=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
  application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.classname=com.ibm.websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler
  application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.basicAuth.userid=user1
  application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.basicAuth.password=myPassword
  application.securityoutboundbindingconfig.tokengenerator_1.securityTokenReference.reference=request:uname_token
  application.securityoutboundbindingconfig.tokengenerator_1.jaasconfig.configname=system.wss.generate.unt
- tokenconsumer element: In the default bindings, the tokenconsumer elements that the signinginfo or encryptioninfo elements do not reference are authentication token consumers. Each authentication token consumer must have a unique valuetype element. The following example displays the format for a set of tokenconsumer elements:
  application.securityinboundbindingconfig.tokenconsumer_0.name=con_unametoken
  application.securityinboundbindingconfig.tokenconsumer_0.classname=com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer
  application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
  application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri=
  application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname=com.ibm.websphere.wssecurity.callbackhandler.UNTConsumeCallbackHandler
  application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname=system.wss.consume.unt
  application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference=request:uname_token
- actor element: Defines the actor uniform resource identifier (URI) to be included in the WSSecurity headers of a generated message, as displayed by the following example:
  application.securityinboundbindingconfig.actor=http://myActor.com
  application.securityoutboundbindingconfig.actor=http://myActor.com
- certstorelist element: Defines certificate store configurations and signing information, as displayed by the following example:
  application.securityinboundbindingconfig.certstorelist.collectioncertstores_0.name=DigSigCertStore
  application.securityinboundbindingconfig.certstorelist.collectioncertstores_0.provider=IBMCertPath
  application.securityinboundbindingconfig.certstorelist.collectioncertstores_0.x509certificates_0.path=${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer
- keyinfo element: Defines key information for the signing and encryption configurations, as displayed by the following example:
  application.securityinboundbindingconfig.keyinfo_0.classname=com.ibm.ws.wssecurity.wssapi.CommonContentConsumer
  application.securityinboundbindingconfig.keyinfo_0.name=con_signkeyinfo
  application.securityinboundbindingconfig.keyinfo_0.tokenreference.reference=con_tcon
  application.securityinboundbindingconfig.keyinfo_0.type=STRREF
- trustanchor property: Defines configuration information for validating the trust of the signer certificate, as displayed by the following example:
  application.securityinboundbindingconfig.trustanchor_0.keystore.path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
  application.securityinboundbindingconfig.trustanchor_0.keystore.storepass={xor}LDotKTot
  application.securityinboundbindingconfig.trustanchor_0.keystore.type=JKS
  application.securityinboundbindingconfig.trustanchor_0.name=DigSigTrustAnchor
- timestampexpires element: Defines an expiration date for the configuration, as displayed by the following example:
  application.securityoutboundbindingconfig.timestampexpires.expires=5
- application.securityinboundbindingconfig.caller_X.order: Specifies the order for a caller when using wsadmin scripts, where X is the unique string that identifies the caller instance:
  -attributes [[application.securityinboundbindingconfig.caller_0.order 2]]
Examples of the setPolicyType and setBinding commands
Use the preceding reference information with the setPolicyType and setBinding commands to modify your policy and binding configuration data.

AdminTask.setBinding('[-bindingLocation "" -bindingName cellWideBinding2 -policyType WSSecurity
 -attributes [[application.securityinboundbindingconfig.caller_0.order 2]
 [inResponsewithSSL:configAlias NodeDefaultSSLSettings]
 [inResponsewithSSL:config properties_directory/ssl.client.props]
 [outAsyncResponsewithSSL:configFile properties_directory/ssl.client.props]
 [outAsyncResponsewithSSL:configAlias NodeDefaultSSLSettings]
 [outRequestwithSSL:configFile properties_directory/ssl.client.props]
 [outRequestwithSSL:configAlias NodeDefaultSSLSettings]]]')

AdminTask.setPolicyType('-policySet myPolicySet -policyType WSSecurity
 -attributes "[[enabled true][provides Some_amount_of_security]
 [SignatureProtection.request:app_signparts.SignedElements.XPath_0 SignatureProtectionV2]]"')

AdminTask.setBinding('-policyType WSSecurity -bindingLocation "[[server server1][node node01]]"
 -attributes "[[application.securityinboundbindingconfig.keyinfo_0.name dec_server_keyinfo]
 [application.securityinboundbindingconfig.keyinfo_0.classname com.ibm.ws.wssecurity.wssapi.CommonContentGenerator]
 [application.securityinboundbindingconfig.keyinfo_0.type STRREF]]"')

AdminTask.setBinding('-policyType WSSecurity -bindingLocation "[[application PolicySet][attachmentId 999]]"
 -attributes "[[application.securityinboundbindingconfig.keyinfo_0.name dec_app_keyinfo]
 [application.securityinboundbindingconfig.keyinfo_0.classname com.ibm.ws.wssecurity.wssapi.CommonContentGenerator]
 [application.securityinboundbindingconfig.keyinfo_0.type STRREF]]"
 -attachmentType application -bindingName myBindingName')

AdminTask.setBinding('-policyType WSSecurity -bindingLocation ""
 -attributes "[application.securityinboundbindingconfig.trustanchor_0.name DigSigTrustAnchor2]"')