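Configuring custom policies and bindings for security tokens using wsadmin scripting
Use the setPolicyType and setBinding commands of the AdminTask object to specify security tokens for custom policy and binding configurations.
Before you begin
Create a new custom policy set.
About this task
The following scenario configures a custom policy and binding to use Kerberos tokens that are based on the Oasis Kerberos Token Profile V1.1 specification. You can also use the setPolicyType and setBinding commands to configure other binary security tokens, such as username tokens, Lightweight Third-Party Authentication (LTPA), and SecureConversation.
Procedure
- Configure the custom policy for the security token.
- Start the wsadmin scripting tool using the Jython scripting language. To learn more, see the "Starting the wsadmin scripting client" information.
- Display the attributes of the policy of interest. Use the getPolicyType command to display detailed attribute information for the WS-Security policy type, as the following command demonstrates: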
AdminTask.getPolicyType('-policySet AuthenticationTokenService -policyType WSSecurity')
The getPolicyType command returns a properties object that contains a name/value pair for each attribute, as the following sample output shows:
'[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] [enabled true] [type WSSecurity] [description [Policies for sending security tokens and providing message confidentiality and integrity, based on the OASIS Web Service Security and Token Profiles specifications.]] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri ] [provides ] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]'
- Specify the authentication token for the policy type. Use the setPolicyType command to specify the Uniform Resource Identifier (URI) of the service authentication token as the value of the SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri attribute. Use the [ ] syntax to specify an empty string. The following example specifies an empty string as the value of the authentication token:
AdminTask.setPolicyType('-policySet AuthenticationTokenService -policyType WSSecurity -attributes "[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] [enabled true] [type WSSecurity] [description [Policies for sending security tokens and providing message confidentiality and integrity, based on the OASIS Web Services Security and Token Profiles specifications.]] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri []] [provides []] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]"')
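- Configure the custom binding for the security token.
- Start the wsadmin scripting tool.
- Display the attributes of the binding of interest. Use the getBinding command to display detailed attribute information for the binding, as the following command demonstrates: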
AdminTask.getBinding('-policyType WSSecurity -bindingLocation "" -bindingName AuthenticationTokenService')
The getBinding command returns a properties object that contains a name/value pair for each attribute, as the following sample output shows:
'[ [application.securityinboundbindingconfig.tokenconsumer_0.properties_0.name com.ibm.wsspi.wssecurity.krbtoken.serviceSPN] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri ] [application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler] [application.name application][application.securityinboundbindingconfig.tokenconsumer_0.properties_0.value HTTP/derekho1.firehorse.austin.ibm.com] [application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname system.wss.consume.KRB5BST] [application.securityinboundbindingconfig.tokenconsumer_0.name con_krbtoken][application.securityinboundbindingconfig.tokenconsumer_0.classname com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer] [application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference request:krb_token] ]'
- Specify the authentication token for the policy type. Use the setBinding command to specify the Uniform Resource Identifier (URI) of the service authentication token as the value of the application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri attribute. Use the [ ] syntax to specify an empty string. The following example specifies an empty string as the value of the authentication token:
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "" -bindingName AuthenticationTokenService -attributes "[ [application.securityinboundbindingconfig.tokenconsumer_0.properties_0.name com.ibm.wsspi.wssecurity.krbtoken.serviceSPN] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri []] [application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler] [application.name application][application.securityinboundbindingconfig.tokenconsumer_0.properties_0.value HTTP/derekho1.firehorse.austin.ibm.com] [application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname system.wss.consume.KRB5BST][application.securityinboundbindingconfig.tokenconsumer_0.name con_krbtoken][application.securityinboundbindingconfig.tokenconsumer_0.classname com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer] [application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference request:krb_token] ]"')
Results
If the setPolicyType and setBinding commands return a value of 'true', then the system successfully updated the policy and binding configurations.
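The get and set commands above use the same bracketed attribute list, but the get output shows an empty value as "[name ]" while the set input needs "[name []]". The following added example (not IBM code) parses that list, keeps nested values such as the description intact, and rebuilds the -attributes argument; the function names and the shortened SAMPLE string are assumptions made for illustration.

```python
# Added example, not IBM code. Runs in CPython and in wsadmin's Jython.
# SAMPLE is constructed: a shortened form of the getPolicyType output on this page.
SAMPLE = ("'[ [enabled true] [type WSSecurity] "
          "[description [Policies for sending security tokens.]] "
          "[SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri ] "
          "[provides ] ]'")
URI_ATTR = 'SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri'

def parse_attributes(text):
    """Split '[ [name value] ... ]' into ordered (name, value) pairs."""
    text = text.strip().strip("'").strip()
    if not (text.startswith('[') and text.endswith(']')):
        raise ValueError('attribute list must be wrapped in [ ]')
    body, pairs, depth, start = text[1:-1], [], 0, 0
    for i in range(len(body)):
        if body[i] == '[':
            if depth == 0:
                start = i + 1          # first character of a top-level item
            depth += 1
        elif body[i] == ']':
            depth -= 1
            if depth < 0:
                raise ValueError('unbalanced ] at offset %d' % i)
            if depth == 0:             # a top-level [name value] item just closed
                parts = body[start:i].strip().split(None, 1)
                if not parts:
                    raise ValueError('attribute without a name')
                value = ''
                if len(parts) == 2 and parts[1].strip() != '[]':
                    value = parts[1].strip()
                pairs.append((parts[0], value))
    if depth != 0:
        raise ValueError('unbalanced [')
    return pairs

def format_attributes(pairs):
    """Rebuild the -attributes value; empty strings are written as []."""
    items = []
    for name, value in pairs:
        if value == '':
            value = '[]'
        elif ' ' in value and not value.startswith('['):
            value = '[' + value + ']'  # bracket values with spaces, as the description is
        items.append('[%s %s]' % (name, value))
    return '[ ' + ' '.join(items) + ' ]'

def set_policy_type_args(policy_set, policy_type, pairs):
    """Argument string for AdminTask.setPolicyType (AdminTask exists only in wsadmin)."""
    return '-policySet %s -policyType %s -attributes "%s"' % (
        policy_set, policy_type, format_attributes(pairs))
```

Inside wsadmin, pass the result of set_policy_type_args to AdminTask.setPolicyType; the same parse and format functions apply to the getBinding output and the setBinding -attributes value.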
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=txml_7secpolicy
File name: txml_7secpolicy.html