Managing self-issued SAML token configuration using wsadmin commands

The SAMLIssuerConfig.properties file usage is deprecated in WebSphere® Application Server Version 8. You can use the listSAMLIssuerConfig and updateSAMLIssuerConfig wsadmin command tasks to read and modify the cell level and server level SAMLIssuerConfig.properties configuration files. Starting with WebSphere Application Server Version 8, you should use the administrative console or the setSAMLIssuerConfigInBinding command task to specify a self-issued SAML token's configuration as custom properties in the requester's outbound configuration in the general bindings or in the application-specific bindings. Do not use the server level or cell level SAMLIssuerConfig.properties file.

Before you begin

The product provides an alternate way to specify a self-issued SAML token configuration in policy set bindings. Migrate self-issued SAML token configuration data from the SAMLIssuerConfig.properties file to the bindings. Specifying configuration data for creating self-issued SAML tokens in general bindings or application-specific bindings provides the management flexibility to specify the configuration at a finer grained scope, in addition to the cell level and the server level. For example, you can configure a specific SAML token issuer for a particular web service application, for an arbitrary group of applications, or for a web service application in a security domain.

Avoid trouble: Self-issued SAML token configuration data that is defined in the bindings takes precedence over data that is defined in the server level or the cell level SAMLIssuerConfig.properties file, in that order. When self-issued SAML token configuration data is defined in attached policy set bindings, the web services security runtime environment ignores the SAMLIssuerConfig.properties files at both the server level and the cell level. Therefore, when you migrate from the SAMLIssuerConfig.properties file to the bindings, you must migrate all of the required properties.

About this task

Two command tasks are available to manage the SAMLIssuerConfig.properties file-based SAML issuer configuration. This file can be located at the cell level and the server level. These two tasks are:

  • listSAMLIssuerConfig
  • updateSAMLIssuerConfig

Procedure

  1. Run the wsadmin command task in the interactive mode. The following Jython script illustrates how to run the wsadmin command task in the interactive mode.
    AdminTask.listSAMLIssuerConfig('[-interactive]')

    To select the server level SAML issuer configuration, the serverName and nodeName parameters are required. If these parameters are missing, the command task lists the cell level SAML issuer configuration.

  2. Use the listSAMLIssuerConfig command task to display the server level SAML issuer configuration.
    AdminTask.listSAMLIssuerConfig('[-nodeName Node01 -serverName server1]')

    The Monitor administrative role or higher is required to run the listSAMLIssuerConfig command.

  3. Use the updateSAMLIssuerConfig command task to update the server level or cell level SAML issuer configuration.
    AdminTask.updateSAMLIssuerConfig('[-IssuerURI My_Issuer
                                       -TimeToLiveMilliseconds 3600000
                                       -KeyStoreRef "name=myKeyStore managementScope=(cell):Node01Cell:(node):Node01"
                                       -KeyAlias samlissuer
                                       -KeyName "CN=SAMLIssuer, O=Acme, C=US" -KeyPassword *****
                                       -TrustStoreRef "name=myKeyStore managementScope=(cell):Node01Cell:(node):Node01"]')

    If the serverName and nodeName parameters are not specified, the task updates the cell level SAML issuer configuration.

    The Administrator administrative role is required to run the updateSAMLIssuerConfig command.

Results

You have now created command scripts that automatically update the cell level or server level SAMLIssuerConfig.properties file, or that create the self-issued SAML token configuration data as custom properties in the requester's outbound configuration in the general bindings or in the application-specific bindings.

Example

The following example illustrates how to add or modify self-issued SAML token configuration data in an application-specific binding:
AdminTask.setSAMLIssuerConfigInBinding('[-bindingName SAMLTestAppClientBinding
-bindingLocation [ [application JaxWSServicesSamples] [attachmentId 1904] ]
-com.ibm.wsspi.wssecurity.saml.config.issuer.IssuerURI My_Issuer
-com.ibm.wsspi.wssecurity.saml.config.issuer.TimeToLiveMilliseconds 3600000
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStoreRef "name=myKeyStore managementScope=(cell):Node01Cell:(node):Node01"
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyAlias samlissuer
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyName "CN=SAMLIssuer, O=Acme, C=US"
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyPassword *****
-com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStoreRef "name=myKeyStore managementScope=(cell):Node01Cell:(node):Node01"]')
The following example illustrates how to modify a general binding:
AdminTask.setSAMLIssuerConfigInBinding('[-bindingName "Saml Bearer Client sample"
-bindingScope domain -bindingLocation  -domainName global
-com.ibm.wsspi.wssecurity.saml.config.issuer.IssuerURI My_Issuer
-com.ibm.wsspi.wssecurity.saml.config.issuer.TimeToLiveMilliseconds 3600000
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStorePath "profile_root/etc/ws-security/saml/saml-issuer.jceks"
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStoreType jceks
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStorePassword *****
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyAlias samlissuer
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyName "CN=SAMLIssuer, O=Acme, C=US"
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyPassword *****
-com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStorePath "profile_root/profiles/<server_name>/etc/ws-security/saml/saml-issuer.jceks"
-com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStoreType jceks
-com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStorePassword *****]')

When you specify an application binding, bindingLocation is a required parameter and can be supplied as a properties object. The property names are application and attachmentId. When you specify a general binding, bindingLocation is a required parameter that can be null or have empty properties. In addition, bindingScope is a required parameter if the scope is not global. Use the bindingName parameter to identify the binding location. For more information about bindingLocation, bindingScope, and domainName, see the documentation for the setBinding and getBinding command tasks.
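Because bindings take precedence over both SAMLIssuerConfig.properties files once any self-issued SAML configuration is defined there, a migration is only safe if every required property is carried across. The following helper, added here and not part of the product or this topic's own scripts, reads a properties file, checks that the issuer, key-store and trust-store settings shown in the examples above are all present, and then assembles the setSAMLIssuerConfigInBinding parameter string. It assumes the properties file keys match the updateSAMLIssuerConfig parameter names on this page, and that the required set is the one used in the examples; adjust both for your deployment.

```python
"""Generate a setSAMLIssuerConfigInBinding call from SAMLIssuerConfig.properties."""

# Custom-property prefix used by the binding examples on this page.
PREFIX = "com.ibm.wsspi.wssecurity.saml.config.issuer."

# Assumption: properties-file keys equal the updateSAMLIssuerConfig parameter names.
ALWAYS_REQUIRED = ("IssuerURI", "TimeToLiveMilliseconds", "KeyAlias", "KeyName", "KeyPassword")
# A store is given either by a *Ref or by an explicit path/type/password triple.
KEYSTORE_ALTERNATIVES = (("KeyStoreRef",), ("KeyStorePath", "KeyStoreType", "KeyStorePassword"))
TRUSTSTORE_ALTERNATIVES = (("TrustStoreRef",), ("TrustStorePath", "TrustStoreType", "TrustStorePassword"))


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props


def missing_properties(props):
    """Return a list describing every required property that is absent."""
    missing = [k for k in ALWAYS_REQUIRED if k not in props]
    for alts in (KEYSTORE_ALTERNATIVES, TRUSTSTORE_ALTERNATIVES):
        if not any(all(k in props for k in alt) for alt in alts):
            missing.append(" or ".join("+".join(alt) for alt in alts))
    return missing


def quote(value):
    """Quote values that contain spaces or commas, as the page's examples do."""
    return '"%s"' % value if (" " in value or "," in value) else value


def build_binding_command(props, binding_name, binding_location):
    """Build the wsadmin call; refuses to emit a partial migration."""
    missing = missing_properties(props)
    if missing:
        raise ValueError("incomplete migration, missing: %s" % ", ".join(missing))
    params = ["-bindingName %s" % quote(binding_name), "-bindingLocation %s" % binding_location]
    for key, value in props.items():
        params.append("-%s%s %s" % (PREFIX, key, quote(value)))
    return "AdminTask.setSAMLIssuerConfigInBinding('[%s]')" % " ".join(params)


# Constructed sample file; the password placeholder is copied from the page.
SAMPLE_PROPERTIES = """# constructed sample, not a real configuration
IssuerURI=My_Issuer
TimeToLiveMilliseconds=3600000
KeyStoreRef=name=myKeyStore managementScope=(cell):Node01Cell:(node):Node01
KeyAlias=samlissuer
KeyName=CN=SAMLIssuer, O=Acme, C=US
KeyPassword=*****
TrustStoreRef=name=myKeyStore managementScope=(cell):Node01Cell:(node):Node01
"""
```

The generated string contains the key password verbatim, so treat the script output with the same care as the properties file itself.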

To remove the SAML issuer configuration custom properties from a binding, use the administrative console or the setBinding command task.

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twbs_manage_saml_self_issuer