WSSecurity policy and binding properties
Use the attributes parameter of the setPolicyType and setBinding commands to specify additional configuration information for the WSSecurity policy and binding configurations. Application and system policy sets can use the WSSecurity policy and binding configurations.
Before you use the commands in this topic, verify that you are using the most recent version of the wsadmin tool. The policy set management commands that accept a properties object as the value of the attributes or bindingLocation parameter are not supported on earlier versions of the wsadmin tool. For example, these commands do not run on V6.1.0.x nodes.
- Use the -attributes parameter with the getPolicyType and getBinding commands to view the attributes of the policy and binding configurations. To retrieve an attribute, pass the attribute name to the getPolicyType or getBinding command.
- Use the -attributes parameter with the setPolicyType and setBinding commands to add, update, or remove attributes in the policy and binding configurations. To add or update an attribute, specify the attribute name and value. If the attribute exists, the setPolicyType and setBinding commands update its value; if it does not exist, the attribute and its value are added. To remove an attribute, specify an empty string ("") as the attribute value. The -attributes parameter accepts a properties object.

To support mixed-cell environments, WebSphere Application Server supports both V7.0 and V6.1 bindings. General cell-level bindings are specific to V7.0 and later. Application-specific bindings remain at the version that the application requires. When you create an application-specific binding, the application server determines the binding version that the application must use.
SignatureProtection.response:int_body.SignedParts.Body, SignatureProtection.response:int_body.SignedParts.Header_0.Name and SignatureProtection.response:int_body.SignedParts.Header_0.Namespace
WSSecurity policy properties
- AsymmetricBinding: You can specify zero or one binding assertion.
- SymmetricBinding: You can specify zero or one binding assertion. AsymmetricBinding and SymmetricBinding cannot co-exist in a security policy file.
- Wss11: You can specify zero or one Wss11 assertion.
- Wss10: You can specify zero or one Wss10 assertion.
- Trust10: You can specify zero or one Trust10 assertion.
- SignatureProtection: You can specify zero or any number of signature protection assertions.
- EncryptionProtection: You can specify zero or any number of encryption protection assertions.
- SupportingTokens: You can specify zero or any number of supporting token assertions.
The following policy file example displays an AsymmetricBinding assertion:
<sp:AsymmetricBinding>
  <wsp:Policy>
    <sp:InitiatorSignatureToken>
      <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <sp:WssX509V3Token10 />
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:InitiatorSignatureToken>
    <sp:RecipientSignatureToken>
      <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToInitiator">
          <wsp:Policy>
            <sp:WssX509V3Token10 />
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:RecipientSignatureToken>
    <sp:AlgorithmSuite>
      <wsp:Policy>
        <sp:Basic256/>
      </wsp:Policy>
    </sp:AlgorithmSuite>
    <sp:Layout>
      <wsp:Policy>
        <sp:Strict/>
      </wsp:Policy>
    </sp:Layout>
  </wsp:Policy>
</sp:AsymmetricBinding>
The previous AsymmetricBinding example returns the following properties:
AsymmetricBinding.Layout = Strict
AsymmetricBinding.AlgorithmSuite.Basic256 = true
AsymmetricBinding.RecipientSignatureToken.X509Token_0.IncludeToken = http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToInitiator
AsymmetricBinding.InitiatorSignatureToken.X509Token_0.WssX509V3Token10 = true
AsymmetricBinding.InitiatorSignatureToken.X509Token_0.IncludeToken = http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient
AsymmetricBinding.RecipientSignatureToken.X509Token_0.WssX509V3Token10 = true
The following policy file example displays a SupportingTokens assertion that specifies a custom token:
<sp:SupportingTokens>
  <wsp:Policy wsu:Id="request:custom_auth">
    <spe:CustomToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <spe:WssCustomToken uri="http://bar.com/MyCustomToken" localname="tokenv1">
        </spe:WssCustomToken>
      </wsp:Policy>
    </spe:CustomToken>
  </wsp:Policy>
</sp:SupportingTokens>
The previous SupportingTokens example returns the following properties:
SupportingTokens.request:custom_auth.CustomToken_0.WssCustomToken.uri=http://bar.com/MyCustomToken
SupportingTokens.request:custom_auth.CustomToken_0.IncludeToken=http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient
SupportingTokens.request:custom_auth.CustomToken_0.WssCustomToken.localname=tokenv1
- The wsu:Id element: This element uses the actual value of the ID, rather than Id, as the property name. See the following policy file example:
<wsp:Policy wsu:Id="response:int_body">
  <sp:SignedParts>
    <sp:Body/>
  </sp:SignedParts>
</wsp:Policy>
The previous wsu:Id example returns the following property:
SignatureProtection.response:int_body.SignedParts.Body = true
- The Header element: Because there can be multiple Header elements, the Header_n notation is used to represent this property. See the following policy file example:
<wsp:Policy wsu:Id="request:conf_body">
  <sp:EncryptedParts>
    <sp:Body/>
    <sp:Header Name="MyElement" Namespace="http://foo.com/MyNamespace" />
  </sp:EncryptedParts>
</wsp:Policy>
The previous Header example returns the following properties:
EncryptionProtection.request:conf_body.EncryptedParts.Header_0.Name=MyElement
EncryptionProtection.request:conf_body.EncryptedParts.Header_0.Namespace=http://foo.com/MyNamespace
- The XPath element: Because there can be multiple XPath elements, the XPath_n notation is used to represent this property. See the following policy file example:
<wsp:Policy wsu:Id="request:int_body">
  <sp:SignedElements>
    <sp:XPath>SomeXPathExpression</sp:XPath>
    <sp:XPath>SomeOtherXPathExpression</sp:XPath>
  </sp:SignedElements>
</wsp:Policy>
The previous XPath example returns the following properties:
SignatureProtection.request:int_body.SignedElements.XPath_0=SomeXPathExpression
SignatureProtection.request:int_body.SignedElements.XPath_1=SomeOtherXPathExpression
- The X509Token element: Use the X509Token_n notation to represent this property because multiple X509Token elements can exist. For an example, see the AsymmetricBinding assertion.
- The CustomToken element: Use the CustomToken_n notation to represent this property because multiple CustomToken elements can exist. For an example, see the SupportingTokens assertion.
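As an added example (not code from this topic or from WebSphere), the following Python script applies the naming rules described above to policy XML: wsp:Policy is transparent unless it carries wsu:Id, repeated X509Token, CustomToken, Header and XPath elements receive the _n suffix, XML attributes become trailing name segments, an empty assertion such as sp:Body yields true, and Layout takes the name of its nested assertion. It runs offline on fragments constructed from this topic's own examples; the spe namespace URI is a placeholder because the topic does not state it, and the assertion category (SignatureProtection, EncryptionProtection) is supplied by the caller because the fragments do not carry it. On the Header fragment it also reports EncryptedParts.Body = true, which the listing above omits.

```python
"""Added example, not IBM's code: flatten WS-SecurityPolicy assertion XML into
the dotted property names that getPolicyType returns and setPolicyType accepts."""
import xml.etree.ElementTree as ET

INDEXED = {"X509Token", "CustomToken", "Header", "XPath"}  # repeatable -> _n suffix
VALUE_IS_CHILD_NAME = {"Layout"}  # the topic shows AsymmetricBinding.Layout = Strict
INCLUDE = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken"
# The spe URI is a placeholder; the topic does not state IBM's extension namespace.
NS = ('xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512" '
      'xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
      'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/'
      'oasis-200401-wss-wssecurity-utility-1.0.xsd" '
      'xmlns:spe="urn:placeholder:ws-securitypolicy-extension"')

# Fragments constructed from the examples in this topic.
ASYMMETRIC_BINDING = f"""<sp:AsymmetricBinding {NS}><wsp:Policy>
  <sp:InitiatorSignatureToken><wsp:Policy>
    <sp:X509Token sp:IncludeToken="{INCLUDE}/AlwaysToRecipient">
      <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
  </wsp:Policy></sp:InitiatorSignatureToken>
  <sp:RecipientSignatureToken><wsp:Policy>
    <sp:X509Token sp:IncludeToken="{INCLUDE}/AlwaysToInitiator">
      <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
  </wsp:Policy></sp:RecipientSignatureToken>
  <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
  <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
</wsp:Policy></sp:AsymmetricBinding>"""
SUPPORTING_TOKENS = f"""<sp:SupportingTokens {NS}><wsp:Policy wsu:Id="request:custom_auth">
  <spe:CustomToken sp:IncludeToken="{INCLUDE}/AlwaysToRecipient"><wsp:Policy>
    <spe:WssCustomToken uri="http://bar.com/MyCustomToken" localname="tokenv1"/>
  </wsp:Policy></spe:CustomToken>
</wsp:Policy></sp:SupportingTokens>"""
CONF_BODY = f"""<wsp:Policy {NS} wsu:Id="request:conf_body"><sp:EncryptedParts>
  <sp:Body/><sp:Header Name="MyElement" Namespace="http://foo.com/MyNamespace"/>
</sp:EncryptedParts></wsp:Policy>"""
INT_BODY = f"""<wsp:Policy {NS} wsu:Id="request:int_body"><sp:SignedElements>
  <sp:XPath>SomeXPathExpression</sp:XPath><sp:XPath>SomeOtherXPathExpression</sp:XPath>
</sp:SignedElements></wsp:Policy>"""


def _local(qname):
    """Drop the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def _policy_path(policy, path):
    """wsp:Policy is transparent unless it carries wsu:Id, whose value
    (for example request:custom_auth) then becomes a path segment."""
    for attr, value in policy.attrib.items():
        if _local(attr) == "Id":
            return f"{path}.{value}"
    return path


def _walk(elem, path, props):
    counters = {}  # per-parent occurrence counts for the _n notation
    for child in elem:
        tag = _local(child.tag)
        if tag == "Policy":
            _walk(child, _policy_path(child, path), props)
            continue
        segment = tag
        if tag in INDEXED:
            n = counters.get(tag, 0)
            counters[tag] = n + 1
            segment = f"{tag}_{n}"
        child_path = f"{path}.{segment}"
        if tag in VALUE_IS_CHILD_NAME:
            # Layout/wsp:Policy/Strict is reported as Layout = Strict
            props[child_path] = next(_local(g.tag) for p in child for g in p)
            continue
        for attr, value in child.attrib.items():  # attributes become trailing segments
            props[f"{child_path}.{_local(attr)}"] = value
        text = (child.text or "").strip()
        if len(child):
            _walk(child, child_path, props)
        elif text:
            props[child_path] = text        # <sp:XPath>expression</sp:XPath>
        elif not child.attrib:
            props[child_path] = "true"      # empty assertion such as <sp:Body/>


def flatten_policy(xml_text, assertion):
    """Return {property_name: value} for one assertion category such as
    'AsymmetricBinding' or 'SignatureProtection'."""
    root = ET.fromstring(xml_text)
    path = _policy_path(root, assertion) if _local(root.tag) == "Policy" else assertion
    props = {}
    _walk(root, path, props)
    return props


if __name__ == "__main__":
    for xml_text, assertion in [(ASYMMETRIC_BINDING, "AsymmetricBinding"),
                                (SUPPORTING_TOKENS, "SupportingTokens"),
                                (CONF_BODY, "EncryptionProtection"),
                                (INT_BODY, "SignatureProtection")]:
        for name, value in flatten_policy(xml_text, assertion).items():
            print(f"{name} = {value}")
```

Running the script prints the same property lines that the listings in this topic show for each fragment, which makes it a quick way to predict the property name before passing it to getPolicyType or setPolicyType.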
WSSecurity binding properties
Use the getBinding command to review a properties object with the properties that are configured in your current WSSecurity binding configuration. You can also use the administrative console to configure your WSSecurity bindings; for more information, see the information center topics on configuring WSSecurity bindings with the administrative console.
The properties defined in this section reflect the hierarchy of the binding schema. Each part of the property name is a lowercase version of the schema type. For example, the application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname property follows the hierarchical format. The attributes begin with application or bootstrap. Attributes that begin with application represent bindings that are associated with the main WS-Security policy. Attributes that begin with bootstrap represent bindings that are associated with the WS-Security bootstrap policy, which is used when the WS-Security policy uses Secure Conversation. For example, the following properties describe one inbound token consumer:
application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.certpathsettings.certstoreref.reference
application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.certpathsettings.trustanchorref.reference
application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname
application.securityinboundbindingconfig.tokenconsumer_0.classname
application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname
application.securityinboundbindingconfig.tokenconsumer_0.name
application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname
application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri
Additionally, some properties in the security binding file return a value of true when queried. To set these properties, set the value to true to include the property, or set the value to an empty string ("") to remove the property. For example, the time stamp, nonce, and trustAnyCertificate properties follow this pattern.
- To add a property, use the setBinding command to pass the property name with a non-zero length string value. To add a list item, use the _n notation to reflect a numeric value that is greater than any current numeric value for the property. For example, if the tokenconsumer_0 and tokenconsumer_1 properties exist in your configuration, specify the new tokenconsumer property as tokenconsumer_2. After adding a property, use the getBinding command to view the most recent list of configured properties.
- To remove a property, use the setBinding command to pass the property name with an empty string (""). For example, to remove all of the tokenconsumer_0 properties, specify the following property with the attributes parameter:
application.securityinboundbindingconfig.tokenconsumer_0=""
The previous example removes all properties that begin with the application.securityinboundbindingconfig.tokenconsumer_0 property name.
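As an added example (not IBM's code), the following Python helpers make the add and remove rules above checkable before a setBinding call: they parse name=value output in the form the listings in this topic use, compute the next free _n index for a list property, enumerate every property that an empty-string removal would take with it, render the -attributes value in the [[name value]...] form that the command examples later in this topic use, and flag credential-bearing properties whose values are not {xor}-encoded. The sample output is constructed from property lines in this topic (con_x509 is a made-up second consumer so that the _n rule has two existing items), and the quoting of values that contain spaces is an assumption about wsadmin parsing, not something the topic states.

```python
"""Added example, not IBM's code: helpers for the flat name=value binding
properties that getBinding returns and setBinding accepts."""
import re

# Constructed sample, assembled from property lines shown in this topic;
# tokenconsumer_1 (con_x509) is made up so that two list items exist.
SAMPLE_GETBINDING_OUTPUT = """
application.securityinboundbindingconfig.tokenconsumer_0.name=con_unametoken
application.securityinboundbindingconfig.tokenconsumer_0.classname=com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer
application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname=system.wss.consume.unt
application.securityinboundbindingconfig.tokenconsumer_1.name=con_x509
application.securityoutboundbindingconfig.tokengenerator_0.name=gen_signtgen
application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.keypass={xor}PDM2OjEr
application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.storepass={xor}PDM2OjEr
application.securityoutboundbindingconfig.tokengenerator_1.name=gen_usernametoken
application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.basicAuth.userid=user1
application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.basicAuth.password=myPassword
application.securityoutboundbindingconfig.actor=http://myActor.com
"""

SECRET_SUFFIXES = ("password", "keypass", "storepass")


def parse_properties(text):
    """Parse name=value lines into a dict. The value is everything after the
    first '=', so URLs and DN values that contain '=' survive intact."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "=" in line:
            name, _, value = line.partition("=")
            props[name.strip()] = value.strip()
    return props


def next_list_index(props, list_prefix):
    """Topic rule for adding a list item: use _n greater than any existing n,
    so with tokenconsumer_0 and tokenconsumer_1 present the next one is _2."""
    pattern = re.compile(re.escape(list_prefix) + r"_(\d+)(?:\.|$)")
    used = [int(m.group(1)) for m in map(pattern.match, props) if m]
    return max(used, default=-1) + 1


def removal_scope(props, item_name):
    """Topic rule for removal: setting item_name to "" removes every property
    that begins with that name. Returns those names so they can be reviewed."""
    return sorted(n for n in props if n == item_name or n.startswith(item_name + "."))


def attributes_arg(changes):
    """Render a dict as the value of -attributes: [[name value][name value]].
    An empty string is written as "" (the removal marker). Quoting values that
    contain spaces is an assumption about wsadmin, not stated in the topic."""
    parts = []
    for name, value in changes.items():
        rendered = '""' if value == "" else (f'"{value}"' if " " in value else value)
        parts.append(f"[{name} {rendered}]")
    return "[" + "".join(parts) + "]"


def cleartext_secrets(props):
    """Review check: credential properties whose value is not {xor}-encoded,
    such as basicAuth.password=myPassword in this topic's username-token example."""
    return sorted(name for name, value in props.items()
                  if name.rsplit(".", 1)[-1].lower() in SECRET_SUFFIXES
                  and value and not value.startswith("{xor}"))


if __name__ == "__main__":
    props = parse_properties(SAMPLE_GETBINDING_OUTPUT)
    inbound = "application.securityinboundbindingconfig.tokenconsumer"
    n = next_list_index(props, inbound)
    print(attributes_arg({f"{inbound}_{n}.name": "con_newtoken"}))
    print(attributes_arg({f"{inbound}_0": ""}))
    print(removal_scope(props, f"{inbound}_0"))
    print(cleartext_secrets(props))
```

Under wsadmin, the string that attributes_arg returns is what you pass as -attributes to AdminTask.setBinding. Run removal_scope first when you remove a list item, because the empty-string marker takes every property under that name with it, and run cleartext_secrets over getBinding output before a binding is exported or checked into source control.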
The following examples display several sets of properties to configure for your binding. This list does not include all properties to configure for the WSSecurity binding. Use this information as a reference to determine how to form specific property names.
- signinginfo element: Use this property to configure signing information. For a custom binding, an unlimited number of signinginfo elements can exist for the securityoutboundbindingconfig and securityinboundbindingconfig assertions. In the default bindings, the system allows a maximum of two signinginfo elements for the securityoutboundbindingconfig and securityinboundbindingconfig assertions. The following example displays the format for two signinginfo elements:
application.securityinboundbindingconfig.signinginfo_0.signingkeyinfo_0.reference=con_signkeyinfo
application.securityinboundbindingconfig.signinginfo_0.signingpartreference_0.reference=request:int_body
application.securityoutboundbindingconfig.signinginfo_0.signingpartreference_0.reference=response:int_body
application.securityoutboundbindingconfig.signinginfo_0.signingpartreference_0.timestamp=true
- encryptioninfo element: Use this property to configure encryption information. For a custom binding, an unlimited number of encryptioninfo elements can exist for the securityoutboundbindingconfig and securityinboundbindingconfig assertions. In the default bindings, the system allows a maximum of two encryptioninfo elements for the securityoutboundbindingconfig and securityinboundbindingconfig assertions. The following example displays the format for two encryptioninfo properties:
application.securityinboundbindingconfig.encryptioninfo_0.encryptionpartreference.nonce=true
application.securityinboundbindingconfig.encryptioninfo_0.encryptionpartreference.reference=request:conf_body
application.securityoutboundbindingconfig.encryptioninfo_0.encryptionpartreference.nonce=true
application.securityoutboundbindingconfig.encryptioninfo_0.encryptionpartreference.timestamp=true
- tokengenerator element: In the default bindings, the tokengenerator elements that the signinginfo or encryptioninfo elements do not reference are considered authentication token generators. Each authentication token generator must have a unique valuetype element. The following example displays a generator for an X.509 protection token:
application.securityoutboundbindingconfig.tokengenerator_0.name=gen_signtgen
application.securityoutboundbindingconfig.tokengenerator_0.classname=com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator
application.securityoutboundbindingconfig.tokengenerator_0.valuetype.uri=
application.securityoutboundbindingconfig.tokengenerator_0.valuetype.localname=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.classname=com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler
application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.alias=soaprequester
application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.keypass={xor}PDM2OjEr
application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.name=CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP
application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.storepass={xor}PDM2OjEr
application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.type=JKS
application.securityoutboundbindingconfig.tokengenerator_0.jaasconfig.configname=system.wss.generate.x509
The following example displays a generator for a username authentication token:
application.securityoutboundbindingconfig.tokengenerator_1.name=gen_usernametoken
application.securityoutboundbindingconfig.tokengenerator_1.classname=com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator
application.securityoutboundbindingconfig.tokengenerator_1.valuetype.uri=
application.securityoutboundbindingconfig.tokengenerator_1.valuetype.localname=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.classname=com.ibm.websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler
application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.basicAuth.userid=user1
application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.basicAuth.password=myPassword
application.securityoutboundbindingconfig.tokengenerator_1.securityTokenReference.reference=request:uname_token
application.securityoutboundbindingconfig.tokengenerator_1.jaasconfig.configname=system.wss.generate.unt
- tokenconsumer element: In the default bindings, the tokenconsumer elements that the signinginfo or encryptioninfo elements do not reference are authentication token consumers. Each authentication token consumer must have a unique valuetype element. The following example displays the format for a set of tokenconsumer elements:
application.securityinboundbindingconfig.tokenconsumer_0.name=con_unametoken
application.securityinboundbindingconfig.tokenconsumer_0.classname=com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer
application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri=
application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname=com.ibm.websphere.wssecurity.callbackhandler.UNTConsumeCallbackHandler
application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname=system.wss.consume.unt
application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference=request:uname_token
- actor element: Defines the actor uniform resource identifier (URI) to be included in the WSSecurity headers of a generated message, as displayed by the following example:
application.securityinboundbindingconfig.actor=http://myActor.com
application.securityoutboundbindingconfig.actor=http://myActor.com
- certstorelist element: Defines the certificate store configuration and signing information, as displayed in the following example:
application.securityinboundbindingconfig.certstorelist.collectioncertstores_0.name=DigSigCertStore
application.securityinboundbindingconfig.certstorelist.collectioncertstores_0.provider=IBMCertPath
application.securityinboundbindingconfig.certstorelist.collectioncertstores_0.x509certificates_0.path=${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer
- keyinfo element: Defines the key information that is used for configuring signing and encryption, as displayed in the following example:
application.securityinboundbindingconfig.keyinfo_0.classname=com.ibm.ws.wssecurity.wssapi.CommonContentConsumer
application.securityinboundbindingconfig.keyinfo_0.name=con_signkeyinfo
application.securityinboundbindingconfig.keyinfo_0.tokenreference.reference=con_tcon
application.securityinboundbindingconfig.keyinfo_0.type=STRREF
- trustanchor element: Defines the configuration information that is used to validate the trust of the signer certificate, as displayed in the following example:
application.securityinboundbindingconfig.trustanchor_0.keystore.path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
application.securityinboundbindingconfig.trustanchor_0.keystore.storepass={xor}LDotKTot
application.securityinboundbindingconfig.trustanchor_0.keystore.type=JKS
application.securityinboundbindingconfig.trustanchor_0.name=DigSigTrustAnchor
- timestampexpires element: Defines the expiration date for the configuration, as displayed in the following example:
application.securityoutboundbindingconfig.timestampexpires.expires=5
- application.securityinboundbindingconfig.caller_X.order: Specifies the order of the caller when you use wsadmin scripting, where X is a unique string that identifies the instance of the caller:
-attributes [[application.securityinboundbindingconfig.caller_0.order 2]]
Examples of the setPolicyType and setBinding commands
Use the setPolicyType and setBinding commands to modify policy and binding configuration data, based on the reference information provided previously.

AdminTask.setBinding('[-bindingLocation "" -bindingName cellWideBinding2 -policyType WSSecurity '
                     '-attributes [[application.securityinboundbindingconfig.caller_0.order 2]'
                     '[inResponsewithSSL:configAlias NodeDefaultSSLSettings]'
                     '[inResponsewithSSL:configFile properties_directory/ssl.client.props]'
                     '[outAsyncResponsewithSSL:configFile properties_directory/ssl.client.props]'
                     '[outAsyncResponsewithSSL:configAlias NodeDefaultSSLSettings]'
                     '[outRequestwithSSL:configFile properties_directory/ssl.client.props]'
                     '[outRequestwithSSL:configAlias NodeDefaultSSLSettings]]]')
AdminTask.setPolicyType('-policySet myPolicySet -policyType WSSecurity -attributes '
                        '"[[enabled true][provides Some_amount_of_security]'
                        '[SignatureProtection.request:app_signparts.SignedElements.XPath_0 SignatureProtectionV2]]"')
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "[[server server1][node node01]]" '
                     '-attributes "[[application.securityinboundbindingconfig.keyinfo_0.name dec_server_keyinfo]'
                     '[application.securityinboundbindingconfig.keyinfo_0.classname com.ibm.ws.wssecurity.wssapi.CommonContentGenerator]'
                     '[application.securityinboundbindingconfig.keyinfo_0.type STRREF]]"')
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "[[application PolicySet][attachmentId 999]]" '
                     '-attributes "[[application.securityinboundbindingconfig.keyinfo_0.name dec_app_keyinfo]'
                     '[application.securityinboundbindingconfig.keyinfo_0.classname com.ibm.ws.wssecurity.wssapi.CommonContentGenerator]'
                     '[application.securityinboundbindingconfig.keyinfo_0.type STRREF]]" '
                     '-attachmentType application -bindingName myBindingName')
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "" -attributes '
                     '"[application.securityinboundbindingconfig.trustanchor_0.name DigSigTrustAnchor2]"')