Use this topic to enable the Kerberos token policy set
for JAX-WS applications.
Before you begin
Prior to beginning this task, you must specify the Kerberos
configuration information for IBM® WebSphere® Application
Server. For more information, see Kerberos (KRB5) authentication mechanism
support for security.
The configuration model for the Kerberos
token enables you to choose from the following existing WebSphere Application
Server frameworks:
- For JAX-RPC applications, the deployment descriptor and bindings
are used in the configuration. The JAX-RPC application includes the deployment
descriptor for a Kerberos custom token, which is configured with authentication
tokens.
- For JAX-WS applications, the configuration uses a policy set and
bindings. The JAX-WS application is attached by a custom policy with
the Kerberos token configured with authentication tokens, message
protection tokens, or both.
Note: Fix packs that include updates
to the Software Development Kit (SDK) might overwrite unrestricted
policy files. Back up unrestricted policy files before you apply a
fix pack and reapply these files after the fix pack is applied.
About this task
Complete the following steps to configure the Kerberos token
policy set for JAX-WS applications using the administrative console
for WebSphere Application Server. In these
steps, the Main policy configuration panel references the administrative
console panel that is available after you complete the first five
steps.
Procedure
- Expand and click to create a new policy set.
- Specify a name and a short description for the new policy
set and click Apply.
- From the Policies heading, click Add and
then select the WS-Security security policy
type.
- Click OK and click Save to
save the new configuration directly to the master configuration.
- In the Policies field, click WS-Security and
click Main policy on the WS-Security panel
to configure the main policy for the Kerberos token policy set.
- From the Key Symmetry heading, select Use symmetric
tokens for message protection.
- Click Symmetric signature and encryption policies to
configure the Kerberos custom token type or clear the Message
level protection check box if you are configuring an authentication
token only.
Important: You do not need to configure
the request token policy if you are using the Kerberos token for message
protection. If you are configuring the authentication token only,
proceed to the next step. If you are not configuring the request token
policy for the authentication token, skip the next step.
- On the Main policy configuration panel, configure the policy
for the request token if you are configuring the authentication token.
- From the Policy Details heading, click Request
token policies.
- Click Add token type and select Custom.
- Specify the name of the custom token in the Custom
token name field.
- Specify the local part value in the Local
part field. For interoperability with other
web services technologies, specify the following local part: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ.
If you are not concerned with interoperability issues, you can specify
one of the following local name values:
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
These alternative values depend on the specification level
for the Kerberos AP-REQ token that is generated by the Key Distribution
Center (KDC). For more information about when to use these values,
see Token type settings.
- Do not specify a value for the Namespace
URI field if you are generating a Kerberos token.
- Click OK and Save to
save the configuration directly to the master configuration.
This step completes the configuration process for configuring
the request token policy for the authentication token. You do not
need to complete the next two steps. Complete the next steps to configure
encryption and symmetric signature policies.
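As an added example (not part of this IBM topic or of the WebSphere product code), the following Java check reads a captured SOAP request and reports whether each wsse:BinarySecurityToken carries the interoperable local part configured above, one of the alternative Kerberos Token Profile 1.1 values, or something that should be rejected. It assumes, per that profile, that the configured local part appears as the token's ValueType attribute, and the sample envelope is constructed with a placeholder token body.

```java
import java.io.StringReader;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class KerberosTokenCheck {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    static final String KRB = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#";
    static final String INTEROP = KRB + "GSS_Kerberosv5_AP_REQ";
    // Alternative ValueType URIs listed in the topic (Set.of needs Java 9 or later)
    static final Set<String> ALTERNATIVES = Set.of(KRB + "Kerberosv5_AP_REQ",
        KRB + "Kerberosv5_AP_REQ1510", KRB + "GSS_Kerberosv5_AP_REQ1510",
        KRB + "Kerberosv5_AP_REQ4120", KRB + "GSS_Kerberosv5_AP_REQ4120");

    // One verdict line per BinarySecurityToken found in the wsse:Security header.
    static String inspect(String soap) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The message comes off the wire: refuse DTDs and enable secure processing.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(soap)));
        NodeList tokens = doc.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < tokens.getLength(); i++) {
            Element t = (Element) tokens.item(i);
            String vt = t.getAttribute("ValueType");
            String verdict;
            if (INTEROP.equals(vt)) verdict = "OK: interoperable GSS_Kerberosv5_AP_REQ token";
            else if (ALTERNATIVES.contains(vt)) verdict = "OK: profile alternative; confirm the peer accepts it";
            else verdict = "REJECT: not a Kerberos Token Profile 1.1 ValueType";
            if (!B64.equals(t.getAttribute("EncodingType"))) verdict += "; EncodingType is not Base64Binary";
            out.append(vt).append(" -> ").append(verdict).append('\n');
        }
        return out.length() == 0 ? "no BinarySecurityToken in header\n" : out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; the token body is a placeholder, not a real AP-REQ.
        String sample = "<S:Envelope xmlns:S=\"http://www.w3.org/2003/05/soap-envelope\"><S:Header>"
            + "<wsse:Security xmlns:wsse=\"" + WSSE + "\"><wsse:BinarySecurityToken EncodingType=\""
            + B64 + "\" ValueType=\"" + INTEROP + "\">PLACEHOLDER_BASE64_AP_REQ</wsse:BinarySecurityToken>"
            + "</wsse:Security></S:Header><S:Body/></S:Envelope>";
        System.out.print(inspect(sample));
    }
}
```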
- Return to the main policy configuration panel for the application
policy set and click Symmetric signature and encryption
policies to configure the encryption and symmetric signature
policies.
- From the Message Integrity heading, click the Action menu
list for the Token type for signing and validating messages field
and select Custom.
- From the Message Confidentiality heading, select the Use
same token for confidentiality that is used for integrity option.
- Click OK and Save to
save the configuration changes.
- From the Message Integrity heading, click the Action menu
list for the Token type for signing and validating messages field
and select Edit Selected Type Policy.
- Edit the custom token type for the signature and encryption
by specifying the local part for the Kerberos custom token.
For
example, specify http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for
the local part value. Do not specify a Namespace URI value.
- Click OK and then click the Save link
to save the configuration changes.
- Return to the main policy configuration panel for the application
policy set and click Algorithms for symmetric tokens to
configure the symmetric token algorithm.
- Select the algorithm suite to use for the symmetric
tokens from the Algorithm suite menu list. Select the Advanced Encryption Standard (AES) algorithms for
a Kerberos token that is compliant with RFC-4120.
The symmetric
key wrap, or private key cryptography, algorithms include:
- Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes
- AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128
- AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256
Restriction: To use the 256-bit AES encryption algorithm,
you must apply the unlimited jurisdiction policy files. To remain
in compliance, see Basic Security Profile compliance tips.
Before downloading these policy files, mount the product
HFS as read/write. Back up the existing policy files prior to overwriting
them, in case you want to restore the original files later. The existing
policy files, which are the local_policy.jar and US_export_policy.jar files,
are located in the WAS_HOME/java/jre/lib/security/ directory.
Before downloading these policy files, mount the product
HFS as read/write. Back up the existing policy files prior to overwriting
them, in case you want to restore the original files later. The existing
policy files, which are the local_policy.jar and US_export_policy.jar files,
are located in the WAS_HOME/java/lib/security/ directory.
Important: Your country of residence might restrict the import, possession, use, or re-export of encryption software to another country or region. Before you download or use the unrestricted policy files, you must check the laws, regulations, and policies of your country or region concerning the import, possession, use, and re-export of encryption software to determine whether doing so is permitted.
For
application server platforms using IBM Developer
Kit, Java™ Technology Edition, Version 5, you can obtain
unlimited jurisdiction policy files by completing the following steps:
- Visit the IBM developerWorks: Security Information website.
- Click Java 5.
- Click IBM SDK Policy files.
The Unrestricted
JCE Policy files for SDK 5 website is displayed.
- Enter your user ID and password or register with IBM to
download the policy files. The policy files are downloaded onto your
workstation.
- Re-mount your product HFS as read/only.
For more information on the algorithm suite components,
see Algorithms settings.
- Select either the Exclusive canonicalization or Inclusive
canonicalization value for the Canonicalization
algorithm menu list. For more information,
see XML digital signature.
- Specify the XPath 1.0 or XPath Filter 2.0 version to use from
the XPath version menu list.
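Added example, not from this topic: before selecting the AES-256 key wrap suite, run the following Java check under the same JRE that WebSphere Application Server uses (the WAS_HOME/java installation) to confirm that 256-bit AES is actually permitted. It assumes a pre-Java 9 JRE layout for the jar listing, where the policy jars sit under java.home/lib/security; the key-length check itself works on any JRE.

```java
import java.io.File;
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class AesKeyWrapPolicyCheck {
    // True when this JRE may use 256-bit AES, i.e. the unlimited jurisdiction
    // policy files are in effect (or the JRE is not export-restricted at all).
    static boolean aes256Allowed() throws Exception {
        if (Cipher.getMaxAllowedKeyLength("AES") < 256) return false;
        // Also initialise a real AES-256 cipher so a stale or partially replaced policy jar is caught.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey k = kg.generateKey();
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, k); // InvalidKeyException ("Illegal key size") when restricted
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // java.home is the JRE directory; under WebSphere this is the WAS_HOME/java/jre path from the text.
        // The restricted and unrestricted jars share these names, so presence alone proves nothing.
        File secDir = new File(System.getProperty("java.home"), "lib/security");
        for (String jar : new String[] {"local_policy.jar", "US_export_policy.jar"}) {
            File f = new File(secDir, jar);
            System.out.println(jar + ": " + (f.exists() ? f.length() + " bytes" : "missing (Java 9+ uses crypto.policy)"));
        }
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println(aes256Allowed()
            ? "256-bit AES permitted: the kw-aes256 key wrap suite can be selected"
            : "256-bit AES blocked: apply the unlimited jurisdiction policy files before selecting kw-aes256");
    }
}
```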
What to do next
Configure the bindings for message protection for Kerberos
for JAX-WS applications. For more information, see Configuring the bindings for message protection for Kerberos.