Token consumer configuration settings
Use this page to specify the information for the token consumer. The information is used at the consumer side only to process the security token.
- Click .
- Under JAX-RPC Default Consumer Bindings, click New to create a new token consumer, or click
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
  Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
- Under JAX-RPC Default Consumer Bindings, click New to create a new token consumer, or click
- Click .
- Click .
- Under Web Services Security Properties, you can access the signing information for the following bindings:
  - For the Response generator (sender) binding, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom. Under Required properties, click Token consumers.
  - For the Response consumer (receiver) binding, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom. Under Required properties, click Token consumers.
- Click New to specify a new configuration or click the name of an existing configuration to modify its settings.
Before specifying additional properties, specify a value in the Token consumer name, the Token consumer class name, and the Value type local name fields.
Token consumer name
Specifies the name of the token consumer configuration.
For example, the default X509 token consumer names are con_enctcon for encrypting and con_signtcon for signing. For a custom token consumer, the name might be sig_tcon for signing.
Token consumer class name
Specifies the name of the token consumer implementation class.
This class must implement the com.ibm.wsspi.wssecurity.token.TokenConsumerComponent interface.
Token consumer class name
Specifies the name of the token consumer implementation class.
The Java™ Authentication and Authorization Service (JAAS) Login Module implementation is used to validate (authenticate) the security token on the consumer side.
Part reference
Specifies a reference to the name of the security token that is defined in the deployment descriptor.
On the application level, when the security token is not specified in the deployment descriptor, the Part reference field is not displayed.
Certificate path
Specifies the trust anchor and the certificate store.
- None
- If you select this option, the certificate path is not specified.
- Trust any
- If you select this option, any certificate is trusted. When the received token is incorporated, the certificate path validation is not processed.
- Dedicated signing information
- If you select this option, you can specify the trust anchor and the certificate store. When you select the trust anchor or the certificate store of a trusted certificate, you must configure the collection certificate store before setting the certificate path.
Trust anchor
Binding name | Server level, cell level, or application level | Path
---|---|---
Default consumer binding | Cell level |
Default consumer binding | Server level |
Certificate store
Binding name | Server level, cell level, or application level | Path
---|---|---
Default consumer binding | Cell level |
Default consumer binding | Server level |
Trusted ID evaluator reference
Specifies the reference to the Trusted ID evaluator class name that is defined in the Trusted ID evaluators panel. The trusted ID evaluator is used for determining whether the received ID is trusted.
- None
- If you select this option, the trusted ID evaluator is not specified.
- Existing evaluator definition
- If you select this option, you can select one of the configured trusted ID evaluators. You can specify a certificate path configuration for the following bindings on the following levels:
Table 3. Trusted ID evaluator bindings settings. The trusted ID evaluator is used to determine if a received ID is trusted.
Binding name | Server level, cell level, or application level | Path
---|---|---
Default consumer binding | Cell level | Click . Under Additional properties, click Trusted ID evaluators.
Default consumer binding | Server level | Click . Under Security, click JAX-WS and JAX-RPC security runtime. Mixed-version environment: in a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security. Under Additional properties, click Trusted ID evaluators.
- Binding evaluator definition
- If you select this option, you can specify a new trusted ID evaluator and its class name.
When you select a trusted ID evaluator reference, you must configure the trusted ID evaluators before setting the token consumer.
The Trusted ID evaluator field is displayed in the default binding configuration and the application server binding configuration.
Verify nonce
Specifies whether the nonce of the user name token is verified.
This option is displayed on the cell, server, and application levels. This option is valid only when the type of incorporated token is the user name token.
Verify timestamp
Specifies whether the time stamp of the user name token is verified.
This option is displayed on the cell, server, and application levels. This option is valid only when the type of incorporated token is the user name token.
Value type local name
Specifies the local name of the value type for the consumed token.
- Username token
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
- X509 certificate token
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
- X509 certificates in a PKIPath
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
- A list of X509 certificates and CRLs in a PKCS#7
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7
- Lightweight Third Party Authentication (LTPA)
- LTPA_PROPAGATION
When you specify a custom value type for custom tokens, you can specify the local name and the URI of the qualified name (QName) of the value type. For example, you might specify Custom for the local name and http://www.ibm.com/custom for the URI.
Value type URI
Specifies the namespace URI of the value type for the integrated token.
When you specify the token consumer for the user name token or the X.509 certificate security token, you do not need to specify this option. If you want to specify another token, specify the URI of the QName for the value type.
- For the LTPA token: http://www.ibm.com/websphere/appserver/tokentype/5.0.2
- For the LTPA token propagation: http://www.ibm.com/websphere/appserver/tokentype
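The following added example (not IBM code, and not an implementation of the TokenConsumerComponent interface) models what the Verify nonce, Verify timestamp and Value type settings above mean on the consumer side: a hypothetical TokenConsumer class that accepts only configured X.509 value type QNames on a BinarySecurityToken, and for a UsernameToken rejects missing or replayed nonces and stale Created time stamps. The sample tokens, the alice user, the 5-minute skew and EXAMPLE_NOW are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from the OASIS WS-Security 1.0 specifications.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

class TokenConsumer:
    """Hypothetical consumer-side checks; not IBM's TokenConsumerComponent."""
    def __init__(self, value_types, verify_nonce=True, verify_timestamp=True,
                 max_skew=timedelta(minutes=5)):
        self.value_types = set(value_types)       # configured "Value type" QNames
        self.verify_nonce = verify_nonce          # the page's "Verify nonce" setting
        self.verify_timestamp = verify_timestamp  # the page's "Verify timestamp" setting
        self.max_skew = max_skew
        self.seen_nonces = set()                  # replay cache; a real one must expire entries

    def consume_username_token(self, xml_text, now):
        tok = ET.fromstring(xml_text)
        if tok.tag != "{%s}UsernameToken" % WSSE:
            return "rejected: not a UsernameToken"
        if self.verify_timestamp:
            created = tok.find("{%s}Created" % WSU)
            if created is None or not created.text:
                return "rejected: missing Created"
            ts = datetime.fromisoformat(created.text.replace("Z", "+00:00"))
            if abs(now - ts) > self.max_skew:
                return "rejected: stale timestamp"
        if self.verify_nonce:
            nonce = tok.find("{%s}Nonce" % WSSE)
            if nonce is None or not nonce.text:
                return "rejected: missing Nonce"
            if nonce.text in self.seen_nonces:
                return "rejected: replayed Nonce"
            self.seen_nonces.add(nonce.text)
        return "accepted"

    def consume_binary_token(self, xml_text):
        # A BinarySecurityToken names its X.509 value type (X509v3, PKIPath, PKCS7) in an attribute.
        vt = ET.fromstring(xml_text).get("ValueType", "")
        return "accepted" if vt in self.value_types else "rejected: value type not configured"

def sample_username_token(nonce, created):
    """Constructed sample token for the example, not a captured message."""
    return ('<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s"><wsse:Username>alice</wsse:Username>'
            '<wsse:Nonce>%s</wsse:Nonce><wsu:Created>%s</wsu:Created></wsse:UsernameToken>'
            % (WSSE, WSU, nonce, created))
```

With Verify nonce or Verify timestamp turned off, the corresponding branch is skipped, which is exactly the exposure (replay, or acceptance of old tokens) that the two settings exist to close.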