Creating policy set attachments using the wsadmin tool

Use the wsadmin tool, which supports the Jython and Jacl scripting languages, to define the policy set configuration for your web services applications.

Before you begin

When administrative security is enabled, verify that you use the correct administrative role, as the following table describes:
Table 1. Administrative roles. The administrative role determines if you can create policy set attachments.
Administrative role Authorization
Administrator The Administrator role must have cell-wide access to create policy set attachments. If you have access to a specific resource only, you can create policy set attachments for the resource for which you have access.
Configurator The Configurator role must have cell-wide access to create policy set attachments. If you have access to a specific resource only, you can create policy set attachments for the resource for which you have access.
Deployer The Deployer role with cell-wide or resource specific access can create policy set attachments for application resources only.
Operator The Operator role cannot create policy set attachments.
Monitor The Monitor role cannot create policy set attachments.

在使用這個主題中的指令之前,請確認您使用 wsadmin 工具的最新版本。 在舊版的 wsadmin 工具中,不支援接受內容物件作為 attributesbindingLocation 參數值的原則集管理指令。 例如,在 6.1.0.x 版節點上,不執行這些指令。

About this task

To use a new policy set to manage policies for your application, you must attach the policy set to an application artifact or artifacts. When the application restarts, the application uses the policies from the newly attached policy set.

混合版本環境 混合版本環境: In a mixed cell environment, the following limitations apply to service reference attachments or resource attachments that are specified in name-value pair format:
  • You must not create these types of attachments for applications that are deployed on an application server that is prior to WebSphere Application Server Version 8.0. Service reference attachments are only supported on WebSphere Application Server V8.0 and later.
  • An application that contains these types of attachments must not be deployed on an application server that is prior to WebSphere Application Server Version 8.0.
  • If an application that is deployed in a cluster environment contains these types of attachments, you must not add a member application server that is prior to WebSphere Application Server Version 8.0 to the cluster.
mixv

Procedure

  1. Launch a scripting command. To learn more, read about starting the wsadmin scripting client.
  2. Select an application with web services to update. Use the listWebServices command to list all web services and the associated applications. Enter the following command to list all web services and attributes:
    AdminTask.listWebServices()
    For each web service, the command returns the associated application name, module name, service name, and service type. For example, the following information is returned:
    '[ [service {http://www.ibm.com}service1] [client false] [application  application1] 
     [module webapp1.war] [type JAX-WS] ]'
  3. Create a policy set attachment for an application.

    For the commands in the PolicySetManagement group, the term resource refers to a web service artifact. For application and service client policy sets, the artifacts use the application hierarchy. The application hierarchy includes a web service, module name, endpoint, or operation. Enter the value for the -resource parameter as a string, with a backslash ( / ) character as a delimiter.

    避免困難 避免困難: When attempting to connect to a web service from a thin client, verify that the resources you are specifying are valid before running the updatePolicySetAttachment command. No configuration changes are made if the requested resource does not match a resource in the attachment file for the application.gotcha
    Use the following format for application and client policy set attachments:
    • WebService:/

      Attaches all artifacts in the application to the policy set.

    • WebService:/webapp1.war:{http://www.ibm.com}myService

      Attaches all artifacts within the web service {http://www.ibm.com}myService to the policy set. You must provide a fully qualified name (QName) for the service.

    • WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA

      Attaches all operations for the endpointA endpoint to the policy set.

    • WebService:/webapp1.war:{http://www.ibm.com}myService/endpointA/operation1

      Attaches only the operation1 operation to the policy set.

    The format for the -resource string differs for service reference attachments. Use the following format for service reference attachments:
    • type=WebService:/

      Attaches all artifacts in the application to the policy set.

    • type=WebService:/,module=myModule.war,service={ http://www.mynamespace.com}myService

      Attaches all artifacts within the web service {http://www.mynamespace.com}myService to the policy set. You must provide a fully qualified name (QName) for the service.

    • type=WebService:/,module=myModule.war,service={ http://www.mynamespace.com }myService,serviceRef=myServiceRef

      Attaches all artifacts within the web service reference myServiceRef to the policy set.

    • type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA

      Attaches all operations for the service reference endpointA endpoint in the service reference myServiceRef to the policy set.

    • type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA operation=operation1

      Attaches only the operation1 operation in the service reference myServiceRef to the policy set.

    The format for the -resource string differs for system policy set attachments for the trust service. Use the following format for system policy set attachments:
    • Trust.opName:/

      The opName attribute can be issue, renew, cancel, or validate.

    • Trust.opName:/url

      The opName attribute can be issue, renew, cancel, or validate. You can specify any valid URL for the url attribute.

    1. Enter the command to attach the policy set to the application. This command attaches the policyset1 application policy set to all artifacts in the WebService application.
      適用於轉換使用者 適用於轉換使用者: 雖然您可以在 -attachmentType 參數中指定 application 值,仍請利用 provider 值來取代 application 值,因為附件不只用於應用程式,例如,信任服務的系統附件。 如果是系統原則集附件,請在 attachmentType 參數中指定 provider 值,在 -attachmentProperties 參數中指定 "[systemType trustService]" 值。 如果是 WSNClient 附件,請在 attachmentType 參數中指定 client 值,在 -attachmentProperties 參數中指定 busWSNService 內容。trns
      To attach a policy set to a Web service application, specify the provider value for the -attachmentType parameter:
      AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources 
       "WebService:/" -applicationName WebService -attachmentType provider]')
      To attach a policy set to a service client application, specify the client value for the -attachmentType parameter, as the following example demonstrates:
      AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources 
       "WebService:/" -applicationName WebService -attachmentType client]')
      To create a trust service attachment for a system policy set, specify the provider value for the -attachmentType parameter and the [systemType trustService] value for the -attachmentProperties parameter, as the following example demonstrates:
      AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources 
       "WebService:/" -attachmentType provider -attachmentProperties "[systemType trustService]"]')
      To attach a policy set to a service reference, enter the following command:
      AdminTask.createPolicySetAttachment('[-resources "type=WebService:/,module=webapp1.war,service=
      {http://www.mynamespace.com}myService,serviceRef=myServiceRef" -applicationName application1 
      –attachmentType client -policySet PolicySet1 –inheritFromService false]')
      This command returns an attachment ID number that you must use to reference this attachment. In the next step, use the attachment ID number to set the binding configuration. For this example, the attachment ID number is 124.
  4. Run the command to set the binding.

    To attach a policy set to a web services application, specify the provider value for the -attachmentType parameter.

    The following example demonstrates how to set the timestamp expiration attribute on the SecureConversation123binding binding for the WSSecurity policy, on the WebService Web service application.
    AdminTask.setBinding('-policyType WSSecurity -bindingLocation "[[application WebService] 
    [attachmentId 124] ]" -attachmentType provider
     -bindingName SecureConversation123binding -attributes 
    "[application.securityoutboundbindingconfig.timestampexpires.expires 5]"')

    To attach a policy set to a Web services application client or to a service reference, specify the client value for the -attachmentType parameter.

  5. Save the configuration changes.
    Enter the following command to save your changes:
    AdminConfig.save()

Results

Your have attached the policy set to the application artifact or artifacts specified. Restart your application to use the policies from the newly attached policy set.

What to do next

Manage and update your attachments.


指出主題類型的圖示 作業主題



時間戳記圖示 前次更新: July 9, 2016 11:19
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=txml_wsfpcreateattach
檔名:txml_wsfpcreateattach.html